投稿時間:2023-05-09 07:17:49 RSSフィード2023-05-09 07:00 分まとめ(21件)

カテゴリー等	サイト名等	記事タイトル・トレンドワード等	リンクURL	頻出ワード・要約等/検索ボリューム	登録日
IT	気になる、記になる…	｢iPhone 15 Pro Max｣はペリスコープ望遠レンズを搭載へ	https://taisy0.com/2023/05/09/171559.html	iphone	2023-05-08 21:50:53
IT	気になる、記になる…	｢Apple Watch Series 9｣は｢A15｣チップがベースの新しい｢S9｣チップを搭載へ	https://taisy0.com/2023/05/09/171556.html	apple	2023-05-08 21:42:44
AWS	AWS News Blog	AWS Week in Review – AWS Notifications, Serverless event, and More – May 8, 2023	https://aws.amazon.com/blogs/aws/aws-week-in-review-aws-notifications-serverless-event-and-more-may-8-2023/	AWS Week in Review AWS Notifications Serverless event and More May At the end of this week I m flying to Seattle to take part in the AWS Serverless Innovation Day Along with many customers and colleagues from AWS we are going to be live on May at a virtual free event During the AWS Serverless Innovation Day we will share best practices related to building …	2023-05-08 21:57:51
python	Pythonタグが付けられた新着投稿 - Qiita	ChatGPT-4 と始めるデータ分析入門！(回帰編)	https://qiita.com/key353/items/9b1a4855aa5bc198bb7f	chatgpt	2023-05-09 06:49:47
海外TECH	Ars Technica	US senators call Tesla’s safety review a “sham,” demand answers from Musk	https://arstechnica.com/?p=1937589	number	2023-05-08 21:34:50
海外TECH	MakeUseOf	What Is OpenSea Pro? Should You Upgrade?	https://www.makeuseof.com/what-is-opensea-pro-should-you-upgrade/	opensea	2023-05-08 21:15:17
海外TECH	DEV Community	i built a react library for adding leaderboards to your app in minutes	https://dev.to/dylanintech/i-built-a-react-library-for-adding-leaderboards-to-your-app-in-minutes-5fi5	i built a react library for adding leaderboards to your app in minutesyo what s up i m dylan a high school senior and a software builder in the last two days i ve built the first version of flywheel a react library with one component for now a dynamic leaderboard that s hooked up to your app s data and ranks items the way you want them to be ranked i made a quick demo of me going from create react app to a fully working leaderboard in minutes lol how i got here is a pretty long story lol here s a quick TL DR if you re interestedi built launched the original version of flywheel at a hackathon in san francisco on february st it used to be a platform where founders could join a leaderboard w their founder friends based on their number of users but then game devs and community builders started asking me to build leaderboards for them lol the more i thought about it and the more people i talked to the more i realized that adding leaderboards to your app can be a real pain especially if you need it fast for a small project or a hackathon i esp felt this pain since i was building the leaderboard manually for the original product so i built a web app where you could fill out a couple of inputs and get a link to a leaderboard you could share with your users players friends for them to join but users wanted more control they wanted to not only embed the leaderboards in their frontends but to have more granular access to the columns props that the leaderboard used so i shipped this the library is fully open source btw also s o to tremor and tailwind i m using them for the skeleton styling of the leaderboard cards for now lmk what you think i m working w a couple co s to test the components w their data and am gonna be iterating quickly this is just v p s i also wrote up some docs in case you re looking for a more technical dive into flywheel written with ️and by dylan a fellow dev	2023-05-08 21:52:52
海外TECH	DEV Community	Solving a critical bug in the default Rails caching library	https://dev.to/aha/solving-a-critical-bug-in-the-default-rails-caching-library-2ga9	Solving a critical bug in the default Rails caching library An odd coincidenceOn March th ChatGPT users reported seeing conversations that were not their own Just a few weeks earlier I had solved a bug where the default Rails caching library Dalli would return incorrect values I thought this ChatGPT incident sounds a lot like what could happen with that caching bug via returning incorrect cached HTML But OpenAI doesn t use Rails so I shrugged the thought off as recency bias My jaw dropped when I saw the postmortem ーit was exactly the same bug concept just in a different library A reminder that hard things often transcend particular languages and libraries And boy is this a hard bug It sits at the intersection of caching shared resource management and state corruption ーinfamously tricky problem spaces The bug mechanismThe Dalli caching client connects to a memcached server with a socket which is essentially just a buffer I ll use the terms interchangeably The client issues a get message to the server which says give me the value for this key In response the server writes some data into the socket buffer The client then reads bytes off of the socket until it has processed one complete response making the assumption that what it s reading is the response to its own get message If the socket was empty at the beginning of the operation that assumption works and the client returns the correct cache value But what if the buffer was not empty when the client issued the get command Then the client processes the data that was on the socket as if it were the requested value and ーsince no extra validation steps occur ーreturns the wrong value for the given key Worse because it would only read one value s worth of data out of the buffer it knows when to stop reading based on a metadata header the actual response to its request would remain on the socket for the next request to return incorrectly and so on The socket has thus entered an indefinite off by one corrupt state Meaning the nth get operation will return the value for the n th operation s key leaving its own value in the buffer for the n th to read Oh no That corrupted state in a different library explains ChatGPT s incident If your cache system starts returning the wrong values that s very scary from a security perspective because data or HTML cached for one user might be shown to another user In the case I saw firsthand this didn t happen because the incorrect cache values all type mismatched causing the process to error repeatedly until it was killed That was lucky but a Rails app conceivably could see the exact kind of incident OpenAI saw It would just depend on what type of data was on the corrupted socket and how the application uses the cache How it happensWhy would there be an unread value in the buffer All that s required is for the client to send a get command to the server and then fail to actually read the response ーwhile also leaving the socket around for a future request to use One way this might happen in Dalli is if there s an issue in get multi code This could occur if the client requests multiple values reads some subset of those values off of the socket and then returns before the server finishes writing all of the values to the socket Another way this might happen is if something say an error or a timeout interrupts the client code execution between issuing a get message and reading the response Ideally the client would discard reset the socket in case of an error or timeout and in most scenarios that s exactly what would happen But all it takes is one code path where the socket can get corrupted and stick around Unfortunately there is at least one such a code path explaining the incorrect caching behavior I observed The specifics are less important than the question of whether the client should rely completely on the assumption that the socket will be empty when it begins a get operation The fixAs a security engineer I love when I can solve a bug deep in an abstraction making it impossible for a developer using the abstraction to cause the bug again ーeven if they make a mistake We should encourage developers to avoid known dangers sure but it s best for an abstraction itself to prevent unacceptable outcomes automatically Or within the abstraction we should try to manage our state correctly but it s best if we can preclude the worst impacts even if there s a flaw and some unexpected state emerges It is far more robust to make a failure case impossible at the root instead of relying on all the higher level code doing the right thing every time To that end I pursued a simple foundational fix Memcached has a getk command which differs from get by returning the key alongside the value The downside is a small performance cost ーreturning the key means processing more bytes The upside is that the client gets both the key and the value back from memcached and can check that the key matches what it asked for That s the core of my implementation if the keys don t match raise an error Simple Now even if the buffer contains a leftover value for a different key the client won t return it Instead it will reset and retry Analyzing the fixWhat of the cost vs benefit In the context of a multi tenant Rails application it is generally not an acceptable risk to potentially expose one tenant s data to another even in a low probability event A small increase in overhead to completely rule out a data exposure bug is a small price to pay In this case the overhead is really small When I rolled out this implementation in an application serving millions of requests a day there was zero measurable impact on performance Even if the overhead was noticeable it would still be worthwhile to pay the cost for most threat models It is conceivable that an application using the caching client might make a different cost benefit calculation and decide that performance is paramount and key value integrity failures are acceptable That s why one approach I proposed was making it a configuration option in the upstream PR Unfortunately the maintainer did not agree that the client should solve this problem at all despite multiple other reports of it happening in production systems The maintainer had some valid points ーapplication layer timeouts in Ruby are dangerous and if you re using them extreme caution is warranted Consider killing the process entirely after a timeout to prevent state corruption bugs like this one Nonetheless I firmly believe that given the severity of this issue it is worthwhile for the client itself to prevent the worst impact from happening I am also not convinced that timeouts are the only way for this bug to happen See the get multi issue or consider the possibility of a future code change introducing a connection handling bug AlternativesAnother way to solve the problem would be to keep the socket locked until the response is read That way a socket with an unread response would not be re used by a subsequent operation I m not sure why Dalli doesn t already work this way but currently it releases the lock after issuing the get command and re acquires it before reading the response I opened a second PR proposing to keep the lock on the socket for the entire get sequence which was also rejected The safe get implementation still has an advantage in that it works regardless of whether the socket is properly handled or even if memcached sends extraneous responses That approach is publicly available and production tested Please let me know if you have any questions or feedback about it	2023-05-08 21:24:30
海外TECH	DEV Community	Climbing the Ladder: Corporate Experience as a Stepping Stone	https://dev.to/snowman647/climbing-the-ladder-corporate-experience-as-a-stepping-stone-3p	Climbing the Ladder Corporate Experience as a Stepping StoneIn the past a wise mentor once told me that working in a corporation could provide invaluable experience before diving into entrepreneurship Heeding this advice I decided to spend some years in the corporate world before embarking on my own business venture This decision turned out to be beneficial in numerous ways Cost Awareness In a corporate setting I learned the financial aspects of product development from budgeting to managing resources This experience enabled me to make informed decisions when it came to allocating funds for my own business User Experience UX Focus I was exposed to the significance of user experience in product design and development This insight helped me create products tailored to the needs and preferences of my target audience ensuring their satisfaction Networking with Professionals Working in a corporation allowed me to collaborate with and learn from seasoned professionals Their guidance and expertise were invaluable resources that I could apply to my own entrepreneurial pursuits Safe Environment for Experimentation With a stable job and income I could explore side hustles and passion projects without the pressure of relying solely on their success This environment allowed me to take risks learn from failures and refine my ideas without jeopardizing my financial stability Time Investment While dedicating several years to working in a corporate environment may seem like a sacrifice the experience I gained was invaluable It equipped me with the necessary skills knowledge and network to confidently start my own business and navigate the world of entrepreneurship Looking back I m grateful for the time spent in the corporate world The lessons learned have undoubtedly contributed to my success as an entrepreneur and I believe this path has been worthwhile for me But I made one step forward and I build a game that will incorporate all this experience and make it available for everyone	2023-05-08 21:10:33
海外科学	NYT > Science	Theodor Diener, Who Discovered the Tiniest of Infectious Agents, Dies at 102	https://www.nytimes.com/2023/05/08/science/theodor-diener-who-discovered-the-tiniest-of-infectious-agents-dies-at-102.html	Theodor Diener Who Discovered the Tiniest of Infectious Agents Dies at The cause of a potato disease bedeviled scientists for decades before Dr Diener figured out that an impossibly small pathogen called a viroid was to blame	2023-05-08 21:53:08
海外科学	NYT > Science	Stanley Deser, Whose Ideas on Gravity Help Explain the Universe, Dies at 92	https://www.nytimes.com/2023/05/08/science/stanley-deser-dead.html	Stanley Deser Whose Ideas on Gravity Help Explain the Universe Dies at His theory of supergravity sought to bridge quantum mechanics and general relativity a potential step toward a theory of everything	2023-05-08 21:02:45
海外科学	NYT > Science	Overlooked No More: James Sakoda, Whose Wartime Internment Inspired a Social Science Tool	https://www.nytimes.com/2023/05/08/obituaries/james-sakoda-overlooked.html	Overlooked No More James Sakoda Whose Wartime Internment Inspired a Social Science ToolAfter documenting his experience in Japanese American internment camps Sakoda helped bring the study of human behavior to the computer age	2023-05-08 21:39:17
海外TECH	WIRED	30 Mother's Day Gifts We've Tried and Love (2023)	https://www.wired.com/gallery/best-mothers-day-gifts-2023/	figure	2023-05-08 21:16:02
ニュース	BBC News - Home	Coronation: Met Police express 'regret' over arresting six anti-monarchy protesters	https://www.bbc.co.uk/news/uk-65527007?at_medium=RSS&at_campaign=KARANGA	coronation	2023-05-08 21:25:24
ニュース	BBC News - Home	Three children among victims of Allen mall shooting in Texas	https://www.bbc.co.uk/news/world-us-canada-65527487?at_medium=RSS&at_campaign=KARANGA	allen	2023-05-08 21:49:13
ニュース	BBC News - Home	Jury hears closing remarks in Donald Trump civil rape case	https://www.bbc.co.uk/news/world-us-canada-65499719?at_medium=RSS&at_campaign=KARANGA	carroll	2023-05-08 21:35:48
ニュース	BBC News - Home	Nottingham Forest 4-3 Southampton: Taiwo Awoniyi's double helps lift Forest out of bottom three	https://www.bbc.co.uk/sport/football/65445809?at_medium=RSS&at_campaign=KARANGA	Nottingham Forest Southampton Taiwo Awoniyi x s double helps lift Forest out of bottom threeNottingham Forest come out on top in a seven goal thriller at the City Ground to climb out of the bottom three and leave Southampton on the brink of relegation	2023-05-08 21:35:38
ニュース	BBC News - Home	Brighton & Hove Albion 1-5 Everton: Visitors climb out of relegation zone with stunning win	https://www.bbc.co.uk/sport/football/65445807?at_medium=RSS&at_campaign=KARANGA	Brighton amp Hove Albion Everton Visitors climb out of relegation zone with stunning winEverton produce a superb display of counter attacking to boost their Premier League survival hopes with a stunning victory to dent Brighton s European ambitions	2023-05-08 21:26:42
ニュース	BBC News - Home	Fulham 5-3 Leicester City: Foxes remain in deep trouble after dismal first-half display	https://www.bbc.co.uk/sport/football/65445806?at_medium=RSS&at_campaign=KARANGA	Fulham Leicester City Foxes remain in deep trouble after dismal first half displayLeicester forward James Maddison believes his side were not hungry enough in their Premier League loss at Fulham	2023-05-08 21:15:28
ニュース	BBC News - Home	Champions League semi-finals: What to look for in Real Madrid v Manchester City & AC Milan v Inter Milan	https://www.bbc.co.uk/sport/football/65392625?at_medium=RSS&at_campaign=KARANGA	Champions League semi finals What to look for in Real Madrid v Manchester City amp AC Milan v Inter MilanThe Champions League semi finals start with Manchester City facing European royalty Real Madrid before Inter Milan take on AC Milan in a derby	2023-05-08 21:32:12
ビジネス	東洋経済オンライン	日本は｢G7の結束｣を強化することができるのか 40年前の中曽根外交というモデルに学ぶこと | 地経学の時代－地政学と経済の融合 | 東洋経済オンライン	https://toyokeizai.net/articles/-/670872?utm_source=rss&utm_medium=http&utm_campaign=link_back	東洋経済オンライン	2023-05-09 07:00:00