>On April 12, Coinbase updated their user agreement to take effect TODAY, May 15, with new language about waiving some rights to class action lawsuits and jurisdiction selection.
Also, "Coinbase had detected the breach independently in previous months": aren't they required to disclose this? In the EU they are: every EU institution must do this within 72 hours of becoming aware of the breach, where feasible.
I've always been a little uneasy about Vercel after trying to self-host Next.js on a VPS and running into a few of the little traps they seem to have set to nudge you into hosting on their platform instead. I get they have to pay the bills somehow but it does feel a bit risky to bet on their goodwill long-term.
The way they've handled this vulnerability has made me even more uneasy.
Vercel's initial framing of their Firewall as having "proactively protect[ed]" their customers definitely leaves a bad taste.
This, plus the delay in notifying other platforms, reveals a conflict of interest I had not previously considered: is Vercel actually less motivated to prevent such vulnerabilities from being introduced to Next.js in the future because they can roll out mitigations on their own platform before public disclosure and then say "well you wouldn't have been affected if you used us for hosting :)"?
This reminds me of a bad vuln in Drupal years ago (2014, I think?).
A lot of people think Acquia, being started by the creator of Drupal, has special control of the open source project, but at the end of the day they really don't have that kind of control.
So when the security team found this vuln, they coordinated with as many Drupal hosting platforms as they could, and immediately Pantheon, Platform.sh, and Acquia had all blocked the exploit at the firewall level by the time the CVE was announced.
John, a resident of the Startup Castle (who declined to give his last name), told me in an interview that he didn’t consider these rules discriminatory, and that the housemates were just “trying to get away from people who were obsessed with themselves.”
I'm astounded anyone could look at that list of requirements and say this with a straight face.
I actually think he's serious. I truly believe he actually is that ignorant that he believes that the attributes in that list make sense with his "mission". Completely ridiculous, and really sad.
I know John, and yes, he is actually that serious, as is his on-again/off-again girlfriend Katie, who also is part of this startup process. As a previous tenant (from when they had a place in Mountain View), I can attest to some of the outlandish practices. Interestingly enough, some of the rules, while applicable to others, they (aka Katie and John) don't even meet the requisites themselves that they necessitate.
"How do people's names differ around the world, and what are the implications of those differences on the design of forms, databases, ontologies, etc. for the Web?"
This has basically convinced me that you should only ever have a single (long) "Name" text input.
Except, as pointed out, that's generally not sufficient for Japanese, since given their kanji-based names you'll have no idea how to pronounce or sort them without them also telling you in a separate field how they're pronounced.
There's also the issue of interacting with other systems. You may want just one field, but some credit card processor might want 2, etc.
https://bsky.app/profile/jsweetli.bsky.social/post/3lp7sw647...