The "Dato Duo" is also a synth aimed at kids. It allows 2 kids to play together. It is made by a Dutch company called Dato (https://dato.mu). Their latest musical invention, the "Dato Drum", had a successful Kickstarter and is shipping now. This drum machine allows even more kids to play together.
PS: As the owner of a Dato Duo I can share a little secret with you: it's also fun for adults :)
Love my Datos (also own the drum now)! My kids are jamming with them regularly. Only issue: my youngest LOVES the "Crush" button and just holds it the whole time. Not easy for noise sensitive parents :)
Had a look at Quatt's website. Just a quick remark:
Requiring people to fill in information for a brochure about your product feels weird & I'm not willing to, but ok. However, automatically agreeing to receiving 'marketing communication' & agreeing with your cookie policy when pressing download is definitely not ok. Not from my personal standpoint, but more importantly also not by law (GDPR), although IANAL. Might be a good idea to tell your marketing colleagues about this. Please remind them not to behave like assholes. Nobody likes forced "marketing communication"...it's just a euphemism for spam. Take care.
Yes, I ran & still run a Jitsi instance and a website which would connect you at random to one of 12 participating Jitsi servers in the EU that adhered to our guidelines.
My goal was offering a low-barrier, open-for-all way to connect with loved ones. During the peak of the Covid pandemic, for many people it was easier to connect with colleagues than with family members or friends. So I contacted a few sysadmins and public organizations who I knew were running Jitsi and asked if it could be shared via our public website. A few agreed and a few dropped by and wanted to help out. After a few days a commercial hosting company decided to sponsor us with one VPS as well.
Our idea was to connect the servers and use the API to select a server with the lowest load. In the meantime we used a randomizer...we've never used the API after all, the randomizer worked well enough ;)
People told us they've used our free service for yoga classes, library book reading clubs, hackerspaces & celebrating birthdays with grandma.
Overall I'm still very proud of what we've achieved in a few days with some servers, open source software and a bit of work.
Many thanks to @saghul, 8x8 and all other people contributing to Jitsi. Thank you!
A similar thing happens in the Open Source WordPress plugin repository.
All of my WordPress plugins are free & Open Source. Most are tiny plugins using functionality (filters, actions) part of WordPress core. Unless WordPress becomes backwards-incompatible they will function perfectly fine for the foreseeable future.
From my perspective these plugins are feature complete & unless there's a bug, don't need any attention from me.
Sadly the WordPress repository expects me to update the version number or else the plugin will become less visible in search results and a notice will be placed above the plugin's title stating: "This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress."
So for some of my plugins I occasionally 'bump' the version number to make sure people can still find it in the search & for some plugins I just leave it be because I have better things to do. However it didn't feel quite right to keep people using my work in the dark, so I've added a text to communicate this to them. This is the text from my 'Redirect To Homepage' plugin:
"Is this plugin actively being developed?
Yes and no. Let me explain:
I consider this plugin to be feature complete and unless bugs are found there will be no development on this plugin. In other words this plugin is in maintenance mode and will be maintained for the foreseeable future.
Due to other obligations I’m not always able to keep up with WordPress versions and updating this readme’s ‘Tested up to’ version number. However, unless WordPress significantly changes the way the login_redirect filter works, it should work perfectly fine even though the ‘Tested up to’ might be of a lower version number. As always, when in doubt, test it (and when it does give you issues, feel free to leave a comment)."
I think this balances both interests, those of people using (perhaps depending on) my work as well as my own. A similar approach could be used by commercial app stores to restore autonomy & balance interests.
In the Netherlands (Europe), where I reside, there are plenty of jobs offering 36 or 32 hours. I think most employers are ok with it since they often also work 36 or 32 hrs. Quite a lot of people share the 'load' of bringing up a family, taking care of parents or sick family members & basic house chores & therefore will (have to) work a bit less than 40 hrs.
The url points to a blogpost at Framasoft with information on the release candidate. If you visit the homepage of Peertube (https://joinpeertube.org) you'll likely find the information you are looking for.
I think this is a good example of what separates HN users from normal users. The fact that the blog is on a completely different domain and using a different name is confusing. What's more, when you visit the Peertube domain it's not clear what you should do. Do I need to download something? What's an instance? How come the top video on the page brings me to a separate page?
I know these are things that most HN users are happy to dig into and figure out, but currently there's no way Peertube is "an alternative to video platforms" for even savvy web users, let alone regular users. Maybe that's OK though?
Small correction, it's a non-profit association that can be placed in the same cluster as Mozilla, the EFF, the CCC or the Linux Foundation (i.e., the good guys if you care about FOSS and an open software and internet world)
> It's the same as if Microsoft was posting a blog on its own msdn.com domain for something related to visual studio or SharePoint
Which underlines the point that the parent is making. Normal users are not the ones reading things related to SharePoint. Apple does their announcements on the apple.com domain and not on applnews.com.
> I think this is a good example of what separates HN users from normal users.
Normal users are also not the ones primarily expected to read release notes for release candidates for the Peertube server software. Sharepoint is arguably a good comparison: run by administrators for users - it's just that peertube is more interesting to nerds that are both in one (although I'm sure there's some folks with sharepoint at home...).
The way peertube is an alternative to youtube is not by end users understanding what it is, but by technical users hosting themselves the videos. For example, OCaml has a peertube instance to watch OCaml related content: https://watch.ocaml.org/. This is an alternative to watching the content on youtube.
I think this is the challenge with all decentralised systems: it's not as easy as clicking some buttons and getting served like in web 2. Hope more focus will come on the experience part of this, for such approaches to become popular.
If you go to that site you don't get tons of videos, you get a technical explanation of what it is and a link to a page with 10 channels. Unless you're the kind of person who is on HN, you're just gonna go to youtube instead.
I agree. Pro-active audits will only go so far; there is definitely a need for other measures (which are implemented as well). A Content-Security-Policy is, as far as I know, still really hard to implement well (as in truly protecting assets instead of being a policy tick-off) on WordPress with external plugins and themes. Sadly, a CSP will not protect against attacks running in a post-install step of npm install in your development environment, as this is also a risk of using npm packages.
A WordPress plugin may contain hundreds of interdependent npm packages all neatly bundled and minified. Without access to a package.json or package-lock.json it is quite hard to find out which individual packages have been used. Quite often there is also no public repo available of the development files.
To give an example of my process thus far:
Someone in my team wants to see if we can use plugin X. I’m downloading the plugin to have a look at the code. Luckily this plugin has included a non-minified version of the js file. I can derive the use of npm packages from this file. Using Snyk I have a look at the first package mentioned. It’s axios. The included version is vulnerable (high & medium severity) and has been for almost a year (Note: the last version of the plugin is 3 months old and does not exclude this vulnerable version in its package.json, which I found in a Github repo later on).
Since I have no package.json nor package-lock.json (all I have is the distributed build) I can’t easily update the npm package. I have no clue as to how this package relates to the other packages and how their version might depend on each other. Even if I would update the package, all other users of this plugin are still vulnerable. I contacted the plugin author. He tells me he will update the plugin as soon as possible. The plugin is (as of today) still not updated & has not released a new version. In the meantime there have been two new versions of the axios package released.
Every user of plugin X is still vulnerable to the issues mentioned on Snyk, but is this a real problem in this specific WordPress plugin context? I’m not sure how to interpret the high & medium severity in the context of this plugin. How exploitable are these issues & what is the impact of the exploits in the context of this plugin? Do I need to be a logged in user? Is this something which can be triggered by any visitor? What am I able to do when I can exploit these vulnerabilities? I can only try to find answers to these questions if I’m willing to invest a lot more time into this, which more or less defeats the purpose of using a ‘ready-made’ WordPress plugin. And this is just one package of multiple npm packages used in this plugin. Packages which also have their own dependencies as well….
At this moment I’m wondering if any WordPress plugin using npm packages can be trusted at all.
ps: The way the npm ecosystem is structured is, in my view at least, problematic. Often packages are not like libraries as I’d expect, but look more like a function call or method call. I’d prefer to write these short pieces of code myself instead of depending on external code which also includes extra risks. The very rapid release schedules make it even harder to trust external software (like a WordPress plugin) using npm packages, as it seems they cannot keep up with it.
I’m sorry if this seems like an npm rant, but I’m seriously looking for methods on how to deal with these issues so we can use external software (like WordPress plugins) built with npm packages.
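The situation described in the comment above, where only a distributed bundle is available and package.json is missing, can be partly automated. The following is an added example and not code from the commenter: it recovers package names from the node_modules paths that webpack-style non-minified builds leave behind, picks up "name vX.Y.Z" version banners where present, and compares them against an advisory list. Both the sample bundle and the advisory list are constructed for illustration.

```javascript
// Added example, not the commenter's code: given only a distributed JS bundle,
// recover the npm packages it embeds and flag versions below a known fix.
// SAMPLE_BUNDLE and ADVISORIES are constructed for illustration, not real data.
const SAMPLE_BUNDLE = [
  '/***/ "./node_modules/axios/lib/axios.js":',
  '/* axios v0.18.0 | (c) 2018 by Matt Zabriskie */',
  '/***/ "./node_modules/@babel/runtime/helpers/typeof.js":',
  '/***/ "./node_modules/qs/lib/index.js":',
  '/***/ "./node_modules/axios/lib/utils.js":',
].join('\n');
// Placeholder advisory feed: package -> first version that carries the fix.
const ADVISORIES = {
  axios: { fixedIn: '0.19.0', note: 'constructed advisory for illustration' },
  qs: { fixedIn: '6.5.3', note: 'constructed advisory for illustration' },
};
// Strict "a < b" on dotted numeric versions (no pre-release handling).
function semverLt(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}
// Map package name -> version string, or null when no version banner is found.
// Names come from node_modules paths left in non-minified builds; versions from
// "name vX.Y.Z" banners that many libraries keep at the top of their dist files.
function extractPackages(bundle) {
  const found = {};
  const pathRe = /node_modules\/((?:@[\w.-]+\/)?[\w.-]+)\//g;
  for (const m of bundle.matchAll(pathRe)) if (!(m[1] in found)) found[m[1]] = null;
  for (const name of Object.keys(found)) {
    const esc = name.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
    const m = bundle.match(new RegExp('(?:^|\\W)' + esc + ' v(\\d+\\.\\d+\\.\\d+)'));
    if (m) found[name] = m[1];
  }
  return found;
}
// Cross-check the recovered packages against the advisory feed. A package with
// an advisory but no recoverable version is reported separately: it still needs
// a manual look rather than being silently treated as clean.
function auditBundle(bundle, advisories) {
  const packages = extractPackages(bundle);
  const findings = [];
  for (const [name, version] of Object.entries(packages)) {
    const adv = advisories[name];
    if (!adv) continue;
    if (version === null) findings.push({ name, version, status: 'unknown-version', note: adv.note });
    else if (semverLt(version, adv.fixedIn)) findings.push({ name, version, status: 'vulnerable', fixedIn: adv.fixedIn, note: adv.note });
  }
  return { packages, findings };
}
```

Minified builds usually strip both the paths and the banners, so an empty result means "could not tell", not "no dependencies".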
My first question here would be: What is the attack vector you are worried about? If your wordpress instance is taken over, what is the problem? That the intruder gains access to data they should not have? Or that they will use your machine in some way that would harm you?
There are multiple attack vectors I can think of, although most can be mitigated using other security measures. I don't want to rely on audits only, of course. To give you an example: using the WordPress environment as a stepping stone to gain more access, running client-side software without our permission (stealing data from visitors, our resources e.g. crypto miners), defacement/fake-news, etc.
My reply to this would be that this is very broad.
In my experience, if you really want to make your infrastructure more secure, you need to explicitly define what it is you want to avoid.
Taking your first point: You say "using the WordPress environment as a stepping stone to gain more access". What type of stepping stone would this be? How can malicious JS on the WP instance escalate its privileges?
npm with wordpress usually means front-end code, so one possible issue is attackers sneaking in stuff like credit card number stealing scripts etc. So it is more like protecting end users and less protecting the server/system.
It would have similar security risks if your frontend is compromised, for example, it could make the users pay their cryptocurrency payments to an attacker-controlled address.
For those interested, Kanflo wasn't the first to create an Arduino-like clone in this form factor. For instance there is the JeeNode and its siblings developed by Jean-Claude Wippler.
The JeeNode is way bigger than an AA (with the upper pins bent outwards nearly double the size).
I recently bought teensys (or teensies?) to get smaller (a little too wide for AA slots though): https://www.pjrc.com/teensy/teensyLC.html Given the cost you might want to try to sand off one side of the connectors to make it fit :)
Reminds me of the Dato Duo I have.