Hacker News: crtlaltdel's comments

they can be physically isolated at school...not that i'd know anything about it...changing subject...


quite a few shops are hiring rn. i’ve been told google plans on easing up on hiring over the rest of 2020, but it wasn’t described to me as a freeze. there are a bunch of startups that managed to close funding before this broke open, they’ve been hiring as well if that's your thing


Google wouldn’t describe it as a freeze. “Pause”, “slow down”, “recalibration” are all great euphemisms because unless you are super hard up on cash you are going to have critical roles to fill or backfill, and the PR hit on a “freeze” is an unforced error.


i saw this and was thinking “hrm...this is the sort of thing i use lodash for...if i even need it”.

and now i see lodash is a dependency.


It also exposes itself as a Lodash mixin, which I have never used nor seen, so that's something learned.


i'm well acquainted with fpga development so recognized the name from that context.

regardless of that, they will have to up their seo game if they wanna outrank...


noticing a lot of comments about how this is a “javascript” problem. i just want to clarify whether or not people are asserting this is a _language design_ issue, or an implementation of the runtime specifically within the context of web browsers and web servers?

is this a js problem?


No, it has very little if anything to do with Javascript. My charitable reading is that people are using JS as a colloquial term to refer to the Web as a platform in general.

To the extent that it's a browser problem at all, it's a problem with how browsers as a platform handle HTTP requests and site-isolation, which is a security system that predates Javascript.


The issue is an injection attack. The ability to insert either unsanitised HTML data or data reflected inside the context of a JavaScript code block which results in JavaScript execution (by <script> tags, being able to specify data in DOM element events such as onClick or onError, or being able to specify code in onClick/onError events). I don't consider this a flaw in JavaScript itself, rather how JavaScript is harnessed from HTML.

Once JavaScript execution is obtained* it's possible to inject a JavaScript keylogger and/or rewrite the DOM to request authentication details from the victim (resulting in credential compromise). Alternatively, it's possible to use AJAX to perform GET/POST requests to the same domain, routed through the victim's browser, which includes all cookies etc - effectively this is a time-boxed account compromise (CSRF controls do not apply when requests are executed from the local domain).

It's also possible to coerce a browser into triggering the exploit in a hidden iframe on a completely different page (eg you browse to evil.com, there's a hidden iframe which exploits an XSS vulnerability on facebook.com, compromising your facebook account if you're currently logged into facebook on the exploited browser). I'm pretty sure samesite=strict only fixes this if the XSS vector on facebook.com requires the user to be authenticated prior to exploitation; similarly, samesite=lax will not prevent attacks which require authenticated POST primitives.

*I'm a pentester, so that's sometimes my job, I don't break laws.
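An added example (not from this thread or any commenter) showing the defensive side of the two points above: HTML entity encoding so reflected data cannot become a `<script>` tag or an `onError` handler, and a small model of when a browser attaches a cookie under `SameSite=Strict`, `Lax` or `None`. The model reproduces the caveat in the comment: Strict and Lax block the cookie on the cross-site iframe load itself, but once script runs in the target origin, its own same-site requests carry the cookie regardless of the attribute. Function names, the regex check and the sample input are constructed for illustration.

```javascript
// Added example: output encoding for untrusted text and a model of
// SameSite cookie behaviour. Names and sample data are constructed.

// Minimal HTML entity encoding for untrusted text placed into an HTML body.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: reflected input is concatenated as markup, so an element with an
// inline event handler in the input is parsed as a real element.
function renderUnsafe(untrusted) {
  return '<p class="comment">' + untrusted + '</p>';
}

// Safe: the same input is rendered as text, never as markup.
function renderSafe(untrusted) {
  return '<p class="comment">' + escapeHtml(untrusted) + '</p>';
}

// Detection helper: does the rendered HTML contain an element with an
// inline on* event handler attribute?
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Model of whether a browser attaches a cookie to a request, keyed on the
// cookie's SameSite attribute and the request context.
//   Strict: never sent cross-site.
//   Lax:    sent cross-site only on top-level GET navigations (hidden iframe
//           loads and POSTs are not).
//   None:   always sent (requires the Secure attribute in practice).
// An unspecified attribute is treated as Lax, matching current browser defaults.
// Same-site requests, including ones issued by injected script running in the
// target origin, always carry the cookie: SameSite does not mitigate XSS.
function cookieSent({ sameSite, crossSite, topLevelNavigation, method }) {
  if (!crossSite) return true;
  switch (sameSite) {
    case 'Strict': return false;
    case 'Lax': return topLevelNavigation && method === 'GET';
    case 'None': return true;
    default: return topLevelNavigation && method === 'GET';
  }
}

// Constructed sample: a reflected value carrying an inline handler.
const sampleInput = '<img src="x" onerror="doSomething()">';

// Scenario from the comment: hidden iframe on another site loads the target page.
const hiddenIframeLoad = { crossSite: true, topLevelNavigation: false, method: 'GET' };
// Follow-up request issued by injected script inside the target origin.
const sameOriginFromScript = { crossSite: false, topLevelNavigation: false, method: 'POST' };

console.log('unsafe has handler:', hasInlineHandler(renderUnsafe(sampleInput)));
console.log('safe has handler:  ', hasInlineHandler(renderSafe(sampleInput)));
console.log('Lax cookie on iframe load:', cookieSent({ sameSite: 'Lax', ...hiddenIframeLoad }));
console.log('Lax cookie on same-origin XSS request:', cookieSent({ sameSite: 'Lax', ...sameOriginFromScript }));
```

The encoding function handles only the HTML body context; data reflected inside an existing `<script>` block or an attribute needs context-specific encoding, which is the distinction the comment draws between HTML injection and injection into a JavaScript code block.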


IMO, yes and no. The language design isn’t to blame. The libraries and runtime that are colloquially known as JS are. It’s hard to separate the two in discussion so the term js is a bit overloaded.


Thanks for pointing this out because I was just going to say the same thing. It’s most definitely not a Javascript problem, as Javascript is just a language, and nothing about the language design is inherently insecure. The problems are with the implementation of the browsers’ security mechanisms, some of which are indeed controlled via JS.


i’ve found these tools tend to be most readily adopted at the spec, estimate/quote and sales engineering phases. the output becomes part of a proposal.


so you are not proposing this as a design engineering tool? I'm confused


No, we are not selling the software right now. We are using it in-house, thus becoming the only tech-based consulting firm providing drawings at superior speed & quality. But the future vision is to convert it into SaaS.


I'm not asking about who is operating it. I'm asking about what it is being used for. Can you articulate specifically what it is being used to do? Is it estimating BOMs? Performing layouts? etc. There are many automated layout tools...all of which still require human (engineer) review.


It is used to generate detailed and accurate blueprints with quantity take offs and cost estimates.


in some places, like most places in the usa, a PE will need to stamp it. the assumption would be they review, approve and stamp. i designed several hundred control systems for projects in dozens of states without a PE license in the same manner. super common


happy to see this. as an rf tech, lora was promising when i first ran into it circa 2014/15


yeah same here, on web and mobile this is super common. i just went through this with a PM.


imo, “mostly”. it's my impression that this community is very defensive at times, especially when it comes to issues of inequality along gender lines

