Hello Raspberry Pi

I couldn’t help it. I’ve watched other open source friends rave about playing with the Raspberry Pi but had yet to really jump in on it all. See, I bought a GuruPlug a while back and had kind of a bad experience with it. You know, overheat and shut off. In fairness the manufacturer of the device did provide a hardware fix quite a while later, but I’d already moved on and forgotten why I bought the device in the first place. It took the consistent praise from online friends and one conversation with my friend Andrew to get me to take the plunge.

Yesterday it arrived in a nondescript package. A simple yellow padded envelope. Opening it up I saw two small boxes. Funny thing is the larger of the two boxes is actually the wall plug. But I didn’t have time to do anything other than prepare an SD card with Raspbian on it. Today I’ve thrown it on the network (headless) and have an ssh connection in to update the default system.

Now I’m at a bit of a loss or, I should say, I’m not sure where to start. I picked up a breadboard, wires and LEDs to do a little playing around. I’m just not sure what I want to do for a longer term project. I’d like to start working with some sensors and pick up more knowledge in that space. I have some more components on the way but it will be a while. Maybe I’ll snag an Arduino while I wait.

AR Gaming: Ingress Is Fun If You Don’t Give Up

In 2001 a game was released that I so badly wanted to play. It was called Majestic and was one of the first alternate reality games with a lot of game press and hype. I wanted to play it due to the blur between reality and game, as the game takes place in real life, just with false facts. I remember reading that one could change the level of realism for the game. For instance you could configure it so that any communication that came your way would be prefixed by a notice that it was from the game, with a marker of some kind, or simply not differentiate itself at all. Or at least something like that could be done.

In conversations with my friends I found out that I was the only person I knew who thought this could be fun. My friends would say things about how it would be too much of an interruption to life or that people with severe mental problems could be sucked into the game believing it to be reality. As it turned out there was not enough love for the game for it to continue and, sadly, I never got to give it a go myself.

Years went by where I figured the genre had been put into a corner where only AR geeks would dare go. Half-baked sub-indie attempts, extreme role-playing guilds and stupid marketing tie-ins. None of these seemed that fun to me. I actually thought about trying to write my own (as in the server application for an ARG) as that seemed more fun than joining one of those ARG-but-not-really-ARG games.

Then Google released Ingress and I waited for an invite. I signed up for the closed beta. More waiting. And then a coworker passed me an invite and I was in.

I loaded up the game and went through the tutorial, which confused me. See, I thought I was actually playing in the tutorial and not just learning how to play. I looked around and saw no portals (except the tutorial one) and thought that maybe my area was not that hot for playing. Then I realized it was not the full AR but just a tutorial and got into the game proper.

Still confused. I saw these large green things on my device. There wasn’t anything explaining to me what these were so I assumed it meant ‘out of bounds’ areas. Of course later I learned what this meant. I actually played the game for a few weeks before realizing that they were Control Fields. If it wasn’t for my coworker essentially being the instructor of the game mechanics I’d probably have grown tired of being confused.

Once I got the hang of the game, running to locations with portals became fun. Granted, I couldn’t do much yet as I was a level 1 agent in a level 4 or higher world, but I still knew I was helping. And it got better. Like any good ARG there was a community which was very active. And not just active within each faction but outside it as well. While playing it is faction versus faction, but we all can have fun outside of the ARG together as well. How great is that?

I’m so glad that today there is the Ingress Field Guide, which is exactly what I could have used when I joined up. It explains the dynamics of the game in a way that Google should have done itself. If you get to join the closed beta take the time to read the guide.

Some Issues

I think that Google not providing information is probably the biggest detriment to the game, as people can easily get confused, bored or frustrated, especially if there is no community already established in an area.

Another issue is in smaller cities and towns where portals are, at best, very sparse. In such areas I think they should start to place some portals based on the people who have joined in the area so that there is something for them to target. When I visited the place I lived previously I found there to be 5 or so portals in the entire city even though there were probably enough players to have many more portals. I have a feeling that those players will get frustrated or bored fighting over the same 5 portals. Even as I left I noticed most of the portals were owned by one of the factions and were high enough level that I doubt the other faction could do much back (unless there was an Op coming in from other cities).

The last issue I see is in balance. If either faction becomes too powerful they can dominate and more or less force the other faction out of playing altogether. This takes time (and a whole lot of effort from the first faction) but it’s possible. The only fix for this is in rules and game balance as set by Google. We will see how they fix this over time.

But Worth It

Even with its faults I’m having a lot of fun and meeting people I normally would have never met. People in different industries. Folks from different backgrounds. People traveling in from different areas. The game is still evolving and the player base continues to grow as well. If all goes well the issues will be addressed by Google over time. The game is still in closed beta so changes and fixes are likely to continue. But even if they don’t fix all the issues the game is still a blast right now!

Nintendo Wii U

It should come as no surprise that I like video games. I’ve owned (at one time or another) each of the current generation systems. In fact I believe I’ve owned at least two 360s and exactly two PS3s. Why? Hardware failure. After my second or third 360 death I moved to the PS3, which lasted years before needing a replacement. For the Wii I stood in line for hours on launch day and was barely at the cut-off point when they did the counting. I got sick from standing so long in the cold but it was worth it.

This week the Nintendo Wii U has been on my mind a lot. It’s the first of the next generation consoles. Its marketing to people like me has been incredibly poor. I’m not a classic cable watcher or OTA network guy so all the ads I’ve seen have been online. Many times I have to seek out information rather than be enticed by advertising. For me this means there are still things about the Wii U that I’m sure I don’t know about.

One feature I just picked up on was TVii. It actually matches half of what I’ve really been wanting in a media center device by finding the prices and availability across the services I subscribe to.

The primary usage of a Wii U is video games. No brainer. It’s a Nintendo device. Recently I walked up to one of the demo stations at a store. The tablet style controller was comfortable and lighter than you’d expect, but all of the games on the station were video only. I was pretty disappointed with the graphics quality shown.

I wasn’t expecting realistic graphics or anything like that but watching the videos on the station I felt like it was not much of a step up. Yes, better but an evolutionary step for the console series, not a revolutionary one. I saw artifacts on Mario. I shouldn’t be seeing that.

Granted, this could be the demo station’s fault. It’s possible cheap televisions are in use. Maybe it will look better connected to a normal consumer TV. But then again this is a station that is there to entice me into buying. The only thing I could say for sure was that the station had the opposite effect. I went in with a secondary objective to find out about launch day plans or pre-ordering but left pretty sure I would not be buying a Wii U.

But after further thought I think TVii is what will tip the scales for me. Not at first, mind you. I want to make sure it’s not a gimmick that falls into the shadows after launch. As long as TVii gets added sources and good post-launch reviews I think I’ll have a place for the Wii U.

Indie Games and Mew-Genics!!

Over the last few months I’ve been getting more and more into indie games. I’ve even toyed around with the idea of trying my hand at a super simple indie-indie game (just to see what the whole cycle is like). I’ve not stopped playing games from big studios but I do find many of the indie games to be much more satisfying, either due to the unique mechanics and new ideas or from the retro feel sending me back to why I started playing games in the first place. Who would have thought I could have so much fun watching a fleet of ships run away from my managerial skills?

And fun indie gaming brings me to Team Meat, the creators of Super Meat Boy. Team Meat announced development on a new game called Mew-Genics. Right now there is very little information other than the blog post and the teaser image. Though even with missing specifics I’m not any less excited about this great indie duo pumping out another fun to play game with a strong dose of uniqueness!

If you are unfamiliar with Team Meat or have not watched Indie Game: The Movie, watch it now!

What I Want From a Home Theater PC/Digital Media Receiver

A few years ago I sat down to figure out how much I was paying in cable versus the amount of time I was using it. I found that I really only watched a handful of shows and could probably save money by buying the seasons. In other words I was a normal casual TV watcher. The next course of action was easy because for me it was a no brainer. I cut cable. I haven’t wanted to go back.

Today I use a PS3 to watch Netflix and Amazon while relaxing at home. On the go it’s Android devices to watch Google Play and Netflix. These are great services and, overall, I’m happy with the content they provide (though Netflix seems to go up and down in terms of stability).

I just read about the newer Boxee TV after hearing about it in some podcasts. I like its idea but, for me, it still isn’t what I really want out of an entertainment device. I like the idea that it uses cloud storage because it should make it easier to stream the content to other devices as well (at least in theory). It’s nice on general functionality now, but I can’t see it as a long term solution. I still have two issues with the designs of Boxee and the like that keep me waiting to put down money on a dedicated HTPC/DMR.

When I want to watch something that I will be paying for I want to feel like the customer. I want to feel like I’m getting the best price for the item I’m purchasing. Simple concept. So far I’ve yet to see a device which makes me feel this way. Instead, I feel like I get access to one or more video services where I can pay their price if I choose to buy/rent/subscribe. Most of the time I know what I want to watch, and what I really want the device to do is search across all the services I have accounts on for the best price. Am I a Netflix member and it’s there? Great! Take me there! Is it $0.50 cheaper on Google Play than Amazon VOD? Let’s buy it from Google then. In the end I don’t much care who is providing the content as long as it’s legal, I am getting it at the best price and I am able to access it when I want to watch it. As a bonus it would be nice to tell the difference between watching it because it’s in a subscription and owning a watch-it-forever license.

The other item is not something a HTPC/DMR company can really influence directly in my opinion. I believe that when I purchase a video online I’m actually purchasing a license to stream the content. Not all services are available on all devices (as I alluded to before with Amazon not being on my tablet). Why can’t I import my licenses from provider A to provider B? At the very least, why can’t I do it if provider A changes its business to something else (or goes out of business)? The quick argument against license import/export would probably be about how a customer could move away to another service but, honestly, that wouldn’t be a major problem. In fact, it could be a benefit. Someone who moves is likely moving over to make the other service the sole provider of their content due to price/convenience/access for their specific situation. This would mean future revenue from the person. The original seller wouldn’t lose the money already made by selling the license and would gain back bandwidth by not needing to stream the content to the user. The consumer also wins here as they can gain the best access and use the service(s) they wish to use at any time. It’s not remotely like this today and I’ve been burnt in the past by companies deciding to change direction and cut access to purchased content. For this reason I can’t see any of the devices (or services) today as a long term buy nor a replacement for buying a Blu-ray or DVD.

The closest option seems to be XBMC but it also seems to be more channel focused instead of content focused, and the issues around future access still exist from the big players. Things do seem to be moving in the right direction but, for now, buying content in a physical media format is the safest bet for watching later.

Simplicity Over Beauty. Functionality Over Features.

I’m a fan of many of the services that allow the legal purchase of music online. One service that I’ve come to enjoy over the years is emusic which, for quite some time, didn’t provide a way to download music other than through their website and desktop downloader.

As seems common, a developer decided to scratch his own itch and release a mobile downloader application. If it wasn’t for his application I could have easily moved over to Amazon MP3 or Google Music just based on the ease of purchase and growing selections. Fast forward a year and emusic figured out people wanted a mobile downloader. A beta was released.

And it was buggy and had features that, as a user, I really don’t care about, while having oddly implemented features that seemed core to the downloader experience. Let me explain: I wanted to search, purchase and download music. I think that those three actions are nearly universal for a music purchase and download app. Here is the list of features for the official emusic application:

  • Listen to any MP3 files stored on your phone through the music player
  • Get song recommendations based on your listening habits
  • Create playlists tailored to your every mood
  • Browse an artist’s dossier (discographies, biographies, photos, features, and related artists) while you listen to music
  • Access eMusic’s unique charts
  • Search eMusic’s catalog and listen to track samples
  • Download music
  • Listen to eMusic Radio (available to U.S. members only)
  • Save for Later
  • Access account details

(Source)

This is how I ended up feeling about the emusic application: it searched, purchased (or crashed), downloaded in a weird filename format (or crashed), wanted to search my existing library to give recommendations (sort of weird) and listened to samples (or crashed). When the application crashed there was a possibility that emusic would think I had downloaded the song when I didn’t receive it, meaning I would need to contact support and ask for a redownload.

The ‘weird format’ may sound, well, weird but it’s true. I’m someone who likes to listen to music in many settings. The two most common ways I listen to music are from a laptop or via my phone. Obviously this means I’m at least using two different music players (right now it’s Nightingale and Player Pro) and the need to organize music is important. When I download via the emusic website or via the indie developer’s app I get a nice directory structure with artists and songs named in a way that makes sense to me. When I download from the emusic mobile application, well, see for yourself:

In fairness many of the crashing bugs have been fixed and it’s a better client than it was, but I still buy and download using the third-party developer’s application. It’s simpler, stable and lets me do the three tasks I need out of a downloader.

So why didn’t emusic decide to license/buy the downloader that the developer released? I’m not totally sure but I have an inkling that they wanted to show they could outdo the simple app. Pretty interface, more features, samples, etc. As a user I care less about how it looks and much more about how functional the application is.

Today I still use the indie developer’s emusic downloader instead of the official app and I recommend its use over emusic’s official app. I want an application that lets me get the music I want and delivers a consistent user experience (read: simple flow and doesn’t crash). If it’s not pretty or doesn’t have every single cool feature under the sun, well, I’m ok with that.

Basic Web Security For The Average User

The Web has been around long enough that Web applications are a part of almost everyone’s daily life. Even when a user is on a mobile device they could be interacting with Web services. Sadly there are still many applications and services out there which lack what should be the minimum security. Luckily there are some workarounds users can apply to try to protect themselves when applications have less than stellar security practices.

Secure Socket Layer (SSL)

What is it?

SSL keeps the Web traffic between you and the originating server encrypted, meaning it’s harder for someone else to see the data while it is in transit. If SSL is not in use the Web traffic is viewable by anyone on the wire.

Can I increase my safety?

The best defense is diligence. Whenever you are going to be entering data or logging in, and after you have logged in, it’s best to make sure you see ‘https:’ at the start of the URL.

For Firefox and Chrome users the EFF provides an extension called HTTPS Everywhere which attempts to keep your browsing over SSL where possible.

Cookie Flags

What is it?

Cookies are utilized to help identify and store small bits of information on the client side (your browser). Over the years a few flags have been added to cookies that help keep them from getting to the wrong people as easily. These flags are Secure and HttpOnly. Secure tells the browser that it should only pass the cookie to the server if the connection is using SSL. If it isn’t using SSL the cookie does not get sent with the request. HttpOnly keeps the cookie out of the hands of JavaScript, only giving it back to the originating server directly over HTTP/HTTPS requests.
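Since the flags are set by the server, the most a user can do is notice when they are missing. As an added example (not part of the original post), here is a small Python script that parses a Set-Cookie header, reports which of the two flags is absent, and builds a hardened header with both flags on. The header strings in it are constructed for the example, not captured from any real site.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly flags.

The sample headers below are constructed for this example and are not
captured from any real site.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased so the check is case-insensitive;
    bare flags such as Secure and HttpOnly carry no value and map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def missing_cookie_flags(header):
    """Return the protective flags the header does NOT set, in a fixed order."""
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if attrs.get("secure") is not True:
        missing.append("Secure")      # cookie would travel over plain HTTP
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")    # cookie would be readable by script
    return missing


def build_set_cookie(name, value, path="/", secure=True, httponly=True):
    """Produce a Set-Cookie header with both flags on by default."""
    parts = [f"{name}={value}", f"Path={path}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


# Constructed examples: weak, partially protected, and hardened.
CONSTRUCTED_HEADERS = [
    "session=abc123; Path=/",
    "session=abc123; Path=/; Secure",
    "session=abc123; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in CONSTRUCTED_HEADERS:
        missing = missing_cookie_flags(header)
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{header!r}: {status}")
    print("hardened:", build_set_cookie("session", "abc123"))
```

Run against a header copied out of your browser’s developer tools (Network tab, response headers) to see which flags a site you log into is setting.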

Can I increase my safety?

Right now I’m not aware of any extensions which force cookies to be HttpOnly on the browser side. If you are aware of a good mitigation please comment.

Cross Site Scripting (XSS)

What is it?

OWASP defines XSS like so:

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

(Source)

Can I increase my safety?

By installing NoScript or something similar and utilizing Google Safe Browsing you can lessen the chance of successful XSS attacks, but it is far from a silver bullet. There is work being done to attempt to make XSS attacks much harder but it’s not currently in use.
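The OWASP definition above puts the root cause on the application side: user input copied into the output without encoding. As an added example (not part of the original post), the following Python shows the vulnerable pattern next to the fixed one using the standard library’s html.escape, for both the text context and the attribute context. The input strings are constructed for the example.

```python
"""Output encoding: the application-side fix for reflected XSS.

The inputs used here are constructed for this example.
"""
import html


def render_greeting_unsafe(name):
    # Vulnerable: the value is dropped into the page as-is, so any markup
    # the user supplied becomes part of the document the browser parses.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Hardened: HTML-encode the value for the text context before output.
    # '<', '>', '&' and quotes become entities the browser shows literally.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_search_box_safe(previous_query):
    # Attribute context: quote=True also encodes the quote characters, so
    # the value cannot close the attribute early and start a new one.
    return f'<input name="q" value="{html.escape(previous_query, quote=True)}">'


def contains_raw_tag(output, tag):
    """Crude check used in the demo: is an unencoded <tag> present?"""
    return f"<{tag}>" in output


CONSTRUCTED_NAME = "<b>Eve</b>"

if __name__ == "__main__":
    print("unsafe:", render_greeting_unsafe(CONSTRUCTED_NAME))
    print("safe:  ", render_greeting_safe(CONSTRUCTED_NAME))
    print("attr:  ", render_search_box_safe('a"b'))
```

Encoding has to match the context the value lands in (text, attribute, URL, JavaScript); html.escape covers the first two, which is what this post is about.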

Cross Site Request Forgery

What is it?

Cross-site request forgeries happen when a browser on one page makes a request to a different site to attempt to do something on behalf of the user. There are many cases where this vulnerability is used by developers as functionality, but that doesn’t make it any less dangerous.

Can I increase my safety?

Wikipedia has a good page on the subject:

Browser extensions such as RequestPolicy (for Mozilla Firefox) can prevent CSRF by providing a default-deny policy for cross-site requests. However, this can significantly interfere with the normal operation of many websites. The CsFire extension (also for Firefox) can mitigate the impact of CSRF with less impact on normal browsing, by removing authentication information from cross-site requests. The NoScript extension mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing payloads from POST requests sent by untrusted sites to trusted ones.

(Source)
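The extensions quoted above work by stripping credentials from cross-site requests on the browser side. The application-side fix is a per-session token that a page from another site cannot read and therefore cannot submit. As an added example (not part of the original post), here is that check in Python with a constructed session dictionary standing in for server-side session storage and the form dictionaries standing in for posted forms.

```python
"""Synchronizer-token check against cross-site request forgery.

The session and form dictionaries are constructed stand-ins for a real
framework's session store and parsed POST body.
"""
import hmac
import secrets


def issue_csrf_token(session):
    """Create a fresh random token, keep it in the server-side session and
    return it so the page can embed it in its own forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """True only if the submitted token equals the one stored for this session."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    try:
        # Constant-time comparison; different lengths simply compare False.
        return hmac.compare_digest(expected, submitted)
    except TypeError:
        # compare_digest rejects non-ASCII str input; treat as invalid.
        return False


def handle_change_email(session, form):
    """A state-changing handler that refuses requests without a valid token.

    Returns (status_code, message) like a minimal web handler would.
    """
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403, "request rejected: missing or invalid CSRF token"
    session["email"] = form["email"]
    return 200, "email updated"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Request from the site's own form: carries the token, succeeds.
    print(handle_change_email(session, {"csrf_token": token, "email": "me@example.com"}))
    # Request triggered from another site: the browser sends the session
    # cookie, but the foreign page could not read the token, so it is absent.
    print(handle_change_email(session, {"email": "attacker@example.com"}))
```

The token is tied to the session, not to the user’s cookie alone, so a forged request that rides on the cookie still fails the check.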

Password Hashing

What is it?

When an application stores passwords it should do so in a way that it doesn’t actually know the password you’ve entered. It may sound odd, but it’s pretty trivial for application developers to do this. Yet sometimes they forget to implement this hashing (or the application is ancient and was never updated to do this).

Can I increase my safety?

The best thing a user can do to protect against disclosure is to use different passwords for each site. Understandably this can sound scary: people feel like they have to remember too many passwords already. Thankfully there are applications which can help generate, store and remember these passwords and let you remember just one. Here are a few popular choices:

External References

What is it?

It’s very common for Web applications to include JavaScript, images or CSS from other locations. The reason for this is either to increase performance by using the browser’s cache, use of a content delivery network, including ads/analytics or, in some cases, laziness. The problem for the user comes when the remote content becomes unsafe or the content acts in ways the user is not OK with.

It can also cause problems for the application including the content. For more information see my previous post on trusting others to host your content.

Can I increase my safety?

Since, in most cases, the external references are required for the application to work, it is quite hard to fully add protection in the browser, but there are still some things that can help.

One more thing…

While not specifically related to the bare minimum of remote web application security, it’s important to keep your browser and extensions/plugins updated with the latest patches and supported versions. This can help protect against sites which are hosting browser-based exploits for one reason or another (of course, don’t purposely go visit such a site!). For plugins, Mozilla provides a great plugin check page which seems to work for Chrome to some degree as well. Go check your versions!

Proprietary Content Provider Woes

I am a fan of technology and comics so when Sony started providing comics through their Playstation Store service I decided to give it a go. It wasn’t bad for an early go and I enjoyed the ability to download and read comics on a whim.

Yesterday I received an email from Sony which was blank. Well, actually it was an HTML-only email which my mail client did not render (as I block HTML email), including an email-opened tracking image (http://links.sony.mkt3395.com/open/log/.*) via MarkMonitor. The email had the subject of “PSP (PlayStation Portable) comic content service closure announcement”. I followed the more information link and read up on what the plan was.

Question: Why are you closing the Comic store for PSP?
Answer: We stopped providing new content to the Comic Store last summer to focus on bringing the comic service to other Sony devices. Our focus now is to bring more  digital entertainment services to our products.

Q: What happens in January when the re-download service for Comic Store is no longer available, will I be able to access my previously downloaded comic content?
A: From mid-January you will not be able to access previously downloaded content from the Comic Store however, to avoid losing your downloaded content you can back it up on your PC using the Media Go application

(Source)

My first thought was “Great, all my purchases are now dead.” but I decided to avoid being so negative so quickly and clicked for more information on Media Go. Maybe they have a plan for us consumers.

Plans?

Media Go can back up the comics that one purchased, but it requires Windows and/or Sony devices. That puts me totally out of luck. My understanding is that the format of the comics is proprietary, so I’d probably be out of luck even if I could back them up without purchasing something to run Sony’s proprietary software. My saving grace is that I didn’t spend a ton of money on getting comics from Sony, else I’d be really upset.

What Would Have Been Better

Sony is focusing on ‘providing content’ to their other devices. That’s all well and good but I own one of their devices and the comics were some of the content. A better solution for customers would have been to make a deal with another provider of digital comics to allow for continued access to already purchased content. Even if it is proprietary to proprietary (like ComiXology) it would still be continued easy access.

Sony Says Thank You

“We apologise to fans for the change and thank you for your support of the Comic Store for PSP,” said SCEE’s Mayumi Donovan.

(Source)

I guess some companies are not ready to provide content. I hope they learn from this mistake as I have. In the future I’ll be much more cautious about who I allow to be a paid content provider by looking at how they handled the end of previous content distribution.

Humble Indie Bundle 6

A few years back I learned about the Humble Indie Bundle from a coworker. “Name your price, help charity and download,” he said. My initial reaction at the time was to read about the package and nicely say “good for you for supporting them.” Why? Because I wasn’t sure what price to select for the games. I had been so desensitized to the general commercial distribution channels that the idea of picking my own price sounded too good to be true. I thought “sure, it goes to charity and indie developers but the games must not be that great if I can pay $10 and walk away with 5+ games.”

Fast forward. When I was told a new bundle was released I decided to give it a shot. Worst case I’m out $20 or so. I paid, downloaded and played. Then played, followed by playing some more. I believe I played Bastion the most out of all of that bundle but I had a lot of fun with many of the games. It was obvious I had been missing out.

When 6 was released I didn’t hesitate. I bought the bundle the first day it went up. I even bought a second giftable bundle. I’ve not been disappointed.

There is one more awesome feature: the games run on Linux and Macs as well as the commonly supported Windows. For people like me who spend most of the time in Linux (because I like it) it’s so nice to play in the same OS I live in.

So far I’ve spent the most time in SPAZ. It’s my kind of game for sure. In some ways it reminds me of Solar Winds, which was one of my favorite games from my childhood, though I’d say SPAZ is more action oriented. Torchlight is a close second followed by Dustforce. I’ve yet to try the latest 4 additions to the bundle (seriously, more AFTER you buy!) but can’t wait to try Jamestown, Wizorb and Gratuitous Space Battles as they all look right up my alley.

TL;DR
The Humble Indie Bundle 6 is worth the cost and you can help charity at the same time. What’s not to like?

Trusting Others To Host Content In Your Web Apps

One of the things I tend to warn other developers about is the inclusion of third party content into their applications. No, I’m not talking about pulling in serialized data from trusted sources. I’m talking about simply adding “stuff on the site”. This isn’t anything ground breaking. In fact, it’s pretty obvious stuff. The news that Google was identifying The Verge as a malware host is a pretty good and well publicized example of what can go wrong. Keep in mind I’m going based on public information.

If you are unaware of The Verge here is how they define who they are:

The Verge was founded in 2011 in partnership with Vox Media, and covers the intersection of technology, science, art, and culture. Its mission is to offer in-depth reporting and long-form feature stories, breaking news coverage, product information, and community content in a unified and cohesive manner. The site is powered by Vox Media’s Chorus platform, a modern media stack built for web-native news in the 21st century.

(Source)

Visiting

When most general users go to a website they probably don’t realize that they may be making requests out to many locations. In the case of The Verge’s main page they are making requests out to the following domains for images and JavaScript.

  • http://www.google-analytics.com
  • ajax.googleapis.com
  • apis.google.com
  • ad.doubleclick.net
  • platform.twitter.com
  • cdn0.sbnation.com
  • cdn1.sbnation.com
  • ox-d.sbnation.com
  • tags.crwdcntrl.net
  • fonts.sbnation.com
  • bs.serving-sys.com
  • cdn3.sbnation.com
  • http://www.facebook.com
  • p.typekit.net
  • edge.quantserve.com
  • aperture.displaymarketplace.com
  • static.chartbeat.com

The more technical the reader is the more likely they are to understand that a visit to a website is probably going to include many requests to many different sites. The above list of domains is pretty normal. Facebook, Twitter and Google for social networking. Ad companies to show ads. Tracking companies for analytics. And the use of a CDN (content delivery network) is a pretty common practice for web applications which encounter high load. Nothing to see here, right?
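A list like the one above is easy to produce for your own site, and it is the first step in the external-references check from my web security post as well as the trust question here. As an added example (not part of the original post), this Python script parses a page with the standard library’s HTMLParser and reports every host other than the page’s own that script, stylesheet, image or frame tags pull from. The HTML it runs on is constructed for the example with placeholder example.* domains; it is not The Verge’s markup.

```python
"""List the third-party hosts a page loads script, style, image and frame
content from. The sample page below is constructed for this example with
placeholder domains.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# tag -> attribute that names the resource the browser will fetch
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ExternalRefCollector(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.hosts = {}  # host -> set of tag names referencing it

    def handle_starttag(self, tag, attrs):
        attr = SRC_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # Only stylesheet links fetch content that runs in the page.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        url = a.get(attr)
        if not url:
            return
        # netloc also handles scheme-relative URLs such as //cdn.example/x.js;
        # relative paths have no netloc and are first-party.
        host = urlparse(url).netloc.lower()
        if not host or host == self.page_host:
            return
        self.hosts.setdefault(host, set()).add(tag)


def external_hosts(html_text, page_host):
    """Return {host: [tags]} for every third-party host the page references."""
    collector = ExternalRefCollector(page_host)
    collector.feed(html_text)
    collector.close()
    return {host: sorted(tags) for host, tags in sorted(collector.hosts.items())}


# Constructed sample page for www.example.com with placeholder third parties.
CONSTRUCTED_PAGE = """
<html><head>
<link rel="stylesheet" href="//fonts.example-cdn.net/site.css">
<link rel="canonical" href="https://www.example.com/">
<script src="/static/app.js"></script>
<script src="https://ajax.example-apis.com/jquery.js"></script>
</head><body>
<img src="https://www.example.com/logo.png">
<img src="http://cdn0.example-cdn.net/hero.jpg" />
<iframe src="https://platform.example-social.com/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, tags in external_hosts(CONSTRUCTED_PAGE, "www.example.com").items():
        print(f"{host:32} {', '.join(tags)}")
```

Every host the script prints is one whose security posture your page now depends on; a reputation hit against any of them, like the one sbnation.com took, becomes a warning shown to your visitors.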

Maybe a little

By including these domains there is an amount of trust given. If any of those third party sites encounters a security issue then the site doing the including could be affected. In this case it was sbnation.com’s reputation which was causing an issue. At one point Google’s Safe Browsing system identified malware being hosted on sbnation.com, which means it is going to flag requests to the domain as a possible problem. In fact, here is what Google Safe Browsing had for sbnation.com:

What happened when Google visited this site?
Of the 8071 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-09-17, and the last time suspicious content was found on this site was on 2012-09-16.
Malicious software includes 8 trojan(s), 2 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including 63.143.*.0/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including u******.net/.

This site was hosted on 26 network(s) including AS29791 (VOXEL), AS36089 (OPENX), AS11855 (INTERNAP).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, sbnation.com appeared to function as an intermediary for the infection of 3 site(s) including ml****.com/, fa******.com/, f*******es.com/.

(Source – Asterisks added)

Because sbnation.com had malware associated with it recently, The Verge, who was using sbnation as a CDN, had its threat level raised. It’s even pretty obvious via the red warning that Chrome was giving users: “www.theverge.com contains content from cdn0.sbnation.com, a site known to distribute malware”. If you are interested in what the errors looked like to users check out the thread that was going on The Verge’s forums.

Was the situation dangerous?

I have a feeling in the above case it probably wasn’t. The CDN is probably used by a lot of different sites and the content in use is likely uploaded by the first party but, to be honest, I didn’t look into it as it’s an example of what can go wrong and not the meat of the post. But it still isn’t the best position to be in. If users want to be protected then having a system like Safe Browsing warn them that a third-party host in use by the first party has been noted as distributing malware is probably a fair result.

Is including remote content really about trust?

Yeah, it kind of is. Let’s say there is a web application that lets you get feedback on your site simply. All you need to do is drop in a small bit of JavaScript referencing the service and you will be set! You’re all done and can have a drink to pre-celebrate the great feedback you’ll get. But what if the developers create a terrible bug in the JavaScript you are including or, worse, something happens to the server that is hosting the JavaScript you now include? By adding in content from the third party you are trusting that their security level matches or surpasses your own. You are also trusting that any third parties they are using meet or exceed your security level as well. If any of those third parties do not meet or exceed your standards then your users/visitors and brand (if applicable) could take a hit.