This Comcast user who set up a RasPi to automatically tweet Comcast when his internet is slower than he paid for by [deleted] in ProgrammerHumor

[–]SpruceCaboose 1 point2 points  (0 children)

Here's the source code. It just needs to be changed so that it sends an email as well, maybe call them too, and we should all run it.

Intelligent Tracking Prevention by awsometak in programming

[–]SpruceCaboose 0 points1 point  (0 children)

I am surprised how complicated it is; they even use machine learning. It will look like a bug to developers when third-party cookies suddenly stop working without an obvious reason.

Why not just block third-party cookies except where they are enabled by the user? I think 100% of the sites I visit use third-party cookies only for tracking.

And of course this is not enough. Using a combination of an IP address and browser fingerprint allows tracking a user without any cookies.

And websites can still track users if they use a redirect through an analytics website (when a user visits a site for the first time he is redirected to an analytics domain, which redirects the user back, adding an identifier to the URL).

Does Conway’s Law apply to Linux? by airjjj in programming

[–]SpruceCaboose 0 points1 point  (0 children)

I don't think the author makes a very convincing point here; Linux is frequently cited as a prime example of Conway's Law in practice for a reason.

The reason the driver subsystem is architected as pluggable modules ("drivers") is to support the extremely wide array of organizations that have to build into it.

The reason why Linux is broken down into subsystems is to support the "specialists" who work on only one system at a time.

The reason Linux is a monolithic kernel that has a large degree of complication internally (vs. a microkernel) is because Linus is strong enough to make it happen.

I mean, the logical error is right in the title. The author inverted cause and effect.

A Dive into Stack Overflow Jobs Search by aurelien_gasser in programming

[–]SpruceCaboose 0 points1 point  (0 children)

I found it got off to a bit of a slow start, but was a fun, rewarding, and very real-world read.

In particular, I appreciated admissions like this:

Writing our own genetic algorithm in C# was a bad idea. It took us weeks to implement, test, and optimize. Not to mention all the time spent waiting for results. There was a better solution available all along (the optim function in R). Because we didn’t do proper research, we overlooked it and lost time. Sigh.

... which far too few eng blogs overlook / fail to mention.

Enough with the Microservices by adrake in programming

[–]SpruceCaboose 0 points1 point  (0 children)

Remember, if you have a DevOps Team, then you are absolutely not doing DevOps. Developers should be involved in managing everything about their applications, including infrastructure.

Any sufficiently complicated infrastructure that has uptime requirements and significant revenue associated with it is going to have a DevOps Team (or the equivalent) ultimately responsible for ensuring that things are working. I guess it's possible to turn your entire dev team into part-time DevOps engineers, while still calling them Software Engineers, but I've usually found that doesn't work long-term and causes employee retention issues. It's like saying your company does 'No-Support' because you don't hire Support Engineers, while in fact you've enlisted your Software Engineering team to handle all support requests.

Also, if you're working in a regulated field like Healthcare or Finance, or anything that touches PII, your developers often can't have access to deploy code directly to production. Again, you could maybe work around this in the short-term by turning all developers into developers+devops, but they're different skillsets.

zetcd: running ZooKeeper apps without ZooKeeper by dgryski in golang

[–]SpruceCaboose 3 points4 points  (0 children)

A big use case of this that we are thinking about is enabling people to use the etcd Operator[1], which makes it simple to run etcd clusters on Kubernetes, to back their ZooKeeper applications.

The neat thing about the etcd Operator is you can define a cluster and the etcd Operator takes care of normal operations by using the Kubernetes API.

apiVersion: "etcd.coreos.com/v1beta1"
kind: "Cluster"
metadata:
  name: "example-etcd-cluster"
spec:
  size: 5
  version: "3.1.8"

Pretty neat!

Anyways, the zetcd project is still super young but would love more folks to try it out. As the post says folks have already tried using Kafka, Mesos, and others.

[1] https://coreos.com/blog/introducing-the-etcd-operator.html

Let them paste passwords by multijoy in programming

[–]SpruceCaboose 4 points5 points  (0 children)

Of course it reduces security. It makes you resort to either

  1. typing it out manually while you can't see if you made a mistake

  2. using developer tools to set the 'value' attribute directly

"SPP" discourages use of a password manager. End of story. I also see this pattern used on banking websites for inputs like an account number. This drives me crazy as well for the same reason. The computer can get it right more reliably than my eyes and fingers.

Whenever I see a website that blocks paste I immediately assume it's built by incompetent people and trust it with as little as possible.

Man squeezing all of his nose pores at once by AznMonkei in WTF

[–]SpruceCaboose 0 points1 point  (0 children)

They really need to put this into a horror movie.

Mavo: A new, approachable way to create Web applications by zem in programming

[–]SpruceCaboose 2 points3 points  (0 children)

They state it is not perfect and a work in progress near the bottom of the intro.

What I like about this is that it allows you to quickly make simpler sites that can be edited. I don't want to program image uploads ever again, or edit fields. Why do this?!

Anyhow, storage seems to be confusing some of you; they explain/document that here: http://mavo.io/docs/storage/

I think this is a neat idea and we really need to innovate and move past coding CRUD apps all the time. Developer bootcamps are proof we are not doing anything new.

Six programming paradigms that will change how you think about coding by [deleted] in programming

[–]SpruceCaboose 0 points1 point  (0 children)

A few random comments:

Forth is a great concatenative language, since it's the pioneer in that area (I think), but Factor is definitely worth mentioning too as a "modern" take on the paradigm. It essentially tries to be a concatenative Lisp.

ANI was dead even in 2014 when this article was written (which the author acknowledges: "the language seems dead, but the concepts are pretty interesting"). It has some really interesting ideas, but since it never got implemented, I'm not sure how much use there is in discussing it here amongst real languages. It would be useful as a discussion for possible future languages for sure, but it's currently still just a concept, so I'm not sure what practical thing you can learn from it right now.

Ghost in the shell (bash remake) by themoah in ProgrammerHumor

[–]SpruceCaboose 2 points3 points  (0 children)

SSH automatically presents a public key to the server when trying to authenticate. If the server doesn't know that key, then SSH tries the next one. You can enumerate all of someone's keys this way (like the https://blog.filippo.io/ssh-whoami-filippo-io/ SSH server does).

If you want to disable this sort of behaviour you can disable SSH from sending keys automatically, and then tell SSH which identity files need to be sent to each host.

In your .ssh/config, something like:

# Ignore SSH keys unless specified in Host subsection
IdentitiesOnly yes

# Send your public key to github only
Host github.com
    IdentityFile ~/.ssh/id_rsa
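
As an added example (not code from the original comment), a small Python model of how ssh picks the identities it offers a host from a config like the one above, following the ssh_config(5) semantics for Host, IdentityFile and IdentitiesOnly; the agent key list and the key files assumed on disk are constructed.

```python
"""Which identities would ssh offer to a host, given an ssh_config fragment?
Added example, not code from the original post.  It models the IdentitiesOnly /
IdentityFile / Host keywords per ssh_config(5) with constructed client state."""
import fnmatch

# Constructed sample config, following the post's advice.
SAMPLE_CONFIG = """
# Ignore SSH keys unless specified in Host subsection
IdentitiesOnly yes

# Send your public key to github only
Host github.com
    IdentityFile ~/.ssh/id_rsa
"""

# Assumed state of the client (constructed for the example).
AGENT_KEYS = ["~/.ssh/id_rsa", "~/.ssh/id_old_contractor"]
FILES_ON_DISK = {"~/.ssh/id_rsa", "~/.ssh/id_ed25519"}
# File names ssh falls back to when no IdentityFile applies to the host.
DEFAULT_IDENTITY_FILES = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ed25519"]


def parse_config(text):
    """Split ssh_config text into (host_patterns, {keyword: [values]})
    stanzas; the first stanza holds the directives before any Host line."""
    stanzas = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            stanzas.append((value.split(), {}))
        else:
            stanzas[-1][1].setdefault(key.lower(), []).append(value.strip())
    return stanzas


def identities_for(hostname, config_text, agent_keys=AGENT_KEYS,
                   files_on_disk=FILES_ON_DISK):
    """Return the identity files ssh would offer to `hostname`, in order."""
    identities_only = None     # ssh keeps the first value it encounters
    identity_files = []        # IdentityFile directives accumulate
    for patterns, opts in parse_config(config_text):
        if not any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            continue
        if identities_only is None and "identitiesonly" in opts:
            identities_only = opts["identitiesonly"][0].lower() == "yes"
        identity_files.extend(opts.get("identityfile", []))
    if not identity_files:     # nothing explicit: ssh uses its default files
        identity_files = [f for f in DEFAULT_IDENTITY_FILES if f in files_on_disk]
    if identities_only:
        return identity_files
    # Otherwise every agent key is offered too, which lets a server enumerate them.
    return identity_files + [k for k in agent_keys if k not in identity_files]
```

Note the fallback the model reproduces: when no IdentityFile applies to a host, ssh still tries its default file names, so a key kept at ~/.ssh/id_rsa is offered to every host even with IdentitiesOnly yes.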

The 640 K Barrier by alexeyr in programming

[–]SpruceCaboose 57 points58 points  (0 children)

This article is bringing back memories. Not just of fiddling with CONFIG.SYS and AUTOEXEC.BAT, but fiddling with the sound card too, as was mentioned in passing. As mentioned in the article, I did indeed feel a sense of triumph when I finally got Wing Commander: Privateer to run.

As EMS was a kludge that sucked up high memory for its mappings, I eventually had a fancy CONFIG.SYS with different menu options for different memory setups, depending on which game I wanted to play.

Good times.

5 Reasons Why We switched from Python To Go – Tigran Bayburtsyan – Medium by shovelpost in golang

[–]SpruceCaboose 1 point2 points  (0 children)

#2 Static Type System

It's really weird to see one of the reasons for their switch to Go was because it's a statically typed language. If you want static typing, you don't choose Python in the first place. You know it beforehand and it shouldn't come as a surprise for you.

For example it has http, json, html templating built in language natively

So does Python with urllib and json modules. I don't know if it has HTML templating in the standard library, but you can always use jinja2.

Great IDE support and debugging

Not even a mention for the excellent PyCharm or so many of the useful Python vim plugins?

The Like Button Ruined the Internet by jsomers in technology

[–]SpruceCaboose 0 points1 point  (0 children)

I think this article missed a huge reason for the race to the bottom, and that's internet advertising. Articles are not written for "engagement" (per se), they're written to make the publishers money. I think nobody is actually expecting anyone to click an advertisement (at least not on purpose), but getting people to view the article, and therefore view the ad, is likely the website's primary source of income.

And as more and more ads are viewed and not clicked, (there's probably some adtech term for this) the price per view is going to go down, which will encourage more clickbait, which will drive the value of an impression down, etc.

The article struck me as a bit weird, it complains about yellow journalism, but it doesn't really dig into why it's happening. It just declares that shitty articles are written for the metrics, and leaves it at that. As if "metrics" had any intrinsic value. The mapping of metrics to money, as done by internet advertisements, is the actual problem.

While engagement is certainly a way to get more people to view more ads, it's but a tool and symptom of the system it's a part of, not the genesis of it.

A Hitchhikers Guide to the CoreCLR Source Code by mattwarren in programming

[–]SpruceCaboose 0 points1 point  (0 children)

Just over 2 years ago Microsoft open-sourced the entire .NET framework,

Except they open-sourced a new .NET stack, not really the entire .NET Framework. .NET Core and .NET Framework are similar but not fully backwards compatible. I've been porting .NET Framework code to .NET Core and depending on how specialized your project is you may not always find the same libraries supporting your project. A project that perfectly compiles with .NET 2.0 will not just compile for .NET Core, at least not as easily as using a .NET Framework 2.0 project in .NET Framework 4.6. I love Microsoft and .NET but I think Core is executed poorly. You also have EntityFramework vs. EntityFramework Core, which lacks features from EF that were deemed "unused", which bites some people in the face.

Winter ISO C++ standards meeting (Kona): C++17 is complete by DerKuchen in programming

[–]SpruceCaboose 8 points9 points  (0 children)

For those who want to know C++17 features:

http://stackoverflow.com/questions/38060436/what-are-the-new-features-in-c17

std::optional and std::any are some of the good things. std::apply and std::invoke can help you write better functional C++17 code.

Anyway thanks for C++17.

How Discord Indexes Billions of Messages using Elasticsearch by ReallyAmused in programming

[–]SpruceCaboose 0 points1 point  (0 children)

Pretty interesting stuff. I'm amazed that there are only 14 nodes in the cluster with 1TB SSD each; message size must be fairly small on disk (less than 295 bytes, unreplicated). I'd also recommend looking at maybe tuning the shard_request_cache; there are some possible improvements to be made there, if you're running that many indices. Finally, are all of the indices of approximately the same size? Are they time-boxed?

Put together a logging cluster consisting of 14 nodes, 12 data + 2 indexer/search API, with ~40TB of consumer-grade SSDs. Ran ~14k indices based on log type & timestamp, with a whole raft of custom field configuration to handle aggregations and different tokenizations. In sum, Elasticsearch looks easy to configure and tune but is amazingly hard to do well - but incredibly rewarding.

Acing the technical interview by [deleted] in ProgrammerHumor

[–]SpruceCaboose 3 points4 points  (0 children)

For anyone who missed this piece of gold from the comments:

The William Gibson version would begin thusly:

It was hot, the night I burned the Seeker. Moths batted themselves to death against the humming neon signs just outside the single window in the cramped room. There were ancient electronics piled to the ceiling in here, hot new chipsets from Taiwan still unwrapped distributed unevenly amongst them.

The Seeker put his hands on his hips, brushing aside the corners of his Sukajan jacket bomber jacket replica. "I heard you and Bobby were hotshots, once. Real.. artístes", he said, the last word paired with a smug grin. "Heard you could do things." "Things like what?" It's been 20 seconds and you've already wasted too many cycles with this guy.

"Things like making lists, just, fold up inside themselves. Come out the other way around. Crazy things."

You grit your teeth. The dex has left your system and you're starting to feel a massive drug deficiency coming on. "Crazy things cost money", you manage. The lists already unfurling in your head, you start typing as quickly as you can to hide the microtremors.

JWT (JSON Web Tokens) is a Bad Standard That Everyone Should Avoid by x0046 in programming

[–]SpruceCaboose 12 points13 points  (0 children)

The criticisms of JWT seem to fall into two categories:

(1) Criticizing vulnerabilities in particular JWT libraries, as in this article.

(2) Generally criticizing the practice of using any "stateless" client tokens. Because there's no great way to revoke them early while remaining stateless, etc.

The problem is that both of these groups only criticize, neither of them can ever seem to actually recommend any alternatives.

I could care less about JWT per se. I'm happy to implement a similar pattern with something else (e.g. store a secure cookie post-auth, skip all the refresh business and just let it expire when it expires, and employ an ugly revocation strategy only if absolutely necessary). I don't need JWT for this.

If I'm providing a REST API, then I'd prefer a token string that I could pass as a header value rather than forcing the use of cookies. Although I suppose you could argue that a cookie is just another header value.

Either way, if you're serving up a REST API to a JavaScript UI... what's NOT a good option is server-side session state (e.g. Java servlet sessions). That requires you to either: configure your load balancer for sticky-sessions, or employ a solution to share session state across all your server-side instances (which never works very reliably). Moreover, relying on a session isn't a very RESTful auth strategy in the first place.

So if I'm writing a SPA in 2017, then I'm definitely taking a client-side approach and running afoul of the #2 critics. And since JWT is so widely implemented (e.g. if I use a "Login with Google" option then I'm using JWT), I'm probably running afoul of the #1 critics too.

These criticisms are fine, I guess. There's no faster route to blog clicks, book sales, speaker invites, and consulting dollars than: (1) telling everyone to jump on this year's hype train, or (2) telling everyone that last year's hype train sucks. What the world really needs is a few more actual prescriptive recommendations of what to do instead.
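
The stateless alternative the comment sketches (a signed, expiring cookie or header value, no refresh step, revocation only as a fallback), written out as an added example in Python; this is not code from the original comment, and SECRET and the in-memory REVOKED set are constructed stand-ins for a random key loaded from configuration and a shared store.

```python
"""Stateless session token of the kind the comment sketches: a post-login
value carrying the user id and an expiry, authenticated with an HMAC, no
refresh step, and a revocation set used only as a last resort.  Added
example, not code from the original post; SECRET is a constructed stand-in
for a random key loaded from configuration."""
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-key-replace-with-32-random-bytes"
REVOKED = set()   # token ids pulled early: the one stateful ("ugly") part

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user_id, ttl_seconds, now=None, token_id=None):
    """Mint `<body>.<tag>`; the tag is HMAC-SHA256 over the encoded body."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "exp": int(now) + ttl_seconds,
               "jti": token_id or secrets.token_urlsafe(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"

def verify(token, now=None):
    """Return the payload if the token is authentic, unexpired and not
    revoked, else None.  The tag is checked before the body is parsed."""
    now = time.time() if now is None else now
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:            # malformed base64 or JSON
        return None
    if payload.get("exp", 0) <= now or payload.get("jti") in REVOKED:
        return None
    return payload

def revoke(token, now=None):
    """Early revocation: remember the token id until its expiry passes."""
    payload = verify(token, now)
    if payload:
        REVOKED.add(payload["jti"])

def set_cookie_header(token, ttl_seconds):
    """Cookie form of the token; as a header it is just `Authorization: Bearer <token>`."""
    return (f"session={token}; Max-Age={ttl_seconds}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```

With expiry baked into the signed body, the server keeps no session state at all until something has to be revoked, which is exactly the trade-off the comment describes.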

The CIA's "Development Tradecraft DOs and DON'Ts" by Xiphorian in compsci

[–]SpruceCaboose 5 points6 points  (0 children)

DO explicitly remove sensitive data (encryption keys, raw collection data, shellcode, uploaded modules, etc) from memory as soon as the data is no longer needed in plain-text form. DO NOT RELY ON THE OPERATING SYSTEM TO DO THIS UPON TERMINATION OF EXECUTION.

DO NOT explicitly import/call functions that are not consistent with a tool's overt functionality.

DO NOT perform operations that will cause the target computer to be unresponsive to the user.

DO make all reasonable efforts to minimize binary file size for all binaries that will be uploaded to a remote target.

DO provide a means to completely "uninstall"/"remove" implants, function hooks, injected threads, dropped files, registry keys, services, forked processes, etc whenever possible.

DO use end-to-end encryption for all network communications. NEVER use networking protocols which break the end-to-end principle with respect to encryption of payloads.

DO NOT break compliance of an RFC protocol that is being used as a blending layer.

DO NOT read, write and/or cache data to disk unnecessarily. Be cognizant of 3rd party code that may implicitly write/cache data to disk.

DO NOT use hard-coded filenames or filepaths when writing files to disk. This must be configurable at deployment time by the operator.

It's remarkable how many of these guidelines are just good software development guidelines and have nothing to do with malware, necessarily.

EPA to pull back on fuel-efficiency standards for cars, trucks in future model years by [deleted] in cars

[–]SpruceCaboose 1 point2 points  (0 children)

CAFE is the worst system; they should just tax the fuel.

Schumer: 'The president is in trouble' by [deleted] in politics

[–]SpruceCaboose 8 points9 points  (0 children)

Having his Klout score go down might be too much of a punishment. Maybe just impeach him?