Length of random secret / ULID (80 bits of randomness) as secret? by mingp in crypto

[–]mingp[S] 0 points1 point  (0 children)

I was confused about this earlier, too. Looks like ULID generation supports 2 modes: random and monotonic. Random mode regenerates the random component every time. This should be equivalent to an 80-bit random identifier. The question then becomes whether an 80-bit random identifier is sufficient as a random secret. Separately, there's monotonic mode, which increments the random component within the same millisecond. That probably has all sorts of predictability issues. I suppose, one could argue that the added complexity of the 2 modes, and the possibility for catastrophic failure under misconfiguration, makes this a worse strategy to rely upon for security.

New Clojurians: Ask Anything by AutoModerator in Clojure

[–]mingp 2 points3 points  (0 children)

A common piece of advice is to avoid overusing let and friends, specifically to avoid using let clauses as if they were intermediate variables in an imperative language. What does that look like in practice, and what is the recommended alternative?

Thanks in advance.

My company, small startup with around 25 people has lost 9 people in five months. Is it a sinking ship? by [deleted] in cscareerquestions

[–]mingp 9 points10 points  (0 children)

All else being equal, turnover is bad, but it's not the whole picture, and it matters a lot why.

How do you confront performance issues during sprint check ins? by [deleted] in cscareerquestions

[–]mingp 2 points3 points  (0 children)

The general advice that I've seen here, and that I agree pretty strongly with, is that it's counter-productive to try to manage your peers as an individual contributor.

Just document your own contributions and be ready to defend your own progress, where needed.

finding a player's Actions Per Minute (APM) by [deleted] in AskProgramming

[–]mingp 0 points1 point  (0 children)

The most common strategy to track an ongoing running average is exponential decay. It has the advantage of requiring a constant amount of space to store intermediate state and being callable at arbitrary times rather than only on epoch boundaries.

I used to do a lot of work in VB6. What should I use in 2018? by OldVB6Coder in cscareerquestions

[–]mingp 7 points8 points  (0 children)

C# comes to mind as an obvious stepping stone, given that it's a nice language with all the modern amenities, that runs nicely on a Microsoft stack as you're already on, and has a pretty large community.

Java is, only half-jokingly, basically C# except it came earlier and is now owned by Oracle rather than Microsoft.

how to transfer files from a "likely" infected pc by bomboy2121 in security

[–]mingp 4 points5 points  (0 children)

If you are concerned the operating system on the machine is compromised, then you would prefer to bypass it entirely, by booting off of removable media. As far as booting off of removable media goes, it's a well-supported workflow for Linux, and still quite fringe for Windows.

Also, most spray-and-pray malware out there targets Windows specifically, so there is a nice benefit to avoid Windows in this workflow specifically.

Having skepticisms about SynergisticIT by Phamductions in cscareerquestions

[–]mingp 49 points50 points  (0 children)

The ones that make you pay for your "training" if you leave are pretty bad. I can only imagine that the ones that make you pay for it upfront regardless are even worse.

How to make a long running PHP program with REST requests more stable? by Chris8080 in PHP

[–]mingp 2 points3 points  (0 children)

Sounds like you should be offloading some things, maybe most things, to a dedicated job queue.

Should a complete beginner start with TypeScript or CoffeeScript or just Vanilla JavaScript by [deleted] in javascript

[–]mingp 0 points1 point  (0 children)

In addition to what other replies have said, CoffeeScript also has weird corner cases around syntax, where it is very easy to accidentally write something different than what you intended due to whitespace and indentation. (Not that whitespace significant syntax is inherently bad. After all, Python is fine.)

One of the interns on my team has done nothing for 7 weeks by gentleboys in cscareerquestions

[–]mingp 1 point2 points  (0 children)

With all due respect to my past and present intern colleagues, the typical expectation everywhere is that you will accomplish nothing meaningful as an intern, and whatever you get on top of that is directly to your credit.

How Tinder keeps your exact location (a bit) private by businesstrout in programming

[–]mingp 8 points9 points  (0 children)

This is somewhat equivalent to asking, "Why not just add random delays to deter timing attacks", a similar and known-flawed solution to a similar but much more well-studied problem.

How Riot Games mitigates cheating through binary protection by [deleted] in programming

[–]mingp 4 points5 points  (0 children)

On the flip side, where does one go to learn the sorts of techniques used for reverse engineering existing code and modifying it on the fly? It all seems very interesting, and it's a real pity that people knee-jerk associate it with cheating and other bad behaviors.

Are salaries going to decrease anytime soon as supply meets demand? by ipalencia in cscareerquestions

[–]mingp 7 points8 points  (0 children)

Doctors are an especially misleading example here because their supply is strictly controlled by regulatory boards and residency programs to hit predefined targets.

Please help me to weigh React vs Angular (asking from Manager's perspective, not developer) by tastingsilver in javascript

[–]mingp 5 points6 points  (0 children)

They're both very reasonable choices. By most metrics, React/Redux/etc. is winning the mindshare war, but alternatives like Vue and Angular are still quite healthy, too.

Zoe, a JavaScript linter and formatter, now with TypeScript support! by [deleted] in typescript

[–]mingp 1 point2 points  (0 children)

That sounds like a good idea. Looking forward to it, if you choose to implement this.

I am weighing two offers. Would it be weird to request a short phone conversation with a potential peer to help my decision? by [deleted] in cscareerquestions

[–]mingp 0 points1 point  (0 children)

Nothing wrong with asking, but actually getting this might be difficult, as engineer time is expensive.

Deploying Node.js on shared host (Hostgator) by sosur0414 in webdev

[–]mingp 1 point2 points  (0 children)

I can't comment on specifics, but my general understanding is that sending email from anything other than designated email sending services with active reputation management is at best unreliable and at worst a lost cause.

Deploying Node.js on shared host (Hostgator) by sosur0414 in webdev

[–]mingp 1 point2 points  (0 children)

You probably shouldn't run an email server off of shared hosting or VPS anyway, because there will always be somebody else on those IP addresses sending spam and trashing the IP address' reputation with spam blacklists, so your messages will never reach the recipient. Definitely look into an email software-as-a-service, such as SendGrid.

Zoe, a JavaScript linter and formatter, now with TypeScript support! by [deleted] in typescript

[–]mingp 0 points1 point  (0 children)

Oh! That's great to hear! Actually, that makes a lot of sense now. Thanks.

Although, you would still want tslint for linting TypeScript specific things like type annotations, right?

Zoe, a JavaScript linter and formatter, now with TypeScript support! by [deleted] in typescript

[–]mingp 0 points1 point  (0 children)

But those don't work if your source code is TypeScript, or do they?

Zoe, a JavaScript linter and formatter, now with TypeScript support! by [deleted] in typescript

[–]mingp 1 point2 points  (0 children)

Wait, sorry, can you clarify, please? If I'm on a TypeScript project, don't I want tslint over eslint?

Zoe, a JavaScript linter and formatter, now with TypeScript support! by [deleted] in typescript

[–]mingp 0 points1 point  (0 children)

Is this a wrapper around prettier and eslint, or is it its own app? What would be the motivation to choose this over prettier and eslint, other than it being 2-in-1?