HackerTrans
トップ新着トレンドコメント過去質問紹介求人

adameasterling

no profile record

コメント

adameasterling
·2 年前·議論
> Everyone being surprised at the bridge collapsing needs to reconcile with the amount of force that struck the bridge ... I am also a bit surprised at how many people don't grasp this or grasp engineering, magnitude of forces and design principles.

A spokesman for CalTrans claimed today that Bay Bridge could have taken the same hit without damage, thanks to fenders that protects all pylons for all bridges in the San Francisco Bay Area (1). Cargo ships are heavy, yes, but it appears we have the technology to prevent bridge collapses due to these sorts of collisions today.

1. "The Bay Bridge’s fenders insulated the span during the 2007 incident, so that the Cosco Busan ship struck a bumper, never hitting the bridge itself, Ney said. He noted that fenders on Bay Area bridges should be able to handle a ship traveling at 8 knots, the velocity at which the ship hit the Francis Scott Key span."

https://www.sfchronicle.com/bayarea/article/baltimore-bridge...
adameasterling
·2 年前·議論
> I've found very few projects where a bit of poking can't turn up memory safety issues.

I'm working on a Rust project right now, and I'm probably one of those people who are overestimating the correctness of my code! I would love to know about what sorts of memory safety issues you often uncover.
adameasterling
·2 年前·議論
Err, I just enumerated many regulations I have a problem with in the very post you quoted, and evidence is pretty strong that it's the combined effect of all of those regulations that results in higher costs. [1] I realized I left off overuse of exclusively single-family zoning, which is the worst offender. [2]

> I'm not sure we need more high-end development - those tenants have plenty of options.

Evidence is strong that market-rate construction causes richer residents to exchange their current unit for a higher-end unit, opening up supply at the lower end. [3]

The problem with BMR requirements is the increased costs borne by developers, who have to offset those increased costs by charging more for the market rate units. There's a limit to that market, so fewer units are constructed than otherwise would be. Middle class families are especially worse off, as they neither qualify for BMR lotteries, nor earn enough for the rapidly accelerating market-rate unit. [4]

Further, rents are lower in states that disallow BMR mandates (like Texas) than those that have BMR mandates (like California).

1. https://www.axios.com/2019/08/28/study-californias-land-use-... 2. https://www.cnn.com/2023/08/05/business/single-family-zoning... 3. https://www.lewis.ucla.edu/research/market-rate-development-... 4. https://escholarship.org/content/qt036599mr/qt036599mr_noSpl...
adameasterling
·2 年前·議論
You are free to choose buildings with multiple stairways if that's a requirement for you! We're talking about easing mandatory regulations, allowing builders to meet demand. We're not saying that all buildings must only have one stairway.
adameasterling
·2 年前·議論
This is a fantastic article.

Burdensome regulations on housing construction have caused costs to skyrocket. Minimum lot sizes, setback requirements, square footage minimums, floor-area ratio restrictions, overzealous height restrictions, parking requirements, abuse of environmental reviews, historic designations, community reviews, overzealous MFH requirements (like double-stair), below-market mandates, all have worked together to constrain supply, leading to skyrocketing costs.

It's the single most important economic issue for me. We need a nationwide effort to ease these restrictions, or we're just going to continue to see rents eat up more and more of young people's earnings.
adameasterling
·3 年前·議論
Oh, I see the issue. The HIBP database is SHA-1 hashed with no salt. It was created from unhashed passwords. You can't download the unhashed version (you could of course compute it, if you really wanted to; but there's no need).

So, the procedure you need to implement is, on login/registration/pw reset, you SHA-1 hash the user's unhashed password and do a indexed lookup on your copy of HIBP's database. Or if you don't want to maintain that copy, you can use HIBP's API to do something similar.
adameasterling
·3 年前·議論
One can only implement a HIBP check when one has access to the user's unhashed password. So, at login, registration, and password reset.
adameasterling
·3 年前·議論
Yes, same scenario, but far fewer logins are successful. 3 orders of magnitude sounds right, but I don't know precise numbers. (Can others shed light?) Three orders of magnitude is a lot!
adameasterling
·3 年前·議論
This is true. The story as written probably didn't happen with HIBP's database. Troy Hunt's database only includes SHA-1 hashes, and passwords in your own database will be hashed with a stronger algorithm (hopefully) and salted (hopefully), so you can't do a simple hash-to-hash comparison. The way to do a HIBP check is, when a user signs in, you hash their password in the way HIBP expects, and check that against either their API or against a local copy of HIBP's database, and if a hit is returned, you give them a nice message and direct them to the password reset flow. There's no easy way to use HIBP's data to identify users with compromised passwords until users actually try to log in.
adameasterling
·3 年前·議論
The FBI feeds data into Troy Hunt's database and FBI Director Christopher Wray gave Troy Hunt a medal for his work [1].

The Open Web Application Security Project's Application Security Verification Standard recommends that you do a hashed password check [2].

For bigger companies, sure, go talk to legal, but for young startups, my feeling is it's not worth the $200 or whatever your counsel will charge to say it's ok. I personally did not ask anyone (am cto), I just added the check.

1. https://twitter.com/troyhunt/status/1674132801837477888

2. See OWASP ASVS 4.0 2.1.7 https://github.com/OWASP/ASVS/blob/master/4.0/en/0x11-V2-Aut...
adameasterling
·3 年前·議論
Troy Hunt is such a treasure. And for us web application developers, there is no excuse for not having protection against credential stuffing! While the best defense is likely two-factor [1], checking against Hunt's hashed password database is also very good and requires no extra work for users!

I don't have anything to back this up, but my guess is that the vast majority of compromised user accounts comes from credential stuffing/password re-use. It's really surprising to me when I hear that huge companies don't do this check.[2] It's simple, easy, takes about a day to set up.

If you're a young CTO or early-stage engineer working on a web app and have never been targeted with a credential stuffing attack, let me tell you: It's coming! It's just a matter of time before it's 1AM and your phone blows up; your site is getting hammered; you think it's DDOS, but then realize most of the hits are on your login page, then realize that and then realize with a horrible feeling that some % of those hits are getting through the login page. You'll be up all night dealing with it, and then you have to make breach notifications, and that really sucks.

Troy Hunt's free database will save you that heartache (probably). Just do it.

1. https://cheatsheetseries.owasp.org/cheatsheets/Credential_St...

2. Like 23andMe. https://news.ycombinator.com/item?id=37794379
adameasterling
·3 年前·議論
> It's not on 23andMe, or anyone (other than the user) for that matter, to ensure the passwords used by the user are not copied passwords from other credentials.

In my opinion, it is, actually, on 23andMe. At my tiny startup, I implemented a simple check against Troy Hunt’s compromised password database.[1] If I can do it, 23andMe can.

If anyone reading this is in the business of making web apps and there’s literally anything of value behind your login, prioritize this mitigation. OWASP recommends it too. [2]

1. https://haveibeenpwned.com/Passwords

2. https://cheatsheetseries.owasp.org/cheatsheets/Credential_St...
adameasterling
·3 年前·議論
It is not hard and every web service really should implement this sort of check. I’m actually pretty surprised to see so many comments here that aren’t aware of it!

See: https://haveibeenpwned.com/Passwords
adameasterling
·3 年前·議論
I don’t know about criminal liability, but they’re certainly at fault for not implementing a check against known compromised passwords[1]. I believe it’s been an accepted best practice since something like 2017.

1. https://haveibeenpwned.com/Passwords
adameasterling
·3 年前·議論
Websites should mitigate credential stuffing by checking against known cracked passwords. All you have to do is download Troy Hunt’s hashed password database, check it when someone logs in and if it’s cracked do your email password reset flow. Or you can use their API.

It’s very simple, and I believe has been an accepted best practice since like 2017. This is 100% on 23andme. They are responsible.

1. https://haveibeenpwned.com/Passwords
adameasterling
·3 年前·議論
I had to deal with this problem in our product, which has a visual programming language. I opted to throw an exception if, for whatever reason, "all()" receives an empty list! I had forgotten I'd done that. There's no explanation for it in the code.

As I sit here justifying my own reasoning, though, it sort of makes sense. For ordinary people (for whom this product is supposed to be for), I figure if they put in nothing, that was probably just a mistake.
adameasterling
·3 年前·議論
A few months ago, I did some analysis on JSON data in our platform, and discovered that more than two-thirds of bytes were field names. Two thirds! That’s a lot of potentially unnecessary extra bytes.

In my case, I was thinking about storage costs for JSON data; but thinking about this use case: Isn’t it true that the CPU would have to spend basically three times as much time making FFI calls? Assuming that practically speaking, field names make up 2/3rds of the bytes in their real-world JSON data.
adameasterling
·3 年前·議論
Alpine is a trap! For a Python product, we tried to make it work for about a year before throwing our hands up and switching to a plain Ubuntu image. We’ve had no regrets.
adameasterling
·3 年前·議論
Perspective from a CTO at a small b2b saas startup:

Pricing is incredibly tough, and at my startup, we’ve had tons of hours-long conversations on pricing internally, with consultants, etc.

We also have a mix of customers, both very large companies with thousands of employees and very small ones as well. My answer is a little complicated because we have two products right now, with very different approaches to pricing.

For our first product, it worked really well to charge by the number of physical locations at the business. (We tried usage-based pricing, but it was too confusing for what that product was; and also incentivized less engagement.) The price per location is fairly high, but we do tend to discount down for larger deals.

For our second product, pricing has been very tough. For very large customers, we’ve carved out special deals, where they get billed a flat monthly negotiated amount for unlimited service. These have been a little annoying to set up, but pretty profitable for us. For all other customers, we charge by usage.

Also, I see some people saying bringing on an enterprise client is a way to kill your startup. I’m skeptical of this. Large businesses, in my experience, are very pleasant to work with, have a lot of money to spend, and, yes, are demanding, but in ways that make your product better, not worse. It’s true that you’re going to have more fire drills for your engineering staff (last-minute demands to add an important feature), but this isn’t a bad thing. Security questionnaires are probably the most annoying thing to deal with, but it’s solvable (talk to Vanta).

Feel free to hit me on Discord or send me an email; happy to say more.
adameasterling
·3 年前·議論
I had trouble finding the link to the full report; here it is!

https://survey.stackoverflow.co/2023/