HackerTrans
TopNewTrendsCommentsPastAskShowJobs

amichal

no profile record

comments

amichal
·30 วันที่ผ่านมา·discuss
Do we care that the bug here was a horizontal scrollbar showing and the fix after all this insane tool writing was to add a very obvious overflow-x: hidden to the element?

We dont mind because its so fast a writing these tools and tricks but step back and if a human tool took this path i would seriously question thief gras of fundamentals.
amichal
·3 เดือนที่ผ่านมา·discuss
Edit: https://www.twilio.com/en-us/blog/insights/leveraging-gmail-...

Shows you how to use googles thing if you are a sender to know if @gmail folks are reporting you. It doesnt address what to do if someone's @gmail is doing this to you (a workspace custom domain yes)... @gmail are rate-limited to a few 1000s per day per gmail address but this is still a lot obviously
amichal
·3 เดือนที่ผ่านมา·discuss
I did some tiny digging because I remembered that there is a way to report individual messages in a structured machine readable way to abuse@ for these things --- i suspect that this is technically supported by gmail (if not given a lot of signal weight)

https://en.wikipedia.org/wiki/Abuse_Reporting_Format

How to bulk do this is interesting too. https://en.wikipedia.org/wiki/Feedback_loop_(email) says that gmail has a bulk format and that sendgrid is seeing some success.

Not defending just trying to see what a technical solution looks like
amichal
·3 เดือนที่ผ่านมา·discuss
PostgresSQL

"crosstab ( source_sql text, category_sql text ) → setof record"

https://www.postgresql.org/docs/current/tablefunc.html

VIA https://www.beekeeperstudio.io/blog/how-to-pivot-in-postgres... as a current googlable reference/guide
amichal
·3 เดือนที่ผ่านมา·discuss
If this code is real and complete then there are no callers of those methods other than a logger line
amichal
·4 เดือนที่ผ่านมา·discuss
Good memories of the open source world. I couldn't find my commits in either repo and i'm afraid i might have been shy to upstream them and just did them in a fork. it was tiny, There was some issue in some less number formatting variation involving currencies in multiple locales. we needed xlsx for its ability to do some nice formatting etc but i really wanted to have a need for things like generating charts, embedding scripts etc just for the sheer nerdiness
amichal
·5 เดือนที่ผ่านมา·discuss
I wonder, can we not turn all threads into a "when will AI do this creative thing better than humans".

Humans need basic income (or at least resources) and to have culturally valuable work to do. Art and craft esp as a form of human expression seems like we should ASSUME that humans want to do this, that we as a society value the human energy that goes into it.
amichal
·5 เดือนที่ผ่านมา·discuss
I would love to see alternatives of educational code that implements these things in a "compliant" way.

Security does not come from Compliance (sometimes they are at odds) but as someone who is not an academically trained security professional but who has read NIST* in detail, implements such code and has passed a number of code reviews from security professionals. And who has been asked to do things like STRIDE risk assessment on products I write code for I do appreciate the references and links along side actual code of any kind.

Now to be fair, I have not yet looked at any of the code here, it's commit history or its level of AI-induced fantasy confidence in the validity of the specific solutions. That could be good or bad but the intent of this is really on point for me.

Edit: I looked at some code:

This is missing a lot from NIST SP 800-63B

Looking at https://github.com/vhscom/private-landing/blob/main/packages...

    - the db select runs before the password has so you can detect if the account exists with timing attacks
    - there is no enforced minimum nor maximum length on the stored secret (e..g para 5.1.1.1 and 5.1.1.2 recommend length range of 8 to 64 unicode printable chars normalized to some form i forget)

    - there is no enforced min max length on the account identifier (in this case email) and no normalization
At least not in the code i saw. so there is still a lot of basics/low hanging fruit from NIST recommendations at least you would find in any production grade auth framework missing
amichal
·5 เดือนที่ผ่านมา·discuss
Marginally better for sure but in this case the path would also have been "leaked" to the sentry instance owned by developers of the the NAS device phoning home. This can happen in zillions of ways and is a good reason to use relatively opaque urls in generally and not "friendly ids" and generally being careful abou putting secrets in URLs.
amichal
·7 เดือนที่ผ่านมา·discuss
Yeah, as a salty greybeard i tried to tell our FE tech-lead to just render the proper HTTP Cache-Control headers in the Next.js site we recently built. He tried and then linked me to https://nextjs.org/docs/app/guides/caching and various version of their docs on when you can and cannot set Cache-Control headers (e.g. https://nextjs.org/docs/app/api-reference/config/next-config...) and I got several hours of head-ache before calling it a problem for another day. That site is not high traffic enough to care but this is not the first time that i've gotten the "not the Next.js way" talk and was not happy.

I obviously can be done but clearly is not the intended solution which really bothers me
amichal
·7 เดือนที่ผ่านมา·discuss
this too...
amichal
·7 เดือนที่ผ่านมา·discuss
I feel the same, 72 million monthly page views is about 8 pages per second even if in a single timezone (72e6 / 8h * 30d * 3600h/s) - even with today's heavy weight pages we are talking under well under 1000 req/s. Assuming they are not super image/asset heavy i would expect this to comfortably be served by a couple of reasonable old school ngnix servers[1]. If each page was a full megabyte of uncached content we are < 10Gbits/sec. Probably under 1

The build logic to decide which things to rebuild of course is probably the interesting bits but we dont need all these services... </grey-beard-rant>

[1] https://openbenchmarking.org/test/pts/nginx&eval=c18b8feaeca...

edit: to be less ranty they are more or less building static sites out of their Next.js codebase but on-demand updated etc which is indeed interesting but none of this needs cloudflare/hyerscaler tech

Not sure how many customers/sites they have. Perhaps they don't want to spend CPU regenerating all sites on every deployment? They do describe a content-driven pre-warmer but I'm still unclear why this couldn't be a content-driven static site generator running on some build machine
amichal
·9 ปีที่แล้ว·discuss
The complexity was more in our customers application logic then in Stripe. Stripe understandably enforces quite a few sensible limits that 'normal' usage probably wouldn't hit. For us the 2 biggies were:

* There is a (undocumented?) limit of 25 subscriptions per customer. Our client sells a la carte services and some large customers have quite a bit more then 25 things. Subscription items partially solve this EXCEPT everything in a subscription must bill on the same-cycle and...

* Our client had a requirement to maintain the existing billing cycles for all customers (and enforce specific start dates for new subscription).

These two limits meant we had to bundle existing services into Subscriptions during the migration and use the "trial period" feature (as a "start_date") to force the billing cycle for each bundle. The worst case customer had I believe 18 different billing cycles for their services in the end so we got lucky. (we also had to figure out a way to name the bundles in the UI and the CC statement descriptor etc).

In the end this saves on transaction fees and reduces the clutter on their CC statements but cost quite a bit of development effort to do and makes the code managing "subscription" starts and stops a bit complex.
amichal
·9 ปีที่แล้ว·discuss
I am just now in the process of completing a migration from Paypal PayFlow (Recurring Profiles) to Stripe (Subscriptions)

While Stripe's API documentation is MUCH easier to understand on the face there is a lot of undocumented complexity hidden away in there that was documented in Payflow Pro (mostly -- in a hard to find 400 page pdf).

In the end it is worth it for our specific use case. But like anything involving money over time it is much harder then it seems. Obviously, WAY more then "7 lines of code" to do it even halfway right.

I have to give massive credit to both organizations support engineers who helped us move the card details across without us ever seeing them. In the end they even ended up having to do a complex customer_id mapping for us to get it done in a way that allowed us to recreate the behaviour we had in PayFlow in Subscriptions