koreth

@koreth@lemm.ee
3 Posts – 53 Comments
Joined 1 year ago

"We'll wait a few more minutes for person X to join, then get the meeting started," like the other ten people who made the effort to show up on time deserve to be punished with extra meeting time for being responsible. Bonus points if this causes the meeting to run a few minutes long.


SQL, where injection is still in the top 10 security risks

This is absolutely true, but it's not what it looks like on the surface, and if you dig into the OWASP entry for this, you'll see they talk about mitigation.

You can completely eliminate the possibility of injection attacks using well-understood technologies such as bind variables, which an ORM will usually use under the covers but which you can also use with your own queries. There are many, many database applications that have never once had a SQL injection vulnerability and never will.

The reason SQL injection is a widespread security risk, to be blunt, is that there are astonishingly large numbers of inexperienced and/or low-skill developers out there who haven't learned how to use the tools at their disposal. The techniques for avoiding injection vulnerability are simple and have been well-documented for literally decades but they can't help if a lousy dev decides to ignore them.

Now, a case could be made that it'd be better if instead, we were using a query language (maybe even a variant of SQL) that made injection attacks impossible. I agree in principle, but (a) I think this ends up being a lot harder than it looks if you want to maintain the same expressive power and flexibility SQL has, (b) given that SQL exists, "get bad devs to stop using SQL" doesn't seem any more likely to succeed than "get bad devs to use bind variables," and (c) I have too much faith in the ability of devs to introduce security vulnerabilities against all odds.
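The bind-variable point in the comment above, shown as a runnable example that is added here and is not from koreth's comment or any project it mentions. It uses Python's standard sqlite3 module with a constructed in-memory users table; the function names, the sample rows and the tautology input are all assumptions made for the demonstration. The same query is written twice: once with the value spliced into the SQL text, and once with a bind variable (the `?` placeholder), so you can see that the hardened version treats the malicious string purely as data.

```python
import sqlite3

# Constructed sample rows for the demonstration; not taken from any real system.
SAMPLE_USERS = [
    ("alice", "hash-placeholder-1"),
    ("bob", "hash-placeholder-2"),
]

# Classic tautology input, constructed here to show how the two query styles differ.
TAUTOLOGY_INPUT = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable form (assumed name): the caller's string becomes part of the SQL text,
    so quote characters in the input can change the structure of the query."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened form (assumed name): the SQL text is fixed and the value travels as a
    bind variable, so the database never parses the input as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both forms against the same input and return (unsafe_result, safe_result)."""
    conn = make_db()
    try:
        return find_user_unsafe(conn, username), find_user_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves the same either way.
    print("alice:", compare("alice"))
    # The tautology input returns every row from the unsafe query and nothing
    # from the parameterized one, because no user is literally named "' OR '1'='1".
    print("tautology:", compare(TAUTOLOGY_INPUT))
```

The safe version is also the form an ORM emits under the covers: a fixed statement plus a tuple of parameters. The check a reviewer applies is mechanical: any query built with f-strings, `%` formatting, `.format()` or string concatenation from caller-supplied values is the vulnerable shape, regardless of how the value is "sanitized" beforehand.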

lemm.ee's admin is Estonian, so that one at least makes sense.

The "developed or supplied outside the course of a commercial activity" condition is part of why people are up in arms about this. If I'm at work and I run into a bug and submit a patch, my patch was developed in the course of a commercial activity, and thus the project as a whole was partially developed in the course of a commercial activity.

How many major open-source projects have zero contributions from companies?

It also acts as a huge disincentive for companies to open their code at all. If I package up a useful library I wrote at work, and I release it, and some other person downloads it and exposes a vulnerability that is only exploitable if you use the library in a way that I wasn't originally using it, boom, my company is penalized. My company's lawyers would be insane to let me release any code given that risk.

As a software engineer: the degree to which poorly-conceived product requirements can make my work life a living hell.

SEO is an industry devoted to undermining search engines' ability to organically surface good content. Good content will still be surfaced on its own, just maybe not quite as quickly.


I find that setup an obnoxious user experience. Instead of one hotkey that tells my password manager to fill out the login form, now I have to switch to my mail app, wait for the login email to arrive (if my mail provider or the site’s mail provider is having trouble, no login for me!) then back to my browser where I need to close the original tab because clicking the email link opened a new one.

If I am on a shared computer, now I need to either manually copy a long URL from my phone or read my email on that computer, a much bigger security risk than just entering a password and 2FA code.


it would be great to “just” have a DB with a binary protocol that makes it unnecessary to write an ORM.

Other people have talked about other parts of the post so I want to focus on this one.

The problem an ORM solves is not a problem of SQL being textual. Just switching to a binary representation will have little or no impact on the need for an ORM. The ORM is solving the problem that's in its name: bridging the conceptual gap between an object-oriented data model and a relational data model. "A relational data model" isn't about how queries are represented in a wire protocol; instead, it is about how data, and relationships between pieces of data, are organized.

So, okay, what if you get rid of the relational data model and make your database store objects directly? You can! NoSQL databases had a surge in popularity not too long ago, and before that, there have been lots of object databases.

What you're likely to discover in an application of any real complexity, though, and the reason the industry has cooled somewhat on NoSQL databases after the initial hype cycle, is that the relational model turns out to be popular for a reason: it is extremely useful, and some of its useful properties are awkward to express in terms of operations on objects. True, you can ditch the ORM, but often you end up introducing complex queries to do things that are simple in SQL and the net result is more complex and harder to maintain than when you started. (Note "often" here; sometimes non-relational databases are the best tool for the job.)

And even in an object database, you still have to know what you're doing! Storing objects instead of relational tuples won't magically cause all your previously-slow queries to become lightning-fast. You will still need to think about data access patterns and indexes and caching and the rest. If the problem you're trying to solve is "my queries are inefficient," fixing the queries is a much better first step than ditching the entire database and starting over.

Being rich is often the answer, but also, it is possible to travel much more inexpensively than most tourists do if you don’t care so much about comfort and predictability. Go in off seasons. Ride the cheapest class of public transport to get around. Couchsurf or stay in sketchy hostels. Cook your own food or eat where the locals eat instead of at the places where the staff speaks perfect English.

Do they already have savings enough to support until they retire?

No reason to assume they won’t get jobs after they’re done traveling.

My frustration is less with the people who are late and more with the meeting host making the rest of the attendees sit around twiddling their thumbs waiting for the late person. Unless the late person's presence is the point of the meeting, just get started and let them catch up.

“Rogue One” is a pretty well-regarded prequel.


I think this is a more subtle question than it appears on the surface, especially if you don't think of it as a one-off.

Whether or not Scientology deserves to be called a "religion," it's a safe bet there will be new religions with varying levels of legitimacy popping up in the future. And chances are some of them will have core beliefs that are related to the technology of the day, because it would be weird if that weren't the case. "Swords" and "plowshares" are technological artifacts, after all.

Leaving aside the specific case of Scientology, the question becomes, how do laws that apply to classes of technology interact with laws that treat religious practices as highly protected activities? We've seen this kind of question come up in the context of otherwise illegal drugs that are used in traditional rituals. But religious-tech questions seem like they could have a bunch of unique wrinkles.

Yes, and I even have it as an automatic scheduled payment so I don't forget. Even with its flaws, it remains one of the shining gems of the Internet, and a resource I use frequently in both my professional life and my personal one. I remember how it was to suddenly want to learn more about a random topic before Wikipedia and I don't want to go back.

I also donate to The Internet Archive.

I don't understand why people are saying this will reduce misinformation. The fringe sites peddling things like genocide denial aren't news organizations to begin with, so users will still be able to share their content freely. It'll become harder for other people to counter the misinformation by linking to legitimate news sources.

The current system of job seeking often requires lying on your resume.

This has not been my experience at all, but maybe it depends on what kinds of jobs you’re seeking.

In my line of work, detecting lies on resumes is one of the reasons we spend time interviewing candidates. If you are caught out in a lie, you can kiss any chance of an offer goodbye. As an interviewer I have never knowingly given a “hire” vote to a lying candidate and if I did, I wouldn’t have my job much longer.

This is spot on. I would add one little wrinkle: you not only have to accept that not everything works like it does in your home country, but also that not everything should.

You can be the kind of expat who spends all day griping about how much worse things are in your new home than your old one, or you can be the kind who shifts their mindset such that the new country’s ways become second nature.

What metric did they use to determine what “top 10%” means? Because that’s the part of this that seems most ridiculous to me given how situation-dependent most engineering decisions are. To illustrate with an extreme example: is “daily+ deployment frequency” a sign of an amazing engineering org if the thing being deployed is updates to your heart monitor firmware?

It Takes Two is a good one to play with a significant other.


When I first heard AC/DC’s “Dirty Deeds Done Dirt Cheap” as a kid, I thought they were singing, “Dirty Deeds and The Thunder Chief” and assumed it was the street names of a pair of Native American hit men. I didn’t learn the actual lyrics until a decade or so later, but I choose to continue hearing it the other way.

The paper (linked from the article) has a photo of the actual tablet in question, which was apparently discovered circa 1900.

GDPR protects things implicitly (albeit completely untested–perhaps even problematic)

I will grab my popcorn the first time someone seriously tries to pursue a GDPR erasure request for their fediverse content. I don't think it's even possible to honor such a request in theory, let alone in practice, given that nodes can come and go from the network and when they go, they could easily keep their local copies of everything.

Agreed. All this reminds me a little of some of the discussions that inevitably appear in professional-photographer circles whenever some online service with photo-sharing features changes its terms and conditions. Everyone is convinced that the giant multinational company is spending millions in a laser-focused effort to steal business from photographers, because "making money with photographs" is the lens through which they view the world. And from that point of view it's hard to see that the entire industry of professional photography is too tiny to be worth Google's or Meta's time to even try to steal.


Especially infuriating when the other person is in a very different time zone. I once worked on a project with a partner company in a time zone 10 hours ahead of mine and it was common for trivial things to take days purely because the other person insisted on typing "Hi," waiting for my "Hi, what's up?" response (which they didn't see until the next day since our hours didn't overlap), and then replying with their question, which I didn't see until my next day. Answering the actual question often took like 30 seconds, but in the meantime two or three days had gone by.

I came to believe they were doing it on purpose so they could constantly slack off and tell their boss they were blocked waiting for my answer.

Got 20/20, was rewarded with a message, “You're more resilient to misinformation than 100% of the US population!” and looked for the Fake button because as a member of the US population, that is a mathematical impossibility.


That assumes people’s usage is all-or-nothing, though. I started using Lemmy and I now use reddit a lot less, but still use it for communities that don’t exist or aren’t active here. I don’t imagine I’m the only one in that boat.

No, just broadcast thinly-veiled resentment at them (in my experience having been the person with allergies in that situation).

I think this is about Waze, the mapping/navigation app.

I think the value of standups depends a ton on the team's composition and maturity.

On a team with a lot of junior or low-performing devs who don't have the experience or the ability to keep themselves on track, or a team with a culture that discourages asking for help as needed, a daily standup can keep people from going down useless rabbit holes or unwittingly blocking one another or slacking off every day without anyone noticing.

On a team of mostly mid-level and senior devs who are experienced enough to work autonomously and who have a culture of communicating in real time as problems and updates come up, a daily standup is pure ceremony with no informational value. It breaks flow and reduces people's schedule flexibility for no benefit.

When I'm thinking about whether it makes sense to advocate for or against daily standups on a team, one angle I look at is aggregate time. On a team of, say, 6 people, a 15-minute daily standup eats 7.5 hours of engineering time a week just on the meetings themselves. The interruption and loss of focus is harder to quantify, but in some cases I don't even need to try to quantify it: when I ask myself, "Is the daily standup consistently saving us a full person-day of engineering time every week?" the answer is often such a clear "yes" or "no" that accounting for the cost of interruptions wouldn't change it.

Probably true for most languages. The one that bugs me is when they hire a Chinese-American actor to speak Mandarin but the actor doesn’t actually speak Mandarin fluently or speaks it with such a thick accent that I stop being able to believe the character is from China.

Counterpoint: True Facts is a great series of humorous nature documentaries.

Here's some Apache-licensed code that addresses this exact problem. The language files are in CSV format and get turned into JS files as a build step. It prints warnings for strings that are missing from other languages. In dev environments, there's middleware that watches for edits to the CSV files and rebuilds the JS files.

As a fan of Ms. Marvel, I enjoyed the main campaign well enough, but all the MMO stuff is obnoxious. Luckily you can mostly ignore it and go through the campaign missions single-player. I uninstalled it after getting to the end of the story.

My parents are teachers. In the 1970s, my mom’s school gave her a newfangled “personal computer” to take home for the summer and try to figure out some use for.

7-year-old me was addicted to the thing from day one and my mom barely got a chance to touch it all summer. Out of the box it didn’t do much, but the manuals showed you how to program it to do whatever you wanted to. I read those books cover to cover and inhaled all the other books and magazines on the subject I could find. Thinking up a program from scratch and seeing it do things on its own was unlike any experience I’d ever had.

Coming up on 50 years later, making computers do things is still a joy, I’m pretty good at it, and people pay me money to do it. Can’t complain about how that turned out!

Their track record isn't that bad, is it? Castlevania and Edgerunners were pretty good adaptations. Dragon Age was all right. And Arcane was amazing, though Netflix wasn't involved in that one early on. So there's reason to be at least cautiously optimistic, IMO.

ChatGPT is certainly no good at a lot of aspects of storytelling, but I wonder how much the author played with different prompts.

For example, if I go to GPT-4 and say, "Write a short fantasy story about a group of adventurers who challenge a dragon," it gives me a bog standard trope-ridden fantasy story. Standard adventuring party goes into cave, fights dragon, kills it, returns with gold.

But then if I say, "Do it again, but avoid using fantasy tropes and cliches," it generates a much more interesting story. Not sure about the etiquette of pasting big blocks of ChatGPT text into Lemmy comments, but the setting turned from generic medieval Europe into more of a weird steampunk-like environment, and the climax of the story was the characters convincing the dragon that it was hurting people and should stop.

Wish people wouldn't do this, though I do understand the motivation. IMO it ends up punishing other Internet users (who are the ones getting value from years-old comment threads) vastly more than it punishes the owners and employees of Reddit, Inc. (who get most of their value from people participating in active discussions and seeing ads along the way).

The end result is that you search for "how to fix a broken curtain rod" on Google and the search results are full of comment threads like

  • Anyone know how to fix a broken curtain rod?
    • [deleted]
      • Oh, that's a good idea. How do you unscrew the end if you do it that way?
        • Hello! I have removed my comment from reddit because I don't like the way they're running their company. You can find me on Lemmy.
          • Thanks! That worked.

Reddit still gets the revenue from the ad at the top of the page, so the only person you've successfully stiffed is the person who was looking for an answer.


How do multi-account containers differ from Chrome profiles?


I’ve been under a few times but the most memorable (in one sense) was when I had some minor surgery as a kid. From my point of view, it was like teleportation: I was in the operating room, I blinked, and I was suddenly on a bed in a completely different room. No sense of the passage of time.

US here, and yes, easily. I have WhatsApp installed on my phone but it's probably been over a year since I used it last. SMS, email, and Facebook Messenger are the media of choice in my social circle. Work communication is over Slack and email.

But if someone wanted to use WhatsApp to talk to me, I'd use it without being bothered much.

Thanks. Not something I'd want to do (I like my work and personal tabs in totally separate windows) but obviously that's just personal preference.