Posts: 1 · Comments: 630 · Joined: 2 yr. ago

  • There is literally no way to opt out of Google’s data collection if you are going to use their products. Using another frontend shifts the data profile but it still exists and provides value to them. It’s reasonable to say it’s a bad thing. It’s unreasonable to say there are no other ways. I grew up in a public library and I can still get most of the information I need from a public library without Google products (things I can’t get usually come through inter-library loan or direct connections with subject matter experts at, say, a maker space). This seems to be less of “I’m against invasive corporations” and more of a “I don’t like the solutions available to avoid invasive corporations.”

  • If you care about that you don’t use YouTube at all or support creators that do. Even using 3rd party apps or services feeds into that. This feels like a serious non sequitur on any thread about any Google product.

  • I pay for YouTube Family. I consume a lot of YouTube and I want to support the creators I watch. At its current price point, YouTube Family is reasonable. Several households in my family get ad-free YouTube for what is a reasonably low price point for each household.

    If the price goes up much (eg if I were paying the single price of $11 per household), the creators I really enjoy continue to get pushed out or change content because of shitty ad rules, or they pull the whole “must be in the same household” bullshit I would drop it in a heartbeat just like I’ve dropped most streaming providers. Streaming has become cable and YouTube has been shooting itself in the foot by forcibly changing content for advertisers. I come to the platform for content, not advertisers.

  • Other answers have only called out rotating the secret which is how you fix this specific failure. After you’ve rotated, delete the key from the repo because secrets don’t belong in repos. Next look at something like git-secrets or gitleaks to use as a local pre-commit hook to help prevent future failures. You’re human and you’re going to make mistakes; plan for them.

    Another good habit to be in is to only access secrets from environment variables. I personally use direnv whose configuration file is globally ignored via the core.excludesfile.

    You can add other strategies for good defense-in-depth such as a pre-receive hook checking for secrets to ensure no one can push them (eg they didn’t install hooks).
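The server-side check mentioned at the end of the comment above, sketched as an added example (not code from the commenter or from gitleaks/git-secrets). The function names `find_secrets` and `check_push` and the three patterns are assumptions made for illustration and are much narrower than a real scanner's rule set.

```shell
#!/bin/sh
# Added example: server-side pre-receive hook that rejects pushes whose
# added lines look like secrets. The patterns are illustrative assumptions,
# far narrower than the gitleaks or git-secrets rule sets.

ZERO=0000000000000000000000000000000000000000

# Reads a unified diff on stdin and prints added lines that look like secrets.
# Exit status 0 means at least one finding, 1 means none.
find_secrets() {
    grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -Ei \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e "(secret|token|passw(or)?d|api_?key)[A-Za-z_]*[[:space:]]*[:=][[:space:]]*[\"'][^\"']{12,}[\"']"
}

# Git feeds the hook one "<old> <new> <ref>" line per pushed ref on stdin.
check_push() {
    status=0
    while read -r old new ref; do
        [ "$new" = "$ZERO" ] && continue      # ref deletion: nothing to scan
        if [ "$old" = "$ZERO" ]; then
            range="$new --not --all"          # new ref: only commits the server lacks
        else
            range="$old..$new"
        fi
        # log -p walks every pushed commit, so a secret that was added and
        # then deleted again within the same push is still caught.
        if git log -p --no-color $range | find_secrets >&2; then
            echo "rejected $ref: possible secret; rotate it, then rewrite the commits" >&2
            status=1
        fi
    done
    return $status
}

# Run only when installed as hooks/pre-receive, so the file can also be sourced.
case "$0" in
    *pre-receive) check_push ;;
esac
```

A value read from the environment (for example `os.environ["DB_PASSWORD"]`) passes the check, while a quoted literal assigned to a secret-looking name is rejected.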

  • Teens are constantly sleepy because that’s how teens work. School start times especially make it impossible for them to get proper sleep. I’d say it’s ridiculous that someone who has authority over teens doesn’t understand the fucking basics of teens but it’s the US criminal justice system where authority is made up and the credentials don’t matter.

  • To be clear, usually there’s an approval gate. Something is generated automatically but a product or business person has to actually approve the alert going out. Behind the scenes everyone internal knows shit is on fire (unless they have shitty monitoring, metrics, and alerting which is true for a lot of places but not major cloud or SaaS providers).

  • Speaking from 10+ YoE developing metrics, dashboards, uptime, all that shit and another 5+ on top of that at an exec level managing all that, this is bullshit. There is a disconnect between the automated systems that tell us something is down and the people that want to tell the outside world something is down. If you are a small company, there’s a decent chance you’ve launched your product without proper alerting and monitoring so you have to manually manage outages. If you are GitHub or AWS size, you know exactly when shit hits the fan because you have contracts that depend on that and you’re going to need some justification for downtime. Assuming a healthy environment, you’re doing a blameless postmortem but you’ve done millions of those at that scale and part of resolving them is ensuring you know before it happens again. Internally you know when there is an outage; exposing that externally is always about making yourself look good not customer experience.

    What you’re describing is the incident management process. That also doesn’t require management input because you’re not going to wait for some fucking suit to respond to a Slack message. Your alarms have severities that give you agency. Again, small businesses sure you might not, but at large scale, especially with anyone holding anything like a SOC2, you have procedures in place and you’re stopping the bleeding. You will have some level of leadership that steps in and translates what the individual contributors are doing to business speak; that doesn’t prevent you from telling your customers shit is fucked up.

    The only time a company actually needs to properly evaluate what’s going on before announcing is a security incident. There’s a huge difference between “my honeypot blew up” and “the database in this region is fucked so customers can’t write anything to it; they probably can’t use our product.” My honeypot blowing up might be an indication I’m fucked or that the attackers blew up the honeypot instead of anything else. Can’t send traffic to a region? Literally no reason the customer would be able to so why am I not telling them?

    I read your response as either someone who knows nothing about the field or someone on the business side who doesn’t actually understand how single panes of glass work. If that’s not the case, I apologize. This is a huge pet peeve for basically anyone in the SRE/DevOps space who consumes these shitty status pages.

  • This is a common problem. Same thing happens with AWS outages too. Business people get to manually flip the switches here. It’s completely divorced from proper monitoring. An internal alert triggers, engineers start looking at it, and only when someone approves publishing the outage does it actually appear on the status page. Outages for places like GitHub and AWS are tied to SLAs that are tied to payouts or discounts for huge customers so there’s an immense incentive to not declare an outage even though everything is on fire. I have yelled at AWS, GitHub, Azure, and a few smaller vendors for this exact bullshit. One time we had a Textract outage for over six hours before AWS finally decided to declare one. We were fucking screaming at our TAM by the end because no one in our collective networks could use it but they refused to declare an outage.

  • They’ve renamed Kyber512 and still recommend it. If you believe DJB this is bad. If you believe in a government agency avoiding even the slightest appearance of backdooring (which they have consistently done), this is bad. If you trust NIST, this is fine.

  • I bought two different Bluetooth controllers from them. The first one had a known issue with the shoulder buttons. Like an idiot, I bought a second one. Same problem. SteelSeries support told me it was a known issue and they wouldn’t do shit.

    I refuse to support SteelSeries.

  • Your response was to call my argument sarcasm. That is directed at me rather than what I said. That’s quite literally, not figuratively, the definition of sarcasm.

    I wish you the best of luck. You don’t seem to be interested in the comments unless they agree with you and you have yet to share a perfect resource. Have fun!

  • I took the things defined in the comments responding to mine and extended them. If we can’t share a mixed bag, all of the things I highlighted are out. It would be logically inconsistent to think otherwise starting from your conclusions. Either we have perfect resources or we have, as I called out, to pick and choose our battles. I want to see a perfect resource not ad hominem.

    Edit: genuinely surprised to see someone on a CS instance not understand reductio ad absurdum/impossibile (depending on how you feel about Gang of Four)

  • I’m all for it! What’s the resource that solves this problem?

    It must be perfect since we can’t ever give mixed bags of advice. There are apparently better resources although I didn’t see one in the article and things like Code Complete and Pragmatic Programmer address a lot of the same things. Hell, we probably shouldn’t talk about The Mythical Man-Month anymore either. Do we also throw out Design Patterns since singletons are arguably bad design these days?

  • I feel like it’s wrong to idolize anything in the same way that it’s wrong to throw out many things (there are some clear exceptions usually in the realm of intolerance but that’s unrelated to this). Clean Code, like every other pattern in software development, has some good things and some bad things. As an introduction to the uninitiated, it has many good things that can be built on later. But, like Gang of Four, it is not the only pattern we apply in our craft and, like Agile, blind devotion, turning a pattern into a prescription, to Clean Code is going to lead to a lot of shit code.

    Cognitive load helps us understand this problem a lot better. As a junior with no clue how to write production code, is Clean Code going to provide me with a decent framework I can quickly learn to start learning my craft, should I throw it out completely because parts are bad, or should I read both Clean Code and all its criticism before I write a single line? The latter two options increase a junior’s extraneous cognitive load, further reducing the already slim amount of power they can devote to germane cognitive load because their levels of intrinsic are very high by the definition of being a junior.

    Put a little bit differently, perfection (alternatively scalable, maintainable, shipped code) comes from learning a lot of flawed things and adapting those patterns to meet the needs. I am going to give my juniors flawed resources to learn from to then pick and choose when I improve those flaws. A junior has to understand the limitations of Clean Code and its failures to really understand why the author is correct here. That’s more cognitive science; we learn best when we are forming new connections with information we already know (eg failing regularly). We learn worse when someone just shows us something and we follow it blindly (having someone solve your problem instead of failing the problem a few times before getting help).

    I’m gonna be super hand-wavy with citations here because this is a soapbox for me. The Programmer’s Brain by Felienne Hermans does a good job of pulling together lots of relevant work (part 2 IIRC). I was first introduced to cognitive load with Team Topologies and have since gone off reading a bunch of different things in pedagogy and learning theory.

  • What you’re describing is closer to the nuance I’m interested in than WotC’s settings. If you read some of the later Lolth stuff, it’s the exact opposite of that. Evil is bad and the justification for anything always involves this trite movement from evil to good. They’re not presented as counterbalances or equal combatants. Even evil characters seem to always be working under the assumption that good characters are ultimately better.

    The 40k universe has a lot of similarities. However, I’d argue its authors are somewhat better at presenting why Chaos is an equally valid choice or why the Orks can do whatever they want. There isn’t a clear choice (some authors are fucking terrible at this and drive WotC-style to the goodness of the Imperium).

    The only reason WotC has to remove alignment from races is because WotC has made it very clear there is the thing people should want and there is the thing people should not want. That’s not an even layout of nine alignments. That’s a huge bias and all of their content reflects that.

  • I think a huge problem with this is trying to frame everything through D&D as well as our perspective. Fuck modern D&D and its desire to control the entire dialogue. Wizards of the Coast aside, there’s also a fantasy component here. I personally dislike requiring all races to act exactly like humans with human motives. From a specific perspective, we view the wanton murder and sacrifice of wood elves by the drow as a terribly evil thing. From the drow perspective, why can’t the opposite be true? I’m not talking about Salvatore’s one-sided writing that makes it clear the whole thing is a massive con. D&D is very biased toward human motive and perspective. Why can’t both be true? Drow are evil to us and we are evil to them? That’s a much more interesting story and completely changes the narrative around someone like Drizzt.

    This is a really nuanced take on speculative fiction in general. I also strongly feel that, the way WotC writes things, removing racial alignment is very important. There is no nuance in their universe. Even when we see other races, we always evaluate their action through a human lens rather than being presented a cogent paradigm contrary to ours.

  • The Delta board post doesn’t contradict the accusations at all. It’s possible for that person to have worked through the night and for Delta to still be overly fucked. Direct contradiction is going to involve receipts. DeWalt specifically has a vested interest in the appearance of cybersecurity success as his firm, NightDragon, is heavily invested in cybersecurity and probably upsells for CrowdStrike.

    Without receipts, we just have two very shitty companies taking swings at each other in the media. We should hate both for their exploitation and wait for receipts that will come with discovery.