gav commented on Why your outdoorsy friend suddenly has a gummy bear power bank   theverge.com/tech/781387/... · Posted by u/arnon
usrusr · 3 months ago
And if soldering is beyond your optimization ambition, there's aliexpress where you can find small USB-PD adapters for most electric shavers. It's little niche innovations like this that drive my ordering flow, not saving a few cents.
gav · 3 months ago
For those that want to travel light the Panasonic MultiShape[1] is great as you can share one rechargeable base with multiple tools. It is annoying as it's not USB, but inexpensive cables are available[2] and work great.

[1] https://shop.panasonic.com/pages/multishape
[2] https://www.amazon.com/dp/B0CMGQWM1B

gav commented on Writing "/etc/hosts" breaks the Substack editor   scalewithlee.substack.com... · Posted by u/scalewithlee
ta1243 · 8 months ago
What is their desired behaviour if not a 404? A 500? a FIN? a RST?
gav · 8 months ago
The desired result is a 500 so it's possible to audit.

As much as this is a pain, the alternative can be more painful.

I used to have a client that would forward me an email from their security team every six weeks saying "we found a SQL injection issue with your site, can you look into this and confirm that it's fixed?" and I'd reply back saying "that's not possible" and they'd go "ok, we've marked this as a false positive".

Eventually I got bored of having the same conversation over and over, so I asked them to show what they were finding. It turned out their scan would do the following:

  import requests

  html1 = requests.get("https://example.com/search?query=test").text
  html2 = requests.get("https://example.com/search?query=test' or 1=1--").text
  # any difference in the returned page is treated as proof of SQL injection
  if html1 != html2:
      sql_injection_vulnerable = True
Which of course is total nonsense, just because it returns different content doesn't mean anything.

This is a perfect use case for a WAF, I can stick one in front and then have it return 500s for all these requests and not worry about it any more.

In our case, we didn't have a WAF, but they had an obvious User-Agent, and it turns out that blocking all of their requests passed the scan too :)
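To show why "different content" proves nothing, here is an added, self-contained Python illustration (not the commenter's code and not the client's scanner). It builds two hypothetical search endpoints over an in-memory SQLite table, `safe_search` (parameterized) and `vulnerable_search` (string concatenation), then runs the scan logic from the comment (`naive_scan`) beside a triaged version (`triaged_scan`) that strips the echoed search term and compares the injected request against a benign control term instead of against the baseline. All names, the product rows and the control term are constructed for the example.

```python
import sqlite3
from html import escape

# Constructed product list so the whole example runs offline.
ROWS = [("widget",), ("gadget",), ("test",)]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", ROWS)
    return conn


def render(query, names):
    # Echoes the search term back, as most search pages do. This alone
    # guarantees that two different queries yield two different pages.
    items = "".join(f"<li>{escape(n)}</li>" for n in names)
    return f"<h1>Results for {escape(query)}</h1><ul>{items}</ul>"


def safe_search(query):
    """Hypothetical endpoint using a parameterized query: input never reaches the SQL text."""
    rows = _db().execute("SELECT name FROM products WHERE name = ?", (query,)).fetchall()
    return render(query, [r[0] for r in rows])


def vulnerable_search(query):
    """Hypothetical endpoint built by string concatenation, the bug the scan is hunting for."""
    sql = f"SELECT name FROM products WHERE name = '{query}'"
    rows = _db().execute(sql).fetchall()
    return render(query, [r[0] for r in rows])


PAYLOAD = "' or 1=1--"  # the string from the comment above


def naive_scan(fetch):
    """The client's logic: any difference between the two pages means 'vulnerable'."""
    return fetch("test") != fetch("test" + PAYLOAD)


def normalize(html, query):
    # Remove the echoed input so only the result set is compared.
    return html.replace(escape(query), "<input>")


def triaged_scan(fetch):
    """Compare the injected request against a benign control term that should
    also match nothing. A real injection changes the result set; a harmless
    'different page' looks exactly like the control once the echo is removed."""
    injected = "test" + PAYLOAD
    control = "testzzqx"  # constructed term that matches no product
    return normalize(fetch(injected), injected) != normalize(fetch(control), control)


if __name__ == "__main__":
    for name, endpoint in (("safe", safe_search), ("vulnerable", vulnerable_search)):
        print(name, "naive:", naive_scan(endpoint), "triaged:", triaged_scan(endpoint))
```

The naive check flags both endpoints, so its report carries no information; the triaged check flags only the concatenated one, because the parameterized endpoint returns the same empty result set for the payload as for any other non-matching term. The control-term comparison is still a heuristic (an endpoint that returns results for odd input could trip it), which is why a finding like this needs a human to look at the actual queries before it goes into a ticket.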

gav commented on Writing "/etc/hosts" breaks the Substack editor   scalewithlee.substack.com... · Posted by u/scalewithlee
paxys · 8 months ago
This isn't a "security vs usability" trade-off as the author implies. This has nothing to do with security at all.

/etc/hosts

See, HN didn't complain. Does this mean I have hacked into the site? No, Substack (or Cloudflare, wherever the problem is) is run by people who have no idea how text input works.

gav · 8 months ago
It's more so that Cloudflare has a WAF product that checks a box for security and makes people whose job it is to care about boxes being checked happy.

For example, I worked with a client that had a test suite of about 7000 or so strings that should return a 500 error, including /etc/hosts and other ones such as:

  ../../apache/logs/error.log
  AND%20(SELECT%208203%20FROM%20(SELECT(SLEEP(5)))xGId)
  /../..//../..//../..//../winnt/system32/netstat.exe?-a
We "failed" and were not in compliance as you could make a request containing one of those strings--ignoring that neither Apache, SQL, or Windows were in use.

We ended up deploying a WAF to block all these requests, even though it didn't improve security in any meaningful way.
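As an added illustration of the box-checking problem (this is not the commenter's code, the client's test suite, or any vendor's WAF), the Python below applies a constructed subset of signatures like the ones quoted above in two ways: `checkbox_waf` scans every part of every request, which is what turns a draft containing the text "/etc/hosts" into a 500, while `scoped_waf` keeps the same signatures on the path and query string but exempts the bodies of endpoints declared as free-text content. The endpoint paths, the `FREE_TEXT_BODY_PATHS` allowlist and the sample requests are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed subset of the kind of signature list the comment describes.
SIGNATURES = [
    r"/etc/hosts",
    r"\.\./",
    r"SELECT\s*\(\s*SLEEP\(",
    r"system32/netstat\.exe",
]
PATTERNS = [re.compile(sig, re.IGNORECASE) for sig in SIGNATURES]

# Hypothetical endpoints whose bodies are free-form user content that the
# application stores with parameterized queries and renders escaped, so a
# signature match there can only be a false positive.
FREE_TEXT_BODY_PATHS = (re.compile(r"^/api/v1/drafts/\d+$"),)


def matches(text):
    # Decode once so URL-encoded variants (like the AND%20(SELECT... string) are caught.
    return any(p.search(unquote(text)) for p in PATTERNS)


def checkbox_waf(path, query, body):
    """Applies every signature to every part of the request. This passes the
    compliance scan and also rejects any post that mentions /etc/hosts."""
    if matches(path) or matches(query) or matches(body):
        return 500
    return 200


def scoped_waf(path, query, body):
    """Same signatures on path and query; bodies of declared free-text endpoints are exempt."""
    if matches(path) or matches(query):
        return 500
    body_is_free_text = any(p.match(path) for p in FREE_TEXT_BODY_PATHS)
    if not body_is_free_text and matches(body):
        return 500
    return 200


# Constructed sample requests: (path, query string, body).
SAMPLE_REQUESTS = [
    ("/api/v1/drafts/123", "", "Edit /etc/hosts so dev.example resolves to 127.0.0.1"),
    ("/api/v1/settings", "", "log_path=/etc/hosts"),
    ("/../../apache/logs/error.log", "", ""),
    ("/search", "q=1%20AND%20(SELECT%208203%20FROM%20(SELECT(SLEEP(5)))xGId)", ""),
    ("/posts", "page=2", ""),
]


def compare(requests=SAMPLE_REQUESTS):
    """Returns (path, checkbox status, scoped status) for each sample request."""
    return [(p, checkbox_waf(p, q, b), scoped_waf(p, q, b)) for p, q, b in requests]


if __name__ == "__main__":
    for path, box, scoped in compare():
        print(f"{path:35} checkbox={box} scoped={scoped}")
```

Only the draft request changes status between the two: the traversal path, the encoded SLEEP query and the settings body are still rejected by both. Exempting a body field is only sound when the code behind that endpoint genuinely treats it as opaque text, so the allowlist is an application decision rather than something a WAF can infer from the request.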

gav commented on Freelancing: How I found clients, part 1   crocspace.substack.com/p/... · Posted by u/lzr_mihnea
3abiton · 10 months ago
I am curious about how you go for time estimate when you say a flat rate. I assume if a problem is difficult, this might become tough to gauge right?
gav · 10 months ago
To paraphrase a previous employer's strategy: fixed fee projects are for ones you plan to do over and over where it makes sense to invest in getting good at them.

The first one you lose a bunch of money, the second you might break even if you are lucky, and the tenth onward you make a bunch of money.

gav commented on SQL pipe syntax available in public preview in BigQuery   cloud.google.com/bigquery... · Posted by u/marcyb5st
harrall · 10 months ago
Plain transpiling won’t work because when you write a SQL query, you have to know what engine is running it because they all do worse at some things than others.

For example, the same result could be fetched using a correlated subquery, a common table expression, a temporary table, a view or very hackily using aggregation and it would depend on whether you were using SQL Server, Postgres, MySQL, or SQLite because they don’t do it all fast. …and you need to know the version.

This might be able to be solved if the language was a brand new higher level one though and the compiler knew the intricacies of each engine.

gav · 10 months ago
One example is LookML, which is used to build semantic data models in an analytic layer: https://cloud.google.com/looker/docs/what-is-lookml
gav commented on Developing Developers (2015)   felleisen.org/matthias/Th... · Posted by u/danielam
froh · a year ago
> There shouldn't be a lot of people that knows the Basic Dijkstra was talking about in an undergrad course in 2016.

please clarify.

few know basic in 2016?

few know Dijkstra said it in 2016?

in 2016 few knew that Dijkstra made the claim at some earlier point in time?

I don't understand what you want to say.

gav · a year ago
Dijkstra was talking about Dartmouth Basic in 1975:

  - Variables: Single letter, optional digit.
  - Control flow: FOR loops, GOTO for others.
  - Subroutines: GOSUB line, RETURN.
  - Parameters: Passed via global variables.
  - Functions: 26 (FNA–FNZ), one line each.
  - IF statements: One line only.

gav commented on Sitters and Standers   pudding.cool/2024/11/sitt... · Posted by u/feross
tarvaina · a year ago
Isn't white vs blue collar a latent variable? You have to operationalize it somehow. If you just ask "how blue collar are you?", people's answers will be influenced by all kinds of subjective biases.

I'd argue sitter vs stander distinction also makes this presentation more visceral, memorable and understandable. Collar color would feel unnecessarily abstract and boring.

gav · a year ago
When I had a blue collar job, my coworker used to divide jobs into "shower before work" and "shower after work".

It's perhaps less relevant now that a lot of people can roll out of bed and start their remote job in sweatpants, but it's stuck with me.

gav commented on California teacher dies from suspected rabid bat bite   ktla.com/news/california/... · Posted by u/Bender
IAmGraydon · a year ago
Go ahead and read up on what a death due to rabies is like. After that, you'll definitely never neglect to treat a wild animal bite seriously. It's the stuff nightmares are made of.
gav · a year ago
You need to treat any animal bite seriously.

I had to convince a coworker to go to the ER to have a cat bite looked at, and she ended up spending a couple of days in the ICU with the doctor being clear that delaying treatment another few days would have been fatal.


gav commented on No tax on tips: Why politicians love it, and economists don't   npr.org/2024/08/11/nx-s1-... · Posted by u/paulpauper
kogus · a year ago
If there is no tax on tips, what is to stop me as an independent contractor from charging $1.00 for all my services, and agreeing with a client that they'll just write in the "real" balance in the "gratuity" line that suddenly appeared on their invoice? Income is income. It should all be taxed the same. Which is to say, as little as possible.
gav · a year ago
I imagine that it would be along the lines of:

If you are a service worker earning less than $44,725 (the Federal 12% bracket) your first $10,000 of tips are tax free.

This would mean that an income of $40,000 including $10,000 tips would owe roughly $1,748 Federal tax vs. $2,820 tax.

u/gav

Karma: 1629 · Cake day: December 21, 2011
About
I work at making organizations better at digital, with a focus on content and commerce. One of my interests is "experience optimization": attempting to reduce the barriers to a sale by optimizing the entire purchase journey (from discovery to delivery and beyond).

I've been helping people sell online since 1995.

Currently based in Los Angeles, CA. Feel free to reach out if you ever want to discuss anything over coffee; I'm always in search of new stories and new ideas.

Contact: gavin@estey.com http://www.linkedin.com/in/gavinestey
