verandaguy commented on ULID: Universally Unique Lexicographically Sortable Identifier   packagemain.tech/p/ulid-i... · Posted by u/der_gopher
elias1233 · 6 days ago
I have always been a bit hesitant to use UUIDs with timestamps as it can be a security issue if the IDs are public. For example getting the age of a user account just from the id. I will say, however, that I have not heard of any major incidents stemming from this.
verandaguy · 6 days ago
The classic solution to this is to have an internal ID (UUIDv7 if you want to use UUID, nice for indexing in newer databases) and an external ID (UUIDv4 or similar) which doesn't leak information to the outside world (but which otherwise doesn't offer any benefits at the storage level).
verandaguy commented on The web runs on tolerance   shkspr.mobi/blog/2025/12/... · Posted by u/speckx
ktpsns · 12 days ago
The older ones among us remember when XML took over the world and everyone was supposed to use strict XHTML. It turned out that the strength of the HTML ecosystem was its fault tolerance. HTML4 was the "sloppy" answer to XHTML. It brought HTML back from a data language to a markup language. Every Markdown parser is similarly fault-tolerant, like HTML parsers.

However, CSS and JS are not error-tolerant. A syntax error in a CSS rule causes it to be ignored. An unhandled JavaScript exception is a hard stop. This way, the web does not run on tolerance.

verandaguy · 7 days ago
Funny enough my impression of JS (the kind you'd write in 2007 more than the type you see now, mind you) is that it's remarkably tolerant; many idioms and operations which would cause, in other languages, runtime errors or compile errors, would just get steamrolled over in JS because of just how much built-in flexibility the uber-weak type system (plus liberal use of the prototype pattern in the stdlib) allows for.

- Wanna subtract a string from a number? That's not a type error, that's a `NaN` -- which is just a perfectly-valid IEEE 754 float, after all, and we all float down here.
  - Hell -- arithmetic between arbitrary data types? Chances are you get `[object Object]` (either as a string literal or an *actual* object), which you can still operate on.
- Accessing an object field but you typoed the field name? No worries, that's just `undefined`, and you can always operate on `undefined` values.

Frankly, while I haven't had a frontend focus in about 15 years, I struggle to think of any situation where calling a stdlib function or standard language feature would result in an actual exception rather than just an off behaviour that'll accumulate over time the more of them you stack on each other. I guess calling an undefined variable is a ReferenceError, but beyond that...

(This comment shouldn't be taken as an endorsement of this school of language design)
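The behaviours listed in the comment above, as an added example that is not part of the comment. It is Node.js code I wrote for this page: `coercionSamples` returns the values JS hands back where other languages would raise, and the two `*Total` functions show the practical consequence, a bad input that silently becomes `NaN` and then passes a `> budget` check, next to a boundary check that fails loudly instead. The cart items and budget are constructed inputs.

```javascript
// Added example (not from the thread): the silent coercions the comment lists,
// and why they matter for validation. All inputs below are constructed.

// Each property is the value JS produces instead of raising an error.
function coercionSamples() {
  const typo = {};                       // field name typo -> undefined
  return {
    numberMinusString: 10 - "abc",       // NaN, not a TypeError
    objectPlusObject: ({}) + ({}),       // "[object Object][object Object]"
    missingField: typo.nmae,             // undefined
    undefinedArithmetic: undefined + 1,  // NaN again; nothing stops here
  };
}

// "Tolerant" total: a stringly-typed quantity never errors, it produces NaN,
// and NaN compares false against any limit, so the budget check passes.
function tolerantTotal(items, budget) {
  let total = 0;
  for (const it of items) total += it.price * it.qty;
  const overBudget = total > budget;     // NaN > budget === false
  return { total, overBudget };
}

// Boundary check: refuse anything that is not a finite number before it
// enters arithmetic, so the failure is loud and local instead of showing up
// many steps later as a NaN nobody can trace.
function strictTotal(items, budget) {
  let total = 0;
  for (const it of items) {
    for (const [k, v] of Object.entries({ price: it.price, qty: it.qty })) {
      if (typeof v !== "number" || !Number.isFinite(v)) {
        throw new TypeError(`item.${k} must be a finite number, got ${typeof v}`);
      }
    }
    total += it.price * it.qty;
  }
  return { total, overBudget: total > budget };
}

module.exports = { coercionSamples, tolerantTotal, strictTotal };
```

The `typeof` plus `Number.isFinite` pair is the minimum that stops both coercion (`"7"` is a string, not a number) and the IEEE 754 escape hatches (`NaN`, `Infinity`) from reaching a comparison that is supposed to enforce a limit.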

verandaguy commented on YouTube Removes Windows 11 Bypass Tutorials, Claims 'Risk of Physical Harm'   news.itsfoss.com/youtube-... · Posted by u/WaitWaitWha
RobotToaster · a month ago
They want everyone to have neo-clipper-chip "TPM"s.
verandaguy · a month ago
I've had to learn about TPMs to figure out if they're the right technology with which to integrate a product I've worked on. I don't agree that they're a "neo-clipper-chip" in any real way based on my exposure to them.

While I'm not a cryptographer... I never really understood the appeal of these things outside of one very well-defined threat model: namely, they're excellent if you're specifically trying to prevent someone from physically taking your hard drive, and only your hard drive, and walking out of a data centre, office, or home with it.

It also provides measured boot, and I won't downplay it, it's useful in many situations to have boot-time integrity attestation.

The technology's interesting, but as best as I can tell, it's limited through the problem of establishing a useful root-of-trust/root-of-crypt. In general:

- If you have resident code on a machine with a TPM, you can access TPM secrets with very few protections. This is typically the case for FDE keys assuming you've set your machine up for unattended boot-time disk decryption.

- You can protect the sealed data exported from a TPM, typically using a password (plus the PCR banks of a specific TPM), though the way that password is transmitted to the TPM is susceptible to bus sniffing for TPM variants which live outside the CPU. There's also the issue of securing that password, now, though. If you're in enterprise, maybe you have an HSM available to help you with that, in which case the root-of-crypt scheme you have is much more reasonable.

- The TPM does provide some niceties like a hardware RNG. I can't speak to the quality of the randomness, but as I understand it, it must pass NIST's benchmarks to be compliant with the ISO TPM spec.

What I really don't get is why this is useful for the average consumer. It doesn't meaningfully provide FDE in particular in a world where the TPM and storage may be soldered onto the same board (and thus impractical to steal as a standalone unit rather than with the TPM alongside it).

I certainly don't understand what meaningful protections it can provide to game anti-cheats (which I bring up since apparently Battlefield 6 requires a TPM regardless of the underlying Windows version). That's just silly.

Ultimately, I might be misunderstanding something about the TPM at a fundamental level. I'm not a layperson when it comes to computer security, but I'm certainly not a specialist when it comes to designing or working with TPMs, so maybe there's some glaring a-ha thing I've missed. But my takeaway is that it's a fine piece of hardware that does its job well, but its job seems too niche to be useful in many cases; its API isn't very clear (suffering, if anything, from over-documentation and over-specification), and it's less a silver bullet and more a footgun.

verandaguy commented on Becoming a compiler engineer   rona.substack.com/p/becom... · Posted by u/lalitkale
munificent · a month ago
> I'm a bit shocked that it would take significant effort/creativity for an MIT grad with relevant course/project work to get a job in the niche

That bit was heartbreaking to me too. I knew the economy was bad for new grads but if a double major from MIT in SF is struggling, then the economy is cooked.

verandaguy · a month ago
While the economy's definitely in a shitty spot (and IMO heading towards shittier), I wouldn't necessarily take this specific line as a sign of the times. The author does outline reasons why demand for compiler engineers (and junior ones in particular) is likely low in her post.

Compiler development is (for better or worse) a niche that favours people who've got real-world experience doing this. The traditional ways to get in have either been through high-quality, high-profile open-source contribs, or because your existing non-compiler-dev job let you inch closer to compiler development up until the point you could make the jump.

As the author noted, a lot of modern-day compiler work involves late-life maintenance of huge, nigh-enterprise-type code bases with thousands of files, millions of LOC, and no one person who has a full, detailed view of the entire project. This just isn't experience you get right out of school, or even a year or two on.

Honestly, I'd say that as a 2023 grad with no mentors in the compiler dev space, she's incredibly lucky to have gotten this job at all (and to be clear, I hope she makes the most of it, compiler dev can be a lot of fun).

verandaguy commented on After nine years of grinding, Replit found its market. Can it keep it?   techcrunch.com/2025/10/02... · Posted by u/toomanyrichies
ChadNauseam · 2 months ago
Ironically, especially when you combine it with the em-dash, it really sounds like exactly the type of completely pointless and unilluminating analogy that LLMs love to generate. These analogies are essentially a bridge between two concepts, much like how a physical bridge connects two pieces of land separated by water, except in this case the 'water' is understanding and the bridge doesn't actually help you cross it.
verandaguy · 2 months ago
Well done
verandaguy commented on Signal Protocol and Post-Quantum Ratchets   signal.org/blog/spqr/... · Posted by u/pluto_modadic
saurik · 2 months ago
I am struggling to believe that the Roman Empire reference for this acronym is "so obvious". I do know about the meme: in fact, what struck me so hard about this is how, for a protocol where you'd almost expect it to be hard for them to avoid the acronym "SPQR" (as, even if it were not Sparse, it is made by Signal; I could even see them having started with Signal and decided to remove their brand from the acronym), there are not one but two top-level posts on Hacker News where "speaker" seems to have wooshed over their head and somehow this extremely niche acronym from the Roman Empire is clearly the reason why this is called SPQR. Is the tech community on Hacker News really this stereotypical?
verandaguy · 2 months ago
I dunno, SPQR is fairly obvious for anyone who covered Rome in elementary or middle school history.

Beyond that, if you’re from the part of the world where Asterix comics were popular (mostly the Francosphere, but also Europe more broadly), it really stands out.

That’s all to say nothing of people who’ve got formal higher education in history or even the classics.

verandaguy commented on Why is Windows still tinkering with critical sections? – The Old New Thing   devblogs.microsoft.com/ol... · Posted by u/OptionOfT
eterm · 3 months ago
Mutex isn't latin. The plural of mutex is mutexes.
verandaguy · 3 months ago
It’s a running joke in the field to have exotic pluralizations. Mutex->mutices is one, box->boxen (by analogy to oxen) is also pretty common.

We need more casual light-heartedness in this line of work considering how much casual bullshit there is.

verandaguy commented on Baldur's Gate 3 Steam Deck – Native Version   larian.com/support/faqs/s... · Posted by u/_JamesA_
rfarley04 · 3 months ago
I really appreciate this. But color me skeptical that the late game will work on SD. It chugs on PCs. Hopefully they conjured a miracle!
verandaguy · 3 months ago
I don't want to be one of those unbearable apologists in forum threads... but BG3's legitimately my favourite game, and IMO Larian have been excellent stewards, so I'll go up to bat for them here; have you played the newer patches?

For the first few months, act 3 (in the city) was legitimately hard to play. Performance, stability, visual glitches, all pervasive. But later patches did do a better job of improving those points.

Act 3's still the most intensive part of the game by far so on many setups it's still wise to at least crank down the crowd density, but it's come a long way since the launch version of the game.

verandaguy commented on LinkedIn will soon train AI models with data from European users   hostvix.com/linkedin-will... · Posted by u/skilled
OtherShrezzing · 3 months ago
As far as I can tell, LinkedIn's content is already 99% LLM generated posts.

The resulting models might be a terrible hybrid distillation of GPT5 and Claude with a strong preference for hustle culture & banal parables.

verandaguy · 3 months ago
Frankly, at this point, I’m here for an AI feedback loop leading into model collapse.

Let it burn.

verandaguy commented on The "most hated" CSS feature: cos() and sin()   css-tricks.com/the-most-h... · Posted by u/rapawel
falcor84 · 3 months ago
I actually am really looking forward to a future where we have better tooling for a true "user agent" that knows my preferences and can style every page automatically just the way I like it (and letting me override anything by asking it once and having it remember). I'm so tired of UX designers choosing things for me assuming I'm a 5-year-old.
verandaguy · 3 months ago
Two counterpoints to this.

- A good designer will be able to produce a page whose looks are appropriately engaging, complementary to the content, unique, and easy on the eyes. For every abrasive CSS (or lack thereof) justfuckingusehtml.com, there's a masterpiece like acko.net, many of which just aren't in the mainstream.

- If everything ends up looking the same, wouldn't that get... boring? I get the desire to avoid obnoxious design choices, but those obnoxious design choices are part of the web, and they should be embraced as part of the decision-making process about if and how you want to keep reading a site. A bit of friction is, IMO, a good thing when browsing the web. It's the minimum level of keeping the web an interactive medium rather than just a content pipe.

That said, you do you. You're well within your rights to browse the web how you want, up to and including using automation to re-style sites with extreme prejudice.

u/verandaguy

Karma: 2060 · Cake day: March 8, 2013
About
Toronto-based programmer focusing on special-purpose network applications on Linux. I hike and take landscape photos when I'm not writing software.