x0x0 commented on Avoid UUID Version 4 Primary Keys in Postgres   andyatkinson.com/avoid-uu... · Posted by u/pil0u
stickfigure · 4 hours ago
With a single sequence and a busy system, the ids for most high-level tables/collections are extremely sparse. This doesn't mean they can't be enumerated, but you will probably notice if you suddenly start getting hammered with 404s or 410s or whatever your system generates on "not found".

Also, if most of your endpoints require auth, this is not typically a problem.

It really depends on your application. But yes, that's something to be aware of. If you need some ids to be unguessable, make sure they are not predictable :-)

x0x0 · 2 hours ago
> Also, if most of your endpoints require auth, this is not typically a problem.

Many systems are not sparse, and separately, that's simply wrong. Unguessable names are not a primary security measure, but a passive remediation for bugs or bad code. Broken access control remains an OWASP Top 10 item, and IDOR is a piece of that. Companies still get popped for this.

See, e.g., Google having a bug in 2019, made significantly less impactful by unguessable names: https://infosecwriteups.com/google-did-an-oopsie-a-simple-id...

x0x0 commented on Avoid UUID Version 4 Primary Keys in Postgres   andyatkinson.com/avoid-uu... · Posted by u/pil0u
stickfigure · 8 hours ago
In Postgres I often like to use a single sequence for everything. It leaks some information yes but in a busy system it tends to be "obscure enough".
x0x0 · 6 hours ago
It's not leaking that's the concern. It's that not having the names of objects be easily enumerable is a strongly security-enhancing feature of a system.

Yes of course everyone should check and unit test that every object is owned by the user or account loading it, but demanding more sophistication from an attacker than taking "/my_things/23" and loading "/my_things/24" is a big win.
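A worked illustration of the point made in the two comments above (check ownership on every load, and don't make object names derivable by incrementing), added here and not code from the thread. The in-memory store, the `secrets.token_urlsafe` public id next to the sequential key, and the simple "not found" burst counter are assumptions for the demo:

```python
"""Added example: ownership-checked lookup by an unguessable public id.
The sequential primary key stays internal; only the random id appears in URLs."""
import secrets
from dataclasses import dataclass


@dataclass
class Thing:
    pk: int          # sequential primary key, never exposed in a URL
    public_id: str   # random, unguessable handle used by the API
    owner: str       # account that is allowed to load it


class ThingStore:
    def __init__(self):
        self._next_pk = 1
        self._by_public_id = {}

    def create(self, owner):
        thing = Thing(self._next_pk, secrets.token_urlsafe(16), owner)
        self._next_pk += 1
        self._by_public_id[thing.public_id] = thing
        return thing

    def load(self, public_id, account):
        """Return the object only if it exists AND belongs to `account`.
        Both failures collapse to None so the caller (and the HTTP layer
        mapping None to 404) cannot tell 'no such object' from 'not yours'."""
        thing = self._by_public_id.get(public_id)
        if thing is None or thing.owner != account:
            return None
        return thing


class NotFoundMonitor:
    """Counts 'not found' results per client; a burst is the cheap
    enumeration signal the first comment says you would notice."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = {}

    def record(self, client):
        self.counts[client] = self.counts.get(client, 0) + 1
        return self.counts[client] >= self.threshold


if __name__ == "__main__":
    store = ThingStore()
    mine, theirs = store.create("alice"), store.create("bob")
    print(store.load(mine.public_id, "alice"))      # the owner's object
    print(store.load(theirs.public_id, "alice"))    # None: wrong owner
    print(store.load(str(theirs.pk), "alice"))      # None: pk is not addressable
```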

x0x0 commented on Roomba maker goes bankrupt, Chinese owner emerges   news.bloomberglaw.com/ban... · Posted by u/nreece
SoftTalker · 9 hours ago
They could improve the design and get people to replace their machines with the improved ones, repeat and repeat.

Or they could sell the broken design and people would just buy more as they broke. They don't care if Costco was eating the cost with their in-house warranty.

The fundamental problem though is the same with all "household gadget" products. They look cool, and appear to solve a problem, but that is actually all a perception based on novelty. They actually don't work very well, they are not built very well, and they don't last very long. There's no point in improving them because the concept is fundamentally something people don't need in the first place.

Just buy a good canister vacuum and you're set for a decade or more. It will cost more than the latest gadget from Shark or Dyson or iRobot but it won't frustrate you and it will just reliably do what it is supposed to do without uploading anything to an IP address.

x0x0 · 7 hours ago
A Roomba, in a perfect world where it could avoid cat/dog toys scattered around the living room floor, makes pet ownership much more pleasant.
x0x0 commented on AI agents are starting to eat SaaS   martinalderson.com/posts/... · Posted by u/jnord
lateforwork · a day ago
This article made no sense to me. It is talking about AI-generated code eating SaaS. That's not what is going to replace SaaS. When AI is able to do the job itself — without generating code — that's what is going to replace SaaS.

AI-generated code still requires software engineers to build, test, debug, deploy, secure, monitor, be on-call, handle incidents, and so on. That's very expensive. It is much cheaper to pay a small monthly fee to a SaaS company.

x0x0 · 7 hours ago
The bit about building an internal app for, e.g., marketing or sales is super fun. Getting calls starting at 8am EST because they then (reasonably!) expect it to work, less so. Software still has an enormous KTLO tax, and until that changes, I'm skeptical about the entire thesis.

Not to mention the author appears to run a 1-2 person company, so ... yeah. AI thought leadership ahoy.

x0x0 commented on Shai-Hulud compromised a dev machine and raided GitHub org access: a post-mortem   trigger.dev/blog/shai-hul... · Posted by u/nkko
t0mas88 · a day ago
But the attacker could just create a branch, merge request and then merge that?
x0x0 · a day ago
We require review on PRs before they can be merged.
x0x0 commented on Apple has locked my Apple ID, and I have no recourse. A plea for help   hey.paris/posts/appleid/... · Posted by u/parisidau
tonymet · 2 days ago
What tools are you performing live backups with? I can think of rclone running, but gdrive/icloud doesn't send change lists.
x0x0 · 2 days ago
Google Photos deliberately broke all backup tools in March, so there's that.

Yes, you can still mostly do Takeout, but it's garbage. (Not incremental. Requires me to remember. Duplicates files for every album (total incompetence). Downloads regularly fail. Requires more room than I have on my Mac to decompress, so I have to put it on an external drive.)

x0x0 commented on Poor Johnny still won't encrypt   bfswa.substack.com/p/poor... · Posted by u/zdw
zbentley · 2 days ago
Perhaps it’s a marketing problem, then. Signal is marketed as a secure and full-featured alternative to things like WhatsApp and iMessage. Most people start reading that sentence after the word “secure”, and then are surprised and disappointed when a device replacement loses all their history.

I think it would be better if Signal more loudly communicated the drawbacks of its encryption approach up-front, warning away casual users before they get a nasty surprise after storing a lot of important data in Signal.

I’ve heard Signal lovers say the opposite—that getting burned with data loss is somehow educational for or deserved by casual users—and I think that’s asinine and misguided. It’s the equivalent of someone saying “ha! See? You were trading away privacy for convenience and relying on service-provider-readable message history as a record all along, don’t you feel dumb?”, to which most users will respond “no, now that you’ve explained the tradeoffs…that is exactly how I want it to work; you can use Signal, but I want iMessage”.

It shouldn’t take data loss to make that understood.

x0x0 · 2 days ago
Or compare the nasty surprises lurking in WhatsApp.

We'll see it intentionally backdoored this decade. Signal can afford to, e.g., tell the UK or EU to go fuck themselves. Meta won't.

x0x0 commented on Epic celebrates "the end of the Apple Tax" after court win in iOS payments case   arstechnica.com/tech-poli... · Posted by u/nobody9999
ralferoo · 3 days ago
Shared the same in a comment below, but probably worth adding as a top level comment.

Google are doing exactly the same as Apple previously were doing, mandatory from end of next month - January 28, 2026.

Their new requirements: https://support.google.com/googleplay/android-developer/answ...

x0x0 · 3 days ago
The US court order still remains in effect afaik, so not in the US.

https://support.google.com/googleplay/android-developer/answ...

x0x0 commented on Is it a bubble?   oaktreecapital.com/insigh... · Posted by u/saigrandhi
simianwords · 5 days ago
Why not? AI assisted shopping for example will boost growth. Productivity also boosts growth.
x0x0 · 5 days ago
How does AI assisted shopping create more economic activity? Even assuming you can do it, and people do find it helpful, it likely just shifts who people buy from, not how much?
x0x0 commented on How Google Maps allocates survival across London's restaurants   laurenleek.substack.com/p... · Posted by u/justincormack
shermantanktop · 5 days ago
A tone of breathless wonder is now the coin of the realm. Quality research and interesting analysis gets the same treatment as everything else, because that's what gets clicks and responses. Dinging an individual article for this is arbitrary and capricious.

Don't hate the player, hate the game. I hate the game too, fwiw.

x0x0 · 5 days ago
Still a lie though. If you don't know / aren't familiar with a ranker, the author is priming you through the entire article to believe Google is doing something wrong or malicious by ranking the results, rather than the same thing search engines have been doing for 30 years. Whether their ranker is good or bad (and for whom) is separate.

Including, of course, the way many popular chain restaurants got there is they make food a lot of people like.

u/x0x0 · Karma 9490 · Cake day May 29, 2013