
For our corporate API, we use the Apiary markdown with aglio to convert into nice documentation. I've tried RAML (I didn't like the giant YAML file) and apidoc (I didn't like to put 100 lines of user documentation next to 20 lines of implementation). I use protagonist to convert the md file to JSON which my Python code can load and compare with the decorated API endpoints -- I can then verify they and all their parameters are properly documented. I don't use the fancy Apiary features yet.

reply


You never decrypt a password however. You only compare the hashed version of the claimed one to the stored hashed version, a one-way operation.

What could you do with a one-way encrypted phone number? I'm not able to enter a phone hash to make a call.

reply


Encryption isn't the same as hashing. Encryption is two-way.

The previous comment did make the encryption / hash distinction - though I can totally understand how his post might have been misread that he was recommending the same mechanisms for both sets of data.

reply


OK, so Slack stores a username, name and email address for each user. This is visible to everyone else in the same Slack team at minimum. You also need it for e.g. password resets, perhaps billing.

We can assume they aren't total idiots and there's an Internet-facing application server that connects to an internal-only database server that has this data. Also, assume SQL injection is not the attack vector.

How would you apply encryption to protect the username, name and email from an attacker that has gained access to the application server? I've gained some shell on the server and have 24 hours minutes to extract data. I can see all the files on the server but maybe as non-root but just the user that runs the application. How can you, as a security sensitive application developer, stop me if I've gotten so far?

reply


I wouldn't. I don't agree with his point either (see my response to him: https://news.ycombinator.com/item?id=9277659).

reply


I find the /etc/httpd/logs symlink more annoying. If you want to grep through your Apache configuration you have to explicitly grep through conf and conf.d; otherwise, if you just go to /etc/httpd and do a grep -r, you're searching through gigs of Apache logs.

reply


grep -r shouldn't follow symlinks, -R does however:

      -d, --directories=ACTION  how to handle directories;
                            ACTION is 'read', 'recurse', or 'skip'
      -D, --devices=ACTION      how to handle devices, FIFOs and sockets;
                            ACTION is 'read' or 'skip'
      -r, --recursive           like --directories=recurse
      -R, --dereference-recursive  likewise, but follow all symlinks

reply


requires someone to know there will be symlinks they don't want to follow, though :-)

reply
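The -r versus -R behaviour quoted above, checked on a constructed tree rather than on a real /etc/httpd (added example, not something posted in the thread): a fake httpd directory with a logs symlink pointing at a separate directory, and a count of how many files each flag matches. It assumes GNU grep, whose -r skips symlinks met while recursing and whose -R follows them; the directory names and the "needle" string are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway tree that mimics
# /etc/httpd with a logs -> /var/log/httpd symlink, then counts how many
# files each recursion flag matches. Assumes GNU grep.
set -eu

setup_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/httpd/conf" "$root/var_log_httpd"
    # the needle appears once in the config and once in a "log"
    echo 'ServerName needle.example.com' > "$root/httpd/conf/httpd.conf"
    echo 'GET /needle HTTP/1.1 200' > "$root/var_log_httpd/access_log"
    ln -s "$root/var_log_httpd" "$root/httpd/logs"
    printf '%s\n' "$root"
}

# count_matches FLAG ROOT: number of files under ROOT/httpd containing the
# needle when grep recurses with FLAG (-r or -R).
count_matches() {
    flag=$1
    root=$2
    # grep exits 1 when nothing matches; the pipeline's status is wc's, so
    # set -e does not abort here and an empty result simply counts as 0.
    grep "$flag" -l needle "$root/httpd" 2>/dev/null | wc -l | tr -d ' '
}

main() {
    root=$(setup_tree)
    echo "grep -r: $(count_matches -r "$root") file(s)  (conf only)"
    echo "grep -R: $(count_matches -R "$root") file(s)  (conf plus logs through the symlink)"
    rm -rf "$root"
}

main
```

Note the caveat from the reply above still stands: a symlink named on the command line (grep -r needle /etc/httpd/logs) is followed even with -r; only symlinks discovered during the recursion are skipped.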


I asked a few people that at the excellent pgnordic conference and got some hand-waving about how repmgr fixes everything: https://github.com/2ndQuadrant/repmgr/blob/master/QUICKSTART...

Having tried that out, I didn't find it particularly user-friendly compared to the various fancy NoSQL databases where it's just something like... database-server --connect the_master:12324 -- and you've got your cluster even with automatic replication of data depending on your sharding rules.

I suppose that ACID-SQL makes it harder to set this up reliably.

Is there one of the commercial things like EnterpriseDB that fixes that? Effortless, reliable clustering with a nice status that says: slave2 is 95% sync'ed with master1 ETA 2 hours.

reply


That's going to get you instantly arrested in Albuquerque, NM.

reply


They outlaw science there?

reply


Perhaps the opposite: Maybe he was referencing the physics research there?

reply


The current proposed hack to encourage them to use all the lanes is this: https://i.imgur.com/F8eKjp5.jpg -- periodic narrowing of the lanes so those that don't need to turn stay in the middle.

reply


Interestingly enough, while it looks bizarre in a video game, this is functionally how left/right turn bays work in some large urban one-way streets in real-life. See, for example, this NYC intersection: https://goo.gl/maps/SCFrQ . The left turn lane is a parking lane until one is within half a block of the intersection in question. While it isn't as extreme as 2 lanes to 6, it's very similar. So... is it a hack for the game, or is it a hack for real-life, or neither?

reply


I walk through that intersection most days. What they've done in NYC is interesting. That part of First Avenue used to be, like most in mid and upper Manhattan, six (or sometimes more) undifferentiated lanes.

The first change was the addition of dedicated bus lanes (right-most lane, painted reddish), complete with violation cameras and automated ticketing. This reduced competition among buses and cars -- in favor of buses, leading to somewhat better bus throughput. Cars now had five lanes -- although with parking in at least the left-most lane, and delivery trucks double-parked adjacent to the cars, more like three.

Then came the big bike lane initiative. In the book Traffic, by Tom Vanderbilt, some of the takeaways are that parked cars can form a buffer between flowing traffic and bike lanes, and that narrowing roads at intersections through the addition of islands with trees on them increases pedestrian safety (in no small part by reducing the speed of turning cars at intersections). To varying degrees they've applied these ideas -- the left-most lane is now entirely a bike lane (painted green, complete with its own traffic signals). Next to that is a dedicated parking lane -- yes, in lane two -- often buffered by concrete islands at intersections, with a tree or two. You can see this here [1]

Cars now have three or perhaps four lanes for general travel. For left turns, the bike and parking lanes are cut by a dedicated left-turn waiting lane [2] (usually with its own left turn signal, so left turners are not fighting pedestrians in the crosswalk).

On some avenues they then added "Select Buses", which work on a "trust-but-verify" honor system so riders can enter and exit quickly through any of three wide doors without queueing to dip a Metrocard.

Finally, they cut the city-wide speed limit to 25 miles per hour, adjusting the timing of avenue traffic signals accordingly.

The result of all this has been much gnashing of teeth and rending of garments, but as a whole it's made the city substantially better for bikers and pedestrians, and in many cases left turns are much easier for drivers.

[1] https://www.google.com/maps/@40.771088,-73.9538,3a,75y,53.97...

[2] https://www.google.com/maps/@40.771088,-73.9538,3a,65.7y,194...

[Edit: clarity]

reply


I've been casually following the same issues for a few years and this is a good summary.

reply


Stuff like that is pretty common in suburban Northern Virginia (for example). There are lots of busy roads with two lanes in each direction which expand to three, four, five, or even six lanes at intersections with dedicated turn lanes. I think the only reason that "proposed hack" screenshot looks so weird is because the distance between intersections is much, much shorter than it would be in real life, relative to the width of the road. For example, you can see it in action in various amounts for all four directions of this intersection:

https://www.google.com/maps/@38.9770719,-77.3149885,438m/dat...

But it doesn't look comical, because the roads are proportionately much more slender and the transitions more gradual.

I haven't played the game, but it sounds like it ended up being accurate here!

reply


It sounds like the game is inaccurate in how it models traffic, because in real life people do move out to make use of empty inner lanes (outer lanes? I can never remember). NB: I've not played the game so I'm not 100% on what the traffic problem is, exactly.

reply


The problem stems from the car AI being crazy aggressive in its lane switching. They will switch to the lane for their exit the instant they can, even if they still have to travel around the entire city to get to it. Leading to middle lanes not getting as much use (at least without careful planning to ensure there is something they can exit the road from the middle lanes with) and potentially large backups of a single line of cars waiting to turn right (even when the lane right next to it is also a right turn lane). They also cannot merge properly so I end up placing exits on both sides of my highways (for both incoming and outgoing traffic) with one side coming up and over the road to join into the other side's exit to limit congestion.

Not that any of these things are completely unrealistic but it is occasionally annoying when your traffic is backed up solely because they're ignoring the adjacent lane.

reply


I like http://www.halfbakery.com/ -- ideas there aren't quite serious.

-----


For algorithms, I like Skiena's Algorithm Design Manual. That's a practical-oriented book, where theoretical learning is mixed with anecdotes about real life problems solved.

The same cannot be said for TAOCP, but it certainly looks very good on a shelf. Practical usage? Limited. You don't need Knuth to learn basics of time complexity.

-----


For every other location BUT Africa you can get a speed test from this site: http://www.webpagetest.org/ -- this also lets you pick different browsers and run an initial + repeated (with something cached) test.

-----


Well, it's a client side library. By that reasoning, jQuery can be said to be vulnerable to XSS if you call .html() with untrusted user input. It seems reasonable to me that the label of each bubble can contain HTML code, it's up to the user to ensure any user input is escaped.

-----


Then, I think it should be documented.

-----


Agreed. In fact, to build on 'Erwin's example, jquery makes note of the potential for XSS when calling .html(), .append(), .after(), etc.[1]

> Do not use these methods to insert strings obtained from untrusted sources such as URL query parameters, cookies, or form inputs. Doing so can introduce cross-site-scripting (XSS) vulnerabilities. Remove or escape any user input before adding content to the document.

[1] http://api.jquery.com/html/

-----


Why doesn't jquery have taint-checking/tagging, at least for data brought in through jquery's methods that read from URLs, etc.

-----


Yeah, I'm having a hard time seeing this as having an XSS vulnerability in and of itself. If you're not escaping user input onto the page, it doesn't matter if some library is taking that data and wrapping it in a span. You're done far before you add a third-party javascript library.

-----


When I call that library, I shouldn't have to worry about the fact that it uses HTML. It is a leaky abstraction since a field that is, intuitively, supposed to be text for the label, is actually just treated as HTML for plain insertion into the page.

-----
