Hacker News | ipython's comments

This reply, while useful, only serves to obfuscate and doesn’t actually answer the question.

You can store the credentials in a key vault but then post them on pastebin. The issue is that the individual runner has the key in its environment variables. Both can be true: the key can be given to the runner in env and the key is stored in a key vault.

The important distinction here is: have you removed the master key and other sensitive credentials from the environment passed into scanners that come in contact with customer untrusted code?
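An added example (not from the comment or any project) of the distinction above: inspecting the environment a CI runner would hand to a scanner that touches untrusted code, and building an allowlisted environment instead. The variable names (MASTER_KEY, GITHUB_TOKEN) and the name-pattern heuristic are constructed for illustration.

```python
import os
import re
import subprocess
import sys
from typing import Dict, Iterable, List

# Heuristic: env var names that usually carry credentials (assumed pattern, not a standard).
SECRET_NAME_RE = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL)", re.I)

# Vars a scanner legitimately needs; anything else from the runner stays behind.
DEFAULT_ALLOW = ("PATH", "HOME", "LANG", "TMPDIR")


def find_credential_vars(env: Dict[str, str]) -> List[str]:
    """Return the env var names that look like they carry credentials."""
    return sorted(name for name in env if SECRET_NAME_RE.search(name))


def scrubbed_env(env: Dict[str, str], allow: Iterable[str] = DEFAULT_ALLOW) -> Dict[str, str]:
    """Build the env for the scanner: allowlist only, and never a credential-looking name.

    Fetching the key from a vault does not help if the runner then exports it to the
    process that runs customer code; the fix is to not pass it down at all.
    """
    allowed = set(allow)
    return {k: v for k, v in env.items() if k in allowed and not SECRET_NAME_RE.search(k)}


def run_scanner(argv: List[str], parent_env: Dict[str, str] = None) -> subprocess.CompletedProcess:
    """Start the scanner with a scrubbed env, refusing outright if anything secret slipped through."""
    env = scrubbed_env(parent_env if parent_env is not None else dict(os.environ))
    leaked = find_credential_vars(env)
    if leaked:
        raise RuntimeError(f"refusing to start scanner with credentials in env: {leaked}")
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed runner environment: the master key came from a vault, but it is sitting
    # in the runner's env, which is exactly what the scanner would inherit by default.
    runner_env = {"PATH": os.environ.get("PATH", "/usr/bin"), "HOME": "/home/runner",
                  "MASTER_KEY": "vault-fetched-example-value", "GITHUB_TOKEN": "example"}
    print("credential-looking vars in runner env:", find_credential_vars(runner_env))
    child = run_scanner([sys.executable, "-c", "import os; print(sorted(os.environ))"], runner_env)
    print("vars visible to the scanner:", child.stdout.strip())
```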


It used to be worse. I operate a VPN for my extended family, some of whom are deployed overseas at any time.

They would google for things and suddenly my ads would show nightclubs near them (thousands of miles from me) and Google’s default language would even change to the country they currently reside in. Just because the outgoing IP is shared across both users.

It’s actually gotten “better” but one could argue maybe they’re able to perform more precise targeting instead of throwing away signal.


> This is also a signal of what the “real cost” of these services will be once the VC subsidies dry up.

Sooooo true. Waiting for AI’s “Uber” moment, aka when Uber suddenly needed to actually turn a profit and overnight drivers were paid less while prices rose 3x.


I find list and dict comprehensions are a lot less error prone and more robust than the “manual” alternatives.

I would say unless you have a good reason to do so, features such as metaclasses or monkey patching would be top of the list to avoid in shared codebases.


> I find list and dict comprehensions are a lot less error prone and more robust than the “manual” alternatives.

I find them easier to understand and explain, too.


The backend can. But what’s exposed to customers will be a very very small subset of that capability. Hence why only the CSRs can perform that function.

The business undoubtedly did a crude cost/benefit analysis where the cost to expose and maintain that public interface vastly outstrips the cost for the few people that have to call in and change their name.


> The business undoubtedly did a crude cost/benefit analysis where the cost to expose and maintain that public interface vastly outstrips the cost for the few people that have to call in and change their name.

Haha, not likely.

In reality the org is so drowned in technical debt that changing the last name involves manually running 3 different scripts that hit three different DBs directly and the estimate from the 3rd party dev consultancy that maintains the mess for how long it'd take to make a safe publicly usable endpoint is somewhere between 2 years and forever.


Sounds like a crude cost/benefit analysis to me :-p

OK, so why not have a customer support bot add the “operation description” into a message queue (SQS, Kafka, whatever) if a formal API doesn’t exist for that operation? The CSRs can then handle that task async and the customer can get an SMS / email when their request is fulfilled. Why force things to be synchronous and irritate the customer?

It’s not exactly a difficult design problem. Unless I’m missing something.


Totally not the actions of a shady company with cowboy culture built in from the top: https://www.reuters.com/technology/tesla-workers-shared-sens...

What is “deboosting”? If I own a social media site wouldn’t you argue that I should be able to control what content I “boost” in the first place? Am I forced to compulsorily “boost” your content? In which case wouldn’t that mean I am “censoring” the PoV of the social media company?

Can you share the topic contents that are subject to your accusations? If you’re able to share them here without fear of government reprisal then I would argue that’s not censorship.


A current example would be TikTok artificially boosting ICE-related challenges.

Why? Because it makes searching for Immigration and Customs Enforcement content much more difficult. It lowers the social temperature and stops it from metaphorically boiling over.

Is crowding out content censorship? Who knows. If tilting feeds in one direction and away from another has the same effect and isn't censorship because of a definitional technicality, does it really matter?


> If I own a social media site wouldn’t you argue that I should be able to control what content I “boost” in the first place? Am I forced to compulsorily “boost” your content? In which case wouldn’t that mean I am “censoring” the PoV of the social media company?

That sounds cool as long as you forfeit your Section 230 rights since at that point you’re more of a newspaper than a social network.

Yes, I know all social networks do this currently which is why they should all lose their Section 230 rights.


>If you’re able to share them here without fear of government reprisal then I would argue that’s not censorship

I mean, the definition of censorship is far larger than just that, and what you're talking about is its more extreme form.

Moreover, you ignore all the subtlety and nuance of modern censorship. The government doesn't need to attack you directly, they just tell the large companies that contract with the government they can't do business with companies that do certain things. Or they tell payment processors that businesses that are 'high risk' need to be audited more and will invite more government intervention, in which case the payment processors just drop said businesses.

I mean, if you were on a corner protesting, then the government came in and closed the roads and routed all traffic around you so no one saw you, it would be really sus, right?


I think we are starting to see that under the current administration, yes. But the question was: does it rise to the level that the Chinese have? I argue no.

I also worry about some sort of policy where a site “must” carry content. That has its own risks as well, which should be obvious.


Really? Who do you think Douyin hires to perform content moderation, for example?

https://dl.acm.org/doi/10.1145/3706598.3714013

Also, don’t forget to obtain your ICP license from the government before establishing a website in the mainland!


I am torn. I see this argument and intellectually agree with it (that interfaces need to be more explicit). However it seems that every time there is a choice between “better” design and “good enough”, the “good enough” wins handily.

Multics vs Unix, XML-based SOAP vs JSON-based REST APIs, XHTML’s failure, JavaScript itself, … I could keep going on.

So I’ve resigned myself to admitting that we are doomed to reimplement the “good enough” every time, and continue to apply bandaid after bandaid to gradually fix problems after we rediscover them, slowly.


It's the old Worse is Better observation, which is 36 years old now:

https://en.m.wikipedia.org/wiki/Worse_is_better

It's been confirmed over and over since then. And I say that as someone who naturally gravitates towards "better" solutions.


It depends on system boundaries. If an actor doesn't face the consequences of a decision, but another does, that's an externality. When externalities are present, it is often rational (narrowly speaking) for an actor to accept designs that look awful from a broader perspective.

In other words, many technical problems flow rather predictably from decision-making boundaries that don't internalize the externalities.

Ever heard someone say "if you care about X, run for office"? The same applies to technology. If one cares about good designs, one must promote organizational and societal structures that actually have a fighting chance at bringing those about.

The days of nerds and hackers not caring about broader dynamics and structures are long gone. Sitting back and letting the business folks have control is fine if you want them to optimize for the existing incentives. But if you want to change the rules of the game, you gotta jump in at the deep end.


Obligatory minute of silence for XForms 2.0.

The world we could have lived in... working web form validation, working microdata...


They don’t say what the kWh usage is, just that the electricity cost in $$ is over $1000 on the highest month. For a unit surrounded by what should be other conditioned spaces, that’s insane to me.

A quick web search indicates that NYC $/kWh is about 31c. So that’s 3225 kWh in one month! My standalone house plus pool pump, dual zone AC, and EV charger doesn’t even come close. Clearly there is a major insulation issue which is the root cause and everything else is just trying to put bandaids on an arterial bleed.


FTA:

> We do have bad aluminum-framed windows, and we also have no insulation in our ceiling, so maybe all the heat goes to our upstairs neighbors. I also have various fans sucking air out of the apartment non-stop, one in each bathroom and one from the clothes dryer (when I hold an incense stick up to it I can see it pulling in air even when it’s not running), plus I have an elevator that opens into the apartment which might have a chimney effect.

They not only have zero insulation, they have negative insulation. They would have saved more money/energy by simply stopping all the heat/cold loss. And (at least in my state) they'd still get rebates for installing new insulation.


There is something seriously wrong with this person’s apartment.

I have a three-bed circa 1897 co-op in Brooklyn. We have the leakiest windows this side of the Mississippi with multiple in-window air conditioners and my bill never goes above $450 in the summer (that’s probably about 250-300 in comparable usage for the middle of the country).


Yeah, we live far north of NYC where it gets much colder, and have never spent nearly that much on heating. Even when we lived in a converted barn from the 1930s with single pane windows and no wall insulation, the most we ever spent was about $500/month. Now (new construction, triple-pane windows, ground-sourced heat pump) it’s more like $80/month.

I have a 4,000 square foot house with two central air conditioners and a swimming pool. I don't think I've ever paid more than $350 a month.

Old brownstone apartments probably had poor insulation. Add to it that Brooklyn electricity charges are much higher than the New York average.

If they're paying $1000/month at 30c/kWh, they could quite nearly run the latest over-the-counter bitcoin miner 24/7 with that amount of electricity usage.

They have terrible insulation.


They had a unit that uses resistive heating if it gets too cold instead of the heat pump, which adds up in the cold NY winters, I'd gather.
