Israel is geographically pretty small though -- I'm guessing you could live an hour up or down the coast and have it be an outrageous commute for people accustomed to the Bay Area?
Disclaimer: I am NOT a big company guy, and I generally fight tooth-and-nail against the enshittification that happens when startups grow beyond a certain point, so I've got a bias here.
I think, for once, pg is dead-on with this post, and I'm glad it's being brought to light. Too many managers and founders live in fear of the dreaded "micromanager" label and stand back and watch their companies turn to crap.
The thing is - if you have a vision for what's needed to make your product or company truly successful and the people working for you aren't hitting the mark, you have to get in the trenches and make it work.
Here's the dreaded scenario:
Your company is working on a new product (or a new version or whatever) and you, the stalwart CEO, have left it to your team to build without getting too into the mix lest you be labeled a micromanager. It's not going in the right direction and for whatever reason it's not hitting the mark.
Do you have the cojones to tell the team to go back to the drawing board, even if your delegated manager thinks it's going well? The launch will be late, the team will be annoyed ("Damn that CEO getting into our business again"). I bet a lot of CEOs don't, and this is why companies turn to crap over time. pg's point here is that the CEO needs to be willing to think like a startup CEO and be willing to go into founder mode and get his or her hands dirty to make sure the product nails it.
I’m a tech nerd rare coin & currency dealer! I took my two hobbies and combined them into a real business and I’m having the time of my life. Just launched a proper retail site here:
About 50% of my days are spent doing the coin dealer stuff - hunting for inventory, buying collections/doing appraisals, going to coin shows and buying and selling in person, etc.
The other 50% I’m writing code and building out the tech stack for this business. I’ve written the whole backend for the retail site myself, which includes my own inventory management system, sync with eBay and other marketplaces, etc.
I’ve also built out a research tool which includes an ML price prediction engine (which sounds fancy but is really just a tabular regression model).
Backend is written in Crystal because I love the language and there’s nobody stopping me from using it :) Frontend is all Svelte and they’re glued together using a mini framework I wrote:
I probably have 5 years worth of ideas I still want to build and I wish I could spend even more time building it all, but it’s super fun actually using it in the real live marketplace so I’d never give that up.
Happy to chat about this stuff with anyone who’s interested or vaguely interested in numismatics.
I have a question - I've seen TikToks of people who buy rolls of coins from the bank and sort through them for rare imperfections then sell them on eBay. I've always wondered whether it would be possible to develop an automated system where a camera takes high res photos of the coins on a conveyor belt, compares to a DB of known imperfections and sets them aside?
Is anyone doing this? It's an interesting business model as the product is money so you'd only stand to make a profit never a loss.
Nobody that I know of is doing this, and I see no reason why it wouldn't be possible from a technical standpoint. I think the only reason I can imagine NOT to do it is that the ROI probably isn't that high in reality. Now, granted, I don't watch the coin TikToks because 95% of it is clickbait, exaggeration, etc. But my actual impression is that there simply isn't that much actually-valuable material out there hiding in bank rolls (despite what TikTok says).
Most of the people I know who do bank roll hunting are doing it because it's just kinda fun and there's a thrill when you find a silver quarter from 1964 (worth about $5) hiding in a roll of otherwise-normal quarters. But so much of the good stuff has already been plucked from circulation.
Having said that, nothing should stop a good hacker from doing something just for the hell of it :)
do you know why vendors take credit cards, square and applepay, even though those services charge several percent fees? part of it is for convenience for the customer, but another part is that shuttling cash around to the bank and back is time consuming, risky, and takes you away from running your business (let's say you are a breakfast place, you don't make your own cups and napkins or farm your own eggs and coffee either)
>product is money so you'd only stand to make a profit never a loss
you're grabbing the expense part of the business that everybody else is trying to shed. Let's talk also about time value of money. All the money that you've invested in cash is not making money passively as other investments do. Compared to putting the money in the stock market, you're losing 7% a year on this scheme, plus the expenses of running your business, and opportunity cost of not doing something else that generates income.
I did this for personal collections a while back and went through a lot of Canadian quarters to get one from each year and never even found the 1991 I was looking for which is somewhat rare. I guess if you do it full time or automate a bunch maybe you could make money, seems hard though.
One of my favorite design elements is the Guilloche patterning on currency, along with the history behind the use of Guilloche as a form of anti-counterfeiting.
Your site is very simply visually appealing.
Also - I like to order $2 bills from the bank. You can order them, mine delivers them on Tuesdays - and they give you a stack of brand new $2 sequentially serialized bills. They are great for tips and gifts.
100% agree! I often get folks asking if their $2 are valuable, and tell them exactly what you do -- no, alas, they're not worth more than $2, but they are super fun to leave as tips because people still get a kick out of 'em.
Infra: I was hosted on Google Cloud for a while -- literally a single VM running Docker Compose, but I decided I wanted something a bit more flexible and interesting, so last month I switched everything over to Fly.io and I am incredibly happy with them. It's just so easy and fun to manage.
The retail site (rarity7.com) is just a small VM running a Crystal server process to handle web requests. Image hosting is all done on Cloudinary. My backend / inventory management / trading + research engine is a separate Crystal process in a separate VM. Both connect to a Fly Postgres DB. There's one other service which is a small python process on another VM which is doing inference on my regression model. That's super lightweight and I don't need any GPUs to do the inference (tabular data is nice like that).
Overall it's really nothing fancy and it works quite well. A few web-serving VMs and an inference service for my pricing model. I train/retrain the model a few times a year on a local box (my repurposed gaming rig running a 2080Ti).
I did it all in about 2-3 years. I was a big collector as a kid but didn't get back into it in a serious way until 2021. Becoming an authorized dealer is basically, fundamentally about building trust. The whole coin industry operates in a very old-school relationship-based trusted way. To become a member of most professional orgs or become an authorized dealer, you need to have 5-10 VERY solid references from other members or authorized dealers, and the only way to get those references is to be a part of the community, build trust, and build relationships by doing business with others (which means honoring your commitments and your word and writing good checks, etc.). In the end, you need to ask 5-10 people to personally vouch for you, so they'd better know you and actually trust you.
This is great, my brother is a history buff and a few years ago I bought him a Hadrian coin for his birthday. I'll look through this and see if I can find something else he'd be interested in, holidays are coming up and I'm always looking for nice gifts.
EDIT: is there any way I could set up an alert for when you add some non-US currency into stock?
That's awesome and a very thoughtful gift for him! Yes I'm planning on building alerting - BUT - I'm probably not going to expand beyond US-based stuff for the foreseeable future. It's just the niche I know and even though there's a big wide world out there, I haven't spun up my brain to learn about it all yet.
If there's any country in particular you're looking for, shoot me an email. I know a ton of other dealers in the business and I'd be happy to point you to someone who might have something he'd enjoy.
Awesome -- thanks! Tell your son to join the Instagram coin community if he hasn't done it already - there are tons of kids & adults on there and it's a real community that meets up regularly at coin shows, etc. Send me an email and I can give you a heads-up on some starter accounts to follow and get involved.
So let's say I have a few hundred silver dollars. Is this a tool to help me sort them, or does such a tool exist? Like take a picture and it identifies it, looks for common errors, and provides a base price estimate?
There really should be, but the fact is there isn't a tool that does this yet. It would not be deeply hard to build, but it would mean training a model which means getting good enough training data which means taking the time to actually do it. It hasn't been done because it requires someone who is deeply knowledgeable about coins AND someone who knows how to train a model and build an app, and the fact is that intersection is pretty small (it's me and probably 20 other people? Give or take). This is very much on my long-term roadmap.
In the short term, the easiest way is to find someone who does this (eg me) and just email me some pictures. I'd be happy to tell you if you've got anything good. The old school neural net between my ears can assist.
That's fair. I have to imagine that there's a market for a product like that. My mind goes to auctioneers and estate sales. I know the local auctioneer would kill for a tool like that.
Something to keep in mind if you do build that: have a one time purchase or month long purchase option. When my wife's grandma died, we had to go through her coins looking for good ones. I would've killed for something like this but for a month.
Great question. Authenticity is easy - I mostly deal with certified coins, which means they’ve all been authenticated and guaranteed by a 3rd party service which stands behind their mark (they will pay you for the coin if they make a mistake, which does happen).
For shipping, that’s just pretty standard across most industries - I have shipping insurance and if USPS fails, they’ll pay for it. But losses happen and it’s just a matter of business (thankfully they’re rare).
Yes! Very much so. And in fact, the grading services are owned by the same parent companies. NGC and PCGS are the big coin graders and I think their card graders are CGC and PSA respectively?
Counterpoint: OP is a security researcher and couldn’t find a single human email address at one of the most well-known VC firms on the planet? LinkedIn? Twitter? Facebook friends? Come on. They’re not hard to reach if one really wants to.
Trying more than one email is not jumping through hoops when it's one of the worst possible vulnerabilities hitting all of their databases/platforms. Being a researcher means being an adult and having a basic level of responsibility. Just like being a gun owner, it's a powerful tool that needs to be treated with utmost respect.
A lot of pentesters are just kids who are angry at the world and the poor state of security, which I get, but it's not a huge barrier to try a bit more. He would have been rewarded if he did.
A researcher should not have to “try different emails”. Period. There should be a clearly disclosed email provided by the company to report such issues. Very obviously plastered. Or just use the standard abuse@, security@, infosec@, etc.
It is by far in the company’s best interests for this to happen because the alternative is public disclosure or disclosure to black hats instead.
Anything more is jumping through hoops. It should not be the researcher’s responsibility or burden to go out of their way to help a company that hasn’t done the bare minimum to welcome white hats helping them secure their own systems.
Yes of course companies should do that, but in the real world a lot of companies don't think to do that, especially a marketing site for a VC firm.
Any dev knows what it's like having a million responsibilities, a lot of things get put on TODO lists that never get completed. Them being owned by a wealthy company doesn't mean they have a huge dev team running 24/7 to handle this stuff. Which is probably why such an obvious failure even happened...
Security researchers get high and mighty extremely quickly, which is immature IMO.
The security researcher in this case worked for free to find a hole in their security, reached out via a provided email address, had that bounce, so then chose to reach out via a different messaging system to let them know that there was an issue. ALL OF THIS WAS UNPAID. They have 0 or less responsibility to this firm. The researcher was doing them a huge favor.
> Security researchers get high and mighty extremely quickly, which is immature IMO.
Immature would have been not trying to responsibly disclose this, or disclosing the hole before it was patched.
>Any dev knows what it's like having a million responsibilities,
Any airplane mechanic has a million responsibilities, and if they are not followed people fucking die. Maybe software devs should step up and take a little responsibility for their lack of action that can have consequences for their users.
Security researchers owe you nothing. If you make the path of least resistance selling sploits to blackhat groups the world will be a worse place.
Alright then: you go to Andreessen Horowitz's website[1] and see if you can find a SINGLE email address in any of the normal places a business would list the (not-social-media) contact information. Because they did their damnedest to make sure you won't find any.
See 4 links to social media pages where every single one has DMs open
Wait at least a couple business days to see if anyone replies, if no one does or it’s not being taken seriously then you can announce it publicly on social media you found something but can’t reach them
Okay. There’s 4 front office emails and 4 social media accounts, both presumably manned by non-technical folks.
So now you have to go back and forth just to get routed to the right place. Which may not even happen if this is the first time that employee handled a security incident.
You’re making it sound like sending the email or DM is the end of the work. That is usually far from the case.
Emailing an office manager with a company security issue would be incredibly irresponsible. They're in charge of managing the physical office and are about as "outside" as you can get in a company while still being employed by that company.
I don't think the onus should be on the researcher, and I think A16Z should have paid them. But if they actually wanted to get in touch, I'm just saying they could have.
If they're putting the effort into vuln scanning the site, they can also put in the effort to get in touch like a professional. You could just as easily say "why should the onus be on the researcher to find vulnerabilities when it's A16Z's job to secure their own site". The researcher is in this to find holes and make a few bucks (which is fine!). The job is complete when you get in touch.
> If they're putting the effort into vuln scanning the site, they can also put in the effort to get in touch like a professional.
They did. They emailed, and when that was bounced, they used a different medium to reach out. Twitter is a place that many companies actively engage with the public.
> The job is complete when you get in touch.
They got in touch. If A16Z aren't going to respond to people via email, but they do on twitter, they don't get to decide that twitter isn't a viable communication platform.
> You could just as easily say "why should the onus be on the researcher to find vulnerabilities when it's A16Z's job to secure their own site". The researcher is in this to find holes and make a few bucks (which is fine!). The job is complete when you get in touch.
Presumably, the company wants to be as secure as possible. It’s in their best interest to make this process as painless as possible. A security researcher has many options for what to do with a found exploit, some far less moral than others. The company has very few, relatively. They are the ones that are limited and therefore should be doing everything in their power to ensure the best outcome, a responsible disclosure that is fixed as quickly as possible.
The best way to ensure they do this is to provide an obvious, easy to find avenue for these things. This includes reasonable, well-displayed emails (or using something like a standard abuse@, etc) and a bug bounty.
Simply put, the company is the one that should be going out of their way or else they will just have researchers either disclosing it publicly or selling the exploit for likely far more money than a bug bounty.
I understand where you're coming from, but you're using "should" a lot. Companies should do a lot of things! They should make their sites secure. They should have a formal bug bounty program. They should have security@ and engineering@ and lots of other emails easily visible. We agree.
But many don't. And a lot of things in the business world are not as they should be. And in this real world of imperfection, others sometimes need to put in effort (and be paid for that effort) to make up for the failings of companies. This is one of those cases of imperfection.
Of course I’m using “should” a lot. Because “should” clearly didn’t happen.
That doesn’t change anything. Just because a company has shitty security reporting practices doesn’t suddenly mean the onus is on the researcher to do the company’s job.
Exactly, if he even just browsed their website a bit he'd have stumbled across loads of email addresses that could have been a useful point of contact.
It’s more fun getting attention by doing it publicly and being the victim (security researchers love hitting the 'nobody respects us' button) than putting basic effort in.
A single email bouncing is frustrating of course, but he then posted that an easily found vulnerability existed on Twitter, while a16z:
- has a contact page https://a16z.com/connect/ with 4x emails to their offices at the bottom (despite claims the main site had no other emails)
- links to their Twitter where DMs are open https://x.com/a16z same with instagram, FB, and linkedin, all open
It would be easy to just email all of them at once and wait a couple days to see if it gets escalated.
It’s a fair and totally reasonable question but clashes with reality. Many hosts have data that others want/like to scrape (eBay, Amazon, Google, airlines, etc.) and they set up anti-scraping mechanisms to try and prevent scraping. Whether or not to respect those desires is a bigger question but not one for the scraping library - it’s one for those doing the scraping and their lawyers.
The fact is - many many people want to scrape these sites and there is massive demand for tools to help them do that, so if APIFY/Crawlee decide to take the moral ground and not offer a way around bot detection, someone else will.
Ah yes, the old 'if I don't build the bombs for them, someone else will'. I don't think this is taking the moral high ground, this is saying we don't care whether it's moral, there's demand and we'll build it.
There are many legitimate and legal use cases where one might want to circumvent blocking of bots. We believe that everyone has the moral right to access and fairly use non-personal publicly available data on the web the way they want, not just the way the publishers want them to. This is the core founding principle of the open web, which allowed the web to become what it is today.
It’s an “old” law that did not consider many intricacies of internet and the platforms that exist on it and it’s mostly made obsolete by EU case law, which has shrunk the definition of a protected database under this law so much that it’s practically inapplicable to web scraping.
(Not my opinion. I visited a major global law firm’s seminar on this topic a month ago and this is what they said.)
I'm not gonna feel bad if a corporation gets its data scraped (whenever it's legal to do so, and this is another kind of question I'm not knowledgeable enough to face) when they themselves try to scrape other companies' data.
You seem to have a massive category error here. To my understanding, this is not only going to circumvent the scraping protection of companies that scrape other people's data.
One of the greatest quotes I've ever heard from a founder buddy was when his startup was going through a particularly dark moment and struggling: One of the investors said to him "Maybe you should seriously think about shutting down and giving us our money back", to which he replied:
Yeah, then the investors call a board meeting and bring in a new CEO to provide adult supervision after a 2/3rds vote. They give that guy more equity than you to keep the ship afloat. "It's not your company anymore."
Not realistic to maintain control past A unless you built a real rocketship. The board doesn’t usually want to run your company - they have enough other companies, some evidently better than yours as they don’t require this intervention.
Each round carves out 10+% for employee options, on top of 10-30+% to investors (Seed can be anywhere from 10-30%, Series A is typically 20% to just the lead, Series B 10%+).
Equity ownership and voting control are also different things. After the B you commonly have 2 investors and an independent director on the board, alongside 1-2 founders.
It can get much worse. Companies can have multiple “seed” rounds. It may not be doing well enough for a real “A” round. The naming of the rounds doesn’t matter. Valuation at each round does. If your valuation goes lower from one round to the next (“down round”) you’ll give up more equity, diluting everyone else faster.
Can never happen, the guy who says that this ain't ur money no more has made sure that investors know their place on the board, they r after all just passive investors who r spreading risks around, even WeWork, a company that has fucked up financials, had to give their founder close to a billion dollars just for stepping down, as long as the founder is a majority stakeholder, he will always remain in control
While we're on the topic, what SQL-based BI tools do we all recommend? I'm in agreement with OP that writing SQL is generally a best-practice, but I'm still a bit clueless about the State of the Art tools. Metabase? Looker? (it's still so expensive though). Something else?
It's a big canvas that multiple people can use at once, with SQL and Python, text annotations, comment threads, shapes and drawing etc.
Connects into the regular cloud database / warehousing systems.
It's great because it allows you to get the flow of data quite literally visualised on a big board and it exposes the underlying SQL so that, over time, non technical users can learn by exposure and osmosis, as things aren't super hidden away "behind the scenes".
Oh man that looks cool - BUT - $199/month for the "starter" version and $1k/month for a team prices me wayyyyyyy out on this. I am but a humble solopreneur trying to use SQL to build some nice dashboards (and not go broke while doing it).
I’m a huge ledger fan (hledger specifically) and have used it to run my entire accounting life for the past 8 years or so.
A few tips:
* Resist the urge to break up your various accounts into too many separate files. I tried that and went back to one file per account per year (aka “venmo-2024.hledger”). Also helps with below…
* GitHub CoPilot is remarkably and shockingly good at working with ledger files. It will do the balance addition/subtraction on following lines almost perfectly. Also, if you need to manually enter a new line, you can often just enter a shortcut one-line comment and it’ll fill the entire entry, aka:
; 10/1/24 -$250 for new business cards