Skip Navigation
You'll regret using natural keys
  • I don't think that is true. Not much at Google really bought into the UUID hype. At least not for internal interfaces. But really there is no difference between a UUID v4 and a large random number. UUID just specifies a standard formatting.

  • Can someone explain me USA obsession with prom and similar school rituals?
  • I don't really mean literally to practice asking people out. But there are times in your life where you need to ask people for things. It is hard to get over the anxiety, risk of social embarrassment and practice showing confidence (even if you are not). These are valuable skills in all sort of social circumstances.

  • You'll regret using natural keys
  • It is true, don't do it.

    Even at huge companies like Google, lots of stuff was keyed on your email address. This was a huge problem so Google employees were not allowed to change their email for the longest time. Eventually they opened it up by request but they made it very clear that you would run into problems. So many systems and services would break. Over time I think most external services are pretty robust now, but lots of internal systems still use emails (or the username part of it) and have issues.

    IIUC Google accounts now use a random number as the key. But there are still places where the email is in use, slowly being fixed at massive cost.

  • Can someone explain me USA obsession with prom and similar school rituals?
  • FWIW I think it is actually a valuable social skill to be encouraged to ask someone out to prom. A lot of people don't have many similar experiences throughout their lives.

  • Can someone explain me USA obsession with prom and similar school rituals?
  • Prom is fun. You get to hang out with all of your classmates, ask someone out. A subset of people are always going to go overboard, but keep in mind that you don't see the "normal" cases. Most people just walk up to someone and ask them out. They find a date from the school or go alone.

    I'm from Canada so I don't know if the US is wildly different, but here it is a bit of a big deal, but I think part of that is what makes it fun, you sort of build a bit of hype around what would otherwise be just another school dance.

  • EFF Dice-Generated Passphrases | Electronic Frontier Foundation
  • It depends a lot on the hash functions. Lots of hashes are believed to be difficult to parallelize on GPUs and memory hard hash functions have different scaling properties. But even then you need to assume that an adversary has lots of computing power and a decent amount of time. These can all be estimated then you give yourself a wide margin.

  • Project Announcement: RSS Temple
  • Yeah, the fact is today that the more advanced bots are probably better at captchas than humans. There isn't really a great solution here. But I tried at least 10 times before I got one right.

  • Project Announcement: RSS Temple
  • One thing that I noticed is that reading items is very difficult because basically as soon as they appear on the screen they are marked as read and become light-grey on white. Either the "read" style needs to be more readable or the marking of read should be deferred until I am done reading the article.

  • Project Announcement: RSS Temple
  • Wow, that captcha is impossible.

  • Trying to buy right size bicycle wheel online
  • I thought that was the problem at first too. But unless there are fields that are searchable but not visible at all to end users I have definitely found many cases where the term (and no stemmed version of it etc...) was in the listing.

  • Trying to buy right size bicycle wheel online
  • Not to mention that Amazon search is happy to ignore most of the words in your search. So you end up sorting through pages of results that don't match. Absolutely infuriating and one of the reasons that Amazon is my last choice now. Someone decided that it was unacceptable to show "no matching results" and lost my business.

  • Trying to buy right size bicycle wheel online
  • What I do is take a capture of the page, then if they haggle on the refund I can clearly show that the product is not the one I ordered.

  • Too powerful for their Euro arteries
  • I don't even know if that counts as on at all. It is really just laid on top partially covering it.

  • EFF Dice-Generated Passphrases | Electronic Frontier Foundation
  • Yeah, but my point is that I use my master password enough that random characters are still memorable while being faster to type. For me personally there isn't really a use case where the easier memorability is worth the extra characters to type. But of course everyone is different, so it is good that this system is laid out for them with a great guide.

  • EFF Dice-Generated Passphrases | Electronic Frontier Foundation
  • Yeah, that is what I meant by "strength of the hash". Probably should have been more clear. Basically the amount of resources it takes to calculate the hash will have to be spent by the attacker for each guess they make. So if it takes 1s and 100MiB of RAM to decrypt your disk it will take the attacker roughly 1s and 100MiB of RAM for each guess. (Of course CPUs will get faster and RAM will get cheaper, but you can make conservative estimates for how long you need your password to be secure.)

  • EFF Dice-Generated Passphrases | Electronic Frontier Foundation
  • It is a good technique to be sure, but I haven't found it useful in my everyday life. In practice 99% of my passwords are stored in my password manager. I only remember like 3 passwords myself. For those I want them to be easy to type as I do it semi-regularly (whenever I turn on my computer or phone, my phone sometimes re-verifies, ...). These may be slightly easier to remember but end up being much longer. I find that I don't have issues remembering the 3 passwords that I actually regularly type.

    In fact I recently switched my computer passwords to be all lowercase, just to make it easier to type. I've offset this reduced entropy by making them longer (basically shift+key is similar entropy to key+key and easier to type, especially on phones or on-screen keyboards).

    The recommended 6 words produces incredibly strong passwords. The equivalent with all lowercase would be 16.5 characters. Personally I went for 14 characters and in my threat model that is very very secure. But this will also depend on your attack model. If it is a disk encryption password or other case where you expect that the attacker can get the hash then it will depend on the strength of the hash and possible attacker's computing power. If it is protected by a HSM that you trust you can get away with short PINs because they have strict rate limits. Any decent online service should also have login rate limits reducing required entropy (unless the leak the hash without resetting passwords, then see the above point where the attacker gets the hash). All of my memorized passwords fall into the category of needing very strong security but I still found that remembering a random character password that only only took about a week when entering it once a day.

  • EFF Dice-Generated Passphrases | Electronic Frontier Foundation
  • Technically yes. But the method is by far strong enough that this isn't an issue. This is sort of always the issue with calculating entropy. We say that password has less entropy than 8(A>Ni'[. But that is baking in assumptions about the search space. If password is a randomly generated string of lower, upper, numbers and symbols it is just as secure as the latter. (808 ≈ 1015 candidates) but if password was generated as just lowercase characters it is far less secure (268 ≈ 1011 candidates) but if it was a random dictionary word it is not very secure at all (≈ 105 candidates) and if it was chosen as one of the most popular passwords it is even less secure. How can one password have different entropy?

    The answer is basically it matters how the attacker searches. But in practice the attacker will search the more likely smaller sets first, then expand to the larger. So the added time to search the smaller sets is effectively negligible.

    What may be more useful is the "worst case" entropy. Basically the attacker knows exactly what set you picked. For the password case that is 1 because I just picked the most common password. For the rolling method described above it is 65^6 ≈ 1023 because even if they know the word list they don't know the rolls. You may be able to go slightly higher by building your own word list, but the gains will probably be fairly small and you would likely get far more value just by rolling one more word on the existing list than spending the time to generate your own.

  • EFF Dice-Generated Passphrases | Electronic Frontier Foundation
  • select a set of words from the list

    I would be very careful doing this. It is very easy to introduce significant bias. Humans are terrible at picking random numbers.

    If you can't find dice I would recommend:

    1. Having a computer pick random items for you.
    2. Renumber the list into binary and flip a coin 12 times for each word. (This results in a slightly shorter word list but should be string enough).
  • Newbie Question
  • If you want to use proprietary apps the best option is probably dumping the APK from your "Googled" phone then sideloading it onto the new phone. However it may be difficult to keep up with updates unless you have a dedicated phone to download them.

  • As a new, one year, software developer who retrained late. How do you know when you're ready to apply for a new role with more money?
  • It's never too early. If you see an interesting job posting reach out and go thorough the process. At worst you learn a bit about what they were looking for and gain some interview experience. At best you get a job offer. Even if you decide not to take the offer you learn a bit about the positions available to you.

    It costs effectively nothing to apply. Just a few hours of your time.

  • Why can't you return empties in downtown Toronto?

    This is frustrating. I live in a small apartment and my nearest beer store is over 20min walk. I can get to at least 6 LCBOs in that time and dozens of grocery stores that sell alcohol. I'm not even the worst off..

    Note that in the map posted the middle location is Yonge and Dundas which doesn't accept bottles. So if you live in the downtown core you can be walking 30min easy (each way).

    You can see a map here, but which ones accept bottles or not aren't indicated until you click "show details".

    How is this acceptable? I am forced to pay a deposit on every bottle but have nowhere to return them. Either I save up and haul a giant bag 20min or drive. Either way a waste of space in my apartment and I don't even drink that much.

    It seems that we need a solution.

    1. Make LCBOs take bottles back. (or anywhere that sells alcohol, including Beer Store delivery)
    2. Remove the deposit and recommend recycling (sucks for bottles which are better washed and reused rather than crushed and reformed).
    3. At least make the Yonge and Dundas store accept empties. This would at least give options in downtown core that are less than 15min away. Still not great but closes a gaping hole.
    Please recommend me some blogs about Linux or FOSS or similar that you follow through RSS. Please recommend me some blogs about Linux or FOSS or similar that you follow through RSS. -

    Hi. I have a category Little Tech Blogs in my rss reader where I put those cool niche blogs mostly about Linux, FOSS, programming, etc… Many of them I found by articles linked in this community, so I was wondering if you guys know about more blogs like that. By little I mean it’s run by one person o...

    What is your favorite terminal emulator.

    I'm reconsidering my terminal emulator and was curious what everyone was using.

    General Programming Discussion kevincox
    Default to Less Than Quadratic
    nixos kevincox
    Bisecting the Linux Kernel with NixOS

    cross-posted from:

    > Recently my kernel started to panic every time I awoke my monitors from sleep. This seemed to be a regression; it worked one day, then I received a kernel upgrade from upstream, and the next time I was operating my machine it would crash when I came back to it. > > After being annoyed for a bit, I realized this was a great time to learn how to bisect the git kernel, find the problem, and either report it upstream, or, patch it out of my kernel! I thought this would be useful to someone else in the future, so here we are. > > Step #1: Clone the Kernel; I grabbed Linus' tree from with git clone > > Step #2: Start a bisect. > > If you're not familiar with a bisect, it's a process by which you tell git, "this commit was fine", and "this commit was broken", and it will help you test the commits in-between to find the one that introduced the problem. > > You start this by running git bisect start, and then you provide a tag or commit ID for the good and the bad kernel with git bisect good ... and git bisect bad .... > > I knew my issue didn't occur on the 5.15 kernel series, but did start with my NixOS upgrade to 6.1. But I didn't know precisely where, so I aimed a little broader... I figured an extra test or two would be better than missing the problem. 😬 > > > git bisect start > git bisect good v5.15 > git bisect bad master > > > Step #3: Replace your kernel with that version > > In an ideal world, I would have been able to test this in a VM. But it was a graphics problem with my video card and connected monitors, so I went straight for testing this on my desktop to ensure it was easy to reproduce and accurate. > > Testing a mid-release kernel with NixOS is pretty easy! All you have to do is override your kernel package, and NixOS will handle building it for you... here's an example from my bisect: > > > boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_2.override { # (#4) make sure this matches the major version of the kernel as well > argsOverride = rec { > src = pkgs.fetchFromGitHub { > owner = "torvalds"; > repo = "linux"; > # (#1) -> put the bisect revision here > rev = "7484a5bc153e81a1740c06ce037fd55b7638335c"; > # (#2) -> clear the sha; run a build, get the sha, populate the sha > sha256 = "sha256-nr7CbJO6kQiJHJIh7vypDjmUJ5LA9v9VDz6ayzBh7nI="; > }; > dontStrip = true; > # (#3) `head Makefile` from the kernel and put the right version numbers here > version = "6.2.0"; > modDirVersion = "6.2.0-rc2"; > # (#4) `nixos-rebuild boot`, reboot, test. > }; > }); > > > Getting this defined requires a couple intermediate steps... > Step #3.1 -- put the version that git bisect asked me to test in (#1) > Step #3.2 -- clear out sha256 > Step #3.3 -- run a nixos-rebuild boot > Step #3.4 -- grab the sha256 and put it into the sha256 field (#2) > Step #3.5 -- make sure the major version matches at (#3) and (#4) > > Then run nixos-rebuild boot. > > Step #4: Test! > > Reboot into the new kernel, and test whatever is broken. For me I was able to set up a simple test protocol: xset dpms force off to blank my screens, wait 30 seconds, and then wake them. If my kernel panicked then it was a fail. > > Step #5: Repeat the bisect > > Go into the linux source tree and run git bisect good or git bisect bad depending on whether the test succeeded. Return to step #3. > > Step #6: Revert it! > > For my case, I eventually found a single commit that introduced the problem, and I was able to revert it from my local kernel. This involves leaving a kernel patch in my NixOS config like this: > > > boot.kernelPatches = [ > { patch = ./revert-bb2ff6c27b.patch; name = "revert-bb2ff6c27b"; } > ]; > > > This probably isn't the greatest long-term solution, but it gets my desktop stable and I'm happy with that for now. > > Profit! > >

    SaaS RSS hosting RSS hosting

    Simple and cheap cloud hosting for your RSS feeds and content. You can create or import RSS feed, edit it, add messages, get a download link for sharing and check statistics.

    I started an RSS to Email Service

    I know the Email isn't everyone's favourite RSS reader but it works really well for me. I wasn't happy with any of the existing services so I started my own. is a low-cost RSS-to-Email service with nice clean templates. I'm happy to answer any questions.

    Open Standards kevincox
    Thoughts on Monetization
    kevincox kevincox

    Posts 14
    Comments 641