eralpb's comments

eralpb | 5 years ago | on: Credential stuffing attacks and possible solutions for web frameworks (i.e. Django)

Hey everyone, I want to share my personal and real-world experience with credential stuffing attacks. These are very hard to solve because fundamentally it's the users' fault, especially those with a password-reuse habit. Nevertheless, we responsible developers are the ones who should keep the internet safe, so feel free to chime in, evaluate my solutions, and maybe we'll come up with "the" best practice against this type of attack.

If there's interest, I want to make this into a library and open-source a Django-specific solution, as it's my everyday framework. The discussion applies to ALL web frameworks.

eralpb | 5 years ago | on: Tips on caching in Django, lessons learned scaling beyond millions of users

If you don't like Medium's UX, find the article here: https://eralpbayraktar.com/blog/django/2020/caching-with-dja...

Hey everyone, I wanted to share some tips and insights about caching. I'm a firm believer that caching is very important/effective, but you have to be very careful and engineer-minded while designing it. It's a 7-minute read.

Some problems include serving stale objects or not having central logic to calculate cache efficiency. This part 1 is more like an introduction, but I'm willing to share a very good library and middleware that will help you with two things. The first is solving cache-related bugs, and the second is measuring cache efficiency. Tune in for part 2 :)

eralpb | 5 years ago | on: Django: We rotated secret keys on production with minimal impact

Hi! Normally when you rotate the secret key, users are logged out, which is a big inconvenience if you have millions of users and might cost your business valuable users, and this pushes companies not to rotate keys, which is not best practice.

That's why I wanted to make this process transparent to the user. I created a library, "django-rotate-secret-key", which helps you rotate your secret key and still accept sessions with the old key for a limited amount of time, and I explained how to use it in this Medium post.

Obviously this is not something you want if your key is compromised, but if you want to rotate just as a best security practice, this library is for you!

What I love about this library is, once you pass that window where you accept both keys, you can delete/revert everything, so there is no residue with this solution! Not a single line of code you need to maintain in the future.

Feedback welcome, thank you very much!
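The dual-key window described in the comment above, as an added example that is not the django-rotate-secret-key library's code and not Django's own (salted) session signing: a minimal HMAC token signer that always signs with the new key, accepts the old key only for a grace period after rotation, and re-signs any old-key session it sees so the session survives the cut-over without the user noticing. The key values, the one-week window, the token format and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed keys for this example only; in a Django deployment these would be
# the current SECRET_KEY and the value it replaced.
NEW_KEY = b"new-secret-key-for-the-example"
OLD_KEY = b"old-secret-key-for-the-example"
GRACE_SECONDS = 7 * 24 * 3600  # hypothetical one-week window for old-key sessions


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def sign(payload: bytes, key: bytes = NEW_KEY) -> str:
    """Return 'b64(payload):b64(hmac)'. Newly issued tokens always use the new key."""
    return (base64.urlsafe_b64encode(payload).decode()
            + ":" + base64.urlsafe_b64encode(_mac(key, payload)).decode())


def accepted_keys(now: float, rotated_at: float, grace: int = GRACE_SECONDS) -> List[bytes]:
    """New key first; the old key only while the grace window is open.

    Once the window closes the list no longer contains OLD_KEY, so nothing
    signed with it is honoured any more and the old key can be deleted."""
    if now - rotated_at < grace:
        return [NEW_KEY, OLD_KEY]
    return [NEW_KEY]


def verify(token: str, now: float, rotated_at: float) -> Tuple[Optional[bytes], bool]:
    """Return (payload, signed_with_old_key).

    payload is None when the MAC matches no accepted key: tampered, forged,
    malformed, or signed with the old key after the window has closed."""
    try:
        p_b64, m_b64 = token.split(":", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        mac = base64.urlsafe_b64decode(m_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None, False
    for index, key in enumerate(accepted_keys(now, rotated_at)):
        # Constant-time comparison; try the new key first so the common case
        # costs one HMAC.
        if hmac.compare_digest(mac, _mac(key, payload)):
            return payload, index > 0
    return None, False


def refresh(token: str, now: float, rotated_at: float) -> Tuple[Optional[bytes], Optional[str]]:
    """What a per-request middleware would do: validate the session token and,
    if it was signed with the old key, hand back a replacement signed with the
    new key (to be set as the new cookie) so the session outlives the window."""
    payload, used_old_key = verify(token, now, rotated_at)
    if payload is None:
        return None, None
    return payload, (sign(payload) if used_old_key else None)
```

The caveat in the comment follows directly from `accepted_keys`: while the window is open, anyone holding the old key can still mint tokens that `verify` accepts, so a compromised key must be retired immediately rather than phased out. Django later added a `SECRET_KEY_FALLBACKS` setting (Django 4.1) that covers the same accept-old-keys case, but the re-signing step shown in `refresh` is still what keeps old sessions alive past the window.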

eralpb | 7 years ago | on: Show HN: Startup with no website - [email protected]

Thanks for seeing the value. After releasing this I got to know that some services require session authentication, so without your password (or cookies) the bot cannot verify.

I think this was a nice experiment and still usable for many services.

eralpb | 8 years ago | on: No Bitcoin-based protocol can handle more than 20M users per month

Interesting to see this get so many upvotes & discussion. Blockchain is an agreed protocol, not a god-given thing; any time we need more we can just increase the block size.

This blog post would make sense if it talked about why increasing the block size is not feasible, which it is. Storage gets cheaper every year and block size has no effect on compute power.

eralpb | 8 years ago | on: Show HN: GameOfCoins.de – Virtual Cryptocurrency Trading

Maybe you tried to include too many features? :) My friends just wanted to give cryptocurrencies a try, and all these charts and orders are too complicated! This is where they can create a portfolio in a couple of clicks and check it weeks later if they feel like it!

eralpb | 8 years ago | on: Show HN: GameOfCoins.de – Virtual Cryptocurrency Trading

Haha, sorry to offend you. I meant to say that Username/Password is kind of old-school in this era, where the importance of digital identities is realised and there are many startups around it; Twitter uses an authorization protocol (OAuth), which makes them "new school". I quite dislike Twitter.