pointytrees's comments

I hadn't read this submarine article before. This just blew my mind. I've got so many ideas for promoting my side business now.

I'm familiar with that process. I was trying to illustrate a picture of how a poor developer might stumble their way into this situation. It's technically possible to store the userid in the cookie rather than using JWTs, but obviously it's not secure in the slightest.

I'm hesitant to agree with you because it happens so frequently. I'll admit that I've had my share of receiving newbie bashing.

More often than not, I feel like talking with those folks and explaining to them that they should just ask and not ask if they can ask it seems like they just don't recognize what they're doing. Thus, it's usually good to tell them they don't need to ask and to just ask now and in the future.

Have you considered making the question the first line?

I think I understand your reasoning. If you lead with the question, then write a bunch of stuff. When they finish reading and get to the end, they may have forgotten the initial question. I guess I have found in my professional experience that leading the with question is often more effective when talking to management. They're often quite busy and may skim the email to judge the importance.

I find that when they skim they are very likely to miss the question and I usually have to bug them a couple times. If I lead with the question and make it concise and direct, it is often answered very quickly. ;) Yes, this is filler text to share my opinion.

I think the feedback was, this looks like a very simple (but possibly useful) app, it should not have such heavy dependencies.

In my experience, many tables don't have a userid on the table that would be associated with the user. It would be a table join or two or three away.

So the developer may think it is safe to say select value from stock positions left join account on account.id = stock position.id left join user_accounts on user_accounts.accountid == account.id left join users on user_accounts.userid == user.id where user.id == session.userid.

Safe right? We checked userid. But then clicking on the position to drill in on the position data, they just select * from stock_position where stock_position.id = params.stock_id... there's no "and stock_position.userid" on that table, and the developer might be too lazy to spin up the entire join again especially if you don't need account data for this view. Whoops, suddenly a vulnerable page query.

I imagine there are other ways to screw up. Like insecure cookies, and just checking cookie.userid, ah yes, you're the right user. Whoops, didn't realize cookies could be spoofed.

I'm in CA, single earner family, we don't pay even half of my salary in (property/income/sales) taxes. I'm not sure I agree with your sentiment.

I suppose if you decided to buy a property that was more than you could afford, and you're using credit card debt to buy more than you can afford, then you may have a large tax burden. Those are reckless decisions though.

Nginx is giving away an ebook with email newsletter subscription.

Thank you for the excerpt.

I prefer to use `ls -lah` which always shows the dot files. It sure would be nice if these were placed in a different folder. Maybe ~/.../ to put all the things. Sure, cat ~/.bash_history would need to be cat ~/.../.bash_history which isn't as convenient.

But, I sure do agree with the frustration. My work machine has nearly a hundred hidden things. My Chrome usually downloads things to ~/Downloads/ but Firefox often likes to store the file in ~ which then is often hard to find when I jump over to a console.

I've made an effort to clean things up. Trying to set firefox to download to the Downloads folder, deleting everything personal out of the home folder. But, of course, then that just goes to prove that I do not have control of my ~ folder. I'm doing everything I can to keep my own stuff out of it. Which is sad.

Yes, we're quite familiar with MS license audits and the auditors don't even know how everything should be licensed.

Good point, thanks.

I see these comment sections get somewhat rowdy and negative. Anyone care to comment on the other side of things?

Are there any "it may be down, but it is up quite often and saves us heaps of time and labor, totally worth the occasional outage" type experiences?

We're considering G Suite and O365 soon.

My brother-in-law lives in LA, and parks there every day. He honestly tries not to get parking tickets, but he's been towed once or twice because the street wasn't clear. I know he isn't intentionally trying to break the law. I also got a parking ticket when visiting once. I very carefully looked at the signs, there were 2 other cars on that side of the street. I parked there, and went into visit thinking I was fine. I got back to a parking ticket, and looked at the sign again, and had Monday/Tuesday mixed up. I didn't intend to break the law. It is accidental.

Sounds like advertising. I don't want any ads in my imgur feed. I don't want any ads in the magazines I _BUY_ I don't want any ads in the movies I PAY to go to watch (trailers and "buy candy and popcorn clips").

If an email is an email about a thing or service which is related to my interests, but I don't recognize the company, I suppose that falls under spam, but that's better than random emails for prescriptions or scams.

They have quite a few zero fee index funds.

Thanks, some sales, some support, some customer inquiries.

We've looked at salesforce, but that got a no.

I'll check out the other links you've provided, thank you.

Another unfortunate factor is.... if you take the plea for 2, case closed. If you don't take the plea, then that makes a lot more work for everyone involved (justice department) to take it to trial.

Heh. This is a copy/paste comment from the last dozen leaks.

What's worse about dev is that chrome auto-forwarded to the https version even if you were using it internally for testing using your hosts file.

It's from folks visiting his site. (Linked.)