1. Short session expiration does not help security
Total comment counts : 68
Summary
The article discusses the topic of session timeouts in web applications. It questions the common security advice of using short session timeouts, such as logging out after 15 minutes of inactivity. It argues that shorter session timeouts do not necessarily reduce overall risk and may have disadvantages in terms of user experience and security.
The article mentions that session takeover can occur through various means, such as stealing session cookies or exploiting session fixation vulnerabilities. It suggests that an absolute timeout does not necessarily prevent session takeover, as attackers can use the stolen session immediately. However, session timeouts may protect against session takeover in certain scenarios, such as if an attacker sees an old session token in logs or on a stolen computer.
The article also discusses the threat of shared computers without user separation and compromised devices. It suggests that in most web applications, the threat of shared public computers is not realistic, and session expiration may not necessarily prevent access to other sensitive information on compromised devices.
The article concludes that short session timeouts have disadvantages and may not effectively prevent certain types of attacks. It mentions that major companies like Facebook, Google, Amazon, and GitHub have sessions that never expire, indicating that they consider it an acceptable risk.
Overall, the article challenges the notion of short session timeouts as a universally effective security measure and raises considerations about user experience and alternative security measures.
Top 1 Comment Summary
The article discusses the use of short session expirations in banking and financial apps. The author presents several reasons why short session expirations are defensible in these apps. Firstly, these apps are used by a diverse range of people, including those without access to computers or backup devices, making them more vulnerable to scams. Secondly, opportunistic attackers find them attractive targets. Additionally, people often use these apps in stressful or unusual circumstances, such as when traveling or making emergency payments. Lastly, most sessions in banking apps are not very long, usually involving simple tasks like checking balances or making transfers. Although major corporations like Google do not use short sessions, the author suggests that providing tools to monitor and detect session misuse may be a more effective solution. Overall, while short session expirations may have their advantages, the author acknowledges it may not be the best solution in the future.
Top 2 Comment Summary
The article discusses the use of short session expiry as a solution to authentication standards that lack a reliable method for expiring sessions. This workaround is used to ensure that third-party services regularly connect with the identity provider, thereby ensuring that changes made by the identity provider are reflected in all third-party services within a certain timeframe.
2. StarLite 12.5-inch Linux tablet
Total comment counts : 55
Summary
The article discusses the availability of different region options for purchasing a product called StarLite. It also provides details about the specifications and features of the product, such as its compact size, processor, memory, display, and connectivity options. The article highlights that the product uses open-source firmware, offers security features, and provides firmware customization options. It also mentions the keyboard design, display resolution, charger size, and battery power. The article emphasizes the ease of firmware updates, open warranties, and customizability of the hardware and firmware. It further mentions the different software distributions available for the product. The article also mentions a payment option and provides information about tax and deposit.
Top 1 Comment Summary
The author conducted an experiment using various Linux distributions on an old Surface tablet. They found that Ubuntu, Manjaro, and Fedora had issues ranging from a broken on-screen keyboard to problems with screen rotation and login screen bugs. The author concluded that touch screen-only computers may not be adequately considered during the development of desktop environments and display servers. They speculate that the Steam Deck’s popularity may incentivize the KDE team to improve touch screen support.
Top 2 Comment Summary
The author questions the use of a micro HDMI port in a device, suggesting that dual USB-C ports could have been used instead, with one port serving as the DisplayPort output. The author criticizes the micro HDMI port, claiming that it is not an ideal connector due to the number of pins and the mechanical stress caused by heavy HDMI cables typically attached to it.
3. Railway Oriented Programming
Total comment counts : 26
Summary
The article is about an approach called Railway Oriented Programming, which is a way to handle errors and other issues in functional programming. The author provides slides and code for a talk they gave on the topic and also mentions that they plan to write more posts on the subject. They mention that their approach is a more comprehensive one than just using the Either monad, and they provide a template that is versatile yet consistent. The author explains why they didn’t use standard Haskell terminology and also mentions that F# doesn’t have reusable ways to do monads. They provide additional resources for those interested in learning more about the topic.
Top 1 Comment Summary
The article discusses the use of the with
keyword/macro in the Elixir programming language. The with
keyword allows functions to be executed in a specific order, and if the return value of each function does not match what is expected, the execution is stopped and the mismatching value is returned. This eliminates the need for functions to handle both success and error cases separately, as error propagation is automatically handled by pattern matching in the with
block. The article suggests that this approach allows developers to focus on the happy path of their code and let the caller handle error scenarios if desired.
Top 2 Comment Summary
The author of the article argues against the use of railway-oriented programming, stating that it often reinvents exception handling poorly. They believe that exceptions provide a cleaner and more effective way of handling error conditions in most cases. Exceptions make the safe option the default and automatically propagate errors up the call stack, while railway-oriented programming requires extra code that is easy to forget or get wrong. The author acknowledges two specific use cases for railway-oriented programming: handling specific errors at the point of occurrence and situations where exception handling is not available. However, they note that with modern JavaScript’s async/await feature, exception handling can now be used in these scenarios.
4. micro – A Modern Alternative to nano
Total comment counts : 47
Summary
The article is about Micro, a terminal-based text editor. It boasts features such as easy installation, configuration options, and the ability to rebind keys. It supports over 75 languages, has multiple colorschemes, and offers syntax files and colorschemes customization. Micro also supports Sublime-style multiple cursors, has a plugin system, full mouse support, and the ability to run an interactive shell within the editor. Users have praised its simplicity and functionality. The article provides links to the full list of features, a help system, GitHub project, and Gitter chat for further information and support.
Top 1 Comment Summary
The article highlights the author’s recommendation of using the nano text editor for beginner programming classes. The main advantage of nano, according to the author, is that all the commands are listed at the bottom of the screen, which is not the case with micro.
Top 2 Comment Summary
The author expresses surprise at learning that some people use nano as their primary code editor. They personally use nano frequently when working on Linux servers. They also mention encountering resistance from certain experienced Linux admins who insist on using vi as the only editor, despite nano being a small and safe package.
5. TypeScript is surprisingly ok for compilers
Total comment counts : 21
Summary
The article discusses the choice of implementation language for compiler-related tasks. It mentions that OCaml is suitable for language-centric tasks while C++ is often chosen for implementation-centric and production-ready projects. Rust is also mentioned as a new addition that combines the strengths of ML and C++. The article then explores the idea of using TypeScript as an alternative, highlighting its out-of-the-box experience and flexible type system. It proceeds to provide a tutorial on building a type checker in TypeScript, showcasing its conciseness and natural correspondence to the problem being solved. The author concludes by stating that they will likely use TypeScript for small language hacks.
Top 1 Comment Summary
The article discusses the benefits of using TypeScript, specifically highlighting the ability to treat functions as objects and have properties/methods. It mentions that TypeScript provides a good mix of object-oriented (OO) and functional programming. The author also appreciates how TypeScript allows for gradual design evolution without requiring extensive rewrites. Examples are given to demonstrate how functions can be used flexibly, without the need to define classes prematurely. The article emphasizes the avoidance of naming conflicts and states that using functions instead of classes simplifies the process.
Top 2 Comment Summary
The article states that TypeScript, as a programming language, has incorporated many features from ML languages. Despite lacking real pattern matching, it is considered fine but not as good as OCaml. The author compares it to other languages such as C#, Swift, Dart, and Kotlin.
6. GIL removal and the Faster CPython project
Total comment counts : 25
Summary
The Python Steering Council has announced its intent to accept a no-GIL (Global Interpreter Lock) version of the Python programming language. The GIL has been a major barrier to increasing the performance of Python programs using multiple threads. The no-GIL feature has garnered excitement and support from several companies. There have been discussions and debates about the implications of removing the GIL, including concerns about the impact on single-threaded programs and Python extensions written in C. The Python community is cautious about making the switch and wants to avoid any disruptions like the Python 2 to 3 transition. The decision to accept the no-GIL feature is not final, and a phased approach is being considered. The core developers and the community will need to gain experience with no-GIL Python and ensure a smooth transition before it becomes the default and only version of Python. The process will involve experimentation, periodic reviews, and addressing backward compatibility concerns. The Faster CPython team, which has been working on improving the single-threaded performance of the interpreter, is excited to overcome the challenges of a no-GIL interpreter with minimal impact on single-threaded code. Funding commitments have been made to support the development of the no-GIL interpreter and address packaging challenges. The Python community is optimistic about the future of Python without the GIL, but there is still a lot of work to be done before it becomes a reality.
Top 1 Comment Summary
The article discusses the history of the debate surrounding the Global Interpreter Lock (GIL) in Python. However, it focuses more on the arguments against the GIL and the potential problems that can arise. It does not sufficiently highlight the positive aspects of Sam’s work, such as the high quality and performance improvements. The article also praises Sam for playing the open-source game well and being patient with the slow reaction from the steering council. It mentions that sub-interpreters have yet to prove their usefulness in Python and that the community has shown great interest in Sam’s project. The steering council has expressed its intention to accept the proposed PEP 703, although the details are still being worked on. The author acknowledges that they are not a GIL enthusiast and suggest trying sub-interpreters first, but emphasizes the importance of being fair in evaluating the situation.
Top 2 Comment Summary
The author of the article is reflecting on their initial excitement about the NoGIL (Global Interpreter Lock) concept, but now they are beginning to change their mind after reading and reflecting on their own experiences. The author has worked on backend systems that involve exposing endpoints to the network and systems that involve reading messages from a queue and sending them to other queues. They have found that for systems where latency is important, the ability to spin up threads and share connections to databases (which NoGIL provides) is useful. However, for systems where throughput is important, in-process parallelism and concurrency with shared resources can be confusing and hard to reason about. The author emphasizes the importance of not compromising on the quality of the second type of system and mentions that their focus is primarily on improving those systems.
7. FP-Go: Functional programming library for Golang
Total comment counts : 47
Summary
The article discusses a functional programming library for Golang that aims to provide data types and functions for writing maintainable and testable code. The library encourages writing small, simple functions and emphasizes the use of function composition. It distinguishes between operations that can fail and those that cannot, handling errors explicitly. The library also offers support for cancellation and coordination of IO operations. It promotes the use of pure functions and effectful functions, and provides methods for converting between idiomatic Go signatures and functional signatures. The library implements monadic operations using generics and provides higher-level type definitions for convenience. It addresses the limitations of Go’s type system and introduces higher kinded types as individual types for generic algorithms.
Top 1 Comment Summary
The article discusses a library that enables functional programming (FP) using the Go programming language syntax and toolchain. However, it raises concerns that code written using this library may not be easily understandable by most Go programmers and may make it awkward to call normal Go libraries. The writer questions if there is another way to make writing maintainable and testable code in Go without creating a new language. They suggest using a functional style and incorporating static analysis tools like go vet to track which functions are pure and provide visual cues for mutated input parameters. The article also references John Carmack’s essay on functional programming in C++.
Top 2 Comment Summary
The author expresses their affinity for expressive functional programming languages like F#, Scala, and Rust, but they find the recent trend of incorporating Haskell-like features into imperative languages to be awkward. They mention their first encounter with Golang, where a blog post suggested using monads to avoid repetitive error checking. However, the author recognizes that their personal values in software engineering do not align with Go, and that is acceptable.
8. Ask vs. Guess Culture
Total comment counts : 73
Summary
error
Top 1 Comment Summary
The author, who comes from the northern US, and their wife, who comes from the southern US, used to have conflicts regarding how to treat each other and guests. They realized that their upbringing had shaped their different approaches to hospitality. The author’s wife felt insecure about responding to guests’ needs, while the author was oblivious to those needs. This led to misunderstandings and assumptions about guests. They eventually learned that southerners prefer a “guess” culture, while northerners prefer an “ask” culture. They have since adjusted their behaviors and learned from each other. Despite these differences, both still prefer their native cultures. The author also mentions their amusement at how well they get along with northern Europeans and how their wife’s family operates similarly to proper hosting culture in the UK.
Top 2 Comment Summary
The article discusses the concept of high context culture and low context culture. High context culture, also known as “Guess” culture, requires a lot of shared context and clues to understand the intended meaning and be polite. On the other hand, low context culture, also known as “Ask” culture, is more direct and may be perceived as rude by outsiders. Some individuals can navigate both cultures, while others default to the culture they grew up with.
9. A new instrument found unusual success
Total comment counts : 29
Summary
The harpejji, a guitar-piano hybrid instrument, is gaining popularity and generating millions in revenue. The invention gained traction when Stevie Wonder expressed interest in it after trying it out at a trade show. Other famous musicians such as Jacob Collier and Harry Connick Jr. have also supported and performed with the harpejji. The instrument, created by Tim Meeks, has sold nearly 1,500 units and has become a successful new invention. Instrument design is evolving rapidly, with universities and competitions dedicated to exploring new instrument concepts. However, many inventions struggle to move past the prototype stage due to the vast capabilities of computer-generated music. Meeks believes that inventors should focus on creating usable instruments that musicians actually want to play and learn. Despite the challenges, the harpejji has experienced significant success and is projected to exceed $1 million in sales in 2023. Meeks recently had a moment of realization when he heard a harpejji song playing randomly on a Spotify-curated playlist, showcasing the instrument’s growing presence and independent recognition in the music world.
Top 1 Comment Summary
The Harpejji is a musical instrument based on the StarrBoard, which was invented by John Starrett in the 1980s. The Guardian incorrectly described someone else, Meeks, as the inventor without realizing this. The original StarrBoard can be seen in a photo taken in 1997. The Harpejji website acknowledges Starrett as the inventor. The article provides links to Starrett’s website, his research citations, the StarrBoard Wikipedia page, and the Harpejji website for further information.
Top 2 Comment Summary
The article discusses the importance of having a multiscale design in musical instruments, specifically guitars. It mentions that treble sounds can strain and sound whiny when there is too much tension and the length is too long, while bass sounds can appear unfocused and farty when there is too little tension and the length is too short. The article also mentions that bass guitars are typically larger than regular guitars for a good reason. It notes that multi-scale guitars have been out of patent for some time, and speculates on the upcoming expiration of the patent for the harpejji, hoping that increased competition will lead to improved quality.
10. λ Calculus (2013) [pdf]
Total comment counts : 12
Summary
error
Top 1 Comment Summary
The article discusses a video by David Beazley that explains the topic of lambda calculus. Beazley does a great job of breaking down complex mathematical notation and explaining it in a way that is easy to understand. He uses Python to derive the basic concepts of lambda calculus. The video is enjoyable and informative to follow along with.
Top 2 Comment Summary
The article discusses a new number representation system in lambda calculus, where 0 is represented as the identity function and the successor function is represented as the constant function. The article raises the question of whether it is possible to write a function that tests if a numeral represents 0. It also brings up a similar proposal to represent numbers in combinatory logic using basis {S,K}, which is convertible to Church numerals.