1) User goes to BAD website and signs up.
2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”
3) BAD’s bots start a “Sign in with email one-time code” flow on the GOOD website using the user’s email.
4) GOOD sends a one-time login code email to the user’s email address.
5) The user is very likely to trust this email, because it’s from GOOD, and why would GOOD send it if it’s not a proper login?
6) User enters code into BAD’s website.
7) BAD uses code to login to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.
This is why “email me a one-time code” is one of the worst authentication flows for phishing. It’s just so hard to stop users from making this mistake.
“Click a link in the email” is a tiny bit better because it takes the user straight to the GOOD website, and passing that link to BAD is more tedious and therefore more suspicious. However, if some popular email service suddenly decides your login emails or the login link within should be blocked, then suddenly many of your users cannot login.
Passkeys are the way to go. Password manager support for passkeys is getting really good. And I assure you, all passkeys being lost when a user loses their phone is far, far better than what’s been happening with passwords. I’d rather granny had to visit the bank to get access to her account again than have someone phish her and steal all her money.
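As an added illustration of the relay described in the comment above (this is constructed example code, not anything from the commenter or from a real login service): the two flows side by side. The hostnames, the code format and the HMAC standing in for the authenticator's private-key signature are all assumptions. The point it makes is that the e-mailed code is bound to nothing but the e-mail address, so whoever holds it wins, while a passkey assertion is scoped to the relying-party ID the browser derives from the origin the user is actually looking at, so a page on bad.example cannot obtain a usable assertion for good.example.

```python
"""Added example (not from the comment above): a toy model of why an e-mailed
one-time code can be relayed through a phishing site, and why a passkey
assertion for the same account cannot. Everything here is constructed:
the hostnames, the code format, and the HMAC that stands in for the
authenticator's private-key signature."""
import hashlib
import hmac
import secrets

GOOD = "good.example"   # the real site that sends the login e-mail
BAD = "bad.example"     # the phishing site the user is actually looking at


class OtpLogin:
    """GOOD's 'e-mail me a 6-digit code' flow. The code is tied to the
    e-mail address only; nothing records which browser or site asked."""

    def __init__(self):
        self.pending = {}

    def start(self, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = code
        return code            # delivered to the user's inbox, from GOOD

    def finish(self, email, code):
        if self.pending.get(email) == code:
            del self.pending[email]
            return f"session:{email}"
        return None


def otp_relay_attack(email):
    """Steps 3-7 of the comment: BAD starts GOOD's flow, the user types the
    code into BAD's page, BAD redeems it. Returns the session BAD obtains."""
    good = OtpLogin()
    code_in_inbox = good.start(email)        # BAD's bot triggers the e-mail
    code_typed_into_bad = code_in_inbox      # the user trusts the GOOD e-mail
    return good.finish(email, code_typed_into_bad)


class Authenticator:
    """Passkey holder. A credential is scoped to the relying-party ID it was
    created for, and the browser (not the page) supplies the RP ID of the
    origin the user is really on when asking for an assertion."""

    def __init__(self):
        self.keys = {}

    def create(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]  # toy: symmetric key shared with the server

    def get_assertion(self, browser_origin, challenge):
        key = self.keys.get(browser_origin)
        if key is None:
            return None          # no passkey for bad.example: nothing to sign
        rp_hash = hashlib.sha256(browser_origin.encode()).digest()
        return browser_origin, hmac.new(key, rp_hash + challenge, "sha256").digest()


class PasskeyLogin:
    """GOOD's WebAuthn-style login: random per-attempt challenge, and the
    assertion must be bound to GOOD's own RP ID."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.creds = {}
        self.challenges = {}

    def register(self, email, key):
        self.creds[email] = key

    def start(self, email):
        self.challenges[email] = secrets.token_bytes(32)
        return self.challenges[email]

    def finish(self, email, assertion):
        challenge = self.challenges.pop(email, None)
        if challenge is None or assertion is None:
            return None
        origin, sig = assertion
        rp_hash = hashlib.sha256(self.rp_id.encode()).digest()
        expected = hmac.new(self.creds[email], rp_hash + challenge, "sha256").digest()
        if origin != self.rp_id or not hmac.compare_digest(sig, expected):
            return None          # signed for another origin, or forged
        return f"session:{email}"


def passkey_relay_attack(email):
    """Same relay attempt against a passkey: BAD starts the flow, but the
    user's browser is on bad.example, so the authenticator has no credential
    to use and GOOD never receives a valid assertion."""
    auth, good = Authenticator(), PasskeyLogin(GOOD)
    good.register(email, auth.create(GOOD))
    challenge = good.start(email)
    return good.finish(email, auth.get_assertion(BAD, challenge))


def passkey_honest_login(email):
    """Control: the same flow with the user actually on good.example."""
    auth, good = Authenticator(), PasskeyLogin(GOOD)
    good.register(email, auth.create(GOOD))
    challenge = good.start(email)
    return good.finish(email, auth.get_assertion(GOOD, challenge))


if __name__ == "__main__":
    print("OTP relay:", otp_relay_attack("granny@example.com"))
    print("passkey relay:", passkey_relay_attack("granny@example.com"))
    print("passkey honest:", passkey_honest_login("granny@example.com"))
```

The same relay logic also defeats an e-mailed link unless the link only completes login in the browser that started the flow; the passkey case resists it not because the user is smarter but because the RP ID check happens in the browser and on the server, not in the user's head.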
There's actually a very good reason to implement a delay in switching submenus.
Recent versions of Apple's human interface guidelines don't make any mention of it, because those decisions are baked into the toolkit and not under control of application designers, but the earlier editions of Apple's guidelines went into some detail about why and how pop-up submenus were delayed.
1995 edition of Macintosh Human Interface Guidelines:
>pp. 79: Hierarchical menus are menus that include a menu item from which a submenu descends. You can offer additional menu item choices without taking up more space in the menu bar by including a submenu in a main menu. When the user drags the pointer through a menu and rests it on a hierarchical menu item, a submenu appears after a brief delay. To indicate that a submenu exists, use a triangle facing right, as shown in Figure 4-36.
The original 1987 version of the Apple Human Interface Guidelines can be checked out from the Internet Archive, and should be required reading for serious user interface designers, the same way that serious art students should contemplate the Mona Lisa, and serious music students should listen to Mozart. Even though it's quite dated, it's a piece of classic historic literature that explicitly explains the important details of the design and the rationale behind it, in a way that modern UI guidelines just gloss over because so much is taken for granted and not under the control of the intended audience (macOS app designers using off-the-shelf menus vs. people rolling their own menus in HTML, who do need to know about those issues):
>pp. 87: The delay values enable submenus to function smoothly, without jarring distractions to the user. The submenu delay is the length of time before a submenu appears as the user drags the pointer through a hierarchical menu item. It prevents flashing caused by rapid appearance-disappearance of submenus. The drag delay allows the user to drag diagonally from the submenu title into the submenu, briefly crossing parent of the main menu, without the submenu disappearing (which would ordinarily happen when the pointer was dragged into another menu item). This is illustrated in Figure 3-42.
>I run into this problem all the time on the Web. Web site designers forget to incorporate a menu show delay, resulting in frustration when trying to navigate around them. For example, let's look at the navigation bar on the home page of The Discovery Channel. Hover over TV Shows, and the menu appears. Suppose you want to go to Koppel on Discovery, but instead of moving the mouse straight downward, the way you hold your arm on the desk moves the mouse in an arc that happens to swing to the right before it arcs downward. You touch TV Schedules and your navigation is screwed up. You have to start over and make sure to move the mouse exactly straight down.
You can even solve the problem with CSS and without JavaScript, by using ":hover":
>This is a fairly old UX concept that I haven't heard talked about in a while, but is still relevant in the case of multi-level dropdown menus. A fine-grained pointer like a mouse sometimes has to travel through pretty narrow corridors to accurately get where it needs to in a dropdown menu. It's easy to screw up (have the mouse pointer leave the path) and be penalized by having it close up on you. Perhaps we can make that less frustrating.
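The two delays quoted from the guidelines, as an added example that is not code from the comment above, from Apple's toolkit, or from any of the quoted sites: a small hover controller that implements the submenu delay (rest on the item before it pops up) and the drag delay (an open submenu survives a diagonal drag that crosses neighbouring items). The delay values and the item names are assumptions; timers are injected so the logic runs headlessly against the fake clock included below.

```javascript
// Added example, not from the comment above or from Apple's toolkit: a
// hover controller with the two delays the 1987 guidelines describe, a
// submenu delay before showing and a drag delay before hiding. The delay
// values and menu item names are assumptions. Timers are injected so the
// logic can run headlessly against the fake clock below.
function createSubmenuController({ showDelay = 250, dragDelay = 400,
                                   setTimer = setTimeout, clearTimer = clearTimeout } = {}) {
  let openId = null;     // submenu currently visible
  let openTimer = null;  // pending show: { id, handle }
  let closeTimer = null; // pending hide: handle

  function cancelOpen() { if (openTimer) { clearTimer(openTimer.handle); openTimer = null; } }
  function cancelClose() { if (closeTimer) { clearTimer(closeTimer); closeTimer = null; } }

  // Submenu delay: the pointer must rest on the item before it pops up, so a
  // pointer merely passing over hierarchical items does not make them flash.
  function scheduleOpen(id) {
    if (openTimer && openTimer.id === id) return;
    cancelOpen();
    const handle = setTimer(() => { openTimer = null; cancelClose(); openId = id; }, showDelay);
    openTimer = { id, handle };
  }
  // Drag delay: the open submenu survives a diagonal drag that briefly
  // crosses neighbouring items on its way into the submenu.
  function scheduleClose() {
    if (openId === null || closeTimer) return;
    closeTimer = setTimer(() => { closeTimer = null; openId = null; }, dragDelay);
  }

  return {
    get openId() { return openId; },
    hoverItem(id, hasSubmenu) {
      if (hasSubmenu && id === openId) { cancelClose(); cancelOpen(); return; }
      if (hasSubmenu) scheduleOpen(id); else cancelOpen();
      if (openId !== null) scheduleClose();
    },
    enterSubmenu(id) { if (id === openId) { cancelClose(); cancelOpen(); } },
    leaveMenu() { cancelOpen(); scheduleClose(); },
  };
}

// Deterministic stand-in for setTimeout/clearTimeout.
function createFakeClock() {
  let now = 0, nextId = 1;
  const timers = new Map();
  return {
    setTimer(fn, ms) { const id = nextId++; timers.set(id, { at: now + ms, fn }); return id; },
    clearTimer(id) { timers.delete(id); },
    advance(ms) {
      const target = now + ms;
      for (;;) {
        let due = null;
        for (const [id, t] of timers) if (t.at <= target && (!due || t.at < due.t.at)) due = { id, t };
        if (!due) break;
        timers.delete(due.id); now = due.t.at; due.t.fn();
      }
      now = target;
    },
  };
}

function newMenu(clock) {
  return createSubmenuController({ showDelay: 250, dragDelay: 400,
                                   setTimer: clock.setTimer, clearTimer: clock.clearTimer });
}

// The Discovery Channel case from the quoted text: rest on "TV Shows", then
// arc across "TV Schedules" on the way into the submenu.
function diagonalDragScenario() {
  const clock = createFakeClock(), menu = newMenu(clock), trace = [];
  menu.hoverItem("tv-shows", true);
  clock.advance(100); trace.push(menu.openId);   // still closed: inside showDelay
  clock.advance(200); trace.push(menu.openId);   // open after 250 ms at rest
  menu.hoverItem("tv-schedules", false);         // pointer brushes a neighbour
  clock.advance(150); trace.push(menu.openId);   // still open: inside dragDelay
  menu.enterSubmenu("tv-shows");                 // pointer reaches the submenu
  clock.advance(1000); trace.push(menu.openId);  // stays open
  return trace;
}

// Passing over a hierarchical item without resting never shows its submenu.
function passThroughScenario() {
  const clock = createFakeClock(), menu = newMenu(clock);
  menu.hoverItem("tv-shows", true);
  clock.advance(100);
  menu.hoverItem("news", false);
  clock.advance(1000);
  return menu.openId;
}

console.log(diagonalDragScenario(), passThroughScenario());
```

In a real page the `hoverItem`/`enterSubmenu`/`leaveMenu` calls would be wired to `mouseenter`/`mouseleave` on the items and submenus, and `openId` drives which submenu has its visible class. The CSS `:hover` approach mentioned in the comment gives you the "stays open while the pointer is inside" part for free but not the two delays, which is why diagonal drags still close pure-CSS menus.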
There're so many alternatives to Airflow nowadays that you really need to make sure that Airflow is the best solution (or even a solution) to your use case. There's plenty of use cases better resolved with tools like Prefect or Dagster, but I suppose the inertia to install the tool everyone knows about is really big.
I start taking notes and have endless questions for everyone.
By the end of the first few days it is clear to me that most people there, even some veteran product managers, have very incomplete ideas.
By the end of the first few weeks I generally end up being the most knowledgeable person on the team (or at least among the top), because generally most people don't give two damns and are there for the paycheck, so I'm reminded of how low the bar is in pretty much any environment.
A nice side effect of my approach is that you end up learning a terrific amount about the other teammates and you force people into questioning their knowledge themselves.
This might just be a contrarian take on my part, but maybe we'd be better off without Google News--and most of the publishers it features.
When was the last time you read a news article in any "major" news source, of the kind that typically appears on Google News, about a subject you know well and you thought, "This demonstrates an accurate understanding of even the big picture elements of the story"?
I don't remember having had this experience since I was a child, decades ago. I was a teenager when I first extrapolated that if they couldn't report with even big picture accuracy on the things I did know something about, odds were that they were similarly wrong about all the things I didn't know about too.
With that perspective in mind, it's come down to a question for me of whether it is good or bad for my life to be immersed, near-constantly, in stories about (usually awful) things happening in parts of the world that I can't do a thing about. I don't think it is.
I think that's what leads people to feel powerless and to live in fear. It leads to this "victimer than thou" culture where people act like (and largely feel like) their only hope for surviving something difficult that might happen in their own lives would be to get enough sympathy from a large enough audience that people would actually help. Nobody feels like an agent anymore because they're constantly immersed in stories of awful things in which they don't have any agency.
There's this broad cultural assumption that "one must be informed about world affairs," but it's at the expense of local affairs, the affairs we could affect. If you know about violence on the other side of the planet, but don't know that your neighbor three doors down is having trouble getting to work and at risk of losing their job because their car broke down, I'd strongly argue that your priorities are out of whack. People's lives everywhere are getting worse because we're all worrying about things far away that we can't affect rather than local problems we could actually solve.
I'd just as soon see Google News shutter. I think we would all be better off without the 24-hour global news cycle.
These are mostly learning resources rather than certifications....
For backend engineering specific, some free & paid resources are
- O'Reilly Membership - This is a gold mine. For the $400 I believe you can purchase a yearly membership, where you get access to the entire O'Reilly catalogue. Designing Data Intensive Applications is included of course. They also have some video courses & conference talks in addition to the books. If you don't want to spend the $400 then they also offer a 7 day trial and don't ask for a credit card....
- quastor.org is a good read (but it's free). They follow all the big tech engineering blogs and send summaries of the interesting backend-dev blog posts.
- bytebytego - this is also free. It's mostly diagrams and provides a very high level overview but it's a good subscription. You can also purchase their books on their website.
- LeetCode membership - good for interview prep if you're looking for a FAANG-job, pretty much useless for everything else (could be helpful if you like competitive coding though!).
- Udemy Courses by Hussein Nasser - I really liked his course on databases. Delves into the different database engines, tradeoffs, query optimization, etc. He also has a YouTube channel with lots of free content.
- codecrafters - I haven't done this myself but it's a bunch of interesting challenges where you build a toy version of Redis, build a bittorrent client, build a toy version of Git, etc. Could be useful to understand how tech works. In terms of a free version, there's also (https://github.com/codecrafters-io/build-your-own-x) which is a collection of blog posts where you're building different things in various languages.
On a mature project in a small team, the only tickets left were hard bugs that nobody wanted. The kind of bugs where you can invest days and have nothing really to show for it except crossing out some suspicions. Or maybe incorrectly crossing one out and then going on a wild goose chase until you circle back to it in a week, flustered.
You're expected to commit all of your mental energy to these tickets day after day, and then once you finally triumph and solve the bug after coffee or amphetamine binges, you turn in the code, close the ticket, and you're expected to immediately work on the next ticket.
You don't get a real break. But you can mentally rest at the start of the next ticket since nobody expects instant results. But now it's been a couple days and people are asking you what you've been doing so far—you must be blocked, right?—but you've barely started and you're pressured to invent small lies and excuses about why you're behind, each one risking yet another slip of the mask.
And when you need some time off the most, it's when you're the most behind of all and people have begun to notice, so taking the time off doesn't even seem like an option.
Seemed like a great project. Hope to see it come back!
There are some great open-source projects in this space – not quite the same – many are focused on local LLMs like Llama2 or Code Llama which was released last week:
Mozilla essentially did a "get woke, go broke". They fired Brendan for ridiculous reasons, they focused on products that were useless and were really focused on spreading propaganda for woke causes.
I still use Firefox every day since it's the best browser for Linux, but I also use Brave. Mozilla as a company in my eyes are a bit lost and they need more focus on their technology. It seems like they have realized this in the last two years or so and I hope that trend will continue. Firefox is awesome, focus on privacy is awesome. MDN is awesome. If they need money from other sources than Google, why not create some kind of subscription service for their MDN docs?
There is a bunch of things they actually need to fix like lack of PWA support in firefox (still) which is pretty bad that they don't have that enabled by default.
Focus on what matters, no one cares about your woke politics in the long run.
One of the key points of the talk happens around the 32-37 minute mark, comparing the crew sizes of various ships. He makes the point that the core of development is really putting together the requirements, not writing code. Unfortunately we've put nearly all of the resources of our industry into engineering rather than science (tactics rather than strategies). What he stated very succinctly is that a supercomputer can work out the tactics when provided a strategy, so why are we doing this all by hand?
That’s as far as I’ve gotten in the video so far but I find it kind of haunting that I already know what he’s talking about (brute force, simulated annealing, genetic algorithms, and other simple formulas that evolve a solution) and that these all run horribly on current hardware but are trivial to run on highly parallelized CPUs like the kind that can be built with FPGAs. They also would map quite well to existing computer networks, a bit like SETI@home.
Dunno about anyone else, but nearly the entirety of what I do is a waste of time, and I know it, deep down inside. That’s been a big factor in bouts with depression over the years and things like imposter syndrome. I really quite despise the fact that I’m more of a translator between the spoken word and computer code than an engineer, architect or even craftsman. Unfortunately I follow the money for survival, but if it weren’t for that, I really feel that I could be doing world-class work for what basically amounts to room and board. I wonder if anyone here feels the same…