patrick.net
An Antidote to Corporate Media
1,196,602 comments by 14,079 users - Ceffer, Onvacation online now
invite response« First « Previous Comments 38 - 77 of 95 Next » Last » Search these comments
38
Tenpoundbass
2023 Jun 14, 9:16am
Tenpoundbass
2023 Jun 14, 9:16am
Tenpoundbass says
I would add, that I preferer to custom script out my own code generation per each project. I do not use Entity Frameworks because it adds way too much buggy sluggish overhead, it's hogs more resources than all of your project's code combined. All of my code generation is external and I plug it into the pages and classes I'm working on by hand. But I can script for any language and any model, for any purpose. Client HTML code, Object Classes, and Data Classes. EFF can not do that. Frameworks can generate cookie cutter code, but it's all the same code from project to project. You can't use Microsoft EFF to generate Python or Java code.
If the data model is good, and the enterprise is happy with it. Then the best and quickest way to do a rewrite is to use Code Generating SQL against the tables. I can stub out a whole Enterprise suite in under a week. Then only need to write the business logic layer and the client Scripts.
I would add, that I preferer to custom script out my own code generation per each project. I do not use Entity Frameworks because it adds way too much buggy sluggish overhead, it's hogs more resources than all of your project's code combined. All of my code generation is external and I plug it into the pages and classes I'm working on by hand. But I can script for any language and any model, for any purpose. Client HTML code, Object Classes, and Data Classes. EFF can not do that. Frameworks can generate cookie cutter code, but it's all the same code from project to project. You can't use Microsoft EFF to generate Python or Java code.
39
NuttBoxer
2023 Jun 14, 10:53am
NuttBoxer
2023 Jun 14, 10:53am
Tenpoundbass says
I spent a month testing some API's for a guy who was monetizing a domain purchasing site. He hired an oversea's programmer who slapped a bunch of stuff together with no standardization, and some pretty big security gaps. I pointed it out to him, but due to the fact that he hadn't even launched yet, there wasn't much interest in doing anything beyond plugging the security gaps.
I work in software quality, so my first instinct is always to push for maintenance NOW, but it really does depend on where the business is at.
Always do a rewrite. Normally by time you are called to bring a Customer's software to the next level. The previous developer had already coded the project into a hard corner. And the new business requirements would be impossible to factor in without creating a buggy broken system.
I spent a month testing some API's for a guy who was monetizing a domain purchasing site. He hired an oversea's programmer who slapped a bunch of stuff together with no standardization, and some pretty big security gaps. I pointed it out to him, but due to the fact that he hadn't even launched yet, there wasn't much interest in doing anything beyond plugging the security gaps.
I work in software quality, so my first instinct is always to push for maintenance NOW, but it really does depend on where the business is at.
40
Tenpoundbass
2023 Jun 14, 1:57pm
Tenpoundbass
2023 Jun 14, 1:57pm
The hardest part for any Enterprise software, is getting it to the point to where it is now.
One of the biggest problem with rewrites is they come in thinking they are going to do a total data model redesign. These days they want to shoehorn software written for a unique business case in a unique industry with unique requirements. Into a one size fits all Cloud CRM and ERP. So they are forced to rewrite the whole business process logic and requirements. Any gaps not meeting previous requirements, they outsource to a third party service, lots of third party cloud services, to do what 90% of the companies should be home growing on their own. I try to understand the business reasons for the most fucked up head scratching code, and understand why the previous guy did it so ungracefully. There was always a reason, that even those cloud guys eventually run into. No matter how hard they try to ignore that complicated backwards, stupid way the previous guy was forced to do it. .
But if you take time to understand that you probably would have met the same trap, because you understood, what it was doing, how that process got added on after the fact. And you understand what it does and why it's important.. You can then figure how to gracefully make that process. You can make some of your most elegant impressive code you ever did. And in many ways, you owe it to the previous guy, and the problem he was faced with. That you then built on and made it work.
Most migrations and updated enterprise rewrite development lead, do not understand that process today.
One of the biggest problem with rewrites is they come in thinking they are going to do a total data model redesign. These days they want to shoehorn software written for a unique business case in a unique industry with unique requirements. Into a one size fits all Cloud CRM and ERP. So they are forced to rewrite the whole business process logic and requirements. Any gaps not meeting previous requirements, they outsource to a third party service, lots of third party cloud services, to do what 90% of the companies should be home growing on their own. I try to understand the business reasons for the most fucked up head scratching code, and understand why the previous guy did it so ungracefully. There was always a reason, that even those cloud guys eventually run into. No matter how hard they try to ignore that complicated backwards, stupid way the previous guy was forced to do it. .
But if you take time to understand that you probably would have met the same trap, because you understood, what it was doing, how that process got added on after the fact. And you understand what it does and why it's important.. You can then figure how to gracefully make that process. You can make some of your most elegant impressive code you ever did. And in many ways, you owe it to the previous guy, and the problem he was faced with. That you then built on and made it work.
Most migrations and updated enterprise rewrite development lead, do not understand that process today.
41
GNL
2023 Jun 14, 2:33pm
GNL
2023 Jun 14, 2:33pm
Tenpoundbass says
I found your comment quite insightful. Yes, we've added many things after the fact because these add-ons were not envisioned at the time. Mission creep has to stop at some point also.
met the same trap, because you understood, what it was doing, how that process got added on after the fact. And you understand what it does and why it's important.. You can then figure how to gracefully make that process. You can make some of your most elegant impressive code you ever did. And in many ways, you owe it to the previous guy, and the problem he was faced with. That you then built on and made it work.
Most migrations and updated enterprise rewrite development lead, do not understand that process today.
I found your comment quite insightful. Yes, we've added many things after the fact because these add-ons were not envisioned at the time. Mission creep has to stop at some point also.
42
NuttBoxer
2023 Jun 14, 2:51pm
NuttBoxer
2023 Jun 14, 2:51pm
Last company I worked at for a year and a half was supposed to be migrating their legacy infrastructure to the cloud. We were the last team in line to do this, so not charting new waters by any means. But the code was inherited probably a few times over, and almost no one on the team was there when it was written. I remember one of the engineers after an outage(there were many), comparing what he saw to duct-taping shit together, it was that fragile. Right before I left they had decided to pivot to just migrating to Kafka from MSMQ, and push the rest off, but I seriously suspect the team dev lead, and product owner will be fired when this stuff never completes.
Worst part, they kept dumping new feature requests on the team. I spent more than a few meetings telling them they needed to stop if they wanted migration to ever finish, but there was always an excuse.
My time at that company was split into 1/3 testing(my actual job), 1/3 helping manage process, and 1/3 on call for production issues(usually outages). I don't even want to look at prod support at my current place, still scarred from having to get up and answer alerts in the middle of the night.
Worst part, they kept dumping new feature requests on the team. I spent more than a few meetings telling them they needed to stop if they wanted migration to ever finish, but there was always an excuse.
My time at that company was split into 1/3 testing(my actual job), 1/3 helping manage process, and 1/3 on call for production issues(usually outages). I don't even want to look at prod support at my current place, still scarred from having to get up and answer alerts in the middle of the night.
43
HeadSet
2023 Jun 14, 4:43pm
HeadSet
2023 Jun 14, 4:43pm
richwicks says
Funny you should say that. The current C++ redistributable somehow omits the msvcr100.dll which causes a graphics program I loaded yesterday to not run. Once I figured that out it was just a copy and paste from a computer that still had that dll.
BTW: C++ has improved VASTLY since I last used it. It no longer sucks!
Funny you should say that. The current C++ redistributable somehow omits the msvcr100.dll which causes a graphics program I loaded yesterday to not run. Once I figured that out it was just a copy and paste from a computer that still had that dll.
44
richwicks
2023 Jun 14, 6:05pm
richwicks
2023 Jun 14, 6:05pm
HeadSet says
I don't ever work under Windows. I just got fed up with their bullshit ages ago. It won't be long before you have to rent MS Windows, and pay a monthly fee for it. That's already true of MS Office.
I am never going to work under Windows again, ever.
richwicks says
BTW: C++ has improved VASTLY since I last used it. It no longer sucks!
Funny you should say that. The current C++ redistributable somehow omits the msvcr100.dll which causes a graphics program I loaded yesterday to not run. Once I figured that out it was just a copy and paste from a computer that still had that dll.
I don't ever work under Windows. I just got fed up with their bullshit ages ago. It won't be long before you have to rent MS Windows, and pay a monthly fee for it. That's already true of MS Office.
I am never going to work under Windows again, ever.
45
HeadSet
2023 Jun 14, 6:39pm
HeadSet
2023 Jun 14, 6:39pm
richwicks says
I hear you, but the software I like will not run on Linux, and Apple is just a pricey way to do the same thing.
I am never going to work under Windows again, ever.
I hear you, but the software I like will not run on Linux, and Apple is just a pricey way to do the same thing.
46
richwicks
2023 Jun 14, 6:51pm
richwicks
2023 Jun 14, 6:51pm
HeadSet says
If I have to use Windows, I fire up a virtualbox virtual machine.
richwicks says
I am never going to work under Windows again, ever.
I hear you, but the software I like will not run on Linux, and Apple is just a pricey way to do the same thing.
If I have to use Windows, I fire up a virtualbox virtual machine.
47
Patrick
2023 Jun 14, 10:37pm
Patrick
2023 Jun 14, 10:37pm
GNL says
@GNL
I used node.js to rewrite patrick.net a few years ago, and I'm very happy with it. Clearly I'm no visual artist, but performance and maintainability of my current version are the best of any website I've ever seen, if I may say so myself.
Having worked with React, and I learned to detest it as a low-performance ball of yarn. Hell, avoid all front-end frameworks and get people who've actually read most of https://developer.mozilla.org/en-US/ The browser already does everything you need, you just need to figure out how.
This site is one file, patrick_net.js, and all the code is in it except for some unavoidable npm libraries, such as for interfacing to mysql.
I was taught that css and client-side js should go in separate files. That's bullshit. You get dependency problems because of version skew, and clearly lower performance. Yes, external js and css files can be cached, but it's still faster performance-wise to have a single file and include the js and css just where you need them in the generated html. If you're pulling in giant external js and css files you have serious problems to begin with. Don't do that.
And the development speed from a single file is priceless! I literally never need to figure out what file any function or js snippet or css is in, because it's all in the same fucking file. Most programmers spend half their time searching various files for things. I never have to do that. And using ALE in vim to detect errors as I'm typing has saved me vast amounts of debugging time: https://medium.com/@victormours/better-linting-in-vim-with-ale-1e4b1d5789af
I got the single-file idea when I heard that a popular travel site was all one php file. The guy who made it was a newbie programmer, but damn, he hit on something super-useful with that naivete.
I also optimized the shit out of the database, and have a strict naming convention in the db that every column starts with the singular of the table name. So the users table has columns user_id, user_email, user_pass, ... Then when I'm looking in the code at fields I got from the db, I know exactly which table they are from, instantly.
Tons of lessons like that acquired over the last 25 years or so.
If you were starting from scratch, what would you use to create a commercial website?
@GNL
I used node.js to rewrite patrick.net a few years ago, and I'm very happy with it. Clearly I'm no visual artist, but performance and maintainability of my current version are the best of any website I've ever seen, if I may say so myself.
Having worked with React, and I learned to detest it as a low-performance ball of yarn. Hell, avoid all front-end frameworks and get people who've actually read most of https://developer.mozilla.org/en-US/ The browser already does everything you need, you just need to figure out how.
This site is one file, patrick_net.js, and all the code is in it except for some unavoidable npm libraries, such as for interfacing to mysql.
I was taught that css and client-side js should go in separate files. That's bullshit. You get dependency problems because of version skew, and clearly lower performance. Yes, external js and css files can be cached, but it's still faster performance-wise to have a single file and include the js and css just where you need them in the generated html. If you're pulling in giant external js and css files you have serious problems to begin with. Don't do that.
And the development speed from a single file is priceless! I literally never need to figure out what file any function or js snippet or css is in, because it's all in the same fucking file. Most programmers spend half their time searching various files for things. I never have to do that. And using ALE in vim to detect errors as I'm typing has saved me vast amounts of debugging time: https://medium.com/@victormours/better-linting-in-vim-with-ale-1e4b1d5789af
I got the single-file idea when I heard that a popular travel site was all one php file. The guy who made it was a newbie programmer, but damn, he hit on something super-useful with that naivete.
I also optimized the shit out of the database, and have a strict naming convention in the db that every column starts with the singular of the table name. So the users table has columns user_id, user_email, user_pass, ... Then when I'm looking in the code at fields I got from the db, I know exactly which table they are from, instantly.
Tons of lessons like that acquired over the last 25 years or so.
48
gabbar
2023 Jun 15, 3:16am
gabbar
2023 Jun 15, 3:16am
richwicks says
Student is already registered to take assembly language in Fall 2023. Thank you for the recommendation.
You have to learn many high level languages, and a few lower level languages. You don't have to learn higher level languages well, it just introduces you to many concepts which you can implement elsewhere. The concept of a class in C++, brilliant idea, but it's trivial to implement that in C. You're just passing around a pointer to a C structure to every function. There, that is basically C++. C++ used to be nothing more than a preprocessor for C - it took in the C++ code, and through a bunch of macros and conversions, made a C file, and compiled that.
Student is already registered to take assembly language in Fall 2023. Thank you for the recommendation.
49
gabbar
2023 Jun 15, 3:17am
gabbar
2023 Jun 15, 3:17am
Tenpoundbass says
How can a sophomore in computer science learn Enterprise software?
The hardest part for any Enterprise software, is getting it to the point to where it is now.
How can a sophomore in computer science learn Enterprise software?
50
richwicks
2023 Jun 15, 4:42am
richwicks
2023 Jun 15, 4:42am
gabbar says
If they're like me, they have to understand "how" always. Assembly explains it the "memory" of a chip is TINY. You have registers (the real memory) cache (fast memory), regularly memory (this is just fetched to put in the cache, and periodically written back), then virtual memory is sometimes incorrect called "cached memory" - this is when memory isn't being used very often, so it's written to disk for later retrieval.
IF they want, they can learn binary logic to compose gates, and ALUs and so on. This isn't necessary, but I had to know. I'm actually trained as a computer chip designer, very glad I didn't go into that. It's ridiculously complex and it's just really verilog and VHDL now. I can lay down metal and poly-silicon layers to make a chip. If they want to know this, just learn logic, learn what a CMOS gate is, just simple stuff.
Student is already registered to take assembly language in Fall 2023. Thank you for the recommendation.
If they're like me, they have to understand "how" always. Assembly explains it the "memory" of a chip is TINY. You have registers (the real memory) cache (fast memory), regularly memory (this is just fetched to put in the cache, and periodically written back), then virtual memory is sometimes incorrect called "cached memory" - this is when memory isn't being used very often, so it's written to disk for later retrieval.
IF they want, they can learn binary logic to compose gates, and ALUs and so on. This isn't necessary, but I had to know. I'm actually trained as a computer chip designer, very glad I didn't go into that. It's ridiculously complex and it's just really verilog and VHDL now. I can lay down metal and poly-silicon layers to make a chip. If they want to know this, just learn logic, learn what a CMOS gate is, just simple stuff.
51
GNL
2023 Jun 15, 5:51am
GNL
2023 Jun 15, 5:51am
Thanks guys. I can't imagine what a rewrite of my site would cost in terms of $$ and time.
52
Tenpoundbass
2023 Jun 15, 6:36am
Tenpoundbass
2023 Jun 15, 6:36am
GNL says
A common mistake for mission creep is what I call "the Fred exception" when a principal comes to you and says...
"You know that very elegant efficient process you made for the company that processes payments and late fees?
Well there's a customer named Fred, and we need to process treat Fred totally different, and you need to write an algorithm that will calculate what he owes and how he owes it differently but only on the second Thursday of every month. The rest of the time, treat Fred the same."
Most developers will begrudgingly go on and plug in verbose Fred exceptions, with if and nested case statements, parsing the name of every customer that comes through the system, every single time, wasting valuable resources and littering the code.
I always go back to the model first and add a new field in a table that will identify a new class of customers, and field for any qualifiers like aging and dates that I will use to treat those class of customers. So now any time anyone else needs a Fred exception, all you have to do is change their classification identifiers. Because there will always be another Fred, then your doing if or statements.
The turn around to treat Fred special might be a week longer often not though. But in the long run I save a ton of time, by not having Fred create more mission creep where I'm accommodating more process exceptions for Fred.
Believe it or not, it's the principals in meetings that will be against extending the project to accommodate a new classification. In their mind, it was their brilliant idea to quick and dirty just parse the whole enterprise for one single name treat differently. These are the same assholes that likes to bring up in those meetings if the Project is Sarbanes-Oxley compliant.
I found your comment quite insightful. Yes, we've added many things after the fact because these add-ons were not envisioned at the time. Mission creep has to stop at some point also.
A common mistake for mission creep is what I call "the Fred exception" when a principal comes to you and says...
"You know that very elegant efficient process you made for the company that processes payments and late fees?
Well there's a customer named Fred, and we need to process treat Fred totally different, and you need to write an algorithm that will calculate what he owes and how he owes it differently but only on the second Thursday of every month. The rest of the time, treat Fred the same."
Most developers will begrudgingly go on and plug in verbose Fred exceptions, with if and nested case statements, parsing the name of every customer that comes through the system, every single time, wasting valuable resources and littering the code.
I always go back to the model first and add a new field in a table that will identify a new class of customers, and field for any qualifiers like aging and dates that I will use to treat those class of customers. So now any time anyone else needs a Fred exception, all you have to do is change their classification identifiers. Because there will always be another Fred, then your doing if or statements.
The turn around to treat Fred special might be a week longer often not though. But in the long run I save a ton of time, by not having Fred create more mission creep where I'm accommodating more process exceptions for Fred.
Believe it or not, it's the principals in meetings that will be against extending the project to accommodate a new classification. In their mind, it was their brilliant idea to quick and dirty just parse the whole enterprise for one single name treat differently. These are the same assholes that likes to bring up in those meetings if the Project is Sarbanes-Oxley compliant.
53
Tenpoundbass
2023 Jun 15, 6:56am
Tenpoundbass
2023 Jun 15, 6:56am
gabbar says
About a year after reading my first VB4 book from not knowing a damn thing about anything. Got my first job for a mail order catalog company.
It was converting a Data Flex Unix Server based CRM to a VB6 project. It paid for Shit, like $43K a year IIRC. I interviewed for the job and the guy that was leaving and moving on, which I was replacing. Gave me a quick Data Flex syntax tutorial.(He bought land in NC and was moving up there to farm)
Then he brought up Data Flex code for one of the forms, (it was a Dos client) and opened VB 5 at the time, VB 6 came out a few months after he left.
And had me migrate the code from Data Flex to VB. He saw I had the knack for it, and knew there was no damn way they were going to get a seasoned developer to work for $43K to do a job that typically was paying $60 to $80K a year even in 1997. He told the boss I was a great fit and I was there for three years before moving on. I moved on because the cheap fuck wouldn't raise beyond the 3% typical pay raise. Which was still keeping me below $50K after 3 years. I left there and got a job for $60K and never looked back.
I would tell the kid to put himself out there. I was damn lucky that my first job was a one man shop job. I was forced on the high dive that I would have never seen in a typical dev team environment. I wouldn't know 1/10th of what I know if not for that. I was in charge of setting up new HP servers, managing a Novel network in the graphics department, and moving it to a MS network with apple talk protocols. Installed and managed Exchange server, Biz Talk server. The guy that left had an agreement with the boss that he got the MSDN Enterprise subscription every year. Which I inherited. So I had all of MS toys at my disposal to really dig in and play with as a lab of sorts, both at home and at work on old defunct servers. It was how I justified staying there for three years for so cheap.
My explanation was how to get in the door. But how to learn it. He can do it the same way I did, by just jumping in the code and step debugging through it until he understands what the processes are doing. He should look for some sample project developers may have posted, that runs a business.
Like MS Adventure Works, or Nerd Diner, the MS sample Book publisher project. there's quite a few out there.
But the enterprise is being dominated by project leaders that want's to use out of the box CRM and ERP or Cloud services. It's the trend that has me looking for a new career path. I hope this is just a passing phase. Enterprise software development these days is more of a end user of a kluge management suite that you have to set up by filling in form values, than actually writing code. And roles I just took for granted something I need to do first before I can do other parts, now are separate duties held by gatekeepers who are behind 5 layers of SOP and process ticket systems and meetings before you can get done what I used to just do in a minute.
The IT admins have elevated themselves to the only hands on technical people in the organization, and their developers are nothing more than convoluted word processer users.
How can a sophomore in computer science learn Enterprise software?
About a year after reading my first VB4 book from not knowing a damn thing about anything. Got my first job for a mail order catalog company.
It was converting a Data Flex Unix Server based CRM to a VB6 project. It paid for Shit, like $43K a year IIRC. I interviewed for the job and the guy that was leaving and moving on, which I was replacing. Gave me a quick Data Flex syntax tutorial.(He bought land in NC and was moving up there to farm)
Then he brought up Data Flex code for one of the forms, (it was a Dos client) and opened VB 5 at the time, VB 6 came out a few months after he left.
And had me migrate the code from Data Flex to VB. He saw I had the knack for it, and knew there was no damn way they were going to get a seasoned developer to work for $43K to do a job that typically was paying $60 to $80K a year even in 1997. He told the boss I was a great fit and I was there for three years before moving on. I moved on because the cheap fuck wouldn't raise beyond the 3% typical pay raise. Which was still keeping me below $50K after 3 years. I left there and got a job for $60K and never looked back.
I would tell the kid to put himself out there. I was damn lucky that my first job was a one man shop job. I was forced on the high dive that I would have never seen in a typical dev team environment. I wouldn't know 1/10th of what I know if not for that. I was in charge of setting up new HP servers, managing a Novel network in the graphics department, and moving it to a MS network with apple talk protocols. Installed and managed Exchange server, Biz Talk server. The guy that left had an agreement with the boss that he got the MSDN Enterprise subscription every year. Which I inherited. So I had all of MS toys at my disposal to really dig in and play with as a lab of sorts, both at home and at work on old defunct servers. It was how I justified staying there for three years for so cheap.
My explanation was how to get in the door. But how to learn it. He can do it the same way I did, by just jumping in the code and step debugging through it until he understands what the processes are doing. He should look for some sample project developers may have posted, that runs a business.
Like MS Adventure Works, or Nerd Diner, the MS sample Book publisher project. there's quite a few out there.
But the enterprise is being dominated by project leaders that want's to use out of the box CRM and ERP or Cloud services. It's the trend that has me looking for a new career path. I hope this is just a passing phase. Enterprise software development these days is more of a end user of a kluge management suite that you have to set up by filling in form values, than actually writing code. And roles I just took for granted something I need to do first before I can do other parts, now are separate duties held by gatekeepers who are behind 5 layers of SOP and process ticket systems and meetings before you can get done what I used to just do in a minute.
The IT admins have elevated themselves to the only hands on technical people in the organization, and their developers are nothing more than convoluted word processer users.
54
NuttBoxer
2023 Jun 15, 9:12am
NuttBoxer
2023 Jun 15, 9:12am
Tenpoundbass says
Nothing wrong with the Fred exception if you charge for it, and make it clear any additional work needed for the Fred exception will be treated to a separate bill. That way you avoid endless customized maintenance for free. And I mean to the level that when you do a major refactor, if Fred's shit doesn't work anymore, you invite Fred back into the core product fold, or Fred pays again...
A common mistake for mission creep is what I call "the Fred exception"
Nothing wrong with the Fred exception if you charge for it, and make it clear any additional work needed for the Fred exception will be treated to a separate bill. That way you avoid endless customized maintenance for free. And I mean to the level that when you do a major refactor, if Fred's shit doesn't work anymore, you invite Fred back into the core product fold, or Fred pays again...
55
Tenpoundbass
2023 Jun 15, 9:58am
Tenpoundbass
2023 Jun 15, 9:58am
NuttBoxer says
The other problem with doing it that way. When the next company comes behind you, you have a reputation for writing spaghetti code.
My motto is "There's always time to do it right!".
You can put time up front to prep and create the foundation for any task at hand. Or you can just hack it in, and butcher it until it's good enough.
The butchered solution requires constant massaging and manual manipulation. Eventually boiling over to the point that they have to rewrite it and do it right, months or years after tolerating the inferior work around solution.
And I have proven it time and time again. When I have integrated a new classification in a data model to accommodate future Fred exceptions without having to update the code next time. My counterparts from outside vendors end up taking months of rewrites, and work arounds, and often scratching that roll out, until the next big update. After my code was ready within hours, days or a week of the request.
Nothing wrong with the Fred exception if you charge for it, and make it clear any additional work needed for the Fred exception will be treated to a separate bill. That way you avoid endless customized maintenance for free.
The other problem with doing it that way. When the next company comes behind you, you have a reputation for writing spaghetti code.
My motto is "There's always time to do it right!".
You can put time up front to prep and create the foundation for any task at hand. Or you can just hack it in, and butcher it until it's good enough.
The butchered solution requires constant massaging and manual manipulation. Eventually boiling over to the point that they have to rewrite it and do it right, months or years after tolerating the inferior work around solution.
And I have proven it time and time again. When I have integrated a new classification in a data model to accommodate future Fred exceptions without having to update the code next time. My counterparts from outside vendors end up taking months of rewrites, and work arounds, and often scratching that roll out, until the next big update. After my code was ready within hours, days or a week of the request.
56
Tenpoundbass
2023 Jun 15, 10:01am
Tenpoundbass
2023 Jun 15, 10:01am
NuttBoxer says
Also I consider tasks like that as a Data Plumber. The last thing I want to do is manual data entry, or sit there and plunger shit data through leaky code plumbing. I'll resign within a week.
My goal when I start work at a company. Is to write code that someone that isn't a programmer can manage with the tools I made them. After that its time for me to move on. If I were into that sort of thing, then I would have gone the IT route instead of the Developer route. I don't want to be that guy that has to log in at 3am to make sure a faulty shitty process completed without error codes.
Nothing wrong with the Fred exception if you charge for it, and make it clear any additional work needed for the Fred exception will be treated to a separate bill. That way you avoid endless customized maintenance for free. And I mean to the level that when you do a major refactor, if Fred's shit doesn't work anymore, you invite Fred back into the core product fold, or Fred pays again...
Also I consider tasks like that as a Data Plumber. The last thing I want to do is manual data entry, or sit there and plunger shit data through leaky code plumbing. I'll resign within a week.
My goal when I start work at a company. Is to write code that someone that isn't a programmer can manage with the tools I made them. After that its time for me to move on. If I were into that sort of thing, then I would have gone the IT route instead of the Developer route. I don't want to be that guy that has to log in at 3am to make sure a faulty shitty process completed without error codes.
57
NuttBoxer
2023 Jun 15, 10:36am
NuttBoxer
2023 Jun 15, 10:36am
As much as possible, give your users the ability to customize things on their end. A good CRM is worth years of development work. Current company is in the process of pulling all the customization back and focusing on just putting out a standard platform. Spoke with a couple people when I started as part of onboarding. Most common complaint I heard was how customization fucks everything up, and this was mostly coming from the business side.
58
SunnyvaleCA
2023 Jun 15, 11:26am
Patrick says
This is one of the best websites out there. If I wanted to see the work of a "visual artist" I'd visit a museum.
Instead, we have:
• Clear, high-contrast text
• nothing animating, giggling, or making noise
• everything on the page searchable in local browser text search
• pertinent information displayed without information overload
• responds properly to browser window width resizing
• zero CPU usage after initial load and layout
• fast load times
I used node.js to rewrite patrick.net a few years ago, and I'm very happy with it. Clearly I'm no visual artist
This is one of the best websites out there. If I wanted to see the work of a "visual artist" I'd visit a museum.
Instead, we have:
• Clear, high-contrast text
• nothing animating, giggling, or making noise
• everything on the page searchable in local browser text search
• pertinent information displayed without information overload
• responds properly to browser window width resizing
• zero CPU usage after initial load and layout
• fast load times
59
Tenpoundbass
2023 Jun 15, 12:44pm
Tenpoundbass
2023 Jun 15, 12:44pm
NuttBoxer says
The last company I worked for did Dye-sublimation printing on fabrics. The users could pick or upload a pattern, and order a sample size or a quantity of full yardage. I gave him a html based GUI that not only batched like fabrics, and a graphical layout of the samples before printing it. He could remove items, or move them around to accommodate their needs. Also to bring up a batch or a single item and reprint it. I gave him many tools for every gotcha we ever ran across that was outside of what my application could manage. Like report on the real available fabric at hand, or a report that shows stock needs to be moved to fulfil the order. Show the image didn't download for what ever reason, or the print error was due to the image being an improper format or wrong dimensions per the step repeat instructions(A serious error when that happens). The huge International consultant team ported that process to a cloud based MS 360 Cloud ERP. The end user I designed it for, says now the batch is just a list. It tells me nothing. The XML instructions that drives the print press is generated minutes after he batches it. Not Realtime, so if something fails or doesn't print. They don't find out about it until customers are moaning they didn't get it. With my system, he knew immediately . And because the new cloud system is purely a onetime one shot operation. The only way to reprint, is to tell the customer to cancel the order and send a new one. No guarantee it will make it either, if they don't' know that the image is screwed up.
More idiots that wondered. "What in the fuck did he do it like this for? All of this shit shouldn't be the guy that is printing the orders job!"
They are damn lucky they have that guy, I wrote him what he needed, and it was elegant and the industry leader. The consultant idiots wrote what they wanted him to have and it sucks and is nothing but problematic. When I wrote them the software, one of their Competitor/Partner developers were struggling generating a batch XML like I created. So the owner had me send them my code and massage them until they understood it. That really hurt, I should have left then rather than doing that.
As much as possible, give your users the ability to customize things on their end.
The last company I worked for did Dye-sublimation printing on fabrics. The users could pick or upload a pattern, and order a sample size or a quantity of full yardage. I gave him a html based GUI that not only batched like fabrics, and a graphical layout of the samples before printing it. He could remove items, or move them around to accommodate their needs. Also to bring up a batch or a single item and reprint it. I gave him many tools for every gotcha we ever ran across that was outside of what my application could manage. Like report on the real available fabric at hand, or a report that shows stock needs to be moved to fulfil the order. Show the image didn't download for what ever reason, or the print error was due to the image being an improper format or wrong dimensions per the step repeat instructions(A serious error when that happens). The huge International consultant team ported that process to a cloud based MS 360 Cloud ERP. The end user I designed it for, says now the batch is just a list. It tells me nothing. The XML instructions that drives the print press is generated minutes after he batches it. Not Realtime, so if something fails or doesn't print. They don't find out about it until customers are moaning they didn't get it. With my system, he knew immediately . And because the new cloud system is purely a onetime one shot operation. The only way to reprint, is to tell the customer to cancel the order and send a new one. No guarantee it will make it either, if they don't' know that the image is screwed up.
More idiots that wondered. "What in the fuck did he do it like this for? All of this shit shouldn't be the guy that is printing the orders job!"
They are damn lucky they have that guy, I wrote him what he needed, and it was elegant and the industry leader. The consultant idiots wrote what they wanted him to have and it sucks and is nothing but problematic. When I wrote them the software, one of their Competitor/Partner developers were struggling generating a batch XML like I created. So the owner had me send them my code and massage them until they understood it. That really hurt, I should have left then rather than doing that.
60
HeadSet
2023 Jun 15, 8:13pm
HeadSet
2023 Jun 15, 8:13pm
Tenpoundbass says
THIS!!! People are running a business and the computer is just a tool. Just like how a traveler uses a car to go places and does not want to stop every few miles to reset engine timing.
My goal when I start work at a company. Is to write code that someone that isn't a programmer can manage with the tools I made them.
THIS!!! People are running a business and the computer is just a tool. Just like how a traveler uses a car to go places and does not want to stop every few miles to reset engine timing.
61
richwicks
2023 Jul 25, 9:44pm
richwicks
2023 Jul 25, 9:44pm
I just asked ChatGPT to make an algorithm that would
1) scramble the bytes of the input randomly with a function
2) unscramble the output to produce the original data
It couldn't do it. It lied to me. It gave me code, that didn't work.
The more I play with AI, the less functional I realize it is. It's GREAT for starting with simple coding in languages you don't know, but ask it a somewhat difficult or unusual problem? It's worthless.
This idea that it will replace skilled workers, is bullshit. It's nowhere near that. It will always give you an answer, but if it's a tough one, it's most likely wrong, and there's no way to input data into it to correct it so it cannot learn from its errors. When you indicate it's made an error, this is apparently regarded as "hostility" and will disconnect. They really fucked up on the algorithm.
1) scramble the bytes of the input randomly with a function
2) unscramble the output to produce the original data
It couldn't do it. It lied to me. It gave me code, that didn't work.
The more I play with AI, the less functional I realize it is. It's GREAT for starting with simple coding in languages you don't know, but ask it a somewhat difficult or unusual problem? It's worthless.
This idea that it will replace skilled workers, is bullshit. It's nowhere near that. It will always give you an answer, but if it's a tough one, it's most likely wrong, and there's no way to input data into it to correct it so it cannot learn from its errors. When you indicate it's made an error, this is apparently regarded as "hostility" and will disconnect. They really fucked up on the algorithm.
62
Blue
2023 Jul 26, 12:51am
richwicks says
Very likely, the model they use in production has a cutoff with high probable nodes in the graph to be more 'reliable' and generic.
This idea that it will replace skilled workers, is bullshit. It's nowhere near that.
Very likely, the model they use in production has a cutoff with high probable nodes in the graph to be more 'reliable' and generic.
63
zzyzzx
2023 Jul 26, 7:01am
zzyzzx
2023 Jul 26, 7:01am
Tenpoundbass says
You should have charged them for it.
So they asked me if they could use the test project I sent them as the foundation to build their software.
You should have charged them for it.
64
gabbar
2023 Jul 28, 10:48am
gabbar
2023 Jul 28, 10:48am
Tenpoundbass says
Thank you very much. He appreciates this recommendation.
I would tell the kid to put himself out there.
Thank you very much. He appreciates this recommendation.
65
richwicks
2023 Aug 2, 3:20pm
richwicks
2023 Aug 2, 3:20pm
gabbar says
I would also suggest your kid to make use of ChatGPT - it's not the wizard being sold to the public - I've used it.
It's tremendously good at basics, but ask it a hard problem, and it will produce nonsense.
For example, I asked it to produce a program to create two windows using curses (that's a very old library for terminals), and it did it. That saved me hours of work. I asked it to write a program to take in characters using Apache as they were typed, this is websockets, it suggested CGI which doesn't work.
It's great for a STARTING point, but worthless at new solutions. Apache can do this, but it requires a plugin. It didn't recognize this.
Tenpoundbass says
I would tell the kid to put himself out there.
Thank you very much. He appreciates this recommendation.
I would also suggest your kid to make use of ChatGPT - it's not the wizard being sold to the public - I've used it.
It's tremendously good at basics, but ask it a hard problem, and it will produce nonsense.
For example, I asked it to produce a program to create two windows using curses (that's a very old library for terminals), and it did it. That saved me hours of work. I asked it to write a program to take in characters using Apache as they were typed, this is websockets, it suggested CGI which doesn't work.
It's great for a STARTING point, but worthless at new solutions. Apache can do this, but it requires a plugin. It didn't recognize this.
66
AD
2023 Aug 26, 10:43pm
AD
2023 Aug 26, 10:43pm
Open source AI that helps you write code, it is offered by Facebook and called "Llama AI for Coding"
https://about.fb.com/news/2023/08/code-llama-ai-for-coding/
https://about.fb.com/news/2023/08/code-llama-ai-for-coding/
67
Tenpoundbass
2023 Aug 27, 9:10am
Tenpoundbass
2023 Aug 27, 9:10am
richwicks says
New Solutions, require using existing technology or libraries, in an off label fashion.
I'm often impressed, that I reuse a Library I wrote for one solution, but was able to tweak it to handle another problem that I originally didn't intend it to do.
AI will not make that connection. It uses the code libraries out there, in accordance to the documentation. I think it starts producing nonsense, because it took documentation too literal, with a broader stroke than intended.
I could write a parser that could pull relevant code out of documentation and provide a starting point.
I employ a method to crank out the working prototype and starting point, in a day or two that would take a team of 3 developers a couple weeks to do.
I build a few tables that hold meta data of the data models and structures, and then I script a SQL script to spit a long concatenated string that provides the Classes needed. .I have several flavors, for making the class objects, the data classes, code for the forms, as well as appropriate html, and javascript.
This is where I impress myself on how with a little tweaking these scripts bang out code for totally different methodologies, and design patterns for various solutions. I mean I can see it wouldn't be a far stretch to take what I have and convert it into some AI code gen thingy, that would impress the Hype Tech consumers..
It's great for a STARTING point, but worthless at new solutions.
New Solutions, require using existing technology or libraries, in an off label fashion.
I'm often impressed, that I reuse a Library I wrote for one solution, but was able to tweak it to handle another problem that I originally didn't intend it to do.
AI will not make that connection. It uses the code libraries out there, in accordance to the documentation. I think it starts producing nonsense, because it took documentation too literal, with a broader stroke than intended.
I could write a parser that could pull relevant code out of documentation and provide a starting point.
I employ a method to crank out the working prototype and starting point, in a day or two that would take a team of 3 developers a couple weeks to do.
I build a few tables that hold meta data of the data models and structures, and then I script a SQL script to spit a long concatenated string that provides the Classes needed. .I have several flavors, for making the class objects, the data classes, code for the forms, as well as appropriate html, and javascript.
This is where I impress myself on how with a little tweaking these scripts bang out code for totally different methodologies, and design patterns for various solutions. I mean I can see it wouldn't be a far stretch to take what I have and convert it into some AI code gen thingy, that would impress the Hype Tech consumers..
68
richwicks
2024 Jan 9, 3:21pm
richwicks
2024 Jan 9, 3:21pm
ECC encryption and why it's superior to RSA.
ECC works with an elliptic curve, a quick explanation of what such a curve is can be found here:
https://www.youtube.com/watch?v=dCvB-mhkT0w
It works over a Galois Field (i.e. using modulo arithmetic). The video above explains point addition. Point multiplication is repeated addition just like it is with standard math. Scalar multiplication is when you have only one point - this is a special condition when you're adding the point P to P X number of times.
To understand why point addition follows the commutative property, you have to understand number theory to know why - just accept it does. The commutative property means that
G +
2G +
4G
----
7G
Where G is the generator point, which is the initial point where you do scalar multiplication. In order to quickly calculate any scalar point multiplication G is computed, then 2G, 4G ... 256G etc - but just doing repeated point addition. Again, see the video.
The secret key of ECC is just a random number usually in the range of:
0 - 2^{252} +27742317777372353535851937790883648493 (for Curve25519)
ECC curves have an order normally called n, which is the total number of points a generator G can reached with scalar multiplication. You can have a larger secret key than this, it doesn't matter, since it uses modulo addition, but you end up with a key that is larger than it needs to be. Generally the private key is a 256 bit number.
You can easily do scalar multiplication using the commutative property, but division is (so far) impossible.
To do Diffie-Hellman key exchange:
Alice picks a random number for her private key, and then computes the scalar multiple of this private key. The result of this calculation is the public key. Bob does the same. When Bob and Alice share their public keys, Alice takes Bob's public key (which is a point on the curve), and does scalar multiplication with her private key. Bob takes Alice's public key, and does scalar multiplication with his private key. The result is both end up with the same point on the curve.
For additional security, the result of the shared secret is hashed sometimes with a shared OPEN secret (a nonce), and the public keys in a given order.
The advantage of ECC key generation is that unlike RSA, it's immediate. Generating a private key is just picking a random number, and scalar multiplication is also very fast on the order of milliseconds, they keys are also smaller.
In short, RSA is crap, although ECC might have a fatal weakness. RSA depends on the inability to factor very large numbers, ECC depends on the inability to do point division although it's trivial to do point subtraction.
ECC works with an elliptic curve, a quick explanation of what such a curve is can be found here:
https://www.youtube.com/watch?v=dCvB-mhkT0w
It works over a Galois Field (i.e. using modulo arithmetic). The video above explains point addition. Point multiplication is repeated addition just like it is with standard math. Scalar multiplication is when you have only one point - this is a special condition when you're adding the point P to P X number of times.
To understand why point addition follows the commutative property, you have to understand number theory to know why - just accept it does. The commutative property means that
G +
2G +
4G
----
7G
Where G is the generator point, which is the initial point where you do scalar multiplication. In order to quickly calculate any scalar point multiplication G is computed, then 2G, 4G ... 256G etc - but just doing repeated point addition. Again, see the video.
The secret key of ECC is just a random number usually in the range of:
0 - 2^{252} +27742317777372353535851937790883648493 (for Curve25519)
ECC curves have an order normally called n, which is the total number of points a generator G can reached with scalar multiplication. You can have a larger secret key than this, it doesn't matter, since it uses modulo addition, but you end up with a key that is larger than it needs to be. Generally the private key is a 256 bit number.
You can easily do scalar multiplication using the commutative property, but division is (so far) impossible.
To do Diffie-Hellman key exchange:
Alice picks a random number for her private key, and then computes the scalar multiple of this private key. The result of this calculation is the public key. Bob does the same. When Bob and Alice share their public keys, Alice takes Bob's public key (which is a point on the curve), and does scalar multiplication with her private key. Bob takes Alice's public key, and does scalar multiplication with his private key. The result is both end up with the same point on the curve.
For additional security, the result of the shared secret is hashed sometimes with a shared OPEN secret (a nonce), and the public keys in a given order.
The advantage of ECC key generation is that unlike RSA, it's immediate. Generating a private key is just picking a random number, and scalar multiplication is also very fast on the order of milliseconds, they keys are also smaller.
In short, RSA is crap, although ECC might have a fatal weakness. RSA depends on the inability to factor very large numbers, ECC depends on the inability to do point division although it's trivial to do point subtraction.
69
Patrick
2024 Jan 9, 3:31pm
Patrick
2024 Jan 9, 3:31pm
Is it possible to implement a replacement for SSL with no change to browsers and no centralized certificate authorities?
That would take care of encryption and MITM attacks and leave all the spook agencies out of it.
That would take care of encryption and MITM attacks and leave all the spook agencies out of it.
70
NuttBoxer
2024 Jan 9, 5:45pm
NuttBoxer
2024 Jan 9, 5:45pm
There are a few guys out there with alternatives to typical internet protocols that touch on this. I think Corbett had a few on in the past year. There's onion routing, although it should always be pointed out, majority of the funding comes from the government.
71
richwicks
2024 Jan 16, 6:32pm
richwicks
2024 Jan 16, 6:32pm
Patrick says
@Patrick, TSL has superseded SSL and yes, certbot (which I believe you use from Let's Encrypt) can do ECC, although I've never tried to set it up. From here:
https://eff-certbot.readthedocs.io/en/latest/using.html
I if you search for "ecc" you'll find:
It looks like it might be a little nonstandard, and the main advantage of ECC is the speed. You can absolutely instantly generate a new keypair.
The weakness of ECC (possible weakness) is that the random number generator could be compromised. I'm working with libsodium, and will probably use the offered private key, and then grab a random number myself, then do something like an sha256sum on the result, so even if the random number generator IS compromised, the resulting generated number should be impossible to work out backwards.
There are cautions against doing your own thing. With libsodium for example, you have to lock the page to prevent it from being swapped from memory, and clearing secret keys before it's returned to memory. I'm not so concerned about security right now, I'm just trying to understand the concepts.
What I'm finding is that the complexity of all this shit, isn't complicated at all, it's just explained very poorly. I can condense my explanation of ECC much further.
Private key a = random number = Pa
Public key A = PKa = Pa G where is defined as G raised to the Pa'th power in scalar multiplication on an ECC field
Private key b = random number = Pb
Public key A = PKb = Pb G where is defined as G raised to the Pb'th power in scalar multiplication on an ECC field
Shared secret = PKa b == PKb a == shared secret.
Shared secrets are only about 2^252 bits large, so you can do some additional obsfucation on it, and using the shared secret AS a key is not recommended. For example: the true shared secret to be used as a hey might be HASH (PKa Server_Public_key Client_Public_key)
There's a lot of non obvious mistakes you can make, which is what cryptography is all about.
Is it possible to implement a replacement for SSL with no change to browsers and no centralized certificate authorities?
That would take care of encryption and MITM attacks and leave all the spook agencies out of it.
@Patrick, TSL has superseded SSL and yes, certbot (which I believe you use from Let's Encrypt) can do ECC, although I've never tried to set it up. From here:
https://eff-certbot.readthedocs.io/en/latest/using.html
I if you search for "ecc" you'll find:
It looks like it might be a little nonstandard, and the main advantage of ECC is the speed. You can absolutely instantly generate a new keypair.
The weakness of ECC (possible weakness) is that the random number generator could be compromised. I'm working with libsodium, and will probably use the offered private key, and then grab a random number myself, then do something like an sha256sum on the result, so even if the random number generator IS compromised, the resulting generated number should be impossible to work out backwards.
There are cautions against doing your own thing. With libsodium for example, you have to lock the page to prevent it from being swapped from memory, and clearing secret keys before it's returned to memory. I'm not so concerned about security right now, I'm just trying to understand the concepts.
What I'm finding is that the complexity of all this shit, isn't complicated at all, it's just explained very poorly. I can condense my explanation of ECC much further.
Private key a = random number = Pa
Public key A = PKa = Pa G where is defined as G raised to the Pa'th power in scalar multiplication on an ECC field
Private key b = random number = Pb
Public key A = PKb = Pb G where is defined as G raised to the Pb'th power in scalar multiplication on an ECC field
Shared secret = PKa b == PKb a == shared secret.
Shared secrets are only about 2^252 bits large, so you can do some additional obsfucation on it, and using the shared secret AS a key is not recommended. For example: the true shared secret to be used as a hey might be HASH (PKa Server_Public_key Client_Public_key)
There's a lot of non obvious mistakes you can make, which is what cryptography is all about.
72
Patrick
2024 Jan 16, 7:19pm
Patrick
2024 Jan 16, 7:19pm
@richwicks I suspect there is a way to make a replacement for SSL/TSL which is so simple that it's hard to leave any holes.
Maybe we could all browse via a local http proxy which takes in http requests and generates sftp requests. That would take care of encryption and there would be no certificates needed.
For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?
You just need something that only real the owner of the domain can do, l like creating a file on the server.
Maybe we could all browse via a local http proxy which takes in http requests and generates sftp requests. That would take care of encryption and there would be no certificates needed.
For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?
You just need something that only real the owner of the domain can do, l like creating a file on the server.
73
NuttBoxer
2024 Jan 17, 6:36am
NuttBoxer
2024 Jan 17, 6:36am
Mentioned this before, Corbett did a solutions watch last year where he spoke with a few people pioneering new messaging and internet. I'm sure they worked through some of these same questions.
74
richwicks
2024 Jan 17, 10:43pm
@Patrick - Do you want to dump TLS/SSL entirely? That CAN be done I believe. I think. I want to patent it. I don't believe central authorities should exist and I THINK I know how to accomplish that. Basically with TLS, you are depending on a Certificate Authority to say "yes, this OTHER certificate really does belong to Google, YouTube, Patrick, whomever".
Do you want to eliminate the need for a Central Authority (CA)? If you still need a CA, what's the point of moving from TLS to something else? ECC is part of the TLS standard, although I've never set up an ECC key for my webserver. I know it's possible.
Patrick says
You don't need to identify the IP or keep it constant. There's always a threat that the secret key can be stolen or guessed which is the weakness. I think DNS needs to be done away with, perhaps using a DHT instead. The problem with DHTs is that they are slow. DHT is how a file is found on bit torrent, it's just a distributed database across multiple computers. DHT could be combined with an instant database, that AFTER you connect it warns you "maybe this site isn't legit", limiting input during that time.
Patrick says
That's how certbot works, BUT you could do a man-in-the-middle attack. This is when somebody just receives and forwards traffic. They aren't the endpoint, but they appear to be and they just eavesdrop on the communication HOWEVER you can prevent a M.I.T.M.A with certificates and with Diffie-Hellman. The client needs to know that they are CERTAINLY talking to the server at this point.
If you have any interest in trying to setup ECC for TLS on Nginx, I can help you do that on a Linux machine at your home. You'd have to modify settings on your router (this is super easy) and get what is called a "dynamic name" - you need to use DNS with certificates. This is maybe a hassle, but it's not difficult. You'd have to open port 80 and 443 and forward that to a target machine where you're setting up ECC. Again, the advantage of ECC is that it's very fast in comparison to RSA.
YouTube and probably Google use ECC because it drastically reduces computational time during Diffie-Hellman.
NuttBoxer says
@NuttBoxer I've heard them. There seems to be tons of people working on this on and off.
richwicks
2024 Jan 17, 10:43pm
richwicks I suspect there is a way to make a replacement for SSL/TSL which is so simple that it's hard to leave any holes.
@Patrick - Do you want to dump TLS/SSL entirely? That CAN be done I believe. I think. I want to patent it. I don't believe central authorities should exist and I THINK I know how to accomplish that. Basically with TLS, you are depending on a Certificate Authority to say "yes, this OTHER certificate really does belong to Google, YouTube, Patrick, whomever".
Do you want to eliminate the need for a Central Authority (CA)? If you still need a CA, what's the point of moving from TLS to something else? ECC is part of the TLS standard, although I've never set up an ECC key for my webserver. I know it's possible.
Patrick says
For identifying the remote server to prove it's not a fake, how do you trust that your DNS gave you the right IP back?
You don't need to identify the IP or keep it constant. There's always a threat that the secret key can be stolen or guessed which is the weakness. I think DNS needs to be done away with, perhaps using a DHT instead. The problem with DHTs is that they are slow. DHT is how a file is found on bit torrent, it's just a distributed database across multiple computers. DHT could be combined with an instant database, that AFTER you connect it warns you "maybe this site isn't legit", limiting input during that time.
Patrick says
You just need something that only real the owner of the domain can do, l like creating a file on the server.
That's how certbot works, BUT you could do a man-in-the-middle attack. This is when somebody just receives and forwards traffic. They aren't the endpoint, but they appear to be and they just eavesdrop on the communication HOWEVER you can prevent a M.I.T.M.A with certificates and with Diffie-Hellman. The client needs to know that they are CERTAINLY talking to the server at this point.
If you have any interest in trying to setup ECC for TLS on Nginx, I can help you do that on a Linux machine at your home. You'd have to modify settings on your router (this is super easy) and get what is called a "dynamic name" - you need to use DNS with certificates. This is maybe a hassle, but it's not difficult. You'd have to open port 80 and 443 and forward that to a target machine where you're setting up ECC. Again, the advantage of ECC is that it's very fast in comparison to RSA.
YouTube and probably Google use ECC because it drastically reduces computational time during Diffie-Hellman.
NuttBoxer says
Mentioned this before, Corbett did a solutions watch last year where he spoke with a few people pioneering new messaging and internet. I'm sure they worked through some of these same questions.
@NuttBoxer I've heard them. There seems to be tons of people working on this on and off.
75
richwicks
2024 Jan 18, 12:30pm
richwicks
2024 Jan 18, 12:30pm
Here is an example of how point and scalar multiplication is used in ECDSA which is a method of making a digital signature:
1) Choose an elliptic curve and a generator point G.
2) Choose a private key k.
3) Calculate the public key Q = kG using point multiplication.
4) To sign a message m, choose a random number r and calculate the point R = rG using point multiplication.
5) Calculate the value s = (H(m) + k * x) / r mod n, where H(m) is the hash of the message, x is the private key, and n is the order of the curve.
6) The signature is the pair (R, s).
7) To verify the signature, calculate the point W = sG - H(m)Q using point addition and point multiplication.
8) The signature is valid if R == W.
1) Choose an elliptic curve and a generator point G.
2) Choose a private key k.
3) Calculate the public key Q = kG using point multiplication.
4) To sign a message m, choose a random number r and calculate the point R = rG using point multiplication.
5) Calculate the value s = (H(m) + k * x) / r mod n, where H(m) is the hash of the message, x is the private key, and n is the order of the curve.
6) The signature is the pair (R, s).
7) To verify the signature, calculate the point W = sG - H(m)Q using point addition and point multiplication.
8) The signature is valid if R == W.
76
Patrick
2024 Jan 19, 10:09am
Patrick
2024 Jan 19, 10:09am
richwicks says
@richwicks Yes, exactly.
Do you want to eliminate the need for a Central Authority (CA)?
@richwicks Yes, exactly.
77
richwicks
2024 Jan 19, 10:44am
richwicks
2024 Jan 19, 10:44am
Patrick says
@Patrick
The best that I can do is use either a distributed hash table which is what bitcoin uses which is just a distributed database, OR use a 16 byte number which is entirely randomly generated to identify an entity.
I've been going through a lot of math of probabilities for the last couple of months and studying encryption. With TRUE randomness, there is no need for central authorities. The chances that two people in this world would pick the same random number, when they are told to pick a random number in a field of 0-0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF is one out of trillions of trillions and that number isn't that large.
There would at least be no need to register your ID, but PROVING who you are, that's another problem. I think proof of identity may always require a Central Authority of some sort. The number above can easily be represented as a QR code:
That's just an example to demonstrate how easily that can be represented.
richwicks says
Do you want to eliminate the need for a Central Authority (CA)?
richwicks Yes, exactly.
@Patrick
The best that I can do is use either a distributed hash table which is what bitcoin uses which is just a distributed database, OR use a 16 byte number which is entirely randomly generated to identify an entity.
I've been going through a lot of math of probabilities for the last couple of months and studying encryption. With TRUE randomness, there is no need for central authorities. The chances that two people in this world would pick the same random number, when they are told to pick a random number in a field of 0-0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF is one out of trillions of trillions and that number isn't that large.
There would at least be no need to register your ID, but PROVING who you are, that's another problem. I think proof of identity may always require a Central Authority of some sort. The number above can easily be represented as a QR code:
That's just an example to demonstrate how easily that can be represented.
« First « Previous Comments 38 - 77 of 95 Next » Last » Search these comments
People seem to INSIST on using cloud storage, which removes your ability of privacy, so I'm going to write a strong encryption program using the NaCL librarary;
https://nacl.cr.yp.to/
The goal here is that the resulting encrypted data is impossible to recover without getting the original key. Keys are changed regularly, and being able to brute force one block will give the attacker no advantage in cracking the next block.
Also, it will be computationally expensive to attempt to crack even with specialized hardware. This increases energy consumption and slows down the encryption and decryption, but also will make brute force attacks 1000's of times slower.