!security

(Less a rant; more just annoyance)

The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the url to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.

The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄

Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)

I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.

But it's friday, so I must unfortunately wait. :<

My employer has a dev studio in Cali.
The office is gigantic.
It has amenities.
It has a stocked fridge full of iced coffee, energy drinks, and apparently wine.
All the devs have totally enviable hardware.
And they probably earn twice what I do, or at least 50% more.

Yet they write absolute shit, never test their code, and push broken updates every day, often marked as "ready for final testing." Their codebase is full of hacks and guesses and stale cruft and worst practices. I wrote a rant recently about one of their fuckups, which involved 18 million Facebook errors per. day. So that should give you some idea as to the quality of their code, and their level of can't-be-bothered.

Again, they make 50%-100% more than I do.

Their whiny lead dev is bloody lazy when it comes to building things correctly, and totally prefers to half-ass everything and complain instead. He probably makes 150% of what I do, doing like 25% as much work, and maybe 10% as well. Doesn't quite compare though, as he's a Unity dev, not a backend dev. So his work isn't as critical.

akagdkdafavskakeuxbfh.
Bloody pisses me off.

"But their cost of living is higher!"
THEY SHOULDN'T EVEN BE EMPLOYED.

For some reason, people like to show off their mostly-samey linux desktops.

Here's mine.

Out of necessity (or rather: lack of support) I've been neglecting my test suite for the past ~month. Now that one of the beta versions of RSpec has better Rails 6 support, I can finally get back to writing tests. Yay!

I just merged staging into my testing branch, and it's now 344 commits ahead of origin! eep.

So, I've got lots of tests to write. yay.

Blehh
I just cannot stop falling asleep today.

Fortunately I finished all of my important work last week, so all I have left is trivialities. But I would still prefer being awake and chipper!

Less a rant, more just a sad story.

Our company recently acquired its sister company, and everyone has been focused on improving and migrating their projects over to our stack.

There's a ton of material there, but this one little story summarizes the whole very accurately, I think. (Edit: two stories. I couldn't resist.)

There's a 3-reel novelty slot machine game with cards instead of the usual symbols, and winnings based on poker-like rules (straights and/or flushes, 2-3 of a kind, etc.) The machine is over a hundred times slower than the other slot machines because on every spin it runs each payline against a winnings table that exhastively lists every winning possibility, and I really do mean exhaustively. It lists every type of win, for every card, every segment for straights, in every order, of every suit. Absolutely everything.

And this logic has been totally acceptable for just. so. long. When I saw someone complaining in dev chat about how much slower it is, i made the bloody obvious suggestion of parsing the cards and applying some minimal logic to see if it's a winning combination. Nobody cared.

Ten minutes later, someone from the original project was like "Hey, I have an idea, why don't we do it algorithmically to not have a 4k line rewards table?"

He seriously tried stealing a really bloody obvious idea -- that he hadn't had for years prior -- and passing it off as his own. In the same chat. Eight messages below mine. What a derpballoon.

I called him out on it, and he was like "Oh, is that what you meant by parsing?" 🙄

Someone else leaped in to defend the ~128x slower approach, saying: "That's the tech we had." You really didn't have a for loop and a handful of if statements? Oh wait, you did, because that's how you're checking your exhaustive list. gfj. Abysmal decisions like this is exactly why most of you got fired. (Seriously: these same people were making devops decisions. They were hemorrhaging money.)

But regardless, the quality of bloody everything from that sister company is like this. One of the other fiascos involved pulling data from Facebook -- which they didn't ever even use -- and instead of failing on error/unexpected data, it just instantly repeated. So when Facebook changed permissions on friends context... you can see where this is going. Instead of their baseline of like 1400 errors per day, which is amazingly high, it spiked to EIGHTEEN BLOODY MILLION PER DAY. And they didn't even care until they noticed (like four days later) that it was killing their other online features because quite literally no other request could make it out. More reasons they got fired. I'm not even kidding: no single api request ever left the users' devices apart from the facebook checks.

So.
That's absolutely amazing.

Does anyone know of any good audio book sites besides audible? Free ones are good too, of course, but I don't mind paying for them.

Likewise for a good player, since books aren't music.

I fucking hate HTML forms! Especially representing bloody nested objects within them!

Fighting with html forms has taken at least 80% of my time over the past three features. Why can't I just do this via API? It would be soo much freaking simpler! ugh.

But today.
Today is not going to be a good day.
I not only get to expand a complicated vanilla form with with one nested object today, I get to expand it to include three nested objects. Normally this wouldn't be a problem because it's just moving elements around, but two of those nested objects need to be broken up and combined into three+ segments each. I have no idea how to even approach this.

ugh.

I was totally in the zone earlier.

Plenty of caffeine, plenty of anger thanks to idiots, rocking out to Amon Amarth and Disturbed, and chewing through a difficult logic problem. It was wonderful.

Then.

Then there was a mandatory all-hands meeting. A mandatory meeting entirely consisting of someone doing a (admittedly decent) presentation on very basic marketing. (Basic as in "This is what ROI is." 🙄) It lasted for about 40 minutes, totally killing my zone and butchering my productivity. I've barely gotten anything done the rest of the day, thanks to that.

On the bright side, I worked out the logic on stickies during the talky-people bits. Maybe I'll be able to write it tomorrow.

Fucking intern.

While I was working next to her a couple weeks back, she spent half her time on social media, playing Candy Crush, or talking with her friend. She also left early almost every day.

I had given her a project to do (object crud + ui), and helped her through it. She made pretty abysmal progress in a week. I ended up finishing it for her by rewriting basically all of her code (every single line except some function names, lone `end` or `}` statements, a few var declarations, blank lines, plus a couple of comments she copied over from my code).

This week I gave her a super easy project to do. It amounts to copying four files (which I listed), rename a few things to be Y instead of X, and insert two lines of code (which I provided) to hook it up. Everything after that just works. It should have taken her ... okay, maybe a few hours because she's slow and new to the language. but it would have taken me five to ten minutes, plus five minutes of testing.

She has spent THREE FUCKING DAYS ON THIS AND SHE'S STILL NOT DONE. SHE'S BLOODY USELESS!

She has kept not pulling changes and complaining that things are broken. Despite me telling her every time I push changes that affect her work (on. my. branch. ergh!)

She keeps not reading or not understanding even the simplest of things. I feel like MojoJojo every time I talk to her because of how often I repeat myself and say the same things again and again.

Now she's extremely confused about migrations. She keeps trying to revert a drop_table migration that she just wrote so she can re-create the table differently. Instead of, you know, just reverting back to her migration that creates the table. it's one migration further.

Migrations are bloody simple. they're one-step changes to the database, run in order. if you want to make a change to something you did a few steps back, you roll back those migrations, edit your shit, and run them again. so bloody difficult!

`rails db:rollback && rails db:rollback`
Edit file
`rails db:migrate`
So. hard.

I explained this to her very simply, gave her the commands to copy/paste, ... and she still can't figure it out. She's fucking useless.

It took me ten minutes to walk her though it on a screen share. TEN FREAKING MINUTES.

She hasn't finished a damned fucking thing in three weeks. She's also taking interview calls while working on this, so I know she totally doesn't care.

... Just.
Fucking hell.

USELESS FUCKING PEOPLE!

!!psa

Terminator's broadcast feature was sending duplicate input to all non-focused terminals yesterday, and it was pissing me off.

After some digging and research, it turns out the ibus daemon was the cause. If you're having this happen, track ibus down and kill it.

Productive day!

Rewrote an intern's feature and briefly explained how/why
Gave intern a choice of projects, and explained them
Removed two unused models, one unused route
Dried up two views into a partial
Redesigned said partial
Tested validation edge cases (ex: Jan 10nd, 101bc)
Fixed an api
Simplified three models
Added scheduling and platform restriction to a feature
Le wild bug appears: a user with negative xp!?
Wrote a migration to expand players' max xp to 2^64-1 because a certain legacy game gives it away like my ex-boss makes promises. Chewed at devs, but they're all long gone so :/
Won two games of pool
Browsed devRant

Busy day, and all of this while falling asleep! 😊
I'm quite proud of myself today.

So many interruptions!
So many distractions!

I just want to fucking finish this refactor. I dont' care about meetings, texts, bloody office game tournaments, lunchtime, gossip, or people trying to be friendly. Just let me fucking work!

If you see me rocking out with my headphones on and working furiously, seriously, just don't fucking interrupt. I'll bite.

I am much too tired to go into details, probably because I left the office at 11:15pm, but I finally finished a feature. It doesn't even sound like a particularly large or complicated feature. It sounds like a simple, 1-2 day feature until you look at it closely.

It took me an entire fucking week. and all the while I was coaching a junior dev who had just picked up Rails and was building something very similar.

It's the model, controller, and UI for creating a parent object along with 0-n child objects, with default children suggestions, a fancy ui including the ability to dynamically add/remove children via buttons. and have the entire happy family save nicely and atomically on the backend. Plus a detailed-but-simple listing for non-technicals including some absolutely nontrivial css acrobatics.

After getting about 90% of everything built and working and beautiful, I learned that Rails does quite a bit of this for you, through `accepts_nested_params_for :collection`. But that requires very specific form input namespacing, and building that out correctly is flipping difficult. It's not like I could find good examples anywhere, either. I looked for hours. I finally found a rails tutorial vide linked from a comment on a SO answer from five years ago, and mashed its oversimplified and dated examples with the newer documentation, and worked around the issues that of course arose from that disasterous paring.

like.
I needed to store a template of the child object markup somewhere, yeah? The video had me trying to store all of the markup in a `data-fields=" "` attrib. wth? I tried storing it as a string and injecting it into javascript, but that didn't work either. parsing errors! yay! good job, you two.

So I ended up storing the markup (rendered from a rails partial) in an html comment of all things, and pulling the markup out of the comment and gsubbing its IDs on document load. This has the annoying effect of preventing me from using html comments in that partial (not that i really use them anyway, but.)

Just.
Every step of the way on building this was another mountain climb.
* singular vs plural naming and routing, and named routes. and dealing with issues arising from existing incorrect pluralization.
* reverse polymorphic relation (child -> x parent)
* The testing suite is incompatible with the new rails6. There is no fix. None. I checked. Nope. Not happening.
* Rails6 randomly and constantly crashes and/or caches random things (including arbitrary code changes) in development mode (and only development mode) when working with multiple databases.
* nested form builders
* styling a fucking checkbox
* Making that checkbox (rather, its label and container div) into a sexy animated slider
* passing data and locals to and between partials
* misleading documentation
* building the partials to be self-contained and reusable
* coercing form builders into namespacing nested html inputs the way Rails expects
* input namespacing redux, now with nested form builders too!
* Figuring out how to generate markup for an empty child when I'm no longer rendering the children myself
* Figuring out where the fuck to put the blank child template markup so it's accessible, has the right namespacing, and is not submitted with everything else
* Figuring out how the fuck to read an html comment with JS
* nested strong params
* nested strong params
* nested fucking strong params
* caching parsed children's data on parent when the whole thing is bloody atomic.
* Converting datetimes from/to milliseconds on save/load
* CSS and bootstrap collisions
* CSS and bootstrap stupidity
* Reinventing the entire multi-child / nested params / atomic creating/updating/deleting feature on my own before discovering Rails can do that for you.

Just.
I am so glad it's working.
I don't even feel relieved. I just feel exhausted.

But it's done.
finally.

and it's done well. It's all self-contained and reusable, it's easy to read, has separate styling and reusable partials, etc. It's a two line copy/paste drop-in for any other model that needs it. Two lines and it just works, and even tells you if you screwed up.

I'm incredibly proud of everything that went into this.
But mostly I'm just incredibly tired.

Time for some well-deserved sleep.

FUCKING WAITING FOR PEOPLE FUCKED ME OVER AGAIN. WHO WOULD HAVE FUCKING GUESSED?!

Arglebargle.

I went to buy flowers for [redacted event] and gave the florist my CC info, number, and email for a receipt. He was a nice old man who loves what he does, and makes beautiful arrangements. But. He just emailed me all of my CC info, and asked what part of it was wrong. Twice. Emailed. Plain text. SMTP.

Guess who's requesting a replacement card?

😞

I was writing tests at work and rather enjoying myself.

Boss insisted we all go home early because "holiday halfsies," so I semi-unhappily pack up and go home. At home, I write tests for a personal project instead.

Dev life.

1) Schedule an hour for the meeting.
2) Tell attendees that any excess time will be for SSBB throwdowns. Fastest meeting ever.

Oh, you asked about being productive?
Making both Adam from frontend and Karen from HR cry at the same time is productive enough for me. 😊

My previous employer still (contractually) owes me $5k. I still have push access to the repo and prod servers. Should I add a reminder to the admin dashboard? (After yet another email reminder, ofc.)

I could also mail him an invoice, since I have his addresses. Then again, it has been about a year since I was supposed to receive it, so maybe I'll just file a lawsuit. 🙄

Should @Root sue her ex-boss?

I'm trying to sign up for insurance benefits at work.

Step 1: Trying to find the website link -- it's non-existent. I don't know where I found it, but I saved it in keepassxc so I wouldn't have to search again. Time wasted: 30 minutes.

Step 2: Trying to log in. Ostensibly, this uses my work account. It does not. Time wasted: 10 minutes.

Step 3: Creating an account. Username and Password requirements are stupid, and the page doesn't show all of them. The username must be /[A-Za-z0-9]{8,60}/. The maximum password length is VARCHAR(20), and must include upper/lower case, number, special symbol, etc. and cannot include "password", repeated charcters, your username, etc. There is also a (required!) hint with /[A-Za-z0-9 ]{8,60}/ validation. Want to type a sentence? better not use any punctuation!

I find it hilarious that both my username and password hint can be three times longer than my actual password -- and can contain the password. Such brilliant security.

My typical username is less than 8 characters. All of my typical password formats are >25 characters. Trying to figure out memorable credentials and figuring out the hidden complexity/validation requirements for all of these and the hint... Time wasted: 30 minutes.

Step 4: Post-login. The website, post-login, does not work in firefox. I assumed it was one of my many ad/tracker/header/etc. blockers, and systematically disabled every one of them. After enabling ad and tracker networks, more and more of the site loaded, but it always failed. After disabling bloody everything, the site still refused to work. Why? It was fetching deeply-nested markup, plus styling and javascript, encoded in xml, via api. And that xml wasn't valid xml (missing root element). The failure wasn't due to blocking a vitally-important ad or tracker (as apparently they're all vital and the site chain-loads them off one another before loading content), it's due to shoddy development and lack of testing. Matches the rest of the site perfectly. Anyway, I eventually managed to get the site to load in Safari, of all browsers, on a different computer. Time wasted: 40 minutes.

Step 5: Contact info. After getting the site to work, I clicked the [Enroll] button. "Please allow about 10 minutes to enroll," it says. I'm up to an hour and 50 minutes by now. The first thing it asks for is contact info, such as email, phone, address, etc. It gives me a warning next to phone, saying I'm not set up for notifications yet. I think that's great. I select "change" next to the email, and try to give it my work email. There are two "preferred" radio buttons, one next to "Work email," one next to "Personal email" -- but there is only one textbox. Fine, I select the "Work" preferred button, sign up for a faux-personal tutanota email for work, and type it in. The site complains that I selected "Work" but only entered a personal email. Seriously serious. Out of curiosity, I select the "change" next to the phone number, and see that it gives me four options (home, work, cell, personal?), but only one set of inputs -- next to personal. Yep. That's amazing. Time spent: 10 minutes.

Step 6: Ranting. I started going through the benefits, realized it would take an hour+ to add dependents, research the various options, pick which benefits I want, etc. I'm already up to two hours by now, so instead I decided to stop and rant about how ridiculous this entire thing is. While typing this up, the site (unsurprisingly) automatically logged me out. Fine, I'll just log in again... and get an error saying my credentials are invalid. Okay... I very carefully type them in again. error: invalid credentials. sajfkasdjf.

Step 7 is going to be: Try to figure out how to log in again. Ugh.

"Please allow about 10 minutes" it said. Where's that facepalm emoji?

But like, seriously. How does someone even build a website THIS bad?

I extracted a tangled action to its own api, and wrote a test for it.

The test failed.

I added debugging, more debugging, all the debugging. It still fails. But I can at least see why it fails!

It turns out the api finds and updates the wrong user. It finds and updates the wrong user EVEN WHEN THERE ARE NO OTHER USERS.

WHAT THE SALAMI.

Also, the user lookup it uses is extremely roundabout and takes several seconds with ~2 million users. Normally I'd fix the lookup, but it has been in production for several years, and I'm terrified it will break something if I fix it.

Blargherhagrid.

I'm investigating PRs for a super legacy codebase. Someone else already approved the PRs -- somebody who has never even run the code or had the project set up before.

The codebase hasn't been touched in two years, and it hasn't been updated in four. It's using CoffeeScript, Node v0, Electron v0.30, and Angular 1.x. I obviously don't have a dev environment anymore, either, and my previous dev env was on Windows, so I'll have to translate my custom build utilities from batch to bash (or much more likely: node).

To make matters worse: the PRs break both the initial project setup and the project itself (NPM can no longer find some installed packages, among other problems). And. someone already merged them into master. So: fuck.

I'm going to yell at the author and tell him to fix his shit. Why? Because when I check out my last commit prior to his PRs, everything works perfectly. Surprise!

I was so done with this project two and a half years ago. I'm still so done with it. I just don't want to maintain this anymore, or honestly even look at it. I would happily rebuild the project from scratch, but updating it from the days of IE8? No way.

I HATE TESTING DB MIGRATIONS! SHIT TAKES BLOODY FOREVER!

This one takes 20 freaking minutes each attempt, and I need to run it. yet again.

$@%&!

tl;dr @Root refactors some spaghetti.

I'm refactoring an api that creates a support message. It's a post route.

When seeing a magic hardcoded message string, this route instead updates the user object, and does not create a support message.

It also returns different results if the user is muted (fine) or if saving the message succeeds or fails (fine).

But if the user is creating a duplicate message, it doesn't save the message (fine) and... redirects to listing their messages instead? Wat?

Also, when refactoring this (migrating to a new message backend), I discovered that not all routes return a response. If the message is a non-duplicate, from a non-muted player, from a non-redacted client, the route doesn't respond at all!

So, I'm having fun cleaning this up. I actually am. Except I'll need to support all of the legacy clients for the next lifetime or two. I mean, really. There are still people with Android v2 devices who are using this thing. not even kidding.

This freaking laptop.

The WiFi randomly stops working -- and by that, I mean the hardware is no longer detectable, let alone functional. It simply disappears on boot, even from dmesg.

The same happens with audio and bluetooth: on some boots they simply do not exist.

The power usage is also ridiculous: the battery dies in about two hours, and it gets soo hot. Toasty wrists unless I use my tiny bluetooth keyboard ☹ So I need to fiddle with powertop a bit more.

nVidia drivers are also a bloody pain, and having two graphics cards this is even more difficult to set up. I still haven't managed. (nvidia-driver, bumblebee, optimus, official driver messes, manual xorg configs, ...). So I have a beautiful 4k built-in display running at 4-18 fps, and a non-functional 4k external. That's fine for now, but >.>; frustrating.

In better news! I just managed to get the sound to work by backporting the new 4.19 kernel (yay!) -- I have never been so happy to hear an ad. but fixing the sound killed my bluetooth. (The `bluetooth` utility reports the adapter is present, but nothing else can seem to see it 🙄) So now I'm going to have burning hot wrists all day and want to cry because terrible sweaty awfulness.

Just. It's frustrating.

It's fast, though.
and ever so pretty.

I've run into my first nVidia driver issues. Ever. ☹

I'm attempting to install the drivers on my shiny new Dell XPS15 8750. It has both an Intel (default) and nVidia graphics card; the Intel works just fine out of the box with Nouveau, with terrible fps. Installing the nVidia drivers causes a conflict with those, and X just displays a black screen. I can still interact via the virtual terminals, but with a 4k display it's kind of annoying.

I'm currently trying to install nvidia-bumblebee and related crap, bur it is not going well.

!!good news
!!great news
!!linux dev lappy recommendations?

So, @Root might finally have a job! Woo!
(Pending a background check, drug test, cavity search, ...)

I'm excited, and kind of giddy. It's an open-office setup, but the devs are chill, the boss is chill (reminds me a bit of myself thus far, just... nice), pay is decent too. Drive is hell, but everything else feels kinda cushy. The parent company is super-stuffy corporate and has an HR and red tape fetish, but supposedly I won't have to interact with them at all. I start as soon as all of the background check nonsense comes through. (Don't get me started on that, please.)

One of the questions that came up, however, is what type of system I wanted to use. I requested a Linux lappy, and that's sadly a bit beyond the parent company's nontechnical IT department. They asked me for links to a few specific machines on amazon for options. (MacBook Pro or equivalent)

That's where this question comes in: Which lappys make great dev machines and also have decent linux (Debian/Mint/Ubuntu) support? The role is backend Rails development + some devops, so I don't need super-fancy graphics, though I will be attaching a 4k (hopefully IPS) display because space and pretty colors.

Recommendations welcome, as I should get back to them today!

Not enough rants.
Need more rants.

It's kind of neat knowing people who are famous for things I don't care about, and having their numbers / talking semi-regularly. They're a special person to so many others, but to me they're just some random person that's mildly annoying.

Like API Guy.
Freaking API Guy.
He's a millionaire musician who's adored by literally millions of people, but none of them know he writes absolutely terrible APIs, zero tests, rushes to the shiniest new things, and happily agrees to everything (often without listening) only to deny it later. Absolutely infuriating.

Or knowing one of Netscape founders as that strange and really terrible trumpet player with the great tequila. He did give me his copy of The C Programming Language (the bible) though. He was cool. Super weird, but cool.

It's just a strange feeling. I don't care, and yet others inexplicably think I should. I don't understand it. They're just people? idk.

What features would you want in a logger?

Here's what I'm planning so far:
- Tagged entries for easy scanning of log file
- Support for indenting to group similar sequential entries
- Multiple entry types (normal, info, event, warning, error, fatal, debug, verbose)
- Meta entries, so the logger logging about itself, e.g. disk i/o failures.
- Ability to add custom entry types, including tag, log-level, etc.
- Customizable timestamp function
- Support for JS's async nature -- this equates to passing a unique key per 'thread'; the logger will re-write all the parent blocks for context, if necessary. if that sounds confusing, it's okay; just trust that it makes sense.
- Caching, retries, etc. in the event of disk i/o issues.
- Support for custom writers, allowing you to e.g. write logs to an API rather than console or disk.

How about these features?
- Multiple (named) logs with separate writers (console, disk, etc.)
- Ability to individually enable/disable writing of specific entry types. (want verbose but not info? sure thing, weirdo!)
- Multiple writers per log. Combined with the above, this would allow you to write specific entry types (e.g. error, warning, fatal) to stderr instead of stdout, or to different apis.
- Ability to write the same log entry to multiple logs simultaneously

What do you think of these features?
What other features would you want?
I'm open to suggestions!