Threads for bitslayer

  1. 1

    I miss office hallways. “explaining the bug to a friend and then figuring out what’s wrong halfway through”

    1. 20

      After I learned about “ci” in vim I got hooked. All of a sudden replacing text in quotes became as simple as ci" and now I’m having a hard time using other editors. Sometimes a little detail is all that it takes.

      1. 8

        This was extremely helpful thanks.

        Just to clarify to others. In vim if you are on a word “c” starts a change and the next keystroke determines what will be changed. For example, “c$” removes text from where the cursor is to the end of the line.

        Now what is new for me is vim has a concept of “inner text”. Such as things in quotes, or in between any two symmetric symbols. The text between those two things is the “inner text”.

        For example, in this line, we want to change the “tag stuff” to “anything”.

        <tag style="tag stuff">Stuff</tag>
        

        Move the cursor anywhere between the quotes and type ci then a quote and you are left with

        <tag style="">Stuff</tag>
        
        1. 8

          This is a good example of why to me learning vi is not worth the trouble. In my normal editor, which does things the normal way, and does not have weird modes that require pressing a key before you are allowed to start typing and about which there are no memes for how saving and quitting is hard, I would remove the stuff in the quotes by doing cmd-shift-space backspace. Yes, that technically is twice as many key presses as Vi. No, there is no circumstance where that would matter. Pretty much every neat Vi trick I see online is like “oh if you do xvC14; it will remove all characters up to the semicolon” and then I say, it takes a similar number of keystrokes in my editor, and I even get to see highlight before it completes, so I’m not typing into a void. I think the thing is just that people who like to go deep end up learning vi, but it turns out if you go deep in basically any editor there are ways to do the same sorts of things with a similar number of keystrokes.

          1. 14

            There is not only the difference in the number of keystrokes but more importantly in ergonomics. In Vim I don’t need to hold 4 keys at once but I can achieve this by the usual flow of typing. Also things are coherent and mnemonic.

            E.g. to change the text within the quotes I type ci" (change inner ") as the parent already explained. However this is only one tiny thing. You can do all the commands you use for “change(c)” with “delete(d)” or “yield(y)” and they behave the same way.

            ci": removes everything within the quotes and goes to insert mode
            di": deletes everything within the quotes
            yi": copies everything within the quotes

            d3w, c3w, y3w would for example delete, replace or copy the next 3 words.

            These are just the basics of Vim but they alone are so powerful that it’s absolutely worth learning them.

            1. 3

              Just a small correction; I think you meant “yank(y)” instead of “yield(y)”.

              1. 1

                Haha yes thanks I really got confused :)

              2. 2

                And if you want to remove the delimiters too, you use ‘a’ instead of ‘i’ (I think the logic is that it’s a variation around ‘i’ like ‘a’ alone is).

                Moreover, you are free to choose the pair of delimiters: ", ', {}, (), [], and probably more. It even works when nested. And even when the nesting involves the same delimiter. foo(bar("baz")) and your cursor is on baz, then c2i) will let you change bar("baz") at once. You want visual mode stuff instead? Use v instead of c.

                This goes on for a long time.

              3. 6

                One difference is that if you are doing the same edit in lots of places in your editor you have to do the cmd-shift-space backspace in every one, while in vi you can tap a period which means “do it again!” And the “it” that you are doing can be pretty fancy, like “move to the next EOL and replace string A with string B.”

                1. 2

                  Sublime Text: ctrl+f search, ctrl+alt+enter select all results, then type your replacement.

                  1. 2

                    Yeah I just do CMD-D after selecting a line ending if I need to do something like that.

                2. 3

                  I would remove the stuff in the quotes by doing cmd-shift-space backspace

                  What is a command-shift-space? Does it always select stuff between quotes? What if you wanted everything inside parentheses instead?

                  and then I say, it takes a similar number of keystrokes in my editor, and I even get to see highlight before it completes, so I’m not typing into a void

                  You can do it that way in vim too if you’re unsure about what you want, it’s only one keypress more (instead of ci" you do vi"c; after the " and before the c the stuff you’re about to replace will be highlighted). You’re not forced to fly blind. Hell, if your computer is less than 30 years old you can probably just use the mouse to select some stuff and press the delete key and that will work too.

                  The point isn’t to avoid those modes and build strength through self-flagellation; the point is to enable a new mode of working where something like “replace this string’s contents” or “replace this function parameter” become part of your muscle memory and you perform them with such facility that you don’t need feedback on what you’re about to do because you’ve already done it and typed in the new value faster than you can register visual feedback. Instead of breaking it into steps, you get feedback on whether the final result is right, and if it isn’t, you just bonk u, which doesn’t even require a modifier key, and get back to the previous state.

                  1. 2

                    What if you wanted everything inside parentheses instead?

                    It is context sensitive and expands to the next context when you do it again.

                    Like I appreciate that vi works for other people but literally none of the examples I read ever make me think “I wish my editor did that”. It’s always “I know how I would do that in my editor. I’d just make a multiselection and then do X.” The really powerful stuff comes from using an LSP, which is orthogonal to the choice of editors.

                  2. 2

                    I do not disagree. For vim, as for your editor, the process is in both places somewhat complex.

                    Like you I feel I only want to learn one editor really well. So I choose the one which is installed by default on every system I touch.

                    For which I give up being able to preview what happens and some other niceties. Everything is a tradeoff in the end.

                  3. 2

                    In a similar way, if you want to change the actual tag contents from “Stuff” to something else:

                    <tag style="tag stuff">Stuff</tag>
                    

                    you can use cit anywhere on the line (between the first < and the last >) to give you this (| is the cursor):

                    <tag style="tag stuff">|</tag>
                    

                    Or yit to copy (yank) the tag contents, dit to delete them etc. You can also use the at motion instead of the it motion to include the rest of the tag: yat will yank the entire tag <tag style="tag stuff">Stuff</tag>.

                    Note that this only works in supported filetypes, html, xml etc., where vim knows to parse markup tags.

                  4. 2

                    I really like that I keep stumbling on tidbits like this one that continue to improve my workflow even further.

                    1. 8

                      What about auth? There are various approaches. Hasura does its own auth built in which can be hooked up to different systems, and PostGraphile uses the database’s permissions.

                      1. 3

                        Looks like it uses database permissions as well https://supabase.github.io/pg_graphql/configuration/

                        Table and column visibility in the GraphQL schema are controlled by standard PostgreSQL permissions.

                        I assume that would include row-level permissions as well

                        1. 5

                          {supabase ceo}

                          That’s correct - it works with native PG grants and RLS.

                          The idea is that you set role before running a query inside the database, or you can combine it with an HTTP proxy of some sort like we do with our HTTP APIs + Auth helpers - https://supabase.com/docs/guides/auth/row-level-security

                      1. 8

                        Actually the main thing I took away from that article was, “Don’t develop on Windows.”

                        1. 1

                          Yeah this is a continuing WTF for me.

                          I occasionally need to provide tooling support to developers for one of my clients; it’s always the most idiotic basic issues with those who use Windows: stuff like “tool XYZ doesn’t work properly because git on windows defaults to converting all the standard unix newlines into windows newlines because $REASONS”

                        1. 1

                          I fiercely protect my phone number from most companies. Can someone tell me if the following fear is justified: I go to a restaurant and they ask me to scan a QR code to see the menu on my phone. Now the restaurant company knows my phone number and, presumably, once I’ve paid with a credit card, my identity is attached to it.

                          1. 7

                            No, they would not get your phone number. A QR code is just a bar code of a URL.

                            1. 1

                              My worry is that their website captures my number. So their QR menu would be a trap.

                              1. 4

                                No, it would be the same as any other website. They don’t see your number. They get your IP address, which could determine roughly where you are, and maybe the type of device and browser you are using. If you have any tracking cookies, they might get a little more.

                            2. 4

                              QR codes are basically just URLs, so the restaurant doesn’t get your phone number. They may get metadata from you visiting the URL.

                              Merchants (restaurants) usually don’t get any user-identifying info about cards when you make a payment. Not because card processors want to protect your privacy, but because they want to sell this data separately.

                            1. 15

                              There are a few (many) issues with this post. I feel like the author didn’t completely grasp the idea behind 2FA.

                              2FA solutions usually combine 2 elements of the following categories (more information here):

                              • Something you know
                              • Something you have
                              • Something you are

                              Services asking for a phone number for 2FA don’t treat it as an additional password, they use it to send out tokens which are used to verify the “possession” of this phone number. Otherwise, a phone number is an easy-to-guess and worse-than-average password. After many SIM swapping incidents, most of the big services also allow you to create a TOTP token, which is completely anonymous (and not the same as a password!)

                              Additionally, just taking a plain hash of a phone number doesn’t actually improve the security all that much. The input space of phone numbers is relatively small and easily enumerated: an attacker might just do a brute-force search for the correct phone number. Using a slower hash and a salt will slow this down, but to properly mangle phone numbers some form of encryption is needed. (and even then, there might be some issues)

                              As for collisions, you should be able to test this yourself and verify that no 2 phone numbers hash to the same SHA256 hash. I think this will even be the case for md5. Generally, to hash a secret, you should use a hash that is specifically created to hash passwords (Scrypt/Argon2id). These hashes are slow by design, so brute forcing passwords becomes more difficult.

                              1. 4

                                Not sure you fully got it, I think the idea is that they hash the phone number so that it isn’t available in case a hacker gets access to the database, but they can still send an SMS verification token if you type in your phone number.

                                1. 14

                                  A hacker will be able to use a dictionary attack to recover the phone numbers from their hashes. Phone numbers have too little entropy to resist that. It’s going to be only a small road bump, even if you use a relatively expensive hash function.

                                  1. 3

                                    On top of that, I’m pretty sure for every major service you’ll be able to determine the subset of numbers your target may use. Simply by looking at the TLD of their email (you already have that info, or you wouldn’t try to break the 2FA at that point) and then looking at Wikipedia which numbers are used by the top 3 mobile providers. When we’re talking about Amazon you might just look at the language I do my reviews in and you know which country to look for, same problem for any other service that has localized user content. And last but not least you’ll have to explain to other people why entering your mobile number anywhere else is suddenly a security hazard for this specific 2FA algorithm.

                                    (Please just use a hardware key, TOTP or something else that isn’t based on how cheap an IMSI catcher or number transfer is in your country. We’ve had state wide attacks on peoples accounts via SMS 2FA.)

                                    1. 0
                                      1. 9

                                        The salt doesn’t make it significantly harder to guess one particular user’s phone number. The input space is still just all legal phone numbers, which, coupled with a fast hash algorithm, isn’t that big. In fact, my desktop runs sha256 on every single 7 digit number (the size of phone numbers in Norway), with a 64-byte salt, in under 4 seconds, using fairly naïve (but multi-threaded) C.

                                        The salt just means that you have to spend on average <2 seconds per user; it makes it so you can’t make a complete table which maps a hash to a phone number. Throw a few GPUs at the problem and those <2 seconds per user become milliseconds per user.

                                        (The source code I threw together to test, in case you wanna check my work: https://p.mort.coffee/alh.c - with the sha256 implementation from https://github.com/ckolivas/cgminer/blob/master/sha2.h and https://github.com/ckolivas/cgminer/blob/master/sha2.c)

                                        EDIT: I messed up the code. I was accidentally running through almost the entire range of numbers in parallel and then running through it again single threaded. Here’s the fixed code: https://p.mort.coffee/NPQ.c - It actually runs through the entire range of Norwegian phone numbers, from 0 to 9999999, in 231 milliseconds. You don’t even need the GPUs anymore. Those 11-digit UK and US phone numbers will still be a problem, but depending on context, there may still be tricks you can do to knock a few bits of entropy off the search space.
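The enumeration argument made in this comment and in the earlier one about the small input space of phone numbers, as an added Python example (not the poster's linked C code): a salted SHA-256 of a phone number is recovered by walking the whole number space, shown beside a keyed-hash (HMAC) variant standing in for the “some form of encryption” the earlier comment calls for. The phone number, salt and key are constructed values, and the 7-digit space is the Norwegian one from the comment.

```python
import hashlib
import hmac

# Constructed demo values (not from the thread): a Norway-sized 7-digit
# number space, a made-up number, and a fixed salt. In a real deployment the
# salt sits in the same database row as the hash, so a database thief has it.
DIGITS = 7
PHONE = "4312345"          # constructed, not a real number
SALT = bytes(range(64))    # constructed 64-byte salt, same size as in the thread


def salted_sha256(phone: str, salt: bytes) -> bytes:
    """Unkeyed salted hash: what the thread's proposal would store."""
    return hashlib.sha256(salt + phone.encode()).digest()


def recover_by_enumeration(target: bytes, salt: bytes, digits: int = DIGITS):
    """Walk the whole number space and return the number whose salted hash
    matches `target`, or None. The salt only defeats precomputed tables; it
    does not stop this per-user search, whose size is just 10**digits."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if salted_sha256(candidate, salt) == target:
            return candidate
    return None


def keyed_hash(phone: str, key: bytes) -> bytes:
    """Hardened form: HMAC under a secret key that is NOT stored with the
    data (KMS/HSM/app config). Without the key an attacker cannot compute
    candidate digests, so the tiny input space no longer helps them."""
    return hmac.new(key, phone.encode(), hashlib.sha256).digest()


def verify_keyed(phone: str, key: bytes, stored: bytes) -> bool:
    """Login flow from the thread: the user re-enters the number, the server
    recomputes the keyed hash and compares it in constant time."""
    return hmac.compare_digest(keyed_hash(phone, key), stored)


if __name__ == "__main__":
    import time
    leaked = salted_sha256(PHONE, SALT)     # what a stolen database row holds
    start = time.perf_counter()
    found = recover_by_enumeration(leaked, SALT)
    print(f"recovered {found} in {time.perf_counter() - start:.1f}s")
```

The keyed variant only moves the problem to key custody: an attacker who obtains the key along with the database is back to the enumeration case, which is the residual issue the earlier comment hints at.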

                                        1. 1

                                          Salt is a protection against rainbow tables. Phone number space is so tiny you don’t even need to bother with rainbow tables. A single Raspberry Pi can brute-force all phone numbers in the world in under an hour.

                                      2. 1

                                        I’m sure I don’t get it. If the company only stores my hashed number, how do they reverse it to send me an SMS?

                                        1. 2

                                          The idea is that you have to reenter your phone number, which they then use to both verify and text you.

                                          1. 1

                                            They don’t, they ask you for it every time you log in.

                                      1. 4

                                        Oops, typo. You mean assess, not asses.

                                        1. 1

                                          lol! thank you very much, fixed