1. 15

    Seeing the examples use floats for currency made my eye twitch uncomfortably. None of the code I’ve written for financial institutions did that. Is that really done in this space?

    1. 37

      I used to work at a firm that did asset valuation for bonds, and we used floats :).

      It’s generally fine to use floats when it comes to asset valuation, since the goal is to provide an estimate for the price of a security. Our job was to estimate the value of a bond, discounting its price based on 1) the chance that the issuer will go bust or 2) the chance that the issuer will pay off their debt early.

      My understanding is that floats are never used in places where a bank is dealing with someone’s physical assets (it would be a disaster to miscalculate the money deposited into someone’s account due to rounding errors). Since our firm was not dealing with money directly, but instead selling the output of statistical models, floats were acceptable.

      1. 9

        That makes absolute sense to me. Thanks for sharing the difference. We were dealing with transactions (and things like pro-rated fees, etc.) so even for things where it made sense to track some fraction of a cent, it was “millicents” and integer arithmetic. I wasn’t thinking in terms of model output.

        1. 4

          it would be a disaster to miscalculate the money deposited into someone’s account due to rounding errors

          IME the really really hard thing is that summing floats gives different answers depending on the order you do it in. And summation operations appear everywhere.

        2. 7

@jtm gave you a bit more detail; the original post offers this in the Other notes section:

One of the things that tends to boggle programmer brains is that while most software dealing with money uses multiple-precision numbers to make sure the pennies are accurate, financial modelling uses floats instead. This is because clients generally do not ring up about pennies.

          1. 6

            Ah I missed this, but yes – exactly this.

            This is because clients generally do not ring up about pennies.

An amusing bit about my old firm: oftentimes, when a bond is about to mature (i.e. the issuer is about to pay off all of their debt on time), the value of a bond is obvious, since there is a near-zero chance of the issuer defaulting. These bonds would still get run through all the models, and accrue error. We would often get calls from clients asking “why is this bond priced at 100.001 when it’s clearly 100?” So sometimes we did get rung up about pennies :).

            1. 2

              If that was there when I read it, I overlooked it because my eye was twitching so hard.

              1. 2

                It’s completely possible they added the Other notes section later! Just wanted to share since it addressed your question directly.

            2. 3

              I never wrote financial code, but I also never understood the desire to avoid floats / doubles. They should have all the precision you need.

              Decimal is a display issue, not a calculation issue. I think the problem is when you take your display value (a string) and then feed it back into a calculation – then you have lost something.

It’s like the issue with storing time zones in your database vs. UTC, or storing escaped HTML in the database (BAD), etc.

Basically, if you do all the math “right”, with full precision, then you should be less than a penny off at the end. I don’t see any situation where that matters.

              Although on the other side, the issue is that “programmers make mistakes and codebases are inconsistent”, and probably decimal can ameliorate that to some extent.

              I also get that it’s exact vs. inexact if you advertise a 0.1% interest rate, but I’d say “meh” if it’s a penny. It’s sort of like the issue where computer scientists use bank account balances as an example of atomic transactions, whereas in real life banks are inconsistent all the time!

              1. 11

                I also never understood the desire to avoid floats / doubles.

Addition isn’t associative, so the answers you get from summations are less predictable than you would like.

                1. 7

                  I think in practice the issue may actually be that floats can be too precise. Financial calculations are done under specific rules for e.g. rounding, and the “correct” result after multiple operations may actually be less mathematically accurate than if you’d just used 64-bit floats, but the auditors aren’t going to care about that.

                  1. 4

                    It’s not just that, it’s that the regulations are usually written to require that they be accurate to a certain number of decimal digits. Both the decimal and binary representations have finite precision and so will be wrong, but they’ll be differently wrong. Whether the binary floating-point representation is ‘too precise’ is less important than the fact that it will not give the answer that the regulators require.

                  2. 4

Like @lann and @david_chisnall mentioned, it’s not about being precise, it’s about getting the answer expected by the accountants and bookkeepers and finance people. Back when they were doing it all on paper, they built certain rules for handling pennies, and you have to do it the same way if you want to be taken seriously in the finance/banking/accounting industries. Back then they couldn’t cut a physical penny in half, so they built rules to be fair about it. Those rules stuck around and are still here today and are sometimes codified into law [0].

                    As for “meh” it’s a penny, they generally don’t care much about anything smaller than a penny, but they absolutely care about pennies. I regularly see million dollar transactions held up from posting because the balancing was off by 1 penny. They then spend the time it takes to track down the penny difference and fix it.

                    0: PDF paper about euro rounding
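The two points made in this sub-thread (summation order changes a float total; finance wants a stated rounding rule applied consistently, whether via a decimal type or integer “millicents”) can be shown in a few lines. This is an added example, not code from anyone in the thread; the amounts are constructed, and ROUND_HALF_UP is an assumed house rule standing in for whatever rule a given jurisdiction or ledger actually mandates.

```python
"""Added example: why the commenters above avoid binary floats for money.

Shows (1) float addition is not associative, so the same transactions summed
in a different order give a different total, and (2) Decimal and integer
minor-unit arithmetic apply one stated rounding rule and agree in every order.
"""
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample ledger (dollars as strings). None of 0.10, 0.20, 0.30 is
# exactly representable as a binary double.
SAMPLE_AMOUNTS = ["0.10", "0.20", "0.30"]


def float_sums(amounts):
    """Sum the amounts as floats left-to-right and right-to-left.

    Returns (forward_total, backward_total). With SAMPLE_AMOUNTS the two
    totals differ in the last bit: the 'summation order' problem above.
    """
    values = [float(a) for a in amounts]
    forward = 0.0
    for v in values:
        forward += v
    backward = 0.0
    for v in reversed(values):
        backward += v
    return forward, backward


def decimal_sums(amounts):
    """Same two summations with Decimal; both totals are identical."""
    values = [Decimal(a) for a in amounts]
    forward = sum(values, Decimal("0"))
    backward = sum(reversed(values), Decimal("0"))
    return forward, backward


def round_to_cents_float(x):
    """Python's round() on a float: ties-to-even on the *binary* value, so
    2.675 (really 2.67499999...) rounds to 2.67, not the 2.68 a bookkeeper
    applying half-up on paper expects."""
    return round(x, 2)


def round_to_cents_decimal(amount):
    """Decimal quantize with an explicit rule (assumed: ROUND_HALF_UP)."""
    return Decimal(amount).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def millicents(amount):
    """Integer representation: 1 millicent = 1/1000 cent = 1/100000 dollar."""
    scaled = Decimal(amount) * 100_000
    return int(scaled.to_integral_value(rounding=ROUND_HALF_UP))


def millicents_to_cents(m):
    """Half-up rounding of a non-negative millicent amount to whole cents,
    done purely with integer arithmetic."""
    return (m + 500) // 1000


if __name__ == "__main__":
    print("float   :", float_sums(SAMPLE_AMOUNTS))
    print("decimal :", decimal_sums(SAMPLE_AMOUNTS))
    print("2.675 -> float round:", round_to_cents_float(2.675),
          " decimal half-up:", round_to_cents_decimal("2.675"))
    print("2.675 -> millicents:", millicents("2.675"),
          " cents:", millicents_to_cents(millicents("2.675")))
```

Run it and the float totals come out as 0.6000000000000001 versus 0.6 while both Decimal totals are 0.60; the 2.675 case is the “differently wrong” point from above: the float answer is a perfectly good approximation, it just is not the answer the rounding rule requires.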

                    1. 1

How do you store 1/3 with full precision?

                      1. 1

                        Not with a decimal type either :)

                        1. 1

Sorry, I misread your post.

                  1. 6

                    Whether RCS becomes the Apple/Android messaging divide healer, and ends the blue vs green bubble saga, depends entirely upon whether Apple adopts the standard for iMessage.

                    Whether Apple adopts the standard depends entirely upon whether the product managers at Apple view its lack of support as a feature or a bug. If it is about nefarious social engineering for Apple/iPhone marketshare, iMessage lacking support for RCS is a feature. If it is about reducing overall mobile user pain, iMessage lacking support of RCS is a bug. Our messaging future likely hangs in the balance of some PM’s view of Apple’s real obligation (whether that is to Apple shareholders, or to the world’s mobile users).

                    1. 10

We have proof in writing (from the Epic vs Apple trial) that Apple execs like iMessage having a network effect locking people into the Apple ecosystem.

                      Fiduciary duty means the choice of shareholders vs being nice to people doesn’t exist.

                      Even if Apple implemented RCS (which I wouldn’t expect them to do), they’ll probably keep it having green bubbles out of spite.

                      1. 18

                        Fiduciary duty means […] more money for the shareholders.

                        This meme is my pet peeve. From the horse’s mouth (US Supreme Court Hobby Lobby decision): “Modern corporate law does not require for-profit corporations to pursue profit at the expense of everything else, and many do not.”

                        https://www.nytimes.com/roomfordebate/2015/04/16/what-are-corporations-obligations-to-shareholders/corporations-dont-have-to-maximize-profits

                        1. 5

The law might not require it, but there have been plenty of activist shareholder lawsuits, such that a corporation would think twice before putting the good of consumers before profits.

                          1. 1

                            Long term good of the consumer means long term profits, as opposed to being a flash in the pan.

                      2. 7

                        Vendors with a closed network with high market share won’t willingly let it interoperate with other networks (open or not.) This happened with the previous generation instant-message networks, where well-meaning folks developed an open standard (Jabber) but the big players like Google, Yahoo and AOL wouldn’t adopt it in any meaningful way.

                        Similarly, you don’t see Twitter or Facebook supporting ActivityPub.

                        The only reason email has interoperability is because SMTP predates the commercial internet, and when all the “big” services like CompuServe joined the Internet none of them were big fish in this new sea, so they all gained by adding SMTP support.

                        1. 5

The listed examples seem like odd choices, since AIM did embrace Jabber for a while and Google embraced it so hard that their contributions led to the A/V infrastructure we still use to this day (and form the basis of what became WebRTC), and for so long that people were still using Google accounts for Jabber years after they should have moved to a more featureful implementation.

                          1. 1

                            Once Google Talk gained critical mass, Google turned off federation. It was still using XMPP as a transport protocol but that didn’t matter to anyone because you couldn’t communicate with folks with non-Google Jabber accounts and so it was effectively a proprietary network.

                            1. 4

Honestly, federation turned off way later than most think, and before it went away what mostly happened is the Jabber network started rejecting Google because Google refused to use TLS with a valid cert on their federated links. If you ran your own server or used one that had a special-case config for Google, it kept federating long after most people had been saying “Google abandoned federation” for years. Once the federated server did die, the Google Talk product and brand had itself been dead for years, and client connections still worked (and were used by many I know) for years after that yet.

                              Google kills whole products and protocols on a regular basis, sudden death of popular features is kind of their rep, yet the Jabber servers they ran had the slowest death of anything I’ve seen from them. Definitely not just yanked out of spite.

                            2. 1

                              They did support it as a client protocol, but never enabled federation. So you couldn’t follow or message an AIM user from Google Messenger or vice versa. The stated reason was to avoid incoming spam, but another reason was to retain their network-effect lock-in, i.e. “all my friends use AIM so I have to use it too.”

                        1. 2

                          Tried this on Safari with TouchID (which normally works like a security key…) and it didn’t work :(

                          anyone else have any luck?

                          1. 3

                            It looks like they only support a couple of security key manufacturers, with yubikey being the biggest. I doubt TouchID provides the kind of manufacturer attestation needed for this scheme (but I could be wrong about that).

                            1. 1

Yeah, they say that they only support attestations by Yubikey, HyperFIDO and Thetis FIDO. TouchID probably provides attestation (though I’m not sure), but it just hasn’t been whitelisted by them yet.

                              1. 2

                                Apple does have an attestation scheme for TouchID, but it’s not the “standard” one. It’s anonymous and can’t be tracked, which probably isn’t desirable for Cloudflare’s use. Presumably they are misusing this feature so they can block “bad” users, which Apple’s feature doesn’t let them do.

Ctrl-F for “Apple Anonymous Attestation” on https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/

                                1. 1

You can’t “block bad users” as it is right now. Each attestation key is used in at least 100,000 tokens; there’s no reasonable way to block a single one of them with the way it’s done. Apple’s way, meanwhile, is quite a bit more complicated, requires a connection to Apple’s servers from your machine, and creates a new attestation certificate each time that is signed by Apple’s “master” certificate on their servers (and seems like it’s opt-in?). I’m not entirely sure if there’s much difference on the privacy front besides Apple not having to worry about somebody extracting attestation keys from their machines and spoofing their attestation.

                                  1. 2

                                    I think 1 in 100k, combined with additional signals like client fingerprinting, IP, etc, is absolutely enough to identify and block a bot. Even in the worst case where you block whole batches of yubikeys, the attacker cost goes up as they buy more keys, but legitimate users just fall back to captchas.

                                    1. 1

                                      The whole point of this for them was to decrease their CAPTCHA usage. Turning users back to using them is counterproductive for them. 1 in 100k is a tiny amount, and with carefulness, a bot writer can easily blend into a group that size.

                                      1. 1

                                        Most of that 100k set of users will not be visiting any particular website at a time.

                                        If the point of this isn’t to block bad boys, then what is it? Bot writers will have a yubikey-as-a-service API from somebody soon, probably using a rotating set of some dozens of security keys. So it’ll be even easier for bots than captchas are today, if cloudflare isn’t using the key batch as a signal to block.

                          1. 5

                            This doesn’t seem to motivate why having a security key proves that you’re human. What prevents people from just automating this interaction?

                            1. 14

                              “Prove you are human” has always been the sort of marketing spin on captchas; it’s about making automation marginally more expensive than it’s worth.

                              1. 13

                                In the case of Google, I think it is also: get image recognition training data for free. Most of their image captchas are clearly image recognition for automotive. I strongly suspect that a subset of tiles that they serve are unannotated and they will then use annotations for which there is high agreement.

                                1. 2

                                  If you click wrong, someone could die. It isn’t just a captcha.

                                  1. 4

                                    First, people are incentivized to click the right tiles, since they want to bypass the captcha.

                                    Second, they would not base the label on a single annotation, but rather on thousands or even tens of thousands of annotations which have a high level of inter-annotator agreement.

                                    1. 7

                                      And yet, a lot of the time CAPTCHA insists that that mailbox is actually a parking meter.

                                2. 3

                                  Prove we should allow us to advertise to you!

                                3. 6

                                  The article addresses this toward the end:

                                  We also have to consider the possibility of facing automated button-pressing systems. A drinking bird able to press the capacitive touch sensor could pass the Cryptographic Attestation of Personhood. At best, the bird solving rate matches the time it takes for the hardware to generate an attestation. With our current set of trusted manufacturers, this would be slower than the solving rate of professional CAPTCHA-solving services, while allowing legitimate users to pass through with certainty.

                                  1. 3

                                    Essentially they are relying on the required physical presence mechanisms of FIDO security keys to limit the rate at which the challenges can be passed. So essentially having a key does not prove you are human but attempts to constrain anyone using it to the challenge passing rate roughly attainable by a human. Since these keys are issued by trusted authorities I imagine this means they probably have some mechanism implemented or planned that would ban keys with superhuman challenge rates.
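The mechanism this comment sketches, a verifier that cannot single out one device (the attestation key is shared by a whole batch, as the 100,000-token comments above note) but can notice a batch passing challenges faster than a button-pressing human could, is a sliding-window counter keyed by batch. The following is an added example, not Cloudflare’s code or anything from the article; the batch identifiers, event timestamps and the “10 passes per 10 seconds” threshold are all constructed assumptions.

```python
"""Added example: flag an attestation batch whose challenge-pass rate
exceeds what a person pressing a security key could achieve.

The batch id stands for whatever identifies the shared attestation
certificate; the policy numbers below are assumptions, not Cloudflare's.
"""
from collections import defaultdict, deque

# Assumed policy: a human needs at least a second or two per touch, so more
# than 10 passed challenges from one batch within any 10-second window is
# treated as automation and the batch stops being trusted.
WINDOW_SECONDS = 10.0
MAX_PER_WINDOW = 10


class BatchRateMonitor:
    """Sliding-window counter per attestation batch.

    Events must be fed in timestamp order (the caller sorts them below).
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._recent = defaultdict(deque)   # batch_id -> timestamps in window
        self.flagged = set()

    def record(self, batch_id, ts):
        """Record one passed challenge.

        Returns True while the batch is within the human-attainable budget,
        False once it has exceeded it (and on every later event, since a
        flagged batch is no longer trusted).
        """
        if batch_id in self.flagged:
            return False
        window = self._recent[batch_id]
        window.append(ts)
        # Drop timestamps that have aged out of the window.
        while window and ts - window[0] > self.window:
            window.popleft()
        if len(window) > self.limit:
            self.flagged.add(batch_id)
            return False
        return True


# Constructed sample: "batch-A" is touched by a few people at human pace;
# "batch-B" is driven by a script at 20 passes per second.
SAMPLE_EVENTS = (
    [("batch-A", t) for t in (0.0, 3.5, 7.0, 12.0, 40.0)]
    + [("batch-B", 100.0 + i * 0.05) for i in range(30)]
)


def run(events):
    """Replay events in time order; returns (monitor, [(batch_id, ok), ...])."""
    monitor = BatchRateMonitor()
    ordered = sorted(events, key=lambda e: e[1])
    results = [(batch, monitor.record(batch, ts)) for batch, ts in ordered]
    return monitor, results


if __name__ == "__main__":
    monitor, results = run(SAMPLE_EVENTS)
    for batch in ("batch-A", "batch-B"):
        passed = sum(1 for b, ok in results if b == batch and ok)
        total = sum(1 for b, ok in results if b == batch)
        print(f"{batch}: {passed}/{total} accepted")
    print("flagged batches:", sorted(monitor.flagged))
```

With these inputs batch-A is accepted throughout and batch-B is accepted for its first ten passes and then flagged. The trade-off the later comments argue over is visible in the design: the counter is per batch, so a threshold tight enough to catch a script on a busy site will also catch a batch shared by many genuine users, which is why the only sensible fallback for those users is the existing CAPTCHA rather than a hard block.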

                                  1. 2

How did they get the source code, when it is proprietary software?

Also wouldn’t this kind of attack easily be mitigated by using open source software? Someone would’ve found out that the signature of the distributed binary doesn’t correspond to the self compiled one.

                                    1. 4

                                      How did they get the source code, when it is proprietary software?

The screenshots look like decompiled dotnet binaries to me. Given that dotnet binaries are just IL with a substantial level of metadata in the resulting binary, decompiled C# looks a lot like the original source.

                                      See: https://docs.microsoft.com/en-us/dotnet/framework/tools/ildasm-exe-il-disassembler or https://www.jetbrains.com/decompiler/

                                      1. 4

Also wouldn’t this kind of attack easily be mitigated by using open source software? Someone would’ve found out that the signature of the distributed binary doesn’t correspond to the self compiled one.

                                        Who? Have you or anyone you personally know ever done this for a single software package on your system?

                                        1. 1

Someone would’ve found out that the signature of the distributed binary doesn’t correspond to the self compiled one.

                                          This would require “reproducible builds” which are currently difficult to do in most build environments and consequently uncommon.

                                          1. 1

                                            Do you have any information to back up this claim? I’d think that reproducible builds are quite common, especially in security applications.

                                            1. 2

                                              Personal experience? Reproducible builds do exist, and some projects (like Debian) even put a lot of effort into making them work. I would be…let’s say somewhat surprised if Solarwinds has reproducible builds.

                                        1. 1

It’s an interesting article, but the design goals of the lightphone make me question why they needed to use Android.

                                          1. 2

                                            From TFA:

                                            you’ll likely have to rewrite all of the custom drivers for your alternative OS.

                                            1. 1

                                              Ah you’re right, missed that. Thanks.

                                          1. 7

You know what, IMO the spookiest thing about this story is NoMachine. I’ve never heard of it before; this is the first reference I’ve seen towards it. The website is a lot of marketing fluff, but nothing about exactly how they went about securing it. So the first reference I’ve ever heard of it is a story about how somebody managed to bypass its security somehow to get remote access to a machine that had important credentials on it. This suggests I should stay far, far away from it, at least until I see a deep dive into how this was possible and how the company responsible for it is working to ensure that it can never happen again.

                                            I can’t say I’ve ever heard of anybody breaking into a server with access secured through SSH configured with best practices.

                                            I mean you can bash Google a bit for this I guess, but with how huge their systems and attack surface is, it’s hard to believe they could ever secure things enough that letting somebody unauthorized get your account credentials won’t result in very bad things happening. Maybe we should try and stop it before that happens.

                                            1. 1

                                              NX is typically secured with…SSH. The same best practices should apply.

                                            1. 1

                                              Any specific reason for disallowing empty structs? They would allow for tagged unions to mix elements with and without a “payload”. The optional<T> type would be equivalent to (struct{} | T), for example.

                                              1. 1

                                                I just finished adding this in the form of a void type. I was hoping to avoid it because it adds a layer of meaning which mostly exists in the type system, and not in the encoded value. I’m still not entirely happy with the constraints I had to impose on its usage and the complexity it adds to the specification.

                                                1. 1

                                                  Cool. Yeah, void types are a little odd and really only make sense in unions afaict. Speaking of which, I noticed that the spec describes unions as a “set” of types. Does this mean that a type can only be used once in a union? If so, are type A void and type B void the “same” in that context?

                                                  1. 1

                                                    No, the spec also clarifies that user defined types make a new type which is distinct from its source type.

                                              1. 2

                                                Glad to see more people talk about gemini.

One question still floats around me: why not choose HTTP/1.1, or even HTTP/0.9, with a Content-Type: text/gemini; charset=UTF-8?

                                                1. 2

The FAQ gives some rationale. I found section 2.1.2 on privacy to be the most compelling.

                                                  1. 7

                                                    2.1.2 on privacy to be the most compelling

                                                    I guess 2 things. Privacy problems with HTTP are the fault of servers and browsers. Browsers could refuse E-Tags, not send cookies, etc. But, these are also signals that servers can use to create a fingerprint.

But unless Gemini is incredibly successful, it’s not possible to avoid a proxy which wraps a Gemini request in HTTP, exposing all of the same privacy-breaking things to the proxy.

                                                    I’m not suggesting that Gemini isn’t privacy focused, because, clearly the protocol itself leaves little room to stuff any identifying information in it. However, practically speaking, this simply doesn’t matter at this point. In fact, seeing Gemini traffic on the web at all (or, network traffic to TCP/1965) might immediately group your IP into an identifying group of “nerds” interested in privacy preserving web protocols. Surely, that IP connection with the rest of the browsing data from other sources will further identify you, or someone else in your house, reducing your privacy.

                                                    In other words, isn’t the use of Gemini just another feature of your online fingerprint?