> To be fair, if the rest of your pipeline runs in the megabytes per second, then memory allocation might as well be free from a speed point of view.
This is important, but I think sometimes people struggle with this sort of thinking. I struggled to explain a similar concept to a junior engineer recently. He was very keen to try to optimize part of a process that wasn't the bottleneck. I tried a couple of approaches, like benchmarking various parts under different conditions and modeling it to calculate how much speeding up different components would help.
I wasn't convincing, unfortunately, so he implemented some changes that successfully sped up one part but didn't improve end-to-end performance. I think sometimes you need to see it with your own eyes.
At my first job I spent about US$10k on a super fast compile server which didn't speed up our slow compiles because the bottleneck was the shared 10BaseT Ethernet to the NFS fileserver where we were storing both the source code and the build artifacts. I should have listened to my boss who was telling me it probably wouldn't help.
Presumably, if the customer doesn't have the right to repair then the manufacturer would be able to make parts that are exceptionally difficult to repair without specialized knowledge and tools. Or worse, enforce cryptographic locks on any software/firmware to prevent unauthorized changes.
I think right to repair is about ensuring that the customer can make reasonable repairs to the product, and the manufacturer not infringing on their rights when designing the product.
> Ah, I see you don't know that companies can "prohibit" chip manufacturers from selling specific chips to third parties [1,2]. Moreover, schematics, repair guidelines, and all sorts of other tools are not available to independent repair shops, which renders repairs very difficult. Louis Rossmann has had frequent rants about this on his channel on YouTube [2] and is one of the most prominent advocates of the right to repair.
> It follows then that unless right to repair passes/exists, obtaining replacement parts for any devices is exceptionally difficult. There is therefore a stark contrast between 1960s cars and their very limited electronics and current tech that relies on often hundreds of chips and software to operate.
It is not that the right to repair applies in this case, but rather because the right to repair does not exist/has not passed, the procurement of chips and other electronics necessary to repair the hardware may be difficult or outright impossible.
The cars that we compare to (1960) are orders of magnitude simpler than modern day electronics and not reliant on megacorps allowing others to obtain schematics and microchips.
How are folks using light weight cloud resources approaching password hashing? The `10s of gigabytes of RAM` feels like an expensive requirement. Even lower memory, high iteration count sha256 seems expensive for something like AWS Lambda where you're paying by the millisecond.
From the UX perspective there's also the issue that adding a second of latency during login or registration could increase user drop off.
How many sites really incur the higher costs and higher latency?
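The question above is really about sizing: a memory-hard hash costs memory times duration, and in a pay-per-millisecond environment both are billed. The following is an added example, not code from the thread, that uses scrypt from the Python standard library (the same shape of trade-off applies to Argon2, which is not in the stdlib). It computes the memory a parameter set needs, hashes and verifies with constant-time comparison, and measures latency so parameters can be chosen against a latency and memory budget. The minimum-allocation figure and the per-GB-second price are placeholders, not a quotation of any provider's pricing.

```python
# Added example (not from the original thread): sizing a memory-hard password
# hash for a pay-per-millisecond environment. scrypt is used because it ships
# in the standard library; the cost model and the price constant are
# illustrative assumptions, not provider pricing.
import hashlib
import hmac
import os
import time
from typing import Dict, Optional


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Working memory scrypt needs for parameters N and r: 128 * N * r bytes."""
    return 128 * n * r


def _maxmem(n: int, r: int, p: int) -> int:
    # OpenSSL caps scrypt at 32 MiB unless told otherwise; give it explicit
    # headroom for this parameter set so larger N does not fail at runtime.
    return 128 * r * (n + 2) + 128 * r * p + (1 << 20)


def hash_password(password: str, *, n: int = 1 << 14, r: int = 8, p: int = 1,
                  salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return a record with parameters, salt and digest; store the whole record."""
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of two greater than 1")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            maxmem=_maxmem(n, r, p), dklen=32)
    return {"n": n, "r": r, "p": p, "salt": salt, "digest": digest}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    n, r, p = int(record["n"]), int(record["r"]), int(record["p"])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                               n=n, r=r, p=p, maxmem=_maxmem(n, r, p), dklen=32)
    return hmac.compare_digest(candidate, record["digest"])


def measure_ms(n: int, r: int = 8, p: int = 1, rounds: int = 3) -> float:
    """Median wall-clock milliseconds for one hash with these parameters."""
    timings = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        hash_password("benchmark-only", n=n, r=r, p=p, salt=b"\x00" * 16)
        timings.append((time.perf_counter() - t0) * 1000)
    timings.sort()
    return timings[len(timings) // 2]


def lambda_cost_estimate(ms: float, mem_bytes: int, usd_per_gb_second: float,
                         min_alloc_bytes: int = 128 * 1024 * 1024) -> float:
    """Illustrative per-hash compute cost: allocated GB * seconds * price.
    The minimum allocation and price are assumptions; use your provider's."""
    gb = max(mem_bytes, min_alloc_bytes) / (1024 ** 3)
    return gb * (ms / 1000.0) * usd_per_gb_second


if __name__ == "__main__":
    PLACEHOLDER_PRICE = 0.0000166667  # assumed USD per GB-second, not a quote
    for n in (1 << 12, 1 << 14, 1 << 15):
        mem = scrypt_memory_bytes(n, 8)
        ms = measure_ms(n)
        cost = lambda_cost_estimate(ms, mem, PLACEHOLDER_PRICE)
        print(f"N=2^{n.bit_length() - 1}: {mem / 2 ** 20:.0f} MiB, "
              f"{ms:.1f} ms/hash, ~${cost:.8f} per hash")
```

Run it on the instance type you actually deploy to, not a laptop: the latency the comment worries about is the one measured there, and the memory column is what drives the allocation size. Storing the parameters with each record is what lets you raise N later without a forced password reset.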
Agreement from me, although I'd avoid double booking. Double booking means that other people are expecting you to attend, they may wait to see if more people join, or need to reschedule if the right audience isn't able to make it. I think it's best to proactively reject meetings versus only showing up for one.
Depends. If your schedule has a lot of flux (meetings being cancelled ad-hoc, etc.) then it can be useful to accept everything but notify the host that you probably won't be there unless something changes. That way if something does change you at least still have it on your calendar (I use Outlook, maybe other calendar/meeting apps handle this better).
I'll add my (32/M/USA) perspective as someone who subscribed to duolingo plus last month. I'm learning Arabic ahead of a _potential_ move with my spouse to an Arabic speaking country.
First, Duolingo is fun to use. I didn't enjoy classroom based learning in high school. Duo gamifies the process really well, it's on my schedule, and I have a concrete reason to want to learn. Duo has been reducing my time on social media as well, always a bonus when picking up a good habit.
The $7/month premium subscription was worth it. I'm investing 30 minutes a day in the app, and ad-free means I can get through more lessons. I have unlimited lives so my learning isn't interrupted if I struggle on a hard lesson.
I'm not expecting to become fluent on Duo alone. But I think I'll get a great handle on some basics. My wife is already fluent, so that's helped me speak and figure out some things I struggled with.
I also tried the Rosetta Stone app. I didn't think that one was fun, it throws you into hard content quickly, so I haven't been using it. If our move happens, I'll enroll in a more traditional environment, and I may take a second look at the Rosetta Stone app. For now I'm happy that I have something that's making me increasingly comfortable with the idea of speaking Arabic.
Any thoughts on how customers should think about securing their skills? ChatOps exposes skills that may provide deep access to deploy code or modify system configuration. Slack doesn't have the same security as an SSH session (password protected private key). I'm seeing concerns around phone theft, evil maid, spouses, or former employees who haven't had Slack access pulled.
From my end, I think these are solvable but may require thinking about the problem differently. How are you thinking about security?
Absolutely! We think about security on multiple levels.
For our threat model, we focus on _companies_ using Slack, Discord, and Teams, though our efforts apply to communities, etc. For the sake of this question, I'll focus on companies using Slack, but most of it applies to the others.
Even without Abbot, if someone gains access to an employee Slack account, they can do immense damage. So it's very important for companies to enforce good security on Slack such as 2-factor auth, etc. If you use Abbot, that's even more important. To interact with Abbot in chat, a user must be logged into your Slack organization. So we encourage customers to take their Slack account security seriously.
Now it may happen that a Slack account is compromised despite a company's best efforts. So the next level of protection is the ability to protect skills using Abbot's access control. You can restrict skills to a limited set of users. That makes it possible to follow the principle of least privilege and reduce exposure of the most sensitive skills.
Finally, despite our best efforts, there may be the case where someone gains access to a privileged account. Abbot logs every interaction it has with users, whether through the Bot console (in the website) or via chat. So if someone does somehow get access, you can audit what activities they took, what secrets they accessed.
It's also important to look at security from the perspective of a skill author. To create a skill, a user has to be a member of the "Members" role in https://ab.bot/. This requires that they are a member of the associated Slack organization and have logged into https://ab.bot/ with their Slack account (we don't implement our own authentication).
An Abbot Administrator can choose to let anyone in the Slack organization automatically be added to the "Members" role when they log in. That may be appropriate for smaller high-trust companies. For larger companies, administrators may want to have tighter control on access to the website.
Skill authors are encouraged not to embed tokens and other secrets in the code for skills. Instead, use the secrets management built in. There's also a proxy link feature for certain cases where a secret is embedded in a URL and you don't want the secret exposed even to skill authors.
That's where we are today.
In the future, we'd like to integrate with Active Directory, LDAP, etc. for managing access to the site and skills. Also, we know that many systems people want to access are going to be behind a firewall. So we are looking into onprem options, but those may be further down the road.
If you have some ideas on where we can improve or areas we should be thinking about, we are definitely interested in hearing about it. This is very important to us.
Slack is often misconfigured - mid-sized companies without a proper IAM team/engineer often enable auto-provisioning which sends an invite to @<whitelisted domain>. If you can identify an e-mail reflection vuln on the domain you can parlay that into a Slack invite, and while ChatOps might be the least of the concerns I fear this is reinforcing bad hygiene.
Additionally companies forced to be SOX compliant require separation of duties, which is often incompatible with slash commands that impact production or revenue generating infrastructure.
For teams that are concerned about whether their Slack is configured correctly, Abbot can be put into a waitlist mode where an administrator on the Abbot team has to explicitly approve any access. No matter how Abbot is configured, all commands are still logged.
SOX compliance is a bit outside of our domain of influence; our goal is to give people the most powerful tools we can, in a way that they can run it in their environment without having to reinvent the wheel.
> If you can identify a e-mail reflection vuln on the domain you can parlay that into a Slack invite
On reread, I realize that I'm not sure I understand what sort of attack you're talking about. While I think we've done a good job of making Abbot a safe entity, could you describe how this works? It's possible there's an attack vector we haven't considered. Thanks for sharing!
You need to know the Slack workspace URL, looks like the previous method I used to find this for arbitrary domains has been fixed. Workspace URLs aren't secret, though, and can often be guessed. Let's assume finding this for your target isn't an issue.
The most common reflection attack is through support systems, specifics will vary depending on the product used. Not all are vulnerable to this.
Open a support ticket with support@company.com pretending to have a valid complaint. Obtain the unique e-mail address for your ticket such as support+2392@company.com, and use "Sign up" at https://company.slack.com/signup#/domain-signup with the support ticket e-mail address.
The support ticket system can leak the contents of the Slack invitation as a ticket update. Once you know the validation URL Slack allows you to sign up.
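The weak link in the exchange above is "anyone with an address on our domain gets an invite": a support mailbox such as support+2392@company.com is on the domain, but whoever can read the ticket can read the invitation. The following is an added example, not Slack's or Abbot's code, of the guard an auto-provisioning flow could apply before sending an invite. It rejects role mailboxes (the RFC 2142 names plus a few assumed helpdesk aliases), sub-addressed mailboxes of the kind ticketing systems hand out, ticket-style numeric aliases, and look-alike domains, and routes those to manual approval instead. The allowlist and the extra alias names are assumptions.

```python
# Added example (not Slack's or Abbot's code): a guard for domain-based
# auto-provisioning. Addresses likely to be readable by someone other than the
# named employee are refused and sent to manual approval. Role names beyond
# RFC 2142 and the ticket-alias pattern are assumptions.
import re
from typing import Iterable, List, Sequence, Tuple

# RFC 2142 well-known mailbox names, plus common helpdesk aliases (assumed).
ROLE_LOCALPARTS = frozenset({
    "abuse", "noc", "security", "postmaster", "hostmaster", "usenet", "news",
    "webmaster", "www", "uucp", "ftp", "info", "marketing", "sales", "support",
    "help", "helpdesk", "tickets", "ticket", "noreply", "no-reply", "admin",
})

_EMAIL_RE = re.compile(
    r"^(?P<local>[A-Za-z0-9._%+-]+)@(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,})$")
# Aliases such as support-2392, case_2392, ticket2392 (assumed pattern).
_TICKET_ALIAS_RE = re.compile(r"^(?:support|ticket|case|help)[._-]?\d+$")


def classify_invite_address(email: str, allowed_domains: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Only the flag decides; the reason goes to the audit log."""
    m = _EMAIL_RE.match(email.strip())
    if not m:
        return False, "malformed address"
    local = m.group("local").lower()
    domain = m.group("domain").lower().rstrip(".")
    allowed = {d.lower() for d in allowed_domains}
    # Exact match only: company.com.evil.example must not pass as company.com,
    # and a suffix check would let it through.
    if domain not in allowed:
        return False, f"domain {domain} not in allowlist"
    # Sub-addressing: support+2392@ usually lands in a shared helpdesk mailbox,
    # so the invitation mail is visible to whoever can see the ticket.
    # Conservative default: refuse and let an administrator approve by hand.
    if "+" in local:
        return False, "sub-addressed mailbox; requires manual approval"
    if local in ROLE_LOCALPARTS:
        return False, f"role mailbox {local}@ is not a person"
    if _TICKET_ALIAS_RE.match(local):
        return False, "looks like a ticketing alias; requires manual approval"
    return True, "ok"


def filter_invites(candidates: Sequence[str], allowed_domains: Iterable[str]
                   ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split signup addresses into (to_invite, to_review), each with a reason."""
    invite: List[Tuple[str, str]] = []
    review: List[Tuple[str, str]] = []
    for addr in candidates:
        ok, why = classify_invite_address(addr, allowed_domains)
        (invite if ok else review).append((addr, why))
    return invite, review


if __name__ == "__main__":
    # Constructed sample batch, including the ticket address from the thread.
    batch = ["alice@company.com", "support+2392@company.com", "support@company.com",
             "bob@company.com.evil.example", "Case-7@Company.COM"]
    to_invite, to_review = filter_invites(batch, ["company.com"])
    for addr, why in to_invite + to_review:
        print(f"{addr:40} {why}")
```

This only narrows the hole. The fix that removes it is to stop treating "has an address on our domain" as identity: provision through SSO/SCIM from the identity provider, or use an explicit approval step like the waitlist mode mentioned further down, so a reflected e-mail never becomes an account on its own.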
I think it's best to migrate to a preferred formatting slowly, versus touching everything at once. I've had open pull requests that I've started over due to aggressive reformatting like that. Between that and breaking tools like 'git blame', it can be painful.
Ran into this issue where contributors' editors were reformatting the whole file they touched based on the newly created code formatting config file. Some editors would pick it up and automatically reformat on save so a commit with 3 actual lines changed looked like 90% of the file had changed in the diff. So we went with the nuclear option and did one massive PR that reformatted the whole codebase.
This approach sometimes works for formatting but the issue with ad-hoc approaches is finding ways of enforcing on new commits. This is especially so with a large developer base.
Once you move on from just banal issues like whitespace and move your way up to actual structural concepts in the code, ad-hoc starts completely falling apart (at least in my experience.)
I once encountered someone who did a giant re-formatting of code by rewriting past commits. Pretty disruptive for a day but did manage to keep history intact. Also, a little (or a lot?) dangerous...
That was our problem. We added a git hook to reject new malformed commits. The easier way to not mess up more things was to make all the code base compliant.
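The hook approach in the last comment works because it checks only what is being staged, so untouched files stay as they are until someone edits them. The following is an added example, not the commenter's hook, of a minimal pre-commit hook that rejects the "banal" formatting problems mentioned earlier in the thread (trailing whitespace, tab indentation, missing final newline) in the staged content. A real project would call its formatter's check mode in place of these rules; the rules and the binary-extension skip list are assumptions.

```python
# Added example (not from the thread): a pre-commit hook that inspects the
# staged (index) version of each changed file, not the working tree, so it
# judges exactly what would be committed. The three rules stand in for a
# formatter's --check mode and are an assumption.
import subprocess
import sys
from typing import List, Tuple

SKIP_SUFFIXES = (".png", ".jpg", ".gif", ".ico", ".pdf")  # assumed binary types


def find_violations(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) pairs for every formatting rule broken in text."""
    problems: List[Tuple[int, str]] = []
    lines = text.split("\n")
    if text and not text.endswith("\n"):
        problems.append((len(lines), "no newline at end of file"))
    for num, line in enumerate(lines, start=1):
        if line != line.rstrip(" \t\r"):
            problems.append((num, "trailing whitespace"))
        if line.startswith("\t"):
            problems.append((num, "tab indentation"))
    return problems


def staged_files() -> List[str]:
    """Paths added, copied or modified in the index; -z keeps odd filenames intact."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True).stdout
    return [p.decode("utf-8", errors="replace") for p in out.split(b"\0") if p]


def staged_content(path: str) -> str:
    """':path' names the index version of the file, which is what gets committed."""
    out = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
    return out.decode("utf-8", errors="replace")


def main() -> int:
    failed = False
    for path in staged_files():
        if path.endswith(SKIP_SUFFIXES):
            continue
        for num, why in find_violations(staged_content(path)):
            print(f"{path}:{num}: {why}", file=sys.stderr)
            failed = True
    if failed:
        print("commit rejected: fix the lines above and re-stage", file=sys.stderr)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as .git/hooks/pre-commit (executable) or point core.hooksPath at a directory kept in the repository so every clone picks it up; the same check can run in CI for contributors who skip hooks with --no-verify.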
I recently changed my opinion on todo list type projects. I previously thought it was a crowded place and a solved problem, not worth building yet another. But a todo list is such a powerful tool and has so many different use cases that each new variation can focus on a different niche and brings new value.