...and I'm surprised there's a whole section on using recursion in Python, considering Python guards against recursion depth. (tail recursion is especially applicable here). The author seems to have a solid understanding of Python, so I'm a little confused.
In general, if you use recursion in python, you're gonna have a bad time. Better to use an iterator (which is usually more memory efficient anyway because you're not slurping up the whole thing...).
I want to call particular attention to the author's point about Apple's pie chart.
Not only is Apple's pie chart used for telling lies here, I would argue that all pie charts are used for telling lies.
The only thing a pie chart gives you is it tells you that everything in a category adds up to 100%. It doesn't tell you what 100% is, or why 100% is good, or bad, or let you compare across charts, or set goals.
You can accomplish this same thing with a bullet graph, developed by Stephen Few. You make a bar chart, then put a line through it to represent your goal (or 100%). Then, it's simple to compare multiple categories and model very complex information in a simple to understand way.
So remember this: The next time you see a pie chart, know that someone is lying or trying to appear more impressive than they actually are.
The worst part about this particular way of graphing information is that it's so ingrained in our culture (it's taught in Kindergarden), that people don't even understand that they're lying, even when they are.
I can understand how pie charts can be manipulated to show whatever the presenter wants to show...
However I fail to see how they are lying because they used a pie chart... back in 2008 they are saying that Apple had roughly 20% of the market share of smart phones.
They are vague in explaining whether they are measuring - devices sold, devices in use, devices pre-ordered... however that would be the case whether they used a bar graph, line graph, or just gave the raw numbers.
Here's an experiment: Get a random set of pie charts without labels on them. Get a large group of people. Now get those people to go through the pie charts and add what % of the pie chart they think each slice represents.
Now, get a set of bar charts and do the same thing.
In both experiments time the participants. You'll need two groups, a group that knows they're being timed and one that doesn't know.
What group was more accurate? What group was able to complete the exercise faster?
The reason that using pie charts is, in and of itself, a dark pattern is because the results of this experiment support bar charts as a more concise, more easily understood way of communicating information. In other words, the only real reason you'd use a pie chart is to obfuscate information. Or, well... to lie. If you're just using it because you don't know better, then you're negligent and misleading people without even knowing it.
"then you're negligent and misleading people without even knowing it."
Is that their fault? I don't entirely think so. You might be able to claim they should have done the research before choosing that type of graph but the majority of people are not even going to give pie charts a second thought.
If there was an active campaign against pie charts and more discussion I might find fault in that persons ignorance to the matter.
Yes, pie charts are poor visualization tools. But most people who utilize them are simply unaware of their shortcomings and so they aren't 'lying' (a lie requires intent).
The misuse of language is another way to mislead and confuse people -- intential or not.
We should strive for accuracy in words and charts!
On the contrary, "It has not been broken" is exactly what I would expect a programmer to say.
If the security of an algorithm is weakened, then it's important to evaluate the use of the algorithm and make efforts to implement stronger security now. You should feel fortunate that you even get the time to move to something better before all hell breaks loose.
This is the same kind of thinking I hear daily when people say things like, "Just use bcrypt" without thinking about the consequences.
The tendency for programmers to think of security in a nihilistic way continues to boggle my mind. I don't think the article suffers from an alarmist tone. I think it's correct to look at something shitty and call it shit.
I have no idea what this comment is even trying to say. I have no idea what MD5 has to do with bcrypt, and I have no idea what "nihilism" has to do with the fact that HMAC-MD5 isn't broken. We didn't just "discover" that MD5 was weak; Paul Kocher knew it was weak when SSL 3.0 was standardized back in 1996, which is why the SSL 3.0 handshake PRF uses both SHA-1 and MD5.
Yours is the kind of comment anyone can write without knowing anything whatsoever about cryptography, so I'm wary of going into more detail.
Apologies. Perhaps I'm being a master of the obvious here, so I'll restate more simply:
When people try to implement security without actually thinking about what the system is doing, it creates weaknesses in the security, not due to algorithmic weaknesses, but because the organization and the engineering discipline for the future is compromised. Thus, while "just use bcrypt" or "just use HMAC-MD5" might work today, the organization doesn't have the mind to update it when it finally does break.
This is exactly what happened (and is still happening) today after MD5 was broken.
This is the same comment with fewer words, and while I appreciate the concision, it doesn't make any more sense to me.
Bcrypt isn't broken or even weakened.
HMAC-MD5 isn't broken.
HMAC-MD5 and bcrypt are unrelated.
Nobody is ignoring the problem of MD5; in fact, suspicion about MD5 animates the very first secure SSL specification we have, from almost 20 years ago. Nobody is saying "just use HMAC-MD5".
I think what he is saying is that many individuals and organizations will not learn the fundamentals behind why X is broken, they only learn "X is broken use Y instead."
They instead should learn that Y is also potentially broken in a given circumstance - and maybe that doesn't apply to my current situation but I need a review process to check that it still doesn't apply to me at a given time in the future.
For someone designing a cryptography application, this understanding should be very deep. I don't think it needs to be as deep for someone who is configuring their Apache server and just needs to know what ciphers to enable and which ones to prefer. In this case it is best to follow an industry best practice based on the type of data being sent over the wire and the compatibility/performance required by the clients/users. Then schedule an annual or quarterly review of those choices to make sure they don't go out of date and keep an eye on security bulletins in case one of them is severely broken.
What he's saying is these blanket statements "just use X" is what is broken. Sometime ago it was "just use md5" and we're still suffering through the fallout of that long after md5 has been shown to be broken. Now we're pointing everyone in another direction and at some point that will be broken too. His point is that we need to educate people on the reasons why one algorithm is better than another for certain security concerns rather than relying on blanket catch-all declarations.
And now I'd like to say for the third time that no, there was no "just use MD5" meme in cryptography or in software development, and if TLS is an illustration of anything, it's of not simply leaning on MD5. Once again: the TLS protocol itself is not vulnerable because of MD5, and it's not vulnerable because its designers and implementors both knew about and accounted for the weaknesses of MD5.
The author took the opposite lesson from TLS than the one that it actually demonstrates, and the commenter above is harping on that broken lesson.
As a computer scientist, it's a joy to discover when you're wrong about things. So I'm enjoying being on the wrong side of the discussion for once, because I'm learning lots.
Thank you for your replies tptacek, I've learned much from this discussion. If I could edit my top comment, I would.
Doubt about this exact case, but I've seen MD5 being (ab)used in a really weird ways, which I attributed to mindless "oh, I'll just use MD5 here, heard it's good for security!"
One particular case I remember was use of md5(md5(md5(unix_timestamp()))) to generate "secure" session tokens.
> This is the same kind of thinking I hear daily when people say things like, "Just use bcrypt" without thinking about the consequences.
Sorry to say, but "just use bcrypt" is currently the right three word statement that you can use if anybody is asking "I'd like to hash a password, and I don't want to learn all of crypto before I do." Bcrypt is currently among the algorithms that are hard to break if used correctly, deployed widely, has wide support in deployed languages and frameworks and it's fairly simple to use. There's little room for major fuckups here.
There are algorithms that are harder to break (scrypt) or an official standard (PBKDF2), but seriously, bcrypt is currently good enough. Sure, it's always better to read and learn, but sometimes people just have to get things done and I'd rather see them use bcrypt than sha1 or unsalted md5.
> The tendency for programmers to think of security in a nihilistic way continues to boggle my mind.
tptacek is appears to be too modest to say it himself, so I'll go ahead and point it out: He's not "just a programmer", he's a well-respected computer security and vulnerability researcher.
This isn't to say that you should ever simply take his word for stuff, but rather that you are on one hand preaching to the choir, and on the other that you are probably not considering practical effects on security design that he has to wrangle with all the time.
For instance, it's probably a bad idea to hop immediately from one weakened (not even broken) cryptosystem to The New Hotness just because flaws are uncovered, especially for those doing this without thinking of the consequences. For every theoretical security bug you may fix while doing the conversion, you may very well introduce two much practical security bugs.
Cargo cults are bad wherever they are encountered, even when the cult involves something as seemingly as innocuous as "Cryptosystem $FOO has been weakened, time to jump ship".
The parent seems to be implying (taking other comments into account) that people "cargo cult"-ing on ideas like "just use bcrypt" might work now, but it will become a liability in future when bcrypt is weakened or broken (making it more difficult to get people to switch to the next standard practice).
That's odd, I don't think anyone is taking the advice to mean "use bcrypt for ever", I'd imagine that everyone understands that we use it because it's good enough for the foreseeable future.
Experienced Twitch streamer here. I've been streaming for almost 2 years now to Twitch.
On Profitability: In the gaming space, it's all about the sponsorships. Yes, Twitch ads are going to be nice cash for them, but I would ultimately expect their business to ride on helping promote company's gaming events.
Stream partner payouts are trash, pure and simple. Pull in 100,000 uniques over a month? You're not even eligible for partner status. On YouTube, you can get ~$300.00 for the same viewership. Somehow I don't think that partnerships are costing them much money at all.
Own3D.tv was only a "competitor" in the sense that they promised to pay out more to stream partners. They were full of lies. Several times Own3D.tv had big pushes to gobble up popular streamers from Twitch. I was contacted several times. Overall the Own3D.tv site was trash compared to Twitch's features, and the second you ask them the hard questions, "How often do you pay / When do I see my first paycheck", they couldn't answer you.
TLDR; Twitch will be profitable by keeping their costs down, building partnerships, and building brand recognition. Advertising isn't the end game for Twitch.
Some people will skim and get the information. Some people will read and get entertainment. Some people want the details, because they need a deeper understanding. Some people want a high level overview, because they already understand things and just want the information.
Your Second Life article probably has some interesting things to say, I wouldn't know, I didn't read it. Instead I clicked the link, scrolled and scrolled and before I'd even got to the bottom I'd calculated it would take me about half an hour of my life to read the thing.
I don't want to invest half an hour of my life in learning about someone's blow-by-blow account of their Second Life experience (I'd question anybody who does and point them to one of the numerous HN articles on procrastination/wasted time). An article that long devoted only to Second Life (condescension aside, there really are more important things, honestly) seems pretentious and serving the authors Ego more than the readers curiosity.
Richard Feynman however, the secrets of the universe and world around us, yes, I would like to learn more about that.
Actually I was wrong on that one. I took for granted that you could track changes because we have a nice "Job Config History" menu option. But that is actually the job config history plugin ( https://wiki.jenkins-ci.org/display/JENKINS/JobConfigHistory... )
So, I step back on saying Jenkins lets you track main changes history. That has to be done manually I guess.
The problem isn't the efficiency of the engine, but the efficiency of storing energy. Gasoline and diesel are very good at that, and are easily replenished. If your concern is the complexity of all the moving parts, rotary engines and 2-stroke engines are significantly simpler, but ultimately 4 stroke reciprocating engines make more sense.
The huge problem with this suggestion is that society is built around the idea that you have a "High School Diploma" and a "College Diploma", so just up and quitting school isn't a good solution.
I think the best solution for someone trapped in the school system is to basically do a few things:
Middle School
1. Survive.
2. Get ahead. You're not old enough (in society's eyes) to out maneuver the adults yet. Prepare yourself.
3. Develop a love and interest in another foreign culture.
High School
1. Take every "legal" chance to get out of normal classes. Do joint-enrollment, AP, and technical classes.
2. If you must take "normal" classes, sleep in them, or do tomorrow's homework (the rest of the year's homework if you can) in class. Test well. Then study more interesting stuff with the extra time you have at night. Remember: Homework is largely graded on completion and is typically the largest part of your grade, so do the easy thing.
3. Apply for scholarships like hell. Every dollar you can get now is worth 1,000 times itself in the future.
4. Learn a language and culture of a (very) foreign country. Don't take Spanish or French. Do German, Chinese, Russian, Japanese, Korean, etc. Learning a language doesn't just allow you to interact with others from that country, it gives you perspective on your own situation. This is vital to your education.
University
1. Buy the best education you can for the value. An online degree is cheap, but not valuable. An Ivy League degree is expensive, but the value may not add up to the expense. Try Georgia Tech, not MIT. Try University of Washington, not Harvard. Use your own judgement here.
2. Don't go into debt if you can.
3. Do an exchange program. Spend a year in a country you care about. See also: High School #4. Don't stay in the "international housing" if you can. Try to stay in the dorms with other normal students.
4. While in University, do paid work in the field you are going into. The more recognizable the name of the company you work for, the better. If you're doing work at the University, don't do retail, food staff, etc. Do technical support, tutoring, or administrative. Not only are these jobs easier and pay more, but they look way better on a future resume.
5. Take an advanced finance class and an advanced programming class, even if you have to "sit in" on the class (larger universities don't take roll and you can sneak in these classes sometimes). These are the two human systems that make our world work today. If you don't get this, you're going to get swindled as a professional.
6. Join clubs. If they don't exist, make your own club. Get on the club's officer list. Put it on your resume if it looks good. You'll make lifelong friends from these people. You might even start your own business with these people.
7. Don't really bother with Frats / Sororities / Bars. The real fun and parties are with deep friendships you make and that allow you build a better lifestyle. See #6.
> An Ivy League degree is expensive, but the value may not add up to the expense. Try Georgia Tech, not MIT. Try University of Washington, not Harvard. Use your own judgement here.
If you're poor however, reverse this. UW or Georgia Tech will maybe give you enough aid to cover half the tuition.
Harvard and MIT will give you a full ride plus money for a return flight home and extra spending money each semester, all before you get a work-study job.
This is one of the greatest equalizers of income disparity available in America and I'm very glad to be able to take advantage of it.
4. While in University, do paid work in the field you are going into
That's pretty much the most important bit of advice I try to give to young people. Companies will hire a college student with no experience but will not hire a college graduate with no experience.
Wow, looking at this list, it's actually pretty surprising and impressive how much I've apparently managed to do right, at least starting at the "University" stage.
Apparently I should have taken an advanced finance class, but I'm pretty sure my finances are fine right now anyway.
> Don't really bother with Frats / Sororities / Bars.
Food for thought: Data seems to indicate that those who drink more, earn more. It is thought that the uninhibited random connections you make at those kind of social functions may open up opportunities to find better jobs.
This may explain why people who go to college, and are exposed to the stereotypical party scene, also statistically earn more. If you stick to parties with with a close nit group of friends, you may actually set yourself back career-wise, statistically speaking.
Of course there is a lot more to college than just finding a future career, but your opening statement seems to imply that focus.
The public school system in Utah provides language-immersion programs where students are taught regular subjects (math, geography, etc) in a foreign language for half the day. The elementary school nearest me offers Mandarin Chinese.
The system still may be prison-like and focused on standardized testing, but learning a foreign language at a young age is a nice benefit I'll be considering for my kids.
In general, if you use recursion in python, you're gonna have a bad time. Better to use an iterator (which is usually more memory efficient anyway because you're not slurping up the whole thing...).
Of course, you can always hack it and sys.setrecursionlimit, but WHY WOULD YOU DO THIS. https://docs.python.org/2/library/sys.html#sys.setrecursionl...