Wednesday, January 28, 2015

the new greek economics minister, the old Valve economist

from lizard's ghost

about ghost! on ghost! ha!

From :

--[ 3 - Mitigating factors ]--------------------------------------------------

The impact of this bug is reduced significantly for the following reasons:

  • A patch already exists (since May 21, 2013), and has been applied and tested since glibc-2.18, released on August 12, 2013:

  • The gethostbyname*() functions are obsolete; with the advent of IPv6, recent applications use getaddrinfo() instead.

  • Many programs, especially SUID binaries reachable locally, use gethostbyname() if, and only if, a preliminary call to inet_aton() fails. However, a subsequent call must also succeed (the "inet-aton" requirement) in order to reach the overflow: this is impossible, and such programs are therefore safe.

  • Most of the other programs, especially servers reachable remotely, use gethostbyname() to perform forward-confirmed reverse DNS (FCrDNS, also known as full-circle reverse DNS) checks. These programs are generally safe, because the hostname passed to gethostbyname() has normally been pre-validated by DNS software:

    . "a string of labels each containing up to 63 8-bit octets, separated by dots, and with a maximum total of 255 octets." This makes it impossible to satisfy the "1-KB" requirement.

    . Actually, glibc's DNS resolver can produce hostnames of up to (almost) 1025 characters (in case of bit-string labels, and special or non-printable characters). But this introduces backslashes ('\') and makes it impossible to satisfy the "digits-and-dots" requirement.
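An added example (my code, not part of the advisory quoted above) that encodes the hostname limits and the two requirements named in the mitigating factors: a DNS-shaped pre-validator, a check for the "1-KB" and "digits-and-dots" shape, and a resolver-style presentation routine whose escaping is modeled on ns_name_ntop() (an assumption here), showing why long resolver output always carries backslashes.

```python
"""Hostname pre-validation in the spirit of the advisory's mitigating factors.

Added example, not from the advisory. It encodes the DNS size limits quoted
above (labels of at most 63 octets, at most 255 octets in total) and the two
preconditions the advisory names for reaching the overflow: a string of at
least 1024 characters ("1-KB") made only of digits and dots. The point it
demonstrates is that no string passing the DNS limits can meet both.
"""

MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255
OVERFLOW_MIN_CHARS = 1024                 # the advisory's "1-KB" requirement
DIGITS_AND_DOTS = frozenset("0123456789.")
# Bytes a resolver escapes with a backslash in presentation form; this set is
# modeled on BIND/glibc ns_name_ntop() and is an assumption of this example.
SPECIAL = frozenset(b'".;\\()@$')


def dns_valid_hostname(name: str) -> bool:
    """True if ``name`` respects the RFC 1035 size limits quoted in the advisory."""
    data = name.encode("utf-8")
    if not data or len(data) > MAX_NAME_OCTETS:
        return False
    if data.endswith(b"."):               # a trailing dot marks the root, not an empty label
        data = data[:-1]
    return all(0 < len(label) <= MAX_LABEL_OCTETS for label in data.split(b"."))


def matches_overflow_shape(name: str) -> bool:
    """True if ``name`` meets both the "1-KB" and the "digits-and-dots" requirement."""
    return len(name) >= OVERFLOW_MIN_CHARS and set(name) <= DIGITS_AND_DOTS


def safe_to_resolve(name: str) -> bool:
    """Guard to place in front of a legacy gethostbyname*() call on untrusted input:
    accept only DNS-shaped names that do not have the shape the advisory describes."""
    return dns_valid_hostname(name) and not matches_overflow_shape(name)


def wire_length(labels: list[bytes]) -> int:
    """Octets a name occupies on the wire: one length byte per label plus the root byte."""
    return sum(len(label) + 1 for label in labels) + 1


def presentation_form(labels: list[bytes]) -> str:
    """Render wire-format labels the way a resolver hands them to callers.

    Printable bytes pass through, SPECIAL bytes get a backslash prefix and every
    other byte becomes \\DDD. This expansion is why a resolver can produce almost
    1025 characters from a 255-octet name, and why such output always contains
    backslashes, which fails the digits-and-dots requirement.
    """
    rendered = []
    for label in labels:
        chars = []
        for b in label:
            if b in SPECIAL:
                chars.append("\\" + chr(b))
            elif 0x20 <= b < 0x7F:
                chars.append(chr(b))
            else:
                chars.append("\\%03d" % b)
        rendered.append("".join(chars))
    return ".".join(rendered)


if __name__ == "__main__":
    # Constructed input: four labels of non-printable bytes, exactly 255 wire octets.
    labels = [b"\x01" * 63] * 3 + [b"\x01" * 61]
    text = presentation_form(labels)
    print(wire_length(labels), len(text), "\\" in text, matches_overflow_shape(text))
```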

Sunday, January 25, 2015

oops, this is light music club..

the mongolian chop squad, furi kuri, god and was it the light music club?

the go player is on wikipedia, she's not..

我願意 vs 涙そうそう

she's pretending to be nervous..

i can't catch most of her mandarin..

Tina Turner - We Don't Need Another Hero

Tina Turner - What's Love Got To Do With It

Tina Turner - Simply The Best

hard to count

Saturday, January 10, 2015

planning poker

  • The skills and talents of individual programmers are the main determinant of software quality. No amount of management, methodology, or high-level architecture astronautism can compensate for a poor quality team.

  • The motivation and empowerment of programmers has a direct and strong relationship to the quality of the software.

  • Hard deadlines, especially micro-deadlines, will result in poor quality software that will take longer to deliver.

  • The consequences of poor design decisions multiply rapidly.

  • It will usually take multiple attempts to arrive at a viable design.

  • You should make it easy to throw away code and start again.

  • Latency kills. Short feedback loops to measurable outcomes create good software.

  • Estimates are guess-timates; they are mostly useless. There is a geometric relationship between the length of an estimate and its inaccuracy.

  • Software does not scale. Software teams do not scale. Architecture should be as much about enabling small teams to work on small components as the technical requirements of the software.


Logging, logging, logging

karterk 10 hours ago | link

The most difficult thing is going to be getting to 10K active users :)

These days RAM is cheap and SSD storage is also widely available. For a very long time, one of my side projects with 50K users was hosted in a EC2 small instance. With that out of the way, here are a few things you will need to take care of:

  • Security (especially passwords) - Rails should take care of most of this for you, but you should ensure that you patch vulnerabilities when they are discovered. Also, stuff like having only key-based login to your servers etc.

  • Backups - Take regular backups of all user data. It's also VERY important that you actually try restoring the data as well, as it's quite possible that backups are not occurring properly.

  • One click deployment - Use Capistrano or Fabric to automate your deployments.

  • A good feedback/support system - this could even be email to begin with (depending on the volume you expect), but it should be accessible.

  • Unit tests - as your app grows in complexity, you will never be able to test all the features manually. I'm not a big fan of test driven development, but really, start writing unit tests as soon as you have validated your product idea.

  • Alerts, monitoring and handling downtime - Downtimes are inevitable. Your host or DNS could go down, you might run out of disk space, etc. Use something like Pingdom to alert you of such failures.

  • Logging, logging, logging - I can't stress on this enough. When things break, logging is crucial in piecing together what happened. Use log rotation to archive old logs so they don't hog the disk space.

icehawk219 9 hours ago | link

> Backups - Take regular backups of all user data. It's also VERY important that you actually try restoring the data as well, as it's quite possible that backups are not occurring properly.

The part about testing your backups is huge. I can't count how many projects I've been on that had problems where we needed to restore and we looked only to find any number of problems. Oh, backups actually stopped last month when we ran out of space, oops the backups only backed up these 3 db's and not the one you want, things like that. I'd also stress the importance of off-site backups. If you're using AWS for everything and your account is compromised can they delete your backups (assuming they have full, 100% unlimited, admin access to AWS)?

Which is also why if you're using stuff like AWS, Heroku, or any other third party provider (hosted Mongo, hosted ElasticSearch, Stripe, NewRelic, etc.) it's very important to ensure those passwords are secured and only the people absolutely necessary have access. Also, when offered, two-factor authentication should always be used.


Rapzid 8 hours ago | link

And don't use keys on your console admin accounts.


JoshTriplett 8 hours ago | link

> Logging, logging, logging - I can't stress on this enough. When things break, logging is crucial in piecing together what happened. Use log rotation to archive old logs so they don't hog the disk space.

Depending on the service you're building, you can log too much. Consider the privacy and security implications of the existence of those logs; anything you log can be subpoenaed, but logs that don't exist cannot be.

Consider anonymizing your logs from day 1, and only turning on non-anonymous logging upon a report from a user. Alternatively, give users a "report a problem" button, and save their last N minutes of otherwise-ephemeral logs only when they hit that button.

You absolutely want to log enough to help you debug the service, but do you really need to archive old logs, or should you delete them entirely?


landr0id 8 hours ago | link

> Logging, logging, logging - I can't stress on this enough. When things break, logging is crucial in piecing together what happened. Use log rotation to archive old logs so they don't hog the disk space.

How do most people manage activity logs? Currently what we have set up is the user id (if the user is logged in), IP address, URL they hit, user agent, and timestamp are all inserted into an activity logs table. For one particular site with an API that's being polled the size of the DB grew pretty large.


oisinkim 3 hours ago | link

> Logging, logging, logging - I can't stress on this enough.

There is no easier way to offload, view, filter, alert and search than logentries:


chrissnell 7 hours ago | link

Off-machine logging. There are commercial services (we're using Papertrail but there are tons of them), roll-your-own solutions (Elasticsearch-Logstash-Kibana), and simple solutions (syslog).

For an easy and simple solution, spin up a second instance and send logs to it via rsyslog over a private network interface. Most mature frameworks provide a method to send logs over syslog. It's UDP and very lightweight. Another plus: if you are compromised, you have another server with your logs and that server isn't running your vulnerable app.


clogston 6 hours ago | link

We're running the Elasticsearch, Logstash, Kibana (ELK) stack with the recommended approach i.e.:

    logstash client \
    logstash client --> redis -> logstash "server" process -> elasticsearch <- kibana
    logstash client /

We have a high logging load (we log every request) due largely to IRS requirements. I've been really happy with it over the past 6 months but something that cannot be overstated is that you'll really need to become familiar with each one of the technologies used as each requires its own setup and configuration. Not being familiar with any of them, it took me a solid 3 days to get to where the whole thing was usable and performant. Troubleshooting it is a breeze, and the whole system scales really easily, but a lot of that time was invested up front.


daigoba66 8 hours ago | link

Logging every hit will always require a lot of space. But there are some tricks you can use to "compress" it: hash long strings like the URL and user agent and store the hash as binary instead of a string. A 100+ byte string can compress to just 16 or 32 bytes depending on the hash you pick. Store the hash lookup in a separate table.


mandeepj 4 hours ago | link

what is the benefit of your approach? The lookup table will still have data growth issues


tonglil 6 hours ago | link

We keep the last 30 days and also send it out to Rollbar for notifications and analysis. It's working great!


porker 10 hours ago | link

> Logging, logging, logging - I can't stress on this enough. When things break, logging is crucial in piecing together what happened. Use log rotation to archive old logs so they don't hog the disk space.

+1 You can't log too much. The user who claims an important email never arrived - does your system say it was sent? This bug 3 users have reported yet no one can reproduce - what were they doing at the time and what else was going on? No, I'm not at that stage yet (of effectively being able to rewind application state in the log files to see what was going on), but for debugging issues in production it's exceedingly useful.


edmack 9 hours ago | link

Getting loads of core services out into third parties is really wonderful for logging. E.g. if email sending happens in Mandrill, then you never need to write decent logging calls for that and you have a reliable source of truth!


tlack 8 hours ago | link

Except you won't know if your server ever sent it to Mandrill. :) Always be extremely verbose with logging!


porker 3 hours ago | link

This brings up a tangential problem I've yet to solve: how do you warn that something didn't happen when it should?

E.g. you have a script that does backups. You log the script's output, but one day something fails and the script is no longer executed.

Some form of dead man's handle is needed; the only way I can think of is to set up a monitoring service to check your log store for these entries every X hours.

Any alternatives?
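The "check your log store for these entries every X hours" approach porker describes, as an added example (my code, not from the thread): the job's success marker becomes a heartbeat, and the check alerts when the newest marker is older than the schedule plus a grace period. The log lines and the `backup completed` marker format are constructed for the example.

```python
"""Dead man's handle for a scheduled job, driven from the log store.

Added example for the question above (not from the thread). Instead of
waiting for an error that never comes, the check looks for the job's own
success marker in the logs and alerts when the newest marker is older than
the expected schedule plus a grace period.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a syslog-like layout (not from a real system).
SAMPLE_LOG = """\
2015-01-08T02:00:03Z backup[4121]: backup completed: 3 databases, 1.2 GiB
2015-01-09T02:00:05Z backup[4302]: backup completed: 3 databases, 1.2 GiB
2015-01-09T14:12:51Z sshd[771]: Accepted publickey for deploy from 10.0.0.5
2015-01-10T02:00:02Z backup[4488]: backup completed: 3 databases, 1.3 GiB
2015-01-11T02:00:01Z backup[4670]: backup started
"""

# Only the success marker counts as a heartbeat; a "backup started" line does not.
SUCCESS_MARKER = re.compile(r"^(?P<ts>\S+) backup\[\d+\]: backup completed\b")


def parse_ts(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed log format."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_success(log_text: str):
    """Timestamp of the newest success marker, or None if there is none."""
    latest = None
    for line in log_text.splitlines():
        m = SUCCESS_MARKER.match(line)
        if m is None:
            continue
        ts = parse_ts(m.group("ts"))
        if latest is None or ts > latest:
            latest = ts
    return latest


def check_heartbeat(log_text: str, now: datetime, expected_hours: float, grace_hours: float):
    """Return (ok, message).

    ok is False when the newest success is older than now - (expected + grace),
    or when no success was ever logged; a job that silently stopped running
    therefore raises an alert even though it never wrote an error line.
    """
    latest = last_success(log_text)
    if latest is None:
        return False, "ALERT: no successful run logged at all"
    deadline = now - timedelta(hours=expected_hours + grace_hours)
    if latest < deadline:
        return False, f"ALERT: last success {now - latest} ago, expected every {expected_hours}h"
    return True, f"OK: last success at {latest.isoformat()}"


if __name__ == "__main__":
    # Daily job, two hours of grace, evaluated the morning after a run went missing.
    now = datetime(2015, 1, 11, 10, 0, tzinfo=timezone.utc)
    print(check_heartbeat(SAMPLE_LOG, now, 24, 2)[1])
```

Run it from cron (or the monitoring service porker mentions) against the aggregated log store, and route the ALERT line into the same alerting path as the other health checks.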


reymus 8 hours ago | link

I have always heard the opposite, that too much logging is as bad as no logging. I see the point of having the logs to be able to find out what happened, but what happens when there's so much logging that the information needed is just buried in a huge amount of noise?


msielski 7 hours ago | link

This is true, without the right tools. I am moving to logstash with kibana to do this, and it's looking very promising. See


revo13 5 hours ago | link

Concur with this. Log everything, and use Logstash/Kibana to sift through it for what you are looking for.


exelius 6 hours ago | link

This was true before Splunk. If you logged too much, your logs could start to outstrip the assumptions behind your log rotations and cause trouble. Now the common wisdom is to just log everything so you can Splunk it later if you have a problem. Verbose logging + Splunk have made production incident identification so much easier than it used to be.

Splunk DOES charge by the GB, but it's not very expensive in the long run.


gizmo686 7 hours ago | link

My favorite systems to work with are the ones with overly verbose logs, where the overly verbose parts were clearly tagged and could be filtered out. Generally, we would never look at the verbose lines, and even when we did, we would normally have some idea what we were looking for, and be able to filter somewhat for it.

icehawk219 8 hours ago | link

I'd actually argue it is possible to log too much if you aren't using good tools to make your logs easily searchable. Which is why you should use such tools if at all possible. Otherwise the logs can become so big that finding the entries for that bug or that email becomes pretty much impossible. This is also why it's important to take a few minutes and think about what you're logging and how. Things like request and user IDs can be invaluable. My test is usually "if I have nothing but this error message/log entry, do I have enough to begin investigating?". This is hard to get right until a bug or problem occurs and you actually need to use the logs but investing a bit of time into it can be a life saver.


Wednesday, January 07, 2015

how to copyright facts?

get them wrong. lie. now its fiction. heh.

kickstarter switches from amazon payments to stripe

hn discussion:

fiblye 16 hours ago | link

I have no experience with Stripe, but Amazon Payments was a huge pain in the ass for me when trying to set up my Kickstarter. Kickstarter verified me just by asking for a bit of personal info. When I tried making an Amazon Payments account, it locked me out after one failed attempt of verification with absolutely no reason for why it failed. I was pretty sure I should've gotten 3 attempts, but nope.

I then had to fax a bill proving I exist to Amazon in order to unlock it and try again. Got another attempt, and it locked me out once more. I then got a warning saying the next failed attempt would permanently disable my account.

Called up Amazon and they unlocked it for me. The rep was about to hang up, but I made sure she stayed on the line to walk me through the issue step-by-step. Turns out Amazon's system didn't like the way I input my street address, even though it verified just fine on Kickstarter. Verification normally takes a few hours/days to tell you that you failed, but the rep stayed on the line and made sure it went through fine that time.

Sorry for rambling on, but Amazon Payments gave me more trouble than any other payment service. Even Paypal was better. Googling for answers to my problems gave me countless results from other people who had the same mysterious problems, and it seemed many couldn't even get a response from customer service. If Stripe is even marginally better, then I'm glad they're moving on to them.


johnmaguire2013 12 hours ago | link

I used Amazon Payments for about 6 months for little freelance projects when I was 18. I loved it. Quick deposits to my bank, super-low fees, and I convinced a lot of people to join it.

Then they started saying they couldn't verify me. There was no "Talk to support," only "try verifying again." I tried about 3 times, and then it finally locked me out. I finally found a way to call up support and they said "Okay, we'll get back to you in a few days about what's wrong."

A few days later I got an email saying my account had been banned, would not be unbanned, and any further requests for information would be ignored.

Still wish I knew what I did wrong.

In the meantime, I've never been able to support Kickstarters because I couldn't use Amazon Payments.


xorcist 2 hours ago | link

Sounds exactly like Paypal.

The companies which handle your money seems to have the worst customer service. I don't understand how they get away with it in the marketplace.


sdoering 53 minutes ago | link

The silent majority uses it, is not interested in the workings of the system and the small number of edge cases that have gone bad.

Imho it's sloth - or exactly the same reason, why all these "great leaders" (aka politicians) get voted into office time after time. ;-) And I am as guilty as everybody else.


sethd 14 hours ago | link

Same exact experience as well. We ended up creating a new Amazon account linked to a different bank account and EIN (subsidiary of the main company) just to get around the lockout after submitting information to verify and waiting quite a while. Months later we received a notice saying the first account was unlocked after review but by then the Kickstarter was over and the money already deposited in our other account.


habosa 16 hours ago | link

I had the exact same experience. I have to have my friends buy things on Kickstarter for me since I don't feel like faxing Amazon proof of my existence (which they don't seem to require when I want to Amazon Prime some more USB cables).


free2rhyme214 16 hours ago | link

Funny how big companies continually do this.

Only a few big companies avoid doing this which is why startups will thrive until they too become big slow companies.


jakejake 13 hours ago | link

You can kinda tell when a process is designed around fraud prevention, rather than being designed around user experience. Big companies make big targets and so they naturally become more risk averse.


rhizome 6 hours ago | link

Yet they also have the resources and manpower with skills to smooth it all out if they wanted to. That is, if it's even possible; the financial system's burdens may be insurmountable to provide a good UX.


rebootthesystem 15 hours ago | link

This does not surprise me at all.

Amazon, behind the curtains, is an ugly smelly mess. Just ask anyone who sells on Amazon professionally. The stories I've heard are beyond belief.


leeoniya 15 hours ago | link

yes, it's bad; not just bad, it's borderline insane, given the resources they have to make something awesome.

there are no fewer than 4 different APIs and endpoints to do the same thing, each with strange feature omissions / quirks and differing names for the same variables (sometimes just case). there is a separate sign-up for each service, with all-new verification; it's like they absorbed 10 different competing payment services, kept their original APIs and rapidly churned each of them into some additional shitty branded product. what's worse is that FPS was the best option as it could do what you wanted, how you wanted without being forced into a specific UI/pipeline.

now FPS is being discontinued [1] and everyone is being shoved into the widget-only "Login and Pay with Amazon"

if anyone knows of a way to retain the "leave-to-log-in -> select funds source -> come-back-with-token" process, please let me know. we're trying to keep our UI the same for all payment processors/methods, this widget requirement is not going to work for us.

[1]

ChrisNorstrom 14 hours ago | link

I hate selling on Amazon. Hate it. Ebay fees are 11%, Amazon fees are 40-50%. I've seen a seller almost cry watching amazon take over $140 in fees out of a $300 transaction. And routinely take 50% of gross receipts. Yes this is normal. I read the email customer service sent back about it. Sellers have started canceling large transactions and directing their buyers to the same product listing on etsy, ebay, or their own store. Don't get me started on the inability to control shipping rates like every other marketplace. Amazon is the dinosaur of online shopping.

And the biggest insult is Amazon saying they make so little profit. Where is all this money going?


Alupis 12 hours ago | link

> Amazon fees are 40-50%. I've seen a seller almost cry watching amazon take over $140 in fees out of a $300 transaction

That's a little exaggerated. My company sells a lot of stuff on Amazon... for a Pro Merchant account ($40 a month and gets you no per-item listing fees), Amazon commission rates are based on which selling category you list your items in... they range from 10% - 30% generally, but do fluctuate from time to time. For any items on Amazon that are listed at or less than $6 there is a minimum commission rate of $1 or $2 depending on the category (the reason most cheaper items have disappeared from amazon lately).

Regardless, you have to bake the Amazon commission rate into your sale price, otherwise you will lose money.

It's often considered an "insider secret" that almost everything listed on Amazon is more expensive than if you just did a search for the seller's actual website. Few people do this, and a lot of people just assume Amazon is cheaper always (which is absurdly false).

The pricing formula is often:

product cost * 2 == your normal markup for selling on your website

Amazon formula is often:

(product cost * 2) / (1 - commission rate in decimal)

So, say you acquire a product for $10. Your website will probably list it for $20 retail price. On Amazon (assuming a 20% commission rate) you will likely list it for $25 (10 * 2 / .80 = $25)

Amazon then takes their 20% commission cut ($5 in this case), which leaves you back at your original target retail price, $20.

The customer eats the Amazon commission fee.


pbhjpbhj 12 hours ago | link

> It's often considered an "insider secret" that almost everything listed on Amazon is more expensive than if you just did a search for the seller's actual website.

See, I'd assumed that, but at least in the UK the things I've looked at buying on Amazon have been equitably priced and sometimes cheaper on Amazon than on the sellers' own sites. Didn't Amazon get in trouble for having a contract term that requires that they be able to sell at the low price offered to anyone else .. or did I dream that.

Once you factor in postage and having to make a new account Amazon has worked out cheaper for me [versus sellers own site] each time I've looked.

Any examples you can give?


Alupis 12 hours ago | link

> requires that they be able to sell at the low price offered to anyone else .. or did I dream that.

That's very false, at least for regular products on Amazon, ebooks and books have special rules and maybe that's what you recall...

You can list your products at any price you want. Browse to any product that has the "More from $xx" button below the main listing, it will take you to a list of all sellers listing that same product (matched usually by UPC or similar, but can also just be hand selected when the listing is being created, however usually only small-time sellers bother with that since it's very difficult to manage a catalog of 20K+ products and handle each one by hand). Each will list it at different prices. Some sellers even list the same item multiple times at different prices. There's no perfect strategy, but obviously they think it benefits them somehow.

> Once you factor in postage

Well, it seems you are overseas and not in the US, so shopping on is probably not going to save you a lot because your shipping fees will be much more significant than most people buying domestic. Have you tried shopping on These should be mostly domestic sellers (if you are in fact from the UK). There's also a Japan amazon and a few others.

> and having to make a new account Amazon has worked out cheaper for me

Making an account is free on almost all (sane) ecommerce websites. So this is just a laziness thing (no really it is, I'm not being smart with you, we go through great pains to make account creation as simple and easy as can be since it often does turn away customers). I do agree that having a common account is nice and simpler... which is why a lot of ecommerce websites now allow you to checkout with an amazon account (well, maybe not anymore?), Facebook account (to grab you name, email, address, etc), google account, etc.

> Any examples you can give?

There's loads. Some categories and really really big sellers (think Target/Walmart sized sellers) get special deals/treatments on Amazon and are called "Platinum Sellers". The electronics items generally will be round-about what you will pay on or similar, but in my experience will be a few bucks cheaper and/or have more selection that is easier to browse.

Here's a few quick ones I found: Listed at $57.95 + shipping per each

And from the manufacturer: Listed at $28.00 + shipping per each

Here's a better example of the same seller on Amazon, and on their own website: Listed at $6.63 per each Listed at $0.26 per each

~~~~ Another dirty little secret is the Buy Box (what the "Add to Cart" button on the main product page is called) is not always the cheapest offer for an item. You often have to click the "More from $xx" link to see all offers and find the cheapest one. The Buy Box is awarded based on a convoluted algorithm that weighs a lot of factors including feedback ratings, email message response times, number of feedbacks in the past 12 months (it's average to have about 4%-8% of sales leave feedback), on time shipments, on time deliveries, etc etc etc... They all add up and allow some sellers to list an item at a higher price than others, but still get awarded the Buy Box.


JohnTHaller 2 hours ago | link

> requires that they be able to sell at the low price offered to anyone else .. or did I dream that.

> That's very false, at least for regular products on Amazon, ebooks and books have special rules and maybe that's what you recall...

As per Amazon's guidelines: "General Pricing Rule: By our General Pricing rule, you must always ensure that the item price and total price of an item you list on are at or below the item price and total price at which you offer and/or sell the item via any other online sales channel."


You are required to offer the item at the lowest price available on or they can cancel your listing and/or account.


pbhjpbhj 10 hours ago | link

re: geography. Yes, I meant considering the parallel situation in the UK with

re: making accounts, it takes time; if pricing is comparable then using your established account is usually quicker. Yes that's "laziness" if you like; I prefer to consider it consideration of the value of time.

Your examples:


Canakit sell the item for $57.60 + $12.95 shipping on their website: On Amazon it's $57.95 + $15 shipping ... which is $2.40 more.

However SparkFun, which aren't even in the list - despite it saying "by sparkfun" in the product header [what's with that?] do sell that item at a lower price from their own website. Digi, the manufacturers, don't appear to sell it at all.


Cotton finger guards are a pack of 4 .. but still vastly over-priced. has at 100 for $5 (5¢ each) but it's an add-on item.

With your I tried ordering 4 from their website and the subtotal with shipping (to mainland USA) + taxes comes to $10.77. That's more than the vastly inflated Amazon price!

// I never said you couldn't find things cheaper elsewhere, just that IME the sellers external price was pretty close to the Amazon price for things I'd looked at buying. We're one-all on your examples. I suspect niche products probably have more Amazon markup?

Looking at top sellers in Home & Kitchen ( for example NutriBullet sells at $69.99 whilst it's 6 x $19.99 + $39.50 on their own website ... that's probably a special case. The top 2 items in that dept. weren't available via the sellers own site.


pbhjpbhj 9 hours ago | link

Amazon price parity policy (it was dropped), didn't think I'd really dreamt it up though.


rasz_pl 7 hours ago | link

There is plenty of stuff that is somehow cheapest on Amazon, or Amazon exclusive. What's up with that?

for example Seiki TVs


ChrisNorstrom 8 hours ago | link

Here's a screenshot of my fees this year:


buovjaga 13 hours ago | link

> And the biggest insult is Amazon saying they make so little profit. Where is all this money going?

I guess they make the profits disappear by using tax havens:


mschuster91 11 hours ago | link

Even "sunk" or "disappeared" money must end up somewhere. In Amazon's case, they have a shitload of investment costs (warehouse/datacenter building and staffing, both need massive upfront investment and take quite a time to go black) and costs for failed/under research-projects like the Fire Phone.


moe 14 hours ago | link

Where is all this money going?

Presumably into keeping their retail prices slightly below the competition, and free shipping.


mandeepj 13 hours ago | link

> Amazon fees are 40-50%

That is enormous. I do not see that fee structure anywhere here.

ChrisNorstrom 8 hours ago | link

I didn't either but:


vacri 9 minutes ago | link

The reason is right there in the footnote: the user only charges a penny for the items. The user is doing a hacky trick, and firing off a higher percentage take by amazon.


how about a ban on speaking any language other than English

because, you know, law enforcement doesn't understand french..

Federal and state governments should consider passing laws that forbid smartphones, tablets and other such devices from being “sealed off from law enforcement,” Manhattan District Attorney Cyrus Vance said today in an interview at a cybersecurity conference in New York.
