Thoughts and Writings

In reverse chronological order.

Current interests

  • Using the Rust programming language for graphics programming. I wrote a library for collision detection in 2D: quadtree-cd.
  • BuckleScript, Bloomberg's transpiler that lets you write JavaScript using OCaml (or Reason, which is Facebook's syntax for the same language). I'm the author of bs-virtualdom, a virtual DOM library written in BuckleScript. Like Elm, it's based on the functional/reactive application model.
  • TypeScript, a typed superset of JavaScript. I'm the author of ts-postgres, a PostgreSQL client library written in TypeScript which supports pipelining.
  • Pony, an open-source, object-oriented, actor-model, capabilities-secure, high-performance programming language.

Most of my open-source contributions are available via GitHub.

Fri, 25 September 2020 22:28:03 GMT

Mitigating 2FA abuse by bad actors

A friend of mine was recently scammed into handing over a six-digit verification code to her WhatsApp account.

Six-digit WhatsApp verification code

She lost access to her account within seconds, but what's more, there was no easy way to recover it despite being able to receive SMS messages on the registered number, needed for 2FA: the scammers had effectively locked her out through efficient use of the "too many attempts" abuse control.

The account would be locked for a period of 7 hours after which the same thing would repeat, seemingly to no end.

You tried to verify your phone number too many times. Contact support for assistance.

Now, six digits is only a million possibilities, so some limit on wrong attempts is needed. But instead of locking the number, why not respond to repeated failures by sending a verification code with additional digits? Every extra digit multiplies the guessing space by ten, so the attempt limit can be relaxed by the same factor without weakening the code, and the legitimate holder of the phone, who can read the SMS, is never kept out. This seems like an easy fix and a missed opportunity for ensuring the swift recovery of the account. It does nothing against the original scam, which relied on persuading her to hand over a code, but it takes away the attacker's ability to keep the account locked afterwards.
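To make the trade-off concrete, here is an added example (my own model, not WhatsApp's code or anything from the post) of the two policies side by side: a verifier that locks the number for seven hours after a handful of wrong codes, and one that never locks but lengthens the next code as failures accumulate, keeping the chance of guessing any single code under an assumed bound. The constants, class names and the scammer scenario are assumptions for illustration.

```python
"""Added example (not WhatsApp's code or the post's own): a verification-code
policy that lengthens the code instead of locking the number when too many
wrong codes are entered.  Constants, class names and the simulated scammer are
assumptions made for illustration."""
import hmac
import secrets
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, Optional

MAX_GUESS_PROBABILITY = Fraction(1, 100_000)  # assumed bound per issued code
BASE_DIGITS = 6
MAX_DIGITS = 12
ATTEMPTS_PER_CODE = 5          # wrong entries tolerated against one code
LOCKOUT_SECONDS = 7 * 3600     # the 7-hour lock the post describes


def digits_for(total_attempts: int) -> int:
    """Shortest code length (>= BASE_DIGITS) such that total_attempts guesses
    succeed with probability <= MAX_GUESS_PROBABILITY.  Exact rational maths,
    so there is no float rounding at the boundary: 10 -> 6 digits, 11 -> 7."""
    digits = BASE_DIGITS
    while digits < MAX_DIGITS and Fraction(total_attempts, 10 ** digits) > MAX_GUESS_PROBABILITY:
        digits += 1
    return digits


def _new_code(rng, digits: int) -> str:
    return "".join(rng.choice("0123456789") for _ in range(digits))


def _matches(code: str, guess: str) -> bool:
    return hmac.compare_digest(code.encode(), guess.encode())  # constant-time compare


@dataclass
class Account:
    phone: str
    code: Optional[str] = None   # outstanding code, None when nothing is pending
    attempts_left: int = 0       # wrong entries still allowed against .code
    total_failures: int = 0      # wrong entries ever recorded for this number


class StepUpVerifier:
    """Never locks the number: each new code is long enough that all guesses
    ever allowed against the number fit the probability budget."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.accounts: Dict[str, Account] = {}

    def send_code(self, phone: str, now: float = 0.0) -> Optional[str]:
        acct = self.accounts.setdefault(phone, Account(phone))
        acct.code = _new_code(self.rng, digits_for(acct.total_failures + ATTEMPTS_PER_CODE))
        acct.attempts_left = ATTEMPTS_PER_CODE
        return acct.code  # in a real system this goes out by SMS, never to the caller

    def verify(self, phone: str, guess: str, now: float = 0.0) -> str:
        acct = self.accounts.get(phone)
        if acct is None or acct.code is None:
            return "no-code"
        if _matches(acct.code, guess):
            acct.code = None
            return "ok"
        acct.total_failures += 1
        acct.attempts_left -= 1
        if acct.attempts_left == 0:
            acct.code = None  # this code is burnt; the next one will be longer
            return "code-burnt"
        return "wrong"


class LockingVerifier:
    """The policy the post describes: after ATTEMPTS_PER_CODE wrong codes the
    number is locked for LOCKOUT_SECONDS, its legitimate holder included."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.accounts: Dict[str, Account] = {}
        self.locked_until: Dict[str, float] = {}

    def _locked(self, phone: str, now: float) -> bool:
        return self.locked_until.get(phone, 0.0) > now

    def send_code(self, phone: str, now: float = 0.0) -> Optional[str]:
        if self._locked(phone, now):
            return None  # "You tried to verify your phone number too many times"
        acct = self.accounts.setdefault(phone, Account(phone))
        acct.code = _new_code(self.rng, BASE_DIGITS)
        acct.attempts_left = ATTEMPTS_PER_CODE
        return acct.code

    def verify(self, phone: str, guess: str, now: float = 0.0) -> str:
        if self._locked(phone, now):
            return "locked"
        acct = self.accounts.get(phone)
        if acct is None or acct.code is None:
            return "no-code"
        if _matches(acct.code, guess):
            acct.code = None
            return "ok"
        acct.attempts_left -= 1
        if acct.attempts_left == 0:
            acct.code = None
            self.locked_until[phone] = now + LOCKOUT_SECONDS
            return "locked"
        return "wrong"


def simulate(verifier, rounds: int = 3, phone: str = "+4500000000"):
    """Constructed scenario: a scammer who knows the number requests a code and
    burns it with wrong guesses, `rounds` times; then the real owner, who can
    read the SMS, tries to get back in.  Returns (owner_recovered, burnt_lengths)."""
    burnt = []
    for _ in range(rounds):
        code = verifier.send_code(phone)
        if code is None:            # locked: nothing to burn, and nothing for the owner either
            burnt.append(0)
            continue
        burnt.append(len(code))
        wrong = str((int(code[0]) + 1) % 10) + code[1:]   # guaranteed incorrect
        for _ in range(ATTEMPTS_PER_CODE):
            verifier.verify(phone, wrong)
    owner_code = verifier.send_code(phone)
    recovered = owner_code is not None and verifier.verify(phone, owner_code) == "ok"
    return recovered, burnt


if __name__ == "__main__":
    print("locking:", simulate(LockingVerifier()))   # (False, [6, 0, 0])
    print("step-up:", simulate(StepUpVerifier()))    # (True, [6, 6, 7])
```

The simulation never lets time advance, which is the victim's experience: with the locking policy the scammer burns one code and every later request, the owner's included, is refused. With the step-up policy the scammer's attempts only make the owner's next code longer, and since the owner reads the code off the SMS its length costs them nothing. The model is deliberately blunt about what it does not fix: the cumulative counter would need to decay in a real deployment, and nothing here stops the social-engineering step that started the attack.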

Wed, 14 August 2019 16:42:00 GMT

Using built-in transparent compression on MacOS

Ever since DriveSpace on MS-DOS (or really, Stacker) we've had transparent file compression, with varying degrees of automation. DriveSpace compressed the whole volume without being asked; in newer filesystems it is something you opt into: ZFS and Btrfs enable it per dataset or mount option, while on APFS (and even HFS+) it is applied per file or folder, which means a tool has to do it for you.

But no one's using it!

On my system, compressing /Applications saved 18GB (38.7%).

MacOS doesn't actually come with a utility to compress files in place even though the core functionality is included (ditto can write compressed copies with --hfsCompression, but that's it), so you'll need to install an open-source tool in order to use it.

$ brew install afsctool

To compress a file or folder, use the -c flag like so:

$ afsctool -c /Applications

(You might need to use root for some application and/or system files; files protected by System Integrity Protection can't be modified even as root.) Afterwards, ls -lO lists a "compressed" flag on the files it touched, and running codesign --verify --deep --strict on an application bundle confirms that its code signature still verifies after the rewrite.

Sat, 5 May 2018 08:19:00 GMT

Security questions as 2FA violate GDPR

I have an on-going discussion with Kucoin, a cryptocurrency exchange, on the issue of whether I can remember security questions that I allegedly have entered into their system such as:

  • What is your first dog's name?
  • What is your mother's maiden name?
  • Etc.

Now, you should never put real information in such fields, but it turns out that if you put in random strings, someone might eventually prompt you for them, which is why it's a good idea to write them down — which I didn't.

But here's the thing: the answers are still personal data. Under GDPR I have a right to see the data a company holds about me, or to have it erased, and Kucoin must therefore have some process for verifying that the person asking is really me before it hands the answers over or removes them. That process is an alternative route around the security questions, so as a second factor they are only as strong as the weakest such route, much like being able to reset authentication by e-mail. (They are also something you know, the same category as the password, so they were never an independent second factor to begin with.)

QED. But Kucoin still hasn't succumbed to my argument.

Sat, 10 Dec 2016 08:30:00 GMT

The technical interview

Dilbert, Wednesday August 27, 2003

The key to passing a technical interview is to stop and think.

If she says she can do it
Then she can do it,
She don't make false claims

– David Bowie

Fri, 26 Sep 2014 11:00:00 GMT

A Skip Dict for CPython

A skip dict is a data structure that maintains a sorted set: each member carries a score, and the members are kept in score order. Redis sorted sets work this way — see for example the ZADD command — but I needed something simple that worked inside Python itself and ended up writing a package with an implementation in C that still provides a fairly idiomatic Python interface.

It's released and available on PyPI as skipdict and works on CPython 2.7+ and 3.3+. For more reference, see this answer on StackOverflow.
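For readers who want to see what the structure actually does, here is an added pure-Python skip list (my own illustration, not the skipdict package's C implementation or its API) that maps keys to numeric scores and walks them in score order, with a score-range query in the spirit of Redis's ZRANGEBYSCORE. The class and method names are chosen here for illustration.

```python
"""Added example, not the skipdict package's own code: a pure-Python skip list
mapping keys to numeric scores, iterated in (score, key) order like a Redis
sorted set.  Names below are chosen for illustration only."""
import random
from typing import Any, Dict, Iterator, List, Optional, Tuple


class _Node:
    __slots__ = ("key", "score", "forward")

    def __init__(self, key: Any, score: Optional[float], level: int):
        self.key = key
        self.score = score
        self.forward: List[Optional["_Node"]] = [None] * level  # one link per level


class SkipDict:
    """key -> score mapping kept sorted by (score, key); expected O(log n)
    insert, delete and range queries.  Level 0 is a plain sorted linked list;
    each higher level is an express lane over the one below.  Keys that tie on
    score must be mutually comparable so the order is deterministic."""

    MAX_LEVEL = 16   # plenty for ~2**16 entries at P = 0.5
    P = 0.5

    def __init__(self, seed: Optional[int] = None):
        self._rng = random.Random(seed)          # seedable for reproducible layouts
        self._head = _Node(None, None, self.MAX_LEVEL)
        self._level = 1
        self._scores: Dict[Any, float] = {}      # hash index for O(1) score lookup

    def _random_level(self) -> int:
        level = 1
        while level < self.MAX_LEVEL and self._rng.random() < self.P:
            level += 1
        return level

    def _predecessors(self, score: float, key: Any) -> List[_Node]:
        """For each level, the last node that sorts strictly before (score, key)."""
        update: List[_Node] = [self._head] * self.MAX_LEVEL
        node = self._head
        for i in range(self._level - 1, -1, -1):
            nxt = node.forward[i]
            while nxt is not None and (nxt.score, nxt.key) < (score, key):
                node, nxt = nxt, nxt.forward[i]
            update[i] = node
        return update

    def __setitem__(self, key: Any, score: float) -> None:
        if key in self._scores:
            del self[key]                        # re-scoring moves the node
        update = self._predecessors(score, key)
        level = self._random_level()
        self._level = max(self._level, level)
        node = _Node(key, score, level)
        for i in range(level):                   # splice in at every level it occupies
            node.forward[i] = update[i].forward[i]
            update[i].forward[i] = node
        self._scores[key] = score

    def __delitem__(self, key: Any) -> None:
        score = self._scores.pop(key)            # KeyError if absent, like dict
        update = self._predecessors(score, key)
        target = update[0].forward[0]
        for i in range(len(target.forward)):     # predecessor at each level links to target
            update[i].forward[i] = target.forward[i]
        while self._level > 1 and self._head.forward[self._level - 1] is None:
            self._level -= 1

    def __getitem__(self, key: Any) -> float:
        return self._scores[key]

    def __contains__(self, key: Any) -> bool:
        return key in self._scores

    def __len__(self) -> int:
        return len(self._scores)

    def __iter__(self) -> Iterator[Any]:
        node = self._head.forward[0]             # level 0 holds every node, in order
        while node is not None:
            yield node.key
            node = node.forward[0]

    def items(self) -> List[Tuple[Any, float]]:
        return [(k, self._scores[k]) for k in self]

    def range_by_score(self, lo: float, hi: float) -> List[Any]:
        """Keys with lo <= score <= hi, ascending (cf. Redis ZRANGEBYSCORE)."""
        node = self._head
        for i in range(self._level - 1, -1, -1):
            while node.forward[i] is not None and node.forward[i].score < lo:
                node = node.forward[i]
        node, out = node.forward[0], []
        while node is not None and node.score <= hi:
            out.append(node.key)
            node = node.forward[0]
        return out


def leaderboard_demo() -> List[Tuple[str, float]]:
    """Constructed sample: a tiny leaderboard with a re-score and a removal."""
    board = SkipDict(seed=42)
    for name, score in [("alice", 3.0), ("bob", 1.5), ("carol", 2.0), ("dave", 2.0)]:
        board[name] = score
    board["bob"] = 5.0       # bob moves from the bottom to the top
    del board["dave"]
    return board.items()     # [('carol', 2.0), ('alice', 3.0), ('bob', 5.0)]
```

The hash index next to the list is what makes this a dict rather than a bare sorted set: a score lookup by key is O(1), and re-scoring a key is a delete followed by an insert rather than a search for the old position. The C implementation in the skipdict package makes the same trade-off in spirit but is a separate code base; this example is only meant to show the shape of the structure.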

Wed, 26 July 2006 11:00:00 GMT