Hacker Newsnew | past | comments | ask | show | jobs | submit | mrduncan's commentslogin

Yammer - San Francisco, London

At Yammer, our mission is to change the way people work, and that mission starts with us. We use our own product every day to promote and encourage our culture of openness and transparency. Yammer provides each user with a voice, empowering individuals to share ideas, ask questions, and voice concerns. We're passionate about building a great product that people love to use, and we're looking for similarly product-minded engineers to join us.

We work with all kinds of languages (Java, Ruby, Javascript, to name a few) and technologies (anything from Postgres, Riak, and Berkley DB to Rails, Dropwizard, and Backbone). We're also never afraid to try new things but not just for the sake of trying new things.

We've got all the standard perks: free food, free booze, lots of dogs, and amazing benefits.

Check our our blog or shoot me an email (mduncan@yammer-inc.com) - I'd love to talk.

http://eng.yammer.com/blog/


CouchDB uses SHA-1 hashes for passwords - you've got to be kidding me. What is the rationale for that over bcrypt?


At the time we choose sha1 because the password hashing for creating new user documents was done by the client, often in the browser. At the time there were no good bcrypt implementations in JavaScript. Here is the related bug tracker issue https://issues.apache.org/jira/browse/COUCHDB-1060


Speed. Bcrypt is much slower.


That's part of bcrypt's reason for existing. In order to protect against brute-forcing stolen hashes, bcrypt has to be slow enough to make brute force impractical. This isn't a bug; it's a necessary feature. If the server they're running npm on is so old or so overloaded that the slowdown from using bcrypt would even be particularly noticeable, then they have other problems.


Oh it can surely run bcrypt for a few users. The question is if it can run it for a couple thousands a minute.

I am not so sure of that.


The sites that have easily scaled bcrypt include many so large that this argument has basically been mooted, but if you want to nerd around with it: you would hypothetically just turn the cost factor down to accommodate load.


It doesn't need to run it for a couple thousand a minute, there aren't that many people registering with NPM at any given time.


Sure, but how many people are using it? You would need to verify the password on each request (since you can't use browser cookies).


The operations npm needs to log in for are a fairly small percentage of the total. If you need to upload a new version of a package, then that takes a password. If you just need to search for a package, or download its latest version, those don't need authentication. The overhead from using proper slow password hashing would be minimal.

And evidently the CouchDB guys agree with me, because they switched to using PBKDF2 for password storage -- essentially, iterate SHA several thousand times to make it slower.


Wouldn't npm client be sending the hashed version of the password rather than the password itself? then the server only has to compare the two hashes.


I've found Lanyrd to usually be the best bet for finding conferences - unfortunately, they don't list any either.

http://lanyrd.com/topics/common-lisp/


I agree with using Lanyrd for tracking conferences.

And to bring this back around ... don't forget to check out http://lanyrd.com/2011/clojure-conj/


It's not that easy though, for example, Jacobellis v. Ohio - how would you go about defining the threshold of pornography?

http://en.wikipedia.org/wiki/I_know_it_when_I_see_it


Great point. Your question reminded me of the scene from Aviator: "Dr. Branson is a mathematician of some note...yes. And he will prove that, in fact, Ms. Russell's mammaries are no more prominant than any of these other fine ladies. Doctor? Doctor... you forgot your calipers."


that's my point. If something can't be specified unambiguously in code, it shouldn't be in a law. Whether the verdict is innocent or guilty shouldn't rest on who happens to be sitting on the bench that day.


Also, don't forget about Google Books.

http://en.wikipedia.org/wiki/Google_Book_Search_Settlement_A...


The numbers on cards become a lot harder to read after the coloring wears off of the numbers. Even as a human it can be hard to read them at times depending on the lighting.

Card layouts also vary a lot, even from the same issuers (for example: the Amex PASS).

Reading the mag stripe prevents fraud and therefore is subject to lower fees by CC companies.

Not to mention, having someone take a picture of my credit card would spook me out a little (yes, even if I'm familiar with the product).


To your last point, how is letting someone scan the magnetic stripe less spooky?

Considering that augmented reality app that translates words on signs in real time, I suspect there is far less entropy in the raised numbers on a credit card... though you may be right that the variety of layouts would make it harder than it would at first seem.


Technically, it is not at all.

Socially however, I'd wager that fewer people would let you take a picture of their card compared to swiping it. People are simply used to having credit cards swiped, they aren't used to having pictures taken of them.


If you've never seen it, their pitch deck is also pretty interesting:

http://www.slideshare.net/hnshah/mintcom-prelaunch-pitch-dec...


That's actually a pitch deck made by a university class doing a case study on Mint


Sorry, I never realized that - it is still interesting in any case.


Since this article doesn't have much substance, if you're looking to do something similar, check out this article on CSS rotation transformations.

http://snook.ca/archives/html_and_css/css-text-rotation


Indeed. This crashed my browser (Dolphin HD).


A heads-up for anyone upgrading - 2.2.4 is now released.

    Warning, going to release 2.2.4 in seconds as I decided
    to change the semantics of OBJECT command to avoid
    problems in the future.
https://twitter.com/#!/antirez/status/55621384126201856


True, the change is really minimal, but will prevent some incompatibility in the future. Btw 2.2.4 already released.

The change is about the return of the "OBJECT encoding" command against a sorted set. Since sorted sets have no special encoding yet (the special internal encoding Redis uses to save space for small lists, sets, ...) 2.2.3 used to return "raw". But since Pieter Noordhuis coded an awesome patch to bring specially encoded sorted sets to us, and a few cool guys are testing it since weeks with no problems, I think that we'll soon get it merged in the 2.2 branch.

When we'll have specially encoded sorted sets OBJECT encoding against a sorted set will return either "skiplist" or "ziplist", so I modified the return value to return just "skiplist" now. So after the merge everything will still be compatible.

A lot of words for a simple change, but semantics is important!


Care to elaborate on what is so bad about them (or, what you'd like to see improved)?


They cannot keep me logged in for more than a few minutes.

They charge a ridiculous fee for texts.

You can't give multiple people access to your account, which is really important given we use Pingdom to notify multiple people... If someone wants to change their contact info, I have to do it.

You can't set individual notifications. For example, I want to receive push notifications to my iPhone. David would prefer to receive emails. We can't enable one style for one person. Instead, I have to receive his emails and he has to receive my iPhone chirps.

The iPhone app is amazingly buggy.

So, why do we use it? Someone recommended them to me, and we've already paid for it. I just assumed something that expensive and oft-recommended would be better.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: