Coding Horror

programming and human factors

Electric Geek Transportation Systems

I've never thought of myself as a "car person". The last new car I bought (and in fact, now that I think about it, the first new car I ever bought) was the quirky 1998 Ford Contour SVT. Since then we bought a VW station wagon in 2011 and a Honda minivan in 2012 for family transportation duties. That's it. Not exactly the stuff The Stig's dreams are made of.

The station wagon made sense for a family of three, but became something of a disappointment because it was purchased before — surprise! — we had twins. As Mark Twain once said:

Sufficient unto the day is one baby. As long as you are in your right mind don't you ever pray for twins. Twins amount to a permanent riot. And there ain't any real difference between triplets and an insurrection.

I'm here to tell you that a station wagon doesn't quite cut it as a permanent riot abatement tool. For that you need a full sized minivan.

I'm with Philip Greenspun. Like black socks and sandals, minivans are actually … kind of awesome? Don't believe all the SUV propaganda. Minivans are flat out superior vehicle command centers. Swagger wagons, really.

[image: a-team-van]

The A-Team drove a van, not a freakin' SUV. I rest my case.

After 7 years, the station wagon had to go. We initially looked at hybrids because, well, isn't that required in California at this point? But if you know me at all, you know I'm a boil the sea kinda guy at heart. I figure if you're going to flirt with partially electric cars, why not put aside these half measures and go all the way?

Do you remember that rapturous 2014 Oatmeal comic about the Tesla Model S? Even for a person who has basically zero interest in automobiles, it did sound really cool.

[image: oatmeal-tesla-s-spaceboat]

It's been 5 years, but from time to time I'd see some electric vehicle on the road and I'd think about that Intergalactic SpaceBoat of Light and Wonder. Maybe it's time for our family to jump on the electric car trend, too, and just late enough that we can avoid the bleeding edge and end up merely on the … leading edge?

That's why we're now the proud owners of a fully electric 2019 Kia Niro.

[image: kia-niro-2019]

I've somehow gone from being a person who basically doesn't care about cars at all … to being one of those insufferable electric car people who won't shut up about them. I apologize in advance. If you suddenly feel an overwhelming urge to close this browser tab, I don't blame you.

I was expecting another car, like the three we bought before. What I got, instead, was a transformation:

  • Yes, yes, electric cars are clean, but it's a revelation how clean everything is in an electric. You take for granted how dirty and noisy gas based cars are in daily operation – the engine noise, the exhaust fumes, the brake dust on the rims, the oily residues and thin black film that descends on everything, the way you have to wash your hands every time you use the gas station pumps. You don't fully appreciate how oppressive those little dirty details were until they're gone.

  • Electric cars are (almost) completely silent. I guess technically in 2019 electric cars require artificial soundmakers at low speed for safety, and this car has one. But The Oatmeal was right. Electric cars feel like spacecraft because they move so effortlessly. There's virtually no delay from action to reaction, near immediate acceleration and deceleration … with almost no sound or vibration at all, like you're in freakin' space! It's so immensely satisfying!

  • Electric cars aren't just electric, they're utterly digital to their very core. Gas cars always felt like the classic 1950s Pixar Cars world of grease monkeys and machine shop guys, maybe with a few digital bobbins added here and there as an afterthought. This electric car, on the other hand, is squarely in the post-iPhone world of everyday digital gadgets. It feels more like a giant smartphone than a car. I am a programmer, I'm a digital guy, I love digital stuff. And electric cars are part of my world, rather than the other way around. It feels good.

  • Electric cars are mechanically much simpler than gasoline cars, which means they are inherently more reliable and cheaper to maintain. An internal combustion engine has hundreds of moving parts, many of which require regular maintenance, fluids, filters, and tune ups. It also needs a complex multi-speed transmission to work around the narrow power band of a gas engine. None of this is necessary on an electric vehicle, whose motor is basically one moving part, driving the wheels through a single fixed reduction gear. This newfound simplicity is deeply appealing to a guy who always saw cars as incredibly complicated (but computers, not so much).

  • Being able to charge at home overnight is perhaps the most radical transformation of all. Your house is now a "gas station". Our Kia Niro has a range of about 250 miles on a full battery. With any modern electric car, provided you drive less than 200 miles a day round trip (who even drives this much?), it's very unlikely you'll ever need to "fill the tank" anywhere but at home. Ever. It's so strange to think that in 50 years, gas stations may eventually be as odd to see in public as telephone booths now are. Our charger is, conveniently enough, right next to the driveway since that's where the power breaker box was. With the level 2 charger installed, it literally looks like a gas pump on the side of the house, except this one "pumps" … electrons.

[image: level-2-ev-charger]

This electric car is such a great experience. It's so much better than our gas powered station wagon that I swear, if there were a fully electric minivan (there isn't) I would literally sell our Honda minivan tomorrow and switch over. Without question. And believe me, I had no plans to sell that vehicle two months ago. The electric car is that much better.

I was expecting "yet another car", but what I got instead was a new, radical worldview. Driving a car powered by barely controlled liquid fuel detonations used to be normal. But in a world of more and more viable electric vehicles this status quo increasingly starts to feel … deeply unnatural. Electric is so much better of an overall experience that you begin to wonder: why did we ever do it that way?

Gas cars seem, for lack of a better word, obsolete.

[image: ev-sales]

How did this transformation happen, from my perspective, so suddenly? When exactly did electric cars go from "expensive, experimental thing for crazy people" to "By God, I'll never buy another old fashioned gasoline based car if I can help it"?

I was vaguely aware of the early electric cars. I even remember one coworker circa 2001 who owned a bright neon green Honda Insight. I ignored it all because, like I said, I'm not a car guy. I needed to do the research to understand the history, and I started with the often recommended documentary Who Killed the Electric Car?

This is mostly about the original highly experimental General Motors EV1 from 1996 to 1999. It's so early the first models had lead-acid batteries! 😱 There are a number of conspiracy theories floated in the video, but I think the simple answer to the implied question in the title is straight up price. The battery tech was nowhere near ready, and per the Wikipedia article the estimated actual cost of the car was somewhere between $100,000 and $250,000, though I suspect it was much closer to the latter. It is interesting to note how much the owners (well, leasers) loved their EV1s. Having gone through that same conversion myself, I empathize!

I then watched the sequel, Revenge of the Electric Car. This one is essential, because it covers the dawn of the modern electric car we have today.

This chronicles the creation of three very influential early electric cars — the Nissan Leaf, the Chevy Volt, and of course the Tesla Roadster from 2005 - 2008. The precise moment that Lithium-Ion batteries were in play – that's when electric cars started to become viable. Every one of these three electric cars was well conceived and made it to market in volume, though not without significant challenges, both internal and external. None of them were perfect electric vehicles by any means: the Roadster was $100k, the Leaf had limited range, and the Volt was still technically a hybrid, albeit only using the gasoline engine to charge the battery.

Ten years later, Tesla has the Model 3 at $38,000 and we bought our Kia Niro for about the same price. After national and state tax incentives and rebates, that puts the price at around $30,000. It's not as cheap as it needs to be … yet. But it's getting there. And it's already competitive with gasoline vehicles in 2019.

[image: 2019-civic-vs-leaf-1]

It's still early, but the trend lines are clear. And I'm here to tell you that right now, today, I'd buy any modern electric car over a gasoline powered car.

If you too are intrigued by the idea of owning an electric car, you should be. It's freaking awesome! Bring your skepticism, as always; I highly recommend the above Matt Ferrell explainer video on electric vehicle myths.

As for me, I have seen the future, and it is absolutely, inexorably, and unavoidably … electric. ⚡


An Exercise Program for the Fat Web

When I wrote about App-pocalypse Now in 2014, I implied the future still belonged to the web. And it does. But it's also true that the web has changed a lot in the last 10 years, much less the last 20 or 30.

[image: fat city]

Websites have gotten a lot … fatter.

While I think it's irrational to pine for the bad old days of HTML 1.0 websites, there are some legitimate concerns here. The best summary is Maciej Cegłowski's The Website Obesity Crisis.

To channel a famous motivational speaker, I could go out there tonight, with the materials you’ve got, and rewrite the sites I showed you at the start of this talk to make them load in under a second. In two hours.

Can you? Can you?

Of course you can! It’s not hard! We knew how to make small websites in 2002. It’s not like the secret has been lost to history, like Greek fire or Damascus steel.

But we face pressure to make these sites bloated.

I bet if you went to a client and presented a 200 kilobyte site template, you’d be fired. Even if it looked great and somehow included all the tracking and ads and social media crap they insisted on putting in. It’s just so far out of the realm of the imaginable at this point.

The whole article is essential; you should stop what you're doing and read it now if you haven't already. But if you don't have time, here's the key point:

This is a screenshot from an NPR article discussing the rising use of ad blockers. The page is 12 megabytes in size in a stock web browser. The same article with basic ad blocking turned on is 1 megabyte.

That's right, through the simple act of running an ad blocker, you've reduced that website's payload by twelve times. Twelve! That's like the most effective exercise program ever!

Even the traditional advice to keep websites lean and mean for mobile no longer applies because new mobile devices, at least on the Apple side, are faster than most existing desktops and laptops.

Despite claims to the contrary, the bad guy isn't web bloat, per se. The bad guy is advertising. Unlimited, unfettered ad "tech" has crept into everything and subsumed the web.

Personally I don't even want to run ad blockers, and I didn't for a long time – but it's increasingly difficult to avoid running an ad blocker unless you want a clunky, substandard web experience. There's a reason the most popular browser plugins are inevitably ad blockers, isn't there? Just ask Google:

[image: chrome-best-extensions-google-search]

So it's all the more surprising to learn that Google is suddenly clamping down hard on adblockers in Chrome. Here's what the author of uBlock Origin, an ad blocking plugin for Chrome, has to say about today's announcement:

In order for Google Chrome to reach its current user base, it had to support content blockers — these are the top most popular extensions for any browser. Google's strategy has been to find the optimal point between the two goals of growing the user base of Google Chrome and preventing content blockers from harming its business.

The blocking ability of the webRequest API caused Google to yield control of content blocking to content blockers. Now that Google Chrome is the dominant browser, it is in a better position to shift the optimal point between the two goals which benefits Google's primary business.

The deprecation of the blocking ability of the webRequest API is to gain back this control, and to further instrument and report how web pages are filtered, since the exact filters which are applied to web pages are useful information which will be collectable by Google Chrome.

The ad blockers themselves are arguably just as complicit. Eyeo GmbH, the company behind Adblock Plus, owns AdBlock and uBlock, employs 150 people, and in 2016 they had 50 million euros in revenue, of which about 50% was profit. The paid "Acceptable Ads" program, which Google buys into, is a way to funnel money into adblockers to, uh, encourage them to display certain ads. With money. Lots … and lots … of money. 🤑 (uBlock Origin, quoted above, is a separate project from uBlock and takes part in no such program.)

We simultaneously have a very real web obesity crisis, and a looming crackdown on ad blockers, seemingly the only viable weight loss program for websites. What's a poor web citizen to do? Well, there is one thing you can do to escape the need for browser-based adblockers, at least on your home network. Install and configure Pi-Hole.

[image: pi-hole-screenshot]

I've talked about the amazing Raspberry Pi before in the context of classic game emulation, but this is another brilliant use for a Pi.

Here's why it's so cool. If you disable the DHCP server on your router, and let the Pi-Hole become your primary DHCP server, you get automatic DNS based blocking of ads for every single device on your network. It's kind of scary how powerful DNS can be, isn't it?

[image: pi-hole-action-shot]

My Pi-Hole took me about 1 hour to set up, start to finish. All you need is

I do recommend the 3B+ because it has native gigabit ethernet and a bit more muscle. But literally any Raspberry Pi you can find lying around will work, though I'd strongly advise you to pick one with a wired ethernet port since it'll be your DNS server.

I'm not going to write a whole Pi-Hole installation guide, because there are lots of great ones out there already. It's not difficult, and there's a slick web GUI waiting for you once you complete initial setup. For your initial testing, pick any IP address on your network that won't conflict with anything active, and make it static (outside the router's DHCP range), since every device is about to be told to use that exact address for DNS. Once you're happy with the basic setup and web interface:

  • Turn OFF your router's DHCP server – existing leases will continue to work, so nothing will be immediately broken.
  • Turn ON the pi-hole DHCP server, in the web GUI.

[image: pi-hole-dhcp-server]

Once you do this, all your network devices will start to grab their DHCP leases from your Pi-Hole, which will also tell them to route all their DNS requests through the Pi-Hole, and that's when the ✨ magic ✨ happens!

[image: pi-hole-blacklists]

All those DNS requests from all the devices on your network will be checked against the ad blacklists; anything matching is answered, quickly and silently, with a dummy unroutable address instead of the real one, so the ad server is never contacted. The one hole is a device that ignores the DHCP-supplied resolver, say a hardcoded public DNS server or an app that resolves over DNS-over-HTTPS; those bypass the Pi-Hole entirely unless you also block outbound DNS to anything but the Pi at the router.

[image: pi-hole-dashboard-stats]

(The Pi-Hole also acts as a caching DNS server, so repeated DNS requests will be serviced rapidly from your local network, too.)
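Here is a small model of that blocking decision, added as an example here and not code from the Pi-Hole project. It ingests a constructed hosts-format adlist of the kind gravity pulls in, applies the two matching rules a Pi-Hole user has to understand (a gravity entry matches one domain exactly, so a regex entry is what covers a whole subtree), and answers blocked names with 0.0.0.0 the way the default blocking mode does. The blocklist, the regex, the upstream zone, and the use-application-dns.net canary entry are all assumptions made for the example.

```python
"""Model of Pi-hole style DNS blocking (added example, not Pi-hole's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

NULL_ANSWER = "0.0.0.0"   # what Pi-hole's default ("NULL") blocking mode answers for blocked names
NXDOMAIN = None           # sentinel: the upstream has no record for the name

# Constructed sample adlist in the hosts format gravity ingests ("<sink-ip> <domain>").
# The use-application-dns.net line is the canary name Firefox resolves before turning on
# DNS-over-HTTPS; blocking it keeps Firefox on the local resolver (assumed entry, not from the post).
SAMPLE_BLOCKLIST = """\
# adlist (constructed sample)
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 telemetry.example.org   # some feeds sink to 127.0.0.1 instead of 0.0.0.0
0.0.0.0 use-application-dns.net
"""

# Constructed stand-in for the upstream resolver the Pi-hole forwards unblocked queries to.
UPSTREAM_ZONE: Dict[str, str] = {
    "www.example.com": "93.184.216.34",
    "cdn.ads.example.com": "198.51.100.7",
    "static.tracker.example.net": "198.51.100.8",
}


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Domains from a hosts-format list: drop comments, blank lines and the leading
    sink address; normalise to lower case without a trailing dot."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        tokens = parts[1:] if len(parts) > 1 else parts   # "0.0.0.0 host [host...]" or bare "host"
        domains.update(tok.lower().rstrip(".") for tok in tokens)
    return domains


@dataclass
class Blocker:
    gravity: Set[str]                                      # exact-match domain set
    regexes: List[re.Pattern] = field(default_factory=list)  # whole-subtree rules

    def resolve(self, qname: str, upstream: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Return (verdict, answer): blocked names get NULL_ANSWER, everything else is
        'forwarded' and answered from the upstream stand-in (NXDOMAIN if unknown)."""
        name = qname.lower().rstrip(".")
        if name in self.gravity:
            return "gravity", NULL_ANSWER
        if any(rx.search(name) for rx in self.regexes):
            return "regex", NULL_ANSWER
        return "forwarded", upstream.get(name, NXDOMAIN)


def build_blocker() -> Blocker:
    gravity = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    # Gravity entries are exact matches, so cdn.ads.example.com slips past the
    # ads.example.com line above; a regex is how you block a whole subtree.
    regexes = [re.compile(r"(^|\.)tracker\.example\.net$")]
    return Blocker(gravity, regexes)


def resolve(qname: str) -> Tuple[str, Optional[str]]:
    """Resolve one query name against the sample lists."""
    return build_blocker().resolve(qname, UPSTREAM_ZONE)


if __name__ == "__main__":
    for q in ("ads.example.com", "cdn.ads.example.com",
              "static.tracker.example.net", "www.example.com"):
        print(f"{q:30} {resolve(q)}")
```

The "forwarded" branch is also where the bypass problem hides: a client with a hardcoded public resolver, or an app using DNS-over-HTTPS, never calls this function at all, which is why the dashboard can show zero blocks for a device that still sees ads.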

If you're worried about stability or reliability, you can easily add a cheap battery backed USB plug, or even a second backup Pi-Hole as your secondary DNS provider if you prefer belt and suspenders protection. (It does need to be another Pi-Hole, not a public resolver: clients are free to use either server they were handed, and a non-blocking secondary lets the ads right back in.) Switching back to plain boring old vanilla DNS is as easy as unplugging the Pi and flicking the DHCP server setting in your router back on.

At this point if you're interested (and you should be!), just give it a try. If you're looking for more information, the project has an excellent forum full of FAQs and roadmaps.

[image: pi-hole-forums]

You can even vote for your favorite upcoming features!

I avoided the Pi-Hole project for a while because I didn't need it, and I'd honestly rather jump in later when things are more mature.

[image: pi-hole-pin]

With the latest Chrome crackdown on ad blockers, now is the time, and I'm impressed how simple and easy Pi-Hole is to run. Just find a quiet place to plug it in, spend an hour configuring it, and promptly proceed to forget about it forever as you enjoy a lifetime subscription to a glorious web ad instant weight loss program across every single device on your network with (almost) zero effort!

Finally, an exercise program I can believe in.


The Cloud Is Just Someone Else's Computer

When we started Discourse in 2013, our server requirements were high:

  • 1GB RAM
  • modern, fast dual core CPU
  • speedy solid state drive with 20+ GB

I'm not talking about a cheapo shared cPanel server, either, I mean a dedicated virtual private server with those specifications.

We were OK with that, because we were building in Ruby for the next decade of the Internet. I predicted early on that the cost of renting a suitable VPS would drop to $5 per month, and courtesy of Digital Ocean that indeed happened in January 2018.

The cloud got cheaper, and faster. Not really a surprise, since the price of hardware trends to zero over time. But it's still the cloud, and that means it isn't exactly cheap. It is, after all, someone else's computer that you pay for the privilege of renting.

[image: there-is-no-cloud]

But wait … what if you could put your own computer "in the cloud"?

Wouldn't that be the best of both worlds? Reliable connectivity, plus a nice low monthly price for extremely fast hardware? If this sounds crazy, it shouldn't – Mac users have been doing this for years now.

[image: mac-colocation-2019-1]

I suppose it's understandable that Mac users would be on the cutting edge here since Apple barely makes server hardware, whereas the PC world has always been the literal de-facto standard for server hardware.

[image: mac-stadium-colocation]

Given the prevalence and maturity of cloud providers, it's even a little controversial these days to colocate actual servers. We've also experimented with colocating mini-pcs in various hosting roles. I'm still curious why there isn't more of a cottage industry for colocating mini PCs. Because … I think there should be.

I originally wrote about the scooter computers we added to our Discourse infrastructure in 2016, plus my own colocation experiment that ran concurrently. Over the last three years of both experiments, I've concluded that these little boxes are plenty reliable, with one role specific caveat that I'll explain in the comments. I remain an unabashed fan of mini-PC colocation. I like it so much I put together a new 2019 iteration:

                 2017 — $670                2019 — $820
  CPU            i7-7500u                   i7-8750h
                 2.7-3.5 GHz, 2c / 4t       2.2-4.1 GHz, 6c / 12t
  RAM            16GB DDR3                  32GB DDR4
  SSD            500GB SATA                 500GB NVMe

This year's scooter computer offers 3× the cores, 2× the memory, and 3× faster drive. It is, as the kids say … an absolute unit. 😱

[image: 2019-scooter-computer-top-interior-1]

[image: 2019-scooter-computer-bottom-interior]

[image: 2019-scooter-computer-front-and-back]

It also has a rather elegant dual-sided internal layout. There is a slot for an old-school 2.5" drive, plus built in wi-fi, but you won't see it in my pictures because I physically removed both.

I vetted each box via my recommended burn in and stability testing and they all passed with flying colors, though I did have to RMA one set of bodgy RAM sticks in the process. The benchmarks tell the story, as compared to the average Digital Ocean droplet:

Per-core performance
sysbench cpu --cpu-max-prime=20000 run

  DO Droplet        2,988
  2017 Mini-PC      4,800
  2019 Mini-PC      5,671

Multi-core performance
sysbench cpu --cpu-max-prime=40000 --num-threads=8 run

  DO Droplet        2,200
  2017 Mini-PC      5,588
  2019 Mini-PC     14,604

Disk performance
dd bs=1M count=512 if=/dev/zero of=test conv=fdatasync
hdparm -Tt /dev/sda
(dd write / hdparm -T cached reads / hdparm -t buffered disk reads)

  DO Droplet         701 /  8818 /  471 MB/sec
  2017 Mini-PC       444 / 12564 /  505 MB/sec
  2019 Mini-PC      1200 / 17919 / 3115 MB/sec

Discourse rebuild
time ./launcher rebuild app

  DO Droplet        6:59
  2017 Mini-PC      3:41
  2019 Mini-PC      3:24

Power consumption could be a concern, as the 2017 version had a much lower 15 watt TDP, compared to the 45 watts of this version. That 3× increase in core count ain't free! So I tested that, too, with a combination of i7z, stress, and my handy dandy watt meter.

[image: 2019-mini-pc-i7z-testing]

  load                 clock      wall power
  (idle login)         800 MHz    10w
  stress --cpu 1       4.1 GHz    30w
  stress --cpu 2       4.1 GHz    42w
  stress --cpu 3       4.0 GHz    53w
  stress --cpu 4       3.9 GHz    65w
  stress --cpu 5       3.7 GHz    65w
  stress --cpu 6       3.5 GHz    65w
  stress --cpu 12      3.3 GHz    65w

I'd expect around 10 - 20 watts doing typical low-load stuff that isn't super CPU intensive. Note that running current-ish versions of mprime jacks power consumption up to 75w 🔥 and the overall clock scales down to 3.1 GHz … let me tell you, I've learned to be very, very afraid of AVX2 extensions.

(If you're worried about noise, don't be. This active cooling solution is clearly overkill for a 65w load, because it barely spun up at all even under full core load. It was extremely quiet.)

So we're happy that this machine is a slammin' deal for $820, it's super fast, and plenty reliable. But how about colocation costs? My colocation provider is EndOffice out of Boston, and they offer very competitive rates to colocate a Mini-PC: $29/month.

[image: endoffice-mini-pc-colocation]

I personally colocate three Mini-PCs for redundancy and just-in-case; there are discounts for colocating more than one. Here they are racked up and in action. Of course I labelled the front and rear before shipping because that's how I roll.

[image: endoffice-colocated-2019-mini-pcs]

Let's break this down and see what the actual costs of colocating a Mini-PC are versus the cloud. Given the plateauing of CPU speeds, I think five years of useful life for these boxes is realistic, but let's assume a conservative three year lifespan to be safe.

  • $880 mini-pc 32GB RAM, 6 CPUs, 500GB SSD
  • $120 taxes / shipping / misc
  • $29 × 12 × 3 = $1,044

That's $2,044 for three years of hosting. How does Digital Ocean compare? Per their current pricing page:

  • 32GB RAM, 8 vCPUs, 640GB SSD
  • $160/month
  • $160 × 12 × 3 = $5,760

This isn't quite apples to apples, as we are getting an extra 140GB of disk and 2 bonus CPUs, but those CPUs are both slower and partially consumed by multi-tenancy compared to our brand new dedicated, isolated CPUs. (I was curious about this, so I just spun up a new $160/month DO instance for a quick test. The sysbench results are 4086 and 11760 respectively, considerably below the 2019 Mini-PC results, above.) As you can see, you pay almost three times as much for a cloud server. 🤑

I'm not saying this is for everyone. If you just need to spin up a quick server or two for testing and experimentation, there's absolutely no way you need to go to the trouble and up-front cost of building and then racking colocated mini-pcs. There's no denying that spinning servers up in the cloud offers unparalleled flexibility and redundancy. But if you do have need for dedicated computing resources over a period of years, then building your own small personal cloud, with machines you actually own, is not only one third the cost but also … kinda cool?

[image: your-own-personal-cloud]

If you'd also like to embark upon this project, you can get the same Partaker B18 box I did for $490 from Amazon, or $460 direct from China via AliExpress. Add memory and drive to taste, build it up, then check out endoffice.com who I can enthusiastically recommend for colocation, or the colocation provider of your choice.

Get something cool hosted out there; let's do our part to keep the internet fun and weird!


What does Stack Overflow want to be when it grows up?

I sometimes get asked by regular people in the actual real world what it is that I do for a living, and here's my 15 second answer:

We built a sort of Wikipedia website for computer programmers to post questions and answers. It's called Stack Overflow.

As of last month, it's been 10 years since Joel Spolsky and I started Stack Overflow. I currently do other stuff now, and I have since 2012, but if I will be known for anything when I'm dead, clearly it is going to be good old Stack Overflow.

Here's where I'd normally segue into a bunch of rah-rah stuff about how great Stack Overflow is, and thus how implicitly great I am by association for being a founder, and all.

[image: bragging]

I do not care about any of that.

What I do care about, though, is whether Stack Overflow is useful to working programmers. Let's check in with one of my idols, John Carmack. How useful is Stack Overflow, from the perspective of what I consider to be one of the greatest living programmers?

I won't lie, September 17th, 2013 was a pretty good day. I literally got chills when I read that, and not just because I always read the word "billions" in Carl Sagan's voice. It was also pleasantly the opposite of pretty much every other day I'm on Twitter, scrolling through an oppressive, endless litany of shared human suffering and people screaming at each other. Which reminds me, I should check my Twitter and see who else is wrong on the Internet today.

I am honored and humbled by the public utility that Stack Overflow has unlocked for a whole generation of programmers. But I didn't do that.

  • You did, when you contributed a well researched question to Stack Overflow.
  • You did, when you contributed a succinct and clear answer to Stack Overflow.
  • You did, when you edited a question or answer on Stack Overflow to make it better.

All those "fun size" units of Q&A collectively contributed by working programmers from all around the world ended up building a Creative Commons resource that truly rivals Wikipedia within our field. That's ... incredible, actually.

[image: stack-overflow-homepage-oct-2018]

But success stories are boring. The world is filled with people that basically got lucky, and subsequently can't stop telling people how it was all of their hard work and moxie that made it happen. I find failure much more instructive, and when building a business and planning for the future, I take on the role of Abyss Domain Expert™ and begin a staring contest. It's just a little something I like to do, you know ... for me.

[image: abyss-oc]

Thus, what I'd like to do right now is peer into that glorious abyss for a bit and introspect about the challenges I see facing Stack Overflow for the next 10 years. Before I begin, I do want to be absolutely crystal clear about a few things:

  1. I have not worked at Stack Overflow in any capacity whatsoever since February 2012 and I've had zero day to day operational input since that date, more or less by choice. Do I have opinions about how things should be done? Uh, have you met me? Do I email people every now and then about said opinions? I might, but I honestly do try to keep it to an absolute minimum, and I think my email archive track record here is reasonable.

  2. The people working at Stack are amazing and most of them (including much of the Stack Overflow community, while I'm at it) could articulate the mission better — and perhaps a tad less crankily — than I could by the time I left. Would I trust them with my life? No. But I'd trust them with Joel's life!

  3. The whole point of the Stack Overflow exercise is that it's not beholden to me, or Joel, or any other Great Person. Stack Overflow works because it empowers regular everyday programmers all over the world, just like you, just like me. I guess in my mind it's akin to being a parent. The goal is for your children to eventually grow up to be sane, practicing adults who don't need (or, really, want) you to hang around any more.

  4. Understand that you're reading the ~~weak opinions strongly held~~ strong opinions weakly held of a co-founder who spent prodigious amounts of time working with the community in the first four years of Stack Overflow's life to shape the rules and norms of the site to fit their needs. These are merely my opinions. I like to think they are informed opinions, but that doesn't necessarily mean I can predict the future, or that I am even qualified to try. But I've never let being "qualified" stop me from doing anything, and I ain't about to start tonight.

Stack Overflow is a wiki first

Stack Overflow ultimately has much more in common with Wikipedia than a discussion forum. By this I mean questions and answers on Stack Overflow are not primarily judged by their usefulness to a specific individual, but by how many other programmers that question or answer can potentially help over time. I tried as hard as I could to emphasize this relationship from launch day in 2008. Note who has top billing in this Venn diagram.

[image: stack-overflow-venn-diagram]

Stack Overflow later added a super neat feature to highlight this core value in user profiles, where it shows how many other people you have potentially helped with your contributed questions and answers so far.

[image: stackoverflow-people-reached-profile-stat-1]

The most common complaints I see about Stack Overflow are usually the result of this fundamental misunderstanding about who the questions and answers on the site are ultimately for, and why there's so much strictness involved in the whole process.

I'm continually amazed at the number of people, even on Hacker News today, who don't realize that every single question and answer is editable on Stack Overflow, even as a completely anonymous user who isn't logged in. Which makes sense, right, because Stack Overflow is a wiki, and that's how wikis work. Anyone can edit them. Go ahead, try it right now if you don't believe me — press the "improve this answer" or "improve this question" button on anything that can be improved, and make it so.

[image: stack-overflow-edit-question]

The responsibility for this misunderstanding is all on Stack Overflow (and by that I also mean myself, at least up until 2012). I guess the logic is that "every programmer has surely seen, used, and understands Stack Overflow by now, 10 years in" but ... I think that's a risky assumption. New programmers are minted every second of every day. Complicating matters further, there are three tiers of usage at Stack Overflow, from biggest to smallest, in inverted pyramid style:

  1. I passively search for programming answers.

    Passively searching and reading highly ranked Stack Overflow answers as they appear in web search results is arguably the primary goal of Stack Overflow. If Stack Overflow is working like it's supposed to, 98% of programmers should get all the answers they need from reading search result pages and wouldn't need to ask or answer a single question in their entire careers. This is a good thing! Great, even!

  2. I participate on Stack Overflow when I get stuck on a really hairy problem and searching isn't helping.

    Participating only at those times when you are extra stuck is completely valid. However, I feel this level is where most people tend to run into difficulty on Stack Overflow, because it involves someone who may not be new to Stack Overflow per se, but is new to asking questions, and also at the precise time of stress and tension for them where they must get an answer due to a problem they're facing … and they don't have the time or inclination to deal with Stack Overflow's strict wiki type requirements for research effort, formatting, showing previous work, and referencing what they found in prior searches.

  3. I participate on Stack Overflow for professional development.

    At this level you're talking about experienced Stack Overflow users who have contributed many answers and thus have a pretty good idea of what makes a great question, the kind they'd want to answer themselves. As a result, they don't tend to ask many questions because they self-medicate through exhaustive searching and research, but when they do ask one, their questions are exemplary.

(There's technically a fourth tier here, for people who want to selflessly contribute creative commons questions and answers to move the entire field of software development forward for the next generation of software developers. But who has time for saints 😇, y'all make the rest of us look bad, so knock it off already Skeet.)

It wouldn't shock me at all if people spent years happily at tier 1 and then got a big unpleasant surprise when reaching tier 2. The primary place to deal with this, in my opinion, is a massively revamped and improved ask page. It's also fair to note that maybe people don't understand that they're signing up for a sizable chunk of work by implicitly committing to the wiki standard of "try to make sure it's useful to more people than just yourself" when asking a question on Stack Overflow, and are then put off by the negative reaction to what others view as an insufficiently researched question.

Stack Overflow absorbs so much tension from its adoption of wiki standards for content. Even if you know about that requirement up front, it is not always clear what "useful" means, in the same way it's not always clear what topics, people, and places are deserving of a Wikipedia page. Henrietta Lacks, absolutely, but what about your cousin Dave in Omaha with his weirdo PHP 5.6 issue?

Over time, duplicates become vast landmine fields

Here's one thing I really, really saw coming and to be honest with you I was kinda glad I left in 2012 before I had to deal with it because of the incredible technical difficulty involved: duplicates. Of all the complaints I hear about Stack Overflow, this is the one I am most sympathetic to by far.

If you accept that Stack Overflow is a wiki type system, then for the same reasons that you obviously can't have five different articles about Italy on Wikipedia, Stack Overflow can't allow duplicate questions on the exact same programming problem. While there is a fair amount of code to do pre-emptive searches as people type in questions, plus many exhortations to search before you ask, with an inviting search field and button right there on the mandatory page you see before asking your first question ...

stack-overflow-how-to-ask

... locating and identifying duplicate content is an insanely difficult problem even for a company like Google that's done nothing but specialize in this exact problem for, what, 20 years now, with a veritable army of the world's most talented engineers.

When you're asking a question on a site that doesn't allow duplicate questions, the problem space of a site with 1 million existing questions is rather different from a site with 10 million existing questions ... or 100 million. Asking a single unique question goes from mildly difficult to mission almost impossible, because your question needs to thread a narrow path through this vast, enormous field of prior art questions without stepping on any of the vaguely similar looking landmines in the process.

stackoverflow-asking-duplicate-question

But wait! It gets harder!

  • Some variance in similar-ish questions is OK, because 10 different people will ask a nearly identical question using 10 different sets of completely unrelated words with no overlap. I know, it sounds crazy, but trust me: humans are amazing at this. We want all those duplicates to exist so they can point to the primary question they are a duplicate of, while still being valid search targets for people who ask questions with unusual or rare word choices.

  • It can be legitimately difficult to determine if your question is a true duplicate. How much overlap is enough before one programming question is a duplicate of another? And by whose definition? Opinions vary. This is subject to human interpretation, and humans are ... unreliable. Nobody will ever be completely happy with this system, pretty much by design. That tension is baked in permanently and forever.

I don't have any real answers on the duplicate problem, which only gets worse over time. But I will point out that there is plenty of precedent on the Stack Exchange network for splitting sites into "expert" and "beginner" areas with slightly different rulesets. We've seen this for Math vs. MathOverflow, English vs. English Learners, Unix vs. Ubuntu... perhaps it's time for a more beginner focused Stack Overflow where duplicates are less frowned upon, and conversational rules are a bit more lenient?

Stack Overflow is a competitive system of peer review

Stack Overflow was indeed built to be a fairly explicitly competitive system, with the caveat that "there's always more than one way to do it." This design choice was based on my perennial observation that the best way to motivate any programmer ... is to subtly insinuate that another programmer could have maybe done it better.

geek-hero-motivating-programmers

This is manifested in the public reputation system on Stack Overflow, the incredible power of a number printed next to someone's name, writ large. All reputation in Stack Overflow comes from the recognition of your peers, never the "system".

stack-overflow-top-rep-by-year

Once your question is asked, or your answer is posted, it can then be poked, prodded, edited, flagged, closed, opened, upvoted, downvoted, folded and spindled by your peers. The intent is for Stack Overflow to be a system of peer review and friendly competition, like a code review from a coworker you've never met at a different division of the company. It's also completely fair for a fellow programmer to question the premise of your question, as long as it's done in a nice way. For example, do you really want to use that regular expression to match HTML?

I fully acknowledge that competitive peer review systems aren't for everyone, and thus the overall process of having peers review your question may not always feel great, depending on your circumstances and background in the field — particularly when combined with the substantial tensions around utility and duplicates Stack Overflow already absorbed from its wiki elements. Kind of a double whammy there.

I've heard people describe the process of asking a question on Stack Overflow as anxiety inducing. To me, posting on Stack Overflow is supposed to involve a healthy kind of minor "let me be sure to show off my best work" anxiety:

  • the anxiety of giving a presentation to your fellow peers
  • the anxiety of doing well on a test
  • the anxiety of showing up to a new job with talented coworkers you admire
  • the anxiety of attending your first day at school with other students at your level

I imagine systems where there is zero anxiety involved and I can only think of jobs where I had long since stopped caring about the work and thus had no anxiety about whether I even showed up for work on any given day. How can that be good? Let's just say I'm not a fan of zero-anxiety systems.

Maybe competition just isn't your jam. Could there be a less competitive Q&A system, a system without downvotes, a system without close votes, where there was never any anxiety about posting anything, just a network of super supportive folks who believe in you and want you to succeed no matter what? Absolutely! I think many alternative sites should exist on the internet so people can choose an experience that matches their personal preferences and goals. Should Stack build that alternative? Has it already been built? It's an open question; feel free to point out examples in the comments.

Stack Overflow is designed for practicing programmers

Another point of confusion that comes up a fair bit is who the intended audience for Stack Overflow actually is. That one is straightforward, and it's been the same from day one:

stackoverflow-for-business-description

Q&A for professional and enthusiast programmers. By that we mean

People who either already have a job as a programmer, or could potentially be hired as a programmer today if they wanted to be.

Yes, in case you're wondering, part of this was an overt business decision. To make money you must have an audience of people already on a programmer's salary, or in the job hunt to be a programmer. The entire Stack Overflow network may be Creative Commons licensed, but it was never a non-profit play. It was planned as a sustainable business from the outset, and that's why we launched Stack Overflow Careers only one year after Stack Overflow itself ... to be honest far sooner than we should have, in retrospect. Careers has since been smartly subsumed into Stack Overflow proper at stackoverflow.com/jobs for a more integrated and most assuredly way-better-than-2009 experience.

The choice of audience wasn't meant to be an exclusionary decision in any way, but Stack Overflow was definitely designed as a fairly strict system of peer review, which is great (IMNSHO, obviously) for already practicing professionals, but pretty much everything you would not want as a student or beginner. This is why I cringe so hard I practically turn myself inside out when people on Twitter mention that they have pointed their students at Stack Overflow. What you'd want for a beginner or a student in the field of programming is almost the exact opposite of what Stack Overflow does at every turn:

  • one on one mentoring
  • real time collaborative screen sharing
  • live chat
  • theory and background courses
  • starter tasks and exercises
  • playgrounds to experiment in

These are all very fine and good things, but Stack Overflow does NONE of them, by design.

Can you use Stack Overflow to learn how to program from first principles? Well, technically you can do anything with any software. You could try to have actual conversations on Reddit, if you're a masochist. But the answer is yes. You could learn how to program on Stack Overflow, in theory, if you are a prodigy who is comfortable with the light competitive aspects (reputation, closing, downvoting) and also perfectly willing to define all your contributions to the site in terms of utility to others, not just yourself as a student attempting to learn things. But I suuuuuuper would not recommend it. There are far better websites and systems out there for learning to be a programmer. Could Stack Overflow build beginner and student friendly systems like this? I don't know, and it's certainly not my call to make. 🤔

And that's it. We can now resume our normal non-abyss gazing. Or whatever it is that passes for normal in these times.

I hope all of this doesn't come across as negative. Overall I'd say the state of the Stack is strong. But does it even matter what I think? As it was in 2008, so it is in 2018.

Stack Overflow is you.

This is the scary part, the great leap of faith that Stack Overflow is predicated on: trusting your fellow programmers. The programmers who choose to participate in Stack Overflow are the “secret sauce” that makes it work. You are the reason I continue to believe in developer community as the greatest source of learning and growth. You are the reason I continue to get so many positive emails and testimonials about Stack Overflow. I can’t take credit for that. But you can.

I learned the collective power of my fellow programmers long ago writing on Coding Horror. The community is far, far smarter than I will ever be. All I can ask — all any of us can ask — is to help each other along the path.

And if your fellow programmers decide to recognize you for that, then I say you’ve well and truly earned it.

The strength of Stack Overflow begins, and ends, with the community of programmers that power the site. What should Stack Overflow be when it grows up? Whatever we make it, together.

stackoverflow-none-of-us-is-as-dumb-as-all-of-us

p.s. Happy 10th anniversary Stack Overflow!


Also see Joel's take on 10 years of Stack Overflow with The Stack Overflow Age, A Dusting of Gamification, and Strange and Maddening Rules.


There is no longer any such thing as Computer Security

Remember "cybersecurity"?

its-cybersecurity-yay

Mysterious hooded computer guys doing mysterious hooded computer guy .. things! Who knows what kind of naughty digital mischief they might be up to?

Unfortunately, we now live in a world where this kind of digital mischief is literally rewriting the world's history. For proof of that, you need look no further than this single email that was sent March 19th, 2016.

podesta-hack-email-text

If you don't recognize what this is, it is a phishing email.

phishing-guy

This is by now a very, very famous phishing email, arguably the most famous of all time. But let's consider how this email even got sent to its target in the first place:

  • An attacker slurped up lists of any public emails of 2008 political campaign staffers.

  • One 2008 staffer was also hired for the 2016 political campaign.

  • That particular staffer had non-public campaign emails in their address book, and one of them was a powerful key campaign member with an extensive email history.

One successful phish leads to an even wider address book attack net down the line. Once attackers gain access to a person's inbox, they use it to prepare their next attack. They'll harvest existing email addresses, subject lines, content, and attachments to construct plausible looking booby-trapped emails and mail them to all of that person's contacts. How sophisticated and targeted to a particular person this effort is determines whether it's so-called "spear" phishing or not.

phishing-vs-spear-phishing

In this case it was not at all targeted. This is a remarkably unsophisticated, absolutely generic, routine phishing attack. There is zero focused attack effort on display here. But note that the target did not immediately click the link in the email!

podesta-hack-email-link-1

Instead, he did exactly what you'd want a person to do in this scenario: he emailed IT support and asked if this email was valid. But IT made a fatal mistake in their response.

podesta-it-support-response

Do you see it? Here's the kicker:

Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.

One word. He got one word wrong. But what a word to get wrong, and in the first sentence! The email did provide the proper Google address to reset your password, but the lede was already buried: the first sentence said "legitimate", and the phishing link in that email was then clicked. And the rest is literally history.

What's even funnier (well, in the way of gallows humor, I guess) is that public stats were left enabled for that bit.ly tracking link, so you can see exactly what crazy domain that "Google login page" resolved to, and that it was clicked exactly twice, on the same day it was mailed.

bitly-podesta-tracking-link

As I said, these were not exactly sophisticated attackers. So yeah, in theory an attentive user could pay attention to the browser's address bar and notice that after clicking the link, they arrived at

http://myaccount.google.com-securitysettingpage.tk/security/signinoptions/password

instead of

https://myaccount.google.com/security

Note that the phishing URL is carefully constructed so the most "correct" part is at the front, and weirdness is sandwiched in the middle. The part that actually decides where you are is the registrable domain at the right-hand end of the hostname: here that is com-securitysettingpage.tk, and everything to its left is just subdomain labels the attacker controls. Unless you're paying very close attention and your address bar is long enough to expose the full URL, it's … tricky. See this 10 second video for a dramatic example.

(And if you think that one's good, check out this one. Don't forget all the unicode look-alike trickery you can pull, too.)
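As an added illustration (mine, not code from the original post), here is a small Python check that does what the address bar is supposed to let you do by eye: pull the hostname out of a URL, work out which domain actually controls it, and flag the tricks above. The allowlist of google.com, the "@"-trick host and the Cyrillic look-alike hosts in the sample are assumptions made for the demo; the registrable-domain logic is the naive "last two labels" rule, which is wrong for suffixes like co.uk, so a real checker would consult the Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this demo: the domain a Google account page must live under.
TRUSTED_DOMAINS = ("google.com",)


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the hostname.

    Adequate for .com / .tk style suffixes as in the examples here. A real
    checker must consult the Public Suffix List, because this rule would
    wrongly report 'co.uk' as the owner of 'example.co.uk'.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def under_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it (label boundary).

    A plain endswith() would accept 'notgoogle.com', so the dot is required.
    """
    return host == domain or host.endswith("." + domain)


def check_login_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the hostname, the domain that actually controls it, and why it looks off."""
    parts = urlsplit(url)
    host = parts.hostname or ""        # lowercased; userinfo and port stripped
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:     # e.g. 'https://accounts.google.com@evil.example/'
        reasons.append("userinfo before '@': the real host is after the '@'")

    # Unicode look-alikes: DNS only ever sees the IDNA (xn--) form of the name.
    if not host.isascii():
        try:
            ascii_host = host.encode("idna").decode("ascii")
            reasons.append(f"non-ASCII hostname; DNS sees {ascii_host}")
        except UnicodeError:
            reasons.append("non-ASCII hostname that does not IDNA-encode")
    elif any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in hostname (rendered as a look-alike)")

    owner = registrable_domain(host)
    if not any(under_domain(host, d) for d in trusted):
        reasons.append(f"controlled by {owner}, not {', '.join(trusted)}")
        if any(d in host for d in trusted):
            reasons.append("trusted name embedded as a decoy in the hostname")

    return {"host": host, "registrable": owner, "reasons": reasons,
            "verdict": "ok" if not reasons else "suspicious"}


if __name__ == "__main__":
    # Constructed samples: the real reset page, the URL from the post, and
    # hypothetical hosts illustrating the '@' trick and Unicode look-alikes.
    for u in (
        "https://myaccount.google.com/security",
        "http://myaccount.google.com-securitysettingpage.tk/security/signinoptions/password",
        "https://accounts.google.com@evil.example/",
        "https://www.xn--80ak6aa92e.com/",   # 'apple' spelled with Cyrillic letters
        "https://gооgle.com/",               # Cyrillic 'о' in place of Latin 'o'
    ):
        r = check_login_url(u)
        print(f"{r['verdict']:10} {r['host']:45} {r['reasons']}")
```

The two checks that matter most are the label-boundary comparison (a bare "ends with google.com" test would wave through notgoogle.com) and the IDNA step, which turns whatever the address bar renders back into the xn-- name the resolver actually looks up.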

I originally wrote this post as a presentation for the Berkeley Computer Science Club back in March, and at that time I gathered a list of public phishing pages I found on the web.

nightlifesofl.com
ehizaza-limited.com
tcgoogle.com
appsgoogie.com
security-facabook.com

Of those five examples from 6 months ago, one is completely gone, one loads just fine, and three present an appropriately scary red interstitial warning page that strongly advises you not to visit the page you're trying to visit, courtesy of Google's safe browsing API. But of course this kind of shared blacklist domain name protection will be completely useless on any fresh phishing site. (Don't even get me started on how blacklists have never really worked anyway.)

google-login-phishing-page

It doesn't exactly require a PhD degree in computer science to phish someone:

  • Buy a crazy long, realistic looking domain name.
  • Point it to a cloud server somewhere.
  • Get a free HTTPS certificate courtesy of our friends at Let's Encrypt.
  • Build a realistic copy of a login page that silently transmits everything you type in those login fields to you – perhaps even in real time, as the target types.
  • Harvest email addresses and mass mail a plausible looking phishing email with your URL.

I want to emphasize that although clearly mistakes were made in this specific situation, none of the people involved here were amateurs. They had training and experience. They were working with IT and security professionals. Furthermore, they knew digital attacks were incoming.

The … campaign was no easy target; several former employees said the organization put particular stress on digital safety.

Work emails were protected by two-factor authentication, a technique that uses a second passcode to keep accounts secure. Most messages were deleted after 30 days and staff went through phishing drills. Security awareness even followed the campaigners into the bathroom, where someone put a picture of a toothbrush under the words: “You shouldn’t share your passwords either.”

The campaign itself used two factor auth extensively, which is why personal gmail accounts were targeted, because they were less protected.

The key takeaway here is that it's basically impossible, statistically speaking, to prevent your organization from being phished.

Or is it?

techsolidarity-logo

Nobody is doing better work in this space right now than Maciej Ceglowski and Tech Solidarity. Their list of basic security precautions for non-profits and journalists is pure gold and has been vetted by many industry professionals with security credentials that are actually impressive, unlike mine. Everyone should read this list very closely, point by point.

Everyone?

Computers, courtesy of smartphones, are now such a pervasive part of average life for average people that there is no longer any such thing as "computer security". There is only security. In other words, these are normal security practices everyone should be familiar with. Not just computer geeks. Not just political activists and politicians. Not just journalists and nonprofits.

Everyone.

It is a fair bit of reading, so because I know you are just as lazy as I am, and I am epically lazy, let me summarize what I view as the three important takeaways from the hard work Tech Solidarity put into these resources. These three short sentences are the 60 second summary of what you want to do, and what you want to share with others so they do, too.

1) Enable Two Factor authentication through an app, and not SMS, everywhere you can.

google-2fa-1

Logging in with only a password, no matter how long and unique you attempt to make that password, will never be enough. A password is what you know; you need to add the second factor of something you have (or something you are) to achieve significant additional security. SMS can famously be intercepted, social engineered, or SIM-jacked all too easily. If it's SMS, it's not secure, period. So install an authenticator app, and use it, at least for your most important credentials such as your email account and your bank.

Have I mentioned that Discourse added two factor authentication support in version 2.0, and our just released 2.1 adds printed backup codes, too? There are two paths forward: you can talk about the solution, or you can build the solution. I'm trying to do both to the best of my ability. Look for the 2FA auth option in your user preferences on your favorite Discourse instance. It's there for you.

(This is also a company policy at Discourse; if you work here, you 2FA everything all the time. No other login option exists.)

2) Make all your passwords 11 characters or more.

It's a long story, but anything under 11 characters is basically the same as having no password at all these days: when a site's password database leaks, the hashes are attacked offline at billions of guesses per second, which puts short passwords, and especially human-chosen ones, within easy reach. I personally recommend at least 14 characters, maybe even 16. But this won't be a problem for you, because...

3) Use a password manager.

If you use a password manager, you can simultaneously avoid the pernicious danger of password re-use and the difficulty of coming up with unique and random passwords all the time. It is my hope in the long run that cloud based password management gets deeply built into Android, iOS, OSX, and Windows so that people don't need to run a weird melange of third party apps to achieve this essential task. Password management is foundational and should not be the province of third parties on principle, because you never outsource a core competency.

Bonus rule! For the particularly at-risk, get and use a U2F key.

In the long term, two factor through an app isn't quite secure enough due to the very real (and growing) specter of real-time phishing. Authenticator apps generate codes that change every 30 seconds (servers usually accept a code from a step or so either side), but nothing about a code says which site it was typed into: if the attacker's page asks you for the current code and relays it to the real site within that window, they log in as you. If you need ultimate protection, look into U2F keys.

u2f-keys

I believe U2F support is still too immature at the moment, particularly on mobile, for this to be practical for the average person right now. But if you do happen to fall into those groups that will be under attack, you absolutely want to set up U2F keys where you can today. They're cheap, and the good news is that they defeat credential phishing outright: the key's response is bound to the origin the browser is actually on, so a response captured on a look-alike site is useless against the real one. Given that Google reported no successful phishing of employee accounts company wide after moving everyone to security keys, we know this works.
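To make the difference between the app and the key concrete, here is an added example (mine, not from the post or from Tech Solidarity) in Python: a standard RFC 6238 TOTP implementation, a relay attack that forwards a freshly typed code and gets accepted, and a simplified model of a U2F assertion in which the same relay fails because the browser folds the origin it is actually on into the signed data. The U2F part is a model, not a library: the standard library has no ECDSA, so an HMAC keyed with a per-registration secret stands in for the key's signature, the appId is taken to equal the origin, and the relying-party origin https://accounts.example and the phishing origins are hypothetical. The TOTP secret is the RFC 6238 test vector secret.

```python
import hashlib
import hmac
import json
import secrets
import struct

# ---------- TOTP as the authenticator apps implement it (RFC 6238) ----------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30 second time step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side, as most servers do."""
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))


def relay_attack_totp(secret: bytes, now: int) -> bool:
    """Fake page asks for the code and forwards it to the real site seconds later.
    Nothing in the code says where it was typed, so the real site accepts it."""
    code_typed_on_phish_page = totp(secret, now)
    return verify_totp(secret, code_typed_on_phish_page, now + 5)


# ---------- U2F-style origin-bound assertion (simplified model) ----------
# Real U2F signs with a per-registration ECDSA P-256 key; the stdlib has no
# ECDSA, so an HMAC keyed with a per-registration secret stands in for the
# signature. The signed message keeps the real layout:
#   SHA-256(appId) || flags || counter || SHA-256(clientData)
# where clientData carries the challenge and the origin the browser is on.
# Simplification: appId is taken to equal the origin.

def register(origin: str) -> dict:
    """Relying party's registration record: its own origin and the key's secret."""
    return {"origin": origin, "key": secrets.token_bytes(32), "counter": 0}


def client_data(challenge: str, origin: str) -> bytes:
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin},
                      sort_keys=True).encode()


def signed_message(app_id: str, counter: int, cdata: bytes) -> bytes:
    return (hashlib.sha256(app_id.encode()).digest()
            + b"\x01"                       # flags: user presence confirmed
            + struct.pack(">I", counter)
            + hashlib.sha256(cdata).digest())


def authenticator_sign(reg: dict, browser_origin: str, challenge: str) -> dict:
    """The browser, not the user, supplies the origin; a phishing page cannot override it."""
    reg["counter"] += 1
    cdata = client_data(challenge, browser_origin)
    msg = signed_message(browser_origin, reg["counter"], cdata)
    sig = hmac.new(reg["key"], msg, hashlib.sha256).digest()
    return {"clientData": cdata, "counter": reg["counter"], "signature": sig}


def verify_assertion(reg: dict, challenge: str, assertion: dict) -> bool:
    """Relying party checks the challenge it issued and ITS origin, then the signature."""
    cdata = json.loads(assertion["clientData"])
    if cdata.get("challenge") != challenge or cdata.get("origin") != reg["origin"]:
        return False
    msg = signed_message(reg["origin"], assertion["counter"], assertion["clientData"])
    expected = hmac.new(reg["key"], msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_attack_u2f(reg: dict, phish_origin: str) -> bool:
    """Attacker starts a login at the real site, gets a challenge, relays it to the victim.
    The victim touches the key on the phishing page, so the browser binds the
    assertion to phish_origin and the real site rejects it."""
    challenge = secrets.token_urlsafe(32)
    assertion = authenticator_sign(reg, phish_origin, challenge)
    return verify_assertion(reg, challenge, assertion)


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 6238 test secret
    print("TOTP at T=59:", totp(rfc_secret, 59))  # 287082, last six digits of the RFC vector
    print("TOTP relay accepted:", relay_attack_totp(rfc_secret, 59))
    reg = register("https://accounts.example")     # hypothetical relying party
    print("U2F relay accepted:", relay_attack_u2f(reg, "https://accounts.example-login.tk"))
```

The point of the model is the third check in verify_assertion: the origin is not something the user types or the attacker can forward, it is inserted by the browser and covered by the signature, which is exactly what a relayed TOTP code lacks.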

In today's world, computers are now so omnipresent that there is no longer any such thing as cybersecurity, online security, or computer security – there's only security. You either have it, or you don't. If you follow and share these three rules, hopefully you too can have a modicum of security today.
