
Building little toy projects like some of these is one of my favorite ways to learn and play. Sometimes the value isn't in the initial finished product but in the concepts it exposed and knowledge or inspiration gained from that.

I guess if what you really want is only the finished product and nothing else, churning it out as quickly as possible with AI and not caring about the implementation could work for you. But it would take the fun out of it for me.

Sadly my career may eventually head in that direction. At least I'll always have a hobby to enjoy.


> Building little toy projects like some of these is one of my favorite ways to learn and play.

Same here! That's why I'm having so much fun building nearly 100 of them in a year.

The difference here is that I didn't have to type out all of the code by hand.


Well I just scraped the hell out of that. Some very pretty images. I know it is labor intensive, but they really put the effort into a massive amount of hand drawn frames for some of these movies and it shows in the final product.

I was wondering what that sucking sound was...

What did you use to do the scraping?

I don't know what he did, but I gave gemini-cli the url and asked for a script. The LLMs are pretty good at this sort of simple but tedious implementation.

And nothing of value was gained.

True if you think the images have no value, nor the time I saved by "outsourcing" the work, but writing the kind of trivial web scraper I've written N times before somehow does.

Personally I would disagree!


It might have been that the OP wanted to try for themselves using an app or some source code.

They are welcome to do so! I encourage anyone who finds this scraping problem interesting to approach it in whatever way they find the most rewarding!

I just did Advent of Code in Python, which isn't my daily use language but was fun to play with. Threw together a script in a little less than 5 min that did what I wanted: downloaded all the screenshots and put into a directory for each movie.

The blog frequently refers to the LLM as "him" instead of "it" which somehow feels disturbing to me.

I love to anthropomorphize things like rocks or plants, but something about doing it to an AI that responds in human like language enters an uncanny valley or otherwise upsets me.


I do both crosswords and frequently look at the daily leetcode problem. I don't always do it if the problem doesn't interest me. But sometimes I learn something new, other times I just hammer out a solution in 2-5 min for a little brain stimulation.

Making a habit of doing small puzzles like that can compound a lot over time. I am self taught and did not study algorithms in school, but I would consider myself stronger on the topic than most of my coworkers just from my learning to solve puzzles (and enjoying it). I am currently the senior / lead dev of my team.

I also love Advent of Code and look forwards to it all year.

I do both in languages that aren't what I primarily use at work.


Leetcode already has a feature like this, it just hasn't released for 2025 yet. Usually comes out closer to the end of the year.

Here is last years: https://leetcode.com/rewind/2024/

The OP's seems to be more cumulative lifetime stats rather than just this past year, for a lot of the slides.


That's interesting, didn't know that. Bummer you can't replay it once "the event has ended."

> The OP's seems to be more cumulative lifetime stats rather than just this past year, for a lot of the slides.

I disclose that the last 5 slides are lifetime stats in my readme:

"Note: The last 5 slides are not necessarily specific to 2025 because leetcode's graphql api only allows querying up to 20 of the latest submissions from an unauthenticated user.

However, if you pass a LEETCODE_SESSION cookie (obtained from leetcode.com, open dev tools -> application -> cookies) with your request you can query all of your account's submissions. You could also use the calendar endpoint to query all of your submissions in the past year, and thus create a much more nuanced leetcode wrapped. (ex: You struggled with this problem the most in 2025.)"

I may try to tackle this via an extension with no server side logic if I have some free time later this week, would certainly be a cooler final product. Only caveat is users would have to manually install the extension from a github repo (too scary for most people) or the chrome web store, which may add too much friction for most people.


I used to work for a brokerage API geared at algorithmic traders and in my anecdotal experience many strategies seem to work well when back-tested on paper but for various reasons can end up flopping when actually executed in the real market. Even testing a strategy in real time paper trading can end up differently than testing on the actual market where other parties are also viewing your trades and making their own responses. The post did list some potential disadvantages of backtesting, so they clearly aren't totally in the dark on it.

Deepseek did not sell anything, but did well with holding a lot of tech stocks. I think that can be a bit of a risky strategy with everything in one sector, but it has been a successful one recently so not surprising that it performed well. Seems like they only get to "trade" once per day, near the market close, so it's not really a real time ingesting of data and making decisions based on that.

What would really be interesting is if one of the LLMs switched their strategy to another sector at an appropriate time. Very hard to do but very impressive if done correctly. I didn't see that anywhere but I also didn't look deeply at every single trade.


>but for various reasons can end up flopping when actually executed in the real market.

1. Your order can legally be “front run” by the lead or designated market maker who receives priority trade matching, bypassing the normal FIFO queue. Not all exchanges do this.

2. Market impact. Other participants will cancel their order, or increase their order size, based on your new order. And yes, the algos do care about your little 1 lot order.

Also if you improve the price (“fill the gap”), your single 1 qty order can cause 100 other people to follow you. This does not happen in paper trading.

Source: HFT quant


Dear HFT Quant,

> And yes, the algos do care about your little 1 lot order.

I'm just your usual "corrupted nerd" geek with some mathematics and computer security background interests - 2 questions if I may: 1. what's like the most interesting paper you have read recently or unrelated thing you are interested in at the moment? 2. "And yes, the algos do care about your little 1 lot order." How would one see this effect you mentioned - like it seems wildly anomalous, how would one go about finding this effect assuming maximum mental venturesomeness, a tiny $100 and too much time?


Retail speculator here. Re 2 it's often quite easy to demo on thinly traded markets - I'm more familiar with crypto. Say the spread is 81.00 buy, 81.03 sell. Put in a limit buy at 81.00 and watch someone/something immediately outbid you at 81.01. In the short term that kind of thing is done by algorithms but there are humans behind it and doing it too.

There's quite a lot of other game playing going on also.


if you are targeting such "scales" you are highly speculative, that is something like 0.0xx% :-D Can you sleep well with this? :-))

Even a 1 lot order could be the deciding factor for some algorithm that's calculating averages or other statistics. Especially for options books.

Sometimes the spread is really tight.

If you actually were in the industry, you would know that most retail traders don't fail, because they lose a tick here or there on execution, they fail, because their strategies have no edge in the first place.

> If you actually were in the industry, you would know that most retail traders don't fail, because they lose a tick here or there on execution

Where did I say “retail trader”?

Because “institutional” low-latency market makers trade 1 lot all the time.


The context from parent was obviously that. Instis don't trade on Alpaca.

> Because “institutional” low-latency market makers trade 1 lot all the time.

That sentence alone tells me that you're a LARPer.


> That sentence alone tells me that you're a LARPer

cope.

Equity options are sparse and have 1 order of 1 lot/qty per price. But usually empty. Too many prices and expiration dates.

US treasury bond cash futures (BrokerTec) are almost always 1 lot orders. Multiple orders per level though.

I could go on, but I’m busy as our team of 4’s algos are printing US$500k/hour today.


There is a big difference between back testing scalping and back testing buy 100 NVIDIA at $103 and sell at $110.

>Your order can legally be “front run” by the lead or designated market maker who receives priority trade matching, bypassing the normal FIFO queue. Not all exchanges do this.

Unless you're thinking of some obscure exchange in a tiny market, this is just untrue in the U.S., Europe, Canada, and APAC. There are no exchanges where market makers get any kind of priority to bypass the FIFO queue.


Anyone can be a market maker on a trade just take the other side of an offer. All they really do is make a market with you and then make a market with the other side and pocket the change. It's good for market liquidity.

> There are no exchanges where market makers get any kind of priority to bypass the FIFO queue.

Nope, several large, active, and liquid markets in the US.

Legally it’s not named “bypass the FIFO queue”. That would be dumb.

In practice, it goes by politically correct names such as “designated market maker fill” or “institutional order prioritization” or “leveling round”.


I can tell you as someone who is a designated market maker on several ETFs in the U.S., none of this exists as a means of giving market makers priority fills. You're taking existing terms and misusing them. For example institutional order prioritization is used as a wash trade prevention mechanism, not as a way for designated market makers to get some kind of fill preference. Leveling rounds also do not involve exchanges, this is an internal tool used by a broker's OMS to rebalance residuals so accounts end up with the intended allocation, or cleaning up odd-lot/mixed-lot leftovers.

I am getting the feeling you either are not actually a quant, or you were a quant and just misheard and confused a lot of things together, but one thing is for sure... your claim that market makers get some kind of priority fills is factually incorrect.


++1

thanks


I've honestly never understood what backtesting even does because of the things you mention like time it takes to request and close trades (if they even do!), responses to your trades, the continuous and dynamic input of the market into your model, etc.

Is there any reference that explains the deep technicalities of backtesting and how it is supposed to actually influence your model development? It seems to me that one could spend a huge amount of effort on backtesting that would distract from building out models and tooling and that that effort might not even pay off given that the backtesting environment is not the real market environment.


I'm not sure about deep technicalities but backtesting is a useful thing to see how some strategy would have performed at some times in the past but there are quite a lot of limitations to it. Two of the big ones are the market reacting to you and maybe more so a kind of hindsight bias where you devise some strategy that would have worked great on past markets but the real time ones do something different.

https://en.wikipedia.org/wiki/Long-Term_Capital_Management was kind of an example of both of those. They based their predictions on past behaviour which proved incorrect. Also if other market participants figure a large player is in trouble and going to have to sell a load of bonds they all drop their bids to take advantage of that.

A lot of deviations from efficient market theory are like that - not deeply technical but about human foolishness.


We use back testing at my firm for two primary reasons, one as a way to verify correctness and two as a way to assess risk.

We do not use it as a way to determine profitability.


This is interesting because I'm not immediately sure how you verify correctness and assess risk without also addressing profitability.

By assessing risk is that just checking that it does dump all your money and that you can at least maintain a stable investment cache?

Are you willing to say more about correctness? Is the correctness of the models, of the software, or something else?


Profitability is not in any way considered a property of the correctness of an algorithm. An algorithm can be profitable and incorrect, and an algorithm can be correct but not profitable.

Correctness has to do with whether the algorithm performed the intended actions in response to the inputs/events provided to it, nothing more. For the most part correctness of an algorithm can be tested the same way most software is tested, ie. unit tests, but it's also worth testing the algorithm using live data/back testing it since it's not feasible to cover every possible scenario in giant unit tests, but you can get pretty good coverage of a variety of real world scenarios by back testing.


A really important part of this is the emotional component. When real money is involved, then you will sometimes face actual losses. It’s hard for a human to completely trust the machine in real world trading

This. This all day. I used to paper trade using ThinkOrSwim and I was doubling and tripling my money effortlessly. Then I decided to move my strategy to the real deal and it didn't do very well at all. It was all bs.

Backtracking is useless because if you try out a million strategies, by chance you will find one that works for past data.

Alpaca?

Anecdotally my wife came very close to finishing a 4 year degree but ultimately did not for various reasons (she comes from a very disadvantaged family...) and not having one has been a major burden or blocker for her pursuing all kinds of jobs. I am hoping to help her finish, but it is hard to restart later in life and lots of past credits will probably be lost or not count anymore due to various academic bureaucracy roadblocks.


Yep, I've seen this with a lot of my friends who did a similar thing. HR employees screening you out alone is a huge problem.

I have some middle and upper middle class gen X and older friends giving their children TERRIBLE advice about how degrees aren't worth it anymore and you get more out of getting started in your career ASAP than spending 4 years in school. The problem is that a BS now is like a high school diploma when they grew up, and if you don't have one, then in all likelihood, you will struggle to not be downwardly mobile, as it's the new middle class gatekeeping tool.

People should NOT listen to anyone over 45-50 or so who tells them college isn't necessary. Those people grew up in a world that no longer exists.

Another example of bad gen X / boomer advice is to knock out core credits in community college and transfer to university later. They don't understand that your only shot at getting significant scholarships and financial aid is when you enter as a 1st time freshman. I know someone with brilliant kids who made National Merit Scholar this year who is already setting their kids aims low by advising them to do this when there are so many good universities, both private and state, where their kids have a good shot at getting a full ride.


> knock out core credits in community college

The correct way to do it is to utilize high school dual credit or dual enrollment offerings. Then you can shave off a year or two of college but still be eligible for freshman scholarships. Often cheaper than community college too.


> The problem is that a BS now is like a high school diploma when they grew up

> gen X / boomer

Those 2 generations aren't even remotely close in terms of shared experience of what high school diploma was like when they grew up.


Well that specific example paragraph was about financial aid, not the value of a high school diploma, so I fail to see your point.


Well, I’ll elaborate as a Gen-Xer; what you describe about financial aid was the exact same scenario we faced.

You are conflating the "exceptional" kid coming out of HS who is offered full rides (who clearly should take advantage of that and go straight into university with that full ride) with an average student who will have to pay for some or all of college. For the latter, community college for 2 years was and still is a good idea.


It really depends. In many states, for the latter, there are state programs that cover tuition if the student can meet some GPA and enrollment minimums. I knew someone in such a state still telling their kids to start in CC because that's what they knew from 30 years ago and they haven't bothered to research how things work now.


I think the point is that you need to feel out the options available, which are fairly unique to each kid based on geography and grades and parents and extra curriculars, not just take a one size fits all approach of going to community college.


>Another example of bad gen X / boomer advice is to knock out core credits in community college and transfer to university later. They don't understand that your only shot at getting significant scholarships and financial aid is when you enter as a 1st time freshman. I know someone with brilliant kids who made National Merit Scholar this year who is already setting their kids aims low by advising them to do this when there are so many good universities, both private and state, where their kids have a good shot at getting a full ride.

I'll have to push back on this. I'll give NJ as an example but other states have similar systems. In NJ, if you are in the top 15% of your graduating school you are covered for full tuition for the first two years at community college. You are also given a guaranteed spot at whatever public college/program you want. (EDIT: I am not sure if this is still the case; I'm trying to sift through the documentation but now I think it may also require a minimum GPA in CC.) Imagine getting that university degree and starting your professional career with potentially 0 debt.

Furthermore a variation of this program extends to families making less than 65k. If you meet that criteria, the community college degree is $0. From there you are given a course schedule that, if you follow it, will transfer 1:1 to a university, and if you do well academically there you can be eligible for reduced or waived tuition at the public college of your choosing. This system helps people who did poorly in high school or just didn't make the cut aid-wise get a second chance at tuition-free college.

If you make more than 65k, you still get reduced tuition on some sliding scale. And again excellent grades translate to more savings.

At least for NJ, Community college really sets many people up for an excellent start in their career by not having any college debt.


Many private colleges like Rice cover 100% of costs for all students with parents under a fairly high salary. Almost 40% of MIT students have financial aid that's equal or greater than their tuition. This is starting to get more and more common for elite colleges and universities.

I got a full ride plus stipend to a pretty good but not great school, but one of the things I wish my parents pushed me on harder was applying to schools like MIT where I didn't bother applying because I didn't want to be saddled with debt. This was a couple decades back, and it's so much easier to get a full ride now if you can make it in (admittedly much harder now).

My point isn't to write off community college. It's that a talented and accomplished high schooler should set their sights higher because the old idea that all these elite colleges are unaffordable is rapidly changing.

Also, I am not sure if you know people taking CC courses recently, but they are often taught in a way that gives you what you paid for at $0. Prerecorded canned lectures, infuriating and curiosity crushing online worksheets, etc. I know multiple people who were excited to do free CC when it was made free for older (30+) students whose academic aims were immediately stamped out within one semester because there was no college instruction. Just endless online worksheets. These things exist in other higher ed paths too, but truly not to the extent that I've witnessed.


I understand where you are coming from in regards to elite university. Certainly if a student can get admitted into an ivy league they should at least inquire about eligible aid packages. I would assume someone with the intellect to get admitted there would put in the work to explore all options.

Ivy league is a shrinking circle of spots and does not represent the majority of where exceptionally talented students go to as a result. Let's just take the example I cited: the top 15% of high school students in each high school in NJ would likely exceed the available spots at all Ivy Leagues. You mentioned public institutions in your original message. States have programs in place to ensure exceptional students are taken care of.

>Also, I am not sure if you know people taking CC courses recently, but they are often taught in a way that gives you what you paid for at $0. Prerecorded canned lectures, infuriating and curiosity crushing online worksheets, etc. I know multiple people who were excited to do free CC when it was made free for older (30+) students whose academic aims were immediately stamped out within one semester because there was no college instruction. Just endless online worksheets. These things exist in other higher ed paths too, but truly not to the extent that I've witnessed.

I was admitted to an Engineering school but due to severe health issues with family, I was forced to move closer and enroll in community college so I have gone through this experience in a unique way (Enrolled at University -> Transferred to CC -> Transferred back to University).

This was ~15 years ago but during that time all the teachers at the CC had Masters degrees in their field and also had additional teaching credentials (some had PhDs).

I found that instruction was very focused on ensuring students learned material vs my experience at my public Research based university where either TAs taught courses or professors focused on their research would reluctantly lecture as a requirement.

I will concede that instruction in subjects like Math/Physics was not of the same caliber as university, only because while CCs tended to give examinations consisting of hard versions of the practice problems assigned as homework, my Engineering university expected me to deeply understand the material and would give very unique problems during the common exams that test the deeper understanding vs just technique.

I am surprised to hear the anecdote that you expressed as that wouldn't pass muster with the university accreditation bodies as well as the admissions departments of the public universities that renew the "transfer agreements" with the CCs. In NJ there is a requirement of a minimum standard of instruction needed or else the receiving university has the right to reject course credit from the CC and rescind transfer agreements. The universities know who comes from the CCs and they are assessing academic performance of those students. For example Rutgers does this with some CC in their CS classes as the subject material is not 1:1 (they are offered as general elective credit instead so still allows the student to not fall too behind).

Let me ask you, was this anecdote occurring during COVID? Maybe that accounts for the strange online instruction?


>Certainly if a student can get admitted into an ivy league they should at least inquire about eligible aid packages.

Bear in mind when I say "elite college", I'm not talking Ivy Leagues, as those have covered tuition for the non-wealthy students for a while now. I'm talking elite liberal arts colleges (Amherst, Swarthmore), elite private universities (MIT, Rice), etc. Many state schools cover a lot but your mileage varies dramatically, and it's often tied to fairly intense GPA requirements. Georgia Tech has a student suicide problem because of this, for example.

>This was ~15 years ago but during that time all the teachers at the CC had Masters degrees in their field and also had additional teaching credentials(some had PHDs).

It's much worse now. A lot of the core classes (calculus, first semester bio and chem, etc.) don't have teachers at all. You're given all of your instruction via canned videos and your homework and evaluation through online tests. There's often a way to contact a teacher of some sort, but they will mostly be terse and just link you to a resource to work on it yourself or direct you to a forum where you and your classmates can talk about it.

This isn't covid, this is from this year. A lot of this started with covid but has stuck around for budgetary reasons. YMMV but for a lot of places, this is how you cut costs to be able to easily offer free college. Some of the classes will still have teachers, but the big ones that people typically use CC for will be largely automated because that's what scales.


And the opposite is true as well. I had a friend who had no idea how to market her labor, uncomfortable even with the idea of making a linkedin profile. She has an undergraduate degree, she did eventually find something, but it was a tiresome process. On the other hand, I had just finished a Master's degree, I had made up a linkedin profile to apply to a startup I thought looked interesting--no response, but, about a month later a recruiter messaged me on linkedin to work a short term contract that turned into the job I have now. There was practically no effort on my part for a job search.


Have you verified that these "academic bureaucracy roadblocks" exist? Surprisingly, I was able to pick my studies back up after almost 20 years, and not only were all of my existing credits counted, but they also exempted me from new requirements that had been added in the subsequent 20 years.


I have always felt certain media just looks better (to my own personal tastes) on VHS and on CRTs. I know that technically it isn't the highest possible definition or quality and that both have significant drawbacks in terms of fidelity or whatever. But my taste likes what it likes. Just like how some people think vinyl records can sound more appealing and warmer than the equivalent digital media, even though the digital version has a higher bitrate and other advantages.

I do in fact still have Toy Story on VHS and recently watched a bit of it with my toddler. And while I'm sure the Blu-ray or streamed version is higher resolution, wide screen, and otherwise carries more overall video and audio data than our tape I personally got a bit of extra joy out of watching the tape version on our old TV.

I never considered the color differences pointed out in the article here, and I'm not sure how they appear on home VHS vs on 35mm. Maybe that is a small part of what makes the tape more appealing to me although I don't think it's the full reason. Some feelings are difficult to put into words. Tapes on a full aspect ratio CRT just give me a certain feeling or have a specific character that I still love to this day.


There have been enough data breaches at this point that I'm sure all my info has been exposed multiple times (addresses, SSN, telephone number, email, etc). My email is in over a dozen breaches listed on the been pwned site. I've gotten legal letters about breaches from colleges I applied to, job boards I used, and other places that definitely have a good amount of my past personal information. And that's not even counting the "legal" big data /analytics collected from past social media, Internet browsing, and whatever else.

I now use strong passwords stored in bitwarden to try to at least keep on top of that one piece. I'm sure there are unfortunately random old accounts on services I don't use anymore with compromised passwords out there.

Not really sure what if anything can be done at this point. I wish my info wasn't out there but it is.


I used per-account email with alias services and password managers.

Also started migrating old accounts in free time.

Now it's pretty easy to tell the source of a leak by email addresses as well as sources of spam.

---

Per-account alias might sound much, but using sieve filtering [1] is amazing, and you can get a comprehensive filtering solution going with 'envelope to' (the actual address receiving the email) + 'header to' (the recipient address you see, sometimes filtering rules don't filter for BCC or sometimes recipients are alias instead of your actual email) that are more comprehensive than normal filtering rules to sort your emails into folders.

[1]: https://datatracker.ietf.org/doc/html/rfc5228

---

Amusingly, I've managed to recover old accounts from emails that contain my old passwords with demands for crypto payment; it just provided me enough help to recall old variations of my passwords.
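The per-alias sorting described in the comment above, written out as a Sieve script (RFC 5228 plus the envelope, variables, fileinto, mailbox and imap4flags extensions). This is an added example, not the commenter's own configuration; the domain alias.example.org, the alias names and the folder names are all hypothetical. It routes on the envelope recipient, which is the address the server actually accepted, and flags messages whose visible To:/Cc: headers do not mention the alias they were delivered to, which is the Bcc/forged-header case the comment is pointing at.

```sieve
require ["envelope", "variables", "fileinto", "mailbox", "imap4flags"];

# Retired alias: an address that has already leaked and now only draws spam.
# Anything still delivered to it is quarantined instead of reaching the inbox.
# (Alias and folder names are hypothetical.)
if envelope :is "to" "oldshop@alias.example.org" {
    fileinto :create "Quarantine";
    stop;
}

# Route on the envelope recipient (the RCPT TO address the MTA accepted).
# This still works when the alias appears only in Bcc or when the visible
# To: header has been rewritten. "${1}" captures the part before the "@".
if envelope :matches "to" "*@alias.example.org" {
    set :lower "service" "${1}";

    # Cross-check against the visible recipients: a message delivered to the
    # alias whose To:/Cc: headers never mention it was either Bcc'd or had its
    # headers forged. Flag it so it stands out inside the per-service folder.
    # addflag must precede fileinto so the flag is applied to that delivery.
    if not address :contains ["to", "cc"] "${service}@alias.example.org" {
        addflag "\\Flagged";
    }

    fileinto :create "Accounts/${service}";
    stop;
}
```

Because the envelope test runs first, a leaked alias can be retired by adding one more `envelope :is` rule at the top; nothing that matches it ever reaches the generic routing block.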


> I used per-account email with alias services and password managers.

For people who want to do this, be sure to get it right. I run a SaaS with a free tier, and I see people register with "fancy+nospam+servicename@gmail.com" addresses. Many of those become undeliverable or are left unread forever because of filtering rules. So when my system sends a warning E-mail that the account will be deleted due to inactivity, it doesn't get read, which leads to suboptimal outcomes for everyone involved.


It was infuriating to me when normal_email+site_name@gmail.com stopped working for registration on some sites.

Fucked up my Costco registration, a variety of other things.

This sort of quasi-pseudonymity is required for basic security/privacy in 2025; it's the only way to get a handle on who's allowed to send you email, since we've never bothered to fix spoofing or impose a cost on spam. I've been trying to use it since Sneakemail was a free service back in the pre-Gmail days.


Many spammers will strip the +xxxx out of the emails anyway to not reveal the source of their data so it doesn't matter too much really.


I just use <myname>+<service>@gmail.com. At the end of the day it's all delivered to the myname@gmail.com mailbox, but I can use filters based on the part after "+".


I'd be really surprised if Gmail's + behaviour isn't so well known by spammers that they just strip them off?


Conversely, I'd assume this pattern is used rarely enough for spammers to even bother fighting it.


But I've seen service providers who insisted on creating some account with a valid email who wouldn't accept a `+` in their forms...


My favorite was that I could sign-up with the + address but couldn't sign-in. And the support desk rejected that + address too.

The phone support person was confused about that symbol too, what an odd email.


This is one of the reasons I switched to a different provider using a custom domain. I can make new addresses in any format I want. There's zero risk of a spammer stripping them down to a base address for the primary account. They also don't get rejected by broken validators.


What's your plan for when you no longer own your custom domain (think bus factor)? Someone else registers your domain and now has access to all your accounts.


Everyone has their own risk profiles; mine assumes I retain control over my domains and emails. I prepay for them several months in advance to make sure I don't lose ownership. Any service provider worth their salt will have a human factor for customer support who can help you if any such issues show up.


Thank you for expanding. Sure you can prepay up to a certain extent. Eventually your domain will be available to others for purchase and therefore your accounts will become vulnerable. Maybe this isn’t an issue if in the worst situation you’re not around but if this could cause chaos for your friends and family I would suggest taking it into account.


>Eventually your domain will be available to others for purchase and therefore your accounts will become vulnerable.

what are you talking about? after I'm dead?


Any situation in which you fail to renew them.


Given that domain renewals can be purchased multiple years into the future, along with the fact that there are grace periods after expiration, it would take an awful lot of failure to lose a domain unintentionally. I've held my primary domain since 1997 across multiple registrars and numerous hosting / colocation arrangements over the years. It sounds harder than it is if you haven't done it before.


yep, i use fastmail with a custom domain. i have a catch all email set up, so i just register any account on sitename.com as "sitename@mydomain" and it all gets sorted into a catch all folder. I can then run rules if i want it to go into a certain category like "bills" or just straight to the garbage.


Not sure about normalizing recipients' emails but some are definitely aware of it because I've seen spam that asked to "reply back to defi.n.it.ely.not.shady+email@gmail.com" or something.


even better: those will be spam guaranteed and can just be filtered by rule then


With Gmail, also note that firstname.lastname@gmail.com is equivalent to firstnamelastname@gmail.com or fi.rs.tn.am.el.as.tn.am.e@gmail.com

As some other comment suggested, these rules are easy to tackle by motivated spammers.


If they were motivated, they wouldn't work as spammers.


Some spammers make obscene amounts of money. CEO of Fortune 100 money.


10% of all of Meta's income is from scammers.


I see what ya did there, you get an upvote.


I do this as well, but there are a number of service providers that just do not handle subaddressing at all. Like creating an account will result in never receiving a confirmation or verification code because the system failed to parse the address.

I've started using grouped aliases instead for a bunch of things.


The downside is that https://haveibeenpwned.com/ can only find "exact email" addresses, as in, you must search for myname@gmail.com, myname+service1@gmail.com, etc.


As someone who deals in breach data this is a simple regex to strip out.


>As someone who deals in breach data this is a simple regex to strip out.

Sure it is, but at least you do get later, post leak, a slight chance to find out where the leak originated.

Data stealers seldom strip out that +extension part before selling or otherwise dumping it somewhere. And while it's passed on, you get to see the address as you gave it to the party that had the leak. The reason sellers don't strip it off is perhaps because they sell by number of unique addresses, and while +extension usage is quite rare, they make more money when they don't strip it off.

Information about where it leaked can be very useful to pass on to the leaker, at least up until the point they have announced they know about the compromise. I've done that since the turn of the century, too many times to count, and have quite often been the first to let them know that they had a problem there.

And sure, I've received thank-you emails for giving them early heads-up info about the issue.


Careful with this method. I was unable to purchase plane tickets from Southwest or even change my email address because they changed their parsing rules on me and silently dropped the plus. I found out most airlines don't have a ticket counter to buy a ticket the old fashioned way! But the premier help can issue tickets. Took me two months to have CS get someone to run a DML to remove my "bad" email address.


It's probably easier to tell them "I lost access to that email, I need to set up a new account". People do this all the time.

On some level, my employer uses emails as the primary key for customer accounts, the baseline identifier which all information is filed under. It's quite ridiculous.


> On some level, my employer uses emails as the primary key for customer accounts, the baseline identifier which all information is filed under. It's quite ridiculous.

I've lost track of the number of places that use the e-mail as an unchangeable identifier. Bonus points for my company liking to change domain names for sport, which just confuses support.

And even big tech companies, who should know better, do this. Like the big blue CDN that's in the middle of half the web's traffic. Who also, for some reason, can't be arsed to send e-mails reliably if you need to change your account.


I did, but the CS agent kept trying to change the email to a new one when I told them I had lost access, and the validation failed because it wanted to send an email to the old address about the email being updated and couldn't. They didn't have the right tools to fix it.

Had to get an engineer involved.


Anyone who’s looked at breach data knows to try yourname+service for any service.

This does help in filtering spam though


It doesn't have to be literally the service name. Can be any unique alphanumeric suffix you make up randomly. As long as you use a password manager you don't have to remember it.


Indeed, it needs to be more than just the company name if you want it to be useful later. If the email address used is company@example.com, any idiot could guess company. But email received at company_wkhx46@example.com clearly has to be from them, or they got hacked.


That's why you have to salt the + portion (look up an old email from the service if you forgot the alias).


> Anyone who’s looked at breach data knows to try yourname+service for any service

Since we're all using a unique password for every service - <cough> we are doing that, aren't we (!!) - then how does that help?


I tried to start doing this. The first site I tried to sign up to said it was an invalid email address.

I would say they could fuck all the way off, but there are legitimate reasons to not let people sign up with an alias (like one person signing up for multiple free trials)
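The thread above touches four things that are easy to get wrong in code: Gmail treats dotted and +tagged variants as one mailbox, many sign-up forms wrongly reject `+`, a per-service tag should be salted so a third party cannot guess it, and a service may legitimately want to spot one mailbox behind several "separate" sign-ups. The following is an added example written for this page, not code from any commenter or provider: a validator that accepts subaddressing, a canonicaliser that collapses Gmail's dot/plus variants, and salted aliases with a lookup that attributes a leak. The set of dot-insensitive domains and the registry layout are assumptions.

```python
"""Subaddress-aware e-mail handling. Added example, not from the thread."""
from __future__ import annotations

import re
import secrets
import string

# Local-part grammar from RFC 5322 dot-atom text. '+' is an ordinary atext
# character, so a sign-up form that rejects it is simply wrong.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_LOCAL = rf"{_ATEXT}+(?:\.{_ATEXT}+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"
_ADDRESS_RE = re.compile(rf"^({_LOCAL})@({_DOMAIN})$")

# Providers whose delivery ignores the '+tag' and dots in the local part,
# as the thread describes for Gmail. Assumption: extend per provider.
_DOTLESS_PLUS_DOMAINS = {"gmail.com", "googlemail.com"}
_ALPHABET = string.ascii_lowercase + string.digits


def is_valid_address(addr: str) -> bool:
    """Syntactic check that accepts subaddressing (user+tag@domain)."""
    return len(addr) <= 254 and _ADDRESS_RE.match(addr) is not None


def split_address(addr: str) -> tuple[str, str, str]:
    """Return (base local part, '+' tag or '', lower-cased domain)."""
    m = _ADDRESS_RE.match(addr)
    if m is None:
        raise ValueError(f"not a valid address: {addr!r}")
    base, _, tag = m.group(1).partition("+")
    return base, tag, m.group(2).lower()


def canonical(addr: str) -> str:
    """Delivery-equivalent form, for spotting one mailbox behind many sign-ups
    (e.g. repeated free trials). Tag and dots are dropped only for providers
    in _DOTLESS_PLUS_DOMAINS; elsewhere '+' may be part of the mailbox name."""
    base, tag, domain = split_address(addr)
    if domain in _DOTLESS_PLUS_DOMAINS:
        return f"{base.replace('.', '').lower()}@{domain}"
    local = base if not tag else f"{base}+{tag}"
    return f"{local.lower()}@{domain}"


def make_alias(base: str, domain: str, service: str, salt_len: int = 6) -> str:
    """Per-service alias with a random salt (base+shop-k3x9qz@domain), so a
    third party cannot guess it from the service name alone."""
    label = re.sub(r"[^a-z0-9]", "", service.lower()) or "svc"
    salt = "".join(secrets.choice(_ALPHABET) for _ in range(salt_len))
    return f"{base}+{label}-{salt}@{domain}"


def attribute_leak(received_to: str, registry: dict[str, str]) -> str | None:
    """Map the To: address of an unexpected message back to the service it was
    given to. registry: lower-cased alias -> service name, as kept in a
    password manager. None for the bare address or an alias not on record."""
    base, tag, domain = split_address(received_to)
    if not tag:
        return None
    return registry.get(f"{base}+{tag}@{domain}".lower())


if __name__ == "__main__":
    # Constructed sample data.
    alias = make_alias("me", "example.com", "Some Shop")
    registry = {alias: "Some Shop"}
    print(alias, "->", attribute_leak(alias, registry))
    print(canonical("Fi.rs.tn.am.e+promo@Gmail.com"))   # firstname@gmail.com
```

The registry is the piece that makes salting workable in practice: the alias is stored next to the credential in the password manager, so nobody has to remember the random part, and an unexpected message to a salted alias points at exactly one account.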


There's other issues as well: occasionally a service will not allow using their service name in your email address. My usual response to this is to misspell it and use an address cursing them instead. (Since these accounts are usually one-off to register to view something, I really don't care if they delete my account in the future and I don't bother to save the password)


Right. Because it's oh so difficult to set up a separate e-mail account with one of the free providers.

I have such a hard time understanding why people think e-mail addresses are some kind of special thing hard to come by.


When I'm signing up for one service, I don't want to have to sign up for another service, no matter how easy it is. It's not a question of difficulty, it's a question of convenience.

That's why services like Firefox Relay exist. It just generates a new email address for you whose inbox gets relayed to your regular email, no fuss needed. I don't personally pay for it but I do use the heck out of the free email addresses they provided.


(the keyboard smash username is apropos)

> Per-account alias might sound much

Not only does this not sound too much, this is a feature Apple offers called Hide My Email: https://support.apple.com/en-us/102548


And one day you've had it with Apple's latest user-hostile shenanigans and switch to Linux. What now? Do you just keep paying for iCloud+ forever?


In my experience the overwhelming majority of services permit me to change my email address.


Of course. But I have hundreds of user accounts, as probably many people do. I would not enjoy changing all those email addresses.


wouldnt this be the case for any vendor you choose?


Indeed. But some are easier to change than others. I switched my e-mail provider, and it took all of five minutes to launch the copy of my data. Since I kept the same domain, everyone sending me e-mails didn't notice anything.

With Apple's approach, I'd have to go through each account and move it from something@icloud to something@new-domain.

However, for people who don't want to mess around with custom domain names and e-mail providers, Apple's approach is very practical. You just need to tell it to "hide your email" when you register somewhere and you're good to go.


yes


As someone who uses both, I much prefer aliases to hide-my-email for the more important stuff. For one, I can choose the email address "username", which I cannot with Apple's solution. Plus, what happens when I move on from Apple to something else?


But aliases can be easily mapped back to your normal email address, unlike Apple's which are opaque. I, too, am afraid of vendor lock-in though. Sadly, couldn't find a good alternative yet


There's no solution to lock-in because there must be some massively shared domain that the email address exists on for the anonymity of the service to properly work. However if you are simply looking for an alternative to Apple, Fastmail offers a masked email service too.


Not sure where you're coming from - my original email address is not being shown in headers, so those seem fairly opaque. Probably depends on your email provider?


I do this also. I started doing it with physical mail before email existed to sort out the junk mail, so first and last name always contained a reference to the company you were dealing with. Paul Allen back in the 80s said in a Seattle Times interview that it was how he handled it.


I also use per-account emails, but not sieve filtering. Catch-all is helpful for throw-aways, aliases for the more important stuff.

It's super-easy to figure out who leaks my emails to whom, so I can easily disable both the leaker and the people who leaked.

Much more user-friendly than Apple's hide-my-email.


> I used per-account email with alias services and password managers.

20-something-ish years ago I setup qmail in my VPS and a .qmail-default file captures all my me-sitename@vps emails. If they send me junk I echo '#' > .qmail-sitename and that's the end of it.

Other things that get a mixture like someone annoying who harvested my ebay/paypal addresses or something, I'll sift out the good (stuff I need) via maildrop and everything else gets junked.

Honestly one of the best, but annoying, things I've done, well worth the time invested as I have a nice clean mailbox.


Did exactly the same. The only difference is that I use compromised emails to train the spam filter.


> I used per-account email [addresses] with alias services

I do too (anything@mysubdomain.example.com), but online services collude with data brokers to share so much information [0] that I don't doubt that many of these "separate" profiles have been aggregated.

Unfortunately the services that supposedly offer to have your personal data removed from data brokers don't seem to support aliasing, so no straightforward way to either find out or have the data removed.

[0] Just look at the scary list of third-party cookies you can't opt out of on Coursera [1], for example:

Match and combine data from other data sources 419 partners can use this feature Always Active

Identify devices based on information transmitted automatically 546 partners can use this feature Always Active

Link different devices 358 partners can use this feature Always Active

Deliver and present advertising and content 582 partners can use this special purpose Always Active

[1] https://www.coursera.org/about/cookies-manage


> [0] Just look at the scary list of third-party cookies you can't opt out of on Coursera [1],

I can opt out of all of them. The only third party cookie I can't is a cloudfront one for CSRF.


They've changed their cookie consent provider (or rolled their own) since my comment. Probably just a happy coincidence, but well done Coursera in any case for fixing a pretty egregious breach of regulations.

The other good news in the meantime is that the EU (who originally mandated cookie consent) has finally woken up to the ridiculousness of leaving it up to the site, and will require browsers to enforce it instead.


+1 for Bitwarden. It is literally the best solution out there. Been getting to increase uptake in personal circles with (very) limited success. The wife keeps trying to convince me that the ship has sailed in trying to protect info online. She's probably right.


Now that I'm not only using a Macbook and iPhone, I've been looking for cross-platform solutions.

For a week I've been using KeePassXC + Syncthing between four devices. Syncthing is also syncing my Obsidian vaults which has replaced Apple-only Notes.app.

Bitwarden is definitely more polished, and Syncthing is definitely (much) more fiddly than using Bitwarden's and Obsidian's ($5/mo) native syncing tools.

But I like the idea of having the same syncing solution across all apps on all devices. Curious if anybody can recommend this setup or if collisions will make it unbearable.


If you have a nas, I highly recommend you set up a VPN back to your network. It's been a bit of a game changer for me. I don't fiddle around with Dropbox or gdrive anymore, it's just on my nas and it just works. I was even mounting /home from it but that was a bit of overkill and still caused some hassles when I was completely offline- like on an airplane. Vpn has other advantages as well like no longer really having to worry about sketchy wifi networks. It felt annoying and like overkill at first, but I'm never going back to relying on any sync apps again.


> I was even mounting /home from it but that was a bit of overkill and still caused some hassles when I was completely offline- like on an airplane.

I solved this by having /home for desktops/workstations on my NAS, but laptops had their own /home (with the NAS /home mounted somewhere locally). It’s not perfect but was way easier than dealing with the offline case.


Yes, I'm using Tailscale, and you're basically always on your home network. Very convenient.


I have used this setup for 6 years or so with KeePassXC and it's fine. Just being mindful of not editing stuff on other devices before the first one has had the chance to sync has been enough to avoid pretty much all sync conflicts. I have only had to resolve those a few times so far, iirc my android client was misconfigured at the time or something.

I still recommend Bitwarden for password management for any "laypeople" since it will just work. Also worth noting that the basic functionality is free.


I do something similar with Syncthing, except I use pass and go-pass on my and my spouse's devices. Those utilities store their data in a git repo already by default, but rather than syncing those repos directly, I have set their upstream remotes to local bare repos which is what Syncthing actually syncs. This avoids contention internal to the git repos which I could see causing some problems through normal git operation and the actual sync between devices should be mostly atomic.

(go-)pass automatically does a push/pull due to several operations which keeps the password store in sync and Syncthing does its thing with the bare repos.

This has reduced my maintenance burden on my spouse's devices down to practically zero. The worst case to fix things is I need to `git pull --rebase` in the bare repo. The pass repo format uses individual encrypted files for each password entry (for better or worse) so I have yet to run into a conflict in the same entry.

Why not just push/pull git branches normally? I had previously been doing that but if you want devices to sync that may not always be online, then you must involve an always online git server (which isn't a great idea due to one of pass's weaknesses).


Even when you do get a sync conflict, Syncthing will rename one of the copies and then you can have KeePassXC merge the two files back into one. So that's still pretty much hassle-free.


Probably due to Obsidian's aggressive autosaving, I did cause a syncthing collision my first day by clicking into a note that I was editing on my other device. Kinda wish desktop Obsidian had a save system more like code editors and less like smartphone apps.

I suppose I can avoid the issue with some discipline.


This is the same setup I used for years with no issues, both KeePassXC and multiple Obsidian vaults, along with some other random files and folders. Syncthing is pretty much rock solid. Now I have the KeePassXC database stored on my NAS which is even simpler.


The cool thing with KeePass is that each client is also a local backup. It's pretty neat.


I use a similar setup, but with Onedrive instead of Syncthing (and, before that, Dropbox).

In the almost 10 years I've been running this setup, I think I hit a conflict one single time. I don't quite remember the details, but I think I accidentally edited something in the mobile app, and before saving, edited something else in the desktop app or vice-versa. So it was pretty much my fault.

Other than that, literally never had an issue. Password managers are by their nature mostly reads, and very occasional writes, so it's very hard to put yourself in a situation where conflicts happen, even if you don't pay attention to it. I've made an identical setup for my (fairly savvy but non-technical) fiancee, and she's never hit an issue either. I had to insist a bit for her to get on board, but years later she actually loves using KeePass. She's thanked me multiple times for how convenient it is not having to remember passwords anymore!


Not sure about Obsidian sync, but for Bitwarden you can self-host Vaultwarden.


> Now that I'm not only using a Macbook and iPhone, I've been looking for cross-platform solutions.

1password works in all the places, it's just not open source.


One consideration is that Bitwarden seems to not work fully in an offline state the same way your setup would. I constantly try to edit or add a password while offline and can't. I think this somewhat negates the collision situation though.


That came up during my research and it's one of the reasons I couldn't choose it.

Forcing a read/write right before and after each edit probably simplifies the sync scenario for them but I don't like relying on permanent internet access in my life since it's just not the case.


I originally started using Bitwarden to achieve sync across Mac, Windows, and Linux machines, along with all major browser platforms. It's been great!


You can throw a keepass vault on OneDrive or Dropbox and it works just fine everywhere. Not fiddly at all except Linux and OneDrive support.


I have almost the exact same setup! Hit me up if you have any Qs as I've been a happy user of this for a few years now.


Which device can you not use bitwarden on?


strongbox is a reasonable app for iOS and you can set it up for sftp to your main self hosted server.


Unfortunately strongbox was sold a few months ago to a somewhat notorious app firm that has the nasty habit of buying popular apps and adding a whole bunch of telemetry. Not something I'd want in a password app.

I've switched to KeePassium. Not quite as polished UX, but works for me


I'm using KeePassium and SyncTrain for the syncthing integration on iOS.

SyncTrain has been working well, but all the knobs in the advanced folder settings definitely remind me that I would never recommend it over Dropbox/iCloud/etc to almost anyone, heh.

But as long as I don't run into frequent problems, I like the idea of p2p device syncing over LAN. The phone in my pocket ends up passing around the latest copy since my other devices are almost never on at the same time. It's kinda cute.


> Not quite as polished UX

Huh, this is interesting… If you have any specific UX pain points, feel free to reach out.


Why not just run a vaultwarden instance at that point?


No matter how you sync, a Keepass file is a file. I can't be logged out. It will still be on my phone if my house burns down. Every device it's synced to is an additional backup copy.

The Bitwarden client will sometimes log you out if something happens on the server side, which has the potential to make worst case recovery from annoying to impossible. The circular dependency of having my cloud backup password in the vault made me nervous.

Yes, you can back your vault up, but it's a manual step and likely to be forgotten.


Can anyone with experience with 1Password and Bitwarden share their opinions on each.

I've been on 1Password for years and am wondering if I'm missing anything.


1password has better UI/UX and is faster but Bitwarden is cheaper, supports prompting of the master password for specific passwords, and better security options (such as app idle settings instead of just device idle)

I just trialled it but got a refund


I started paying for 1Password years ago when an annual family plan was $48, and to their credit, they've kept me grandfathered in to that price this whole time.


I'm not saying 1Password is expensive, but Bitwarden is only $10 a year


1P is closed source and has had a number of breaches in the past. Bitwarden has had none that I'm aware of, and they're FOSS. I however have been preferring ProtonPass lately (also FOSS) and really like the layout over BW.


> and have had a number of breaches in the past

Do you have a source for this claim of multiple past breaches? The only one I know of is the Okta breach.

For me they're still firmly in the 'one of the best options out there' category because cross-platform usability is incredibly good imho. I will admit it's been quite a while since I migrated from KeyPass so maybe these other options have improved too.


This is either ignorance or throwing shade at 1Password. Outside of their Okta thing (which didn't impact vaults as far as I'm aware, and was more Okta's fault) they never had a compromise. They are definitely an excellent provider.


I might be that guy soon. I really don't like Bitwarden's extensions, they have clunky UX, are slow and often don't even respect my settings. Autofill is a crapshoot, especially on Android. And they have performance issues with the Firefox and Chrome(-based) extensions so it's not even platform specific.


Same experience here


I use a similar service, I always wonder what sort of risk having one point of failure has though. I know 2FA helps, but a particularly motivated person with access to your physical still may be able to get both, especially if it's for an investigation of some sort.


I switched from Bitwarden to Proton Pass (because we got Proton family) and I find it to be equally good. I even find sharing credentials a bit easier as it does not require organizations, you can just share with individuals.

Proton also has a separate 2fa totp app.


Bitwarden Families plan is $40 a year and supports up to 6 users. It has TOTP built-in, is open source[1] and has been audited multiple times[2].

The individual plan is $10 a year. I've been a happy user for many years. I converted the last business I was at to exclusively using Bitwarden for Business as well.

[1] https://github.com/bitwarden/

[2] https://bitwarden.com/help/is-bitwarden-audited/


Bitwarden supports TOTP too, even though it's not entirely obvious from the UI.


TOTP inside a password manager doesn't make much sense to me. What's the point of two factor auth if both factors are stored together?


I don’t know the “correct” answer, but here’s my answer as someone whose TOTP are split across a YubiKey and Bitwarden: I store TOTP in Bitwarden when the 2FA is required and I just want it to shut up. My Vault is already secured with a passphrase and a YubiKey, both of which are required in sequence, and to actually use a cred once the Vault is authenticated, requires a PIN code (assuming the Vault has been unlocked during this run of the browser, otherwise it requires a master password again).

At that point, frankly, I am gaining nearly nothing from external TOTP for most services. If you have access to my Vault, and were able to fill my password from it, I am already so far beyond pwned that it’s not even worth thinking about. My primary goal is now to get the website to stop moaning at me about how badly I need to configure TOTP (and maybe won’t let me use the service until I do). If it’s truly so critical I MUST have another level of auth after my Vault, it needs to be a physical security key anyway.

I was begging every site ever to let me use TOTP a decade ago, and it was still rare. Oh the irony that I now mostly want sites to stop bugging me for multiple factors again.


My Bitwarden account is protected with YubiKey as the 2FA. I then store every other TOTP in Bitwarden right next to the password.

I get amazing convenience with this setup, and it's still technically two factor. To get into my Bitwarden account you need to know both my Bitwarden password and have my YubiKey. If you can get into my Bitwarden, then I am owned. But for most of us who are not, say, being specifically targeted by state agents, this setup provides good protection with very good user experience.


2FA most commonly thwarts server-side compromised passwords. An API can leak credentials and an attacker still can't access the account without the 2FA app, regardless of which app that is. The threat vectors it does open you up to are a) a compromised device or b) someone with access to your master password, secret key and email account. Those are both much harder to do and you're probably screwed in either case unless you use a YubiKey or similar device.


How is it possible to have compromised password but not compromised the second factor? I don't understand the theory of leaking not enough factors. What is stopping webmasters from using 100FA?


> How is it possible to have compromised password but not compromised the second factor?

Server-side (assuming weak password storage or weak in-transit encryption) or phishing (more advanced phishers may get the codes too but only single instance of the code, not the base key).

> What is stopping webmasters from using 100FA?

The users would hunt them down and beat them mercilessly?


So 2FA is a protection against the server's admin? Not even the user's protection but the webmaster's one?


Mostly for the sites that insist on MFA and I need to use daily. Using two separate stores would be too annoying, and the increase in security is minimal - I consider Bitwarden to be secure enough (password + yubikey), and the main scenario somebody could get to my account would be on the server side, or phishing. For that, MFA helps somewhat, but storing MFA code in a separate app doesn't do much.


Bingo. You need to use a different totp.


Why do we need a separate 2FA TOTP app for anything? :| I have a feeling too many people have no idea what TOTP is, and how easy it is to implement.
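The comment above is right that TOTP is small. As an added example written for this page (not a commenter's code and not any password manager's implementation), here are RFC 4226 HOTP and RFC 6238 TOTP using only the standard library, with a skew-tolerant, constant-time verifier and the base32 decoding that authenticator apps and otpauth:// URIs use. The secret is the RFCs' own published test key, which is why the expected codes are public too.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with only the standard library.
Added example, not from the thread; RFC_SECRET is the RFCs' published test
key, never a real one."""
from __future__ import annotations

import base64
import hmac
import struct
import time

# The 20-byte ASCII secret used by the test vectors in both RFCs.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then 'dynamic
    truncation' picks 31 bits at an offset given by the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int | None = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int | None = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept codes from +/- `window` steps around now to absorb clock skew;
    the comparison is constant-time. A real verifier must also remember the
    last accepted counter and refuse replays (RFC 6238 section 5.2)."""
    now = int(time.time()) if at is None else at
    counter = now // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + k, digits), code):
            return True
    return False


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps and otpauth:// URIs carry the secret as unpadded
    base32 (often with spaces); restore padding before decoding."""
    s = text.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))      # 755224
    print("TOTP at t=59 :", totp(RFC_SECRET, at=59))   # 287082
    print("TOTP now     :", totp(RFC_SECRET))
```

The whole scheme is one HMAC per code, which is why it fits inside a password manager at all; what the vault cannot do for you is the replay check and the decision, discussed above, of whether the seed belongs in the same database as the password.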


> Bitwarden

Best when paid for so you can do 2FA with TOTP codes!


I self-host through Vaultwarden but I think I miss this. Besides, I feel like paying these guys anyway just for the great product. We use 1Password at $dayjob and it's so primitive by comparison.


What is lacking in 1Password by comparison? I pay for a family plan but maybe I should switch next year.


Here are the things that get me, and maybe it's because I haven't configured it well yet.

1. On firefox first start-up is slow after unlocking to actually find a password for a site. The interface says, "No logins for xyz.com" for maybe 5 seconds before the login loads.

2. Along those lines when I open it first thing in FF the box for its password isn't focused and I have to click it.

3. The keyboard combo to open it also only works in Chrome.

4. To add a new login I have to go to the site. I haven't figured out how to do it from within the plugin.

5. We get alerts at least once a week about service disruptions but they don't seem to actually affect me.

6. I like Bitwarden's command line tool but I bet 1Password has something at least as good that I haven't found yet.


How is 1password primitive? It does TOTP. It integrates with TPM in Windows Hello. It does SSH keys and has its own agent which is a huge help. Its sync is nearly instantaneous. It handles multiple accounts with ease.


TOTP works with vaultwarden.


Oh cool! I'll have to dig into it.


Yes definitely. Works great.


1Password supports TOTP?


Really? I find it to be the complete opposite.


The moment you put TOTP in Bitwarden it is no longer a 'second factor'. Pretty bad security advice to be honest. Better to use hardware tokens or a secure phone (with enclave) instead (never SMS though).


In most cases a true second factor isn't really what any involved party cares about.

My bank (I mean, they use SMS, but pretend they use TOTP) just care about not having to spend money on support because I used "password1!" as my password for every account and lose all my money.

I just want to log in to my bank.

If I've got a long, random, unique, securely-stored password, I don't actually care about having a second factor, I'm just enabling TOTP so that I don't have to copy/paste codes from my email or phone.


> If I've got a long, random, unique, securely-stored password, I don't actually care about having a second factor

I'm not comfortable with my entire online identity being protected by a single line of defence which is a company that I'm paying a few dollars a month to. Not having to type 6 digits off a phone is a pretty minor convenience for me.


Do you then avoid syncing any passwords to your phone to avoid having your two factors in the same place? (And similarly, avoid syncing SMS to any devices where you do have passwords.)


I think it’s mostly nice for places that require TOTP but don’t actually rate carrying around/plugging in a yubikey for.


It costs $10/year, so there's really no reason to not pay for it.


I have two reasons not to pay for it: 1) Aegis is free. 2) I'd rather not have my second factor be stored in the same database as my first factor.


You can just not store the TOTP tokens in Bitwarden? I don’t see how this is an argument against.


If I only store passwords in Bitwarden, not TOTP tokens, then I don't have to pay for it. So, it's an argument for spending less money while being more secure.


I’ve never paid and Bitwarden does 2FA/TOTP for me?


Is this sarcasm?


I convinced my wife to start using a password manager, too (Bitwarden). Now she stores all of her very guessable, short, similar passwords in a manager. Sigh.


So happy to not have to remember whether the [firstname][lastname][number] password ended with a 4 or 5


Addresses? Most of the time addresses are a matter of public record. I have used https://www.fastpeoplesearch.com/ a couple of times to search for people's addresses and it really works. One day a close friend excitedly told me she bought a new house and I told her the address before she told me about it.

Telephone number? There used to be phone books. And I still instinctively think they should be public.


An address can be dangerous if it's e.g. a social network site or blog, anywhere where you post under an alias. People make enemies, have stalkers, or say things online that certain regimes don't like. Granted, this is only really a thing for a minority, but if a minority isn't safe, nobody is.


I was thinking the same thing. Can you imagine the headline?

"Forget Hackers! Phone Company Delivers Your Private Info—Including Your Home Address—Directly to Strangers!"


> Telephone number? There used to be phone books. And I still instinctively think they should be public.

I used to think the same. Around here I feel until a few years ago most people I knew with secret phones were people I would prefer to have fewer interactions with: people who frequently got into trouble, tried to scam others etc.

These days I’m more in the camp of layered security. Whatever I can do to make it harder for an attacker, the better.

> I have used https://www.fastpeoplesearch.com/ a couple of times to search for people's addresses and it really works.

Tangential:

Sorry, you have been blocked You are unable to access fastpeoplesearch.com

(Safari on a stock iPhone, mobile broadband from the biggest and most well known telecom company in my country, ipv6 address.)


They probably block non-U.S. IP addresses since it's for persons in the U.S.


Addresses can lead you to public land and mortgage records, and phone numbers can lead you to names and addresses. I assume everyone can easily find that out about me once they know my name/phone number.


I think the headline is a bit vague, it includes passwords as well. Does anyone know if Troy's HIBP'd site reveals the passwords to verified users? I'd like to know if my current or what generation of passwords has been breached to evaluate if I have a current or past problem with my devices.


They do not want to have such a list as it makes them a target.

What they do have is a searchable password list not connected to any usernames.


*searchable list of password hashes


> what if anything can be done at this point

I'm in a similar situation, just make sure your credit is frozen with the 3 major US companies. I had someone steal like $50 of cable TV with my info in another state and it was a major pain to get off of my credit report.


I was in the military. China stole my freaking DNA profile. I've given up on worrying about this stuff.


Gonna be a very weird day for you when China's clone army invades us.


If nothing else, I guess one should at least be kinda proud that of all stolen DNAs, yours is the one they end up making a clone army out of.


5,000,000 Kulahans invading America would not be very effective thus I have defeated China myself, no thanks are necessary.


Even better "please give us all the things which could be used by a foreign power to blackmail you, or apply pressure to relatives or other close contacts" and then poorly secure that database.


Those are the same guys who told us we must give them backdoor keys to every encryption algorithm, because nothing can go wrong with it and otherwise terrorists win.


DNA, blood type, fingerprints, and anything else on your background checks...

They even got my kids' social security numbers.


That is awful, but it doesn't lessen the impact of someone who right now has access to your email and/or other accounts. China having your DNA profile is not nearly as impactful as someone actively stealing your identity and potentially ruining your finances. Use 2FA everywhere, and if your email is in this list, you should change your password.


The number of years I got "free credit monitoring" I can pass it down to my children . . .


I feel like only in the US is credit monitoring something sold as an optional service.

I got a confirmation mail from System76, because apparently they feel the need to validate my credit card can't be used without my approval, but my bank does this by default…


Yes. US residents' ability to obtain credit (cards, cars, houses) is based on three shadowy for-profit organizations who each keep a secret score on each resident.

One's employment history is not a factor in the score at all (contrast this with Europe).

Furthermore, privacy in the USA is so bad, the leaking of one's personal details which criminals can use to fraudulently obtain credit and ruin said score and possibly also one's finances is a major concern. Hence, "credit monitoring" exists in order to catch this kind of criminal activity in the act, and I don't know, become completely exasperated with the amount of ass pain that dealing with this then causes.


Credit monitoring has nothing to do with Credit Cards.

Most banks in America indeed do offer (for free) the option to be notified for each transaction if you want.


DNA is actually almost impossible to keep secret if someone really wants it - you basically shed your entire DNA every time you touch anything


Wow! Didn't hear about this. What test did you get done? I'm hoping it wasn't whole genome or exome?


It wasn't an actual DNA test, but the military takes blood samples of every recruit. I'm referring to this hack:

https://en.wikipedia.org/wiki/Office_of_Personnel_Management...

edit: the relevant text is below

> The data breach compromised highly sensitive 127-page Standard Form 86 (SF 86) (Questionnaire for National Security Positions).[8][18] SF-86 forms contain information about family members, college roommates, foreign contacts, and psychological information. Initially, OPM stated that family members' names were not compromised,[18] but the OPM subsequently confirmed that investigators had "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel, and those for whom a federal background investigation was conducted, may have been exfiltrated."


I use unique email addresses per domain name, and I believe HaveIBeenPwned shows me at 39 unique email addresses breached! (So many that seeing which ones have been breached would now cost me $22 / month... HaveIBeenPwned is starting to feel like an extortion racket of its own..)


If you're using the same domain for each of your email address, HIBP has a domain-wide search feature which is free (but you need to register to validate your domain)


I've registered (years and years ago) and I get emails saying how many, but to see which emails they want lots of money.

(If I'm wrong their interface is very confusing and I cannot find the free access.)

Specifically it says this:

> Insufficient subscription. Only subscription-free breaches will be returned for this domain.

So I'm able to see 37 email addresses on my domain have been breached, but I can't see which without paying $22 / month - https://haveibeenpwned.com/Subscription

> Domain search restricted: You don't have an active subscription so you're limited to searching domains with up to 10 breached addresses (excluding addresses in spam lists). Only results for subscription-free breaches are shown below, upgrade your subscription to run a complete domain search. If you believe you're seeing this message in error, make sure you're signing in to the dashboard with the correct email address (check your latest receipt if you're unsure).


Quoting Troy from a thread beneath the article:

> The easiest approach in that case is to take out the subscription, then immediately cancel it. It'll still last the full month, more here: https://support.haveibeenpwned.com/hc/en-au/articles/7707041...


I feel you. The aggregate email breach list just feels like a rainbow table at this point.


Same, and I find it really difficult to care about it anymore.

It was leaked through no fault of my own. There are 0 actual consequences to companies doing it. So what am I going to do - stew about it??


Even if you weren't breached, the sophistication is getting higher too. New hires get emails starting literally day one because email formats follow a pattern and they posted their new job on linkedin (or something).


Exactly this.

Does anyone still care?

I like how the Apple Password app informs you about Compromised Passwords so you can you know... go in and fix it, get a new password etc.

Nice little cute idea.

I got 717 warnings. Seven hundred seventeen.

No I will never be able to fix this


To confirm, data/info leaks happened on the server/application side. How does a solution like Bitwarden on the client side help with this situation?

As per my understanding the only possible threat it saves against is someone trying to brute force your password against the application. And maybe ease the cognitive burden of remembering different passwords.


I generally don't give my real address or real phone number to anyone who doesn't legally need it. I use a virtual address as the billing address on my credit cards and for registering for things that don't need to know where I sleep.

The government can have at my real info, but private companies have bad data security.


I bet now some corporations actually want to be exposed, have data breach. If you have not been in the news, it means you have not made it yet (not popular enough to be a target worth writing about).


Those CISOs / CTOs / CIOs attached to those companies do not want to be in the news.


Right to be removed/purged and maximum retention policy. One place I'm aware of purges accounts that have been inactive 18 months. Historical billing info is offline and "gapped".


So by this point, if anyone does anything naughty online they could just pin it on a hacker using their identity, no?


Right. Having some data leaked isn't really a boolean, leaked/unleaked. It's a list of leaks, and the implicit map between your datapoints, whether by intra- or inter-provider mapping.

For example a forum might leak a map between your mail and a password; implicitly your affinity for that forum's topic is also now on the public record, additionally if your posts were public but under a pseudonym, that might be now known by a sufficiently motivated attacker.

Finally this may be linked with other public datasources like your public tweets or public state records, or even other leaks.

This is why the meme about all SSNs being leaked or about a list of all valid phone numbers is so asinine.


It's probably more important to keep passwords safe, but lots of people treat their email address like some kind of "sensitive secret". "Oh but I don't want to get spam" - my dude you are going to get spam.

There's a guy who lives near me who, when he parks his car, very carefully puts tape over the number plate "because otherwise people might see my registration number". Because apparently if people can see your car's registration number they can somehow just steal your car and the police won't do anything because the number plate was visible. Mad, absolutely barking mad.


Freeze your credit at the three major companies.


I definitely support NaN not being equal to NaN in boolean logic.

If you have x = "not a number", you don't want 1 + x == 2 + x to be true. There would be a lot of potential for false equivalencies if you said NaN == NaN is true.

--

It could be interesting if there was some kind of complex NaN number / NaN math. Like if x is NaN but 1x / 2x resulted in 0.5 maybe you could do some funny mixed type math. To be clear I don't think it would be good, but interesting to play with maybe.


Doesn't "1 + x == 2 + x" evaluate to true for any x with large enough magnitude? In general we should expect identities that hold true in "real" math to not hold in FP


That’s not real math though, that’s a quirk of floating point math.


But NaN is also a quirk of IEEE 754 floating point math.
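The two claims in this subthread (NaN is never equal to itself, and `1 + x == 2 + x` does hold once `x` is large enough) can be checked directly in IEEE 754 doubles. This is an added example, not code from any commenter; the range-check functions at the end are hypothetical helpers showing why the "false equivalence" concern matters for input validation.

```python
import math


def nan_is_not_equal_to_itself():
    # IEEE 754: NaN compares unequal to everything, including itself.
    x = float("nan")
    return x == x  # False


def shifted_sums_compare_equal(x):
    # The comparison discussed in the thread: does 1 + x == 2 + x ?
    # False for NaN (NaN != NaN), but True once x is so large that
    # both sums round to the same double (and True for infinity).
    return (1 + x) == (2 + x)


def first_power_of_two_where_sums_collide():
    # Smallest k such that 1 + 2**k and 2 + 2**k round to the same double.
    # Doubles carry 53 significant bits; at 2**54 the spacing between
    # adjacent doubles is 4, so +1 and +2 both round back to 2**54.
    for k in range(0, 128):
        if shifted_sums_compare_equal(2.0 ** k):
            return k
    return None


# Hypothetical validation helpers (constructed for this example) showing
# the practical consequence of NaN comparing unequal to everything.
def in_range_naive(x, lo=0.0, hi=100.0):
    # Rejects only values that compare outside the range. Every ordered
    # comparison with NaN is False, so NaN slips through as "in range".
    return not (x < lo or x > hi)


def in_range_positive(x, lo=0.0, hi=100.0):
    # Require the value to positively satisfy the bounds. NaN fails both
    # comparisons, so it is rejected; math.isnan makes the intent explicit.
    return not math.isnan(x) and lo <= x <= hi


if __name__ == "__main__":
    print("nan == nan:", nan_is_not_equal_to_itself())
    print("1+x == 2+x for x=2**60:", shifted_sums_compare_equal(2.0 ** 60))
    print("first collapsing power of two:", first_power_of_two_where_sums_collide())
    print("naive range check accepts NaN:", in_range_naive(float("nan")))
```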

