Forem: Evan

How to make your product look good

Evan — Tue, 29 Jun 2021 20:12:17 +0000

If you're wearing the design hat before for the first time, here's some tips that might be helpful on your way.

More of a video person? This post is available as a video podcast at evan.streambus.com.

Avoid the temptation to decorate an early product

You're used to using things that are feature complete, so you look at your early product and feel that it's "dull" or "sparse".

This isn't an aesthetics problem, it's a your-product-is-early problem. Be comfortable with this stage; don't try and add extra fonts, colors, borders, and other decorations.

Instead, build features, and your product will evolve naturally.

Keep a spacing palette

You likely already have a color palette, but keeping a spacing palette can help you avoid unintentional contrast, especially when you have multiple people working on one project.

For example:

.p-big {
  padding: 24px;
}

.p-medium {
  padding: 12px;
}

.p-small {
  padding: 4px;
}

Avoid ambiguous hierarchy

Make sure it's clear what you want a user to do. If you add a big background to one button, but make another one big and blue, it's not clear which one is "more" important.

To avoid this, plan out what an "primary" button looks like, what a "secondary" button looks like, and so on.

Don't make your icons huge

Most icon sets are meant to have roughly the same size as the text. They're meant to be similar to a character.

If you need something big, consider using a stock photo or illustration. Or, consider removing the icon and just letting the text speak for itself.

Grayscale isn't always grayscale

Many professionally designed websites don't use pure gray-scales (like #000000 black). Instead, their grays are darker, desaturated versions of their other brand colors.

Consider using palx.jxnblk.com to generate a grayscale color palette for your brand color.

Avoid stiff vector art

Some vector art is better than others, and can distract from your design. Consider using blush.design to get some professional assets instead.

Consider using unsplash images instead of art assets. Or, if it works for your project, consider letting your design exist without art assets entirely! Not everything needs illustrations.

Quirk - Open Source Cognitive Behavioral Therapy

Evan — Tue, 06 Aug 2019 22:59:07 +0000

I work on Quirk, an open source Cognitive Behavioral Therapy app for iOS and Android. Quirk started as a small command line tool that I used to help my own panic attacks and eventually grew into a company.

Originally my goal was just to stop having panic attacks (I'd been having them multiple times a week for most of my life). I don't really have attacks anymore, at least not like I used to. CBT and Quirk specifically helped me overcome them.

When Quirk started helping other folks overcome their difficulties, the goals got bigger. Today, Quirk's mission is to create accessible, on-demand CBT. We want to make the difficulty of getting help so little that most people can benefit from CBT.

Imagine if every time you wanted to eat healthier, you saw a nutritionist. Likely people would only see a nutritionist when things got really bad; no one would create healthier habits earlier on. This is basically the way mental health treatment works today. The evidence-based, real solutions are only applied to the most severe cases, because only the most severe cases will jump through the hoops to see a therapist. Plus, depression (and some forms of anxiety) can make you less likely to take steps to help yourself; it drains your energy and convinces you that nothing could really work. Worse, some folks who want access to mental health resources can't afford it or otherwise can't access it due to structural inequities. Even if folks were willing and able to afford it, there's simply not enough mental health professionals to see the overwhelming numbers of people with a mental health disorder (1 in 4).

Many companies try to solve this problem by "scaling" therapists. Maybe they build software to let therapists see more people or maybe they do some form of telemedicine. We wish them the best of luck; we're going to scale people. Or rather, we're going to help people take more control over their mental health earlier on, before they develop a severe condition.

To do this, we're taking advantage of CBT's exercise and goal based nature. If you've never seen a therapist before; it's easiest to understand by analogy to a physical therapist. With a physical therapist, your clinician assigns you exercises that make up a large part of your recovery. CBT is quite similar; it’s heavily reliant on what you do outside the therapists office.

Quirk is basically building those exercises, but for folks who might never see a therapist. It’s a 50% solution. You can use it with your existing clinician, but if you’re not seeing anyone, it’s much better than doing nothing. If you think “oh I don’t really have anything seriously wrong, I don’t think I really need to see a therapist,” Quirk makes a cheap and easy “baby step” you can take.

Most people can be benefited from CBT; a lot of folks I meet are quite surprised to see how much it can help them even though they don’t have any diagnosed disorder.

You might find Quirk useful if you're managing imposter syndrome, interview anxiety, or frustration with your boss or team. CBT can help you make better decisions, be more empathetic, and generally feel happier.

There’s a future where CBT is as common as jogging. If it was, my panic attacks would have never gotten as bad as they did. If it was, we could dramatically reduce stigma around mental health. And if it was, the average person could be a lot happier.

If you want to support Quirk, go check it out on Product Hunt. We're launching our new version today, an entirely redesigned app with a focus on privacy and personal evidence building.

What Developers Are: Why an Unprofitable Company Can Have 70% Margins

Evan — Thu, 01 Aug 2019 03:50:30 +0000

If you're at a company that's quite open about how the business gets run (a lot of well-run companies are), you might notice something particularly strange: you're often not included in the margins of the business.

This is really weird when you think about it. Surely you, the software engineer, should be a massive part of the margins of the business right? Engineers get paid a lot. Somehow tons of tech companies are operating unprofitably yet claim 60-90% margins.

How? How can you even have margins if you are spending more money than you make?

The answer to this question is something all new developers should know. It can guide your career, your salary negotiations, and give you perspective on what you actually do.

Unfortunately, it's not obvious to most new software engineers what they actually do.

Most folks entering the industry assume they're a highly paid, highly specialized factory worker. Tickets come in, code goes out, everyone gets a paycheck at the end of the day. Often the language we use in software exaggerates this comparison. We say we "build" things or that we are some sort of "craftsperson."

But this is very far from the truth. It's also the reason why devs on average make a lot of cash and why it's fairly unlikely that will change anytime soon.

To understand what's going on, let's take a look at how other industries work. When you buy a pair of shoes, you're paying a premium on top of what it cost to make that particular shoe. Making that shoe cost the materials, the shipping, and the assembly. Somewhere the company purchased the leather, and a factory worker likely helped stitch everything together. Then the shoe was shipped to the store and maybe the store puts a bit of a premium on top of that.

That has to happen for every shoe. What's more is that your shoe is more or less consumable. The company is banking on this; they assume you'll buy more pairs of shoes from them in the future. But when that happens, we go this process again of making the shoe, assembling it and shipping it.

So for every shoe, there's an assembly cost.

But you, the consumer, don't have just one option in shoes, you have lots of options. There's tons of companies that make shoes. If you're not super concerned about brand name, you have a lot of people you can buy your shoes from.

This means that in order to compete, the company has to sell their shoes for a lower cost. Since the materials, assembly and shipping can only be optimized so much, the business has to cut into their profits. This creates a "race to the bottom" effect where shoes get lower and lower in cost at the same time that the company aggressively tries to improve their margins by reducing the cost of the materials, assembly, and shipping.

But here's the kicker: in software, we have effectively none of these costs. In software, the actual cost of creating each individual product is almost nothing.

In most cases, there's really only an upfront cost to basically everything you make. You have to pay yourself or another engineer to build your Snapstagram, but once it is working, you can sell millions of copies with almost no added cost.

That means that the engineer is not generally an assembly cost to each unit sold. There's maintenance, sure, but the cost of maintenance is generally never nearly as high as materials, assembly and shipping like we'd see in other businesses. Even SREs build an automated solution and then they move on to the next problem.

That's basically the job of an engineer. As an engineer, you're always building the next thing. There's not tens of thousands of people at Google building Google. There's tens of thousands of people building the next Google.

Therefore the job of an engineer isn't that of a factory worker. It's growth. You don't make the company $X amount of dollars every month, you make them $X more dollars per month. You're acceleration, not fixed velocity.

It's not uncommon for tech folks to join small companies, leave when they become big, and then join another small company only to repeat the process. Regardless of whether or not you realize it, this is generally the job of an employee of a tech company.

But if you understand this unspoken job requirement it goes a long way towards understanding the incentive systems of your boss, your boss's boss and so on. It puts you much more in control of your own destiny.

This is the aspect of the tech industry that creates the "nice parts" about being a developer. When you can increase the growth of the company but aren't considered an assembly cost, your salary isn't as limited by margin-improving cost cutting. When a tech company wants to improve it's margins, it pays engineers to write more efficient code. You the developer frequently do not get included in the marginal costs of the business.

It's also the reason that it's feasible to jump jobs so often; if you can come to a company, build something that adds value and then leave, that's still a good deal for the company. Even after you leave, your code still lives on. You produce value even when you're not there.

Because your job is growth, you naturally create more software jobs in the process. If you work at a tech company, you grow their business, which causes them to have more money to invest in larger and larger projects.

It also means that your salary can be related to your impact or ability to convince others that you had impact. The effect of what you built and how you contributed can bring you more success than talent. This is something you should be aware of since you won't always have control over whether what you build is actually successful. This is often not explicitly stated anywhere and can feel unfair to folks that assume technical talent purely translates into success.

Caveats and Disclaimers

This type of thinking is heavily dependent on companies that make software products, not dev shops, contracting agencies, or support centers. When you're being paid per hour, you are an assembly cost.

It also doesn't apply to all business types. Some companies have significantly more "maintenance" costs than others; though in general these costs are quite small relative to other industries.

This isn't necessarily a "good" thing; it's just the way the economics work out. Most of the time this is pretty invisible so it can perpetuate an "in-group" and an "out-group" within some orgs. When it is known, the "value" is not always easily attributed to specific engineers. That can exacerbate social inequalities since it creates a false meritocracy that's more a representation of implicit biases rather than actual value created.

How to pick a Computer Science program

Evan — Wed, 03 Apr 2019 03:41:26 +0000

So you're 18 and making the largest purchasing decision of your life

University is a weird concept. On one hand, you should pick a place that's going to make you a better, more well rounded person.

On the other hand, you're paying for the cost of a home.

All existential benefits you get become fairly superfluous relative to going 200k in debt.

The following is a ruthlessly practical guide to picking a good CS program. It acts as a checklist for students who know they want to go into computer science and have no one to guide them through the process.

Most students have a conceptual idea of "Stanford and then everything else." Most students will not go to Stanford or any other big name school; which leaves a large portion of high school kids trying to "guess" at a program's effectiveness by meaningless metrics like US News college rankings.

Screw that.

This guide is a ruthlessly practical guide of actionable and researchable steps you can take to find a good program. Use it as a checklist when applying to schools or wind up buying a house you don't want to live in. A school doesn't need all of them, but having none is a sign of a school to avoid.

TL;DR: Checklist

Does the university protect you against exploding offers?
Does the school have regular career fairs with tech companies attending?
Does the university have course offerings for interviews?
Does the school have "dorm room" investment opportunities? (Contrary Capital, DormroomFund, roughdraft.vc, school sponsored).
Does the school have access to hackathons?
Does the school have access to a tech hub?

Does the university protect you against exploding offers?

An exploding offer is where an employer comes to you with a job offer, but you have to decide extremely quickly. Like, make up your mind by the end of the day.

Universities that have legitimate career opportunities for Computer Science and Computer Engineering grads have policies against exploding offers. If a company gives a student an exploding offer, they can report it to the uni and the company is banned from recruiting.

If a university doesn't have a policy, it's a good sign they're struggling to bring job offers to the school. If you see this, bail.

A university protecting you against exploding offers isn't hugely important; but it's a good litmus test for a school that has pull with companies and one that does not.

How to find out

Try the following search queries in Google:

{COLLEGE I WANT} exploding offer
{COLLEGE I WANT} offer guidelines
{COLLEGE I WANT} employer guidelines
{COLLEGE I WANT} internship guidelines

If they have nothing available, copy/paste this email and send it to their career center:

Hi!

I'm a prospective student doing research on your university. 
I was wondering if you have any policies against exploding 
offers or other unreasonable pressure for computer science 
students.

Thanks!

Tiers

Really Good

The offer guidelines give multiple months for internship decisions made in the fall.

Good

The offer guidelines give at least 3 weeks for internships and full time offers.

Okay

The offer guidelines only protect internships.

Example: University of Illinois

The engineering department of University of Illinois has a program that looks like this:

Source

Does the school have regular career fairs attended by tech companies you've heard of?

This is your primary access to employment opportunities. If the university does not have companies coming to their career fair, something is very wrong.

Many companies only hire university grads through these fairs, so by going to a school without a real career fair, you're paying 200k to have less access to jobs.

Questions to ask

Does a company have to pay? Many universities charge companies to attend their career fair. This is a sign that the university has so many companies who want to attend that they have to limit it. If the career fair is free, the university is lacking applicants.

Does the university have a CS only career fair? Some schools are so popular that they move CS into its own fair. This is primarily at bigger schools, but hits midsize as well.

Are companies that attend traveling? If a company had to travel to the fair, they really want to hire people here. It also means that the company is offering internships that pay for housing elsewhere, which typically is a sign of higher paid and higher quality internships. Companies that can afford housing typically can afford higher pay.

Example: San Jose State University

Source

Does the school have course offerings for interviews?

When you go to interview for jobs, you'll be asked to solve coding challenges, often in a timed, under-pressure situation. This practice may change in the future, but it's extremely common.

Any university worth its salt has created a class that preps students for this.

If a school does not have this course, it means their CS department is extremely disconnected from the industry or they do not adapt well. This is a red flag; if you do not see this, bail.

How to find out

Try the following search queries in Google:

{COLLEGE I WANT} interviewing cs course
{COLLEGE I WANT} technical interviews cs

If they have nothing available, copy/paste this email and send it to a CS Professor at the school or their office of admissions:

Hi!

I'm a prospective student doing research on your university. 
Do you have a course dedicated to passing technical interviews as a computer science major?

Thanks!

Example: Boise State University

CS-HU 390 TECHNICAL INTERVIEWS, JOBS, AND CAREERS (1-0-1)(F). Prepare students for computer science technical interviews. Demonstrate how knowledge gained in classes can be used to solve new problems. Encourage teamwork and peer feedback. Learn how to negotiate jobs and manage career growth. A Hatchery Unit (HU) course is a short course to develop specific professional skills for computer science. (Pass/Fail) PREREQ: CS-HU 130, CS 253, CS 321.

source

Do students have access to investment and capital?

Much of tech is funded by venture capitalists: investment firms who specialize in small startup companies. There's a number of investment firms that do small investments solely in companies started by college kids.

Some examples are:

Many universities have their own version of this. Some will offer N thousand dollars to students as part of a grant.

Even if you don't want to start a startup, having these opportunities are extremely valuable. Maybe you didn't start something, but Sally did and now she's hooking you up with a sweet job.

Companies that start out of a university often go back and hire from that university. That creates a network of opportunity for you, even if you're not making the next Facebook.

Plus, having outside funding means that some market somewhere has effectively "bought in" to this school and its programs. Those investors likely did better research than you or I did, so it's reasonable to take their hint here.

How to find out

You can go to the big three college funds websites, though many of them are only available at brand name schools.

Another way is to email their admissions department the following:

Hi!

I'm a prospective student doing research on your university. 
Have any tech companies been founded by your students while they were 
students here? If so, how did they get initial funding? Are there 
grants or other services that the university provides to CS students?

Thanks!

Be skeptical of places that have money only for business majors.

Example: University of Maryland

UMD has access to Contrary Capital and Oculus Rift was born here. Lesser known companies like FiscalNote came out of this program as well, along with bioscience companies, like Digene and Martek Biosciences.

Does the university have access to a tech scene?

Preferably, it's one of the big 3 tech scenes:

San Francisco and the Bay Area (the largest by far)
New York
Seattle

But it doesn't have to be. You want a place that has local companies interested in hiring local people. This is where you could get a part time co-op job or a summer internship without having to leave campus.

A lot of cities have tech scenes, but the size doesn't guarantee anything. Take Boise and Spokane.

Boise's current population is 226k and Spokane's is 217k. They're both about the same size, they both have a few universities that rest there, but only one has a tech scene.

One of Boise's primary distinguishers is the presence of "key stone" companies like HP and Micron. These companies put major offices in the town, which attracted a number of tech workers. After some time, these tech workers left and started their own companies. Some of these formed into midsized places and small startups.

How to find out

When looking at a school, search for tech companies in the area. If you're only seeing smaller or mid-sized places, be skeptical. You want a large company to have invested resources into building an office there. Those big companies are making a larger investment than you are and frequently do a lot more research on the market there.

Does the school have access to Hackathons?

A Hackathon is where many programmers go to a college campus, program for 24 hours straight and then maybe win cash money. They may be for you, or maybe they're not, but there's no denying that access to them can be effective.

Many students get jobs from hackathons. Winning one is a resume item when often you don't have a whole lot to put down. They're opportunities to meet other smart programmers and to explore new tech.

Even if you never go to a hackathon, you'll still benefit. The people who do go will network for you and be your 2nd or 3rd connection to job opportunities.

Questions to ask

Does the university host a hackathon?
If not, is it in the local area?
If not, does it sponsor students to go?
If not, are students finding other ways to go?

Summary

Overall, you're looking for a school that:

Has a solid understanding of the tech industry
Has support for students entering the tech industry
Succeeds at getting students into the tech industry

These should be your base line goals. The feel of the university, the professors, and the campus are good tie breakers.

But they're frosting.

If you're going to pay the cost of a house, make sure you end up with a job at the end.

Change your perspective

Evan — Sat, 29 Dec 2018 18:58:48 +0000

Let’s imagine a language that asks you to bring your own runtime.

To understand what I mean, let’s review a little bit about how programming languages work.

Start with a Calculator 🧮

When you type things into your ti-89 or whatever overpriced 1980s technology schools have students using these days, you’re typing a language. That language has a lexer and a parser and a runtime and everything.

Take the following:

1 + 1

When the calculator encounters 1 + 1, it goes through and converts the string of characters it receives into tokens, something like this:

INT(1) PLUS INT(1)

Then it runs those tokens through a recursive descent parser that looks something like this:

int() {
  return items.pop()
}

expr() {
    left = int()
    op = items.pop()
    right = int()

    return int() + int()
}

Finally, it will call expr() and return that to the user.

Programming languages end with an expression

At the end of the day, a programming language will evaluate its literals and then call some operating system functions via its runtime.

So a more “program-y” language, might do something like this:

print(1 + 1)

Which would transfer into this:

PRINT LEFT_PAREN INT(1) PLUS INT(1) RIGHT_PAREN

Which would turn into something like this:

root() {
  system.print(expr())
}

Back to our fantasy language

In existing programming languages, the runtime is hidden far below the compiler. In fact, the whole point of the language was to abstract the runtime away from you.

You don’t need to know what system command executes printing a function or opening a file because you can just run print() or open().

What would happen if we made runtimes a first class citizen?

Instead, let’s imagine a language where you were encouraged, supported, and supposed to write an alternative runtime.

For example, if the programming language says print, you could define exactly what print means.

Instead, your print could call arbitrary text-to-speech code. If it was in the web, it could return a component. Or it could just call some arbitrary function.

Change your perspective

Often, we think about software as an ever-changing system that runs on an extremely unchangeable base: the languages runtime. The whole point of most languages is to give you a tool that runs the same on every person's computer.

The runtime abstracts away multiple operating systems and hardware so you can always be sure that the logic stays constant.

But by doing so, we often accidentally coupled the logic of the code to the domain it runs on. Countless hours have been wasted rewriting the same “web server that talks to a database” solution.

Instead, what if instead of working with a constant runtime, we worked with constant code.

What if you just pulled the “web server code” from a package manager and rewrote what lower level pieces did? Rather than rewrite the the whole thing yourself?

Your CRUD app could be rewritten to work on iOS, Android, and web by just rewriting the outputs of the language.

Woah, woah, woah isn’t this super insecure?

Probably. Though it could also be a security boon. Imagine being able to give the power of the runtime to an individual user.

Anyone who ran the program could no-op unsafe calls. No more chmod or network calls for untrusted programs.

What’s the point of this?

Building something like this would be dumb. Most of the problems that could be solved with a language like this have been solved in other ways.

Operating systems have better access controls, modularity lets us have our own pseudo-runtime, and this may be too odd to be useful.

But exploring alternative ways to solve existing problems can work interesting muscles in your brain. It’s also a little fun.

Releasing Quirk & Developing for Health

Evan — Fri, 28 Dec 2018 20:34:04 +0000

Several months ago, I was using a mental health app that asked me for a $200 in app purchase.

No one pays $200 dollars for a dark mode.

At least no one of reasonable mind does so willingly.

Now, I get everyone's got to support themselves somehow. It costs a lot of money just to put the app on the store, let alone spending the time and skill to develop an app.

And surely no one was ever forced to pay $200 at any given point. But health apps deal with extremely vulnerable people; and... you just can't do that.

Mental Health Apps need Rules

Many poorly created, lackluster mental health apps have been spit out in the last couple years. It's unfortunate that there's no reasonable standards about these apps.

So let's make some:

Don't be bloated
Don't be evil

Since Cognitive Behavioral Therapy (CBT) is one of the most widespread and common forms of treatment, we'll focus on those for the moment.

Those seem like simple goals, yet many existing mental health apps seem to fail on both.

Don't be bloated

Don't include features for one particular condition at the expense of other conditions. For example, don't couple mood tracking to thought tracking. If a user has to enter a mood in order to track a thought, then the entire app is ruined for people who use it for panic, OCD or another condition where mood isn't the primary focus.

Don't include non-CBT related treatments without good reason. No relaxation audio tracks or meditation guides. It's a CBT app, keep it focused on CBT.

Don't include things that could be better accomplished by another app. No one needs an in-app diary when a diary works just fine. No one needs an in-app heart rate tracker when a heart rate tracker works just fine.

Be quick and efficient. Thoughts shouldn't take 5 minutes to enter and you should be able to skip fields if it's reasonable. Don't let the perfect be the enemy of the good.

Don't be Evil

Thoughts are more valuable than passwords, treat them that way. Most people would rather give over their passwords than their CBT thoughts. They're incredibly private, occasionally involve other people, and frequently are embarrassing.

Don't have $200 dollar in app purchases. I'm looking at you CBT Thought Diary. I get it, developers need to make money. It costs a lot to just keep the app on the app store. But you're preying on vulnerable people. Very few people of rational mind will purposely spend $200s for a dark mode. Gimme a break.

Don't have dumb notifications. Scheduling is fine, abusing push notifications so your app has better traffic is scummy and gross.

Be open. Not every app has to be open source; it's a hard choice to make. But be clear and obvious within the app about what's going on with the user's data. Don't be sending it to some server without making that clear within the app, not within some dumb privacy policy no one will ever read.

Don't push people to be unhappy. I cannot believe I have to state this, but do not purposefully or accidentally force people to be unhappy to use their app. Don't force people to state their unhappy in order to access a feature.

Be extremely cautious about making engagement your core metric. User engagement is fine to be concerned about. We all want people who need help to be actually engaging in the help. But holy moly be careful about this. You do not want to drive something that is for many people a treatment into a self-perpetuating engagement loop. A ruthless focus on engagement has caused many a product to become skinner boxes. No one should ever be addicted to your mental health app.

An App to Follow those Rules

On my weekends, I've been working on an iOS iteration of a Cognitive Behavioral Therapy health app.

Today that app, Quirk, is on the app store and you can get it here.

How to get and support Quirk

Request for Comments: Quirk, an Open Source Cognitive Behavioral Therapy App

Evan — Mon, 10 Dec 2018 03:08:12 +0000

Disclaimer: I am not a doctor nor medical researcher. I'm not giving advice nor diagnosing anything and my only experience is myself.

About two months ago, I built a little tool to measure my panic attacks. Before you get concerned this is a coming-out-to-dev type story; this isn’t a secret. I tell most people in my dev circles about panic because panic is the reason I started programming.

I'm not here to shame you against stigma, tell you it's illegal to say "crazy" or make a case for better working hours. I'm here to show you something I'm working on.

Welcome to my private life

Here’s a graph of the attacks I’ve had over a roughly 2 month period.

This graph comes from that tool I built, affectionately called freak. It's a simple command line tool that records a timestamp and an intensity:

$ freak 8

Episodic disorders like panic are easy to forget about. When it's bad, it's easy to forget that it could ever be good, and when it's good, you forget how bad it ever got.

It's easy to "forget" which treatments are effective and which are hogwash.

freak is simple way for me to record hard data about when they occur and when they stop. That way no armchair psychologist can claim that my attacks are just "caused by the moon's orbits" or whatnot.

I can point to any treatment and definitively say "yeah that seems to work for me."

Wait, slow down, what actually is a panic attack?

Lots of people describe this differently, so I'm not able to give you a one-size-fits-all description. I can tell you what my attacks are.

For me, panic is not stress, it's fear.

A panic attack is an intense physiological experience of fear in response to something that isn't dangerous. It's that shot of adrenaline you get in your belly when you're almost in a car wreck. It's knowing there's a murderer in your basement after having watched a scary movie. It's the "flight" in fight or flight; it's running from the tiger but without the tiger.

Panic is your body putting the foot to the floor, pedal to the metal, balls to the wall in your driver's ed parking lot.

It lasts about an hour or two and can sometimes happen in "clusters." It's not generalized anxiety because generally, you're happy and healthy.

Cognitive Behavioral Therapy and Your Brain

I've had these attacks for as long as I can remember and for as long as I can remember people have suggested dumb, back-of-the-internet, armchair treatments to me. After trying a lot of them, it's really easy to become skeptical.

After a particularly bad episode when I was in high school, I started seeing a doctor who recommended CBT.

I passed on the offer.

At the time, I had no idea what therapy might mean. When everyone around you suggests treatments, you tend to associate them in to hard treatments and soft treatments.

Since many lay people have an unfortunate moral objection to medication, they tend to provide soft treatments. And since they generally don't know what they're talking about, their "treatments" don't work.

You become biased against soft treatments, even when a doctor suggests them.

For several years, I ignored the concept of any form of therapy. It wasn't until this past year that I explored Cognitive Behavioral Therapy (CBT), the gold-standard of "soft" treatment options.

It has been by far, the most effective

Not only has it reduced the overall amount of attacks, but reapplication during clusters dramatically reduces their intensity and duration.

In my most recent cluster, captured by freak, it halted the attacks.

And I'm not the only one to suggest that CBT is effective, plenty of studies have shown it to be at least as good as treatment with SSRIs. It's been around since the 80s and is often the first treatment attempted when you see a psychologist.

So wait, what is CBT?

There are a lot of formats of CBT since it's popularization in the 1980s. CBT encompasses many different exercises; my explanation will focus on the "simplified" versions of the treatment.

Automatic thoughts

CBT asks you to recognize that your thoughts cause feelings, not the other way around. While it's certainly true that your existing moods can make some thoughts easier, generally destructive and unhealthy moods are caused by illogical and "distorted" thoughts. It also suggests that many of these thoughts are "automatic" and self-fulfilling prophecies.

For example, often my attacks will start because I think they're going to start. Something small and brief will frighten me, I'll pick up on it, and I'll automatically think:

I felt a bit of panic, therefore I'm about to have a panic attack.

The image of past attacks flashes in my head and I start to think about how bad it would be if I actually did have an attack. Maybe I'm at work and about to give a super important demo. What if I got hit on a performance review? What if I had to run out in the middle of the demo?

Cognitive Distortions

CBT would ask me to notice the cognitive distortions (effectively the psychological words for logical fallacies) in the original thought.

In this example, I'm catastrophizing. Would really anyone care if I screwed up a demo? Most people know that I have these attacks. I would just explain what was going on. Plus any of my teammates could have taken that demo; they're all fantastically smart.

Would it really be a big deal if I had to run out in the middle of the demo? Surely that's happened before. Plenty of folks have gotten sick before a big event.

Challenge the thought

CBT would then ask me to record these logical arguments. Writing them down helps solidify the concepts so they come more naturally before your brain has jumped from one terrifying thought to the next.

Find an alternative

Finally, CBT would ask you to find a logical way to interpret the situation. For example:

I felt a bit of panic, but that doesn't mean it'll lead to more panic nor an attack.

That's it.

You record your thought, you challenge it, and you find an alternative thought. And you do it for every illogical, unreasonable, and terrifying thought you might have.

In the 80s when treatment was formalized, they suggested patients do this in three columns:

But anyone who's ever done this in the modern world has likely noticed that it's much easier with a device. Software gives you two major advantages:

discrete recording
cumulative metrics

Having it on your phone means you'll always have a way to record.

Current apps are fugly, costly, and clunky

There's a few apps that currently exist, namely "Thought Diary" and "MoodNotes." ThoughtDiary is free but it's quite fugly.

MoodNotes is 5 dollars but much better looking.

Both suffer from an intense focus on mood. They assume that the user is using CBT for depression and therefore strongly couple "mood" therapy to cognitive change.

In both apps you can't record if you're happy

The very first thing you have to do when you record something is tell the app how you're doing. If you're happy, it will not let you record and challenge a thought.

Which means if you're having a fine day, but notice yourself thinking something illogical that could bring you down, you have to either wait for that thought to spiral out of control or lie to the app and tell it that you're unhappy.

That's a pretty bad flaw in an app that's trying to help you disassociate your illogical thoughts from catastrophic moods.

Each app takes forever to enter anything

Because they're so focused on mood therapy, they add plenty of diverging steps which mean more taps and more fields to fill out.

If it takes you 30 seconds to fill something out, you can easily sneak that in, even if you're in a meeting. If it takes you 2 minutes, it's much harder.

We could do a lot better

More importantly, we could do a lot less. Many of these apps suffer from feature creep. They're trying to make a very specific solution with all the bells and whistles but marketing it to everyone.

Instead, we could trim down the features and make something more focused.

ShowDev: Quirk, an open source CBT app.

For the past few weeks, I've been prototyping a CBT app. It's still in really early stages, but here's the general gist of what it could/will be:

Licensed under aGPL with a repo on Github
Stores data on device for privacy
Non commercial

Note that non commercial and open source does not mean "free," just that the purpose of this endeavor is not to make money. There's no business being created; this is just a project I'm doing on my weekends. That said, it's not cheap to put or keep an app on the various stores.

All the mockups below are done really quickly and are in a very malleable state. They're not final and may not even be remotely close to the finished state.

From a code perspective, this app is really small and I already have a solid but ugly prototype of it working. So this write-up is much more about how we can make a great product.

Cross Platform, but iOS as a focus

The code's written in React Native, so I plan to publish it on both the Google Play store and the Apple App Store.

That said, I currently don't own an Android device and haven't worked on Android for awhile. Your Mileage May Vary.

Two Screens

To limit the scope as much as possible, there's only really two main screens. One for recording and one for later viewing. The transitions between these screens will be swipes, so you can think of the recording screen as "on the left" and the listing screen as "on the right."

To help highlight that, we'll put the transition buttons on opposite sides and even change the place of the period in quirk. to really sell the effect.

Onboarding

When the user hops on, we'll give them a crash course on CBT. This has to be really minimal otherwise they won't remember it, so we'll add some illustrations to make it more memorable.

If this is something you're interested in

Then let me know. I'm building this first and foremost for myself. But I'm planning on releasing it because I doubt I'm the only one who needs it.

So if you're interested in either helping build this or using it let me know! And if you could, fill out this 4 question survey.

Project status

There's about three iterations of this project so far, all of them prototypes. It's currently not released nor on Github. It will be in the future once I can properly clean it up and have reasonable entry points.

Critique Welcome

I'd love critique on this app. I can't guarantee that I can do everything; the scope of this app is very small for a reason. But there's certainly ways to improve this product.

Bang! Old Email, Usenet and the End of the Cold War

Evan — Sun, 02 Dec 2018 22:08:22 +0000

In 1981, sending an email could take days.

Or so says an unverified wikipedia source. When you wanted to send an email, you needed to know every hop skip and jump that you were sending through.

If I wanted to send my mail from Stanford to MIT, I might need to specify that it's got to go through 🚀 NASA AMES, Moffett Field, UC Berkeley, ~~Area 51~~, and University of Illinois.

I'd do that with a special address called a 💥bangpath💥 that would list the steps we're zipping through:

!ames!moffett!berkeley!illinois!theactualpersonimtryingtogettowtf

When the mail hit a node, the forwarder would strip off one bang-segment and send it to the next address.

That sucks, let's build the foundation of social networking on it

The bangpath was a system inside of UUCP (Unix-to-Unix Copy). In the late 1970s, UUCP was primarily used to send mail, but it's suite of tools included ways to send and receive commands to be run on other computers.

It would be another 10 to 15 years before Tim Berners-Lee started work HTTP.

So when Tom Truscott and Jim Ellis started working on what would become Usenet in 1979, their idea was heavily coupled to UUCP. Even the name "Usenet" was meant to be similar to the Unix user's group "Usenix."

Behind the scenes, Usenet would take the bangpath away from the user. Instead, a user would post to the server they belong to and the servers would then share that information between each other. (EDIT: note that you still would need the bangpath of your server; e.g. hplaps!hpftc!econrad)

It's hard to not be unreasonably optimistic about Usenet

Like many parts of the internet, Usenet was a product of the western world in the middle of the cold war. For many, it was taken for granted that folks living behind the iron curtain would never be involved in any early flame wars.

It was taken for granted that most of the world would end in a much more real flame war.

But 1990, something weird happened. Programmers from Moscow's nuclear energy research institute created their own operating system, managed to access the internet, and quietly registered the Usenet *su domain. src

One year later the Berlin wall fell. And you can still find the post from eunet.politics about it:

Unbelievable!
Incredible!
Historic!

Actually a lot of historical events can be found on Usenet

Linus Torvalds introduced Linux on Usenet in 1991 with the phrase:

Are you finding it frustrating when everything works on minix? No more all-nighters to get a nifty program working?

On net.space, the Challenger explosion was announced:

At 8:39 AM PST today, the shuttle Challenger exploded at about a
minute into the flight.  NASA is searching for survivors now.  It appeared
that the orbiter and external tank exploded completely: television pictures
showed the SRBs moving away from a cloud of debris.  Thus it appears that
the first inflight disaster of the NASA space program has claimed the
lives of six astronauts and NASA's first passenger.

The disaster occured 17 years and 1 day after the Apollo I tragedy.

-- Rick.

On mi.jobs, Jeff Bezos seeks Unix Developers for a "well-capitalized Seattle start-up."

Well-capitalized start-up seeks extremely talented C/C++/Unix
developers to help pioneer commerce on the Internet.  You must have
experience designing and building large and complex (yet maintainable)
systems, and you should be able to do so in about one-third the time
that most competent people think possible.  You should have a BS, MS,
or PhD in Computer Science or the equivalent.  Top-notch communication
skills are essential.  Familiarity with web servers and HTML would be
helpful but is not necessary.
Expect talented, motivated, intense, and interesting co-workers.  Must
be willing to relocate to the Seattle area (we will help cover moving
costs).

Your compensation will include meaningful equity ownership.


Send resume and cover letter to Jeff Bezos:

mail:    be...@netcom.com
fax:     206/828-0951
US mail: Cadabra, Inc.
         10704 N.E. 28th St.
         Bellevue, WA  98004

We are an equal opportunity employer.

-------------------------------------------------------------------
"It's easier to invent the future than to predict it."  -- Alan Kay

In 1989, we get eye witness accounts of the Tiananmen Square Massacre.

The situation is Beijing is MUCH WORSE that what is reported by the
media. A friend of mine just made a phone call to her brother at
Beijing Normal Univ. Her brother said that thousands have been killed,
many of them run over by tanks.

I dunno about you all, but I'm starting to think this "internet" thing could be a really big deal moving forward.

Things I Can't Build: Podcasting on ActivityPub

Evan — Sun, 25 Nov 2018 23:19:54 +0000

EDIT: 2019 --> 🎉 I'm reviving this project. My work on Quirk is hitting a much more stable point which lets me come back to this. Feel free to read it though. 🎉

I normally like to write stories that teach some technical subject; if you like those as much as I do, then this article may not be for you. It's not particularly polished and not meant to be anything more than a call for maintainers. 📺 Regularly scheduled programming will return shortly.

Over the last year, I realized that there's plenty of things that I would like to build, but I probably won't get to.

In order to better maintain balance in my life, I limit myself to two types of programming attire:

A single core project (currently Segment)
Individual learning

Although a side project can fit into individual learning, the purpose is self growth, not the product itself. At the moment, becoming a better writer and researcher is my current individual learning theme.

But some stuff should be built

There's a number of projects I would love to see built, both because I think they're insanely valuable for the world and also because I think they'd be fun to work on.

If you're looking for a large meaty project, will these into existence for me, wontcha?

ActivityPub should Save Podcasting

Podcasts are having a bit of a moment. Listenership is way up as better and better podcasts are released and more folks learn that they too can fill every waking moment of their life with two dudes talking.

At the same time, the technology that podcasts are built off of, RSS, is slowly dying. The death of RSS in a single graph at andrewchen

Many larger players have noticed this, mainly Spotify and have swooped in to try and fill this need. Within the next 5 years, Spotify could take it’s place as the “YouTube of Podcasts.”

But that begs the question, why, after many years of podcasting success, has there not already been a YouTube of Podcasts?

Podcasters will lose control

However, it’s very easy to predict a future in which a larger player like Spotify comes in to give Podcasters both more features than RSS can provide but also less control; potentially for the detriment of the medium.

We’ve actually already seen this exact situation play out with blogs. As RSS readers died out, bloggers had a harder and harder time connecting with an audience and were forced to either implement their own subscription service or hop on an existing platform like Medium.

Yet, this now means that Medium is in charge of who sees what. Their algorithms are the ones deciding what’s popular and seen rather than a user’s individual choices. We left Medium. Here’s why. – Latterly – Medium

At the same time, YouTubers suffer from a similar problem because they have no real way to connect with their audience in a world where youtube shows you what it thinks you want instead of what people actually want.

But wait, wait, wait RSS isn’t dead yet, why would podcasters switch over?

Because as it stands now, a centralized system can offer podcasters significantly better tooling and features than RSS.

Spotify can offer you up to date, accurate metrics on who listens to your podcasts. They likely could offer you exactly when people stop listening and metrics about your audience. These are all serious business concerns for podcasters who survive off advertising. A lack of knowledge puts them at a disadvantage as having a bigger audience and not knowing it will lose you leverage in a sponsorship negotiation.

Plus, Spotify can give a more clear and understandable rating system for listeners, unlike the existing one that’s “somehow” based on Apple iTunes ratings.

And Spotify has a huge network and can pitch new listeners on shows they might not already know about. For podcasters, this means a whole new audience!

These advantages come at the cost of losing ownership over your audience though. Yet, once podcasts move to Spotify, it’s hard to go back. Spotify has the money and influence to advertise itself to a growing podcasting market as THE place for podcasts.

It’s likely that in 5 years, many lay people will associate podcasting with Spotify.

A solution and path forward

What we need is a new, open and distributed standard. RSS succeeded because anyone could setup something.

However, it’s very difficult to create a new standard and instantly acquire adoption.

So instead, let’s look to standards that already exist.

Mastodon and ActivityPub

At the moment, there exists a federated twitter clone that’s gaining steam. It’s got roughly a million and a half active users.

Mastodon is based on a network protocol called ActivityPub. ActivityPub lets several different websites talk to each other.

That’s how a single mastodon instance can talk to another mastodon instance.

But also, it’s how Mastodon can talk to other sites based on ActivityPub. A weird quirk of this system is that someone on Mastodon can subscribe to the feed of someone on PeerTube, a youtube clone based on ActivityPub.

That provides a ridiculous advantage.

We’ll put the podcasts on the ActivityPub

We need to put the pub in public radio. (Sorry Laugantias).

ActivityPub would allow anyone to spin up a podcast without ownership by a centralized authority, but with all the benefits of one.

ActivityPub is extensible enough that we can make our own features on top of it, just like how mastodon does, but interoperable enough that we can instantly plug-in to a large audience of people (the fediverse).

We should build a Mastodon for Podcasts.

There's 💸 money 💸 here to support development

If open source doesn't get funding it can die due to burnout.

ActivityPub servers have to be hosted and someone's gotta pay for it. Many podcasters already pay for media hosting; they might as well pay for one where they get better insights into their audience.

A Hypothetical Case of a Phishing Attack

Evan — Sat, 24 Nov 2018 16:58:40 +0000

Let’s say, hypothetically, that we receive an email from an old university address that looks like this:

Looks 👌legit.👌

It came from a .edu email address! It doesn't look spoofed. The headers match the address.

Maybe it's just someone who graduated 5 years ago and really likes to use their birthday as their password. We might even recruit a current senior, Maxwell Dulin to help us explore.

Let’s say, purely for story-purposes, that we clicked on this “verify now” business to see what all the fuss was about.

Password plz

It may look something like, I dunno, this:

And maybe it's coming from some url like:

https://bougurh.club/%20yaga/legit.edu/index.html

Let's do some peeking

We should checkout who this https://bougurh.club site is at the root.

They just show you their structure. They're even hitting multiple universities at once:

Well what can we find out?

The site's using https, so where did that certificate come from? We can use SSLHopper to see where it came from. Our SSL was only created a few days ago, so this guy probably hasn't been at this for very long.

Well, we can use dig to peer into his DNS. This guy isn't using www! The horror! He's also got an IP like this:

184.95.x.x

If we google the IP, that tells us he's using Secured Servers LLC, which doesn't have the greatest reputation for dealing with abuse claims.

What happens when we log in?

If we try to enter our details into this site, they try to send a POST to a /post.php which just logs the email and password in plaintext, then redirects us to Microsoft Outlook.

Since most students are already logged into their emails, it will appear as if the login worked. Victims might not even notice.

And that's... probably bad.

So what can we do?

Well we can reach out to the IT departments of the schools. But it's the holidays and no one's going to get back to us.

We could reach out to their domain name provider. But again: holidays.

Host provider? Lemme spell it out for you:

them.stuffFaceWithTurkey();

So what could we really do?

Well, we could send them ascii art pictures of dogs:

                                              _.-.._         _._
                                     _,/^^,y./  ^^^^"""^^\= \
                                     \y###XX;/  /     \    ^\^\
                                       '\Y^   /   .-==||==-.)^^
                   ,.-=""""=-.__       /^ (  (   -/<0>++<0>(
                 .^      .: . . :^===(^ \ (  (  /'''^^^^^^^)
                /      .: .,GGGGp,_ .(   \   /    /-(o'~'o))
              .^      : . gGG"""YGG}. \   )   / /  _/-====-\
             /       (. .gGP  __ ~~ . .\  \  (    (  _.---._)
            /        (. (GGb,,)GGp. . . \_-^-.__(_ /______./
           (          \ . '"!GGP^ . . . . ^=-._--_--^^^^^~)
           (        /^^^\_. . . . . . . . . . . . . . . . )
           )       /     /._. . . . . . . . . . . . . ._.=)
           \      /      |  ^"=.. . . . . . . ._++""\"^    \
            \    |       |       )^|^^~'---'~^^      \     )
            )   /        )      /   \                 \    \
            |'  |        \     /\    \                (    /
            |   |         (   (  \ . .\               |   (
            )   |         )   )   ^^^^^^              |   |
           /. . \         |  '|                       )   (
           ^^^^^^         )    \                      /. . \
                          / . . \                     ^^^^^^
                          ^^^^^^^

                     s'ko go dem zig zags
                        zippity zooms

See, if I was a l33t hacker, I would definitely love to see my ~~victims~~ best friends sending me ascii art pictures of dogs as the username and randomized compliments and fun facts as the password:

const passwords = [
    'hello mr hackerman we love you very much',
    'mr hackerman come join our club, we need new members',
    'do it dude we wana be your friends',
    'did you know bunnies actually die if they eat too many carrots',
    'https://i.ytimg.com/vi/Lv4SQy_9VLI/maxresdefault.jpg',
    'https://b0bcbb6c170cbb78f6d6-94268459969555eabeaba635a28d70e3.ssl.cf2.rackcdn.com/landing/april2015/bunny5.jpg',
    'http://3.bp.blogspot.com/-xfI3IZT7-8E/UgQb6czrRpI/AAAAAAAAEvA/FOICuW1x_YY/s1600/36+forgot+to+stop+being+a+fetus.jpg',
    'https://readjack.files.wordpress.com/2012/02/cute_bunny.jpg',
    'mr hackerman dont feed bunnies too much lettuce; its like candy for them and theyll get fat',
    'mr hackerman feed your bunnies a lot of lettuce so theyll get fat its adorable',
    'mr hackerman you should rate our bunnies 0-10 how good of a bunny is it (this is a test the answer is 11)',
    'if our ascii art doesnt show up correctly blame cpanel not us',
    'mr hackerman did you red pandas use their tails as blankets',
    'mr hackerman did you know sheep can recognize facial expression and they like smiles',
    'mr hackerman did you know polarbears touch noses when they meet each other',
    'mr hackerman did you know baby elephants suck on their trunk for comfort',
    'mr hackerman did you know that monkeys make snowballs and throw them at each other',
    'mr hackerman did you know that a cat has been the mayor of a town in alaska for 17 years',
    'mr hackerman did you know that dogs exist',
    'mr hackerman did you know that cats exist',
    'mr hackerman did you know that you can save 15% or more when you switch to geico'
]

And nothing would make my day more than seeing my logs flooded so that it's hard to read any "legit" requests.

Well okay, we can send them compliments and dogs? So what? Won't they just filter it out?

Well yeah. But what if we did something a little more devious.

Instead, what if we sent them "real" requests? We could craft a little cURL like this:

const curl = (username, password, userAgent) => {

  const cmd = `curl '${kiddysite}' 
    -H 'User-Agent: ${userAgent}' 
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' 
    -H 'Accept-Language: en-US,en;q=0.5' --compressed 
    -H 'Referer: https://bougurh.club/%20yaga/someuni.edu/Sign-In.html' 
    -H 'Content-Type: application/x-www-form-urlencoded' 
    -H 'Connection: keep-alive' 
    -H 'Upgrade-Insecure-Requests: 1' 
    --data
    'UserName=${username}&Password=${password}&AuthMethod=FormsAuthentication'`

  exec(cmd, (err, stdout, stderr) => {
    console.log(`stdout: ${stdout}`);
    console.log(`stderr: ${stderr}`);
    if (err !== null) {
        console.log(`exec error: ${err}`);
    }
  })
}

Then, we could use something like faker.js to generate real sounding email addresses like:

jwhite@someUniversity.edu
mMcarthy2@otherUniversity.edu

Then we could generate "real sounding" passwords with a little function like this:

function randomFakePassword() {
    switch (Math.floor(Math.random() * 10)) {
        case 0:
            return randomFakeEmail()
        case 1:
            return faker.date.past() + faker.commerce.color()
        case 2:
            return faker.hacker.abbreviation + Math.floor(Math.random() * 10)
        case 3:
            return faker.address.streetAddress()
        case 4:
            return faker.address.country() + Math.floor(Math.random() * 10) + faker.address.state()
        case 5:
            return "passw" +  Math.floor(Math.random() * 10) + "rd" + faker.commerce.color()
        case 6:
            return faker.company.companyName()
        case 7: 
            return faker.finance.bitcoinAddress()
        case 8:
            return faker.address.streetName() + Math.floor(Math.random() * 10) + "pass"
        default:
            return faker.finance.accountName()
    }
}

For extra fun, we can even create different user agents using faker again.

Then, we could create random timeouts and drip requests in as the day goes on. That way our hacker gets "caught" with the ascii art, but also can't easily filter out the "good" data.

Is this actually doing anything?

A lot of l33t hackers are newbs. They're copy/pasting code and setting things up pretty poorly. They're not experts.

That means they're often skittish. In this case, it only took a hundred requests or so before they shut down their site.

But let's say they didn't shut it all down in a fit of panic. What could this have accomplished?

It could slow them down.

They're reading emails and passwords off CPanel logs; they're not the NSA. Lots of their work is going to be manual.

If we can load them up with a bunch of fake passwords and emails, we can give the chance for the IT departments to block the domain and issue warnings to students.

We also give ourselves time to reach out to their hosting providers and report abuse.

Is this the correct way to handle the situation?

No. Report it to the authorities and let them deal with it. This is all just hypothetical after all.

This article was heavily helped in creation, content, and misadventure by Maxwell Dulin, a fantastic security enthusiast and engineer who's looking for a job! Send me a message and I'll give you his contact info.

What Wait Why: Heroku Doesn’t Want You to be Naked

Evan — Mon, 19 Nov 2018 21:05:03 +0000

www. is a subdomain. It took me forever to realize that.

When reddit switched to their new UX, they created an old.reddit.com that you could use to go back if you really wanted ~~a sane usable experience~~ the crusty old thing.

For the longest time, I thought it was broken. I’d go up to my address bar and in between the www and the reddit.com, I’d put .old so you’d wind up with:

https://www.old.reddit.com

That would cause my browser to panic and hit me with an SSL error:

My mental picture of www was not as a subdomain like old. or blog., but as “part of that junk in the beginning.”

Every site has www right? It's just like https:// or whatnot right?

Some Sites are Naked 😱

If a domain doesn't have a subdomain (ex: dev.to) we say it's a naked domain.

A lot of sites choose to live in their birthday suit for the same reason that I couldn't figure out how to go to ~~better~~ old Reddit: www is weird.

Most users don't understand how www works or why it's there. Browsers autocomplete and even hide the www nowadays. Many sites that use www will redirect their naked domains to their www version anywhoo, so most folks forget it exists.

From the perspective of the user, www feels like some Web 1.0 jazz, complete with fire gifs and hit counters.

We need more than just "A" record

If you've read my last post, you know that domains are managed with Resource Records.

When we're setting up a site, there's two common ones that we could choose to use: A records and CNAME records.

With an A record, we specify a hard-coded IP for the "Apex" or root of domain. For example, dev.to (as of this writing) has the A records that look like this:

dev.to.         299 IN  A   151.101.2.217
dev.to.         299 IN  A   151.101.194.217
dev.to.         299 IN  A   151.101.66.217
dev.to.         299 IN  A   151.101.130.217

Big Sites need Big Clusters

Behind the scenes of your favorite cat-picture-providing websites, a miracle is happening. A rotating centrifuge of computers is picking up your interweb searches. Computers blink in and out of existence for pennies on the dollar. Beeps boop. The world spins.

Most "big" sites run on multiple computers that operate independently of each other. If a site suddenly gets a tremendous amount of traffic all at once (like Segment does during Cricket games), new computers get spun up automatically to handle the load.

Those computers need their own IP addresses so we can start sharing traffic. Many managed cloud providers like Heroku, will do this all for you.

You give them the code, they monitor your traffic and then 3D print a preconnected macbook with a Heroku sticker to handle your spikes. Or something like that; I dunno, I'm not an expert.

A Becomes Cname

You can add a whole bunch of A records to your domain to support a bunch of different servers but ultimately, an A record cannot support dynamic ips.

You can't just add a new IP and expect it to work. DNS can take up to 24 hours to fully propagate!

By the time your site can tell the world about your new machines, your spike is over.

Instead, what we could do is use a CNAME record here. CNAMEs are special because they don't need to point to an IP address, they can point to another domain:

app.segment.com.    252 IN  CNAME   segment.com.

That lets us shove the problem of new IPs onto our host provider (like Heroku). In fact, this is exactly what Heroku tells you to do in its docs.

CNAME is a prude

According to the DNS spec, you can't use a CNAME on a naked domain.

So we're gonna need to bust out our ✨subdomains.✨ What's the most common subdomain for this problem?

Woah, woah, woah, but DEV is naked

I know, it's terrifying. It's probably not that big of a concern though. Dev is mainly shipping static content and it's doing it over a CDN.

That 151.101.x.x ips we saw before? Those are Fastly IPs. If I had to guess, each of the four IPs are Anycast IPs. This is a bit of a workaround some CDN services like Fastly offer, but according to the Fastly docs, it's more expensive and less performant than just using a CNAME for www.

So wait, should dev change?

Probably not. There's likely a whole host of issues that could be caused by changing the domain at this point. Plus, Dev probably should be concerned about url usability.

Computers get faster over time, but usability, usability never changes.

But when you're setting up your site, you should carefully consider the www. It may lead to headaches in the future.

DNS and an Evolving Political Crisis: a Saga of the .cat Domain

Evan — Mon, 19 Nov 2018 00:09:54 +0000

In 2017, the Spanish government shut down several websites with the top level domain .cat. 🔥🐱🔥

To understand why, let’s learn about DNS, how the internet works, and the political crisis in Spain.

The Internet was created so UCLA grad students could hit up their Stanford pals

Every discussion of DNS starts at the beginning, because the more you learn about DNS, the more it feels like it was just never meant to get this big.

In the late 1960s, ARPA, a branch of the US government founded to screw the soviets out of a Civ 5 Science Victory, fixed a problem.

ARPA had put some of their ~~large and costly monstrosities~~ early computers far away from the places they were needed.

California was a big place.

The first packets sent across the wire were from UCLA to the Stanford Research Institute. Within a couple years, the ✨ARPAnet✨ would not only connect multiple places across the world, but be interoperable with several other independently created internets.

They just dumped it all into one file

When ARPAnet was only a few hundred computers hooked together, mapping names to a computer was done via a HOSTS.TXT.

If you’re on a Mac or Linux computer you have a remnant of that HOSTS.TXT at /etc/hosts, which is what lets you type localhost into your browser instead of 127.0.0.1.

If you wanted to add a new name to ARPAnet, you emailed Stanford Research Institute (SRI) your changes and it would be compiled into the HOSTS.TXT.

The file was retrievable by anyone on the net and each host maintained their own copy.

As we started to push beyond a few hundred hosts, things got difficult. Someone could easily overwrite an existing host; there was no guaranteed unique name.

So if our hosts file looked like this:

3.0.0.1  nuclearpoweranddishwashers 
12.0.0.1 ringadingding
... some hundreds of sites

Someone might come along and overwrite ringadingding with their own address:

25.0.0.1 ringadingding

Plus, each HOSTS.TXT would look different since the speed at which new sites were being added was quicker than folks were refreshing the file.

Computer people solve problems with trees 🌲

Out of these problems came the Domain Name System. At it’s root, DNS is a hierarchical tree for retrieving names.

Much like how a file system divides things into folders, DNS divides things into domains. At the top of each tree is a top level domain (TLD) like .edu or .com.

DNS delegates both the storage and the management of domains to the subdomains below it. So example.com would be given ownership of the domain by the owner of .com and blog.example.com would be given ownership by whoever owned example.com.

Although it’s common to see only one subdomain, it’s possible to have a whole bunch. The following is a totally valid domain:

http://cs121.depalma.cs.gonzaga.edu

We can manage domains through resource records.

Each resource record is a key-value that’s used to administer a domain. If you’ve bought a domain before, you may have been asked to setup an A record or a CNAME record.

An A record points to an IP address and a CNAME acts as an alias for other records.

So if you wanted to redirect blog.foobang.com to foobang.com, you might have records like this:

blog.foobang.com CNAME foobang.com
foobang.com A 192.168.2.2

If you're curious, you can find the resource records of any domain with the unix command dig. So if you're on a mac or linux, try out the following in your terminal:

$ dig www.amazon.com

At least in 2018, you'll see a section with several CNAME records pointing to Amazon's CDN and an A name:

;; ANSWER SECTION:
www.amazon.com.     1056    IN  CNAME   www.cdn.amazon.com.
www.cdn.amazon.com. 20  IN  CNAME   www.amazon.com.edgekey.net.
www.amazon.com.edgekey.net. 260 IN  CNAME   e15316.ci.akamaiedge.net.
e15316.ci.akamaiedge.net. 1 IN  A   23.74.61.104

The first 7 TLDs

The people making this system were first-and-foremost a US government agency. No-one expected ARPAnet to become the international capital-I Internet that it is today.

As such, the first 7 top level domains are very US-centric:

com - commercial orgs like IBM
edu - universities like Berkeley
gov - the US government 
mil - the US military 
net - organizations providing network infrastructure
org - non-comercial organizations
int - international organizations like NATO

Top level domains weren't just technical artefacts anymore, they were something more.

Because ownership of the TLD meant management of the websites, the TLDs weren't just categories, they were definitions of culture. A TLD could define rules for what was in and out of the group.

Yet, at this point we don't even have country codes.

Well shoot, we've got to add countries

Countries mean a lot of issues. Our desire as programmers to have things neat and organized does not fit well into the real world.

Saying who gets a TLD means technologists are forced to weigh in on some of the most difficult geopolitical conflicts in the world. This isn't just timezones, this is the governing of human beings.

So when we go down the line of countries, do we include both Israel and Palestine? Taiwan? Kurdistan? Scotland?

Well yeah. ICANN (the current governing body) approved TLDs for all of these places. If there was a big enough group to back it, it would become a TLD.

Wait, wasn't this article about Spain?

Actually no. It's about Catalonia.

Catalonia is a region in Spain with a long history of independence conflicts. Like the Basque country, Catalonia speaks a different language and sees itself as culturally different than the surrounding Spain.

In 2005, .cat became a sponsored top-level domain specifically for Catalan culture and language developed by Fundació puntCAT and approved by ICANN.

Like many cultural TLDs, you can't get a .cat domain unless you're actually doing something related to Catalan culture.

In 2017, the region held an independence referendum that would have breached the constitution of Spain; most country's constitutions don't support regions splitting off.

In response, the Spanish government raided the offices of puntCAT, arrested their head of IT and shut down multiple .cat domains.

Let's remember what we're talking about

Fundació puntCat maintains lines in a database on a system designed so UCLA researchers could play fair with Stanford on a 1970s computer system.

No one thought they'd be weighing in on a cultural conflict thousands of miles away.

Yet the technology we build as a way to keep researchers from tripping over each other is now part of legal and cultural conflicts of one of the historically powerful countries.

So what's the point?

Well for one thing we're not going to get .🐱 domains anytime soon.

But more importantly, technical decisions can have a weight and impact far beyond what you originally prepare for. As you go off into your career, don't turn a blind eye to the way your software is being used and what it means if it 100x'd in size.

How would your software change if you knew it would be use by billions of people?