by steventey on 11/8/23, 8:50 PM with 54 comments
by erulabs on 11/8/23, 10:16 PM
A few things can be true at the same time:
- Airbnb is an inspiring story for any entrepreneur
- it has had arguably detrimental impacts
- the founders came from privileged backgrounds
- they also worked their ass off and are fiercely intelligent and risked plenty
On the tech side - it’s always funny to hear the (correct) critiques of early Rails. It reminds me of when I was talking trash about Java as a kid. My boss laughed and said “Java bought me my house, so it’s good in my book”. Or the first Tesla I ever saw with the license plate “PHP LOL” in the Facebook parking lot.
Pragmatism must beat idealism. In business and in database primary keys and everything in between.
by londons_explore on 11/8/23, 10:39 PM
Sure, they could pay a study group to do that. But doing it themselves will probably let them make better decisions overall.
by emmanueloga_ on 11/8/23, 11:28 PM
To address these leaks, one option is to generate synthetic keys for each resource. However, this method is costly because it requires indexing the new key alongside the primary key (PK). Indexing is not without overhead, and synthetic keys are often larger, like 128 bits for UUIDs or ULIDs compared to a 64-bit numeric PK. This means that every record insertion necessitates dual indexing. Generating UUIDs can sometimes be challenging too because of reasons.
An alternative involves obfuscating the ID in such a way that it can be easily reversed on the server. Effective algorithms for this purpose are "Sqids" [1] (the second version of "hashids"), the Skip32 cipher [2] and ... more math :-p [3] [4]. Chaining both algorithms could provide an additional layer of obfuscation.
Before someone mentions this, yes, obfuscation is not encryption, so not a thorough security measure. But I think obfuscation is a practical way to prevent casual URL leaks, even though more determined attackers may attempt to reverse-engineer the IDs.
More options:
* Add a "salted hash" to the id, ex: website.com/thing/1-hash/children, "hash" could be something like SHA-256("--{id}--{salt}--"). Now the "attacker" would need to know how to generate the hash if trying the id "2". Could also be combined with ID obfuscation as mentioned before. "salt" would be a single string per resource type, or even for the whole app.
* Encrypt the ID: only the server would know the password to decrypt the ID, so this would be secure as long as the password and method of encryption are not leaked.
--
2: https://stackoverflow.com/a/4200193
3: https://github.com/c2h5oh/hide
4: https://en.wikipedia.org/wiki/Modular_multiplicative_inverse
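As an added example that is not part of the post above: the modular-multiplicative-inverse obfuscation the post points to in [4], combined with a keyed URL tag along the lines of its "salted hash" option. The multiplier, XOR mask, secret, path layout and function names are all assumptions made for this example. Obfuscation alone is reversible by anyone who learns the constants (deobfuscate() does exactly that, with no secret), so the resistance to guessing id "2" comes from the tag, which requires the server-side secret. The tag uses HMAC-SHA256 over the public token rather than a plain SHA-256 over a concatenated string; that is a choice made here, not the post's.

```python
# Added example, not code from the post: a reversible 64-bit ID permutation
# built from a modular multiplicative inverse (the post's reference [4]),
# plus a keyed tag so that a guessed neighbouring ID does not yield a valid URL.
import hashlib
import hmac
from typing import Optional

BITS = 64
MODULUS = 1 << BITS

# Hypothetical constants chosen for this example. MULTIPLIER must be odd so
# that it is invertible modulo 2**64; XOR_MASK only scrambles the output bits.
MULTIPLIER = 0x9E3779B97F4A7C15
XOR_MASK = 0x5DEECE66DF1B2A73
INVERSE = pow(MULTIPLIER, -1, MODULUS)  # Python 3.8+: modular inverse
assert (MULTIPLIER * INVERSE) % MODULUS == 1

# Server-only secret for the URL tag. Hypothetical value; load it from config.
TAG_SECRET = b"example-server-secret-do-not-ship"
TAG_HEX_LEN = 16  # 64-bit tag: enough to make online guessing impractical
HEX_DIGITS = set("0123456789abcdef")


def obfuscate(db_id: int) -> int:
    """Map a 64-bit primary key to a scrambled 64-bit public id (a bijection)."""
    if not 0 <= db_id < MODULUS:
        raise ValueError("id out of range")
    return ((db_id * MULTIPLIER) % MODULUS) ^ XOR_MASK


def deobfuscate(public_id: int) -> int:
    """Invert obfuscate(). Anyone who knows the two constants can do this;
    this is why obfuscation on its own is not an access control."""
    return ((public_id ^ XOR_MASK) * INVERSE) % MODULUS


def tag_for(token: str) -> str:
    """Keyed tag over the public token, truncated to TAG_HEX_LEN hex chars.
    HMAC is used so the construction does not rely on an unambiguous
    concatenation of salt and id; the key never leaves the server."""
    mac = hmac.new(TAG_SECRET, token.encode("ascii"), hashlib.sha256)
    return mac.hexdigest()[:TAG_HEX_LEN]


def segment_for(db_id: int) -> str:
    """Build the URL path segment: <16 hex chars token>-<16 hex chars tag>."""
    token = f"{obfuscate(db_id):016x}"
    return f"{token}-{tag_for(token)}"


def resolve(segment: str) -> Optional[int]:
    """Parse a path segment back to the primary key, or return None if it is
    malformed or the tag does not verify. The tag is checked before any
    database lookup, so a guessed token never reaches the DB."""
    parts = segment.split("-")
    if len(parts) != 2:
        return None
    token, tag = parts
    if len(token) != 16 or len(tag) != TAG_HEX_LEN:
        return None
    if not all(c in HEX_DIGITS for c in token):
        return None
    if not hmac.compare_digest(tag, tag_for(token)):
        return None
    return deobfuscate(int(token, 16))


if __name__ == "__main__":
    # Sequential keys 1, 2, 3 produce unrelated-looking segments.
    for db_id in (1, 2, 3):
        print(db_id, "->", "/thing/" + segment_for(db_id) + "/children")
```

Note that the permutation does not grow the stored key: the database still indexes the 64-bit primary key, and both the token and the tag are derived on the fly, which is the cost argument the post makes against a second indexed synthetic key.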
by maximinus_thrax on 11/8/23, 10:33 PM
> It's wild (vulnerable, transparent, kind, generous, and humbling) for the CEO of a $60B company to welcome complete strangers into his home to host them – including cooking together and showing them the city – for a weekend.
This phrase is outright insulting in my view. Do you really think you will be in the company of a billionaire (and CEO of a PUBLIC company) without even basic vetting? Give me a break.
by wilg on 11/8/23, 9:35 PM
by ulizzle on 11/8/23, 9:43 PM
Be born to the right people and toe the party line. That’s what Brian’s story will show you. But that’s basically a cliche right now so I doubt you’re in any way surprised
by Rebelgecko on 11/8/23, 10:29 PM
by davetron5000 on 11/8/23, 9:25 PM
by xkcd1963 on 11/8/23, 9:44 PM
by narner on 11/8/23, 11:02 PM
by polishdude20 on 11/8/23, 9:59 PM
"I told him it's a bad idea. I didn't think it was going to work, and I didn't really understand it. If he listened to me, Airbnb wouldn't be here now."
I mean, in the end, isn't it turning out to be a bad idea? Removing homes from the rental market, increasing housing prices. Encouraging more treatment of housing as an investment. Sometimes, Brian, your mom is right.