josh-wrale's comments

Can you expound on the data modeling they missed out on? Is the UML code generator a bad way to go in your opinion or did they just not do due diligence with data modeling?

(Asking because I'm starting a new data-heavy project and I'm considering generating code from UML.)


At the core, they sort of missed the problem. With the advent of ACA, you could no longer use medical history to set rates. You had age, sex, smoker -- and the killer location. What they were actually after is a bit of a rules engine, as one person may have 30k+ offerings, another location none. Think actuarial tables at the zip code level. The data model itself was a bit ... modeled around people and missed the rate part. I think they had about 2 years - and spent much of that time modeling. The cracks were not evident until way too late.

One of my favorites was the way they serialized the POJOs. Data object turned to XML. Send to a process that added more stuff. Send to another process, lose all the non-base stuff. Lots of data corruption. The model being wrong required them to try and tack on all sorts of extra stuff... but the framework really did not support it.

They tried to match a handful of A players with a bunch of C grade developers. Then they pulled all the A players into never-ending meetings. I saw little to no code review of what was actually going on. Folks literally copied switch blocks, because the code worked, and left in the old case statements. Exceptions eaten. Textbook example after example of what you might expect in the daily wtf type code.


Does legislation take into account at all how difficult or complicated it is to implement?


hah


I can't blame people for trying to build things in what they find introduces the least friction to shipping. With traction, this app could be rewritten as native, supposing it's tenable as a first iteration. I use an Electron app on my Mac that's been open for days and is only using 100MB ram at the moment. RAM is cheaper than time for many folks.


Answering myself: This blog post has some good info on the topic. http://cameratico.com/guides/web-browser-color-management-gu...


Thanks for the link @wmf.

I took a look at the front page of iconfactory.com which is the site where the book author posted this:

http://blog.iconfactory.com/2016/12/making-sense-of-color-ma...

It looks like they aren't demonstrating a least common denominator fix there. This is understandable, as least common denominator probably doesn't look great for most modern icons.

Took this screenshot:

http://imgur.com/a/mNxJo

Might still buy the book. Just did the screenshot as a quick study.


If the technical issue wasn't enough reason to leave CF, this should be.


Is it though? Is anywhere else really any better? Won't CloudFlare be reviewing everything now? Will they be more secure after this and more trustworthy? I'm asking myself these questions now.

Really, I don't know the answers, but I'm not leaving because this seems like something that could happen anywhere at any time. I honestly don't know though.


Poor judgement in leadership is reason enough for me. Will they be reviewing everything? Perhaps. The person overseeing that review may not be erring on the side of caution though. Concerns me. Draw your own conclusion I guess.


> Is anywhere else really any better?

Yes. A t-shirt contest is a joke of a security bug bounty.

https://hackerone.com/cloudflare (t-shirt)

vs.

https://hackerone.com/coinbase ($500-$10k) or https://hackerone.com/uber ($500-$10k) or https://hackerone.com/facebook ($500-$10k) or dozens of others...


That's a bit of a straw man. Bug bounty payout isn't any indication that one company is better at security than another. Also, any one of those companies could be sitting on some obscure bug that is currently unknown to anyone in the company until it tragically makes itself known.


Look at Tarsnap's bug bounty: http://www.tarsnap.com/bounty-winners.html . This guy has given out more than a thousand dollars and this is (as far as I know) a one-man shop. How big is Cloudflare? How secure should it be given that it asks for customers' private SSL keys? I would say they should have the biggest bounty program.

This leads to one of the two conclusions: 1) They are too cocky to think that they may have security problems (which is a big problem) 2) They know they may have security problems but don't care enough (which is a bigger issue).

There is no way you can cut this to make them look good.


I'm not making any argument for or against CF. I'm saying that equating the size of a bounty program to the perceived level of dedication to security or code quality of a company is a straw man argument.


If you offer less than $50 for something someone else in the market (albeit for a likely unethical purpose) is willing to pay $10k for, what do you expect people to do?

It isn't a strawman to state economic incentives matter. Or do you genuinely believe everyone experienced in security will take the $50 because of "ethics"?


I use this: http://www.logitech.com/en-us/product/stereo-headset-h390?cr... (Logitech H390). It's quite good.


I just skimmed the video, but seems like there should have been a lot of photos/videos in such a segment showing the aftermath. Hmm... Maybe I just missed them in my quick skimming. Edit: okay... See around 3 minutes.


@ 4m it shows the actual crash footage.


Try this (or a simpler variation thereof): https://www.youtube.com/watch?v=6duVvwdd5F0

I usually wrap my Apple charger loosely and throw it in a backpack. You can optionally attach a cheap piece of Velcro to keep it all together.

Edit: Here's another good cable wrapping demo: https://www.youtube.com/watch?v=-74OEVUOKOw


I can tell you from personal experience. When you have a baby or toddler who is curious about wires and quick about it, those safety features are very handy!


Even as an adult, I like Apple chargers because I know they were engineered well enough to not shock me. I have no problem leaving the connector on the couch, accidentally sticking my finger on the contact points, etc.

It is a nice peace of mind when my brain is not on edge that it might be plugged in when I see it lying around. I could not say the same thing for my cheaper USB phone charger.


Dare I ask what happens if you stick the cheap one in your mouth?

I don't think I'm interested in signing up to do the experiment personally...


I think this (edit: blue lights) is intentional, at least in some cases. A highway police officer on night patrol is probably well served by this potentially disorienting effect.


I disagree. I once almost didn't see an officer who was standing in the halo of her car's flashing blue lights on a rainy road. Intentionally disorienting drivers is dangerous.

