you don't need to store anything on the server. cookies for that ___domain are sent with the request and it is enough for the server to check its cookie with the csrf request data.
browsers would send the bank.com cookies with the bank.com request. It is security built into the browser which is why its so important to use secure browsers and secure cookies.
If the malicious user convinces the user to use an insecure browser you can circumvent CSRF, but at that point there are probably other exploits you can do.
> How does server know the cookie is valid if it doesn't store it
depending on why you'are asking the question,
* because it decrypts correctly
* because it contains some user identifier
People don't usually store sessions in cookies because cookies can't be very big, and session do become big. So what people do instead they store cookies in databases, and put session identifiers into cookies.
How does server know the cookie is valid if it doesn't store it and how does it know csrf token is valid if it doesn't store it and finally how does it know that this csrf token relates to this cookie session token if it doesn't store it?
The CSRF token can have nothing to do with the cookie session information. you can store CSRF as a separate cookie.
You can validate the CSRF is valid by keeping a key on your server and matching that the token you get can be derived from that key.
See Django's implementation of CSRF for more details. CSRF tokens are separate from session and no CSRF information needs to be stored in database to validate CSRF.
I like to tell people if you go to a carpenter to build a table, you'll get a wooden table. If you go to a stone cutter, you'll get a marble table. If you go to a welder, you'll get a metal table.
The trick is to know who to go to get what you want. In the USA with PPO there is generally zero friction to just making yourself an appointment with a speciality doctor and that specialty doctor will use his "toolbox" to create the outcome that you came to him and paid for. If you go to a psychiatrist, well their tool is prescription medicine, so that is what they'll use.
This sounds like common sense, but i think the population at large places too much trust in the doctor. In the US you have to be your own advocate.
An idle idea I’ve had is that the healthcare bureaucracy in the U.S. can get so bad that one wishes one can hire a lawyer-type of role to navigate it as a paperwork proxy of sorts. But perhaps greater scope is needed- a personal medical advisor who has the ___domain knowledge, while being independent of the incentives that drive others in the health system.
I suppose in the past that would just be your family doctor, wasn’t it.
In california (and i would have guessed nationally) at least you do need a long form test in order to get control prescription like adderall. But the test is more of a "video game" style that tests your attention
I remember there was a Soviet practice of cutting records into old XRays (called "ribs") as a way to bootleg them. I think those cutting machines were made from retrofitted old phonographs.
For black market uses, the consumers was probably willing to bear dreadful audio quality. For a modern aficionado, the quality must be good enough to give some justification for the endeavor.
In the soup story the villagers freely gave up their carrots and onions and the travelers didn't give any guarantees that they wouldn't be consumed.
In the AI analogy, it is a bit closer in my mind if the travelers would say "Don't worry your onions and carrots and garnishes won't be consumed by us! Put them in the pot and we will strain them out, they are still yours to keep!"
We, the villagers, are dumping our data into the AI soup with a promise that it won't be used when we are using the API or check a little "private mode" box.
The analogy breaks down because physical property and intellectual property are different.
When we input creative works into training sets, we do not withhold those works from someone else! Digital copies are different than scarce resources. *
Also, all the AI ToS I've read have stated they will use my inputs to improve their services. I haven't seen an AI service state they won't use my inputs.
The analogy is perfectly apt. When an AI is trained on work that you've produced, it steals your effort - your work and effort and sweat has been taken by the model and its users.
...unless you think that your employer should be able to withhold wages from you because there's no "physical property" that you've provided to them.
It would be more accurate to imagine a version of the tale where the stone soup chef rifles through people's houses to collect ingredients without permission (if they were against it surely they would've opted out of his services and obtained guard dogs?), and then opened a stand to sell the soup in the town square at premium prices while tainting the wares of his fellow vendors with his leftover slop.
Literally all “promises” mean nothing unless backed up by force.
The government was a nice backplane to ensure that, but now that its decisions are unreliable, all interactions with other parties are under these natural law rules.
I don’t think this being AI really changes the deal given that starting situation
Many social conventions are less implemented by force than by withdrawal of cooperation. That's an aggression, but of a very mild formf, but regardless one which is remarkably effective without requiring an offensive stance or the risks concomitant to same.
Psh, the companies are freely giving up the data. It is unmentioned where the villagers got the carrot initially, maybe they also stole it from the library or promised their users the carrot would not be eaten. Lol
> Note that this graph is generated remotely with the contents of your `tach.toml`
Isn't shipping off parts of your codebase to a 3rd party without warning in the CLI a security risk? Or in regulatory environments you get audited that your code was only stored on properly vetted services which is why some sales cycles for AI coding assistant tools are so long. It would be kind of frustrating to have something like that happen and get set back on licensing, etc.
Just from the video it doesn't seem like any sort of warning that you are shipping config files to your servers and the URL that you produced doesn't seem to have any authentication.
Maybe i am misunderstanding that functionality, but it gives me pause to use it.
In short, we want to make the visualization UX as smooth as possible, and this is best done with a web app. The URLs use UUIDs, and the contents being sent don't include literal source code, only module names and Tach configuration. We will also delete graphs by UUID on request, and have done so in the past.
That said, we do try to be up-front about this, which is why that disclaimer exists, and when running this command on the CLI, you must supply an explicit `--web` argument to `tach show`. Otherwise, the default behavior is to generate a GraphViz DOT file locally.
I’m mostly kidding but incidentally PHART was born in order to visualize Python dependency graphs in-line in 7-bit ASCII because I wanted the functionality in my dependency analyzing code summarizing concatenator tool I was using to aid in pair-programming with ChatGPT and Claude when codebases started outgrowing useful context lengths.
That tool is here https://github.com/scottvr/chimeracat/
(it is nowhere as slick-looking as OP’s app, but also that is by design.)
The first time someone in public said they were curious to see the chimeracat output for his company’s codebase was also the first time I considered “wow.. how do I make sure people know they can trust chimeracat isn’t stealing their code?” and started thinking of ways to give people that surety and safety for any app, because so realized that though it was my first time to think about how “code analysis” tools like this, it even linters, prettifier’s etc. are a fertile ground for subterfuge and espionage, it was no doubt not the first time the thought had occurred elsewhere, and likely to at least a handful of folks who would (and no doubt are) putting such tools out there in the wild.
> you could always write a GUI app. it's not that hard for such a self-contained project
beautiful HN comment. They might simply be familiar with web apps and want to focus on the part that provides the most value to users.
The external network requests are optional. It can run fully locally.
They’re a tiny startup that just launched, trying to ship something that helps people. Building a native app is not the most impactful thing they could spend their time on.
Why not just let users run the web app locally? There's no reason it needs to be remote.
Also, the mere fact that it sends any data, no matter what you say it contains is a non-starter at many places. And even module names can contain proprietary data.
I can understand the frustration, but I think there are legitimate reasons to run this remotely.
Tach is an installable Python package, shipping a full web app would have to come in a separate form factor and has significant maintenance implications. Given we are explicit about the remote app before anything is sent, require explicit opt-in, and we provide usable alternatives locally, we prioritize shipping a useful graph experience that is immediately usable.
If you are at an enterprise that cannot tolerate this, then you can use a local viewer with either GraphViz DOT format or Mermaid which is generated by using `tach show` or `tach show --mermaid` respectively.
I appreciate the attempt but the reasoning of "it requires maintenance" is entirely moot. You have to do this regardless. Its just whether or not you publish it open-source. You are still saying, internally, this is good enough for customers, when you push it out.
This is a (very) thinly veiled attempt at a closed garden of sorts, IMHO. Its a "clean" excuse for not giving away the milk for free, but it falls short on actual reasoning.
Looking at the license (MIT) we already got much more than what we paid for and the authors don't "have to" do anything but accept thanks of those who chose to be grateful for software they got for free.
This. It's ridiculous how often people complain about the design of free software. If you don't like it, just don't use it! Use something else! Build your own! Or fork it to work in the way you described that you'd prefer - you can do that yourself if you really want since the source is available
It is totally valid to tell people not to criticize a project offered by someone who made it for their themselves or wants to offer the value to the public but doesn't have the resources to do everything perfectly. But this is not that, and I don't see a non-profit org behind it, so it appears to be something that is being offered on a quid pro quo basis. Thus we need to figure out where the value is being extracted and if the dev are cagey about it, that rings alarm bells.
The default of the command is to generate locally. They don’t need to open source an entire web app. It’s easier to deploy themselves then deal with the burden of open sourcing and maintaining.
This isn’t some conspiracy. It’s a tiny startup trying to ship something useful.
I think you misunderstand my comment. I was addressing whether or not it can be appropriate for someone to question an aspect of an open source project, and not whether this project was part of a conspiracy.
Since you’re being somewhat brigaded by the “everything local!” mob, I just wanna say that this all sounds completely reasonable to me. Some people hate being told that their demographic just isn’t currently being catered to exactly in the way that they want. I’m sure that these people working on things so utterly Top Secret can wait a while for your new little tool to support them. They’re just mad they can’t use it at Meta or whatever.
Why doesn't it just communicate a unique conversation ID and then use a backchannel like opening up a web connection instead? It is supposing that you are able to make a call but not connect to the internet?
TBH kind of disappointed by how little it distorts, especially for cities with stereotypically difficult travel times by car like LA. almost loos like random distortions as opposed to something to pattern match. Really the only thing noticeable is bodies of water distort the map the most (which explains why LA doesn't get that distorted).
Would be kind of nice for when i click the point that all the points distort based on that point instead of globally trying to position each point relative to every other point.
And the fact that the distortion is preset and not based on where you click. This is one of those things using heat maps where the clustering is clearly large population centers. Not really as helpful/useful as people think they are
If the analogy to warped spacetime was exact, then there would be a “scale factor” for every point depending on the local transit speed. Then it would be possible to do as this page does and for the answer not to depend on starting point.
However in the real city the transit speed at any point is not isotropic, the space is 3-D, and some paths are forbidden (getting on-off the train between stops).
you don't need to store anything on the server. cookies for that ___domain are sent with the request and it is enough for the server to check its cookie with the csrf request data.
browsers would send the bank.com cookies with the bank.com request. It is security built into the browser which is why its so important to use secure browsers and secure cookies.
If the malicious user convinces the user to use an insecure browser you can circumvent CSRF, but at that point there are probably other exploits you can do.