Hacker News | sylvain_kerkour's comments

One word: Alignment.

It's a Buddhist concept that says that to achieve tranquility (end of suffering) you need to have what you value, what you think and what you are actually doing aligned and going in the same direction.

When you're feeling lost, ask yourself these 3 questions:

- What do you really want?

- What do you really value?

- What are you really doing with your life?

I've written a longer post that you can read here: https://kerkour.com/alignment


At the end of the day, what really matters for most people is

1) Certifications (FIPS...)

2) Speed.

SHA-256 is fast enough for maybe 99,9% of use cases as you will saturate your I/O way before SHA-256 becomes your bottleneck[0][1]. Also, from my experience with the different available implementations, SHA-256 is up to 1.8 times faster than Blake3 on arm64.

[0] https://github.com/skerkour/go-benchmarks/blob/main/results/...

[1] https://kerkour.com/fast-hashing-algorithms


I mostly agree with you, but there are a couple other bullet points I like to throw in the mix:

- Length extension attacks. I think all of the SHA-3 candidates did the right thing here, and we would never accept a new cryptographic hash function that didn't do the right thing here, but SHA-2 gets a pass for legacy reasons. That's understandable, but we need to replace it eventually.

- Kind of niche, but BLAKE3 supports incremental verification, i.e. checking the hash of a file while you stream it rather than learning whether it was valid at the end of the stream. https://github.com/oconnor663/bao. That's useful if you know the hash of a file but you don't necessarily trust the service that's storing it.
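
Added example (not part of the thread, and not code from BLAKE3 or the bao project): a simplified model of the incremental verification described in the comment above, with a domain-separated SHA-256 Merkle tree standing in for BLAKE3's internal tree. The chunk layout, the function names and the `serve` service are assumptions for illustration, and the client is assumed to know the root hash and the chunk count from a trusted source.

```python
import hashlib
import hmac

def _h(prefix, *parts):
    """Domain-separated SHA-256: prefix 0x00 for leaves, 0x01 for inner nodes."""
    return hashlib.sha256(prefix + b"".join(parts)).digest()

def build_levels(chunks):
    """All tree levels, leaves first; an unpaired node is promoted unchanged."""
    levels = [[_h(b"\x00", c) for c in chunks]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([_h(b"\x01", cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def siblings_for(levels, index):
    """Sibling hashes the storage service sends alongside chunk `index`."""
    out = []
    for level in levels[:-1]:
        if (index ^ 1) < len(level):
            out.append(level[index ^ 1])
        index //= 2
    return out

def verify_chunk(root, n_chunks, index, chunk, siblings):
    """Recompute the root; left/right order comes from the trusted index and count."""
    node, width, sibs = _h(b"\x00", chunk), n_chunks, iter(siblings)
    while width > 1:
        if (index ^ 1) < width:
            s = next(sibs, b"")  # a short proof simply hashes to a mismatch
            node = _h(b"\x01", s, node) if index & 1 else _h(b"\x01", node, s)
        index, width = index // 2, (width + 1) // 2
    return hmac.compare_digest(node, root)

def stream_verified(root, n_chunks, stream):
    """Yield each chunk only after it verifies; stop at the first bad one."""
    for index, (chunk, siblings) in enumerate(stream):
        if not verify_chunk(root, n_chunks, index, chunk, siblings):
            raise ValueError(f"chunk {index} failed verification")
        yield chunk

# Constructed sample: five chunks and a hypothetical untrusted service.
CHUNKS = [bytes([i]) * 1024 for i in range(4)] + [b"tail"]
LEVELS = build_levels(CHUNKS)
ROOT = LEVELS[-1][0]  # the only value the client has to trust, besides the count

def serve(tamper_at=None):
    for i, c in enumerate(CHUNKS):
        yield (b"X" + c[1:] if i == tamper_at else c), siblings_for(LEVELS, i)
```

With `serve(tamper_at=3)` the consumer receives chunks 0 to 2 and then gets an error at chunk 3, instead of reading the whole stream before learning that the final digest does not match.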


I think SHA-256 is still marginal for speed in modern environments unless your I/O is unusually limited relative to CPU. Current servers can support 10s of GB/s combined throughput for network and storage, which is achievable in practice for quite a few workloads. Consequently, you have to plan for the CPU overhead of the crypto at the same GB/s throughput since it is usually applied at the I/O boundaries. The fact that SHA256 requires burning the equivalent of several more cores relative to Blake3 has been a driver in Blake3 anecdotally creeping into a lot of data infrastructure code lately. At these data rates, the difference in performance of the hash functions is not a trivial cost in the cases where you would use a hash function (instead of e.g. authenticated encryption).

The arm64 server case is less of a concern for other reasons. Those cores are significantly weaker than amd64 cores, and therefore tend to not be used for data-intensive processing regardless. This allows you to overfit for AVX-512 or possibly use SHA256 on arm64 builds depending on the app.

There is a strong appetite for as much hashing performance per core as possible for data-intensive processing because it consumes a significant percentage of the total CPU time in many cases. Due to the rapidly growing scale, non-cryptographic hash functions are no longer fit for purpose much of the time.


Honestly? I believe that the new hype of Server Side Rendering (SSR) frameworks is only a matter of vendor lock-in: when you have SSR, you *NEED* edge rendering, which only a few vendors can provide today.

Single Page Applications (SPA) are totally fine. My blog is an SPA (https://kerkour.com) and has no problem being indexed by the major search engines.

It's actually way faster than most webapps using shiny new SSR frameworks as I can cache with precision the different chunks/assets.

Finally, everything is served from a server that barely uses more than 50 MB of RAM even under high load. Last time I looked, Next apps needed around 500MB-1GB of RAM to serve only a few visitors.


Your web site is serving up static, pre-rendered content. Further, it's actually more SSR-ish than SPA -- each request for a blog post returns the new page, except it is encoded as a JSON object which your front-end must interpret and convert to HTML, instead of just returning the updated HTML fragment itself.


Why would you need edge rendering for ssr? What's wrong with a regular server?


>has no problem being indexed by the major search engines

Naively, I never really questioned that SSR was better for SEO; what about your app do you attribute its successful indexing to?


> Next apps needed around 500MB-1GB of RAM to serve only a few visitors.

Not sure why you’re getting downvoted - your comment seems to add valid points like this to the discussion.


Hey,

I've written a few books (https://kerkour.com/books) with only markdown, https://excalidraw.com and https://figma.com

I've detailed my complete setup and shared the Dockerfile that I use to convert the markdown into ebooks (EPUB, PDF and Kindle) on my blog: https://kerkour.com/book-self-publishing-pandoc


For latex have a look at https://www.overleaf.com


Great to finally see this here! Cloudflare is the 4th major cloud platform that (almost) nobody is seeing coming, and I believe that they will even surpass Google Cloud Platform sooner than expected.

The only problem that remains is their support...

I'm writing a book about Cloudflare (launching very soon) where I share this and many other things to scale faster all while saving big on your cloud bills. You can join the waiting list here: https://kerkour.com/subscribe


100% agreed.

The most consistently amazing thing about Cloudflare is the clarity of their product positioning.

You have this common problem, we built a thing to fix it.

No 'change your problem into this other problem' gymnastics. Just 'pay us once you exceed the free tier, and it's no longer a problem'.

And furthermore, they seem to have clarity of platform vision, in that each piece does something very specific to help them compete efficiently against AWS/Azure/GCP (who have much larger resources) AND has synergies with their existing platform. E.g. edge compute, free/cheaper network traffic from compute/storage

Critically, Cloudflare seems like the only competitor to the majors that has their eyes on competing on price by capturing enough of the market of {some thing} that they can still make profits at extremely low price points.

Also, just glanced at their financials again, and they look exactly like you'd want to run a large company if your eye was on order of magnitude growth. They just pivoted to positive FCF in 2023, biggest expense is sales and marketing (over half their gross profit), and have exponential revenue growth.


If you want to read more about their financials of Q2, I found this very interesting:

https://softwarestackinvesting.com/cloudflare-net-q2-2023-ea...


I follow cloudflare closely and we use them at work. I agree with your statement :)

Their support is superb, but it takes a while to access.

The only time we needed them, the chat option seemed relatively quick.

+ they pointed us to a tls connect issue at Azure with a very detailed analysis of why.

Thing is. If you see a cloudflare error page, it's probably your hosting provider and not cloudflare...


Support and also all-around enterprise readiness. Even on the enterprise tier, their permissions management is a pale shadow of what IAM grants you on AWS or GCP, to the point where you will put your compliance at risk. No documentation on setting up SAML/SSO for their management console. It's very, very clear that their internal growth engines are set to ludicrous growth rates (to try and justify their outrageous stock price) and the organization is coming apart at the seams. None of which takes away from the fact that the core engineering is top-tier and the core tech product is best-in-class.

We'll see if NET survives public investor expectations.


I think they made their permission system much more fine grained during developer week.

Is your info still up to date? ( I'm not following this topic too much, but I do remember some things passing by).

---

Additionally, most of their investors are companies and not private.

There's a lot going on. One of the improvements that they did was in the sales department.

If those previous sales that were severely underperforming are now replaced by even average sales, then expect a big rise in sales for Q3.

Reference: https://softwarestackinvesting.com/cloudflare-net-q2-2023-ea...


Yeah, for example, you can grant Edit permissions on Cloudflare Workers overall within an account, but you cannot grant permissions on a single Cloudflare Workers deployment. Any developer who has permissions in, say, a development Cloudflare Workers deployment will thus have full permissions to the production Cloudflare Workers deployment, or permissions to deployments owned by other teams.


please find the docs for SSO setup for the CF dashboard here: https://developers.cloudflare.com/cloudflare-one/application...


Why is this buried deep in the docs for Zero Trust and not part of user management? Why are there no references to it from user management, either in the docs or in the add/remove users screen?


So a cloud provider that does offer regular compute ( VMs )?


I find Cloudflare's pricing webpage incredibly confusing.


What's confusing?

This is about R2

> Storage: $0.015 / GB - 10 GB free

> Class A operations (mutate state): $4.50 per million - 1 M. free

> Class B operations (read state): $0.36 per million - 10 M. free

Cloudflare workers:

> $0.15/million requests per month ( 100 k. / day included)

> Up to 30s wall time per request

Min. 5 $ / m. when exceeding the free tier.

https://www.cloudflare.com/plans/developer-platform/


On pricing page for R2 it says "Storage: 10 GB / month" is free ... what does it mean per month?

Info that there are "zero egress fees" is only available on R2 product page and not pricing page.

IMO R2 pricing page looks like it only displays quick info and that there might be fine print somewhere, but there is no link to more details. It could be that's all there is to it, but somehow design feels off to me. Especially because of the "zero egress fees" info being displayed only on the product page.

Workers product page shows "Maximum number of scripts": 30 free, 100 paid. But on workers pricing page it shows "Up to 100 Worker scripts" for free and "Up to 500 Worker scripts" for paid.

Links to different sections (Pricing, Products...) don't have an option to open in new tab. IMO the whole website is weirdly organized. But maybe it's just me.


Concerning R2/storage:

You are billed every month for your total storage. Every month you don't need to pay for the first 10 GB.

I'm not really sure if egress has to be mentioned if it's widely known that Cloudflare doesn't bill for egress. But I get your point.

Concerning Cloudflare workers:

Workers has a free tier and a paid tier at 5€/month.

The free tier has a limit of 100 workers and the paid tier has a limit of 500 workers.

Perhaps just scroll down a bit more on the pricing page of Cloudflare workers. I'm assuming you are checking it on Mobile and missed that.

About not being able to open pricing in a new tab. I noticed the same.

---

They also have a minor UX issue that if you want to go to the Web analytics page, the menu goes to the first child and hides. So you'll have to click it open again and click on Web analytics ( again, just an issue on Mobile)


Compare info on workers product page and on workers pricing page, not everything matches.

EDIT: I'm testing on desktop.


Ok. You're right.

Notified them on their Discord of workers, let's see if it gets picked up tomorrow.

Edit: It's going to be escalated and fixed ( Got a response within 44 minutes ... On a Sunday, nice).


Great work, but I'm not sure it will be enough. Rust crates are insecure by design and we need to face it. Here are at least 8 methods to backdoor Rust crates https://kerkour.com/rust-crate-backdoor

Blocking macros might be, in my opinion, one of the best defenses that you can have today.


Neurotechnology is coming way faster than most people expect, especially with AR/VR headsets (EEG) and wristbands with electrodes (EMG), which are pushed hard by Meta, Apple & co.

I wrote a few notes about it: https://kerkour.com/nobody-cares-about-the-metaverse-neurote...


Some of us didn't budge when entire nations, media, tech and security forces were trying to lock us down, denying our movement and association rights and trying to coerce us into taking things that presented no health benefit based on a played up risk profile.

We'll be okay not wearing the shit they push. You CAN say no.


That's a very self-congratulatory way to say "I intentionally coughed on people in WalMart"


Yours is a self congratulatory way to say "I pretended to follow the rules and buried my head in the sand".

It's all you can do, really. Can't really argue the insanity of the policies because we've been proven right time and time again. It's just the public needs to "move on and forget".

Keep living in fear every time they tell you to. It's not pathetic at all.


The best way I have found to prevent the piracy of my book (https://kerkour.com/black-hat-rust) is to inundate pirate platforms with only the first chapter and with a discount code inside for those who can't afford the original price.

My hypothesis is that if they enjoyed the first chapter, most people would want to support my work instead of being freeriders.

So far it worked really well.

Thinking that you can prevent bits flowing from internet is delusional, it's better to think about how to align incentives.


I assume the discount code you give in the "pirate" copy is unique, so do you have any stats on how many people are buying with the "pirate discount"?


Please stop spamming these websites with fake content.


Hum... The morality here is certainly not simple.


OP could've told his anecdote without linking to his website


Why not simply give away the book and ask them to donate if they enjoyed it, then?


You need to deeply understand who your potential clients are.

By that I mean where they "hangout". How you can reach them.

How? Talk to them. Build relationships. Maybe online if there are specialized forums, or maybe at the bar, or maybe by first visiting them physically. Not with a hidden agenda but with the sincere goal of helping them to solve their problems. Then you will see if your product is a great solution to their problems and if it can lead to a business relationship or if you need to iterate on your MVP.

Selling a new product is all about doing things that don't scale in order to get as much sincere feedback as possible.

Finally learn to not take rejection personally but as feedback.


You may want to read this article by a couple living on a boat https://100r.co/site/working_offgrid_efficiently.html

