The tone in here sure has shifted. I remember Brian showing us his binder of maxed out credit cards they used to bootstrap the company. I remember the early version spitting unicorn errors every few seconds.

A few things can be true at the same time:

- Airbnb is an inspiring story for any entrepreneur
- it has had arguably detrimental impacts
- the founders came from privileged backgrounds
- they also worked their ass off and are fiercely intelligent and risked plenty

On the tech side - it’s always funny to hear the (correct) critiques of early Rails. It reminds me of when I was talking trash about Java as a kid. My boss laughed and said “Java bought me my house, so it’s good in my book”. Or the first Tesla I ever saw with the license plate “PHP LOL” in the Facebook parking lot.

Pragmatism must beat idealism. In business and in database primary keys and everything in between.
I would expect every CEO to use their company's products. Even if they have no use for the product/service, their time using the product has to pay off in terms of better understanding the difficulties/challenges faced by the real users.

Sure, they could pay a study group to do that. But doing it themselves will probably let them make better decisions overall.
I coincidentally was exploring methods to obfuscate auto-incremented IDs to prevent information leakage. The concern arises when resources are accessed using URLs like "website.com/thing/1/children." This approach allows people to guess related URLs (e.g., replacing "1" with "2," "3," ..., N), potentially revealing unintended information or even the number of resources available.

To address these leaks, one option is to generate synthetic keys for each resource. However, this method is costly because it requires indexing the new key alongside the primary key (PK). Indexing is not without overhead, and synthetic keys are often larger, like 128 bits for UUIDs or ULIDs compared to a 64-bit numeric PK. This means that every record insertion necessitates dual indexing. Generating UUIDs can sometimes be challenging too because of *reasons*.

An alternative involves obfuscating the ID in such a way that it can be easily reversed on the server. Effective algorithms for this purpose are "sqids" [1] (the second version of "hashids"), the Skip32 cipher [2] and ... more math :-p [3] [4]. Chaining both algorithms could provide an additional layer of obfuscation.

Before someone mentions this, yes, obfuscation is not encryption, so not a thorough security measure. But I think obfuscation is a practical way to prevent casual URL leaks, even though more determined attackers may attempt to reverse-engineer the IDs.

More options:

* Add a "salted hash" to the id, ex: website.com/thing/1-hash/children, "hash" could be something like SHA-256("--{id}--{salt}--"). Now the "attacker" would need to know how to generate the hash if trying the id "2". Could also be combined with ID obfuscation as mentioned before. "salt" would be a single string per resource type, or even for the whole app.

* Encrypt the ID: only the server would know the password to decrypt the ID, so this would be secure as long as the password and method of encryption are not leaked.

--

1: https://sqids.org/

2: https://stackoverflow.com/a/4200193

3: https://github.com/c2h5oh/hide

4: https://en.wikipedia.org/wiki/Modular_multiplicative_inverse
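As an added example (not code from the commenter above, nor from sqids, hide or any other library linked in that comment), the following Python shows the modular-multiplicative-inverse trick from [4] combined with the salted-hash suffix: a sequential 64-bit PK is multiplied by an odd constant modulo 2^64 and XORed with a mask, which the server reverses with the precomputed inverse, and a short keyed hash is appended so that guessing the neighbouring number is not enough to build a valid path segment. The multiplier, XOR mask and salt are constructed values; the token uses HMAC-SHA256 keyed with the salt instead of a bare SHA-256 over a concatenated string, which is my substitution so the token cannot be derived from the id alone.

```python
import hashlib
import hmac

# Constructed parameters for this example. In a real service these are
# secrets loaded from configuration, never committed to source.
BITS = 64
MOD = 1 << BITS
MASK = MOD - 1
MULTIPLIER = 0x9E3779B97F4A7C15          # odd, so it has an inverse mod 2^64
XOR_MASK = 0x5DEECE66D1234567             # mixes the bit pattern after the multiply
INVERSE = pow(MULTIPLIER, -1, MOD)        # modular multiplicative inverse (Python 3.8+)
SALT = b"constructed-example-salt"        # per-app or per-resource-type secret


def obfuscate(n: int) -> int:
    """Map a sequential 64-bit PK to a non-sequential public number (reversible)."""
    if not 0 <= n < MOD:
        raise ValueError("id out of range")
    return ((n * MULTIPLIER) & MASK) ^ XOR_MASK


def deobfuscate(x: int) -> int:
    """Invert obfuscate(): undo the XOR, then multiply by the modular inverse."""
    if not 0 <= x < MOD:
        raise ValueError("public id out of range")
    return ((x ^ XOR_MASK) * INVERSE) & MASK


def token(public_id: int) -> str:
    """Short keyed hash appended to the public id; guessing id+1 also needs this."""
    msg = f"--{public_id}--".encode()
    return hmac.new(SALT, msg, hashlib.sha256).hexdigest()[:16]


def make_url_id(pk: int) -> str:
    """Build the path segment used in /thing/<url_id>/children."""
    public = obfuscate(pk)
    return f"{public}-{token(public)}"


def parse_url_id(segment: str):
    """Return the original PK, or None if the segment is malformed or the token is wrong."""
    head, sep, tag = segment.partition("-")
    if not sep or not head.isdecimal():
        return None
    public = int(head)
    if public >= MOD:
        return None
    # Constant-time comparison so response timing does not leak how close a guess is.
    if not hmac.compare_digest(token(public), tag):
        return None
    return deobfuscate(public)


if __name__ == "__main__":
    for pk in (1, 2, 3):
        seg = make_url_id(pk)
        print(pk, "->", seg, "->", parse_url_id(seg))
```

The public number stays a plain decimal (up to 20 digits), so unlike sqids this does not shorten the URL; it only breaks the visible ordering. The security of the whole scheme rests on the salt: an attacker who reads it can mint valid segments for any id, so rotate it like any other key and remember that rotating it invalidates previously shared URLs.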
Are there people who really think this is not a PR stunt? Pardon my cynicism but I call bullshit on all of this not being organized/orchestrated by a publicist.

> It's wild (vulnerable, transparent, kind, generous, and humbling) for the CEO of a $60B company to welcome complete strangers into his home to host them – including cooking together and showing them the city – for a weekend.

This phrase is outright insulting in my view. Do you really think you will be in the company of a billionaire (and CEO of a PUBLIC company) without even basic vetting? Give me a break.
This article doesn’t make good on its claim to explain why this “Rails convention” is bad. It’s probably actually good. I wouldn’t have clicked on it otherwise. Rude, IMO.
There’s no engineering analysis in this post, so for those of us who were looking for that, let me save you the click.

Be born to the right people and toe the party line. That’s what Brian’s story will show you. But that’s basically a cliche right now so I doubt you’re in any way surprised.
To save anyone a click, the author figured that AirBnB's URLs had monotonically increasing numeric ids, which is the Rails default, figured out that the AirBnB CEO's id was 3, and got the direct link before it was shared publicly.
"If Brian Chesky, cofounder and CEO at Airbnb, listened to his mom, Airbnb wouldn't exist today. Or at least according to her:

> "I told him it's a bad idea. I didn't think it was going to work, and I didn't really understand it. If he listened to me, Airbnb wouldn't be here now.""
I mean, in the end, isn't it turning out to be a bad idea? Removing homes from the rental market, increasing housing prices. Encouraging more treatment of housing as an investment.

Sometimes, Brian, your mom is right.