Federal prison alumnus, product engineer, and writer when I have something to say. These are all related. / Sat, 30 May 2026 18:05:45 +0000 /posts/we-have-all-been-reduced-to-a-passphrase/ Sat, 30 May 2026 00:00:00 +0000 /posts/we-have-all-been-reduced-to-a-passphrase/ What Passphrase Are You? I went to prison. I don’t hide this. The shame has passed. While I was gone, someone stole everything I owned in the physical world and then, for good measure, changed the passwords on most of my digital life. This included my GitHub account, moved my domain name across three registrars, my Google Workspace account tied to that domain name (as had been for 13 years), 2FA keys—you know, just about everything. I’ve gotten most of my digital accounts back—I’ve lawyered up for the personal stuff (some of which has been posted on Facebook Marketplace). I... personal /posts/the-moat-was-never-the-code/ Thu, 21 May 2026 00:00:00 +0000 /posts/the-moat-was-never-the-code/ The moat was never the code I ran an unauthorized sports streaming service from 2016 to 2021. It was called HeheStreams. I charged $125 a year; users could have a single annual payment of $100. My infrastructure cost was $75 a month. HeheStreams didn’t re-encode or re-broadcast streams. My users consumed them directly from licensed platforms—using the same CDN and DRM as the platform’s paying users. I implemented more than a dozen different platforms in the name of feature parity across each sport. People who know the technical side assume that was the hard part. It was hard. It was... startups /posts/statement-timeout-0-casually/ Thu, 14 May 2026 00:00:00 +0000 /posts/statement-timeout-0-casually/ so you got tired of alerts that your queries were timing out. that’s bad because alerts are good even though nobody likes the alerts. my mom didn’t like acknowledging she might have cancer either so she just ignored the headaches and vertigo and balance issues and then it was like ope stage IV brain cancer. the name makes it sound like a fix. it’s not. removing the timeout doesn’t make the slow queries faster, it just lets them run forever, and “forever” on a 1tb db with bad queries is how you lose the restaurant. let me explain what i... engineering /posts/we-made-this-hard/ Tue, 28 Apr 2026 00:00:00 +0000 /posts/we-made-this-hard/ We made this hard The job hasn’t changed in thirty years. A request comes in. You return some HTML. The browser draws it. Maybe you sprinkle some CSS on top so it doesn’t look like a 1996 GeoCities fever dream, or maybe you do so it does. That’s the whole gig. Somewhere along the way we convinced ourselves this hard. It isn’t. It really, really isn’t. And the people paying for our confusion are the ones who can least afford it: the restaurant owner who just wants a menu online, the babysitter trying to put up a contact form, and—maybe... engineering /posts/how-postgres-works-at-scale/ Sat, 11 Apr 2026 00:00:00 +0000 /posts/how-postgres-works-at-scale/ A single idle-in-transaction connection can starve every table in your database. Most senior Rails devs don’t know that. You learned MVCC the way most of us did—”writers don’t block readers,” concurrent transactions get isolated snapshots, UPDATE doesn’t lock the table. That’s marketing copy. The operational reality is that those snapshots have a cost, and the cost compounds across every table at once if one connection gets stuck. I’m going to try to translate what this mental model is that I’ve built while building and operating a Rails-based data pipeline that handles 10TB/day. Not “what is MVCC”—you’ve heard that—but instead consequences... postgres /posts/landing-pages-for-open-source-maintainers/ Tue, 24 Mar 2026 00:00:00 +0000 /posts/landing-pages-for-open-source-maintainers/ I have a few open-source libraries that you could call popular. I use a lot of others. Open source isn’t a README, but it’s the cheapest marketing a developer has. A world-class marketing person opens your README the same way they’d open a landing page, because that’s what it is. If you just wrote it like internal documentation—like developers wane through all day—it’s going to become a sore. The marketing-brain version treats the README as a conversion funnel where the conversion is “developer tries this and tells a friend.” You spent six months on the library and four minutes on... open-source writing /posts/every-company-has-two-org-charts-and-one-is-bullshit/ Tue, 03 Mar 2026 00:00:00 +0000 /posts/every-company-has-two-org-charts-and-one-is-bullshit/ Every company has two org charts. The first one lives in the HR system. It’s clean. It shows who reports to whom, who has budget authority, who’s in charge of what. It’s useful for figuring out who to cc on an email and who approves your time off. Beyond that, it’s mostly decorative. The second one doesn’t exist anywhere you can see it. No document, no diagram, no Confluence page. It’s the one that actually determines what happens—who gets consulted before a decision gets made, whose opinion the VP asks for before committing to a technical direction, who can block... /posts/wide-tables-and-query-validation/ Sat, 03 Jan 2026 00:00:00 +0000 /posts/wide-tables-and-query-validation/ I’m building an ETL system that imports billions of person records from data vendors. Each vendor sends different attributes—household income, automotive interests, education level, charitable donor status—in their own formats with their own column names. The system normalizes everything into a canonical schema and exposes a query interface for building audiences. The obvious choice for storing hundreds of optional attributes is JSONB or EAV. Flexible, no migrations needed, handles sparse data well. I went with wide tables instead: every queryable attribute is a column on the people table. This sounds like a 2005 decision. But Postgres handles wide tables fine—you... ruby /posts/i-got-out-of-federal-prison-and-couldnt-log-into-my-github/ Sun, 28 Dec 2025 00:00:00 +0000 /posts/i-got-out-of-federal-prison-and-couldnt-log-into-my-github/ I got out of prison and couldn’t log into my GitHub. The password while I was gone. The phone number tied to the account got transferred to another carrier. The device with my two-factor authentication codes—gone. Eighteen months away, and I came back to find myself locked out of my own account. GitHub, for those unfamiliar, is where programmers store and share code. It’s the largest platform of its kind. Your GitHub account is your professional identity if you work in software. It’s your portfolio, your history, your proof of work. Mine had twelve years of contributions on it. Every... personal /posts/interactive-rails-playgrounds/ Mon, 01 Dec 2025 00:00:00 +0000 /posts/interactive-rails-playgrounds/ I built a WASM-compatible Rails playground that runs entirely in your browser. No server, no setup, just Rails. This is built on the backs of people much smarter than me. Try it out below. The VM takes a few seconds to load, but once it’s ready you can run any Active Record code against a real SQLite database. -- examples -- Post.published.map(&:title) This does not play nicely with iOS. Run Reset loads ~76MB Rails environment Post Load (0.1ms) SELECT "posts".* FROM "posts" WHERE "posts"."published" = 1 => ["Getting Started with Ruby", "Rails is Magic"] The stack The playground runs wasmify-rails,... ruby /posts/how-to-get-a-job-as-a-felon/ Thu, 20 Nov 2025 00:00:00 +0000 /posts/how-to-get-a-job-as-a-felon/ Hi, I’m Josh. I was inmate number 71690-509. I went to federal prison. I got a job after. Here’s what I observed. This isn’t motivational. I’m not going to tell you to “stay positive” or that “everything happens for a reason.” If you’re reading this, you’ve probably already waded through that garbage. You want to know what actually works. Fair warning: my crime was running a sports streaming website. That’s a “cool” crime in comparison to many. People hear it and go “oh, what?!” rather than recoiling. If you’re reading this with an assault conviction or something involving theft, your... personal /posts/when-you-dont-look-autistic/ Tue, 14 Oct 2025 00:00:00 +0000 /posts/when-you-dont-look-autistic/ I get this a lot. “You don’t look autistic.” It’s meant as a compliment, I think. Like I’ve done a good job of hiding it. Gold star for passing. Or it’s a remark that implies I don’t have autism because I don’t visibly struggle. You know, like you can’t have COVID if you don’t get tested. Or you don’t look like you have cancer—is that one? What I want to ask—but don’t, because that would be rude and I’ve learned not to be rude in ways that upset people—is: what does autistic look like? What they expect Based on the... personal /posts/going-to-federal-prison-for-piracy/ Thu, 18 Sep 2025 00:00:00 +0000 /posts/going-to-federal-prison-for-piracy/ Here’s something I’ve been putting off writing: I spent eighteen months in federal prison. The charge was computer fraud. The context is weirder. In 2016, I built a website called HeheStreams. It started as a joke—a proof of concept I posted on Reddit after BallStreams, my beloved NBA streaming site, vanished overnight. Nobody picked it up, so I kept working on it. Eventually I slapped a paywall on it, thinking it was ludicrous that anyone would pay for such a thing. People paid for such a thing. What HeheStreams actually was HeheStreams let users watch live sports from MLB, NBA,... personal /posts/loud-for-selfish-reasons/ Mon, 01 Sep 2025 00:00:00 +0000 /posts/loud-for-selfish-reasons/ I’m pretty open about being autistic. I write about it. I mention it at work. I don’t hide it when it comes up in conversation. People sometimes tell me this is brave, which is weird, because bravery implies I’m doing something hard for noble reasons. I’m not. I’m doing it because it’s easier than the alternative. How I got here I wasn’t always like this. For most of my life I hid it—or more accurately, I didn’t know what I was hiding. I just knew something was off and I didn’t want people to see it. The shift happened in... personal /451/ Tue, 31 Dec 2024 00:00:00 +0000 /451/ SEALED Case No. 22-cr-00350 (S.D.N.Y.) 451 Unavailable For Legal Reasons The content you are attempting to access has been restricted due to a legal demand. FCI Thomson Inspected Hey. So I'm in federal prison now. Long story. Actually it's not that long, it's just ██████████. Shit happens. Anyway. I've been reading a lot. The library here has exactly one book I care about: HTML for the World Wide Web from 1999. There's a chapter on "publishing your web page to GeoCities." I've read it four times. Not because it's useful. Because it's the closest thing to a religious experience I... personal /posts/gem-configuration-patterns/ Sat, 12 Aug 2023 00:00:00 +0000 /posts/gem-configuration-patterns/ Configuration is often the first thing users interact with in your gem. It’s also the part most gem authors spend the least time thinking about—which explains a lot. This post covers the patterns you’ll encounter and implement, ordered from the simplest to the most involved. Module accessors The simplest possible approach. You expose a few attributes on your gem’s main module and call it a day. module MyGem class << self attr_accessor :api_key, :timeout, :debug end self.timeout = 30 self.debug = false end MyGem.api_key = "sk-123" MyGem.timeout = 60 puts "api_key: #{MyGem.api_key}" puts "timeout: #{MyGem.timeout}" puts "debug: #{MyGem.debug}" Run Reset... ruby /posts/conventional-api-with-grape-and-ruby-on-rails/ Fri, 24 Mar 2023 00:00:00 +0000 /posts/conventional-api-with-grape-and-ruby-on-rails/ Here’s the thing about API endpoints: you end up writing the same boilerplate over and over. Pagination metadata. Object type annotations. Wrapping collections in data arrays. Every endpoint looks identical except for the one line that matters—the actual query. I got tired of it. So I built a convention system with Grape that handles all of it automatically. Now my endpoint code looks like this: # thing.rb get do pagy(Author.all) end And the response looks like this: { "data": [ { "id": 1, "name": "joshmn", "object": "author" } ], "has_more": true, "object": "list" } No manual JSON construction. No remembering... ruby /posts/a-plea-for-administration/ Tue, 27 Dec 2022 00:00:00 +0000 /posts/a-plea-for-administration/ Here’s the thing about admin panels: nobody wants to build them, nobody wants to maintain them, and the people who need them most are the ones with the least power to demand them. This is a problem. I ran a platform once. Not a big one, but big enough to have customer service people who weren’t me. From day one, I gave them tools—real tools. They could reset passwords, grant trials, see debugging info, approve orders. They could actually solve problems without filing a ticket and waiting for me to wake up. Was this risky? Maybe. But I worked with... personal /posts/database-constraints-first-validations-second/ Thu, 24 Nov 2022 00:00:00 +0000 /posts/database-constraints-first-validations-second/ A few years ago I inherited a codebase where the users table had no unique constraint on email. The model had validates :email, uniqueness: true, so everything seemed fine—until I found 847 duplicate email addresses in production. Someone had written a rake task. It bypassed ActiveRecord. The model validation never ran, and the database didn’t care. Nearly a thousand users couldn’t log in because the system kept finding the wrong account. This is the kind of bug that makes you question your career choices. The conventional approach Rails tutorials teach you to think about validation first. You write validates :email,... ruby /posts/rest-only-controllers/ Sat, 11 Jun 2022 00:00:00 +0000 /posts/rest-only-controllers/ A few months into a project, I watched a developer add a mark_complete action to a TasksController that already had archive, unarchive, assign, unassign, prioritize, move_up, move_down, and duplicate. The routes file had so many member blocks it looked like a DSL for avoiding REST. Each custom action did one thing, took maybe five lines of code, and was perfectly reasonable on its own. But collectively they’d turned the controller into a junk drawer. The before_action filters had grown into a decision tree. The tests were full of post :archive, params: { id: task.id } mixed with patch :update, params:... ruby