I'm a bit alarmed that it got +5 informative. I was aiming for "~3 meh".
Yes. But they're only there to carry the power from the wind turbines that are prominent at the start, or something like that.
In more modern animations, wind power turbines win out over power lines. https://www.youtube.com/watch?...
What an original comment on Slashdot! Always predicting 0 future price on bitcoin since 8 years ago.
The reasonable interpretation is that the collision attacks on SHA-1 and the shortcomings of binary elliptic curves are going to undermine bitcoin in the end. It may take a while.
In my experience, being a leader of a large group in any context, like a company or standards group or anything else is what can colloquially be called "pulls more birds".
As a male, as soon as you are seen to be in a position of power, there is a subset of women, certainly not all women, who are suddenly very interested in you in a way they were not before you reached that position of power.
The same could be said about PC vs Mac...
That PC didn't even have a monitor.
Why the fuck would you think that? Did you think our brains suddenly became a database of sound? You are seriously dumb.
Because Shazam used to recognize and name music. When I last tried it (and then deleted it), it just tried to sell me stuff. No music recognition happened at all.
You know....
If you have a real car that can perform, it doesn't have to "glow" in the dark and look like some circus side show display....
I'd think money would be better spent on things that actually make the car perform better, rather than adding a neon underglow light system, spinner hubcaps, and a coffee can exhaust that does nothing for performance or good engine note.
You have a stunted definition of performance. Sad.
I used to work in a Formula 1 team and I'm entirely familiar with what you do to an engine to make it perform better.
Very little of this is done on normal cars because the design of the car doesn't accommodate all the pipework for the variable everything (per cylinder, per cycle variable trumpets, spark timing, injector timing, exhaust length etc) and the per engine mapping is a little expensive.
This is fine because the reliability profile on a road car is dramatically different. I see no benefit in modding my car. It's fine for getting to work and not getting arrested.
> Why should I set a password for an account that does not exist on my machine?
I think this is the core conceptual difference. There is no such thing as a unix like operating system that doesn't have root. It's integral to how it works. Pretending it isn't there is going to lead to choices like not setting a password for it. Apple certainly should be telling people to set it if it isn't set.
Windows also has said Linux utilities in the Linux Subsystem for Windows. Works pretty good.
Linux has all said utilities in the /bin and /usr/bin directories. Works excellently without the need for a second host operating system with a screwy file system. The install even asks you to set the root password.
Can delivery robots split lanes like motorcycles?
I imagine you would need a huge machine to split two lanes. The gap between the lanes would present a hazard to traffic. I think it's a bad idea all around.
Am I the only one that can't reliably parse that headline? WTF is it saying?
Is Jordan Peele talking to an executive or is Jordan Peele an executive who is going to produce something?
The majority of Mac users.
That puts me in the minority. I chose to get a Mac because it's unixy under the hood and has nice hardware. So I can bring up a bash shell and run GCC and grep and awk all day long. So as with my Linux boxes, as soon as I got it, the first thing I did was set the root password.
Who doesn't set a root password on a new computer?
>If you don't know what a C compiler will do if you do something, you should not be doing that thing.
Of course you should. Perhaps think before commenting.
Consider the importance of erasing state in security software.
But if you write zeroes to some key data and let it fall out of scope, a C compiler may or may not optimize away the erasure. There is nothing in the spec to tell you what the compiler will do, but that does not mean you shouldn't erase keys in memory after use.
And yet you listed none of these formal methods...
FEV (Formal Equivalence Testing)
FPV (Formal Property Testing)
Taint Analysis (showing secrets don't have a path out of a circuit, except through the intended paths)
There are lots of such tools. Since I work mostly in hardware, I use tools like Jasper for FPV and tools from Synopsys and Cadence for FEV. There are taint analysis tools available but we use an internally developed one.
If you work in software, there are also plenty of tools, like Frama-C for FPV on C code.
>The only way to improve the odds is for a development team to have one or more members whose ONLY job is to be aware of every thirdparty library/platform/os used by the project & literally research every single one, every single day, to become aware of vulnerabilities as they're discovered...
It's enough to say "Is it ok to use this library" and then tear that one to pieces. The effort involved makes the cost of writing (well) the subset of features you want from the library seem small.
Which is why I'm currently tearing apart a common open source crypto library right now and concluding that "In a cloud VM, this crypto library will get exactly 0 bits of entropy from the context it runs in". The fix is to recompile it with the right options, but the distribution build defaults in all the linuxes are simply wrong and the entropy claims in the literature that the defaults rely on are fraudulent.
It is a commonly used library and it is very, very bad. At least there's one product that won't run into that problem.
>I certify products for sale to the government. People that come to me to get certified expect to be scrutinized.
If this is in the FIPS140 ish area, then this:
>They also know in advance what the spec is, what they must do and how.
is a fantasy.
I've commented extensively to NIST on ambiguities and architectural impossibilities in the specs and they fix some of them, but it's slow going and in the interim, a heck of a lot is left to interpretation by the cert houses.
In general, when a downloadable application needs to access a service that requires an API key, how is the application's developer supposed to make the operations controlled by the key available to the application without making the key available to rogue developers who could use the API key to impersonate the application? This is the case for the "consumer secret" in a Twitter app.
Welcome to Out of Band provisioning. The land of random key exchange protocols and horrendous complexity.
>Testing for *every* possible failure case is hard.
But a little spot of formal methods can go a long way.
>They just the the job done.
Without necessarily needing to use all the words that would normally be needed in a sentence.
>It does mitigate certain families of security flaws.
Crypto types like Rust because it deals with a particular class of problem that is impossible to mitigate in C. Namely knowing what the compiler will do, for sure. Will it erase that buffer or will it optimize away the erasure? In C there is a wealth of examples where code that compiles to secure object code on one compiler manages to get broken by another compiler. Or when the optimization level is changed. There is no "Best Practice" to make this problem go away using C. Rust specifically addresses this problem and while the other safety features are nice for mitigating security vulnerabilities, it is that specific problem that makes Rust appealing to the people who have looked under the compiler hood from a security standpoint.
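The erasure problem described in this comment and in the earlier one about zeroing key data, as an added example (not code from the comments or from any project they mention): a `memset` that is a dead store, beside a commonly used volatile-store idiom. The names `derive_key`, `tag_message`, `tag_naive`, `tag_wiped` and `wipe` are hypothetical and the key material is constructed; whether a particular compiler keeps either store still has to be confirmed in its generated code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for key derivation and use; not real cryptography. */
static void derive_key(uint8_t key[32], uint32_t seed)
{
    for (size_t i = 0; i < 32; i++) {
        seed = seed * 1664525u + 1013904223u;
        key[i] = (uint8_t)(seed >> 24);
    }
}

static uint32_t tag_message(const uint8_t key[32], const char *msg)
{
    uint32_t t = 2166136261u;
    for (size_t i = 0; msg[i] != '\0'; i++)
        t = (t ^ (uint8_t)msg[i] ^ key[i % 32]) * 16777619u;
    return t;
}

/* Naive erase: key[] is never read after the memset, so the call is a dead
 * store and an optimizer is allowed to delete it. */
uint32_t tag_naive(uint32_t seed, const char *msg)
{
    uint8_t key[32];
    derive_key(key, seed);
    uint32_t t = tag_message(key, msg);
    memset(key, 0, sizeof key);
    return t;
}

/* Common idiom: store through a volatile-qualified lvalue so each write
 * counts as an observable access. explicit_bzero() (glibc, BSDs) and
 * memset_s() (optional C11 Annex K) serve the same purpose where available. */
void wipe(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

uint32_t tag_wiped(uint32_t seed, const char *msg)
{
    uint8_t key[32];
    derive_key(key, seed);
    uint32_t t = tag_message(key, msg);
    wipe(key, sizeof key);
    return t;
}

int main(void)
{
    /* Same tag either way; the difference is only visible in the object code. */
    return tag_naive(1u, "hello") == tag_wiped(1u, "hello") ? 0 : 1;
}
```

Compile with `cc -O2 -S` and compare `tag_naive` with `tag_wiped` in the assembly to see whether the zeroing stores survive at that optimization level.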
>Millions of people around the world want to come to the USA and live here, precisely because of the freedoms you take for granted.
Bullshit. I came to the USA because the core of the technology industry is here, my skills are in technology, a company asked me to come and it seemed like a bit of an adventure to live in another country. There certainly were more personal freedoms in the country I come from than in the USA. The US has laws against crossing the road FFS. It has invasive travel rules. It has a democratic system in which the person with the fewer votes often wins. The USA is not a paragon of freedom. It is however far from being the worst place to be, if you have a good job, health insurance and a skin color that doesn't cause the police to hate you.
If you can overcome your nationalist tendencies and think clearly about the place of the US in the world, it is one among a group of countries where the rule of law, democratic processes and economic governance make it not a terrible place to live, but it is far from the top of the pile. From a social standpoint, I would prefer to live in Japan, Spain or Belgium. All places I've spent some time and found to be nice places to be. However there is also personal satisfaction from getting my inventions and design deployed all around the world in billions of products. The US offers those opportunities.
To think the draw of the US is its "freedom" is to ignore the real reasons people come - proximity, criminality at home, opportunity, the desire to travel.
The people who come as refugees from horrible places represent a tiny fraction of migration.
Big company vs. small company.
Small company: The PM helps the team succeed by facing inwards to the team, understanding what's going on, making things happen in the right order and setting expectations and goals.
Big company: The PM faces outwards, keeping the rest of the company out of the way, triaging incoming interruptions and maintaining a clear runway for the developers.
Just my humble observation after 25 years designing products.
Like the Headphone jack, vowels are obsolete. It makes sense for Apple to phase them out for us in their latest phones, hopefully leading the rest of the industry to remove them from Android phones, keyboards in general, and so on, within the next couple of years.
i is a vowel.
I is a personal pronoun.