I eventually put a pin through his coax, which apparently burned out his linear. Ha Ha!
I, too, love to chuckle about committing felonies (depending on the price of his amp) based on my complete misunderstanding of regulations and my rights and responsibilities under them. Hee hee, ho ho!
My company explicitly states that it's our job, as senior developers, to farm the crop of new junior developers. And FWIW, we've seen enormous success from hiring inexperienced (but talented and eager) new engineers and mentoring them in the ways of our world. The main difference between me and a new kid out of college is that I've made a lot more stupid mistakes than they've had time to. I share my experiences with them, and they share their excitement and willingness to try new things with us. If I can play a small part in helping them graduate to a senior role - either here or elsewhere - I'll consider it a personal accomplishment.
We did our time as juniors. Now it's our turn to help the next cohort learn the ropes.
The first problem is that there's provably no way to reconcile "only the One True Protector should have access to a backdoor" and "any backdoor can be, will be, and has been exploited by third parties". It's like hoping desperately to find some value of A such that "A & ~A == true". It won't (and can't) happen.
The second problem is that encryption only makes it more convenient for criminals to do the things they've always been doing anyway. If I wanted to communicate secretly with you, we used to meet in the woods and talk privately. If we didn't want to be seen going into the woods, we sent emissaries to chat over coffee in a busy restaurant. Criminals are using encryption today. They are also meeting in woods and restaurants and behind barns and in churches and above taverns and on boats. There is no question that intercepting their woods / restaurants / barns / churches / taverns / boats communications would play in huge part in stopping there schemes, maybe saving lives. That point is just not debatable.
But what is debatable is whether it's worth bothering to live in a society where you and I can't talk in private, or where I can't exchange pillow talk with my wife without someone listening. If it came to that, fuck it - the experiment's over. I'd rather burn it all to the ground and start over than live in a society where laws and technology mean it's impossible to communicate without eavesdropping.
When a would-be thief sees the giant flashing "Powered by Verizon" sign floating over my phone, they'll know not to steal from me and to look for a giant "Brought to you by AT&T" banner. Thieves put a lot of thought into deciding which phone to steal.
Neither one, no. The 2600 doesn't measure seconds but frames. Seconds aren't actually clock seconds but the number of rendered frames divided by a constant.
If the clock crystal ran faster (but not so much that it screwed up the TV sync), then the "time" score would speed up by the exact same proportion. The 2600 would still calculate the exact same amount of animated movement per frame because that's how it works. On a modern computer, something updates video RAM while another something reads from that same RAM and generates a video signal for the screen to display. On the 2600, the CPU fills in the current TV scanline as it's being displayed, with only a few ms between screen refreshes to do work like calculating scores, etc. Read https://en.wikipedia.org/wiki/... if you want to be horrified at what our predecessors had to do to put a dot on the screen.
The 2600 doesn't get feedback from the TV display. It just blindly writes its signals to the wire and it's up to the TV to decode them properly. The TV doesn't send a clock signal to the 2600.
This is an excellent time to make an exception to that otherwise-sacred rule. The video was awesomely damning, entertaining, and infuriating. Other "accomplishments" it documents:
- Getting high scores of exactly 15,000,000 on two different games whose scores increment by 100 each time. Not 14,999,900 or 15,000,100, but exactly 15,000,000.
- Beating the second highest scores on those games by factors of like 30x. He got 15,000,000; #2 got 500,000.
- Beating the Barnstorming game by an unlikely margin. Summary: every time you move up or down in that game, you lose a bit of horizontal speed: the fewer movements you make, the better your time. Testers hacked up a copy of the ROM to remove all obstacles, then timed flying from one end of the course to the other in a perfectly flat line. Rogers beat that machine perfect time by over half a second.
- Scoring 1,698 in a game that increments by 5 points at a time and that caps at 1,300.
High Sierra runs fin on my 2011 MBP (16GB RAM, 1TB SSD). If it didn't, I'd upgrade this 6 year old boat anchor to get the newer OS, but it's had a pretty great run of it already.
i don't speak French but even I can figure out that's a big mealy mouthful... hard for six or seven syllables to come up with two...
First rule of speaking French: get bored and trail off halfway through each word. No one says six or seven syllables. In practice, you'll get two on a regular basis and three if it's your waiter sneering at your bad accent.
To be honest, that PR is a great reason for why you'd want to use someone else's left padding function. Turns out there are about 100 ways to subtly screw it up in JavaScript, so it makes sense to collect everyone's wisdom in a single place rather than everyone trying to re-invent that (surprisingly non-trivial) wheel.
I disagree about security flaws. If it’s not possible to use a package - say, it mistakenly always degrades SSL connections to plaintext - then I think it’s at least arguable that users should be prodded into upgrade to the fixed version.
I agree about the “same author” bit. I didn’t spell it out, but that to me means “officially designated maintainer”. Maybe that’s always the same individual maintainer, or maybe it’s “Release Manager at Foo Corp”, or perhaps it’s “person who took over package Foo after Randy got a new job”. But in all cases, the uploaded is still the person who’s directly responsible for that specific package in real life.
Eh, I don't care about that so much. If it's the idiom in your language to let someone else write every little function like that, and that's just how it is in that ecosystem, then so be it. I wouldn't want to work that way, but everyone has their preferences.
But if you're going to foster an ecosystem where everyone's going to use the same "leftpad", then you damn well better make sure that:
Once I've added "leftpad-4.5.6" to my dependencies, it's not going away unless there's a critical security flaw,
That today's "leftpad-4.5.6" is the same one I downloaded yesterday, and
That "leftpad-4.5.7" comes from the same author who released 4.5.6 and not Boris in St. Petersburg.
If you can't guarantee all three of those conditions, I want nothing to do with it. And again, pretty much everyone else offers these guarantees. This isn't just some greybeard rant about an ideal world no one has ever lived in before.
They're now implementing a 24-hour cooldown on republication of any deleted package names
So make attackers wait a whole day before uploading their compromised replacements for widely-used packages. Got it!
Seriously, NPM is a shithole. "As a general rule, the npm Registry is and ought to be immutable", you think? It's not a "general rule". It's "all the time, every" you freaking amateurs.
most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain contain private code that users have published inadvertently or inappropriately.
This right here is how you brought it upon yourself, and why I have zero sympathy for your self-imposed situation. If I contribute a package to Debian, you think they'll spend "most of their week" removing it just because I asked? That's not gonna happen. Here's how you fix this:
"Effective immediately, we no longer remove packages unless they cause a clear and imminent threat to their users. If you accidentally included your GitHub password, change it. That's your problem, not ours. Next time try not to do that, OK? Also, we no longer reuse package names, ever, for any reason. If you wanted it, you should have registered it. And finally, under no circumstances, period, may you ever reuse a version number. Ten years from now, package foo-1.2.3 will be bytewise identical to the one we issued last week. We guarantee it."
Anything short of that is a joke to the rest of the industry. I'm not being idealistic or unrealistic, either: these are completely reasonable, common policies that pretty much literally every other package repo implements.
Yes, it's part of the contract, but that doesn't mean it's fair or just. It's an obsolete legacy that we're stuck with, not something to hold up as good.
I don't feel that way at all, and have in fact spent lots of time in low-population states. I have nothing against them. But suppose for the sake of argument that a county in west Texas split off to be their own state. Why should that small land area county with 25 people have the same number of Senate votes as the giant (land a people-wise) remainder of Texas?
That's a great question. Probably not, but the Senate was originally a nod to slightly smaller states who didn't want to be ignored. However, the state population range at the time was much smaller: Virginia was about 12 times more populous than Delaware (which by land is 1/9th the size of Virginia, so their densities are very similar).
Today, California is 68 times more populous than Wyoming (but only 1.7 times bigger, which works out to about CA being about 41 times more densely populated). There's absolutely no way that a Senate being crafted today would give Wyoming 68 times the proportional representation of California.
Why should that not be the case? Remember, land doesn't vote: people do. I lived in Nebraska where about 60% of the population lived in Omaha. Any arrangement where the rest of the state were allowed to outvote that small, heavily populated corner is inherently disenfranchising the Omahans.
If you own the cluster, do you actually need to apply the patch? It seems like your security exposure would be far small than, say, Amazon's multi-tenant hardware.
Slashdot Mirror
I eventually put a pin through his coax, which apparently burned out his linear. Ha Ha!
I, too, love to chuckle about committing felonies (depending on the price of his amp) based on my complete misunderstanding of regulations and my rights and responsibilities under them. Hee hee, ho ho!
My company explicitly states that it's our job, as senior developers, to farm the crop of new junior developers. And FWIW, we've seen enormous success from hiring inexperienced (but talented and eager) new engineers and mentoring them in the ways of our world. The main difference between me and a new kid out of college is that I've made a lot more stupid mistakes than they've had time to. I share my experiences with them, and they share their excitement and willingness to try new things with us. If I can play a small part in helping them graduate to a senior role - either here or elsewhere - I'll consider it a personal accomplishment.
We did our time as juniors. Now it's our turn to help the next cohort learn the ropes.
Gotta agree. I was ready to be all offended by a super restrictive list, but there's nothing there that seems likely to every be accidentally crossed.
Probably OK:
Probably not OK:
I think all those rules are there so that if someone won't quit being an ass then they have an explicit rule they can point to. That seems reasonable.
The first problem is that there's provably no way to reconcile "only the One True Protector should have access to a backdoor" and "any backdoor can be, will be, and has been exploited by third parties". It's like hoping desperately to find some value of A such that "A & ~A == true". It won't (and can't) happen.
The second problem is that encryption only makes it more convenient for criminals to do the things they've always been doing anyway. If I wanted to communicate secretly with you, we used to meet in the woods and talk privately. If we didn't want to be seen going into the woods, we sent emissaries to chat over coffee in a busy restaurant. Criminals are using encryption today. They are also meeting in woods and restaurants and behind barns and in churches and above taverns and on boats. There is no question that intercepting their woods / restaurants / barns / churches / taverns / boats communications would play in huge part in stopping there schemes, maybe saving lives. That point is just not debatable.
But what is debatable is whether it's worth bothering to live in a society where you and I can't talk in private, or where I can't exchange pillow talk with my wife without someone listening. If it came to that, fuck it - the experiment's over. I'd rather burn it all to the ground and start over than live in a society where laws and technology mean it's impossible to communicate without eavesdropping.
When a would-be thief sees the giant flashing "Powered by Verizon" sign floating over my phone, they'll know not to steal from me and to look for a giant "Brought to you by AT&T" banner. Thieves put a lot of thought into deciding which phone to steal.
It's almost like people want to live here, even if they have to pay more for the privilege.
Neither one, no. The 2600 doesn't measure seconds but frames. Seconds aren't actually clock seconds but the number of rendered frames divided by a constant.
If the clock crystal ran faster (but not so much that it screwed up the TV sync), then the "time" score would speed up by the exact same proportion. The 2600 would still calculate the exact same amount of animated movement per frame because that's how it works. On a modern computer, something updates video RAM while another something reads from that same RAM and generates a video signal for the screen to display. On the 2600, the CPU fills in the current TV scanline as it's being displayed, with only a few ms between screen refreshes to do work like calculating scores, etc. Read https://en.wikipedia.org/wiki/... if you want to be horrified at what our predecessors had to do to put a dot on the screen.
The 2600 doesn't get feedback from the TV display. It just blindly writes its signals to the wire and it's up to the TV to decode them properly. The TV doesn't send a clock signal to the 2600.
This is an excellent time to make an exception to that otherwise-sacred rule. The video was awesomely damning, entertaining, and infuriating. Other "accomplishments" it documents:
- Getting high scores of exactly 15,000,000 on two different games whose scores increment by 100 each time. Not 14,999,900 or 15,000,100, but exactly 15,000,000.
- Beating the second highest scores on those games by factors of like 30x. He got 15,000,000; #2 got 500,000.
- Beating the Barnstorming game by an unlikely margin. Summary: every time you move up or down in that game, you lose a bit of horizontal speed: the fewer movements you make, the better your time. Testers hacked up a copy of the ROM to remove all obstacles, then timed flying from one end of the course to the other in a perfectly flat line. Rogers beat that machine perfect time by over half a second.
- Scoring 1,698 in a game that increments by 5 points at a time and that caps at 1,300.
High Sierra runs fin on my 2011 MBP (16GB RAM, 1TB SSD). If it didn't, I'd upgrade this 6 year old boat anchor to get the newer OS, but it's had a pretty great run of it already.
i don't speak French but even I can figure out that's a big mealy mouthful... hard for six or seven syllables to come up with two...
First rule of speaking French: get bored and trail off halfway through each word. No one says six or seven syllables. In practice, you'll get two on a regular basis and three if it's your waiter sneering at your bad accent.
To be honest, that PR is a great reason for why you'd want to use someone else's left padding function. Turns out there are about 100 ways to subtly screw it up in JavaScript, so it makes sense to collect everyone's wisdom in a single place rather than everyone trying to re-invent that (surprisingly non-trivial) wheel.
That’s terrifying!
It’s the Internet. You can say “fuck” here.
I agree about the “same author” bit. I didn’t spell it out, but that to me means “officially designated maintainer”. Maybe that’s always the same individual maintainer, or maybe it’s “Release Manager at Foo Corp”, or perhaps it’s “person who took over package Foo after Randy got a new job”. But in all cases, the uploaded is still the person who’s directly responsible for that specific package in real life.
That doesn’t help if you accurately mirror a repo where a package can be replaced with something malicious.
I agree to a point, but I don't maintain my own Linux distro even though I depend on certain packages for my software to run on it.
Eh, I don't care about that so much. If it's the idiom in your language to let someone else write every little function like that, and that's just how it is in that ecosystem, then so be it. I wouldn't want to work that way, but everyone has their preferences.
But if you're going to foster an ecosystem where everyone's going to use the same "leftpad", then you damn well better make sure that:
If you can't guarantee all three of those conditions, I want nothing to do with it. And again, pretty much everyone else offers these guarantees. This isn't just some greybeard rant about an ideal world no one has ever lived in before.
They're now implementing a 24-hour cooldown on republication of any deleted package names
So make attackers wait a whole day before uploading their compromised replacements for widely-used packages. Got it!
Seriously, NPM is a shithole. "As a general rule, the npm Registry is and ought to be immutable", you think? It's not a "general rule". It's "all the time, every" you freaking amateurs.
This right here is how you brought it upon yourself, and why I have zero sympathy for your self-imposed situation. If I contribute a package to Debian, you think they'll spend "most of their week" removing it just because I asked? That's not gonna happen. Here's how you fix this:
"Effective immediately, we no longer remove packages unless they cause a clear and imminent threat to their users. If you accidentally included your GitHub password, change it. That's your problem, not ours. Next time try not to do that, OK? Also, we no longer reuse package names, ever, for any reason. If you wanted it, you should have registered it. And finally, under no circumstances, period, may you ever reuse a version number. Ten years from now, package foo-1.2.3 will be bytewise identical to the one we issued last week. We guarantee it."
Anything short of that is a joke to the rest of the industry. I'm not being idealistic or unrealistic, either: these are completely reasonable, common policies that pretty much literally every other package repo implements.
Yes, it's part of the contract, but that doesn't mean it's fair or just. It's an obsolete legacy that we're stuck with, not something to hold up as good.
I don't feel that way at all, and have in fact spent lots of time in low-population states. I have nothing against them. But suppose for the sake of argument that a county in west Texas split off to be their own state. Why should that small land area county with 25 people have the same number of Senate votes as the giant (land a people-wise) remainder of Texas?
That's a great question. Probably not, but the Senate was originally a nod to slightly smaller states who didn't want to be ignored. However, the state population range at the time was much smaller: Virginia was about 12 times more populous than Delaware (which by land is 1/9th the size of Virginia, so their densities are very similar).
Today, California is 68 times more populous than Wyoming (but only 1.7 times bigger, which works out to about CA being about 41 times more densely populated). There's absolutely no way that a Senate being crafted today would give Wyoming 68 times the proportional representation of California.
Similarly, it's insane that people in Wyoming have four times the electoral voting power as New Yorkers. "But Wyoming is so big on the map!" Sure, but it has the about the population of Staten Island.
There is no justifiable reason why those one or two cities shouldn't have all the power if that's where all the people live.
I am american
No you're not. No one actually believes you.
I always thought the 25Mbps definition was too high as a "minimum definition."
It's too high as the definition of "minimum required for normal Internet use". It's definitely not too high as a definition of "fast Internet".
If you own the cluster, do you actually need to apply the patch? It seems like your security exposure would be far small than, say, Amazon's multi-tenant hardware.