Unfortunately, most people seem to have taken the wrong lesson from Rust. They see all of this business with lifetimes and ownership as a dirty mess that Rust has had to adopt because it wanted to avoid garbage collection. But this is completely backwards! Rust adopted rules around shared mutable state and this enabled it to avoid garbage collection. These rules are a good idea regardless.
I'm thinking about how I religiously avoided goto until Tom Duff pointed out how silly my code looked with all of those nested error checks. Maybe they're not a good idea regardless, and the reason we're not all using functional languages today is that trying to build programs that way just doesn't work very well?
I dunno, I'm kind of in a contrarian mood this morning...
Incredible research at BlackHat Asia today by Tong Liu and team from the Institute of Information Engineering, Chinese Academy of Sciences (在iie.ac.cn 的电子邮件经过验证)
A dozen+ RCEs on popular LLM framework libraries like LangChain and LlamaIndex - used in lots of chat-assisted apps including GitHub. These guys got a reverse shell in two prompts, and even managed to exploit SetUID for full root on the underlying VM!
It's not in the current development path, but some features prototyped for work use a prefix notation math system, and that's bugged me, and wrote a little framework that let me use Objective-C to specify a parser in Backus–Naur form, and because that created an in-memory tree and had some good intermediate information that I could use for command completion.
I've done stuff with the peg/leg recursive descent parser generators in C, and realized that I want the ability to introspect the parse tree better, for things like command completion and better error messages.
I've been both thinking that this is a tool I'd like to have generally for implementing configuration and scripting kinds of things, and that this might be my opportunity to learn a new language. I've been thinking that I should learn Rust, although as I dig through a lot of it it (and Go) feel pretty prescriptive, on the other hand I've also looked at some of the side effects that sneak into Perl and Python and realize that whipupitude is not always great for long term maintenance of the code.
Anyway, I started thinking about what it might look like in C++, and that reminded me of how much the language informs my design thinking, even as I think that many of those ideas are portable across languages. Which got me back towards Rust, although...
LogLog Games: Leaving Rust gamedev after 3 years is a fascinating look at how Rust's proscription about memory management can make it difficult to build. Especially as we start to think about "data oriented design" as a response to Object-Oriented design, maybe that isn't a great idea.
On the other side, The Brain Dump — One year of C is some musings about C99 (vs C89) and thinking about design and memory in C vs C++, and it's making me think that maybe I even need to go back to my preprocessor abusing ways and implement this thing in C.
Oh that's A powerful observation: "It’s the first time the police have been invited onto Columbia’s campus since 1968. Like 1968, 2024 may go down as an inauspicious year for university administrations trying to defend the indefensible."
The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.
The AI zeitgeist is rooted in white men being so worried that they are on the verge of having to trust the expertise of people who aren’t just like them that they would rather get their information from a wrong robot./blockquote>
Fuck yeah I feel some smugness about that, theydies and gentlethems and glitterkittens! Nobody pays me to be a business consultant, but sometimes I do it anyway, for the sheer pleasure of being right on the internet. If you squint and hold your eyes correctly while you look at this situation, Zuckerberg personallylost thirty billion dollars of net worth in one day for not being an ErosBlog reader. And ErosBlog is totally free! So, you know, fuck that guy. Fuck him in particular.
I've long thought about how seemingly subtle changes in UX of online applications can have dramatically different impacts on the social dynamics of the community that surrounds them. This is a great read on that: Every Game Has the Community It Deserves
Liebreich: The Unbearable Lightness of Hydrogen. Good reiteration of something you already know: the "hydrogen economy" is greenwashing bullshit from the existing natural gas and petroleum producers, and makes zero sense, because of physics.
How to create a secure random password with JavaScript. Probably stuff you know, about modulo bias and using decent sources of randomness and so forth (although at least one of my little one-off (non-JS) scripts that manages one of my personal sites has random number collisions far more often than I think it should for reasons I've never bothered to fix because it's just an annoyance, but...), but it's in one place.
I tried Arc Search, the new mobile app from the Browser Company. Its central insight is that almost every mobile browsing session starts with a web search; rather than giving you the usual list of results, it prioritizes building a web page for you that contains all the information you asked for.
In a new announcement, Ring to now require warrants to share your video with law enforcement
This week, we are also sunsetting the Request for Assistance (RFA) tool. Public safety agencies like fire and police departments can still use the Neighbors app to share helpful safety tips, updates, and community events. They will no longer be able to use the RFA tool to request and receive video in the app.
As I was copy-and-pasting to re-toot a Mastodon post on to my blog, I had a huge moment of... I appreciate that there are a few folks I interact with on Flutterby. I do occasionally use it as long-term memory, although with the decay of the web I'm not sure how much value that has any more.
I've got a few bugs in my CMS that I've been threatening to fix for years, but maybe the social web's time is over and it's time to just do something else with the domain names.
Right now, users seem keen at using the current set of LLMs, throwing some curl code at them and then passing on the output as a security vulnerability report. What makes it a little harder to detect is of course that users copy and paste and include their own language as well. The entire thing is not exactly what the AI said, but the report is nonetheless crap.
A cold-blooded project is like the baby painted turtle. You can freeze it for a year and then pick it back up right where you left off.
A cold-blooded project uses boring technology. The build and test scripts don’t depend on external services that might change, break, or disappear entirely. It uses vendored dependencies.
Of the programming languages I use, Perl seems to be the best at this. C is okay. C++ less so (wait, that library interface changed again?). JavaScript and Python seem to be awful.
Maestro is a monolithic kernel, supporting only the x86 (in 32 bits) architecture for now.
At the time of writing, 135 out of 437 Linux system calls (roughly 31%) are more or less implemented. The project has 48 800 lines of code across 615 files (all repositories combined, counted using the cloc command).
Matt Thomas] wanted to answer the question of whether 3D printed structures can be food-safe or even medical-safe, since there is an awful lot of opinion out there but not a lot of actual science about the subject. As a mechanical engineer who dabbles in medical technical matters, he designed as series of tests using a wide range of nasty-sounding pathogens, to find once and for all what works and what does not.
Results from various testing methods used in hospitals and FDA approved microbial surface testing, indicate that 3D printed parts of PLA/PLA+ (Polylactic Acid), and PETG (Polyethylene terephthalate glycol) can be cleaned to safe levels using warm water (120 °F), and non-concentrated dish soap. Examination and verification of cleanliness were completed via Petri dish preparations, and protein residue testing. It was found that Colony Forming Units (CFU) and Plaque Forming Units (PFU) had been reduced by 90%. Experimental results indicate that using 2g of baking soda, when used with soapy water, eliminates biofilms by chemical and physical action, neutralizes acidic bacteria, and removes mucus. It is recommended (not required) and tested by surgical technicians, that a 2-minute room temperature bleach water soak (200ppm), after washing and rinsing should be done to ensure pathogens are at safe levels. Acetic acid from vinegar was tested as well via petri dish for CFU reduction and can effectively eradicate biofilms due to the ability to penetrate the biofilm matrix and the cell membrane. Acetic acid is not recommended for disinfecting, only for biofilm reduction. It is noted to the reader that sanitation in this context refers to the method of bringing a surface or object to safe levels of cleanliness for food or medical preparation and storage. Furthermore, mass spectrometry readings indicate that no contamination from heavy metals, or other toxins are present in PLA+, and PETG before and after printing. Lastly, filaments made from a pull-trusion method from recycled soda or water bottles has been tested and found to be safe.. When using 3D-printed items for liquids, it is highly recommended to coat the 3D-printed parts in resin.</bockquote>
I've recently been diving back into the C++ code which generates some of my other web sites, and am tearing my hair out (yes, I'm bald) trying to get code which compiles on Linux running on the Mac as well. Which is frustrating, especially when I'm trying to figure out which incantations are necessary to get Boost compiling property on gcc vs clang, let alone other library issues (Hello GNU libcgipp...).
In fact, the right-wing Institute for Family Studies lurks throughout the editorial, along with its senior fellow Brad Wilcox, who was involved in discredited anti-same-sex marriage research that was influential in that political battle a decade ago. Together, the Post references or links to them three separate times in its editorial. (The IFS argument about marriage happiness is flawed too, by the way.)
Yeah. Young women: don't. While I'm very grateful to those who have tolerated some of my views over time, we should definitely not be encouraging anyone, let alone young women, to compromise with some of that shit.
When we enter into business with a company whose boss takes delight in the mass layoffs of tech workers because it disempowers those who might speak out against their company keeping a list of non-Anglophone names that some members of the team find hilarious, we have a decent sense of who we’re dealing with.
For example, one pitch in particular was for a product which promised to remove the need for me to write SQL in exchange for being able to set up all my dependencies from a drag-and-drop editor, with the sales pitch consisting of "You can get rid of thousands of lines of all that SQL you hate!" - no I can't, fucko, because your application is still connecting to Postgres so it's just writing the SQL for me with another layer of licensed abstraction on top of it. Why would I pay to have more abstractions designed for you to sell software to multiple clients, you blue-suited dementor? Eight times out of ten, I want to pay you to remove them from my codebase.
The attack was last Tuesday, November 7. According to AlphV, they did not encrypt any files, but did exfiltrate files. MeridianLink was aware of it the day it happened. According to AlphV, no security upgrades were made following the discovery, but “once we added them to the blog, they have patched the way used to get in,” DataBreaches was told.
The fundamental flaw with pitching CoPilot as a massive productivity boost is that its goal is to make it faster and easier to generate code.
As a programmer, you don't want to generate code. You want to solve problems; the less code involved the better. I don't want tools that will generate repetitive code, I want less repetition.
While my managers are very happy, they quietly suggest it may be unwise to roll out the changes to all the computers (I only did a few to be safe) because it would oversaturate the department to hear about us all day. And invite unwelcome questions. The subtext is that if we do this all slowly enough, it might seem like it took a lot of effort instead of just clicking buttons that I said had to be clicked almost a year ago.
Terence Eden's blog: EBCDIC is incompatible with GDPR. Bank customer complained that their name wasn't being spelled with the appropriate diacritical/accent marks. GDPR says that "The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her."
Bank says "we can't, because EBCDIC technology stack". The Court of Appeal of Brussels says "tough".
I've long been of the "own your own data" mindset, as is obvious from this blog that's been going for two and a half decades, and I've long thought that a distributed P2P sort of system that didn't depend on the DNS system for identity, and didn't require explicit hosting, would be a good thing. Decades of link rot have me thinking about archives, the centralization of social media has me thinking about how much of my conversations are guided in directions that "drive engagement" and sell to advertisers.
The growing Fediverse and Mastodon phenomenon are re-surfacing a lot of the issues involved with distributed social media, and the cryptocurrency fad displayed a lot of the problems P2P stuff, but security and safety are filtering higher to the list.
“These contracts offer innovative ways to build applications and processes,” Tal wrote along with his Guardio colleague Oleg Zaytsev. “Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted ‘on-chain’ without the ability for a takedown.”
With God as my witness, the next son of a bitch to mention Agile is going to get hurled into the ground so hard that I'm going to publish a seismology paper in Nature with the data.
Today, we share -with the community at large- our policy to not work with Moglen or SFLC. We have chosen to speak publicly on this matter because we feel we have an obligation to warn volunteers and activists in software freedom that this pattern of reported behavior exists. Of course, everyone should read the publicly available source materials and make their own decisions regarding these matters. While we loathe to publicly speak of these unfortunate events, the decades of ongoing reports of abusive behavior & and the risk that behavior creates for unknowing members of the Free Software community ultimately requires that we no longer remain quiet on this issue.
Checkmarx reports that the malware used in this campaign goes a step further from typical info-stealing operations, engaging in app data manipulation to perform a more decisive blow.
Connectivity provided by highertech.net
, awesome
bandwidth, well away from fault lines and other potential for natural
disasters, reliable, and run by cool people.
![[Wiki]](/adbanners/lookingglass.png){kind=small}
the repetition, not do more of it.