1. 27

      Can I have yours?

      1. 2

        I am not giving you the photo of my face.

        Is the likeness of my face also secret information? Do you cover your head when you go out in public?

        1. 3

          A number is easier to copy than a face in practice.

          1. 2

Do you print your personal ID number on the back of your jacket when you go out in public? It’s not about the photo, it’s about a number. If you read the post, you’d see that with the number, we could then

            Activate a SIM card (and so get an internet connection that’s traceable to you, not them, hiding them from the government)

            and then do some real damage in your name. That’s the point.

            1. 4

It’s not about the photo, it’s about a number.

              It’s actually about information, which photos do qualify as.

              If you read the post, you’d see that with the number, we could then Activate a SIM card

Just because you can activate a SIM card with a non-secret does not in any way make the non-secret a secret, or justify that the non-secret should be a secret.

              and then do some real damage in your name. That’s the point.

              And my point is non-secrets are not secrets. And that if an authentication system was built on a shaky foundation, that also does not justify or make non-secrets into secrets.

              1. 2

                And my point is non-secrets are not secrets. And that if an authentication system was built on a shaky foundation, that also does not justify or make non-secrets into secrets.

                Okay, with this addition, your point makes sense now. But your original comment, “Passport number is hardly secret information” doesn’t state that explicitly. It seemed to me (and I suspect to the guy asking for your pass #) as if you don’t think sharing it should be a problem because it’s not secret information.

                Just a bunch of nerds being a bit literal, I guess.

                1. 1

                  I’m afraid that if a “non-secret” piece of information is considered secret by others then in fact it is secret. If someone can use your passport number to affect your life by entering into phone contracts in your name then you need to stop giving it out. To that extent, what you need to keep secret is decided by others which is admittedly a huge pain in the bum.

                  Very common with government issued numbers of any kind sadly.

                  1. 1

                    Another thing with this is that you can’t even avoid it in a lot of places. There’s this number, OIB, in Croatia, which is kind of like your government-issued, personal ID number that you shouldn’t give to anyone because it’s used to verify you are you. Except you have to give it to your bank (okay, they need to watch my secrets anyway), my phone company (they sell my info for ads?) or like anywhere you want to get a loyalty card at.

                    1. 1

                      We have that here in Sweden too (“personnummer”). It is not seen as a secret at all. It’s simply a numerical representation of identity.

                      1. 1

                        Yep, here too. But when you call e.g. your telecom, “hi, I’m X and I need to change my contract.” - “sure, what’s your totally-not-secret #”?

                        Edit: well, not here, but back there. I’m not in Croatia any more.

                        1. 1

                          My real name is not a secret to the government or my bank, but it is to you. No information is either all secret or all non-secret. Secrecy has domains.

          2. 12

            I wish we were totally clear as a society about which pieces of info are just identifiers and which represent some kind of authentication or authorization, so we could focus on protecting the right info. And if instead of repurposing IDs as passwords we designed something for authentication from the start, it could be a lot better: we wouldn’t have to handle and store everything in the clear and rotating secrets could be routine instead of a huge deal.

            (The current mess is also self-perpetuating: the standard approach to authenticating people is pretty weak, but because it’s the standard approach no company using it to book tickets for you, etc. is likely to face much liability!)

            However, we aren’t in the universe where identifiers and secrets are cleanly separated, so practically speaking I more-or-less understand the qualms about disclosing passport numbers, US Social Security numbers, etc.

            1. 4

              whenever I see a wish for X to be designed differently, I love to bring up Chesterton’s Fence:

              There exists in such a case a certain institution or law; let us say, for the sake of simplicity, a fence or gate erected across a road. The more modern type of reformer goes gaily up to it and says, “I don’t see the use of this; let us clear it away.” To which the more intelligent type of reformer will do well to answer: “If you don’t see the use of it, I certainly won’t let you clear it away. Go away and think. Then, when you can come back and tell me that you do see the use of it, I may allow you to destroy it.”

              here’s a source regarding why the US Social Security number-as-identifier is the way it is, which really emphasizes how the problem was never about designing good authentication systems, but about developing national authentication in a society that opposes the very idea of national authentication.

              1. 3

                That SSA link seems to describe part of what I’m saying (a government record identifier got widely adopted by private DBs), and notes “it lacks…the means to authenticate a person’s identity”, which, yes. It’s not the SSA making a record identifier for themselves that bugs me, or even others using it as a DB key, it’s when folks use it as if it were proof of identity.

                Spelled-out theory of how we got here: large private entities (airlines, CC issuers, etc., etc.) are capable of better auth than passing around not-all-that-secured numbers in the clear (see chip and PIN, login systems with 2FA or USB keys, etc.). They have been slow to do it (e.g. late introduction of chip and PIN for card-present transactions in the US), and sometimes just have left things a mess (CC card-not-present transactions, and everything using SSN as proof of identity), for a bunch of reasons, including (like I mentioned in the other comment) that they’re not liable for most of the cost/annoyance when the auth system is janky–with credit cards, for instance, the merchants pay the monetary costs and cardholders deal with the fuss of card reissues and false alarms from fraud filters. Competition hasn’t solved it (“use my non-janky payment system/airline/…”) because the network effects protecting incumbents are strong.

                FWIW, very different to say “it can be informative to look at history” versus assuming historical decisions are wise or ideas are bad unless presented with reams of historical analysis. To me, analogous to “that weird behavior sounds intentional, peek at the history before you change it” vs. a posture that just makes touching your old code nearly impossible.

                (‘Nother fun thing: the Chesterton quote comes from an essay arguing that proper domesticity was being undermined in the 1920s as indicated by “a multitude of modern manifestations, from the largest to the smallest, ranging from a divorce to a picnic party”. Which is a position that, uh, hasn’t aged well to my eyes and makes you think about the principle used to justify it.)
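The wish above (identifiers and authenticators cleanly separated, so secrets can be rotated routinely and nothing needs to sit around in the clear) and the later point that large entities could do better than passing not-very-secret numbers around, as an added Python illustration that is not code from this thread or from any of the companies mentioned. The account identifier format, the account names and the key-derivation parameters are all constructed for the demo; the point is that knowing the identifier alone never authenticates, and that the secret rotates without the identifier changing.

```python
"""Identifier vs. authenticator: a public record key alongside a separate,
rotatable secret. Added example; every name and number here is constructed."""
import hashlib
import hmac
import os
import secrets

# Account store keyed by a NON-secret identifier (think passport number,
# SSN or customer number). Only a salted hash of the authenticator is kept,
# so the store itself never holds anything usable in the clear.
ACCOUNTS: dict = {}

PBKDF2_ITERATIONS = 200_000   # constructed demo value


def _hash_secret(token: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the authenticator."""
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ITERATIONS)


def _issue(identifier: str) -> str:
    """Generate a fresh high-entropy authenticator and store its hash."""
    token = secrets.token_urlsafe(32)          # the real secret, shown once
    salt = os.urandom(16)
    ACCOUNTS[identifier] = {"salt": salt, "digest": _hash_secret(token, salt)}
    return token


def create_account(identifier: str) -> str:
    """Create an account under a public identifier; return its authenticator."""
    if identifier in ACCOUNTS:
        raise ValueError("identifier already in use")
    return _issue(identifier)


def rotate_secret(identifier: str) -> str:
    """Replace the authenticator. The identifier (the thing printed on tickets
    and quoted on the phone) does not change, so rotation is routine."""
    if identifier not in ACCOUNTS:
        raise KeyError(identifier)
    return _issue(identifier)


def authenticate(identifier: str, presented: str) -> bool:
    """True only when `presented` matches the stored authenticator.
    Presenting the identifier itself (the 'ID number as password' mistake)
    fails like any other wrong value."""
    rec = ACCOUNTS.get(identifier)
    if rec is None:
        return False
    candidate = _hash_secret(presented, rec["salt"])
    return hmac.compare_digest(candidate, rec["digest"])


if __name__ == "__main__":
    tok = create_account("CUST-0001")            # constructed identifier
    print("secret works:      ", authenticate("CUST-0001", tok))
    print("identifier alone:  ", authenticate("CUST-0001", "CUST-0001"))
    new = rotate_secret("CUST-0001")
    print("old secret after rotation:", authenticate("CUST-0001", tok))
    print("new secret after rotation:", authenticate("CUST-0001", new))
```

The store can be dumped, logged or shared with a partner without handing out anything that authenticates, which is exactly the property a number doubling as both identifier and proof can never have.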

                1. 1

                  that’s a really fair point regarding making past mistakes untouchable because of a less-than-useful need for “reams of evidence”. feels like red tape against changing old ideas. thanks for the view

                  I retract what I wrote, I’m not one to advocate for fallacious red tape

          1. 2

            Not a lawyer–why does this not fall under a fair use exemption? This seems to be clearly a parody of “the grand dame of fonts”?

            1. 3

              A parody has to be a new work (to be protected). You can’t just re-cut a song and call it a parody, you have to re-record something that sounds similar.

            1. 11

              I start my job this week. My first real adult job. So mostly bootcamp stuff at work. And I’ll be working more on my parser tutorial.

              1. 2

                Congrats and best of luck!

                1. 1

                  Thank you!

              1. 8

                Working through the Cryptopals challenges! Currently finishing up set #2 and enjoying it immensely.

                1. 9

                  If you don’t mind the tinfoil, this could well be a shakedown test to see how Russia might deal with partitioning of the network in a time of relative peace, before being surprised during some other time.

                  Then again, that’s the sort of idle speculation I’d give back in my HN days.

                  1. 3

                    Maybe not the intention, but I can’t imagine the data point would go unnoticed.

                    1. 3

According to the timeline, it may seem related to Telegram.

                      Here’s my tinfoil take :)

Russia banned the Telegram app at the beginning of the month[1]. They basically blacklisted their domains.

Telegram started to use the Google App Engine as a domain front [2].

I guess Russia is trying to prevent domain fronting for future ban cases. I guess it is easier for them to send a takedown notice to a Russian cloud provider than sending that to an American one.

                      [1]: https://www.nytimes.com/2018/04/13/world/europe/russia-telegram-encryption.html

                      [2]: https://en.wikipedia.org/wiki/Domain_fronting

                      1. 2

Probably not the intention, because running the blocklist updates in that mode means that an external party can easily force a block of something critical inside Russia at a moment when neither the blocklist operators nor ISPs have spare capacity to react sanely. People who are qualified to understand your point also know that Roskomnadzor is not qualified to prevent the risk I describe.

                        But some note-taking about unexpected dependency chains will be done anyway.

                        1. 1

                          If you were to pile some more tinfoil on, what else might we expect to see from Russian authorities?

                        1. 13

Still outweighs the stress of commuting to the office and sitting in a noisy and uncomfortable environment. Offices are usually creepy and dirty in my city, sometimes out of reach of public transport routes. Bad lighting, constant noise of drills in neighboring rooms (where short-lived companies come and go), cockroaches, sewage smell, dirty overloaded toilets. Colleagues fighting for a better place to sit, opening and closing windows and turning the air conditioner on and off. Constant feeling of surveillance.

After working remotely, I don’t want to work in an office anymore.

                          1. 2

                            Can I ask what city you’re working in?

                            1. 1

                              Saint Petersburg

                          1. 1

                            I remember seeing this before, and I still have the same question: what are your requirements as a job search candidate to keep your solution to yourself? I can’t help thinking that the hiring company in question just lost a pretty solid security-related FizzBuzz.

                            1. 2

                              The only obligation there is whatever the employer asks for; companies that are concerned about it put the confidentiality requirement in writing.

                            1. 2

                              I agree with lots of points made, but here’s my central issue:

                              The period of 2001-2006, five years of stagnation, actually turned out to be a good thing.

                              and then:

                              That stagnation period is what gave Mozilla time to catch up with Firefox, it’s what led to the Ajax revolution, and it’s what ultimately unseated Microsoft as king of the web.

                              Why would someone that’s in Microsoft’s position voluntarily put itself in a place where they could be ousted, as happened in 2001-2006?

                              The author is right to be cynical regarding the large companies putting an actual moratorium in place.

                              1. 2

                                Yeah - I very much agree that the stagnation benefited JavaScript profoundly, as the language avoided picking up a lot of bad ideas. :) For example, PHP rose to popularity in that time period, and is one of the few cases where I’m willing to say it’s worse than most other languages.

                                I imagine the other points are true as well, but that’s the one I can speak to.

                                But you’re exactly right, this is not going to happen.

                              1. 2

                                Not for the first time, and certainly not for the last time, technical progress was stymied by collective thoughtlessness today.

                                Is there a specific incident he’s referring to that sparked this? Or is it just a general discussion?

                                1. 4

                                  I am not aware of what he’s referring to. (figured I’d say that since I posted the link)

                                  1. 2

                                    Less informative than the graphic in the post, but a bit more visually interesting: https://www.youtube.com/watch?v=vvr9AMWEU-c

                                    1. 11

Last year, I bought a Xeon Phi on an impulse. For those who are unfamiliar with the Xeon Phi, it is a PCIe card that contains 57 1GHz Pentium (x86) cores, with some extensions for SIMD, 8GB of memory, and runs an embedded Linux on board. It’s great for highly parallel general purpose code that GPUs aren’t suited for (lots of conditionals etc).

                                      This weekend, I finally received the final parts of the system to house the Phi, and assembled it. I haven’t set up the software yet, and I still need to verify that the cooling is sufficient (these cards get ridiculously hot!).

                                      The card was only $200, but after a lot of research, it turns out these babies require some pretty high-cost infrastructure to get running (motherboard with 64-bit PCIe addressing, which is rare and rarely advertised). The total setup has cost me around €800. I got a lot of help from Don Kinghorn from Puget Systems, a company that builds and sells specialized workstations and servers (Xeon Phi, Nvidia Tesla, …). They were very friendly and replied very quickly, despite the fact that I wasn’t a customer.

If anyone has a cool application for the Phi, or software that they want to port to the Phi, or something they want to test on a 57-core setup, feel free to let me know! I bought this card to experiment, but I can probably let someone else use it over SSH from time to time.

                                      This week I’ll mostly be preparing to leave for Japan!

                                      1. 2

                                        Very interesting. Do you happen to know why they decided to put 57 cores on the machine, as opposed to something rounder?

                                        1. 4

                                          There are models with slightly more cores (60 or 61 cores), but I think this is a yield issue. My speculation is that they are building them as 64-cores per die, but they can’t get acceptable yields, so they release them as 57, 60 or 61 core versions depending on the quality of the specimen. These cards normally cost thousands of dollars a piece, so I’m guessing they’re pushing the limit to what they can physically fit onto a die/board.

                                          I think this is also just where the thermals, performance and power consumption ended up being best for this kind of package (dual slot PCIe). Adding more cores likely would have meant dropping to lower clocks, and I think they didn’t want to settle for anything less than the symbolic 1GHz. As I mentioned, these cards get REALLY hot, even when idle.

That said, 57 cores with 4-way HyperThreading and 512-bit SIMD (AVX-512) is plenty of parallelism to play with.

                                      1. 1

                                        Does anyone know why Assange’s username was proff? Looks like he used it for his MIT email as well

                                        1. 1

                                          In the technical realm, trying to figure out how to modularize a 2k LOC behemoth of a D3 charting routine. What does good modularization look like in JS?

                                          In the non-technical realm, realizing that yes, when I eat fatty foods for lunch my productivity drops like a rock, and no, just drinking coffee isn’t enough to overcome that. Since I started eating better, both my mental clarity and my productivity have skyrocketed!

                                          Next step: establish a more rigorous gym routine.

                                            1. 3

                                              Looks very nice, but how do I type the Unicode? Would this just be for display?

                                              It seems to me that once you start getting fancy with the inputs, you may as well need an IDE to make those Unicode characters easily accessible, and then we’re just a hop, skip, and a jump away from visual programming languages.

                                              1. 4

                                                This isn’t an entirely serious project to begin with and the unicode-ification would probably be generated from the types if it were a serious thing.

                                                Just a (working) experiment in visualization of arrows in Haskell.

                                                We don’t even really use arrows that much, other things proved to be nicer abstractions most of the time.

                                                1. 2

                                                  Fair! I actually end up drawing diagrams that look fairly similar to the ones you’ve generated when I need to reason about data streams. Maybe this could find more traction as a general data transformation visualization tool?

                                                  1. 2

                                                    Oh I didn’t write down the unicode version, kamatsu from the Reddit thread did. Sorry, should’ve said so.

                                                    It could be useful I guess, but only if you’re using Haskell?

                                                    1. 2

                                                      True, I haven’t taken a very deep look at it. I’m working with Django right now and a tool like this could de-mystify some of the QuerySet API.

                                                      1. 3

                                                        You need types mate.

                                                        I used to be primarily a Python and Clojure user. I’ve been teaching Haskell for a year now. This is how I teach Haskell: https://github.com/bitemyapp/learnhaskell

                                                        1. 2

                                                          I’ve always been a bit leery of trying to do webapps in FP. It seems to me like webapps are designed around mutable state, and Haskell needs a lot of workarounds to make it work.

                                                          That being said, bookmarked. I need to bite the bullet and do more than Hello World in Haskell

                                                          1. 3

                                                            It seems to me like webapps are designed around mutable state,

                                                            No computable problem is necessarily about mutable state.

                                                            Haskell needs a lot of workarounds to make it work.

                                                            Nope.

                                                            Some cheap-n-cheerful examples:

                                                            http://hackage.haskell.org/package/scotty

                                                            http://bitemyapp.com/posts/2014-08-22-url-shortener-in-haskell.html

                                            1. 2

                                              Other than the lineprof tool and the Rcpp comment, most of this applies directly to MATLAB code as well. I had the unfortunate pleasure of dealing with roughly 15k lines worth of MATLAB simulator code for a class I took in undergrad (no choice as to the language we used). Only tweak: Instead of lapply -> mclapply, switch for -> parfor. MATLAB complains about dependency stuff (which was nice to not have to reason about separately) but it provides decent error messages about what looks dependent.

                                              1. 5

I wish this included a comparison with the MIT license, and why or why not the 2-clause BSD license would be preferable. It is also a bit confusing that there are so many variations of the BSD license, which are referenced somewhat similarly:

                                                • older 4-clause BSD license
                                                • 3-clause “new” BSD license
                                                • 2-clause “Simplified” BSD license

I tend to prefer the ISC or MIT licenses, because (a) they are clear, and (b) when you say “MIT License” or “ISC License”, people know which one you are talking about without confusion.

                                                1. 1

                                                  For anyone who can elucidate: What is the difference between the MIT license and the BSD licence?

                                                  1. 4

                                                    Ok, that is cool.

                                                    1. 3

Any chance you read this year’s SIGBOVIK paper on this? Search for the proceedings and look for “Unit Test Based Programming.” (SIGBOVIK is a real conference that is more or less (and by design) a joke, but sometimes has real, albeit usually ridiculous, results. This paper is one such thing.)

                                                      Really interested to see where your implementation goes!

                                                      1. 1

                                                        Just found it. That paper was an entertaining read. Its approach is “purer,” I’d say, from a theoretical perspective as it generates complex functions from a small set of “ground” primitives, whereas inductive.js relies on the programmer explicitly listing the primitives for each function. This results in a trade-off. Solve attempts in inductive.js are generally faster; arbitrary operations like AJAX are easily represented; and it’s straightforward to compose programs of arbitrary size. On the other hand, utbp’s approach is simpler, and it’s definitely more convenient to be able to omit a list of operators. It’s an interesting field of study with a lot of thought-provoking papers out there, like utbp’s.

                                                        1. 2

                                                          Sorry – I would have linked, but was on my phone.

                                                          Ah, interesting! I’ll have to look into your approach a bit more, but this is a great project!

                                                      2. 2

                                                        This is the thing that will get me to enjoy writing tests.

                                                      1. 3

                                                        Finally starting to write some tests for the web app that I’m working on. As a newbie to web app testing, does anyone have recommendations on how I should be approaching this? Thought processes/paradigms? I’m working with Python/Django.

                                                        1. 1

                                                          Glad to see definitive progress toward locking the language down. That’s all I’m waiting for before I start a deep dive into Rust.