1. 1

    This seems like a niche begging for a product.

    1. 2

      You mean like Ubiquiti’s AmpliFi Teleport?

      1. 1

        Ubiquiti’s AmpliFi Teleport

        I hadn’t seen that before. Looks very useful.

    1. 1

I’ve read that some/most(?) Atom CPUs don’t have speculative execution or out of order execution. Is there a comprehensive list of x86_64 CPUs that have / don’t have those features?

      1. 1

        I believe the only remotely recent Intel chips that completely lack speculative/OoO features are the Atoms based on the first-gen Bonnell microarchitecture. That started off 32-bit-only, but some of them towards the end of the run do have x86-64 support, e.g. the Atom D5xx and S12xx.

        1. 3

          Do I understand this right? A website can include code that asks the mobile provider for subscriber data? The mobile provider sends this data back to the phone and the website can send the data back to somewhere else? So any app on the phone can access this API as well? So ads in websites/apps access it, too?

          Some comments on HN paint a pretty unsettling picture, e.g. sales people calling you after visiting a site without entering any data (https://news.ycombinator.com/item?id=15477469)

          1. 2

            Apparently the data submitted to open.oneplus.net also contains geolocation (also suspected in the blog post, but I missed it the first time): https://forum.xda-developers.com/showpost.php?p=64497485&postcount=62

            1. 2

              Different venue, similar talk + Q&A and extra stories:

              https://www.youtube.com/watch?v=e9ZWQ1nNLHk

              1. 10

                If you’re sensitive to latency and run Linux, try hitting Ctrl-Alt-F1, and do a little work in console mode at the terminal. (Ctrl-Alt-F7 to get back.)

                For me this is a great illustration of how much latency there is in the GUI. Not sure if everyone can feel it, but to me console mode is more immediate and less “stuffy”.

                (copy of HN comment)

                1. 6

I notice this as well - the Linux console feels better, in the same way that playing CS:GO without the overhead of a desktop compositor feels more immediate.

                  I’ve also noticed that tmux adds a lot of latency to vim in the terminal, so I’ve been running gvim or nvim-qt recently.

                  1. 8

                    Tmux adds a lot of latency? Especially after pressing ESC in Neovim? Try set -g escape-time 10 in your ~/.tmux.conf

                    https://github.com/neovim/neovim/wiki/FAQ#esc-in-tmux-or-gnu-screen-is-delayed

                    1. 3

                      Oh, man, I’ve seen that but didn’t quite put it together (or didn’t think to look for a setting to adjust). The delay to get an ESC to “stick” was crazy long, with the result that I couldn’t get out of insert mode without resorting to press escape, sit on hands, count to six, resume typing.

                  2. 5

There are a whole lot more calculations to do in a graphical environment: align the character on the table, pick the font, compute font substitution (missing glyphs get rendered with other fonts), render every glyph from its vector format, calculate antialiasing and hinting… and all of this on top of a framework, while it is either non-existent or built-in for text interfaces.

                    A good compromise may be bitmap terminal (blit, acme, sam…).

                    1. 8

                      Happily using bitmap fonts with xterm.

                      Drawing vector fonts is so darn slow that most things that do it at all will cache the rendered glyphs.

                      1. 3

I nominate st, the suckless terminal - http://st.suckless.org/ - It might not always be the absolute fastest terminal (I’ve not tested it), and it might not have every feature anyone could ever (not) want like SIXEL and ReGIS Tektronix 4014 graphics, configurable logging, URL launching, user-tweakable selection behaviors and all that jazz that exists in xterm, but it is refreshingly simple, lightweight, and fast.

                        1. 3

And I like this term for this reason. The only 2 OSes I could not compile it on so far are Windows and Android.

                          1. 2

                            st becomes a whole lot less simple and lightweight once you configure your shell to always spawn a new tmux session for every terminal just to get scrollback. I can appreciate simplicity, but there comes a point where the system becomes a lot more complex because one tool is a bit too simple.

                            1. 2

                              Since we’re discussing efficiency, tmux scrolling is also inefficient. All the data in the back buffer needs to be resent to xterm. If I’m on a bad network link, I’ll sometimes start another connection, sans tmux, to run a command so that all the output gets saved in my local buffer and I can scroll it without latency.

                              1. 1

                                This is a valid point which 5 years of mosh use has made me forget about - for those who are not aware, with mosh, you aren’t sending data to the terminal as a stream of data, but instead synchronizing an “image” of the current terminal state and display, so there was never any “past” data to scroll back on.

                              2. 1

I am sort of shocked that anyone uses the terminal scroll back in 2017 - I’ve been using tmux for almost 10 years now, but I was using xterm in combination with screen since the early 1990s X11R4 days and always had my systems configured this way for almost 30 years. I find using a terminal multiplexer actually removes complexity and massively increases productivity and I have no idea how I’d operate without one.

                                1. 3

                                  If I was using some floating window manager, having tmux for tiling would make sense. I use i3, so my window manager handles tiling in a much more flexible way than tmux ever could (not through any fault of tmux, it just cannot tile graphical applications), so tmux is mostly unnecessary unless I need some of the features related to multiplexing or persistent sessions.

                            2. 2

When I tried “alternative” OSes in VMs, they usually opened apps or responded to my typing instantly. They were that much faster in VMs than the Linux system they ran on, which was bare metal. My Windows systems were more responsive, too, back when I used them. I think it’s just the implementation in these GUIs slowing things down that much.

                            1. 2

                              The site has a bad rel=canonical and Lobsters followed it. The author has no contact info or links to other online presence so there’s nothing to be done.

                              1. 3

                                Modify Lobsters to not follow rel=canonical unless it can resolve a page with status 2**?

                                1. 1

                                  Good idea, posted an issue.

                            1. 8

                              The next step could be advertising networks that aggregate data across stores, as in “customer f5d9ad in front of screen 3, seen earlier today looking at shop window of $erotic_store for 23 seconds, walking by $liquor_store, buying $foo at $bar, …”

                              Or is this already happening, too?

                              1. 5

                                It probably is yeah. The data is the product for a lot of companies.

                                1. 2

                                  There’s some research into this and I remember one paper about using free open store wifi which many devices connect to automatically to track where people walk when they enter a store.

                                  Here’s an article that’s similar but not quite what I’m talking about: https://www.theguardian.com/technology/datablog/2014/jan/10/how-tracking-customers-in-store-will-soon-be-the-norm

                                  1. 1

                                    They’re doing it on the web; might as well do it in meatspace too.

                                  1. 7

                                    Earlier examples of this problem:

                                    1. 1

                                      Does somebody know a free recording of a good software engineering lecture/course with in-depth real world examples?

                                      1. 3

                                        Analysis of the malware: https://objective-see.com/blog/blog_0x1D.html

                                        The author also notes that the detection rate for the infected .dmg file was 0/55 on VirusTotal (2017-05-06 20:12:15 UTC) and 0/56 for the contained OSX/Proton malware.

VirusTotal links: .dmg file, malware’s persistent component

                                        1. 8

                                          To test it, try this:

printf 'GET /index.html HTTP/1.0\r\nAuthorization: Digest username="admin", realm="Digest:FFFF0000000000000000000000000000",  nonce="abcdefghijklmnopqrstuvxyzABCDEFG", uri="/index.html", response="", qop=auth, nc=00000001, cnonce="12345678"\r\n\r\n' | nc -v 192.168.0.42 16992

Replace 192.168.0.42 with your target IP; this request will result in a 401. Look at the server’s “WWW-Authenticate:” header and adopt the values for realm and nonce, then try again.

                                          1. [Comment removed by author]

                                            1. 9

                                              Rebase permanently destroys information, right?

                                              Well, not really – it creates new commits that are altered versions of existing ones, but doesn’t delete the originals. (If the originals remain unreferenced by a tag or branch for long enough they’ll eventually get GCed, but if you do want to retain all the original information unmodified it’s easy enough to do so.)

                                              1. 2

                                                It’s only easy if you already know the hashes of the original commits. Git does not surface this information to you easily.

                                              2. 5

                                                As @1amzave said, the commits are around, see git reflog.

                                                As for being lies, they cease being lies when merged to master. The ability to craft a clear log (better word than history) of commits before merging is a superpower.

                                                1. 4

                                                  It also helps promote committing often, because it doesn’t matter if you have a “whoops forgot to initialize foo” commit in your feature branch, you can clean that up before merging to master.

                                                  1. 2

                                                    Unfortunately this needs to be enforced at the code review level, which pull request workflows actively work against. Very often pull requests contain commits leaving the repo in an unbuildable state. I tend to think of VCS as an attempt to tell a story about how something was built rather than a reflection of what actually happened. Unfortunately this takes a lot of effort to pull off well…

                                              1. 6

                                                Wtf? How is this an exploit?

                                                The default behavior is to drop to an initramfs recovery shell if / can’t be mounted. If you have an encrypted root partition/volume, and you don’t provide the password, then you get the shell. It is an extremely limited environment where none of the filesystems are mounted (and if they’re all encrypted then they can’t be mounted without a valid passphrase/keyfile). Additionally, you can control what functionality initramfs or dracut has when building it. If you’re truly paranoid you can make it very minimal with no network abilities.

                                                Also if you exclusively use keyfiles on external media (no LUKS keyslots hold a passphrase) then there is no prompt and initramfs just waits without saying anything until the keyfile device becomes available. In this mode I haven’t figured out how to break out to the recovery shell. It’s a very nice mechanism to have a system appear hung/idle until the moment the keyfile device becomes available.

                                                I can’t believe this gets a CVE.

                                                1. 7

Mismatch between expectations and reality. People may (quite reasonably imo) assume that in a kiosk-like environment, an encrypted disk implies the computer can’t be used.

                                                  1. [Comment removed by author]

                                                    1. 1

                                                      Yes, but you can configure Grub to disallow command line editing without password.

If you have a BIOS password to enter setup, a password in the boot loader to prevent command line editing (neither needed for normal boot-up) and an encrypted root partition, this bug leaves an unexpected opportunity to place suid binaries into /boot or to tamper with the boot options.

                                                      In most scenarios this is probably not relevant, but that’s no reason to disregard the issue completely.

                                                  1. 4

                                                    Nayuki has some awesome stuff on that blog, and the fast fibs algorithms are no exception.

                                                    The one thing that scares me off is the licensing system:

                                                    If you wish to use any of my content (such as program code, pictures), please contact me to ask for permission. I will give a speedy response to your inquiry, typically in under 24 hours. If possible please show me a prototype of how you intend to use my work, so I can better understand your needs.

                                                    Generally speaking, my licensing agreement will require you to cite a link to the relevant Project Nayuki article page. Licensing for student/academic/research purposes is usually free (but please contact me beforehand); licensing for commercial use is available for a modest fee. Please explain your intended purpose clearly, and all reasonable requests will be approved.

                                                    Note that some of my program source code is available under an open-source license (often MIT), whereas others are all rights reserved. Please carefully check the license for the specific project before using it or asking me. If my particular project is open source, you don’t need to ask for my permission beforehand – but please do retain the Project Nayuki page URL and send me a very brief courtesy note. Thank you for understanding.

                                                    E.g., the Fast Fibs algorithm in this article is licensed as “All Rights Reserved”, so you need to contact Nayuki to get a license if one will be granted at all.

                                                    Please do not misunderstand, I completely understand the want to be compensated for work and the wish to have credit given where it is due, but “All Rights Reserved” is more than a “code smell” to me at this point; it’s more like a giant warning sign.

                                                    There is an overview of the licenses on the projects you can find here.

                                                    1. 5

                                                      The algorithms themselves aren’t copyrightable, so that just applies to the example Java/C#/etc. implementations.

                                                      For software of this length I personally don’t see any reason not to just MIT-license, but I don’t think it’s particularly unusual, beyond perhaps devoting space to being explicit about it. Most example code on blogs has no license attached, which means it’s All Rights Reserved by default. Even when they do, it’s often not a permissive license. For example the biggest repository of short code snippets on the internet is probably StackOverflow, which is licensed under a viral copyleft license (cc-by-sa).

                                                      1. 2

                                                        For example the biggest repository of short code snippets on the internet is probably StackOverflow, which is licensed under a viral copyleft license (cc-by-sa).

                                                        Starting Feb 1, 2016, all new code contributions to Stack Overflow and Stack Exchange will be covered by the MIT License.

                                                      2. 4

                                                        These algorithms can be found in Knuth’s TAOCP Volume 1 and also Stepanov’s Elements of Programming, among others. So maybe the implementations are copyrighted, but not the algorithms.

                                                      1. 2

                                                        How about extending the downvote dropdown to non-downvote actions? Some options could show advice, some could change user settings.

                                                        Examples: “I disagree” -> shows “please ignore or respond with a comment” but does nothing else; “this person pushes my buttons” -> automatically collapse all comments from this user (like a personal ignore list)

                                                        Also, maybe for some people “incorrect” is too close to “I disagree”, but I’m not sure what would be a better word.

                                                        1. 7

I’m confused. The article was written in 2011; Gembe was 28 at that point. Half-Life 2 was stolen, according to the article, in 2003. That means Gembe was 20 at that point. By German law, that’s well beyond the time where a criminal offense can be considered under youth legislation.

                                                          How such a person can be described as a “boy” and basically be described as an unknowing nerd is beyond me.

He caused - even if accidentally - 250 million in damages, with criminal energy. I’m not sure how the reporters even allow him to spin that story like that.

                                                          This is a story of so much privilege that I’m confused how it is told like it’s a fairy tale. He is just extremely lucky that pressing charges would have looked bad for Valve. I wouldn’t have counted it against them if they did.

                                                          1. 5

IIRC German youth legislation (“Jugendstrafrecht”) is usually applied for offenders aged 14-17; however, for offenders aged 18-20 (young adults / “Heranwachsende”) the court can decide whether to apply youth or adult legislation, depending on several factors.

                                                            Edit: See also: German Youth Courts Law Section 1 - Scope as to persons and substantive scope, Section 105 - Application of youth criminal law to young adults

                                                            1. 5

He caused - even if accidentally - 250 million in damages, with criminal energy. I’m not sure how the reporters even allow him to spin that story like that.

I didn’t see a breakdown of how they came up with this 250 million in damages; it seems a lot like the ‘virtual damage’ where every download of a movie or audio track counts as 1 lost sale. Although, maybe it includes the cost to society for law enforcement agencies as well and the hours used by Valve employees to fix their crappy security.

                                                              1. 1

                                                                Although, maybe it includes the cost to society for law enforcement agencies as well and the hours used by Valve employees to fix their crappy security.

                                                                Which certainly isn’t “virtual” in any case. He could have reported, if he loved Valve so much.

                                                                If you leave your door unlocked and I take all your household, is the damage I’ve caused somewhat better?

                                                                1. 11

                                                                  If you take my things I don’t have them any more. Did he delete the source code when he took it? If not, it wasn’t stolen.

                                                                  1. 1

                                                                    My point wasn’t “stolen”, my point was “damages”. The article uses “stolen”.

                                                                    Do you imply that there were not damages to Valve by this?

                                                                    1. 4

                                                                      I remember playing the leaked HL2 before it launched. Let me tell you, the copy I had was quite broken and the game froze reliably when you jumped out the window of the train station in the very first level. Still, the ability to explore that platform and pick up that can had me hooked and I bought the game when it launched. I wouldn’t have bought it otherwise, I’m sure of this.

                                                                      I have a feeling I’m not alone. This goes back to the classic piracy argument.

                                                                      1. 3

                                                                        You ended your comment with a literal comparison to theft.

                                                                        I imply that the comparison is neither relevant nor apt, and claiming that it wasn’t your point is, at best, prevarication - since you brought it up.

                                                                    2. 5

                                                                      He could have reported

                                                                      Eh… 2003 was a very different time with regards to security. Responsible disclosure simply wasn’t a big deal back then like it is now. Bug bounties and security@ email aliases for companies were non-existent.

                                                                      1. 2

Responsible disclosure and just taking stuff are very different things. Full disclosure wasn’t unusual back then.

                                                                        You are making this look as if he had no other choice or it was morally okay what he did. The opposite is true: he could have stopped at any time and never showed interest in any kind of hacker ethics.

                                                                        1. 1

                                                                          Responsible disclosure was a long-standing tradition by 2003: https://en.m.wikipedia.org/wiki/Bugtraq