1. 6

    Important for anyone considering trying this out on Linux: you’ll have serious issues if you install this.

    I think it’s irresponsible that an issue this serious has been open since November, without the author highlighting the danger prominently in the Readme or somewhere.

    1.  

      Looks like a fix-ish went in 10 hours ago: https://github.com/cknadler/vim-anywhere/pull/68

    1.  

      Based on this writing, it seems that we are yet again separating dev from prod. Use ubuntu/debian base for dev, but build special for production.

      I thought one of the main points of Docker was being able to run the same container in production. Seems that’s still not going to happen with Docker either. Dev just has to run long enough to make the next commit, and needs gobs of debug built-in. Prod has to run forever and be secure.

      Seems the only upside you really get with the Docker workflow is similar tooling between dev and production.

      1.  

        Use ubuntu/debian base for dev, but build special for production.

        You can use the same images for development/testing, though? You might install a few extra packages into your dev environment (gdb, …) with the same base Dockerfile.

        1.  

          From my experience, the difference between dev/prod is not the biggest issue, as long as you have the same images for testing/staging and production.

          Some teams do not even use Docker images for development and that’s not a big issue as long as you have good CI (at least it’s been a very long time since we had the “it works on testing and not in production” problem).

        1. -4

          Some aphorisms apply:

          1. It’s a poor craftsman that blames his tools.
          2. Be the change that you wish to see in the world.
          1. 20

            Fair warning, this is a rant.

            It’s a poor craftsman that blames his tools.

            This aphorism is the reason I quit HN all those years ago. It is absolute trash. A much improved version is “A craftsman takes responsibility for the tools they use.” This is still irrelevant to the article that was posted, but it has a chance of being useful in some discussion happening somewhere, probably (but if I were to bet on it, I wouldn’t).

            What if you’re being forced to use bad tools? What if your tools are actively sabotaging your ability to work? What if your tools really are the biggest source of pain and distraction? What if not using the tool will be held against you? What if not using the tool will get you fired? What if the tool genuinely does the opposite of what it claims to do?

            What if you’re sitting down to really think about the impact your tools have on your work, and seeing one of them come up severely short? Is that blaming [their] tools? Or should we all just put up with whatever we’re handed, because it is always on us as craftspeople to take on the full burden of bad tools—even when there is no good reason—and just slog through it as our lives unhappily waste away?

            I wish people would be more honest with this whole “a poor craftsperson” thing and just say “I think you’re bad and that it’s your fault,” or even “quit your bitching”. It’s still a lowest tier comment, but at least it’s direct.

            And yes, I’m going to continue to use gender neutral words because I want to…

            Be the change that you wish to see in the world.

            Yeah, that’s why he’s writing about it.

            Some aphorisms apply

            These ones don’t, but it’s easy to miss that when you don’t attempt to justify the application of those aphorisms.

            The article is a) an analysis of the ways slack can decrease organizational productivity, even circumventing individual countermeasures, and b) a call to action to change the culture that embraces slack.

            Neither of your aphorisms meaningfully interact with the two (clearly expressed) core ideas of the article, in any way.

            1. 2

              Thank you for this. You’re spot-on.

              The craftsman metaphor is terrible, when applied to programming. It says “his tools”. In the workplace, you don’t use your tools; you’re forced to use their tools.

              Slack (as often used) is terrible, and Jira is worse. These have become tools of managerial surveillance; they are tools used against, not by, workers.

              1. -2

                Maybe a poor craftsman blames his manager.

              2. 0

                I used the first aphorism correctly, and I am also aware that a lot of people are triggered by it.*

                If the tools suck don’t use them. If they’re valuable but flawed be constructive? It doesn’t have the same ring to it. Slack has a place, what’s the alternative? IRC? A directory with everyone’s phone numbers in it? There’s no ‘turn off notifications’ button for when your manager taps you on the shoulder twice an hour.

                The article didn’t read as a call to action to me as much as a long, poorly formatted ramble by someone who was having an adverse reaction to their current work environment.

                It’s a flawed workplace culture… Are they blaming someone else’s tools? Is that better?

                Which gets into the second aphorism. I think the author should talk to his manager/coworkers or quit instead of writing passive aggressive blog posts.

                If I’m really going to go to lengths to make myself absolutely clear: by talk I don’t mean go on a crusade against the tools; they fail to present any alternatives in the post! (Besides use email for everything; maybe they’re too young to remember how difficult that was.)

                *Maybe I was hoping to get a rise out of someone. Plato was fond of the Dialectic, maybe I am too.

                1. 1

                  If the tools suck don’t use them.

                  You really seem to have not read the post you’re replying to:

                  What if you’re being forced to use bad tools? What if your tools are actively sabotaging your ability to work? What if your tools really are the biggest source of pain and distraction? What if not using the tool will be held against you? What if not using the tool will get you fired? What if the tool genuinely does the opposite of what it claims to do?

                  That addresses your ~first aphorism~ really quite neatly. They’re blaming someone else’s tools, sure, because they’re to blame. Rejecting reality because you have a pithy quote that suggests you should is not productive.

                  I think the author should talk to his manager/coworkers or quit instead of writing passive aggressive blog posts.

                  Who’s to say they’re not doing that too? Writing a post like this has value as well; it lets a wider community reflect on it, submit comments (there have been some useful ones here, this thread notwithstanding), and possibly come up with some mitigations or thoughts on how future tools could do better. This is not a new concept.

                  “Be the change you want to see in the world” is great when you’re all-powerful, but that’s almost never the case in real life.

                  and I am also aware that a lot of people are triggered by it.*

                  christ man, get back to HN

                  1. 1

                    I have never been on HN… That’s a personal attack, it’s toxic, you shouldn’t do it, I shouldn’t get into the mud with you by responding.

                    Nobody is being forced to do anything here. A good crafts-laborer would realize this. It’s an apt aphorism. It’s not a dangerous idea to suggest that a worker can determine the conditions under which he works…

                    Just because I used an aphorism and that’s something that trolls do doesn’t mean I’m a troll. I didn’t expect to get any upvotes for an unpopular opinion voiced in an unpopular way, but I also didn’t expect so much hostility!

                    1. 5

                      I am honestly interested in the mechanism by which a craftsperson could determine the conditions under which they work, assuming a standard capitalist employee-employer relationship.

                      If we all tend to agree a person needs to work in order to make a living, I find this might be possible if you’re “your own boss”. Even then you probably have clients, and they tend to demand their own sets of tools and processes you need to adjust to. This isn’t only a matter of IT: my dad worked in a car repair shop, and they really didn’t have a choice with regards to the diagnostic hardware and software they could use, nor the hardware they used to do the actual repairs (it’s mostly proprietary, and dependent on the manufacturer).

                      Of course, you can always quit and find another job with better tooling; IT people today are severely privileged since jobs are abundant and we’re in very high demand. It’s certainly not unreasonable to expect this won’t be the case forever, and actually discussing problems with the tooling (and management, and processes, and …) seems like a good thing to do if you want to improve your working environment.

                      1. 1

                        My mechanisms are the same as yours. Employers by and large are people too. My grandfather was an auto mechanic too, and he had his side projects just like I do.

                        I think the only point we actually disagree on is whether this blog post is constructive.

                      2. 3

                        That’s a personal attack, it’s toxic, you shouldn’t do it, I shouldn’t get into the mud with you by responding.

                        Your flippant use of the word “triggered” is what’s toxic.

                        It’s not a dangerous idea to suggest that a worker can determine the conditions under which he works…

                        No, just dangerously wrong.

                        1. 0

                          Discussing triggers big and small is important. I can’t think of another way to put it, but being triggered by the use of the word triggered isn’t a mentally safe place to be.

              1. 5

                Someone had my GitHub username or I registered my account a long time ago and didn’t add an email address/lost my password. The account was dormant (no repos). I emailed GitHub and asked to take the username and they gave it to me with no questions asked. I’m quite grateful for this.

                As for the article: by this same logic it seems to me that you should also argue that domain names should be forever too…

                In FreeBSD we heavily use GitHub in the ports tree. We have SHA256 on our distfiles so if someone acquired a previously active account and tried to serve malicious code from the repo it would fail. Several times I have caught projects changing their git tags via the ports tree throwing checksum errors.
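                One way to do the distfile check the comment above describes, as an added example that is not the FreeBSD ports framework’s own code (the ports tree does this through distinfo files and the ports Makefiles): a small Python checker that parses distinfo-style entries and refuses an archive unless both the recorded SIZE and SHA256 match the bytes actually fetched. The distinfo text, the archive contents and the file name below are constructed for the example, and the two tampered variants show that both a length change and a same-length content change are caught.

```python
import hashlib
import hmac
import re

# Constructed distinfo text in the FreeBSD ports layout (not from a real port):
# a TIMESTAMP line, then "SHA256 (file) = hex" and "SIZE (file) = bytes" per distfile.
SAMPLE_DISTINFO = """\
TIMESTAMP = 1500000000
SHA256 (example-1.0.tar.gz) = b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
SIZE (example-1.0.tar.gz) = 11
"""

# Constructed "archive" contents; the digest recorded above is sha256 of exactly these bytes.
GOOD_DISTFILE = b"hello world"
# What a hijacked upstream account might serve under the same file name.
TAMPERED_LONGER = b"hello world!"      # different size, caught before hashing
TAMPERED_SAME_SIZE = b"hello worlD"    # same size, caught by the digest

_ENTRY = re.compile(r"^(?P<kind>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Return {filename: {"sha256": hexdigest, "size": int}} parsed from distinfo text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = _ENTRY.match(line)
        if m is None:
            # Fail closed: a line we cannot parse may hide a missing or altered entry.
            raise ValueError(f"malformed distinfo line: {line!r}")
        entry = entries.setdefault(m.group("name"), {})
        if m.group("kind") == "SHA256":
            entry["sha256"] = m.group("value").lower()
        else:
            entry["size"] = int(m.group("value"))
    return entries


def verify_distfile(name, data, entries):
    """True only if both the recorded size and SHA256 match the bytes fetched for `name`."""
    if name not in entries:
        raise ValueError(f"no distinfo entry for {name}; refusing unverified distfile")
    expected = entries[name]
    if "sha256" not in expected or "size" not in expected:
        raise ValueError(f"incomplete distinfo entry for {name}")
    # Cheap check first: a size mismatch means the content cannot match.
    if len(data) != expected["size"]:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest is not required for a public digest, but costs nothing.
    return hmac.compare_digest(actual, expected["sha256"])


if __name__ == "__main__":
    info = parse_distinfo(SAMPLE_DISTINFO)
    for label, blob in (("good", GOOD_DISTFILE),
                        ("tampered (longer)", TAMPERED_LONGER),
                        ("tampered (same size)", TAMPERED_SAME_SIZE)):
        print(f"{label}: {verify_distfile('example-1.0.tar.gz', blob, info)}")
```

The point the comment makes is that the pinned digest lives in the consumer’s tree, not with the upstream: whoever controls the GitHub account can change the tag or the tarball, but they cannot change what the ports tree already recorded, so the build fails loudly instead of silently picking up new bytes.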

                1. 2

                  I emailed GitHub and asked to take the username and they gave it to me with no questions asked. I’m quite grateful for this.

                  Worth noting we have a set of criteria around account inactivity/there must be no repositories with content/etc. around doing this.

                  1. 3

                    Windows 3.0? I don’t see anything related in the page.

                    1. 2

                      Gah, it ate my link. Not sure how to edit the URL. I can change everything else.

                      1. 2

                        A mod might be able to help!

                    1. 2

                      I thought this was going to be explaining Monads using things in the kitchen or things a non-tech person would do in everyday life. I was disappointed it was just code.

                      1. 2

                        instance Monad Knife where

                      1. [Comment from banned user removed]

                        1. 12

                          It says it in the article. The guy developed the computers but not the business. All kinds of companies and people were building computers and their parts. There was a missing component of marketing and business strategy that forms ecosystems in the market. That’s what the women came up with along with starting the business, financing it, etc. Those kind of techniques are what made Dell, Gateway, etc rich.

                          Tinkering technical geniuses building better hardware continue to languish in obscurity, barely make any money, or their companies fold to this day. Especially in the space FPGAs target. Those bringing in marketing folks or focusing on product development more than technological excellence do a lot better on average.

                          1. 4

                            womyn

                            Dude, at least try to obscure your trolling.

                          1. 4

                            A solid list, with one question mark.

                            Lynn Conway started life as a man. Does this mean his/then her achievements get equally credited to men/women?

                            1. 52

                              No. Trans women are women.

                              1. 10

                                Thank you. I want to live in a world where this is just taken as a given. Let’s start with our little world here, people.

                                1. 8

                                  What is the goal of creating a list of women in CS? If it’s to demonstrate to young girls that they can enter the field, it seems unproductive to include someone who grew up experiencing life as a man.

                                  If the goal of creating the list is some kind of contest, then it’s counterproductive for entirely different reasons.

                                  1. 28

                                    someone who grew up experiencing life as a man

                                    Do you know any trans women who have said they grew up experiencing life as a man? I know quite a few and none of them have expressed anything like this, and my own experience was certainly not like that.

                                    However, if you mean that we were treated like men, with the privilege it brings in many areas, then yes, that became even more obvious to me the moment I came out.

                                    Regardless, trans folks need role models too, and we don’t get a lot of respectful representation.

                                    1. 21
                                      $ curl https://www.hillelwayne.com/post/important-women-in-cs/ | grep girl | wc -l
                                      0
                                      

                                      The motivation for the post is clearly laid out in the first paragraph:

                                      I’m tired of hearing about Grace Hopper, Margaret Hamilton, and Ada Lovelace. Can’t we think of someone else for once?

                                      It’s a pretty pure writeup for the sake of being a list you can refer to.

                                      On your statement about “girls”. It’s quite bad to assume a list of women is just for kids, it’s also bad to assume trans women can’t be examples to (possibly themselves trans) girls.

                                      1. 4

                                        That’s not a motivation, that’s a tagline.

                                        The primary reason I would refer to a list like this is if I was demonstrating to a young woman considering CS that, perhaps despite appearances, many women have historically made major contributions to the field. I’m not sure what else I would need something like this for.

                                        1. 5

                                          Maybe it’s not for you to distribute but for women to discover …

                                        2. 1

                                          I don’t see why it’s bad to assume that. It feels like it would be a pretty serious turn off to me if I were looking for successful women and found people who were men into adulthood. I find it hard to imagine that I’m unique in that feeling. I’m sure it feels good for trans people but if that’s your goal admit the trade-off rather than just telling people they’re women and not trans women.

                                          You can berate people for not considering trans-women to be the same as born women but it will likely just keep them quiet rather than convince them to be inspired.

                                          1. 19

                                            people who were men into adulthood

                                            Now I’m curious what your criteria are, if not self-identification. When did this person cease to be a man, to you?

                                            When they changed their name?

                                            When they changed their legal gender?

                                            When they started hormones?

                                            When they changed their presentation?

                                            When they got surgery?

                                            What about trans people who do none of that? E.g. I’ve changed my name and legal gender (only because governments insist on putting it in passports and whatnot,) because I had the means to do so and it bothered me enough that I did, is that enough? What about trans people who don’t have the means, option, or desire to do so?

                                            When biologists say that there’s not one parameter that overrides the others when it comes to determining sex¹, and that it makes more sense to just go by a person’s gender identity if you for whatever reason must label them as male/female, why is that same gender identity not enough to determine someone’s own gender?

                                            1. http://www.nature.com/news/sex-redefined-1.16943
                                        3. 16

                                          If it’s to demonstrate to young girls that they can enter the field, it seems unproductive to include someone who grew up experiencing life as a man.

                                          This is a misunderstanding of transsexuality. She grew up experiencing life as a woman, but also as a woman housed in a foreign-feeling body and facing a tendency by others to mistake her gender.

                                          Does that mean she faced a different childhood from many other women? Sure. But she also shared many of the disadvantages they faced, frequently to a much stronger degree. Women face difficulty if they present as “femme” in this field, but it is much more intense if they present as femme AND people mis-bucket them into the “male” mental box.

                                      2. 14

                                        If they identified as a woman at the time of accomplishment, it seems quite reasonable that it’d count. For future work, just think about it in terms of trans-woman extends base class woman or at least implements the woman interface.

                                        In any event, your comment is quite off-topic. Rehashing this sort of stuff is an exercise that while interesting is better kept literally anywhere else on the internet–if you have questions of this variety, please seek enlightenment via private message with somebody you think may be helpful on the matter, and don’t derail here.

                                        1. 7

                                          The point of this is not to give more achievements to women… It’s to showcase people who were most likely marginalized.

                                          1. [Comment removed by author]

                                            1. 9

                                              This is definitely not what life is like for trans people pre-transition.

                                          2. 12

                                            It’s rude to talk about people’s gender like this fyi

                                            1. 0

                                              It’s ridiculous to allow this framing to suppress a reasonable point.

                                              1. 10

                                                It’s not a reasonable point. This is not the place to make whatever point you’re trying to make.

                                            2. 3

                                              Depends on where a person is on political spectrum. I’d probably note they’re trans if targeting a wide audience, not if a liberal one, and leave person off if a right-leaning one.

                                              1. 5

                                                What they don’t know won’t hurt them. As far as the right is concerned, she is a woman …

                                              2. 2

                                                It is irrelevant, and you asking this is offensive.

                                                1. -1

                                                  Interesting question. I think it may be met with hostility, as it brings to mind the contradiction inherent in both claiming that sex/gender is arbitrary or constructed and also intentionally emphasizing the achievements of one gender. Based on the subset of my social circle that engages in this kind of thing, these activities are usually highly correlated. Picking one or the other seems to get people labeled as, respectively, some slang variation of “nerd”, or a “TERF”.

                                                  1. 34

                                                    Can we please not for once? Every time anything similar to this comes up the thread turns into a pissfight over Gender Studies 101. Let’s just celebrate Conway’s contributions and not get into an argument about whether she “counts”.

                                                    1. 10

                                                      Much as I sympathize, transgender is controversial enough that merely putting a trans person on a list that claims all its members are a specific gender will generate reactions like that due to a huge chunk of the population not recognizing the gender claim. That will always happen unless the audience totally agrees. So, one will always have to choose between not mentioning them to avoid noise or including them combating noise.

                                                      1. 20

                                                        I would like to live in a world where transgender isn’t controversial and we don’t have to waste energy discussing this. Can Lobsters be that world please?

                                                        1. 18

                                                          Perhaps this is why we get accused of pushing some kind of agenda or bringing politics into things, by merely existing/being visible around people who find us ”controversial” or start questioning whether our gender is legit or what have you. I usually stay out of such discussions, but sometimes feel the need to respond to claims about trans folks that I feel come from a place of ignorance rather than bigotry or malice, but most of the time I’m proven wrong and they aren’t really interested in the science or whatever they claim, they just want an excuse to say hateful things about us. I’ve had a better than average experience on this website, when it comes to responses.

                                                          1. 6

                                                            I can’t speak for everyone on the side that denies trans identity. Just my group I guess. For us and partly for others, the root of the problem is there is a status quo with massive evidence and inertia about how we categorize gender that a small segment are countering in a more subjective way. We don’t think the counters carry the weight of the status quo. We also prefer objective criteria about anything involving biology or human categorization where possible. I know you’ve heard the details so I’ll spare you that.

                                                            That means there will be people objecting every time a case comes up. If it seems mean, remember that there are leftists who will be quick to counter anything they think shouldn’t be tolerated on a forum (eg language policing) on their principles. For me, I’m just courteous with the pronouns and such since it has no real effect on me in most circumstances: I can default on kindness until forced to be more specific by a question or debate happening. Trans people are still people to me. So, I avoid bringing this stuff up as much as possible.

                                                            The don’t-rock-the-boat, kinder approach would’ve been for the person rejecting the gender claim to just avoid talking about the person he or she didn’t think was a woman and focus on others. The thread would’ve stayed on topic. Positive things would be said about deserving people. And so on. Someone had to stir shit up, though. (Sighs)

                                                            And I agree Lobsters have handled these things much better than other places. I usually like this community even on the days it’s irritating. Relatively at least. ;)

                                                            1. 6

                                                              For us and partly for others, the root of the problem is there is a status quo with massive evidence and inertia about how we categorize gender that a small segment are countering in a more subjective way.

                                                              I know you’re a cool dude and would be more than happy to discuss this with you in private, but I think we all mostly agree that this is now pretty outside the realm of tech, so continuing to discuss it publicly would be getting off topic :) I’ll DM you?

                                                              1. 7

                                                                I was just answering a question at this point as I had nothing else to say. Personally, I’d rather the political topics stay off Lobsters, as I voted in the community guidelines thread. This tangent couldn’t end sooner given how off topic and conflict-creating it is.

                                                                Here’s something for you to try I did earlier. Just click the minus next to Derek’s comment. This whole thread instantly looks the way it should have in first place. :)

                                                              2. 4

                                                                I find the idea that everyone who disagrees with these things should avoid rocking the boat extremely disconcerting. It feels like a duty to rock it on behalf of those who agree but are too polite or afraid for their jobs or reputations to state their actual opinions, to normalize speaking honestly about uncomfortable topics.

                                                                I mean, I also think it’s on topic to debate the political point made by the list.

                                                                1. 4

                                                                  I agree with those points. It’s why I’m in the sub-thread. The disagreement is a practical one a few others are noting:

                                                                  “I mean, I also think it’s on topic to debate the political point made by the list.”

                                                                  I agree. I told someone that in private plus said it here in this thread. Whether we want to bring it up, though, should depend on what the goal is. My goal is the site stays focused on interesting, preferably-deep topics with pleasant experience with minimal noise. There’s political debates and flamewars available all over the Internet with the experience that’s typical of Lobsters being a rarity. So, I’d just have not brought it up here.

                                                                  When someone did, the early response was a mix of people saying it’s off-topic/unnecessary (my side) and a group decreeing their political views as undeniable truth or standards for the forum. Aside from no consensus on those views, prior metas on these things showed that even those people believed our standards would be defined by what we spoke for and against, with silence itself being a vote for something. So, a few of us with different views on the political angle, who still opposed the comment, had to speak to ensure the totality of the community was represented. It’s necessary as long as (a) we do politics here and (b) any group intends to make its politics a standard or enforceable rule. Countering that political maneuvering was all I was doing except for a larger comment where I just answered someone’s question.

                                                                  Well, that plus reinforcing I’m against these political angles being on the site period like I vote in metas. You can easily test my hypothesis/preference. Precondition: A site that’s usually low noise with on-topic, productive comments. Goal: Identify, discuss, and celebrate the achievements of women on a list or in the comments maintaining that precondition. Test: count the comments talking about one or more women versus the gender identity of one (aka political views). It’s easier to visualize what my rule would be like if you collapse Derek’s comment tree. The whole thread meets the precondition and goal. You can also assess those active more on politics than the main topic by adding up who contributed something about an undisputed woman in CompSci and who just talked about the politics. Last I looked, there were more users doing the politics than highlighting women in CompSci as well. Precondition and goal failed on two measurements early on in discussion. There’s a lot of on-topic comments right now, though, so leaned back in good direction.

                                                                  Time and place for everything. I’d rather this stuff stay off Lobsters with me only speaking on it where others force it. It’s not like those interested can’t message each other, set up a gender identity thread on another forum, load up IRC, and so on to discuss it. They’re smart people. There’s many mediums. A few of us here just want one to be better than the rest in quality and focus. That’s all. :) And it arguably was without that comment tree.

                                                                2. 8

                                                                  So, I avoid bringing this stuff up much as possible.

                                                                  Keep working on this

                                                                  1. 2

                                                                    The don’t-rock-the-boat, kinder approach would’ve been for the person rejecting the gender claim to just avoid talking about the person he or she didn’t think was a woman and focus on others. The thread would’ve stayed on topic. Positive things would be said about deserving people.

                                                                    Do you believe the most deserving will be talked about most? If you have a population that talks positively about people whether or not they are trans, and you have a smaller population that talks only about non trans people and ignores the trans people, Which people will be talked about most in aggregate? It isn’t kinder to ignore people and their accomplishments.

It is also very strange for technology people to reject a technology that changes your gender. What if you had a magic gun and you could be a woman for a day, and then be a man the next, why the hell not? We have a technology now where you can be a man or a woman or neither or both if you wanted to. Isn’t technology amazing? You tech person you!

                                                        1. 5

                                                          I’m unconvinced that the size of binaries is correlated at all with any metric people actually care about. Anecdotally, people used to write games in assembly, and then C++ - both languages that produce reasonably sized binaries, but nowadays it’s common to include interpreters (lua, etc), drivers for many different controllers, whatever crap the unity standard library includes, etc. This is great for dev productivity, but has no value to the consumer (or even negative value, since they need to download all of that).

                                                          I know that this is mentioned in the post, but I think that it completely undermines the point of all of the analysis that uses binary size.

                                                          1. 2

                                                            It’s mostly the size of the assets. Binaries are nothing compared to them.

                                                            1. 1

                                                              C++ - both languages that produce reasonably sized binaries

                                                              Wait, what?

                                                              Including a single template in your C++ code can easily dwarf the size of the Lua interpreter.

                                                            1. 6

                                                              What am I looking at?

                                                                1. 3

                                                                  We don’t discuss all of our security processes and technologies in specific detail for what should be obvious reasons

                                                                  isn’t that worrisome?

                                                                  1. 5

                                                                    When it’s related to spam mitigation it’s not unusual.

                                                                  2. 2

                                                                    That’s a little worrisome. They built an auto nuker, but didn’t think about what next? Whether it’s a false positive or not, “what if it’s republished?” should be part of the checklist. What if it really were malicious? I just keep retrying until I find a version that sticks.

                                                                  3. 4

                                                                    The left-pad thing happened again.

                                                                    1. 2

                                                                      Somebody left padded the safeguards meant to prevent left padding? “no, no, we totally fixed it by adding a ‘are you sure you want to fuck everybody?’ confirmation to the delete command.”

                                                                      1. 1

                                                                        Has anyone written up the impact this time around?

                                                                    1. 9

                                                                      There’s an incredible lengthy reply in this thread, which is completely made up.

The thing is that to run those 1 & 0, it has to, technically, store them in a physical way so that it can be passed through to what’s next. As it’s 0 & 1, it’s not encrypted or protected. It’s pure raw data. The encryption and protection are usually done after the data has passed through the processor… by a task handled by the processor (ironically). Now, what they have “found” (which is false. it has been known since the 80’s) is that it’s possible to access this raw data by force feeding some 0 & 1 to the processor which can be hidden in anything and makes it start a hidden small software which, for example, could send a copy of the raw data through the web.

                                                                      Fascinating.

                                                                      1. 8

                                                                        It’s not just completely made up, it’s gibberish.

                                                                        1. 3

                                                                          This almost sounds like it was written by some AI…

                                                                          1. 3

                                                                            Looks more like a markov chain to me.

                                                                        2. 1

                                                                          I saw hints of the truth in there which I thought were pretty funny. Like the bit about force feeding 1s and 0s I assumed was referring to specially crafted instructions to starve the CPU cache or trick the branch predictor or something. Hilarious.

                                                                          Permalink for those who want it: https://www.epicgames.com/fortnite/forums/news/announcements/132642-epic-services-stability-update?p=132713#post132713

                                                                        1. 3

                                                                          Oh, thanks! Yuki was me, I changed my name. o7

                                                                          1. 4

                                                                            Any guesses as to how this could happen?

                                                                            There must be some timing involved because of how you need to press the button quickly, but I am struggling to think of why you would put any timing code in there at all apart from exponential backoff, which would result in things slowing down, not passing.

                                                                            Maybe some wacky timing attack protection that bugged out?

                                                                            1. 2

My experimenting didn’t reveal any timing element; it worked consistently for me without any kind of trickery.

                                                                              1. 1

                                                                                Yeah, I’ve been puzzling over this. I simply do not understand how this happens. Assuming it’s not an intentional backdoor left by a departing employee (which I doubt), it has to be related to something in Directory Services? I am really at a loss.

                                                                              1. 12

                                                                                As a Linux user, I don’t really care, because I’ve lived with the knowledge that my screen locker (whatever the local DE’s substitute for xscreensaver is) has been totally busted(*) for years without it really bothering me.

                                                                                (* by which I mean, multiple times it has manifested security vulns wherein mashing randomly on the keyboard for a bit would crash the screen locker and unlock the screen)

                                                                                Something something if you have access to the hardware you can just futz with it anyway.

                                                                                1. 5

                                                                                  Something something if you have access to the hardware you can just futz with it anyway.

A critical difference here is that “you can futz with the hardware” is something you’d need at least some knowledge and some equipment to do, not necessarily much of each, but you need to know what you’re doing.

                                                                                  You can fit the instructions for this exploit in a single tweet.

                                                                                  1. 2

                                                                                    Very much this, but:

                                                                                    You can fit the instructions for this exploit in a single tweet.

                                                                                    That has also been the case for many other exploits of that kind, independent of operating system, with or without a graphical shell.

                                                                                    Screen locking seems to be a surprisingly nasty problem, even all smartphone platforms have had similar issues.

                                                                                  2. 4

                                                                                    This one is accessible remotely.

                                                                                    1. 3

                                                                                      Oh, it is? The exploit described here sounds like you need local access. This is interesting.

                                                                                      Is it exploitable via RDP or VNC or something if you have screen sharing turned on, and if so do you need to log in as an ordinary user account first?

                                                                                      1. 3

                                                                                        Screen sharing is indeed the remote exploit vector, [1] [2]. You don’t need to log in as an ordinary user account first.

                                                                                        1. 3

                                                                                          Does Remote Login allow SSH’ing in as root? I’m not familiar with the default macOS config.

                                                                                          1. 2

                                                                                            I don’t know, but you could enable it pretty trivially.

                                                                                            1. 1

                                                                                              I did try after enabling SSH to “All Users” and it didn’t allow me to log in as root.

                                                                                            2. 2

                                                                                              Thank you for elaborating. Yeah that’s genuinely scary. Good reason to leave screen sharing turned off I guess. :x

                                                                                        2. 3

Another reason to consider a Wayland compositor? I’ve got Wayland and Weston with xwayland compatibility running on my media PC right now. Seems to work pretty well.

                                                                                          1. 2

                                                                                            Yeah I’m hoping Wayland fixes this properly by using a protocol for screen locking that is not intrinsically silly like X11’s is. I assume it does (why would Wayland devs bother to copy such an obvious misfeature of X11?), but I haven’t checked.

                                                                                          2. 1

                                                                                            You’re perhaps referring to gnome-screensaver https://www.jwz.org/blog/2015/04/i-told-you-so-again/ ?

                                                                                            How is light-locker’s track-record? KDE’s thing?

                                                                                            I still use xscreensaver on Xubuntu 17.10. I have a feeling jwz has a better track-record than all of the above, but it’s probably not perfect either …

                                                                                            1. 3

                                                                                              Yes. I don’t know about the others’ record but I’d be surprised if it was perfect. xscreensaver can’t do a perfect job here either because it, like any process, could be arbitrarily killed by something like an OOM killer or a hardware bug causing SIGBUS to be emitted in it.

                                                                                              The underlying problem is that X11’s protocol for screen lockers is silly: the screen unlocks when the locker quits for any reason at all. jwz asserts that gnome-screensaver ought to take more care about crash proofing in light of that, which I can’t dispute. Solving the root problem is going to be much more robust anyway though.

                                                                                              The 2004 article on this is much better BTW: https://www.jwz.org/xscreensaver/toolkits.html

                                                                                          1. 4

                                                                                            This seems like a very bad idea for security in DNS stuff - an entire programming language, even if sandboxed, is a recipe for trouble.

                                                                                            1. 1

                                                                                              Given this all happens on the authority side, I’m not sure I see a huge potential for impact.

                                                                                            1. 1

                                                                                              It occurs to me the eop_malloc demonstrated doesn’t ensure any alignment for the result (or rather, guarantees certain unalignments depending on the size requested).
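As an added illustration of the alignment point above (this is example code written for this thread, not the eop_malloc from the linked article; the names `eop_malloc_naive`, `eop_malloc_aligned` and `eop_free` are hypothetical): a minimal end-of-page allocator that maps one writable page followed by a PROT_NONE guard page, so an overflow by even one byte faults. Placing the object at `page_end - size` gives exactly that property, but the returned pointer is aligned only when `size` happens to be a multiple of the alignment. Rounding the size up to the alignment first fixes the pointer at the cost of a few bytes of slack between the end of the object and the guard page, which is the trade-off the comment is pointing at. Assumes a POSIX system with mmap/mprotect.

```c
/* Added example, not the linked article's eop_malloc: end-of-page
 * allocation with and without alignment. Names are hypothetical. */
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t page_size(void) {
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Map one RW data page followed by one PROT_NONE guard page.
 * Returns the address of the data page, or NULL on failure. */
static uint8_t *map_data_and_guard(void) {
    size_t ps = page_size();
    uint8_t *base = mmap(NULL, 2 * ps, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    /* Guard page: any access past the data page faults. */
    if (mprotect(base + ps, ps, PROT_NONE) != 0) {
        munmap(base, 2 * ps);
        return NULL;
    }
    return base;
}

/* Naive placement: the block ends exactly at the guard page, so an
 * off-by-one overflow faults, but the pointer is aligned only when
 * size is a multiple of the alignment the caller needs. */
void *eop_malloc_naive(size_t size) {
    size_t ps = page_size();
    if (size == 0 || size > ps) return NULL;
    uint8_t *base = map_data_and_guard();
    return base ? base + ps - size : NULL;
}

/* Aligned variant: round size up to a power-of-two alignment first.
 * The pointer is now aligned; up to align-1 bytes of slack sit
 * between the object's end and the guard page. */
void *eop_malloc_aligned(size_t size, size_t align) {
    size_t ps = page_size();
    if (size == 0 || align == 0 || (align & (align - 1)) != 0) return NULL;
    size_t rounded = (size + align - 1) & ~(align - 1);
    if (rounded > ps) return NULL;
    uint8_t *base = map_data_and_guard();
    return base ? base + ps - rounded : NULL;
}

/* Both variants keep the object inside one data page, so the mapping
 * base is the page containing p. */
void eop_free(void *p) {
    if (!p) return;
    size_t ps = page_size();
    uintptr_t base = (uintptr_t)p & ~(uintptr_t)(ps - 1);
    munmap((void *)base, 2 * ps);
}

/* Offset of p from the previous multiple of align (0 means aligned). */
size_t misalignment(const void *p, size_t align) {
    return (size_t)((uintptr_t)p % align);
}

int main(void) {
    void *a = eop_malloc_naive(7);         /* 9 bytes past a 16-byte boundary */
    void *b = eop_malloc_aligned(7, 16);   /* 16-byte aligned, 9 bytes of slack */
    size_t ma = misalignment(a, 16), mb = misalignment(b, 16);
    eop_free(a);
    eop_free(b);
    return (ma == 9 && mb == 0) ? 0 : 1;
}
```

Writing past the end of `b` by fewer than the slack bytes will not fault, which is why a guard-page allocator that promises alignment detects one-byte overflows only for sizes that are already multiples of the alignment.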

                                                                                              1. 6

                                                                                                Very weird to see Haskell in Industry language and OCaml in Academic, no?

                                                                                                1. 1

                                                                                                  It does mirror my experience. While you do see some applications of OCaml in industry (Jane Street et al), I’ve observed Haskell to have more real-world penetration simply because the ecosystem is more mature. (Not having multiple core libraries to choose from, what feels like a more stable toolchain, etc. probably helps.)

                                                                                                1. 17

                                                                                                  Denial of service seems like a better description than privilege escalation. In the taxonomy of bad stuff, the latter usually implies getting to do something more interesting than halt.

                                                                                                  1. 4

                                                                                                    the fact that we found this accidentally and that the behavior is exactly what you’d expect if there were no permissions check for the kill call at all leads us to believe that there is likely more that can be done to exploit this issue

                                                                                                    There’s nothing found yet, but it does give cause for some concern that the means of denying service is what appears to be escalation.

                                                                                                    1. 4

                                                                                                      I was part of the team helping Shea to research and disclose the issue. One key finding was in the logs we saw <unprivileged user> killed <privileged process>, indicating that we hadn’t tripped just a crashing bug, but actually escalated beyond the normal access control protections of kill.

                                                                                                      1. 9

                                                                                                        Privilege escalation is when you increase the abilities of the attack code to do what a higher-privileged account or process can do in arbitrary ways. This includes opening, modifying, and/or destroying resources. Merely terminating a resource is a Denial of Service (DOS) attack on that resource. The title is wrong.

                                                                                                        1. 3

Using Privilege Escalation instead of DoS in the title is still misleading. Most people assume that something marketed as Privilege Escalation leads to at the very least reading or writing resources owned by root. I can already kill privileged processes by running shutdown (I know that’s not the point, but killing ALL the system’s processes is still far from running code as root).
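The sub-thread turns on what kill(2)’s permission check is supposed to guarantee: an unprivileged process signalling a process owned by another user gets EPERM. As an added example (written for this thread, not taken from the linked disclosure; `probe_kill` and `kill_check_missing` are hypothetical names), the probe below uses signal 0, which POSIX defines as performing the permission and existence checks without delivering anything, to ask the kernel whether it would allow the call. On a correctly enforcing kernel a non-root user is allowed to signal its own process, gets EPERM for pid 1, and ESRCH for a pid that does not exist; a non-root result of “allowed” for a foreign root-owned pid is the no-permission-check behaviour the commenter describes.

```c
/* Added example, not from the linked advisory: probe kill(2)'s
 * permission check with signal 0. Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum kill_probe { KILL_ALLOWED, KILL_DENIED, KILL_NO_PROCESS, KILL_OTHER };

/* Ask the kernel whether we may signal pid, without sending a signal.
 * Signal 0 runs the same checks as a real signal and delivers nothing. */
enum kill_probe probe_kill(pid_t pid) {
    if (kill(pid, 0) == 0) return KILL_ALLOWED;
    switch (errno) {
    case EPERM: return KILL_DENIED;
    case ESRCH: return KILL_NO_PROCESS;
    default:    return KILL_OTHER;
    }
}

/* Returns 1 if an unprivileged caller is allowed to signal foreign_pid,
 * i.e. the behaviour expected when the permission check is absent.
 * As root the result carries no information, so it returns 0. */
int kill_check_missing(pid_t foreign_pid) {
    if (geteuid() == 0) return 0;
    return probe_kill(foreign_pid) == KILL_ALLOWED;
}

int main(void) {
    /* Expected as a non-root user on an enforcing kernel:
     * self -> KILL_ALLOWED (0), pid 1 -> KILL_DENIED (1), missing check -> 0 */
    printf("self: %d, pid 1: %d, missing check: %d\n",
           probe_kill(getpid()), probe_kill(1), kill_check_missing(1));
    return 0;
}
```

The probe distinguishes the DoS reading (you can only terminate things) from the stronger claim in the thread: if an unprivileged probe of a root-owned pid returns allowed, the access-control decision itself is wrong, regardless of which signal is later sent.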

                                                                                                      1. 8

                                                                                                        Another GitHub aspect I dislike is that it turns into a “social coding” platform, where people “share much more than code”. It feels like a social network, and I do not want a git + facebook mix.

                                                                                                        1. 7

                                                                                                          Wow, I’ve not seen anything like it becoming facebookey. Do you have some examples on this?

                                                                                                          1. 13
                                                                                                            • automatic feed of what other users liked (on the home page while connected),
                                                                                                            • on-site notifications,
                                                                                                            • “like buttons” for projects (stars),
                                                                                                            • “react with emoji” buttons on comments,
                                                                                                            • emojis everywhere
                                                                                                            • rich user profile pages
                                                                                                            • follow users, projects

                                                                                                            It seems it only lacks the private messaging. There are already in-github-issue blogs.

                                                                                                            1. 13

                                                                                                              I actually like the stars, which I use for bookmarking. I regularly get the latest releases of starred repositories with a script.

                                                                                                              Not a fan of emojis though.

                                                                                                              1. 3

That darn subset of Unicode!

                                                                                                                1. 1

                                                                                                                  Thank you, this is useful. :)

                                                                                                                2. 13

                                                                                                                  I consciously don’t reply to all, as much of it - IMHO - is very much up to taste.

                                                                                                                  automatic feed of what other users liked (on the home page while connected),

                                                                                                                  I know quite a few people using that for discovery.

                                                                                                                  on-site notifications,

                                                                                                                  I like them, because they don’t drop down my inbox. I use both them and the (really well implemented) emails.

                                                                                                                  “react with emoji” buttons on comments,

They are literally a wanted feature. Before having them, issues were full of people posting “+1”, “no”, etc., which trashed everyone’s email inbox.

                                                                                                                  It seems it only lacks the private messaging. There are already in-github-issue blogs.

                                                                                                                  Fun fact: they used to have that. It was killed off in… 2010something?

                                                                                                                  1. 3

                                                                                                                    much of it - IMHO - is very much up to taste

                                                                                                                    Yes. :-)

                                                                                                                    Most of these features happen to be convenient.

                                                                                                                    Maybe blurring the line with social networks is a side effect of trying to make collaboration better…

IIRC, they added emoji reactions to messages to prevent people putting “+1”-only messages to tell they are really eager to see a new feature implemented.

GitHub is a good answer to what people ask, and I am OK with what people ask for. I do not ask the same thing (just a Git server + gitweb or alike) but still have an account as I find all I need with GitHub, and it is required to comment on issues.

                                                                                                                    1. 1

                                                                                                                      It was killed off in… 2010something?

                                                                                                                      Pretty close: April 2012. No-one wanted another inbox to check.

                                                                                                                      1. 1

                                                                                                                        Ah, the fork queue… good old times.

                                                                                                                    2. [Comment removed by author]

                                                                                                                      1. 1

                                                                                                                        You are right, we need these features. This makes the platform evolve as they are added, and makes using GitHub as a social network possible.

                                                                                                                        As long as it is possible to use GitHub without the “social” features in the way, then I have no problem with it. :)

                                                                                                                      2. 2

Those things don’t annoy me, I actually like to know if someone follows me, it’s good for my ego. I don’t have any crazy big projects though, maybe after a certain point the notifications become too frequent? I’m sure you can turn them off or ignore them though?

                                                                                                                        1. 2

                                                                                                                          turn them off or ignore them

Yes, exactly. So this is no big trouble fortunately. I can mostly ignore the platform and work as if I got commits through e-mail on a mailing list.