Threads for mseri

  1. 3

    This was the topic for my internship back in 2017 working on the Reason compiler–integrating ppx_show into the language. I’m glad it has finally arrived (albeit in a different form) in OCaml.

    1. 2

      What do you mean? Pretty printers have been there for ages (the article is from 2017 but the fmt library has been there since 2015) and the possibility to install pretty printers in the toplevel is earlier than that

      1. 4

        The goal was to automatically install a to_string function for every type created, not just in the top level. In normal execution

        1. 2

          Oh, I see. Neat!

    1. 2

      This version is incredibly better on my Mac! The first usable one since the move away from X11

      1. 3

        What/where is OCaml used? What is the language like, compared to “mainstream” things? I think I sometimes see mentions of OCaml on my Linux day-to-day, but I don’t know much beyond that.

        Is it something used a lot, or is it very niche (kinda like Rust vs Zig maybe)?

        1. 5

          Comparing it to more mainstream things: it’s a bit like Go, in that it’s an ahead-of-time compiled language that can produce fast, native binaries, but with a runtime that includes a garbage collector.

          It’s a strictly evaluated imperative language, and you can read the code and predict quite accurately what instructions the compiler will produce. You can also write in a pretty high-level functional style: OCaml has a very wide range from “high level” to “low level” coding. You basically never have to call out to C in order to do something “fast enough,” as long as you avoid heap allocations (the GC only runs in response to heap allocation, you can get a very strongly typed language without any runtime overhead if you’re careful).

          It also has a type system reminiscent of Haskell’s, which means you can make massive changes to large codebases pretty fearlessly. But — unlike Haskell — OCaml supports implicit side effects (like most languages), so it doesn’t have much of a learning curve. It also lacks typeclasses, and most of the other fancy type system things that make Haskell tricky to learn.

          OCaml also has a shockingly good JavaScript backend — you can compile OCaml code to JS and use that to share code between client and server, if you’re doing web stuff. Autogenerate correctly typed APIs and stuff (if, you know, your only clients are also using OCaml). I don’t know any other language that comes close here.

          Subjectively: OCaml is a very ugly language, with lots of weird syntax and strange language warts. But if you can look past that, it’s a very practical language. It’s not fun the way that Haskell is, but it’s old and stable and works well, and the type system is the best you’re going to find in an imperative language. (Reason — an attempt to provide an alternate syntax for the OCaml compiler — was disappointingly incomplete the last time I checked. Don’t know if it’s still a thing.)

          But the community is very small. Jane Street publishes some very thorough libraries covering all the basic stuff — containers, async scheduling, system IO, etc — but coverage for what you might think of as basic necessities (especially if you’re doing web development) is a lot more spotty.

          So it occupies sort of a weird place in the world. It’s a solid, conservative, relatively performant language. But you probably don’t want to build a product on top of it, because hiring will be pretty expensive. And I don’t think it’s particularly interesting from a mind-expanding point of view — Haskell has a lot more bang for the buck there.

          1. 2

            It’s a strictly evaluated imperative language

            What’s your definition of imperative? If you limit “functional” to “pure”, then it’s quite against the mainstream opinion that classifies Scheme and often even CommonLisp as “functional”. Presence of mutable values does not make a language non-functional—absence of support for first-class functions and primitives for passing immutable values between them does.

            Most real-life OCaml code, at least in public repositories, is as functional as typical Haskell, i.e. centered around passing an immutable state around, with wide use of benign side effects (like logging) and occasional use of mutable values when it’s required for simplicity or efficiency.

            (For the uninitiated, you need to declare mutable variables or record fields explicitly, by default everything is immutable, unlike in Scheme)

            It also lacks typeclasses, and most of the other fancy type system things that make Haskell tricky to learn.

            What you aren’t saying and what someone who doesn’t know it yet may want to hear is that lack of type classes makes type inference decidable. With any “normal” (non-GADT) types, the compiler will infer types of any value/function automatically. There are no situations when adding an annotation will make ill-typed code well-typed. The only reason to add type annotations is for humans, but humans can as well view them in the editor (via Merlin integration).

            Well, module interfaces do need type annotations. Which is another thing you seem to dismiss: the module system. Functors provide ad hoc polymorphism when it’s required, and their expressive power is greater. My recent use case was to provide a pluggable calendar lib dependency for a TOML library. OCaml is the only production-ready language that allows anything like that.

            But — unlike Haskell — OCaml supports implicit side effects (like most languages), so it doesn’t have much of a learning curve. […] And I don’t think it’s particularly interesting from a mind-expanding point of view — Haskell has a lot more bang for the buck there.

            Not mind-expanding for someone who already saw dependently-typed languages for sure. For someone with only Go or Python background, it’s going to be as mind-blowing as Haskell, or any actually functional language for that matter.

            Technically, it’s possible to write OCaml as if it was Pascal, but it’s neither what people actually do nor something encouraged by the standard library. People will also run into monads pretty soon, whether a built-in one (Option, Result) or in concurrency libs.

            Jane Street publishes some very thorough libraries covering all the basic stuff — containers, async scheduling, system IO

            My impression is that the last time you looked was quite a while ago. Sure they do, but for each of those there’s at least one non-JaneStreet alternative, in the case of Lwt, more popular than the JaneStreet one. Compare the reverse dependencies of Async vs Lwt.

            Sure, that community is still smaller than those of many other languages, but it’s far from “you will never find a lib you need”.

            1. 1

              What’s your definition of imperative? If you limit “functional” to “pure”, then it’s quite against the mainstream opinion that classifies Scheme and often even CommonLisp as “functional”.

              By imperative I mean that OCaml has statements that are executed in order, as opposed to something like Prolog or APL or a (primarily!) expression-oriented language like Haskell. I avoided calling it a “functional language” because I don’t know what that term means to the person I was replying to. I would describe OCaml as functional as well. I don’t think the label is mutually exclusive with imperative.

              What you aren’t saying and what someone who doesn’t know it yet may want to hear is that lack of type classes makes type inference decidable.

              If this tips anyone over the fence into learning OCaml, I will be delightfully surprised :)

              Which is another thing you seem to dismiss: the module system. Functors provide ad hoc polymorphism when it’s required, and their expressive power is greater.

              I think you’re reading more into my comment than is really there. I was trying to give a rough overview of “what is OCaml” to someone who does not know OCaml. The module system is neat. I’m not dismissing it. Typing on a phone takes a long time.

              Not mind-expanding for someone who already saw dependently-typed languages for sure. For someone with only Go or Python background, it’s going to be as mind-blowing as Haskell, or any actually functional language for that matter.

              Yeah, this is fair. If the choice is between OCaml or nothing, definitely study OCaml! But Haskell has a larger community, a lot more learning resources, and will force you to think differently in more ways than OCaml. Which makes it hard to recommend OCaml to someone who is functional-curious, as much as I personally like the language.

              My impression is that the last time you looked was quite a while ago. Sure they do, but for each of those there’s at least one non-JaneStreet alternative, in the case of Lwt, more popular than the JaneStreet one. Compare the reverse dependencies of Async vs Lwt.

              From this response I get the impression that you read my comment as “the only libraries that exist are the ones Jane Street published.” What I meant was to assure the person I was replying to that OCaml has a healthy set of basic libraries available, with an existential proof of that statement.

              Sure, that community is still smaller than those of many other languages, but it’s far from “you will never find a lib you need”.

              We are in complete agreement here.

            2. 2

              Subjectively: OCaml is a very ugly language, with lots of weird syntax and strange language warts. But if you can look past that, it’s a very practical language. It’s not fun the way that Haskell is, but it’s old and stable and works well, and the type system is the best you’re going to find in an imperative language.

              the syntax does have its share of odd corners, but i don’t find it ugly on the whole. i quite enjoy working in it. also, having given both a decent try, i found it more fun than haskell, and ultimately it was the fp language i ended up sticking with.

            3. 2

              The “standard” reply is a company called Jane Street, that apparently requires every employee(?) to take a course in OCaml.

              1. 6

                It is not used a lot, but its user base is growing fast recently. Companies/institutions using OCaml also include: Citrix (xenserver), Facebook, Bloomberg (where rescript was born), Tezos, Ahrefs, INRIA (Coq to name one), Aesthetic Integration, Tarides, to name a few. It is used a lot for writing compilers (also Rust started with an OCaml implementation) but it is a pretty good language for system programming, most general purpose programming in fact.

                The community is not huge, so you don’t have as many libraries as other languages do, but the ones that are there are usually pretty solid

              2. 2

                It’s getting fairly popular. I have posted Haskell and OCaml skills in HN Who’s hiring threads, and have been getting tons of emails back lately due to the OCaml part. I have known OCaml (and SML) for a good 15 years, and it has gone from really niche to decently easy to find a job that uses it.

                I think this is due to the increasing popularity of functional programming and modern type systems. Aside from this, Facebook and many others use it for building static analyzers. Furthermore, it’s a good companion for Coq.

                Sadly, Haskell is still quite unpopular, but that’s a topic for another discussion.

                1. 2

                  To complement the sibling replies, consider: OCaml is already a mainstream language. You are most likely to experience it on your desktop through FFTW, a ubiquitous signal-processing library which has been available for a couple decades.

                  1. 1

                    A lot of people have answered your question, I’d also add that F# is a direct descendant of OCaml and shares a lot of the core syntax. It’s probably more widely used than OCaml and seems to be the CLR language that people get the most enthusiastic about.

                  1. 9

                    More info on the September and November monthly reports. The team has made an incredible effort to keep the community updated, great job!

                    1. 3

                      I get a “Video Unavailable: this video is private” message from that link.

                      I think the same content is being uploaded https://watch.ocaml.org/video-channels/ocaml2021/videos to watch after

                      1. 1

                        Indeed, the live stream is no longer available. Maybe the maintainers can replace the link with yours

                      1. 9

                        Sponsors: Warner Music Group, Universal Music Group, DARPA

                        What the fuck ?

                        1. 41

                          It is a joke, it refers to GitHub Copilot and its carelessness about licenses. If you look at the code, you will see that after some sleep time it will serve you back your original file :D

                          1. 4

                            I assumed that there was a real NN behind this satire until I read this thread. I think that the problem here is that the website miscommunicates its purpose.

                            Also I couldn’t find any direct reference to the source code, and a quick search on DuckDuckGo and GitHub doesn’t show up anything.

                            1. 5

                              Is the source code for Copilot available somewhere? I doubt it, but I am wondering whether it would change anything if it were.

                              1. 4

                                Control-U on the webpage

                                I think sometimes we forget that websites are code too

                              2. 5

                                Lame. At least actually train a NN.

                                1. 5

                                  If you receive copyrighted material and process it, in addition to the associated costs and computational power, how much would you risk in legal terms?

                                  1. 3

                                    Copyrighted material must be processed in order to play it; by the very nature of how computers work the material must be copied in part or in full a number of times during processing - there is an actual exemption in copyright law to allow for this, otherwise the very act of playing back material would be illegal by the letter of the law.

                                  2. 4

                                    Q: What would the NN actually do? You want just enough learning/wiggle room for it to be controversial like Microsoft Copilot, methinks. Perhaps a NN that generates a song inspired by the input song, with a slider for how similar you want the song to be.

                                    Then you could break it down by degree - at what point is the song “the same song with a note or two different”, vs “a different song that shares most of the notes”?

                              1. 35

                                If there are any questions or remarks, I am right here!

                                1. 15

                                  I wish I could invite this story multiple times. The perfect combination of being approachable, while still being packed with (to me) new information. Readable without ever being condescending.

                                  One thing I learned was that DNA printers are a thing nowadays. I had no idea. Are these likely to be used in any way by amateur hackers, in the sense that home fusion kits are fun and educational, while never being useful as an actual energy source?

                                  1. 14

                                    So you can actually paste a bit of DNA on a website and they’ll print it for you. They ship it out by mail in a vial. Where it breaks down is that before you inject anything into a human being... you need to be super duper extra totally careful. And that doesn’t come from the home printer. It needs labs with skilled technicians.

                                    1. 7

                                      Could any regular person make themselves completely fluorescent using this method? Asking for a friend.

                                    2. 5

                                      You may be interested in this video: https://www.youtube.com/watch?v=2hf9yN-oBV4 Someone modified the DNA of some yeast to produce spider silk. The whole thing is super interesting (if slightly nightmarish at times if you’re not a fan of spiders).

                                      1. 2

                                        So that’s going to be the next bioapocalypse then. Autofermentation but where as well as getting drunk, you also poop spider silk.

                                    3. 8

                                      Love the article. Well done.

                                      1. 5

                                        Thanks for the awesome article! Are there any specific textbooks or courses you’d recommend to build context on this?

                                        1. 12

                                          Not really - I own a small stack of biology books that all cover DNA, but they cover it as part of molecular biology, which is a huge field. At first I was frustrated about this, but DNA is not a standalone thing. You do have to get the biology as well. If you want to get one book, it would have to be the epic Molecular Biology of the Cell. It is pure awesome.

                                          1. 2

                                            You can start with molecular biology and then a quick study of bio-informatics should be enough to get you started.

                                            If you need a book, I propose this one, it is very well written IMO and covers all this stuff.

                                          2. 2

                                            Great article! I just have one question. I am curious why this current mRNA vaccine requires two “payloads” ? Is this because it’s so new and we haven’t perfected a single shot or some other reason?

                                            1. 2

                                              As I understand it[1] a shot of mRNA is like a blast of UDP messages from the Ethernet port — they’re ephemeral and at-most-once delivery. The messages themselves don’t get replicated, but the learnt immune response does permeate the rest of the body. The second blast of messages (1) ensures that the messages weren’t missed and (2) acts as a “second training seminar”, refreshing the immune system’s memory.

                                              [1] I’m just going off @ahu’s other blogs that I’ve read in the last 24 hours and other tidbits I’ve picked up over the last 2 weeks, so this explanation is probably wrong.

                                              1. 2

                                                It’s just the way two current mRNA vaccines were formulated, but trials showed that a single shot also works. We now know that two shots are not required.

                                                1. 2

                                                  The creators of the vaccine say it differently here: https://overcast.fm/+m_rp4MLQ0 If I remember correctly, they claim that one shot protects you but doesn’t prevent you from being infectious, while the second makes sure that you don’t infect others

                                                2. 1

                                                  Not an expert either, but I think this is linked to the immune system response; like with some other vaccines, the system starts to forget, so you need to remind it what the threat was.

                                                3. 1

                                                  Is there any information on pseudouridine and tests on viruses incorporating it in their DNA?

                                                  The one reference in your post said that there is no machinery in cells to produce it, but the wiki page on it says that it is used extensively in the cell outside of the nucleus.

                                                  It seems incredibly foolhardy to send out billions of doses of the vaccine without running extensive tests since naively any virus that mutated to use it would make any disease we have encountered so far seem benign.

                                                  1. 1

                                                    From https://en.wikipedia.org/wiki/Pseudouridine#Pseudouridine_synthase_proteins:

                                                    Pseudouridine are RNA modifications that are done post-transcription, so after the RNA is formed.

                                                    That seems to mean (to me, who is not a biologist) that a virus would have to grow the ability to do/induce such a post-processing step. Merely adding Ψ to sequences doesn’t provide a virus with a template to accelerate such a mutation.

                                                    1. 1

                                                      And were this merely a nuclear reactor or adding cyanide to drinking water I’d agree. But ‘I’m sure it will be fine bro’ is how we started a few hundred environmental disasters that make Chernobyl look not too bad.

                                                      ‘We don’t have any evidence because it’s obvious so we didn’t look’ does not fill me with confidence given our track record with biology to date.

                                                      Something like pumping rats with pseudouridine up to their gills, then infecting them with rat HIV for a few dozen generations and measuring if any of the virus starts incorporating pseudouridine in its RNA, would be the minimum study I’d start considering as proof that this is not something that can happen in the wild.

                                                      1. 2

                                                        As I mentioned, I’m not a biologist. For all I know they did that experiment years ago already. Since multiple laymen on this forum came up with that concern within a few minutes of reading the article, I fully expect biologists to be aware of the issue, too.

                                                        That said, in a way we have that experiment already going on continuously: quickly evolving viruses (such as influenza) that mess with the human body for generations. Apparently they encountered pseudouridine regularly (and were probably at times exposed to PUS1-5 and friends that might have swapped out a U for a Ψ in a virus accidentally) but still didn’t incorporate it into their structure despite the presumed improvement to their fitness (while eventually leading our immune system to incorporate a response to that).

                                                        Which leaves me to the conclusion that

                                                        1. I’d have to dig much deeper to figure out a comprehensive answer, or
                                                        2. I’ll assume that there’s something in RNA processing that makes it practically impossible for viruses to adopt that “how to evade the immune system” hack on a large scale.

                                                        Due to lack of time (and a list of things I want to do that already spans 2 or 3 lifetimes) I’ll stick to 2.

                                                  2. 1

                                                    I enjoyed the article, reminded me of my days at the university :-)

                                                    So here are some quick questions in case you have an answer:

                                                    • Where does the body store info about which proteins are acceptable vs not?
                                                    • How many records can we store there?
                                                    • Are records indexed?
                                                    • How does every cell in the body get this info?
                                                    1. 12

                                                      It is called negative selection. It works like this:

                                                      1. The body creates lots of white blood cells by random combination. Each cell has random binding sites binding to specific proteins and will attack them.
                                                      2. Newly created white blood cells are set loose in a staging area, which is presumed to be free of threats. All cells triggering an alarm in the staging area kill themselves.
                                                      3. White blood cells, negatively selected not to react to the body itself, mature and are released to production.
                                                      1. 1

                                                        Interesting, thanks for sharing!

                                                      2. 5

                                                        How does info spread through the body

                                                        I came across this page relatively recently and it really blew my mind.

                                                        glucose is cruising around a cell at about 250 miles per hour

                                                        The reason that binding sites touch one another so frequently is that everything is moving extremely quickly.

                                                        Rather than bringing things together by design, the body can rely on high-speed stochastic events to find solutions.

                                                        This seems related, to me, to sanxiyn’s post pointing out ‘random combination’ - the body:

                                                        • Produces immune cells which each attack a different, random shape.
                                                        • Destroys those which attack bodily tissues.
                                                        • Later, makes copies of any which turn out to attack something that was present.

                                                        This constant, high-speed process can still take a day or two to come up with a shape that’ll attack whatever cold you’ve caught this week - but once it does, that shape will be copied all over the place.

                                                        1. 2

                                                          I did some projects in grad school with simulating the immune system to model disease. Honestly we never got great results because a lot of the key parameters are basically unknown or poorly characterized, so you can get any answer you want by tweaking them. Overall it’s less well understood than genetics, because you can’t study the immune system in a petri dish. It’s completely fascinating stuff though: evolution built a far better antivirus system for organisms than we could ever build for computers.

                                                      1. 1

                                                        In an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor.

                                                          1. 2

                                                            Strange, for me the page works but not the archive. I have made a new snapshot on the web archive, just in case: https://web.archive.org/web/20201218113458/https://www.reuters.com/article/us-usa-cyber-breach-idUSKBN28R2ZJ

                                                          1. 6

                                                            Couldn’t Apple avoid this mess by making a local cache of approved certs on each Mac and updating it periodically? I.e. the same thing APT does for package metadata (for all packages available in enabled repositories). You can search the cache (with apt search or apt-cache search) without contacting any servers. Only, in the case of Apple, it wouldn’t be a cache of package metadata, but a cache of approved developer certs. Then they could check all the apps without contacting any servers. This way both privacy and performance concerns are addressed. It would also allow users to launch programs during server downtime.

                                                            1. 8

                                                              That is indeed what they do, for security reasons they don’t require an explicit action from the user to refresh the cache, but they do have a cache, and only check it if a certain amount of time has passed. From the article:

                                                              I should also add that after closing Firefox and opening it again, no requests were made. This is reasonable, and indicates that certificate checking isn’t performed at each launch but only after it hasn’t been performed for a certain period of time.

                                                              1. 6

                                                                That’s a different thing though. I’m talking about a cache of certificates, while the article seems to be talking about a cache of cert check responses. It means that server still gets some metadata about what programs the user launches. It’s also unclear why in this case people started having problems launching any non-Apple programs during server downtime.

                                                                1. 1

                                                                  It needs to check in with the OCSP server occasionally to see whether the developer certificate has been revoked, and the only way to check using OCSP is to send the developer certificate to the OCSP server.

                                                                  People started having problems because the OCSP server was reachable, but never responded with an OK, presumably because it was being overloaded by new Big Sur requests.

                                                                  1. 4

                                                                    yakubin meant to have a full copy of all certificates on the computer and update that in full every so often. Therefore no data about individual apps is sent over the network when launching an app.

                                                                    1. 2

                                                                      One could also use the Google safe links algorithm where a partial hash of the app is sent and a bunch of responses is sent back such that the server doesn’t know which apps the client is actually using.

                                                                      1. 2

                                                                        That only solves the privacy issue. It doesn’t solve the problem of the time needed to launch an app and reliability of the system in the face of server downtime or packets dropped by a firewall. Generally, I don’t think that execve on its own should ever prompt any network communication.

                                                                        EDIT: Your solution, by introducing frequent collisions, makes the whole mechanism essentially useless. Now you can’t differentiate between detected malware and legitimate software. To make it work at this point, you need to send the full hash to the server, defeating the point. I misunderstood, see @pgeorgi’s reply.

                                                                        1. 4

                                                                          Your solution, by introducing frequent collisions, makes the whole mechanism essentially useless. Now you can’t differentiate between detected malware and legitimate software. To make it work at this point, you need to send the full hash to the server, defeating the point.

                                                                          The solution works like this: Client to server: I have a hash here, starting with 12. Server to client: I have a set of good hashes 1234, 1235, 1237 and bad hashes 1236, 1239. This set is good for 24 hours.

                                                                          That way the server or a listener can’t infer which hash is specifically requested while the client gets precise information to work with (plus some more that they probably won’t need).

                                                                          1. 1

                                                                            I stand corrected. Still, it solves only one of the issues.

                                                                            1. 2

                                                                              Sure, it doesn’t solve all the issues, but some minor additions can. I think there are two reasonable approaches:

                                                                              1. Periodically receive the total list of revoked certs from Apple (which is presumably not huge).
                                                                              • benefit: privacy
                                                                              • cost: latency (it takes a while for clients to discover that an application is bad), potentially bandwidth, though it’s probably fine.
                                                                              2. Use OCSP but with some privacy preserving measures, like the safe search thing.
                                                                              • benefit: latency, bandwidth
                                                                              • cost: you have to decide what to do if you can’t get at the server, but that’s not super hard: timeout fast; and cache results.

                                                                              If Apple had just set a really small timeout on their request, this OCSP system would have worked fine and no one would have noticed this outage.
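The prefix-query exchange pgeorgi describes a few comments up, combined with the fast timeout and result cache from the second approach in this comment, as an added example: this is not code from the thread, from Apple's notarization service or from Google's Safe Browsing implementation. The server, the app "hashes" (SHA-256 of made-up labels), the 24-hour bucket lifetime and the delay knob used to simulate a hung server are all constructed for the demo; the client discloses only a two-hex-character prefix and gives up after its timeout instead of blocking the launch.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Status is what the server knows about one signing-certificate (or binary) hash.
type Status int

const (
	Unknown Status = iota
	Good
	Revoked
)

// Bucket is the reply: every known hash with the queried prefix, cacheable until Expires.
type Bucket struct {
	Entries map[string]Status
	Expires time.Time
}

// Server stands in for the revocation service; Delay (constructed knob) simulates a
// server that is reachable but never answers in time, as in the outage discussed above.
type Server struct {
	Known map[string]Status
	Delay time.Duration
}

// Lookup only ever sees the prefix, so the server cannot tell which hash the client wants.
func (s *Server) Lookup(prefix string, now time.Time) Bucket {
	time.Sleep(s.Delay)
	b := Bucket{Entries: map[string]Status{}, Expires: now.Add(24 * time.Hour)}
	for h, st := range s.Known {
		if strings.HasPrefix(h, prefix) {
			b.Entries[h] = st
		}
	}
	return b
}

// Client sends a prefix, caches each bucket until it expires, and gives up fast.
type Client struct {
	srv       *Server
	prefixLen int // hex characters disclosed to the server
	timeout   time.Duration
	cache     map[string]Bucket
}

func NewClient(srv *Server, prefixLen int, timeout time.Duration) *Client {
	return &Client{srv: srv, prefixLen: prefixLen, timeout: timeout, cache: map[string]Bucket{}}
}

// Check classifies a full hash. fromNetwork reports whether a fresh bucket was fetched;
// on timeout it returns Unknown at once and the caller picks the policy for that case.
func (c *Client) Check(full string, now time.Time) (st Status, fromNetwork bool) {
	prefix := full[:c.prefixLen]
	if b, ok := c.cache[prefix]; ok && now.Before(b.Expires) {
		return b.Entries[full], false // absent key yields Unknown (the zero value)
	}
	ch := make(chan Bucket, 1) // buffered: a late reply never blocks the goroutine
	go func() { ch <- c.srv.Lookup(prefix, now) }()
	select {
	case b := <-ch:
		c.cache[prefix] = b
		return b.Entries[full], true
	case <-time.After(c.timeout):
		return Unknown, false // fail fast rather than hang the launch
	}
}

func hashOf(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// SampleServer is a constructed fixture: SHA-256 of made-up labels, not real identifiers.
func SampleServer() *Server {
	return &Server{Known: map[string]Status{
		hashOf("good-app-1"):    Good,
		hashOf("good-app-2"):    Good,
		hashOf("revoked-app-1"): Revoked,
	}}
}

func main() {
	c := NewClient(SampleServer(), 2, 50*time.Millisecond)
	for _, app := range []string{"good-app-1", "revoked-app-1", "never-seen-app"} {
		st, net := c.Check(hashOf(app), time.Now())
		fmt.Printf("%-15s status=%d fromNetwork=%v\n", app, st, net)
	}
}
```

With a realistic prefix length the bucket returned for one query covers many unrelated hashes, which is what keeps the server from learning which app was launched; the cache means the second launch of the same app within the bucket's lifetime makes no request at all, and a hung server costs at most one timeout per uncached prefix.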

                                                                              1. 2

                                                                                From the privacy point of view, it looks like they will introduce encryption: https://www.macrumors.com/2020/11/15/apple-privacy-macos-app-authenticaion

                                                                                1. 2

                                                                                  Thanks for the link. Obviously this approach only offers increased privacy vs. actors that aren’t Apple. But if you’re running a Mac obviously you have to trust Apple a bit, so I don’t think it’s unreasonable.

                                                                    2. 2

                                                                      The neat thing is that this means Apple can effectively remove software from your computer in addition to watching what you run.

                                                                      1. 5

                                                                        Everyone who ever built an antivirus or any sort of malware-removal tool is an active foot-soldier in the war against general-purpose computing, apparently. Seeing as all of those tools are designed to identify and remove software from your computer…

                                                                        1. 1

                                                                          Those all have an off switch.

                                                                          1. 4

                                                                            As does Apple’s equivalent.

                                                                        2. 2

                                                                          So a professional is going to be checking if Transmission got their dev server owned this week instead of every single user having to check, cool.

                                                                  1. 15

                                                                    I have been on both sides of GitHub DMCA, so I can speak from experience.

                                                                    GitHub strongly favors keeping the content up.

                                                                    So yeah, it’s down now. But the repo owners can send a Counter Notice. Then RIAA has 14 days to file a copyright infringement suit in Federal Court, and then present a copy of the filing to GitHub.

                                                                    If GitHub does not receive the filing in time, or anything is wrong with the paperwork, the repo will go back up.

                                                                    https://docs.github.com/en/free-pro-team@latest/github/site-policy/dmca-takedown-policy

                                                                    1. 4

                                                                      Do you know if this is true also in this case? The letter is not really the usual takedown notice: more here https://twitter.com/xor/status/1319861757301710848

                                                                      1. 9

                                                                        Sorry but I can’t follow that. Twitter is absolute garbage. Maybe that guy can repost it to a blog or something.

                                                                        1. 6

                                                                          https://nitter.net/xor/status/1319861757301710848

                                                                          Nitter is a free and open source alternative Twitter front-end focused on privacy.

                                                                          1. 0

                                                                            One reason Twitter easily spirals down to utter garbage is the lack of downvotes. We can only retweet, and if we disagree, we can only shout back. There seems to be very little moderation. And of course, the length limit on the damn tweets effectively bans nuanced thought, which requires too many characters. (Incidentally, this limitation makes me wonder how Twitter managed to get so popular.)

                                                                            A free front end is unlikely to solve those problems.

                                                                    1. 4

                                                                      I wrote this article to give other people an introduction to NaN-boxing. Please let me know what you think!

                                                                      1. 2

                                                                        The link seems broken at the moment, can you update it?

                                                                        1. 1

                                                                          Are you getting an actual 404 or the “Cannot find article” message? If it’s the latter please try and reload the page. JS isn’t my strong point :P

                                                                          1. 2

                                                                            “Cannot find article”. Indeed, after reloading a couple of times it did load. Thanks!

                                                                      1. 1

                                                                        Unfortunately most Medium links require an account with them for access.

                                                                        1. 2

                                                                          Sorry, I was not aware of that. I do not have an account myself but I can see the article. That’s bad (and it is a pity since the article is really good); I’ll avoid sharing Medium articles from now on.

                                                                        1. 1

                                                                          The examples are mindblowing.

                                                                          1. 2

                                                                            There is a very interesting new article on it! Hackers Tell the Story of the Twitter Attack From the Inside https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html

                                                                            1. 7

                                                                              Twitter has announced preliminary investigation results that this was a social engineering attack of internal tooling.

                                                                              1. 3

                                                                                I hope they will make a detailed post explaining what happened once they finish their forensic analysis and restore the system.

                                                                                1. 2

                                                                                  This might be a case where their desire for transparency conflicts with their exposure to liability. It’ll be interesting to see how it plays out.

                                                                              1. 25

                                                                                That headline is pretty confusing. It seems more likely Twitter itself was compromised than tons of individual users (billionaires, ex-leaders, etc)?

                                                                                1. 19

                                                                                  You’re right. This is a case of Verge reporting what they’re seeing, but the scope has grown greatly since the initial posts. There have since been similar posts to several dozen prominent accounts, and Gemini replied that it has 2FA.

                                                                                  Given the scope, this likely isn’t accounts being hacked. I suspect that either the platform or an elevated-rights Twitter content admin has been compromised.

                                                                                  1. 12

                                                                                    Twitter released a new API today (or was about to release it? Not entirely clear to me what the exact timeline is here), my money is on that being related.

                                                                                    A ~$110k scam is a comparatively mild result considering the potential for such an attack, assuming there isn’t some 4D chess game going on as some are suggesting on HN (personally, I doubt there is). I don’t think it would be an exaggeration to say that in the hands of the wrong people, this could have the potential to tip election results or even get people killed (e.g. by encouraging the “Boogaloo” people and/or exploiting the unrest relating to racial tensions in the US from some strategic accounts or whatnot).

                                                                                    As an aside, I wonder if this will contribute to the “mainstreaming” of digital signing to verify the authenticity of what someone said.

                                                                                    1. 14

                                                                                      or even get people killed

                                                                                      If the Donald Trump account had tweeted that an attack on China was imminent there could’ve been nuclear war.

                                                                                      Sounds far-fetched, but this very nearly happened with Russia during the cold war when Reagan joked “My fellow Americans, I’m pleased to tell you today that I’ve signed legislation that will outlaw Russia forever. We begin bombing in five minutes.” into a microphone he didn’t realize was live.

                                                                                      1. 10

                                                                                        Wikipedia article about the incident: https://en.wikipedia.org/wiki/We_begin_bombing_in_five_minutes

                                                                                        I don’t think things would have escalated to a nuclear war that quickly; there are some tensions between the US and China right now, but they don’t run that high, and a nuclear war is very much not in China’s (or anyone’s) interest. I wouldn’t care to run an experiment on this though 😬

                                                                                        Even in the Reagan incident things didn’t seem to have escalated quite that badly (at least, in my reading of that Wikipedia article).

                                                                                        1. 3

                                                                                          Haha. Great tidbit of history here. Reminded me of this 80’s gem.

                                                                                          1. 2

                                                                                            You’re right - it would probably have gone nowhere.

                                                                                        2. 6

                                                                                          I wonder if this will contribute to the “mainstreaming” of digital signing to verify the authenticity of what someone said

                                                                                          It’d be nice to think so.

                                                                                          It would be somewhat humorous if an attack on the internet’s drive-by insult site led to such a thing, rather than the last two decades of phishing attacks targeting financial institutions and the like.

                                                                                          1. 3

                                                                                            I wonder if this will contribute to the “mainstreaming” of digital signing to verify the authenticity of what someone said.

                                                                                            A built-in system in the browser could create a 2FA system while being transparent to the users.

                                                                                            1. 5

                                                                                              2FA wouldn’t help here - the tweets were posted via user impersonation functionality, not direct account attacks.

                                                                                              1. 0

                                                                                                If you get access to Twitter, or the Twitter account, you still won’t have access to the person’s private key, so your tweet is not signed.

                                                                                                1. 9

                                                                                                  Right, which is the basic concept of signed messages… and unrelated to 2 Factor Authentication.

                                                                                                  1. 2

                                                                                                    2FA, as I used it, means authenticating the message, via two factors, the first being access to twitter account, and the second, via cryptographically signing the message.
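The signed-message idea this sub-thread is circling, as an added example that is not part of the thread and not anything Twitter implements: an Ed25519 signature over the handle and the text, produced on the author's device and checked by readers against the author's published public key. The handles, the post texts and the `SignedPost` layout are constructed for the demo; the point it makes is the one stated above, that whoever controls the account or the platform's impersonation tooling can publish text under the handle but cannot produce a signature that verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// SignedPost is what a platform would store and show: the handle, the text and a
// detached signature that only the key holder's own device can produce.
type SignedPost struct {
	Author    string
	Text      string
	Signature string // base64 Ed25519 signature over signingInput
}

// signingInput binds the handle to the text so a signature is only valid for
// this exact author/text pair.
func signingInput(author, text string) []byte {
	return []byte(author + "\n" + text)
}

// Sign runs on the author's device; the platform never sees priv.
func Sign(priv ed25519.PrivateKey, author, text string) SignedPost {
	sig := ed25519.Sign(priv, signingInput(author, text))
	return SignedPost{Author: author, Text: text, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// Verify is what a reader's client does with the author's published public key.
func Verify(pub ed25519.PublicKey, p SignedPost) bool {
	sig, err := base64.StdEncoding.DecodeString(p.Signature)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, signingInput(p.Author, p.Text), sig)
}

// Scenario replays the thread's argument with constructed data. Whoever controls
// the account (or an internal impersonation tool) can publish text under the
// handle, but without the private key the best they can do is attach an old
// signature or none at all, and verification fails either way.
func Scenario() (genuineOK, reusedSigOK, unsignedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	genuine := Sign(priv, "@alice", "Release 1.2 is out; notes are in the repo.")
	genuineOK = Verify(pub, genuine)

	// A real signature copied from an earlier post onto text the key holder never wrote.
	reused := SignedPost{Author: "@alice", Text: "Text the key holder never wrote.", Signature: genuine.Signature}
	reusedSigOK = Verify(pub, reused)

	// A post published under the handle with no signature at all.
	unsigned := SignedPost{Author: "@alice", Text: "Text the key holder never wrote."}
	unsignedOK = Verify(pub, unsigned)
	return
}

func main() {
	g, r, u, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v reusedSignature=%v unsigned=%v\n", g, r, u) // true false false
}
```

The signature covers the handle as well as the text, so a signature lifted from one account's post is not valid for the same text under another handle; key distribution (how a reader learns which public key belongs to a handle) is the part the thread does not settle and is left out here.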

                                                                                                    1. 3

                                                                                                      Twitter won’t even implement the editing of published tweets. Assuming they’d add something that implicitly calls their competence in stewarding people’s tweets is a big ask.

                                                                                                      1. 2

                                                                                                        I’m not asking.

                                                                                            2. 2

                                                                                              A ~$110k scam

                                                                                              The attacker could just be sending coins to himself. I really doubt that anyone really falls for a scam where someone you don’t know says “give me some cash and I’ll give you double back”.

                                                                                              1. 15

                                                                                                I admire the confidence you have in your fellow human beings but I am somewhat surprised the scam only made so little money.

                                                                                                I mean, there’s talk about Twitter insiders being paid for this so I would not be surprised if the scammers actually lost money on this.

                                                                                                1. 10

                                                                                                  Unfortunately people do. I’m pretty sure I must have mentioned this before a few months ago, but a few years ago a scammer managed to convince a notary to transfer almost €900k from his escrow account by impersonating the Dutch prime minister with a @gmail.com address and some outlandish story about secret agents, code-breaking savants, and national security (there’s no good write-up of the entire story in English AFAIK, I’ve been meaning to do one for ages).

                                                                                                  Why do you think people still try to send “I am a prince in Nigeria” scam emails? If you check your spam folder you’ll see that’s literally what they’re still sending (also many other backstories, but I got 2 literal Nigerian ones: one from yesterday and one from the day before that). People fall for it, even though the “Nigerian Prince” is almost synonymous with “scam”.

                                                                                                  Also, the 30 minute/1 hour time pressure is a good trick to make sure people don’t think too carefully and have to make a snap judgement.

                                                                                                  As a side-note, Elon Musk doing this is almost believable. My friend sent me just an image overnight and when I woke up to it this morning I was genuinely thinking if it was true or not. Jeff Bezos? Well….

                                                                                                  1. 12

                                                                                                    People fall for it, even though the “Nigerian Prince” is almost synonymous with “scam”.

                                                                                                    I’ve posted this research before but it’s too good to not post again.

                                                                                                    Advance-fee scams are high touch operations. You typically talk with your victims over phone and email to build up trust as your monetary demands escalate. So anyone who realizes it’s a scam before they send money is a financial loss for the scammer. But the initial email is free.

                                                                                                    So instead of more logical claims, like “I’m an inside trader who has a small sum of money to launder” you go with a stupidly bold claim that anyone with a tiny bit of common sense, experience, or even the ability to google would reject: foreign prince, huge sums of money, laughable claims. Because you are selecting for the most gullible people with the least amount of work.

                                                                                              2. 5

                                                                                                My understanding is that Twitter has a tool to tweet as any user, and that tool was compromised.

                                                                                                Why this tool exists, I have no idea. I can’t think of any circumstance where an employee should have access to such a tool.

                                                                                                Twitter has been very tight-lipped about this incident and that’s not a good look for them. (I could go on for paragraphs about all of the fscked up things they’ve done)

                                                                                                1. 5

                                                                                                  or an elevated-rights Twitter content admin

                                                                                                  I don’t think content admins should be able to make posts on other people’s accounts. They should only be able to delete or hide stuff. There’s no reason they should be able to post for others, and the potential for abuse is far too high for no gain.

                                                                                                  1. 6

                                                                                                    Apparently some privileges allow internal Twitter employees to remove MFA and reset passwords. Not sure how it played out but I assume MFA had to be disabled in some way.

                                                                                                  1. 5

                                                                                                    That’s a good article! Vice has updated that headline since you posted to report that the listed accounts got hijacked, which is more accurate. Hacking an individual implies that the breach was in their control: phone, email, etc. This is a Twitter operations failure which resulted in existing accounts being given to another party.