1. 4

    521 […] a European reads it as “five-hundred, and twenty one”

    An English-speaking European, maybe. In German we spell it “fünfhunderteinundzwanzig”, which is literally “five-hundred and one and twenty”. Middle-endian, if you so wish.

    1. 5

      Oh man, don’t get me started on Danish.

      1. 1

        French is almost as bad. I actually find Danish’s bonkers system easier to remember though for some reason.

        1. 1

          As an American, French is more annoying to vocalize (certain) numbers in than German. German was more: ok thats weird but its consistent and I don’t have to do math to figure out how to say the word. French on the other hand, made me very confused as to the history behind this. It seems to be the only romance language that does it too so I’m doubly confused.

          1. 1

            I agree, once you grok the vegisimal pattern it’s actually logical.

        2. 1

          which ironically is the exact way how it would be read in Modern Arabic and Classical Arabic. I’m really confused by the Quora answer that the OP based their thesis on. For Arabic speakers/readers here’s a great article that goes into the grammatical details, by a language scholar.

        1. 18

          Not this again.

          Different kinds of Arabic read numbers out loud differently, so some read most significant first, and some read least significant first, many are middle-endian. It’s pretty hard to make this conclusion just based on that.

          BUT: Arabic got the numerals from India. Indian languages write down numbers the same way you do in English, most significant digit first in a left to right script. Indian languages typically say numbers as most-to-least significant, with the middle-endian nature of tens and ones digits being swapped (similar to how “thirteen” is “backwards”). So it doesn’t even matter how it’s read in Arabic, because for a long time they were writing numbers the same way as the Indians, and it would be very weird if they used the same numerals but in the opposite order when looked at visually. The numbers got copied twice, from an LTR script to an RTL script back to an LTR script, without changing the order. The RTL nature of Arabic is a red herring here.

          And this doesn’t have much to do with why our computers work a certain way, anyway (see other comments).

          1. 2

            Different kinds of Arabic read numbers out loud differently, so some read most significant first, and some read least significant first, many are middle-endian. It’s pretty hard to make this conclusion just based on that.

            What do you mean by different kinds of Arabic? Classical and Modern Arabic both read numbers out loud the same, are you referring to dialectal Arabic? because most Arabs would not consider their dialect to be a legitimate Arabic, since almost all published text is written in Modern Arabic, or still in some cases Classical Arabic.

            For the record though this post is just wrong, because 521 in both Classical and Modern arabic is read as five hundred, one and twenty, and the author claims that “formal” arabic reads it differently. I’m not really aware of any dialects that read that as one, twenty, and five hundred, and at least to me (north African native speaker, but also Arabic language enthusiast) it sounds insanely wrong even for a dialect.

            BUT: Arabic got the numerals from India.

            Eastern Arabic Numerals are from India, Western Arabic numerals are believed to have originated in North Africa. European languages use the Western Arabic numerals, and not the eastern Arabic Numerals. The decimal system though, the more interesting part in my opinion, was indeed copied from Indian mathematicians.

            1. 2

              Eastern Arabic Numerals are from India, Western Arabic numerals are believed to have originated in North Africa

              Any sources for that? Most of the sources I have seen seems to trace the origins of both to Brahmi numerals.

              1. 1

                Right, dialectal Arabic, but also I knew that MSA doesn’t follow the same rules as what the author talks about and I wasn’t sure what they meant by “formal”, so I was really talking about MSA (I don’t know enough about Classical).

                Eastern Arabic Numerals are from India, Western Arabic numerals are believed to have originated in North Africa.

                No, the exact numeral forms were invented in North Africa (with influence from the eastern arabic forms!), but the concept of using numbers like that came from Eastern Arabic numerals, and Western Arabic numerals are a bit of an early divergence from them. They’re still related, see the first paragraph in https://en.wikipedia.org/wiki/Arabic_numerals#Origin_of_the_Arabic_numeral_symbols , in particular mathematicians had already trained themselves on Eastern Arabic numerals but hadn’t necessarily agreed on the forms.

            1. 2

              This is cool!

              Several years ago I tried to build a package manager that build packages in a sandbox. I ended up hacking on an earl version of this tool:

              https://linux.die.net/man/8/linux-user-chroot

              It has an --unshare-net flag, which uses Linux namespaces. How does that compare to using seccomp BPF? Of course the latter gives you more control, but it seems like you may not be using the control?

              I think this tool was built for similar purposes (restricting what builds can do), although I haven’t used it in awhile.

              And I also wonder why you chose to make it a shared object loaded into bash rather than an external command? In addition to linux-user-chroot, there is also system-nspawn, etc. which work in a similar fashion.

              I would like https://www.oilshell.org/ to have some process sandboxing features like this. But I think they can mostly go in a separate tool. Though I haven’t decided on what exactly that looks like.

              1. 3

                One advantage of seccomp here is that it doesn’t require any additional privileges where I’m not sure if unshare does.

                I chose to make it a shared object so that it could fit into the existing build process as “just another step”, if I had to execute a command I would need to modify the build process to re-exec itself between the “download” and “build” phases, here I just drop the privilege in the build script process and everything else follows.

                In previous sandboxes I used UML to fake being privileged and could drop networking just by shutting down the emulated network adapter. http://www.rkeene.org/viewer/tmp/fakeroot.sh.htm

                1. 1

                  One advantage of seccomp here is that it doesn’t require any additional privileges where I’m not sure if unshare does.

                  I’ve had problems with unshare before, and actually wrote a program for filtering syscalls based on seccomp to avoid those issues. I’ve written about it here.

              1. 3

                A more interesting question is, does the test code shown in the article (comparison of an uninitialized value to itself) invoke undefined behavior?

                1. 1

                  yes it does. in this case it’s dereferencing an uninitialized pointer. if we would make the array global/static it would be dereferencing a null pointer.

                  1. 1

                    This is not correct. Uninitialized static arrays have every element initialized to zero, it’s fine to access any element of them: http://port70.net/~nsz/c/c99/n1256.html#6.7.8p10

                    10 If an object that has automatic storage duration is not initialized explicitly, its value is indeterminate. If an object that has static storage duration is not initialized explicitly, then: …

                    • if it is an aggregate, every member is initialized (recursively) according to these rules;

                    and furthermore

                    21 If there are fewer initializers in a brace-enclosed list than there are elements or members of an aggregate, or fewer characters in a string literal used to initialize an array of known size than there are elements in the array, the remainder of the aggregate shall be initialized implicitly the same as objects that have static storage duration.

                    Aggregate means struct or array (6.2.5, http://port70.net/~nsz/c/c99/n1256.html#6.2.5p21):

                    21 Arithmetic types and pointer types are collectively called scalar types. Array and structure types are collectively called aggregate types.

                    1. 3

                      The example code shows a non-static (automatic) array with a declaration and no initializer. You’ll note that the sections you quoted refer to what happens when an array (or other aggregate) has fewer items specified in their initializer than the aggregate has members. In this case, there is no initializer. Indeed, this is undefined behavior.

                      All the best,

                      -HG

                      1. 1

                        You appear to only have read the 2nd quote in my comment. Here’s the first one again:

                        If an object that has static storage duration is not initialized explicitly, then: …

                        • if it is an aggregate, every member is initialized (recursively) according to these rules;

                        I agree this UB for an array with automatic storage, though.

                        1. 1

                          @jyn514, the array in the example code is not declared static.

                      2. 2

                        I stand corrected. in the case that the array has static duration, all elements are indeed initialized to zero. thank you.

                        edit: and my whole sentence is wrong. a, the pointer to the head of the array is actually initialized, it is only the array elements that aren’t initialized in the case of automatic duration. so the UB is caused by using the elements and not by dereferencing.

                      3. 1

                        It has nothing to do with pointers. I’m talking about the uninitialized memory. Would the following code invoke UB ?

                        int x;
                        if (x == x)
                            ...
                        

                        I do not master the definition of UB, but it seems that if “int” can be initialized with a trap representation (highly unlikely in current implementations), it would be reasonable for this code to crash.

                        1. 1

                          yes this is UB, as far as the standard is concerned the value of x is indeterminate, and using that value in any form is undefined behaviour.

                          from http://port70.net/~nsz/c/c99/n1256.html#J.2:

                          The value of an object with automatic storage duration is used while it is indeterminate

                    1. 50

                      I think most of the problems are ecosystem/people issues–in turn driving the language/framework problems.

                      Selected short gripes on people (any one of which I could write volumes on):

                      • Conflating standard library problems with language problems. ES5 was actually a pretty reasonable language–the problem came from having a standard lib so anemic (to this day!) that people feel the need to keep adding stuff. If TC39/W3C spent less time getting high on their own supply and more time fixing the standard library then so much of what I hate goes away.
                      • Permanent neophilia and just an overwhelming lack of restraint and good taste. Nobody seems to acknowledge the costs to chasing new shiny.
                      • Everybody uses solutions backed by Big Players without regard for whether it’s a good idea or not. Your blog doesn’t need React. Your E-commerce site probably doesn’t need Cognito. Staaaaaahp.
                      • Everything has so many dependencies and this nests. Left-pad should’ve been a wake-up call, and yet apparently nobody is actually serious about fixing that.
                      • Tooling is too complicated and takes too long to run. Why is setting up Webpack annoying? What is it hard to just run off a config off the top of one’s head?
                      • Testing culture seems to have gone super far into unit testing and just really sucks for actual can-the-user-do-the-thing-that-makes-us-money testing. It should be easier to script UAT than to do the DI and other stuff around unit testing, but for some reason that’s not where we evolved.
                      • Too much popularity-driven development. We could be forgiven for assuming that most technical decisions being made in Webland are the result of conference talks and Big Personalities posting online.

                      Selected language gripes:

                      • ES6+ is getting past what comfortably fits in a person’s head.
                      • CSS really needs to just have nested scoping already.

                      Select framework gripes:

                      • React has made dumb decisions and devs won’t back down on them. className, full stop.
                      • ThreeJS keeps carving out key stuff–say, orbit cameras–into the examples instead of core, keeps adding other shit into core, and somehow bungles packaging the ‘extras’ into friendly NPM modules. At least this was the case last winter when I ran into it, again.
                      • D3 is super easy to make slow and awful, and just always looks like spaghetti code to me.
                      • There is no good framework to do some of the Java computational geometry stuff we did two decades ago. This is likely because making a holey concave polygon from other smaller holey concave polygons and triangulating it is Real People Hard but making another vdom knockoff is Frontend Engineer Hard.

                      I could go on, but why close the year on a negative note?

                      1. 11

                        lack of restraint and good taste.

                        This sounds like the root cause of everything else here.

                        1. 3

                          ES6+ is getting past what comfortably fits in a person’s head.

                          I agree. If you took generators out of ES6 I think you’d have a reasonably comprehensible version of JS. I can get behind optional chaining to kill _.get(myObject, 'some.path.where.any.of.these.could.be.undefined.or.null)… but the trend of just adding more things to the language is a bit concerning.

                          1. 3
                            1. Incredibly poor library quality.

                            Basically, a JavaScript library consists of

                            • gnarly spaghetti code
                            • without comments
                            • inside a single file
                            • with some constructor that takes a config object
                            • where roughly 80% of the properties are undocumented
                            • and 90% of the config options are not tested with each other
                            • and break hilariously when used together
                            • with no existing tests, and no actual testing being done between releases,
                            • which means things randomly breaking in minor releases,
                            • and the project is “active”, but the authors aren’t really acknowledging any bugs.
                            2. Really bad build times.

                            At my work a project has somewhat above 1.5m lines of Java code, and probably less than 50.000 lines of JavaScript.

                            The 1.5 million lines of Java build faster than the 50.000 lines of JavaScript.

                            3. Don’t even bother using libraries. They simply won’t last for the life-time of a commercial project.
                            1. 3

                              Implying frontend engineers aren’t “real people” seems really unpleasant and stupid and seeing it upvoted a lot makes me less inclined to visit and recommend this website

                              1. 7

                                I read this in the way of “this stuff is hard because it’s genuinely hard for people in general, versus this other stuff is made hard for frontend developers because of random yak shaving reasons in JavaScript that don’t exist in Java”

                                1. 3

                                  It really reads more like “real engineers work on actually challenging problems involving polygons whereas dumb frontend people just mess around with stupid vdom knockoffs.”

                                  1. 1

                                    Well tbf, one of my pet peeves is arbitrary job titles. When did we all become engineers?

                                2. 4

                                  Where in the comment can you point to @friendlysock stating the frontend engineers aren’t “real people”?

                                  I’m genuinely curious. I don’t read it like that at all. I read his comment as stating that a lot of the ecosystem issues around frontend development are driven by short-term fads and ideas churn. This isn’t a reflection on people as individuals, rather on the group as a whole.

                                  1. 2

                                    it’s probably this part

                                    This is likely because making a holey concave polygon from other smaller holey concave polygons and triangulating it is Real People Hard but making another vdom knockoff is Frontend Engineer Hard.

                                    though I interpreted it differently. I understood the message as both things being hard, though the vdom knockoff would get more credit from frontend developers than the computational geometry stuff.

                                    edit: didn’t see @mbrock’s comment:)

                                    1. 1

                                      making a holey concave polygon from other smaller holey concave polygons and triangulating it is Real People Hard but making another vdom knockoff is Frontend Engineer Hard.

                                      Maybe I’m misreading or just grumpy but it’s pretty common for Smart People Online to imply some kind of subhuman status for programmers who work on frontend…

                                      1. 6

                                        Last job I had was at least half frontend engineering, job before that 3/4. There was some genuinely tricky frontend work–98% of it though was not. I’m not some Real People engineer shitting on FE work without any idea what it’s like. Honestly, I’m unsure the work I do mostly qualifies as Real People technical work at all anymore. That said…

                                        In my experience the types of problems solved and praised in frontend circles–frequently in the web in general–tend to be either:

                                        • dealing with self-inflicted complications (“grunt was too old so we used gulp but I didn’t like it so we switched to we webpack but now we’re trying parcel!”)
                                        • reinventing the wheel yet again (“kachow folks here’s your boy friendlysock coming at you with yet another grid system that uses the same class names as bootstrap but handles floats slightly differently”)
                                        • fighting problems in the wrong part of the stack (“we have to use an SPA because our Rails backend is SO SLOW serving just normal pages”)
                                        • dealing with stupid browser behavior (“that webworker messaging worked great until IE11 decided to fuck up transferable objects and just spew memory everywhere”)
                                        • dealing with org dysfunction (“look I know you want it pixel for pixel to match the cut up but like you never explained the animation states of this button”)
                                        • dealing with stupid business constraints (“our customers want our app to load faster but you need to pull in 15 megabytes of 3rd party analytics scripts via GTM, one of which is apparently hosted on a Raspberry Pi with a 2G connection in Antarctica”)

                                        And look, I’ve made my money solving all of those problems. And it can be a thousand times more frustrating to deal with any of those things than a Real People algorithm.

                                        But, like, let’s be real here: the things people go to conferences about and get Github stars on and tweet about are different orders of technical difficulty compared to what many people do in undergrad CS.

                                        (And no, before you get annoyed at that, I don’t have a CS degree either.)

                                        1. 2

                                          I dunno, couldn’t you make such a list about backend programmers, game developers, like everyone except actual researchers and probably most of those too? “Wow, I’m a backend developer, I’ll spend two years switching back and forth between Postgres and some weird novel big data thing and fuck around with different message queues that never seem to work reliably and then rewrite all our Go micro services into Rust”, etc.

                                          1. 1

                                            I’ll spend two years switching back and forth between Postgres and some weird novel big data thing and fuck around with different message queues that never seem to work reliably and then rewrite all our Go micro services into Rust

                                            That seems more like what a frontend-dev-tasked-with-backend-work would do, not what a real backend programmer would do.

                                            1. 1

                                              ugh

                                            2. 1

                                              I certainly could, and I believe the same about backend devs in most cases. OP specifically asked about frontend stuff.

                                              (Also, game devs get a little bit of a pass from me since they deal with a much more varied problem domain–provided they aren’t just reselling Unity assets.)

                                      2. 1

                                        I think he meant “real software developers”.

                                    1. 4

                                      Note: this is using AVX512, and in current Intel processors that have it using it will downclock all of your cores, which might be worse in tje end for your performance.

                                      1. 3

                                        The authors address this concern in passing: they haven’t observed any downclocking. It’s also worth mentioning that they only use the vpermb and vpmultishiftqb instructions, which according to this shouldn’t be that worrisome. In the link vpermb is mentioned explicitly, but vpmultishiftqb isn’t.

                                      1. 21

                                        I’m not sure of what the purpose of this post is. The only information it seems to contain is “the rust compiler uses too much RAM (for example compared to Go) when compiling a 1e6LoC main”, formatted in a very irritating way. No insight as to why, or if it is a pitfall that may be an issue in actual use case.

                                        Also, you’re comparing to V, but last time I checked, V was nothing but unbacked claims.

                                        1. 13

                                          I’m not sure of what the purpose of this post is.

                                          Seriously though, what’s the point of anything?

                                          1. 7

                                            Exactly! Do things have to have points?

                                            1. 3

                                              Seriously though, what’s the point of anything?

                                              I sincerely hope more people do things without there being a ‘point’ to them. Not everything we do has to produce a useful widget, and you never know where random exploration of the space of [the universe of all experiences] where it intersects your abilities might go.

                                            2. 6

                                              Also, you’re comparing to V, but last time I checked, V was nothing but unbacked claims.

                                              To me this was clearly a joke, and probably a reference to the author’s other article titled “V for Vaporware”.

                                              Anyways, the post was okaay in my opinion. It presented a story, and an interesting outcome. I hate the formatting as much as you do, but I appreciate the information that I got from it, which is that Rust and Go with this example were worlds apart when it came to compilation speed.

                                              Unless we’re gonna pay the author I see no reason for us to decide how insightful their articles should be, and it certainly still fits here regardless of that.

                                              1. 5

                                                I was in the middle of making a comparison with multiple languages, but we got nerd sniped by rust ooming the biggest systems some friends and I all had. Then a friend broke out the x1e.32xlarge (4 TB of ram) and it still oomed. I was laughing so hard I yolo’d it and published it as is. I plan to do it for other languages at some point in the future (2-3 months from now).

                                                1. 2

                                                  haha fair enough, I actually liked how verbatim it was by the way! only the aesthetic of the tweets put me off.

                                                  I plan to do it for other languages at some point in the future (2-3 months from now).

                                                  looking forward to see the results:)

                                            1. 3

                                              For fun, I tried it with another language that uses LLVM: Zig 0.4.0.

                                              const std = @import("std");
                                              const hello_world = "Hello, world!\n";
                                              
                                              pub fn main() !void {
                                                  const stdout_file = try std.io.getStdOut();
                                                  // 1200000 lines of:
                                                  try stdout_file.write(hello_world);
                                              }
                                              
                                              ❱ zig build-exe stress.zig
                                              00:03:10 elapsed
                                              

                                              I’m still waiting on the release build; it’s making my laptop sweaty.

                                              1. 2

                                                I really just feel like this should be extrapolated as a stress test for every language, just for fun.

                                                1. 1
                                                  #include <stdio.h>
                                                  int main() {
                                                   // x1200000
                                                   printf("hello, world\n");
                                                   ...
                                                   return 0;
                                                  }
                                                  

                                                  Time taken on a 2013 MacBook Pro:

                                                  bash-3.2$ time clang gen.c
                                                  
                                                  real	0m25.644s
                                                  user	0m21.782s
                                                  sys	0m1.790s
                                                  

                                                  (the executable is apparently 23m)

                                                  1. 2

                                                    (the executable is apparently 23m)

                                                    It’s time to introduce un-unroll optimizations!

                                                    1. 4

                                                      Loop rolling!

                                                      1. 1
                                                        time clang -Oz gen.c
                                                                146.30 real       108.65 user         7.60 sys
                                                        
                                                        ls -al -h a.out
                                                        -rwxr-xr-x  1 calmbit  staff   9.2M Oct  3 18:13 a.out
                                                        

                                                        Hmm! Interesting results. An obvious reduction, but not as big of one as I would have thought.

                                                        The disassembly is a disaster, and looks something like:

                                                        Disassembly of section __TEXT,__text:
                                                        __text:
                                                        10000136c:      55      pushq   %rbp
                                                        10000136d:      48 89 e5        movq    %rsp, %rbp
                                                        100001370:      53      pushq   %rbx
                                                        100001371:      50      pushq   %rax
                                                        100001372:      48 8d 1d 31 7c 92 00    leaq    9600049(%rip), %rbx
                                                        100001379:      48 89 df        movq    %rbx, %rdi
                                                        10000137c:      e8 09 7c 92 00  callq   9600009 <dyld_stub_binder+0x100928f8a>
                                                        100001381:      48 89 df        movq    %rbx, %rdi
                                                        100001384:      e8 01 7c 92 00  callq   9600001 <dyld_stub_binder+0x100928f8a>
                                                        100001389:      48 89 df        movq    %rbx, %rdi
                                                        10000138c:      e8 f9 7b 92 00  callq   9599993 <dyld_stub_binder+0x100928f8a>
                                                        100001391:      48 89 df        movq    %rbx, %rdi
                                                        100001394:      e8 f1 7b 92 00  callq   9599985 <dyld_stub_binder+0x100928f8a>
                                                        100001399:      48 89 df        movq    %rbx, %rdi
                                                        10000139c:      e8 e9 7b 92 00  callq   9599977 <dyld_stub_binder+0x100928f8a>
                                                        1000013a1:      48 89 df        movq    %rbx, %rdi
                                                        1000013a4:      e8 e1 7b 92 00  callq   9599969 <dyld_stub_binder+0x100928f8a>
                                                        ... (snip 4800000 lines)
                                                        100928f69:      48 89 df        movq    %rbx, %rdi
                                                        100928f6c:      e8 19 00 00 00  callq   25 <dyld_stub_binder+0x100928f8a>
                                                        100928f71:      48 89 df        movq    %rbx, %rdi
                                                        100928f74:      e8 11 00 00 00  callq   17 <dyld_stub_binder+0x100928f8a>
                                                        100928f79:      48 89 df        movq    %rbx, %rdi
                                                        100928f7c:      e8 09 00 00 00  callq   9 <dyld_stub_binder+0x100928f8a>
                                                        100928f81:      31 c0   xorl    %eax, %eax
                                                        100928f83:      48 83 c4 08     addq    $8, %rsp
                                                        100928f87:      5b      popq    %rbx
                                                        100928f88:      5d      popq    %rbp
                                                        100928f89:      c3      retq
                                                        Disassembly of section __TEXT,__stubs:
                                                        __stubs:
                                                        100928f8a:      ff 25 80 00 00 00       jmpq    *128(%rip)
                                                        Disassembly of section __TEXT,__stub_helper:
                                                        __stub_helper:
                                                        100928f90:      4c 8d 1d 69 00 00 00    leaq    105(%rip), %r11
                                                        100928f97:      41 53   pushq   %r11
                                                        100928f99:      ff 25 69 00 00 00       jmpq    *105(%rip)
                                                        100928f9f:      90      nop
                                                        100928fa0:      68 00 00 00 00  pushq   $0
                                                        100928fa5:      e9 e6 ff ff ff  jmp     -26 <__stub_helper>
                                                        
                                                2. 2

                                                  0.4.0

                                                  not that it would make a difference for this benchmark but 0.5.0 was released on monday

                                                1. 33

                                                  Ignoring completely conventions for how software should be updated on macOS (either via signed Sparkle updates, built-in updater ala Firefox, or via the Mac App Store), Google chose to implement a piece of malware known as GoogleSoftwareUpdate that resides in /Library/Google and ~/Library/Google. It is a specific kind of malware known as an APT (Advanced Persistent Threat), and several articles have been written on this subject (but I can’t find at the moment via a cursory search).

                                                  Sometimes people have “legitimate” reason to use Google Chrome (i.e. because it supports some piece of DRM you might need which better browsers like Brave choose to not ship with). If you’re one of these users, to prevent Google Chrome from infecting your computer with its malware, you need to perform the following actions:

                                                  # create folders if they don't already exist
                                                  $ sudo mkdir -p /Library/Google ~/Library/Google
                                                  # if they do exist delete everything inside of them
                                                  $ sudo rm -rf /Library/Google/* ~/Library/Google/*
                                                  # prevent Google from writing to these folders
                                                  $ sudo chown -R root:wheel /Library/Google ~/Library/Google
                                                  $ sudo chmod -R go-rwx /Library/Google ~/Library/Google
                                                  
                                                  1. 10

                                                    In what world is this an APT? I deal with threat hunting, APT attack simulation, and TTP recreation on a daily basis and this is not the first time that I’ve seen a few people who don’t like Google try and pin the term on GoogleSoftwareUpdate. It makes no sense and you make your argument way weaker by throwing around terms like that and spreading FUD. APT’s are acting groups who create payloads for specific targeted purposes, not the payloads themselves. That’s like calling Stuxnet a APT.

                                                    1. 11

                                                      I consider it an APT. Even removing Chrome doesn’t remove it, and if you don’t excise it completely it will restore itself. It’s nasty. Really evil stuff on MacOS.

                                                      1. 12

                                                        That’s like calling Stuxnet a APT.

                                                        The Wikipedia page calls Stuxnet an APT. Copied from there:

                                                        The Stuxnet computer worm, which targeted the computer hardware of Iran’s nuclear program, is one example.

                                                        GoogleSoftwareUpdate is an APT because, well, it fits the definition. It runs in the background, without your permission, it phones home to Google, and at any point in time it can modify your computer either directly or with a payload it downloads.

                                                        1. 10

                                                          An Advanced Persistent Threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period

                                                          I don’t mean to be inflammatory, but I honestly don’t even think you read the first sentence of the Wikipedia article you linked. It references to threat actors specifically. So this would generally be considered a tool used by an APT. Google is the actor, GoogleSoftwareUpdate is their payload/TTP (Tools Techniques and Procedures). We assign APT names and numbers to groups, not malware families, your description doesn’t fit that definition at all.

                                                          1. 6

                                                            It seems like the Wikipedia entry uses it in multiple ways as well, since it calls Stuxnet an APT, and later refers to its creators.

                                                            If you’re used to hearing the term APT refer to the people behind the code, I can see being confused at the way that I’m using it here. Wikipedia does not use the term consistently, and others have also used the term to refer to the software itself, so I’m not alone in this usage.

                                                            I think confining the term “APT” to the software’s creators can be unnecessarily limiting. In the case of GoogleSoftwareUpdate, it might not be accurate to call Google the APT, since their mechanism (GoogleSoftwareUpdate) can be hijacked by completely unknown entities to infect computers. In a sense, you could also say that GoogleSoftwareUpdate is the entity that’s doing the infecting, and I don’t think that’s an unreasonable expansion of the definition.

                                                            1. 6

                                                              I’m saying that the entire computer security field has seemingly agreed (whether or not the terms are somewhat confused in Wikipedia) that APT refers to specific threat actors not their tooling, which means when you use those terms in technical groups they are going to misconstrue them since no one calls TTPs APTs. Whether or not you are meaning to, you are accidently leading people away from the in field terms. I have never once heard a threat hunter call a artifact an APT in my entire career.

                                                              Generally in the malware and analysis world GoogleSoftwareUpdate wouldn’t even count as malware, it would be a PUP (Potentially Unwanted Program) that functions in a known way but might do something unwanted. That’s not the same as malware either. Also if you are refering to the fact that GoogleSoftwareUpdate is installed in a user writable directory and can be replaced or DLL hijacked then you are further purposefully choosing to make that fit into you view. This is a common terrible practice, but can be mitigated by installing the Google Chrome Enterprise which installs system wide and doesn’t leave GoogleSoftwareUpdate writable by users.

                                                              1. 5

                                                                I’m saying that the entire computer security field has seemingly agreed

                                                                I thought my presence on Hacker News and Lobsters bringing in all the high-assurance and CompSci folk showed that popular security != entire computer security field. The popular ones also built many fewer systems highly-resistant to penetration. They knew nothing of those that did or even denied they existed. When they failed, they doubled down on their ways instead of relenting or admitting the other groups had anything of value. If anything, I’m skeptical when the “computer security field” that most know about make a pronouncement. The skepticism usually pays off.

                                                                Back to this, I see why @itistoday is talking like this. Many security and news pieces I read at the time talked about APT in terms of their methods. They highlighted how different the methods were. Who cares who the source is if the methods are the same things you already blocked. The “APT’s” were different using stealthier techniques that involved getting a foot in, bringing in more, and doing a lot of exfiltration of data under users’ noses. That’s basically Google minus outright hacking. Hence, hyperbole.

                                                                1. 1

                                                                  Skeptisism is always fair and I appreciate being called out when I accidently arbitrate or overly claim authority, that was not my goal and very much not my objective either. Appeal to authority was a failure on my part. I know based on our conversations that I very much have respect for the HA world and the world outside of “pop-security”, but in both of those I have never heard the term get used as a reference to persistence techniques and only referred (even in the research I read) to as the groups executing real world attacks. I agree that the term “persistence” is of importance, and isn’t represented properly in the original acronym, but I have always heard and read about them in the terms of “persistence” in general.

                                                                  For the second portion, the corporate world and enterprise land is almost the opposite of what you stated in my experience. They care much more about who, how to block them, and how to detect them than necessarily root cause detection/prevention. I think this is fundamentally flawed (as I bet you do too), but just look at something like the MITRE ATT&CK and show me how the Google example fits in? I think that the “outright” hacking and purest of intent is important to seperate out threats from potentially unwanted behavior. There is a fundamental difference between a risk and a threat no?

                                                                  1. 2

                                                                    “but in both of those I have never heard the term get used as a reference to persistence techniques and only referred (even in the research I read) to as the groups executing real world attacks”

                                                                    Thanks for fairly evaluating what’s going on here. It could be the reporting media doing it. Being outside your group, what I was reading was a combination of actors and methods that were supposedly better than everything else. If anything, it looked like media and security companies were making excuses for bad security in general by making hackers look amazing. Hackers whose methods were sending loaded emails and such followed by gradual expansion of access. Not amazing.

                                                                    “the corporate world and enterprise land is almost the opposite of what you stated in my experience. They care much more about who, how to block them, and how to detect them than necessarily root cause detection/prevention.”

                                                                    I don’t have much experience there past what I read about they do. I appreciate the insight. They’re often reactive based on whatever is getting a lot of attention. This could be an extension of their habit to want to create an easy characterization of something, point blame at it, and have some solution that eliminates it entirely. It doesn’t work with IT security in general. I definitely can see them doing it.

                                                                    “ I think that the “outright” hacking and purest of intent is important to seperate out threats from potentially unwanted behavior. There is a fundamental difference between a risk and a threat no?”

                                                                    I agree in general. I already said it was likely hyperbole. Thing is, Google is a threat actor of its own sort trying to get as much secret and public information about its users and non-users as possible to sell influence attempts by third parties. Also, getting close with D.C. in a police state with whatever comes with that. And they do their own thing in a sneaky way.

                                                                    I agree that the APT term doesn’t fit them in definition of mainstream, security community or news headlines I saw for some reasons. I do see how the sneaky, bring-in-backdoors, exfiltrate-data behavior justifies a comparison with hyperbole, though.

                                                                2. 1

                                                                  I didn’t realize the APT Language Police were here, sorry!

                                                                  I have heard various people use APT to refer to software. Multiple definitions for the same words often exist. This is how language works. Since you keep banging on about this, I’ll remind you that I’ve linked to one paper that uses “APT” in this way, that sentence from Wikipedia, and here’s another person:

                                                                  The Advanced Persistent Threat (APT) has become the watchword for today’s cyber espionage. It frequently involves a piece of malware or group of malware programs that can evade detection

                                                                  Re some people not considering it “malware”. Great, we can agree to disagree. I’m with Stallman on this.

                                                                  1. 4

                                                                    Multiple definitions for the same words often exist.

                                                                    Yeah, we have to stop this in computing. We have enough complexity, and enough trouble communicating ideas. We don’t need to overload terms and make this worse.

                                                                    Precision is a foundational aspect of why math is a universal language.

                                                                    1. 4

                                                                      Yeah, we have to stop this in computing.

                                                                      Great idea, now let’s nominate you to be in charge of the definitions of the words everyone in computing uses. 👍

                                                                      Precision is a foundational aspect of why math is a universal language.

                                                                      And math is definitely not known for overloading the definitions of symbols.

                                                                      1. 2

                                                                        Great idea, now let’s nominate you to be in charge of the definitions of the words everyone in computing uses.

                                                                        Thank you for your kind nomination!

                                                                        And math is definitely not known for overloading the definitions of symbols.

                                                                        There are very few “symbols,” but you can generate new words for your definitions by using the generalized concept of addition (which has axiomatic properties) and basic set theory primitives like subset. Put another way, assuming a function newword(L, N), where L is a tuple, containing production rules for valid words, P, and a set, C, of valid symbols (e.g. characters), I can call newword, to generate valid words contained in L of length N. While I’ll leave the proof as an exercise to the reader, it follows that incrementing N is all that is needed to create additional words in L, provided, that production rules in L are unbounded.

                                                                      2. 2

                                                                        Mathematics is the art of giving the same name to different things. (Henri Poincaré)

                                                                        Math is precise when it comes to the definitions and what a word means in a context, but the keyword here is context.

                                                                      3. 3

                                                                        There is a difference between being the language police and accepting the fact that the common use terms in the industry itself (to which I have been taken part of IR engagements that discover named APT’s) are not confused in their day-to-day use. I think when you do that you are doing it on purpose to try and craft the narrative in a way that you are the language police and can redefine terms that are not confused inside of a field. It is purposefully trying to confuse people who are not part of the field and I think that’s just as dangerous.

                                                                        It frequently involves a piece of malware or group of malware programs that can evade detection

                                                                        Again even in the your quote you are are ignoring that entire sentence, APT’s do use malware to evade detections. That just solidifies my statement.

                                                                        APTs often embed programs in a penetrated system

                                                                        From the first summary sentence in the paper, which btw is describing how GoogleSoftwareUpdate would be a good model for malware used by an APT (not crafting an APT again).

                                                                        EDIT: I’m bailing out of this argument for the sake of the length of the thread. I’ll squat in IRC or messages if you want to have a further discussion after your response to this.

                                                                        1. 4

                                                                          From the first summary sentence in the paper, which btw is describing how GoogleSoftwareUpdate would be a good model for malware used by an APT

                                                                          This is the first sentence:

                                                                          Google’s software update system can serve as a model Advanced Persistent Threat (APT).

                                                                          The thing being called an “APT” in that sentence is “Google’s software update system”.

                                                                          I’m bailing out of this argument for the sake of the length of the thread.

                                                                          Good call. It was fun and I also have work to get done.

                                                              2. 7

                                                                Oh come on, it’s just some hyperbole about Google doing things with similarities to stealthy attackers. It was a warning and joke mixed together to get more attention to the issue. That’s on top of entertaining the Lobsters.

                                                                Far as APT’s, my favorite counter on the term back when it was hot was Luiz Firmino’s comment on Kreb’s blog. It just explained why the media was making a big deal about what was just hacking 101 for any careful party targeting enterprises. Heck, the whole post makes what they were doing look obvious. I threw in 2 cents worth of corroboration.

                                                                1. 2

                                                                  I’ve read studies that only one out of four lobsters are born with a humerus bone in their body. The rest don the thick skin of an exoskeleton one should naturally expect.

                                                                  1. 1

                                                                    That’s great lol.

                                                                2. 3

                                                                  APT’s are acting groups who create payloads for specific targeted purposes, not the payloads themselves.

                                                                  Huh, I thought those were “threat actors”. But I’m not very in touch with threat hunting.

                                                                  ETA: OK, from the top of Wikipedia:

                                                                  An Advanced Persistent Threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group

                                                                3. 3

                                                                  Do you by any chance have the same directions for Windows, too? There were some official instructions that Google would post; I’ve followed all of those when they were still current, and yet sometime afterwards they’ve still broken out of their sandbox, and performed damage to my seldom-used copy of Google Chrome.

                                                                  Also, you mention Brave, but Brave doesn’t quite have a way to disable autoupdate, either — unlike Firefox and SeaMonkey.

                                                                  1. 2

                                                                    I don’t have any direct directions, but Google provides Chrome Enterprise installers that have administrative templates that let you control the vast majority of these controls. They have Mac DMG’s too.

                                                                    1. 1

                                                                      Do you by any chance have the same directions for Windows, too?

                                                                      I do not, sorry. Maybe someone else knows.

                                                                    2. 2

                                                                      Or you can (in this case at least) keep your operating system up to date, and not disable System Integrity Protection.

                                                                      I realize SIP disable is required for 3rd party graphics cards on Macs. And possibly the version of whatever graphics software was required for these machines only run on older versions of MacOS. This raises the question of why they were running (presumably) non-mission critical software (Chrome) on machines that absolutely have to be running…

                                                                      1. 3

                                                                        Maybe they just wanted to use a 3rd-party GPU? I don’t see why the users are suspect because of a completely arbitrary MacOS anti-feature

                                                                        1. 0

                                                                          What anti-feature are you referring to? SIP or that lack thereof, or Google’s Keystone updater software?

                                                                      2. 2

                                                                        Somewhat similarly, on Linux (at least on Ubuntu) Chrome installs itself into /etc/cron.daily: so that even if you notice its existence in your repos and remove it from there, it will re-add itself.

                                                                        1. 2

                                                                          you need to perform the following actions

                                                                          Also recommended, KnockKnock, which can tell you what launch agents, etc. can be installed:

                                                                          https://objective-see.com/products/knockknock.html

                                                                          And BlockBlock (which I haven’t tried yet), which warns you if software tries to install anything persistent.

                                                                          https://objective-see.com/products/blockblock.html

                                                                          Ignoring completely conventions for how software should be updated on macOS (either via signed Sparkle updates, built-in updater ala Firefox, or via the Mac App Store)

                                                                          Luckily, Microsoft now offers Office in the App Store. Another terrible installer/autoupdater that I hated.

                                                                          1. 1

                                                                            Although I haven’t verified it, using a portable version of Chrome should be a solution, as nothing is installed.

                                                                            1. 1

                                                                              This is funny because I think you’ve heard the term APT and thought persistence meant persisting in memory or on disk, which is important in malware terms. But as far as I’ve known the term (in infosec for a few years) the persistent in APT means persistent in trying to get at you. Interesting that this whole time I never thought of confusing persistence of malware with the persistence in APT, but they are different meanings.

                                                                              APTs are groups, not code, a different approach would be crimeware groups that send out ransomware indiscriminately then take the profits where they can. Calling Google an APT seems hyperbolic since their primary goal is shareholder value not intel/influence/surveillance, a list of APTs and their inconsistent names (aka all infosec vendors come up with their own names) are here: https://medium.com/@cyb3rops/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263

                                                                            1. 8

                                                                              It seems too easy to be real. For any disagreement, identify the lead person on each side. Then, identify the lowest executive in the corporate hierarchy that both leads report into (in the extreme case, this is the CEO). Set up a meeting between the three of them. At the meeting, the two leads will present the one, correct decision that they have agreed upon. The executive will sit there, listen, and ratify it.

                                                                              the only other responsibility of an executive is to enforce company values.

                                                                              I consider this a case of “simple” not “easy”. Things I consider hard in large organisations:

                                                                              • Identify the stakeholders and lead persons for anything. Since the meeting is “between the three of them” there is no board meeting where additional stakeholder have a chance to speak up. Depending on company values, executives might require the lead persons to do some formal stakeholder analysis.
                                                                              • Come to compromise with everybody if something is urgent. If it is not urgent, then people often just defer the issue. The real hard case is probably when the lead persons experience a different urgency. Should the executive determine the deadline for the meeting here?
                                                                              • Knowing your company values and acting consistently to them. I believe most companies act according to values they never wrote down. This makes consistency impossible. The “Quadrilogue” in the article describes how hard it is to write down your “real” values instead of “wishy-washy” values.
                                                                              • Notice when company values are violated. A value like “everybody pulling in the same direction” is probably a significant value in any company, but if it does not happen the involved parties are all incentivized that the responsible executive does not notice.

                                                                              By the way, “supremum executive” sounds like a useful term for “the lowest executive in the corporate hierarchy that leads report into”.

                                                                              1. 1

                                                                                if, then certainly infimum? at least if you’re considering the set of executives.

                                                                                edit: I can see though why executives wouldn’t like that;)

                                                                              1. 3

                                                                                I wrote a script once to do the same thing and iterate over a couple possible email combinations knowing first and last name, it’s very meh written but has served me well a couple of times.

                                                                                1. 1

                                                                                  Oh cool, thanks for sharing! I don’t actually do this stuff enough to have used smtplib much at all so this is useful to see

                                                                                1. 6

                                                                                  I resisted Steve Jobs’s snow job in 1989 or 1990

                                                                                  Does anyone know what he is referring to here? Or what a “snow job” is?

                                                                                  1. 16

                                                                                    “Snow job” is an older term that simply means saying a whole bunch of stuff to try and persuade people to believe a lie. The image is of a constant barrage of arguements that eventually overwhelms the truth and buries it from view. Think big snowfall that will take a lot of work to dig the truth back out.

                                                                                    1. 3

                                                                                      Similar to a “gish gallop”: https://en.wikipedia.org/wiki/Gish_gallop

                                                                                      1. 3

                                                                                        Not too similar, one is an argumentative style to beat down the opposition, the other is a persuasive technique for an arbitrary audience.

                                                                                        Also the gish gallop has political ties and speaks to the speaker belonging to an in crowd. Snow job is neutral.

                                                                                    2. 3

                                                                                      UD defines it either as

                                                                                      An effort to deceive, overwhelm, or persuade with insincere talk, especially flattery.

                                                                                      I think it’s that term, rather than the one offered below it (NSFW).

                                                                                      1. 1

                                                                                        Ok, wierd term. But do you know what happened between him and Jobs that could be described that way? I always thought that Apple was more or less parallel to Free Software (with the exception of adopting some terminal tools).

                                                                                        1. 17

                                                                                          Might have to do with Jobs asking Stallman to distribute GCC as two programs, so that NeXT doesn’t have to release the source code to the Objective-C frontend for GCC that they wrote[1].

                                                                                          1. 3

                                                                                            Just a guess but perhaps he’s referring the the controversy around the original APSL or Eric Raymond’s participation in that announcement? Perhaps he had also been approached by Jobs?

                                                                                            I can’t find a video clip of the event and my memory is hazy (this is ~19 years ago at this point) but I remember Raymond being onstage at an early OS X event to announce that the (at the time) new APSL licence and state that it met the OSD definition. Raymond makes a reference to it in this comment, which elaborates on this line from the article it comments on:

                                                                                            I met Steve Jobs once in 1999 when I was the president of the Open Source Initiative, and got caught up in one of his manipulations in a way that caused a brief controversy but (thankfully) did the organization no lasting harm.

                                                                                            1. 1

                                                                                              I have no idea.

                                                                                          1. 10

                                                                                            Holy fuck, this is the biggest abuse of clickbait I’ve ever seen. Not only does it use dubious maths to arrive at the sum, but the author just randomly picks a 0.5% number out of nowhere!

                                                                                            1. 1

                                                                                              Exactly. For an established brand like this I’d expect people to retry (perhaps by phone). Also for cards expiring 2020 there is no bug :)

                                                                                              1. 5

                                                                                                @adtac I don’t think it’s that clickbaity. The title says “potentially”, and he also used 0.05% and not 0.5%, and though the number is still random, the implication isn’t too bad for napkin calculations for fun and no profit.

                                                                                                @vii

                                                                                                Exactly. For an established brand like this I’d expect people to retry (perhaps by phone).

                                                                                                I think most people I know wouldn’t, including myself.

                                                                                            1. 6

                                                                                              The author’s explanations are incomplete and likely to confuse.

                                                                                              The “imprecise definition” at the top cannot tell between a functor and a monad; it isn’t rich enough. For example, this Haskell type has a Functor instance but no Monad:

                                                                                              data Const b a = C b deriving (Functor)
                                                                                              

                                                                                              Const clearly is a type wrapper with no direct way to get at values of type a, satisfying the imprecise definition.

                                                                                              The container examples ignore a massive caveat that manifests in every monad-bearing language. Because of the order of evaluation, along with the fact that monoidal structures stack and interact with each other (the Eckmann-Hilton argument, sometimes known as the slogan “monoids in categories of monoids are commutative”), the typical container forms a cromulent functor, but not necessarily a monad. In Haskell, the classic example is ListT and how it can fail to be a monad transformer.

                                                                                              Indeed, many containers have technical nits in their APIs which prevent monadic behavior. In Haskell, the classic example is the family of data structures in Data.Set; these sets cannot provide Monads due to weaknesses in Haskell’s type system.

                                                                                              The author briefly touches on continuations, but misses the important connections. A continuation type doesn’t just provide a monad, but a family of monads, via the “mother of all monads” construction. For each continuation type, there is an interesting collection of behaviors, and all of the other different monads can be implemented in terms of the “mother” continuation monad. Constructing a list monad, or another container-shaped monad, on top of continuations is very instructive; the amount of non-determinism in the list monad varies with the number of times and places that the continuations can be called.

                                                                                              I’m not sure what’s scary about mathematical presentations of category-theoretic concepts. If the author grokked categories of endofunctors, then they would more clearly understand how monads aren’t containers. Alongside their reading recommendations, I’d recommend Seven Sketches.

                                                                                              As a closing note, why are programmers afraid of maths?

                                                                                              1. 15

                                                                                                As a closing note, why are programmers afraid of maths?

                                                                                                Maybe because they’re told they need to “grok categories of endofunctors” and then linked to a 350 page book on an advanced math topic.

                                                                                                Look, I love math. I made my career teaching temporal logic to programmers, and it’s awesome. You know what the first major stumbling block for programmers is, though? false => true. That breaks people. Telling them they’re wrong about monads and throwing them in the deep end is a terrible way to get people to like using math.

                                                                                                1. 4

                                                                                                  I personally feel that the word “implies” is too strong and may have been created by a lack of words for an inability to disprove. “Does not disprove” is probably closer to how most think about it. A false statement can’t be used as evidence against any statement. To actually meaningfully prove something your claims must survive evidence against, so it makes sense to have a term that represents surviving attacks however weak. I’m sure this also captures a little bit of Boole’s biases around what something failing to be disproved means, after all he was intensely religious. Still the operation is pretty useful, and will likely continue to be.

                                                                                                  1. 2

                                                                                                    Sure. I don’t care whether people like using math; math is still an essential part of existence, and in particular of writing code. One does not have to enjoy a task to not fear it. My coworkers react to matrix multiplication like they would to snakes or spiders, and I think that that is ridiculous.

                                                                                                    I will readily admit that I am broken, and further that I believe that it’s not possible to think like a computer without breaking oneself. But the reward of the study of maths is that there is a deep reason why false -> true and false => true show up. If one has already sacrificed their sanity in order to understand how to write code, one might as well take in the beauty of the works of mathematicians, since it is only with this other-than-sane viewpoint that the beauty is visible.

                                                                                                    1. 4

                                                                                                      I mean breaks them as in “it’s really, really hard to get them to understand it”. I lie awake at nights trying to find better ways to explain it. And most programmers don’t need to know that to write code. People who want to write formal specifications of code need to know it. Not everybody needs to do that either.

                                                                                                      But the reward of the study of maths is that there is a deep reason why false -> true and false => true show up [link to (-1)-categories]

                                                                                                      That is a terrible explanation. Here’s a much better one (which still, admittedly, isn’t that great):

                                                                                                      “If x > 5 then x > 0, right? So x > 5 => x > 0. But now let’s pick x = 3. [now] 3 < 5 and 3 > 0, so we have false => true. So you see, intuitively you’re already comfortable with F => T, it’s just that it looks weird when we formalize it.”

                                                                                                      Do you see why that’s a better explanation?

                                                                                                      (edit, added a spacer)

                                                                                                      1. 3

                                                                                                        One reason this is a better explanation is that you sort-of described what the symbol => means though context. I still don’t know specifically what it means though in this context, though. Is this a Haskell symbol or a temporal logic symbol?

                                                                                                        You lost me on “x = 3. 3 < 5 and 3 > 0”, because it’s not immediately obvious that the . denotes the end of the sentence (I had to read it multiple times before I realized you had written x = 3. 3 < 5 and not x = 3.3 < 5. It’s also confusing that two more symbols F and T are introduced at the end, this time with no context clues to infer their meaning.

                                                                                                        1. 1

                                                                                                          Oh to clarify this would be in the broader context of teaching someone propositional logic, so they’d know => means implication. P => Q means that if P is true, then Q is also true. As @voronoipotato said, it’s technically closer to “is at least as strong as”. At this point I’d also have introduced the shorthand for T and F.

                                                                                                          1. 1

                                                                                                            Thanks for the clarification. I initially tried reading it as “implies”, then as a Haskell fat arrow, and neither made sense to me. Reading it as “is at least as strong as” makes a lot more sense.

                                                                                                          2. 1

                                                                                                            FWIW => is a pretty standard asciification of ⇒, and -> of →. Both of these symbols are used to mean material implication in mathematical writing. If you see them both in the same place, you’re probably looking at formal logic of some kind, and there’s likely an important technical difference between the two. I won’t get into Haskell or TLA+ syntax here, or even constructive vs classical logic, but yeah there are more subtle distinctions to be confused by here.

                                                                                                            When I have to explain ->, I just say P -> Q means (not P) or Q. Maybe write down a truth table. In my experience, even programmers can usually figure that out.

                                                                                                    2. 5

                                                                                                      As a closing note, why are programmers afraid of maths?

                                                                                                      My university mathematics ended after the third semester of calculus – a requirement that only existed because, where I went to school, computer science was part of the engineering department. Most working programmers with CS degrees got them from places that didn’t require them to go beyond one semester of calculus. A lot of working programmers don’t have degrees at all.

                                                                                                      Haskell evangelists make the claim that monads provide specific utility to everyday development tasks. Devs who want to determine whether or not this claim is true. Even if they knew it to be undoubtedly true, they would not generally be willing to go back to school & attend four semesters of mathematics courses in order to get incremental gains in reliability or productivity. (Working programmers have a tendency to ignore or avoid techniques that provide much more substantial gains in reliability & productivity because of much smaller initial learning curves than group & category theory.)

                                                                                                      One way to thread this needle is to stop claiming that the benefits of monads are accessible to developers who do not also have a graduate degree in mathematics. (This would probably kill some of the momentum behind the adoption of functional programming techniques – which, though hype-driven, is long overdue & is liable, if it continues, to substantially improve the general quality of software & make software that takes advantage of multiple cores a lot more common.) The other is to write explanations that, while wrong, are less wrong than what your average code monkey already believes about monads while being accessible to said code monkey. (This annoys everybody who knows more than the author, but provides some utility, since readers gain the confidence to actually use monads without fully understanding them.)

                                                                                                      1. 1

                                                                                                        (This annoys everybody who knows more than the author, but provides some utility, since readers gain the confidence to actually use monads without fully understanding them.)

                                                                                                        I wanna add that this is not even necessarily the case. Leaving information out and skewing details are very well known teaching methods. Take continuous functions as an example. In school they’re “functions that you can draw without taking the pen off the paper”. For a mathematician a more fitting explanation is “small changes in inputs cause relatively small changes in outputs”, since even continuous functions can have holes.

                                                                                                        1. 2

                                                                                                          Yup, ‘lies for children’ are almost unavoidable. It’s still annoying to read something when you’re not part of the target audience, though, which seems to be the complaint here – somebody with a strong background in category theory being irritated at the reminder that introductory materials exist.

                                                                                                      2. 5

                                                                                                        Programmers are afraid of math because they never learned it, obviously. We often only have one or two classes on proofs as a prerequisite for programming, and they are introduced near the end of our education. Mathematics without proofs is like painting by number. It’s no wonder most people feel alienated by it, they are asked to trust the conclusions of others without meaningful evidence. Most of these claims are often not readily available to the intuition. People who simply do as they are told and follow instructions perform quite well at “mathematics” as it is taught. The rest, those who are capable of questioning, would perform quite well at actually proving things are weeded out long before they would ever have any opportunity.

                                                                                                        1. 1

                                                                                                          I don’t think most programmers end up studying proofs in university at all. I only did because I took math electives, & most CS degree programmes are much less mathematical than the one I had.

                                                                                                        2. 4

                                                                                                          Writing clearly and concisely in a manner appropriate to the audience is a skill. The author managed this and I’m grateful.

                                                                                                          It would be good to see corrections in the same language (a mix of plain English and commonly-understood programming language).

                                                                                                          Explaining maths in maths doesn’t work very well when the audience aren’t necessarily mathematicians.

                                                                                                          It’s the same problem as programmers explaining programming concepts to non-programmers. Using plain English for this is a hard skill - harder than learning to program.

                                                                                                          1. 2

                                                                                                            There is no such thing as plain English. (If you still disagree, I respectfully invite you to formally define it.)

                                                                                                            I do not want the author to correct their monad tutorial; I would like the author to not write monad tutorials. Monad tutorials are deeply harmful. They do violence not only to the concept of monads, but to the audience’s ability to internalize concepts with their own personalized schemata and experiences.

                                                                                                            By analogy, I’d like to consider another concept which appears in many programming languages and which many people develop an intuition for: Numbers. Imagine if programmers were required to build up a working concept of what numbers are and how they work. Do you suppose that people would write number tutorials? Would they explain how numbers work by analogy? It’s easy enough for me to imagine that the author would write some copy along those lines:

                                                                                                            Imprecise definition: A number is a type that counts an object of another type. There is no direct way to get each of the ‘inside’ objects. Instead you ask arithmetic to act on the number for you. Numeric classes are a lot like classes implementing the composite pattern, but numbers are capable of returning something composed with another number.

                                                                                                            Would you really excuse them if they later tried to explain, formally:

                                                                                                            The concept of numbers comes from arithmetic.

                                                                                                            A number tutorial would be a folly precisely because we hope that folks will build a robust and flexible concept of numbers which can stretch beyond the integers or other familiar domains. Similarly, monad-tutorial-oriented teaching leaves students without a concept of what monads generally are, once we leave the computer and explore the wider world. How will folks learn about the monoidal behavior of monads without understanding that a monad is a certain sort of monoid? Category theory is the most generic formalism yet for discussing reality at large.

                                                                                                            Every programmer is a mathematician, as a matter of necessary practice. I studied music, not maths, but I nonetheless am not excused from mathematical thinking when writing code.

                                                                                                            1. 2

                                                                                                              You’ve never seen a tutorial about how to start with the everyday concept of counting numbers, and then build up more and more complicated notions of “number” from these until you reach octonions? (Or go down and define natural numbers in terms of ZFC?)

                                                                                                              1. 1

                                                                                                                I find it telling that you did not link to any sources. I can produce the evidence, but of course it will favor my position, as I am biased. We’ll look at constructing the reals from the naturals, the octonions from the reals, and natural numbers in ZFC.

                                                                                                                First, construction of real numbers. Let’s compare some sources. Wikipedia starts from the perspective that there are many different constructions, and that they all involve rational numbers. Wikibooks emphasizes the need to ground the reals in axiomatic foundations, and not to assume that they exist. In both cases, some prior knowledge is assumed; the construction isn’t from-scratch on a single page.

                                                                                                                Second, construction of octonions. Wikipedia mentions each step of the construction, including the familiar example of complex numbers. Baez is, to me, an extremely casual and friendly approach to the topic, but note that they do not drop formalities:

                                                                                                                It would be nice to have a construction of the normed division algebras ℝ, ℂ, ℍ, 𝕆 that explained why each one fits neatly inside the next. It would be nice if this construction made it clear why ℍ is noncommutative and 𝕆 is nonassociative. It would be even better if this construction gave an infinite sequence of algebras, doubling in dimension each time, with the normed division algebras as the first four. In fact, there is such a construction: it’s called the Cayley-Dickson construction.

                                                                                                                And, finally, natural numbers in ZFC. Wikipedia has answers and examples. In particular, Wikipedia contains an important note as its first line:

                                                                                                                Several ways have been proposed to construct the natural numbers using set theory.

                                                                                                        1. 2

                                                                                                          My comment comparing ADA in this case to the results of the Public Accomodations section of the Civil Rights Act was moderated out for “escalating racial politics” or some similar excuse - but most likely as a result of me complaining about a reply in which a white commentator writes in what he must think is black dialect to tell me what he imagines people “in the hood” think. That is utter bullshit and perhaps it’s time to say goodbye.

                                                                                                          1. 2

                                                                                                            Please don’t leave. If you find the energy, reach out to me in PM and we can discuss this.

                                                                                                            1. 2

                                                                                                              I didn’t read the comment you mentioned so I’m not gonna make a judgement there, but I also find neither the deletion message nor leaving @arp242 comment appropriate, since in my opinion it leaves the reader with a different impression of what was actually discussed. Also if @nickpsecurity’s comment was the reason for deleting the thread then why not delete from that node onwards? ping @pushcx.

                                                                                                              1. 3

                                                                                                                I pruned from vyodaiken’s first comment about the Civil Rights Act because it was off-topic. I considered going from nickpsecurity’s respones down, but vyodaiken flaming him made me think it better to take the whole thing rather than get paged into this running off-topic argument over and over. The topic is a hell of a lot bigger, more important, and less relevant to computing than Lobsters can host. Vyodaiken PM’d to say he was leaving unless I restored it and then did so.

                                                                                                                1. 1

                                                                                                                  thanks for the clarification!

                                                                                                            1. 4

                                                                                                              very nice and fitting soundtrack for the intro!

                                                                                                              edit: the soundtrack is in general quite impressive.

                                                                                                              1. 3

                                                                                                                Yeah it’s really good, kind of has a Hotline Miami vibe.

                                                                                                                1. 2

                                                                                                                  Wow I didn’t know Hotline Miami, thanks for the mention, it has a really nice soundtrack.

                                                                                                                  1. 1

                                                                                                                    Jonatan Söderström the maker might be a genius indie game dev… all his stuff has a very ANSi ascetic with super focused gameplay and rad music. It’s inspiring when one dev makes a game that good.

                                                                                                                1. 2

                                                                                                                  Are all these things prototyped and tested in realistic use cases prior to being finalized in the standard?

                                                                                                                  1. 1

                                                                                                                    gcc, clang, and msvc often have these features hidden behind experimental flags before the proposals are even approved, so the features certainly get tested in running code, and often also in production as the link from @tt points out:

                                                                                                                    Most major C++20 features have been implemented in essentially their current draft standard form in at least one shipping compiler, and in most cases actually used in production code (i.e., has already been released to customers who are very happy with it). For example, coroutines (adopted only five months ago as of this writing) has been used in production in MSVC for two years and in Clang for at least a year with very happy customers at scale (e.g., Azure, Facebook).

                                                                                                                    1. 6

                                                                                                                      Here’s a tip: if you’re thinking about a short-term rental of someone’s private property but worry that they are going to film you to make their own porn, perhaps a simpler solution than “hey learn how to scan a network for data packets” is “stop fooling yourself that renting someone’s private house/apartment for two days is a good idea”.

                                                                                                                      1. 14

                                                                                                                        “stop fooling yourself that renting someone’s private house/apartment for two days is a good idea”.

                                                                                                                        How did you come to this conclusion? where’s your data? did you have bad experiences? is this something that you’ve actually thought about for more than 15 seconds straight? or should we assume that was a knee-jerk reaction kind of opinion?

                                                                                                                        I’m not a big fan of Airbnb because of the issues with rent prices and gentrification they’re causing across European cities, but so far my experience renting the private houses/apartments of others often in the range of 2 days, and renting out my own while traveling has been pretty positive. Obviously my opinion is purely anecdotal, so I’m looking forward to hear your non anecdotal reasoning since you seem so confident that it’s not a good idea.

                                                                                                                        1. 7

                                                                                                                          If you need some deep explanation about why trusting some stranger to provide you accomodation for a short term is less safe than trusting a regulated business to do the same, I can’t help you.

                                                                                                                          Airbnb is to Hotels what Uber is to taxis, and Uber is basically hitchhiking but you pay for the privilege.

                                                                                                                          1. 7

                                                                                                                            If you need some deep explanation about why trusting some stranger to provide you accomodation for a short term is less safe than trusting a regulated business to do the same, I can’t help you.

                                                                                                                            This is not what you were claiming. 97% safety is less than 98%, but both might still be relatively safe. You are claiming it’s a bad idea. Also a constructive explanation doesn’t have to be a deep dive. It seems you can’t properly articulate the reasons for your opinion, which is okay, but then you might be in no place to make a sober judgement about how good or bad something is.

                                                                                                                            For the record, said stranger has to trust you with their house as well. Financially Airbnb is more of a security risk to the host, than it is for the guest, or at least that was my experience.

                                                                                                                            Airbnb is to Hotels what Uber is to taxis, and Uber is basically hitchhiking but you pay for the privilege.

                                                                                                                            This has nothing to do with the topic, but I find it incorrect nonetheless. I’ve hitched-hiked a plenty, short distance, long distance, and across borders in both Europe and Africa. I sometimes had to wait hours or days, walk for kilometers next to the highway to reach the next gas station or shop, and change course completely just to get a ride. I never had to do any of that with Uber.

                                                                                                                            1. -6

                                                                                                                              It’s a completely unregulated business model, that specifically works by breaking laws in the name of profits.

                                                                                                                              For the record, said stranger has to trust you with their house as well.

                                                                                                                              That would be a reason that letting strangers into your house for short stays is fucking stupid. Which it is, but that isn’t what the article is about.

                                                                                                                              I sometimes had to wait hours or days, walk for kilometers next to the highway to reach the next gas station or shop, and change course completely just to get a ride.

                                                                                                                              Congratulations, you’ve successfully missed the entire fucking point. Have a gold star.

                                                                                                                              1. 7

                                                                                                                                For the record, said stranger has to trust you with their house as well.

                                                                                                                                That would be a reason that letting strangers into your house for short stays is fucking stupid. Which it is

                                                                                                                                No more than, say, letting strangers run code on your computer. Yet we all do that every day.

                                                                                                                                In practice, there’re not complete “strangers” in the sense of “random person”. There are trust systems in the form of reviews. It’s not perfect, but does make a significant impact, since you won’t be able to rent out your place if you get a bunch of negative reviews. So replying to your other comment (“hotel management/owners and staff all have a vested interest in preventing it from happening”), AirBnB landlords have just as much a vested interest in preventing stuff like this from happening as hotel management: they will lose business.

                                                                                                                                Are there bad or sketchy AirBnB hosts? Undoubtedly. But then again, there are also bad or sketchy hotels, and if you’re a bit careful it’s not too hard to avoid either.

                                                                                                                                On a deeper level, we all have to choose if we want to live our lives in perpetual fear of “strangers”, or just accept that sometimes we have a negative experience. My personal experiences with letting strangers stay at my house (mostly through CouchSurfing) have been overwhelmingly positive, and my life would be poorer if I hadn’t. It would be foolish to be naïve, but turns out most people aren’t all that bad.

                                                                                                                                1. 1

                                                                                                                                  Does regulation prevent someone from installing hidden cameras? There’s certainly evidence against it. But if you want to tell a few fucking people to fucking fuck off, because they’re fucking fucktards and fucking disagree with you, that’s fucking alright.

                                                                                                                                  1. 3

                                                                                                                                    It creates strong incentives for those running the business to prevent such occurrences.

                                                                                                                              2. 5

                                                                                                                                The idea that hotels, taxis, etc., are inherently more reputable than “strangers” strikes me as a naive stance. Here in Montreal, taxi drivers have long had scummy practices, including pretending their credit card machines aren’t working and offering to drive you to an ATM machine.

                                                                                                                                The only reason governments crack down on Uber, Airbnb, etc., is probably the money they get from taxi/hotel permits and whatever else ancillary fees.

                                                                                                                                1. 2

                                                                                                                                  This can also happen at a hotel, as stated in the article.

                                                                                                                                  1. 7

                                                                                                                                    And the hotel management/owners and staff all have a vested interest in preventing it from happening.

                                                                                                                            1. 15

                                                                                                                              I’d be curious to know what information is available about the discovery of such devices in the wild. How many Airbnb’s do I need to stay at to find a hidden camera?

                                                                                                                              1. 1

                                                                                                                                Me too, I’d be also quite interested in the geographical distribution of such devices!