Threads for panic

  1. 2

    Some of the examples are compressed and end up with something like this shell

    eval(unescape(escape``.replace(/u../g,"")))
    

    in order to keep the post under 140 characters

    It would be nice if, as a user, one was presented with uncompressed code and the compressed code

    Apart from that very interesting, similar to shadertoy

    1. 2

      I don’t know if this has changed in the last 20 minutes, but if you go to the new beta UI ( https://beta.dwitter.net/ ) then there is a toggle to switch between the compressed and uncompressed versions.

      1. 1

        Thanks, you are right, it is in the beta; I only checked the default site

    1. 1

      How does one use a parallel port device nowadays?

      1. 1

        The short answer is you either use an older motherboard with a built-in parallel port, or you use an add-in card that adds a port via PCIe. As far as I understand, the PCIe cards are “real” parallel ports, but USB to LPT adapters don’t work properly for anything that’s not a printer.

      1. 10

        Ready to give it a shot? Make sure to update your macOS to version 12.3 or later, then just pull up a Terminal in macOS and paste in this command:

         curl https://alx.sh | sh
        

        Pay close attention to the messages the installer prints, especially at the end!

        Installing an operating system with curl | sh? Well, I’ve done riskier things to my machines before.

        1. 12

          at this point isn’t that essentially what home-brew is? :D

          1. 7

            How’s that different security-wise from downloading an ISO and running it at boot time?

            1. 4

              In general a shell script is easier to man in the middle.

              In this specific case since it is https you are right there is not much difference.

              Assuming most people will copy-paste the command from a web browser into the terminal, there is also the possibility of some CSS/Unicode trickery

              1. 3

                You can verify the integrity of the ISO with a SHA and/or verifying signatures with the vendor’s public key. You could do this with the shell script by downloading it, verifying it, checking to ensure that it verifies the ISO it downloads, and then running it.

                Simply doing curl | sh skips all of this.

                1. 5

                  curl verifies the script with the vendor’s public key too, that’s what https does.

                  As far as I can tell, the big difference is the sh step gets to live in your running OS with the disks mounted, but that’s it.

                  1. 1

                    It also skips any passive vulnerability scans such as the known-exploit signature checks and virus scans that are common in browsers now. So if the site is compromised and they are providing file hashes that will validate their exploit script then a browser downloading the same script and/or ISO would have a chance of catching it.

                  2. 2

                    You can easily do curl > file and verify to your heart’s content. :)

                    1. 2

                      Yeah, that’s why I’m always surprised to see websites instruct users to curl | sh when they could tell users to curl > file && sha256sum file, cross-check the sum, and then sh file at least.

                      1. 9

                        I mean, if the script, the checksum, and the instructions to check the checksum are all served from the same https server, you don’t actually gain anything by checking the checksum.

                        1. 2

                          As the downloader you don’t gain anything directly, but as the publisher it would require an attacker to change the content of the site, which is another opportunity for detection. Not anywhere near complete protection but an additional low-cost security layer.
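
The download, verify, then run sequence discussed in this thread, as an added example that is not part of any comment above. `run_verified` and `sha256_of` are hypothetical helper names, and the expected digest is assumed to come from a channel other than the server that hosts the script (the point raised about same-server checksums).

```shell
#!/bin/sh
# Added illustration: verify a downloaded installer against a pinned SHA-256
# digest before executing it, instead of piping curl straight into sh.
# Helper names are hypothetical; nothing here contacts the network.

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
# Reading from stdin keeps the file name out of the tool's output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | cut -d' ' -f1
    else
        echo "sha256_of: no SHA-256 tool found" >&2
        return 2
    fi
}

# run_verified FILE EXPECTED_SHA256
# Returns 2 on a usage or tooling error, 1 on a digest mismatch, and otherwise
# the exit status of the script itself.
run_verified() {
    rv_file=$1
    # Accept upper- or lower-case hex, compare in lower case.
    rv_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Reject anything that is not exactly 64 hex characters.
    case $rv_expected in
        ''|*[!0-9a-f]*)
            echo "run_verified: expected digest is not hex" >&2
            return 2 ;;
    esac
    if [ "${#rv_expected}" -ne 64 ]; then
        echo "run_verified: expected digest must be 64 hex characters" >&2
        return 2
    fi

    # Hash and execute a private copy, so the bytes that were checked are the
    # bytes that run even if FILE is modified in between.
    rv_work=$(mktemp "${TMPDIR:-/tmp}/run_verified.XXXXXX") || return 2
    if ! cat "$rv_file" > "$rv_work"; then
        rm -f "$rv_work"
        return 2
    fi

    rv_actual=$(sha256_of "$rv_work") || { rm -f "$rv_work"; return 2; }
    if [ "$rv_actual" != "$rv_expected" ]; then
        echo "run_verified: digest mismatch, refusing to run $rv_file" >&2
        echo "  expected: $rv_expected" >&2
        echo "  actual:   $rv_actual" >&2
        rm -f "$rv_work"
        return 1
    fi

    rv_status=0
    sh "$rv_work" || rv_status=$?
    rm -f "$rv_work"
    return "$rv_status"
}

# Typical use (URL and digest are placeholders, not values from this page):
#   curl -fsSLo install.sh https://example.invalid/install.sh
#   run_verified install.sh "<digest obtained through a separate channel>"
```
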

              1. 3

                Authors of books often use ancient word processors, like WordStar or WordPerfect, because that’s what they’ve already spent the time learning. Sitting in front of their vintage computers using vintage word processors, they don’t have to think about their tools, and can focus 100% on actually writing (not that this seems to work very well for George R.R. Martin…)

                Programming is much the same. If you’re most comfortable using a totally out of fashion editor, because that’s what you learned ages ago, don’t let anyone try to convince you to use anything else.

                I was a vim user, then became an emacs user with evil mode, and I learned the ropes before I became a full time programmer. My colleagues are largely using vscode, but I don’t see any reason to switch, now that my setup is working great for me.

                1. 4

                  I still use vim for two reasons:

                  • It works everywhere. VS Code’s remote extension doesn’t work on FreeBSD, definitely doesn’t work on FreeBSD/arm64, so I can’t use it for a large chunk of the development that I do. I don’t want to move between editors on a daily basis because it increases cognitive load and gives less spare brain for thinking about the code.
                  • I have used it so much that the shortcuts that I use all of the time are completely ingrained.

                  The second is very much the sunk-cost fallacy. If I switched to an editor that could improve my productivity long term, then the fact that I’d probably have a few months of re-training my fingers is a relatively small cost. I’d happily switch to something better if it worked everywhere. The lack of an iOS version of something like VS Code makes me a bit nervous because most of the time I’m sitting in front of a physical computer, it’s running Windows, macOS, Android, or iOS and if I can’t install the editor on all of them then there’s a danger of needing to switch between them based on the device I’m using, but it doesn’t worry me too much because most of the time I’d want to use an iPad it would be for remote development and the browser-based version of VS Code is fine there. The limitations of the remote extension worry me a lot more because if it can’t even support FreeBSD (which, let’s be honest, is basically the same as Linux or macOS to the extent that a toolchain should care about) then there’s no chance that it will support whatever the next big thing is until long after it’s big.

                  1. 2

                    The more experienced I become, the more I value tool chains that are available everywhere and simple

                    Git pull ; vim ; make ; run

                    It is great to be able to deploy a simple fix this way

                    I feel make along with vim are unsung heroes

                    1. 3

                      I’d substitute cmake for make there. CMake might not be installed out of the box everywhere, but getting a CMake project to build on Windows is far less painful than trying to get make to work. POSIX Make is completely useless and so any non-trivial project tends to use vendor extensions. The bmake and gmake extensions are incompatible (Solaris Make, last I checked, did little beyond POSIX), so on any non-GNU platform you’re likely to need to install gmake as an optional extra anyway and at that point I’d rather have CMake and Ninja.

                  2. 3

                    No doubt Martin uses whatever he likes when writing, but at least in the rest of the publishing chain Word is ubiquitous:

                    http://www.antipope.org/charlie/blog-static/2013/11/cmap-why-do-you-use-microsoft-.html

                    (Although I’m pretty sure Martin has an actual staff while Stross is still very much a one-man show)

                    1. 4

                      For what it’s worth, I wrote all four of my books in vim and typeset them using LaTeX. The publisher required me to send camera-ready PDFs (thank you crop package) and to match their in-house style as closely as possible (the only difficult bit of this was the layout of the copyright page) but then just skipped a load of the steps. Oh, and the really nice thing about doing it this way is that you give the copy editors and proof readers an immutable format so that they can’t make changes, they can just request changes and I have to review each one and apply it, so when they make a ‘correction’ that incorrectly changes the meaning I can ignore it.

                      They didn’t have a good process for going from PDF to HTML and so completely messed up the formatting of the ePub editions of the first one. After that, I restricted myself completely to semantic markup in the TeX and wrote a small tool that dumped it as XHTML with styles reflecting the semantics so that they could style it however they wanted (I used libclang to parse my examples, so the XHTML included things like class-name, local-variable, argument, and so on).

                      1. 1

                        Charlie does all the writing himself. I know he’s tried out Scrivener and other tools on occasion. There’s a small group of volunteers who moderate his blog and provide technical support for various things, and a larger but still quite small group of beta-test readers.

                      2. 1

                        If you’re most comfortable using a totally out of fashion editor, because that’s what you learned ages ago, don’t let anyone try to convince you to use anything else.

                        I don’t believe for many the reason to stick with a simpler editor is just due to convenience, or because they don’t want to learn new things.

                        For example I’ve started with the Turbo Pascal IDE, then switched to Visual Basic and Visual Studio C++ (both before .NET existed), then I’ve used Eclipse quite extensively for Java, and for some period even used the JetBrains IDE variant for Ruby, but I found that fiddling with them on each release, on each update, trying to navigate through the countless windows, pop-ups, menus, auto-complete, etc., took more time than what they were worth… (In fact from the early days of using Visual Studio I’ve disabled syntax highlighting and auto-complete, as I found them more distracting than useful.)

                        Thus I believe that for many the simplicity plays a key role. (At least for me it does.)

                      1. 20

                        After I learned about “ci” in vim I got hooked. All of a sudden replacing text in quotes became as simple as ci” and now I’m having a hard time using other editors. Sometimes a little detail is all that it takes.

                        1. 8

                          This was extremely helpful thanks.

                          Just to clarify to others. In vim if you are on a word “c” starts a change and the next keystroke determines what will be changed. For example, “c$” removes text from where the cursor is to the end of the line.

                          Now what is new for me is vim has a concept of “inner text”. Such as things in quotes, or in between any two symmetric symbols. The text between those two things is the “inner text”.

                          For example, in this line, we want to change the “tag stuff” to “anything”.

                          <tag style="tag stuff">Stuff</tag>
                          

                          Move the cursor anywhere between the quotes and type ci then a quote and you are left with

                          <tag style="">Stuff</tag>
                          
                          1. 8

                            This is a good example of why to me learning vi is not worth the trouble. In my normal editor, which does things the normal way, and does not have weird modes that require pressing a key before you are allowed to start typing and about which there are no memes for how saving and quitting is hard, I would remove the stuff in the quotes by doing cmd-shift-space backspace. Yes, that technically is twice as many key presses as Vi. No, there is no circumstance where that would matter. Pretty much every neat Vi trick I see online is like “oh if you do xvC14; it will remove all characters up to the semicolon” and then I say, it takes a similar number of keystrokes in my editor, and I even get to see highlight before it completes, so I’m not typing into a void. I think the thing is just that people who like to go deep end up learning vi, but it turns out if you go deep in basically any editor there are ways to do the same sorts of things with a similar number of keystrokes.

                            1. 14

                              There is not only the difference in the number of keystrokes but more importantly in ergonomics. In Vim I don’t need to hold 4 keys at once but I can achieve this by the usual flow of typing. Also things are coherent and mnemonic.

                              E.g. to change the text within the quotes I type ci”(change inner “) as the parent already explained. However this is only one tiny thing. You can do all the commands you use for “change(c)” with “delete(d)” or “yield(y)” and they behave the same way.

                              ci”: removes everything within the quotes and goes to insert mode

                              di”: deletes everything within the quotes

                              yi”: copies everything within the quotes

                              d3w, c3w, y3w would for example delete, replace or copy the next 3 words.

                              These are just the basics of Vim but they alone are so powerful that it’s absolutely worth learning them.

                              1. 3

                                Just a small correction; I think you meant “yank(y)” instead of “yield(y)”.

                                1. 1

                                  Haha yes thanks I really got confused :)

                                2. 2

                                  And if you want to remove the delimiters too, you use ‘a’ instead of ‘i’ (I think the logic is that it’s a variation around ‘i’ like ‘a’ alone is).

                                  Moreover, you are free to choose the pair of delimiters: “, ’, {}, (), [], and probably more. It even works when nested. And even when the nesting involves the same delimiter. foo(bar(“baz”)) and your cursor is on baz, then c2i) will let you change bar(“baz”) at once. You want visual mode stuff instead? Use v instead of c.

                                  This goes on for a long time.

                                3. 6

                                  One difference is that if you are doing the same edit in lots of places in your editor you have to do the cmd-shift-space backspace in every one, while in vi you can tap a period which means “do it again!” And the “it” that you are doing can be pretty fancy, like “move to the next EOL and replace string A with string B.”

                                  1. 2

                                    Sublime Text: ctrl+f search, ctrl+alt+enter select all results, then type your replacement.

                                    1. 2

                                      Yeah I just do CMD-D after selecting a line ending if I need to do something like that.

                                  2. 3

                                    I would remove the stuff in the quotes by doing cmd-shift-space backspace

                                    What is a command-shift-space? Does it always select stuff between quotes? What if you wanted everything inside parentheses instead?

                                    and then I say, it takes a similar number of keystrokes in my editor, and I even get to see highlight before it completes, so I’m not typing into a void

                                    You can do it that way in vim too if you’re unsure about what you want, it’s only one keypress more (instead of ci" you do vi"c; after the " and before the c the stuff you’re about to replace will be highlighted). You’re not forced to fly blind. Hell, if your computer is less than 30 years old you can probably just use the mouse to select some stuff and press the delete key and that will work too.

                                    The point isn’t to avoid those modes and build strength through self-flagellation; the point is to enable a new mode of working where something like “replace this string’s contents” or “replace this function parameter” become part of your muscle memory and you perform them with such facility that you don’t need feedback on what you’re about to do because you’ve already done it and typed in the new value faster than you can register visual feedback. Instead of breaking it into steps, you get feedback on whether the final result is right, and if it isn’t, you just bonk u, which doesn’t even require a modifier key, and get back to the previous state.

                                    1. 2

                                      What if you wanted everything inside parentheses instead?

                                      It is context sensitive and expands to the next context when you do it again.

                                      Like I appreciate that vi works for other people but literally none of the examples I read ever make me think “I wish my editor did that”. It’s always “I know how I would do that in my editor. I’d just make a multiselection and then do X.” The really powerful stuff comes from using an LSP, which is orthogonal to the choice of editors.

                                    2. 2

                                      I do not disagree. For vim, as for your editor, the process is in both places somewhat complex.

                                      Like you I feel I only want to learn one editor really well. So I choose the one which is installed by default on every system I touch.

                                      For which I give up being able to preview what happens and some other niceties. Everything is a tradeoff in the end

                                    3. 2

                                      In a similar way, if you want to change the actual tag contents from “Stuff” to something else:

                                      <tag style="tag stuff">Stuff</tag>
                                      

                                      you can use cit anywhere on the line (between the first < and the last >) to give you this (| is the cursor):

                                      <tag style="tag stuff">|</tag>
                                      

                                      Or yit to copy (yank) the tag contents, dit to delete them etc.. You can also use the at motion instead of the it motion to include the rest of the tag: yat will yank the entire tag <tag style="tag stuff">Stuff</tag>.

                                      Note that this only works in supported filetypes, html, xml etc., where vim knows to parse markup tags.

                                    4. 2

                                      I really like that I keep stumbling on tidbits like this one that continue to improve my workflow even further.

                                    1. 3

                                      What is the evolutionary advantage of synchronized flashing?

                                      1. 5

                                        https://www.livescience.com/32688-fireflies-synchronous-flashes-are-booty-calls-study-reveals.html

                                        In firefly mating rituals, the males cruise by, flying around and flashing their signals to let the ladies know that they are looking for love.

                                        Meanwhile, female fireflies wait in the leaves, observing the males’ flashes. Each waits for a specific pattern of blinking light sequences are unique to each species. When they spot a pattern that they like, they flash the same signal back at the male as an invitation to come on over.

                                        Scientists estimate that, of the roughly 2,000 species of fireflies around the world, only about 1 percent synchronize their flashes in large groups. However, flashing Photinus fireflies are very common, especially in North America. They evolved to flash in synchronizing patterns as a solution to specific behavioral, environmental or physiological conditions, said Moiseff.

                                        Synchronous species of fireflies are often found in high densities, making it hard for female fireflies to see and register a lone male firefly’s signal. This suggests that there is a problem in the female’s information processing, which group synchronized flashing seems to compensate for, according to the study.

                                        But once a female sees the mass synchronized signal and responds, how does she decide who in the group is to be her paramour?

                                        “In the field, under natural conditions, we find that a responding female Photinus carolinus attracted several males,” Moiseff told Life’s Little Mysteries. “These males then cluster around her and interact among each other, as well as with the female.”

                                        Researchers do not know whether the female’s initial response is directed at a single male within the synchronous group, or whether she is responding nonspecifically to the group as a whole. But because her response flash attracts many males, it appears that she isn’t communicating with any individual male, Moiseff said.

                                        “Ultimately, however, she selected a single male to mate with,” Moiseff added. “The effect of this is that female choice is occurring separately from initial species recognition and attraction.”

                                        1. 2

                                          I’d be interested to know that too… although it may simply be that there is no evolutionary disadvantage to it and that’s why the behaviour has continued.

                                          1. 2

                                            You get a much brighter flash? I assume a single firefly is flashing with some kind of purpose (it’s a mating display for at least one species), so a bigger flash should be better.

                                            1. 2

                                              You get a bright collective flash, but how are you going to attract mates towards yourself? That’s what I find puzzling.

                                              1. 5

                                                If they’re able to attract mates from a much larger radius, then more of them will come, so perhaps everybody is better off.

                                                1. 1

                                                  Yeah, this suggests that flashing as a mating signal is limited to bringing potential mates into proximity. After that, flashing must not be a strong attractor, or synchronization would be strongly penalized. I’m guessing the synchronization is driven more by safety in numbers from predators.

                                              2. 1
                                              1. 1

                                                I actually prefer this explanation: http://web.mit.edu/Kerberos/www/dialogue.html, perhaps it’s helpful to others as well

                                                1. 18

                                                  Interesting read, with a few neat ideas (I liked the idea of local data caching).

                                                  Why no ECC RAM though? The Xeon supports it so it would be almost silly not to use it. Oh, and a SAS LTO-4 tape drive won’t cost much more than a SCSI LTO-3 drive but it’ll hold twice as much and almost certainly be faster.

                                                  1. 6

                                                    Thanks for the tips. I didn’t know about ECC ram. Is memory corruption pretty common?

                                                    1. 13

                                                      Good question. Jeff Atwood discussed exactly this issue in 2015 and Dan Luu followed up with some further discussion. I don’t think it’s absolutely necessary, but if your CPU supports it, why not?

                                                      Personally, I use it in every system I have that supports it. Yes, it’s more expensive, but why bother using something like ZFS (which I do) if you have no guarantee that bits aren’t getting flipped before they even reach the disk?

                                                      1. 10

                                                        Jeff Atwood cites Google as the case for not using ECC.

                                                        Emulating Google is also emulating Google’s mistakes.

                                                        There is some research to suggest memory corruption occurs especially at 8+ GB scales. Perhaps these problems scale with size so at 64GB it is likelier.

                                                        ECC in a personal machine is a trivial cost. At Google scale even trivial cost can matter, but in this case, unless this is a gaming toy use ECC. I mean why not?

                                                        Some HN discussion on the topic

                                                        https://news.ycombinator.com/item?id=14206811

                                                        1. 6

                                                          From that discussion:

                                                          While I was at Google, someone asked one of the very early Googlers (I think it was Craig Silverstein, but it may’ve been Jeff Dean) what was the biggest mistake in their Google career, and they said “Not using ECC memory on early servers.”

                                                      2. 2

                                                        Another benefit of tape you should’ve mentioned is increased longevity and better recovery. Many cheap mediums have worse longevity than they advertise. DVD-R’s, for instance, can become unreadable in mere years. Enterprise focus on future proofing with lots of tape use means it’s unlikely to disappear like Zip or MO’s. Less uncertainty than things like BluRay.

                                                        The only remaining comparison are to cheap RAID arrays. Idk where they are in price per GB right now.

                                                        1. 2

                                                          Great point, I’m drafting an update to the article and will include this.

                                                    1. 1

                                                      Well, while interesting, this requires users to install an application.

                                                      I find it somewhat more worrisome when information inserted into the dialer can be compromised through side channels such as sensors, which in the case of Android requires no authorization to listen to and cannot be turned off or fed invalid data. As such it seems trivial to capture pins and user ids that some organizations employ.

                                                      https://blogs.ncl.ac.uk/security/2016/02/05/touchsignatures-identification-of-user-touch-actions-and-pins-based-on-mobile-sensor-data-via-javascript/

                                                        1. 1

                                                          It will be very interesting to see how the enterprise vs consumer drives compare next year.

                                                          1. 1

                                                            If I were AMD or any Intel competitor there is an opportunity competing not just on performance but on trust and ownership. If I were them I would try to open up their equivalents like AMD Platform Security Processor and enjoy the more savvy crowd recommending their systems.

                                                            1. 5

                                                              Well, as much as I hate to say it: this was only a matter of time, seeing how this was addressed at one of the more recent CCC conventions and pretty much ignored by telecom providers.

                                                              1. 3

                                                                Indeed here are the ccc videos from the other thread

                                                                https://lobste.rs/s/fb0lqr/after_years_warnings_mobile_network#c_bwf3w2

                                                                As I said this is not the only example of insecure networks that put too much trust in the other network actors; Telecom, payment processing at point of sale, travel bookings all do this. In the end putting the ordinary users at risk.

                                                                While sad for the victims, maybe this turns the tide on the banning encryption debates in parts of Europe.

                                                              1. 2

                                                                Here is the talk from Engel https://media.ccc.de/v/31c3_-_6249_-_en_-_saal_1_-_201412271715_-_ss7_locate_track_manipulate_-_tobias_engel it is really interesting.

                                                                “Private” networks that do not employ encryption and validation need to stop.

                                                                Here is another example with the travel agencies networks https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carmen_sandiego

                                                                1. 1

                                                                  I find I tend to use !:x as in !:1 !:2 and so on instead of !$.

                                                                  !:x takes the x parameter from the previous command, so from “mv /test /nexttest” !:1 is /test.

                                                                  1. 1

                                                                    a) this looks really cool!

                                                                    b) python 2.7 or 3.x?

                                                                    c) “utilize the benefits of multi-threading with minimal concern about the implementation details.” http://i.imgur.com/2RRXCb7.gif?1

                                                                    1. 1

                                                                      This wraps concurrent.futures which were introduced in python 3.2. It’s less than 50 lines of code, and a good way to learn decorators, I recommend reading the source.