1. 2

      This is actually a good thing, because it offers plausible deniability for future Fappening-style leaks.

      1. 2

        Wait until you see what happens next election when another liberal woman is running for the Democrats. It won’t be pretty.

        1. 3

          Wait until you see what happens next election when another liberal woman is running for the Democrats. It won’t be pretty.

          The whole point is that if fakes are undistinguishable from real footage, video no longer matters. If you’re bothered by people masturbating to falsified videos, you have bigger problems than those that can be handled by reasoning.

          1. 3

            I agree, this cuts both ways. Any person “caught” in an actual documented embarrassing position can plausibly claim the footage was generated by a malicious party.

            In the end, this will probably create a market for cryptographically secured cameras, like some still cameras used for forensics.

            But there will be a lot of turmoil before this all shakes out.

            1. 3

              this will probably create a market for cryptographically secured cameras, like some still cameras used for forensics

              I think this is going to have to happen for all video and camera devices and content over time. Otherwise the whole notion of video or photographic “evidence” is going to go out the window, along with all the law and precedent that’s been built up on it for decades, casting us completely adrift in a sea of post-truth.

      1. 11

        I think I mostly agree with the premise here. I tried freebsd but I had a hard time being happy with it compared to simply using a systemd-less linux like void or alpine.

        OpenBSD on the other hand fascinates me, mostly because of the security focus and overall simplicity, I think part of that idea of focused goals is the same reason I’ve been starting to keep up with DragonFlyBSD development, the drive to do something different than the mainstream can be a strong motivator of interest.

        But realistically, I don’t see something like FreeNAS dying anytime soon, some of my IT friends swear only by it.

        1. 20

          I love running FreeBSD. I run Void whenever I have to run Linux, but honestly running FreeBSD is so much fun. The system makes so much sense, there are so few running processes. Configs are kept in the right places, packages that are installed just work, upgrades almost never broke anything, and in general there was a lot less fiddliness. I want to run Void from time to time to get the new and shiny (without having to build it for a custom platform), but in both Debian and Void (the systems I run), packages are of varying quality, and upgrades are always stressful (though Void’s running release nature makes it less so). FreeBSD’s consistency also makes me feel a lot less scared about opening it up and fiddling with the insides (such as trying my hand at creating my own rc unit runner or something), whereas with Linux I often feel like I’m peering at the edge of a Rube Goldberg machine.

          Oh and don’t get me started on the FreeBSD Handbook and manpages. Talk about documentation done right.

          1. 6

            “Rube Goldberg machine” is a great description for much of the Linux world. Especially Debian-style packages with their incredibly complex configuration hooks and menus and stuff.

            My favorite feature of pkgng is that packages do not add post-install actions to other packages :)

            1. 1

              I still can’t get over the fact that installing a deb service on a Debian-based distribution starts the service automatically? Why was that ever considered a good design decision?

              I personally run Gentoo and Void. I had FreeBSD running really well on an older X1 carbon about two years back, but the hardware failed on the X1. I do use FreeBSD on my VPS for my openvpn server, but it seems like FreeBSD is the only one supported on major VPSes (Digital Ocean, Vultr). I wish there was better VPS support for at least OpenBSD.

            2. 2

              Don’t get me wrong, I like FreeBSD, I’ve just never felt the same fascination towards it that I do with OpenBSD, DragonflyBSD, Haiku, ReactOS or Harvey. But perhaps that’s a good thing?

              I guess the main thing is I’ve never been in a situation where I didn’t need to use Linux / Windows and couldn’t use OpenBSD.

              1. 5

                FreeBSD seems to do less in-house experimental stuff that gets press. Dragonfly has the single-system image clustering long-term vision, OpenBSD is much more aggressive about ripping out and/or rewriting parts of the core system, etc.

                I do feel most comfortable with the medium-term organizational future of FreeBSD though. It seems to have the highest bus factor and strongest institutional backing. Dragonfly’s bus factor is pretty clearly 1: Matthew Dillon does the vast majority of development. OpenBSD’s is slightly higher, but I’m not entirely confident it would survive Theo leaving the project. While I don’t think any single person leaving FreeBSD would be fatal.

                1. 3

                  I’m not entirely confident it would survive Theo leaving the project

                  There is no reason to worry about that: http://marc.info/?l=openbsd-misc&m=137609553004700&w=2

                  1. 2

                    FreeBSD seems to do less in-house experimental stuff that gets press

                    The problem is with the press here. CloudABI is the most amazing innovation I’ve seen in the Unix world, and everyone is sleeping on it ;(

              2. 3

                I tried freebsd but I had a hard time being happy with it compared to simply using a systemd-less linux like void or alpine.

                The Linux distro that’s closest to the *BSD world is Gentoo - they even named their package management system “Portage” because it’s inspired by *BSD ports.

                1. 2

                  As a long time OpenBSD & Gentoo user (they were my introduction to BSD & Linux respectively and I’ve run both on servers & desktops for years), I strongly disagree. If I wanted to experience BSD on Linux, Gentoo would be the last thing I’d look at.

                  1. 1

                    If I wanted to experience BSD on Linux, Gentoo would be the last thing I’d look at.

                    Then you are way off the mark, because the closest thing to *BSD ports in the Linux world is Gentoo’s Portage and OpenRC is the natural evolution of FreeBSD’s init scripts.

                    1. 5

                      Over the past decade, I’ve used ports once or twice. Currently I don’t have a copy of the ports tree. At this day and age, ports & package management are among the least interesting properties of an operating system (if only because they all do it well enough, and they all still suck). OpenRC might be ok, but the flavor of init scripts doesn’t exactly define the system either.

                      My idea of BSD does not entail spending hours fucking with configs and compiling third party packages to make a usable system. Maybe FreeBSD is like that? If so, I’m quite disappointed.

              1. [Comment from banned user removed]

                1. 3

                  Accusations of bribery are really a low blow.

                  1. [Comment from banned user removed]

                    1. 5

                      It’s a tech acquisition, so the profit of the company is of no interest.

                      The technology of RIL is of interest for Mozilla, which is the vendor of Firefox, but also so much more.

                      Also, I kind of shrug at “10s of millions”. A million is about the price you need to hire 5-10 engineers for a year, depending on where you are. Software is expensive.

                      Jumping to bribery without anything else but pointing at “they bought a non-profitable company” is malicious, yes!

                      1. 2

                        The technology of RIL is of interest for Mozilla

                        How so? It’s yet another rehash of that trivial “save web pages for offline/later reading” concept. No technological innovation whatsoever, no interest among Firefox users either.

                  2. 1

                    If you want to choke just read the Mozilla Foundation’s financial disclosures

                    1. 2

                      Where are these hosted? I can only find general accounting information, without specific spending breakdowns.

                  1. 1

                    Linode already rebooted its hosts for the Meltdown fix. It will probably have to do it again for Spectre fixes, when they stabilise.

                    1. 58

                      The successful applicant will be hired as freelancer (independent contractor) through the Mozilla Foundation’s third-party service Upwork (www.upwork.com).

                      Terrible idea, for a corporation with a revenue of $520,000,000 in 2016. Upwork is extremely humiliating for programmers.

                      For hourly contracts they take random snapshots of your desktop in 10-minute intervals and they measure your mouse movements and key presses to show your activity, because design doesn’t matter, only implementation. Then they take a 2.75% cut from the client, a 20% cut from the freelancer plus extra wire transfer fees when your hard earned funds are available, some 4 weeks later, after they earned interest for Upwork.

                      Then they decided to punish those freelancers who did not upload silly promotional videos on their profiles by forcing them to have video calls for “verification” or get suspended from the platform.

                      Fuck Upwork and fuck Mozilla.

                      1. 23

                        Ugh, yes. I can totally see why they hire through external agencies, but this is totally at miss with their stated goals. Even if they don’t use the feature (it’s not necessary on fixed contracts), they shouldn’t work with a company that even does this. Independent of whether this even makes sense or not.

                        (Yeah, and it’s complete bullshit, as - especially in programming - my thinking time needs to be paid)

                      1. 1

                        They should put this in a cheap laptop - a 15’’ one, not those silly netbooks.

                        1. 5

                          Snapdragon SoC laptops are supposed to arrive 18Q1. I suspect that they will be followed by other ARM based SoCs soon after.

                        1. 2

                          basically a solution in search of problems

                          Remember when LASER was called a solution in search of a problem? I hope we can find some use for distributed blockchains after the speculation bubble bursts.

                          1. 5

                            Easier to figure out some if you say audit logs like they used to be called. There’s piles of applications of them in the literature for both accounting and CompSci. Just think distributed as you explore each one. Can still use regular, efficient tech with replication, distributed checking, and signatures, too. Kind of like banks and DVCS’s whose ecosystems are still going strong.

                            1. 3

                              No?

                            1. 15

                              Please do, so I get the chance to learn something new. I’d rather be annoyed by off-topic discussions than not be aware of the more serious issues discussed.

                              1. 10

                                Agreed. I’ve got enough critical thinking skills to dig around in the context of a mail. Hell, most folks get looped into threads like this at work on random occasion and that’s exactly what you do. You follow the reply/response chain up to understand anything you feel like you missed.

                                1. 3

                                  Not relevant to the discussion here, but people randomly looping in other people into email threads without providing at least a summary of the situation as they see it is pretty damn rude.

                                  It depends on the situation of course, but I usually note in my communication why this person was added: “Adding NN to the conversation to provide input, in light of their role as customer contact” or similar.

                                  Personally, I filter all emails with my contact in the CC list into a specific folder to avoid noise in my main email inbox.

                              1. 40

                                Almost anyone just reads the mail, but not the mail it was a reply to or the discussion that comes out of it.

                                What makes you think this is true? I always read the surrounding thread.

                                I have found many of these links very interesting and feel they are legitimate posts for Lobsters.

                                1. 6

                                  General experience with the discussions that burst out below. Exceptions make the rule, as they say.

                                  Also, in the linked example, a lot of what Theo was referring to was in topics a couple of days away, so establishing context isn’t always “click previous, click followup”.

                                  1. 8

                                    Exceptions make the rule, as they say.

                                    No. “Exceptio probat regulam in casibus non exceptis” means that if there is an explicit rule regarding exceptions then there exists an implicit rule from which those exceptions are derived.

                                    1. 2

                                      I saw the pattern you were talking about. It seemed part of a larger one being really eager to speak but lazy about reading. I second your proposal of no mailing list threads unless it’s an independent write-up with context included so people see big picture at a glance.

                                      1. 2

                                        I agree and disagree. I agree that if we’re going to ban deep linking into threads then sure a write up would be ok.

                                        But, I would rather posit a second option, which amounts to when linking to a thread we link in a comment to the specific post that is at issue with the link to the top of the thread as the article link. Thus trying to encourage everyone to read the context that surrounds the post and allowing everyone to come to their own conclusions as to the post in its original context.

                                        I say this as while I’d love independent write-ups, noticing how every write up or news post can skew things ever so slightly I would rather encourage everyone to read through the original source material.

                                        I would propose the same rule for forum posts, I wouldn’t expect write ups in all cases and think that requirement would just discourage discussion over the actual issue at hand, if any.

                                        1. 2

                                          “I say this as while I’d love independent write-ups, noticing how every write up or news post can skew things ever so slightly I would rather encourage everyone to read through the original source material.”

                                          This is a good point. The Dalmore memo discussions were a good example of that.

                                    2. 1

                                      Personally, I try to get the context but I’ll admit that I can get a bit lazy with it. And my reflex is also a bit to do meta-discussions on communication.

                                      Unlike something like a Github issue, a bit more effort is required to get the full context. Not a huge amount, of course, but enough. Not to mention double-quoting and whatnot confusing people.

                                      Perhaps linking to the first e-mail in the chain will force people to read through stuff? Not sure how doable that is

                                    1. 2

                                      The problem is that bean counters like metrics, so programmers go along with code line test coverage, even if they know that the only test coverage that matters is over the input domain.

                                      1. 1

                                        In a confidential document shared with some customers Wednesday and reviewed by The Wall Street Journal, Intel said it identified three issues in updates released over the past week for “microcode,” or firmware—software that is installed directly on the processor. The updates are separate from patches produced by operating system companies such as Microsoft Corp.

                                        Intel advises customers to “delay additional deployments of these microcode updates,” the company said in a technical advisory. “Intel will provide frequent updates.”

                                        They had more than 7 months to figure it out…

                                        1. 2

                                          https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data :

                                          The NSA has devoted substantial efforts in the last two years to work with Microsoft to ensure increased access to Skype, which has an estimated 663 million global users.

                                          One document boasts that Prism monitoring of Skype video production has roughly tripled since a new capability was added on 14 July 2012. “The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete ‘picture’,” it says.

                                          Also remember that the first thing Microsoft did after spending 8.5 billion dollars on Skype, was to replace the P2P layout with central servers (running Linux, they were probably in a rush).

                                          This news of encryption between users and Microsoft is nothing but a joke, since Microsoft collects and passes the data over to the global Stasi.

                                          1. 2

                                            Maybe this is a part of Microsoft attempting to whitewash its reputation. Like with certain efforts in bridging the gap to Linux users.

                                            Or it could be a major scam. Someone will surely look into it once the update hits.

                                            Certainly the metadata may be valuable enough either way.

                                          1. 2

                                            cogsci

                                            This has nothing to do with cognitive science. It’s about computer processing of speech and natural language.

                                            1. 1

                                              Language and speech are handled by cognitive processes.

                                              1. 2

                                                Language and speech are handled by cognitive processes.

                                                In humans, not in computers.

                                            1. 1

                                              Time to start using userspace network drivers like https://github.com/snabbco/snabb in order to reduce the number of context switches.

                                              1. 5

                                                CMake has a hidden command line argument cache that breaks user expectations like this:

                                                $ cmake -DFOO=ON
                                                $ cmake -DBAR=ON # Surprise! It actually works like "cmake -DFOO=ON -DBAR=ON".
                                                # what you should be doing instead:
                                                $ rm -f CMakeCache.txt; cmake -DBAR=ON
                                                
                                                1. 6

                                                  Don’t want overcommit? Turn it off.

                                                  me@host$ head -n3 /proc/meminfo 
                                                  MemTotal:       32815780 kB
                                                  MemFree:        13309168 kB
                                                  MemAvailable:   19461460 kB
                                                  me@host$ cat /proc/sys/vm/overcommit_memory 
                                                  0
                                                  me@host$ python -c 'import os; s = (12 << 30) * "."; print s[:3]; os.fork()'
                                                  ...
                                                  Traceback (most recent call last):
                                                    File "<string>", line 1, in <module>
                                                  OSError: [Errno 12] Cannot allocate memory
                                                  
                                                  1. 1

                                                    Don’t want overcommit? Turn it off.

                                                    Just don’t do it in production, because sooner or later you’ll come to understand why it’s the default.

                                                    1. 5

                                                      Sure, and I agree that it’s an appropriate default for most common-case systems (though there are legitimate reasons to want to disable it). My intent was basically “learn your system’s configuration options instead of griping about its defaults”.

                                                      1. 10

                                                        The issue is fork makes no-overcommit unreasonable. With a spawn model you don’t see worst-case memory usage balloon every time you start a program.

                                                  1. 14

                                                    tl;dr:

                                                    • Meltdown is easy to exploit and gives access to kernel memory and other programs’ memory from userspace. Affects Intel CPUs. There is a kernel fix that more or less doubles the cost of context switches.

                                                    • Spectre is hard to exploit and allows access to some other program’s memory. Affects all main CPU vendors who implement speculative execution. There is no fix, but some userspace mitigation should be possible, at the significant performance cost of preventing speculative execution.

                                                    1. 23

                                                      And this in the Spectre paper is horrifying:

                                                      In addition to violating process isolation boundaries using native code, Spectre attacks can also be used to violate browser sandboxing, by mounting them via portable JavaScript code. We wrote a JavaScript program that successfully reads data from the address space of the browser process running it.

                                                      This is likely an unprecedentedly huge problem for the next several decades (thinking of all the enterprise and embedded systems this affects), and the “mitigation” sections of the papers are not encouraging.

                                                      1. 4

                                                        I didn’t read about Spectre yet, but I read a paper from 2015 saying the same thing (?):

                                                        The spy in the sandbox: Practical cache attacks in javascript and their implications

                                                        So does anyone know if Spectre is worse than this?

                                                        https://scholar.google.com/scholar?cluster=1498045933646289522&hl=en&as_sdt=0,5&sciodt=0,5

                                                        We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim’s machine – to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today’s web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al. [23], allows a remote adversary recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser.

                                                        1. 9

                                                          To the best of my understanding, it builds on that work and is far, far worse.

                                                          Previously you could execute a timing attack (in JS) to observe the value of some piece of information that is being processed by the victim at the time your code runs.

                                                          My understanding is that now you can discern contents of a victim’s memory (that aren’t necessarily being touched at all by the victim) by doing something along the lines of:

                                                          • causing the CPU to speculatively execute loads that are dependent on the value of data that you’re not supposed to be permitted to read
                                                          • observing the effect of that speculated (and aborted) load on the state of the cache
                                                          • by observing the state of the cache, glean some information about what is in the memory that you aren’t supposed to be allowed to read
                                                          • because the attempt to read unreadable memory happened in a not-taken (only speculated) branch, it didn’t officially happen according to the ISA, so it doesn’t cause a segfault or anything that’d stop you carrying on with this nefarious deed

                                                          I need to read this again to be sure but I’m under the impression that Spectre is a relatively slow information leak that can be adapted to more or less any CPU with speculative execution but Meltdown is a much faster and hence practical attack that makes use of specific foibles of specific Intel chips.
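
A defender-side illustration of the mechanism described in the comment above, added here and not taken from the thread or from the Spectre paper: a bounds-checked table lookup, and the same lookup hardened with branch-free index masking so that a mispredicted bounds check cannot drive a load from an out-of-range index. The masking arithmetic follows the approach of the Linux kernel's `array_index_nospec()` helper; the names `index_mask_nospec`, `lookup_checked`, `lookup_nospec`, `HIDE_VAR` and the table contents are assumptions made for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample table; the values are arbitrary. */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3
};

/* Hide a value's range from the optimizer. Without this the compiler can
 * prove idx < TABLE_LEN after the bounds check and delete the mask. */
#if defined(__GNUC__) || defined(__clang__)
#define HIDE_VAR(v) __asm__ volatile("" : "+r"(v))
#else
#define HIDE_VAR(v) ((void)0) /* no barrier here: inspect the generated code */
#endif

/*
 * All-ones when index < size, zero otherwise, computed with arithmetic only.
 * There is no branch to mispredict, so the mask is right even on a path the
 * CPU is only speculating. Valid for size <= SIZE_MAX / 2 + 1.
 */
static size_t index_mask_nospec(size_t index, size_t size)
{
    HIDE_VAR(index);
    /* The top bit of v is clear only when index and size-1-index are both
     * small, i.e. index < size; otherwise size-1-index wraps around. */
    size_t v = index | (size - 1 - index);
    size_t in_range = (~v) >> (sizeof(size_t) * CHAR_BIT - 1); /* 1 or 0 */
    return (size_t)0 - in_range;                               /* ~0 or 0 */
}

/* Architecturally correct, but the load can still run speculatively with an
 * out-of-range idx if the branch predictor guesses "in range". */
static int lookup_checked(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    *out = table[idx];
    return 0;
}

/* Hardened form: the index is clamped by data flow, not control flow, so on
 * a mispredicted path the load can only touch table[0]. */
static int lookup_nospec(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN)
        return -1;
    idx &= index_mask_nospec(idx, TABLE_LEN);
    *out = table[idx];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    size_t probes[] = { 0, 5, 15, 16, 1000 }; /* constructed inputs */

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        size_t idx = probes[i];
        size_t clamped = idx & index_mask_nospec(idx, TABLE_LEN);
        int rc_plain = lookup_checked(idx, &v);
        int rc = lookup_nospec(idx, &v);
        printf("idx=%zu clamped=%zu checked=%d nospec=%d\n",
               idx, clamped, rc_plain, rc);
    }
    return 0;
}
```

Both functions return the same results architecturally; the difference only shows in what the CPU may load while the bounds check is still unresolved.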

                                                    1. 2

                                                      The most important Git hook is “post-update” on a remote test repository that can update the working copy after you push to it, run tests and conditionally push to a production repo.

                                                      1. 2

                                                        I use the post-receive hook to checkout, build and deploy a couple of small services on my personal server (blog, wiki, an irc bot, …). Works reasonably well and has this heroku-like feeling.

                                                      1. 2

                                                        I use a local install of MediaWiki with MariaDB and it’s much more useful than any note taking software I tried before.