1. 1

    Hey, I just sent a request to join. I’m curious what’s going to be posted.

    1. 1

      I’m thinking most jobs and people announcing availability for jobs, but I’m not a frequent LinkedIn user so whatever’s normal there is also welcome.

      ETA: Also, I’m going to automatically approve all requests at least until I start seeing professional recruiters starting to join. If your approval takes a few hours or even days, it’s because I’m running some errands today and I’m not a heavy LinkedIn user.

      1. 1

        Am starting to see recruiters trying to join now, FWIW

    1. 12

      Very misleading headline; the vulnerability actually only exists since Skylake, which came out in 2015.

      Still a very big deal tho.

      1. 16

        Thanks. I’m glad I didn’t have to say it. :)

        If you care about what’s happening, and you should, it’s really hard to actually find out and filter out all the wild speculation. It’s like there’s some food you’re not supposed to eat. Somebody says don’t eat grapes. Somebody else says don’t eat grapefruit. Not the same! So you ask why not, to figure out what’s happening, and someone says polonium is bad for your skin. Yeah, no shit, but what does that mean?

        The fact that minix wasn’t introduced until recently is one of the few practical facts in this whole saga, and it’s generally underreported. If you care about security, and you lack the means to prevent the nsa from plugging strange shit into your USB ports, sticking with broadwell may be a reasonable precaution. Does the register mention this? No, of course not.

        1. 5

          One problem is that it’s hard to tell what exactly is running on top of MINIX. For example, this article suggests that it has a full blown web server packed in https://www.networkworld.com/article/3236064/servers/minix-the-most-popular-os-in-the-world-thanks-to-intel.html

          The fact that there is an OS running on your machine that you have no access to, but that has access to everything you do is incredibly disturbing in my opinion.

          1. 5

            The fact that there is an OS running on your machine that you have no access to, but that has access to everything you do is incredibly disturbing in my opinion.

            Yes, and that makes accurate reporting and avoiding sensationalism even more important! When the actual flaws and user-hostile misfeatures are so bad, there shouldn’t be a need to exaggerate (2008 is very different from 2015) to get peoples’ attention.

            1. 1

              But if my machine can’t access this hidden OS, how can the Bad Guys? That’s what I don’t understand. Is there some special IP address to hit the embedded webserver? Some special packet you need to send?

              1. 5

                According to the conversation here AMT listens on ports 16992 and 16993 for traffic from other hosts, but it ignores all traffic from the machine itself: https://mjg59.dreamwidth.org/48429.html (This post is about a different vulnerability in AMT than the USB vulnerability in the parent article; this one can only be triggered over Ethernet.)

                1. 2

                  Naive question time: would blocking those ports at the firewall level be enough to reduce exposure?

                  1. 4

                    Only if the firewall resides on another host.

                    1. 2

                      Or go into the BIOS and turn AMT off.
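The two comments above (AMT listening on 16992/16993 for traffic from other hosts, and a firewall only helping if it sits on another host) suggest a practical check: probe the suspect machine from a *different* host and see whether the AMT web listener answers. Below is an added example, not code from any commenter or from Intel; it assumes that AMT's embedded web server announces itself in the HTTP `Server` header with the string "Intel(R) Active Management Technology" (a commonly reported banner, treated here as an assumption), and the sample response is constructed, not captured from a real machine.

```python
import socket
import ssl
import sys

# Ports named in the thread: the AMT HTTP (16992) and HTTPS (16993) management listeners.
AMT_PORTS = (16992, 16993)

# Assumption: AMT identifies itself in the Server header like
# "Intel(R) Active Management Technology <version>". Not guaranteed for every firmware.
AMT_SERVER_MARKER = "Intel(R) Active Management Technology"


def build_probe(host):
    """Minimal HTTP/1.1 request; AMT answers GET / with a logon page or a redirect."""
    return b"GET / HTTP/1.1\r\nHost: " + host.encode("ascii") + b"\r\nConnection: close\r\n\r\n"


def parse_server_header(response):
    """Return the value of the HTTP Server header from a raw response, or None."""
    head, _, _ = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def looks_like_amt(response):
    server = parse_server_header(response)
    return server is not None and AMT_SERVER_MARKER in server


def _read_banner(sock, host):
    sock.sendall(build_probe(host))
    data = b""
    while len(data) < 4096:
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data


def probe_port(host, port, timeout=3.0):
    """Connect to host:port from THIS machine. Run it from a different host than the
    one under test: per the thread, AMT ignores traffic originating on the machine itself."""
    result = {"port": port, "open": False, "server": None, "amt": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["open"] = True
            if port == 16993:
                # AMT's TLS listener usually carries a self-signed or AMT-issued cert;
                # we are fingerprinting, not trusting, so skip verification.
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    data = _read_banner(tls, host)
            else:
                data = _read_banner(raw, host)
            result["server"] = parse_server_header(data)
            result["amt"] = looks_like_amt(data)
    except (OSError, ssl.SSLError):
        pass
    return result


def probe_host(host, ports=AMT_PORTS, timeout=3.0):
    return [probe_port(host, p, timeout) for p in ports]


# Constructed sample of what an AMT listener might return; not a real capture.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Location: /logon.htm\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    # usage: python amt_probe.py <ip-of-machine-under-test>   (192.0.2.10 is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    for r in probe_host(target):
        print(r)
```

A closed or filtered 16992/16993 from another host is the result you want; an open port with the AMT banner means the management engine is reachable from the network regardless of what the host OS firewall says, and disabling AMT in the BIOS (as the reply above suggests) or filtering it upstream is the fix.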

                  2. 3

                    “You ever face certain death?”

                    “If it was so certain, I wouldn’t be here, would I?”

            1. 1

              AFAIK it should be [native looking] not [native]. There are two meanings of native. First is that code is compiled to binary native to the CPU - Dart is not compiled. Second is that it uses native controls for look and feel - Flutter draws everything itself. The second meaning in this context is more useful. It may look native, but every system update requires work to make it look native again. Not saying that it can always be slightly off, especially in the feel department.

              React Native uses native controls, so they have somewhat overlapping use cases, but one can do what other cannot.

              Also what’s with the AI tag?

              1. 4

                As far as I understand it, Dart is indeed compiled — see here under “how does Flutter run my code on Android?” and the related iOS entry at https://flutter.io/faq/. I think it’s fair to label this “native”, even though it doesn’t use the OS’s native UI controls.

                1. 2

                  Thanks I stand corrected.

                2. 1

                  iOS still forbids JITs and interpreters (except builtin javascript) so it should be AOT compiled if it targets iOS.

                  When talking about UIs, “native” usually means “uses OS-native widgets”. For example, react-native is usually considered “native” because it uses such widgets despite using javascript for UI logic. GTK is not native on Windows but native on the Gnome desktop. I don’t understand the obsession with AOTing UI glue code on mobile devices (especially iOS).

                  1. 1

                    Interpreters are allowed on iOS, but only for code included with the package or user created.

                    It’s more an obsession for AOTing everything, because most code bases are mostly homogenous. So for example the computation heavy code will be written in the same language as the UI glue code. For better or worse.

                  2. 1

                    Also what’s with the AI tag?

                    Fat fingers at my end, looking for an android tag when posting from a mobile. Apols

                  1. 3

                    The exploit author Patrick W also makes an interesting bunch of OSX / MacOS security tools outside of his current employment, if you weren’t aware: www.objective-see.com

                    1. 2

                      He also has a Patreon which I’m really happy to contribute to - I’ve got several of his apps installed and they do a great job of doing things like pointing out any changes to any of the locations/systems (launchd) which can be used to start malware persistently. His new LuLu firewall looks really nice, but is probably a bit too alpha for me at this stage.

                    1. 2

                      I’ve done the first three available courses in this and it’s been really good.

                      The first course is a bit like “Make Your Own Neural Network” (https://www.amazon.com/Make-Your-Own-Neural-Network-ebook/dp/B01EER4Z4G) where a neural network is coded from scratch. The second course goes through some optimisations to speed things up and improve accuracy. Some basic Tensorflow is introduced. The third course is really short and focusses on structuring training/dev/test data sets.

                      The Python bits are done in Jupyter notebooks which Coursera host themselves, so you don’t need to setup anything locally.

                      The remaining two courses will be available in October and November.

                      1. 1

                        That’s v interesting to hear. I was thinking I’d have to do the next session as I can’t start on anything till 1 Oct but maybe I can catch up. How close are the estimated times to the reality?

                        1. 2

                          Accurate enough. You can start and switch sessions later if you need to pause and catch up.

                      1. 4

                        I’m not a massive fan of SPAs (they’re still easy to make horrible), but note that this is from the start of 2016, not three-quarters of the way through 2017. The picture has improved, IMO

                        1. 4

                          I get distracted by websites like reddit a lot, so I blocked it and a ton of other sites in my HOSTS file.

                          1. 1

                            I’ve found the gamified angle of Forest (particularly its Chrome extension) has helped me a lot in terms of blocking sites and not just unflipping the switch to visit them again

                          1. 14

                            Some of the other things you get!

                            1. 4

                              I recently found the statistics module and was grateful to not have to roll my own stddev.

                              1. 1

                                Yesterday I found the secrets module, did a little dance, then realised it’s not in py2.7. Dancing stopped, because the project I was working on is mid-port to py3, so needs to support both for now
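The comment above describes the common trap of a code base mid-port between 2.7 and 3: `secrets` is 3.6+ only, and the tempting 2.7 fallback is the `random` module, which is not a CSPRNG. As an added example (not the commenter's code), here is a small shim that uses `secrets` where available and otherwise falls back to `os.urandom` and `random.SystemRandom`, both of which draw from the OS CSPRNG on 2.7 and 3; the function names mirror the `secrets` API but are this example's own.

```python
import base64
import binascii
import os
import random

try:
    import secrets  # Python 3.6+
except ImportError:  # Python 2.7 (and 3.0-3.5): no secrets module
    secrets = None

# SystemRandom reads from os.urandom, so it is acceptable for security use
# on both interpreters; plain random.random()/randrange() is NOT.
_sysrand = random.SystemRandom()


def token_bytes(nbytes=32):
    """Random bytes from the OS CSPRNG on any supported interpreter."""
    if secrets is not None:
        return secrets.token_bytes(nbytes)
    return os.urandom(nbytes)


def token_hex(nbytes=32):
    """Hex string of 2*nbytes characters, same shape as secrets.token_hex."""
    return binascii.hexlify(token_bytes(nbytes)).decode("ascii")


def token_urlsafe(nbytes=32):
    """URL-safe base64 without padding, same shape as secrets.token_urlsafe."""
    return base64.urlsafe_b64encode(token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def randbelow(n):
    """Uniform integer in [0, n) from the CSPRNG, same contract as secrets.randbelow."""
    if n <= 0:
        raise ValueError("n must be positive")
    if secrets is not None:
        return secrets.randbelow(n)
    return _sysrand.randrange(n)


def choice(seq):
    """CSPRNG-backed choice, e.g. for building passwords from an alphabet."""
    if not seq:
        raise IndexError("cannot choose from an empty sequence")
    return seq[randbelow(len(seq))]


if __name__ == "__main__":
    print("session token:", token_urlsafe(32))
    print("api key hex  :", token_hex(16))
```

When the port is finished, the shim collapses to `from secrets import token_bytes, token_hex, token_urlsafe, randbelow, choice`; until then it keeps the 2.7 path on the same entropy source as the 3.x one.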

                              2. 2

                                There’s definitely mocking in Python 2 - is anything different about the Python 3 one?

                                1. 3

                                  I’m not sure about functionality differences, but it’s part of the standard library in Python 3.

                              1. 30

                                Do not attempt to compete with Pinboard. —maciej on June 01, 2017

                                Gotta give the man credit for a healthy ego :) Pinboard does rock though. Been a happy user for years.

                                (Though I’m still waiting for my ‘Fetch Title’ button on the web UI :) )

                                1. 12

                                  Maybe I’m giving Maciej too much credit, but my reading of that was that he wrote it with his tongue firmly in his cheek. :o)

                                  1. 5

                                    Oh absolutely! I think Maciej should get all the credit in the world :)

                                    Honestly, things like Pinboard are niche services mostly for us uber-geeks and others who care enough to want to wrangle huge bodies of articles and maintain essentially random access to all of it.

                                  2. 5

                                    That date sure helped. For an entire minute, this blog post sounded like something you’d post on April 01.

                                    1. 1

                                      I don’t know the guy, so I have to say, when I first read the post, this particular sentence caught my attention!

                                    1. 3

                                      Note the first paragraph, which I’m paraphrasing here:

                                      “UPDATE: The story which follows was rushed to press before the facts were known and is wrong. The headline was clickbait speculation from the outset.”

                                      1. 2

                                        Dammit. Thanks for the clarification!

                                        1. 10

                                          In terms of ‘Would it be viable to host in Canada?’ this is interesting on its own:

                                          The first set of metrics are to other Canadian cities:

                                          9 ms to Toronto. 14 ms to Ottawa. 47 ms to Calgary. 49 ms to Edmonton. 60 ms to Vancouver.

                                          The second set are to locations in the US:

                                          9 ms to New York. 19 ms to Chicago. 16 ms to US East (Northern Virginia). 27 ms to US East (Ohio). 75 ms to US West (Oregon).

                                          But there’s also this:

                                          AWS data centers in Canada draw power from a grid that generates 99% of its electricity using hydropower

                                          I think that’s fantastic.

                                          1. 1

                                            Finally, finally ring-fencing time for the Stanford/Andrew Ng Machine Learning course on Coursera. I wonder how far I’ll get before reality gets in my way…

                                            1. 2

                                              I’m learning that even simple physical products (rather than a SaaS thing) bring a world of complexity. I thought http://www.programmingposters.com would be a nice, simple ‘make quality things that people want’ side project which would tick along easily with a minimal static site and a Shopify backend. WRONG! Even though I have a print background (long ago), I’d never had to deal with the mixed quality of printer results (therefore reprints, delays), the cost of defects and damage, the need to pre-buy and hold actual stock, shipping physical objects safely, etc.

                                              It’s taking a surprising amount of headspace, but it is still fun – and I’m trying to stay in the ‘this is all useful learning’ mood, which is helping a lot.

                                              Which is also a long way of saying “I should be doing more Elixir for fun, but keep running out of time” ;o)

                                              1. 1

                                                Seems sensible. There’s a reference to merged commits that should not be released, which I think is nuts. I like to keep a master branch releasable at all times; if something’s in there it needs to be ready to see the light of day.

                                                1. 1

                                                  Agreed - master should always be production ready (i.e., suitable for continuous delivery) even if you don’t do continuous deployment

                                                1. 2

                                                  Enjoying a moment of ‘play’ time with my current client, working on using Docker to do a map-reduce-alike on our Django test suite, so that we can run lots of tests in parallel. (At the moment, the entire suite takes 20mins to run…)

                                                  1. 3

                                                    This week is another week of working front-end rebuild of a client’s webapp - the interesting thing about it is that we’re using SUIT CSS as the base framework, plus a design system of signed-off HTML+CSS+JS components to make it far more of a ‘lego-blocks’ approach. So far, it’s proving excellent - I heartily recommend you check out SUIT CSS’s design principles: https://github.com/suitcss/suit/blob/master/doc/design-principles.md

                                                    1. 2

                                                      I built a tiny library for making social network widgets (mainly Like/Share buttons with counters for facebook, linkedin, pinterest, github, gittip…), pulling the data straight from the source over AJAX with CORS and JSONP. This avoids loading all the crap the regular widgets shove down your pipe.

                                                      Been trying to come up with a name for it…

                                                      1. 1

                                                        “low-pro-so”

                                                        1. 2

                                                          This looks interesting, although one thing that may be relevant to note is that it is written in context of a dev living in the UK. Looks like the business entities chapters are specific to that area. I also think that some of the content may be more relevant for developers in the UK and possibly Europe more than the US. Not that the content isn’t general enough I just think there is cultural business, billing, and probably a handful of other practices that may be a bit less relevant for US readers.

                                                          That said, I think the post is perfectly appropriate, it may be helpful for some to note the geography in which you are practicing business, UK, global or otherwise.

                                                          1. 1

                                                            Hi bobbywilson – thanks for the vote of support. I didn’t want to be spamming lobste.rs

                                                            You’re right, some bits are definitely UK-specific, but they’re also the parts which can be easily ‘localised’ by contacting a tax office, accountant or govt biz support department wherever you are. There’s still heaps in the book that’s about making freelance work for you wherever you are.

                                                            I had planned to refactor the UK specific stuff into an appendix, based on feedback from readers (730+ at the mo), but people aren’t currently asking for that, so it’s been moved down the backlog.