1. 1

    I find it very surprising that esbuild, written in Go, is faster than swc, written in Rust. This is one of the main arguments behind the “rewrite everything in Rust” wave we are having.

    1. 4

      It is possible for an O(n) implementation in Python to outperform an O(n^2) implementation in C. To me, a Go program being faster than a Rust program at a similar task is not surprising. The program with better data oriented design will come out ahead. I view the RIIR brigade as mostly about safety, anyways.

      Edit: here’s the esbuild FAQ answer for “why is it fast?”, https://esbuild.github.io/faq/#why-is-esbuild-fast

      1. 1

        It seems to me that esbuild is less configurable, but it’s important to keep in mind that the RIIR argument holds insofar as that swc is comparing itself to babel, not esbuild just yet.

      1. 2

        I have been messing up with a Raspberry Pi and open media vault for a couple of days and I am planning to continue doing that :)

        1. 2

          It is not, but it is clearly declining in usage even in places deeply involved with it. It is a pity, because modern Perl code can be very elegant :(

          1. 6

            It can be elegant, but to me the best value of Perl is in writing utility scripts, too awkward for shell.

            I generally prefer to write small things in Perl… but I would prefer to read other people’s work in Python.

          1. 10

            I do not recall the old MacBook Pro price, but ~$2000 for the base model is breaking a mental barrier.

            1. 4

              IIRC 1799$ for prev “high-end” model.

              1. 4

                When was this?

                This is the 15” from 2016 I’m using now:

                15-inch MacBook Pro - Space Gray

                $2,599.00 [USD]

                With the following configuration:

                • 2.6GHz quad-core Intel Core i7 processor, Turbo Boost up to 3.5GHz
                • 16GB 2133MHz memory
                • 512GB PCIe-based SSD
                • Radeon Pro 450 with 2GB memory

                1. 2

                  So the new base model is more expensive than the previous “high-end” model. That’s an outrageous increase.

                  1. 3

                    Except the MBP line had two “base” Pro configs - the low end one (2 ports, optional touchbar, now M1 based), and the high end one (which could be specced with a dGPU before, 4 ports). There was a significant price difference between the two. This replaces that latter one. I think it’s pretty confusing how they have a barely-Pro Pro model now, but I’m assuming it’s vestigial and will get replaced or killed off.

              1. 2

                I have a pull request opened for the asdf package manager that requires some attention, so time to fix it and hopefully it will get merged.

                1. 1

                  good luck!

                1. 18

                  Neat idea. I’m not sure this is a captcha, but rather just a rate limiter.

                  1. 13

                    So much this. A proof-of-work scheme will up the ante, but not the way you think. People need to be able to do the work on the cheap (unless you want to put mobile users at a significant disadvantage) and malware/spammers can outscale you significantly.

                    Ever heard of parasitic computing? TLDR: It’s what kickstarted Monero. Any website (or an ad in that website) can run arbitrary code on the device of every visitor. You can even shard the work, do it relatively low-profile if you have the scale. Even if pre-computing is hard, with ad networks and live-action during page views an attacker can get challenges solved just-in-time.

                    1. 9

                      The way I look at it, it’s meant to defeat crawlers and spam bots; they attempt to cover the whole internet, they want to spend 99% of their time parsing and/or spamming, but if this got popular enough to prompt bot authors to take the time to actually implement WASM/WebWorkers or a custom Scrypt shim for it, they might still end up spending 99% of their time hashing instead.

                      Something tells me they will probably give up and start knocking on the next door down the lane. And if I can force bot authors to invest in a $1M USD+ /year black hat “distributed computing” project so they can more effectively spam Cialis and Michael Kors Handbags ads, maybe that’s a good thing? I never made $1M a year in my life, probably never will, I would be glad to be able to generate that much value tho.

                      If it comes down to a targeted attack on a specific site, captchas can already be defeated by captcha farm services or various other exploits (https://twitter.com/FGRibreau/status/1080810518493966337). Defeating that kind of targeted attack is a whole different problem domain.

                      This is just an alternate approach to put the thumb screws on the bot authors in a different way, without requiring the user to read, stop and think, submit to surveillance, or even click on anything.

                      1. 9

                        This sounds very much like greytrapping. I first saw this in OpenBSD’s spamd: the first time you got an SMTP connection from an IP address, it would reply with a TCP window size of 1, one byte per second, with a temporary failure error message. The process doing this reply consumed almost no resources. If the connecting application tried again in a sensible amount of time then it would be allowed to talk to the real mail server.

                        When this was first introduced, it blocked around 95% of spam. Spammers were using single-threaded processes to send mail and so it also tied each one up for a minute or so, reducing the total amount of spam in the world. Then two things happened. The first was that spammers moved to non-blocking spam-sending things so that their sending load was as small as the server’s. The second was that they started retrying failed addresses. These days, greytrapping does almost nothing.

                        The problem with any proof-of-work CAPTCHA system is that it’s asymmetric. CPU time on botnets is vastly cheaper than CPU time purchased legitimately. Last time I looked, it was a few cents per compromised machine and then as many cycles as you can spend before you get caught and the victim removes your malware. A machine in a botnet (especially one with an otherwise-idle GPU) can do a lot of hash calculations or whatever in the background.

                        > Something tells me they will probably give up and start knocking on the next door down the lane. And if I can force bot authors to invest in a $1M USD+ /year black hat “distributed computing” project so they can more effectively spam Cialis and Michael Kors Handbags ads, maybe that’s a good thing?

                        It’s a lot less than $1M/year that they spend. All you’re really doing is pushing up the electricity consumption of folks with compromised computers. You’re also pushing up the energy consumption of legitimate users as well. It’s pretty easy to show that this will result in a net increase in greenhouse gas emissions, it’s much harder to show that it will result in a net decrease in spam.

                        1. 2

                          > These days, greytrapping does almost nothing.

                          postgrey easily kills at least half the SPAM coming to my box and saves me tonnes of CPU time

                          1. 1

                            > The problem with any proof-of-work CAPTCHA system is that it’s asymmetric. [botnets hash at least 1000x faster than the legitimate user]

                            Asymmetry is also the reason why it does work! Users probably have at least 1000x more patience than a typical spambot.

                            I have no idea what the numbers shake out to / which is the dominant factor, and I don’t really care; the point is that I can still make the spammers’ lives hell & get the results I want right now (humans only past this point) even though I’m not willing to let Google/CloudFlare fingerprint all my users.

                            If botnets solving captchas ever becomes a problem, wouldn’t that be kind of a good sign? It would mean the centralized “big tech” panopticons are losing traction. Folks are moving to a more distributed internet again. I’d be happy to step into that world and work forward from there 😊.

                          2. 5

                            > captchas can already be defeated by […] or various other exploits (https://twitter.com/FGRibreau/status/1080810518493966337)

                            An earlier version of Google’s captcha was automated in a similar fashion: they scraped the images and did a Google reverse image search on them!

                            1. 3

                              I can’t find a link to a reference, but I recall a conversation with my advisor in grad school about the idea of “postage” on email where for each message sent to a server a proof of work would need to be done. Similar idea of reducing spam. It might be something in the literature worth looking into.

                              1. 3

                                There’s Hashcash, but there are probably other systems as well. The idea is that you add an X-Hashcash header with a comparatively expensive hash of the content and some headers, making bulk emails computationally expensive.

                                It never really caught on; I used it for a while years ago, but I’ve never received an email with this header since 2007 (I just checked). It seems used in Bitcoin nowadays according to the Wikipedia page, but it started out as an email thing. Kind of ironic really.
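
A Hashcash-style challenge of the kind this thread discusses, as an added example that is not part of any comment above and is not the real X-Hashcash stamp format: it uses SHA-256, a constructed server key and hypothetical function names. The solver pays about 2**bits hashes while the server pays one HMAC and one hash, and the expiry, client-binding and single-use checks limit precomputed or replayed solutions.

```python
import hashlib
import hmac
import os

SERVER_KEY = b"constructed-demo-key"  # constructed value; use a random secret in practice

def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the Hashcash-style difficulty measure)."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def issue_challenge(client_id: str, bits: int, now: int) -> str:
    """Stateless challenge: the HMAC tag lets the server check it without storing it."""
    body = f"{bits}:{now}:{os.urandom(8).hex()}:{client_id}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{tag}:{body}"

def solve(challenge: str) -> int:
    """Client side: brute-force a counter, about 2**bits hashes on average."""
    bits = int(challenge.split(":")[1])
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter

def verify(challenge: str, counter: int, client_id: str, now: int,
           seen: set, max_age: int = 120) -> bool:
    """Server side: one HMAC and one hash, whatever the difficulty."""
    try:
        tag, body = challenge.split(":", 1)
        bits, issued, _nonce, cid = body.split(":", 3)
        bits, issued = int(bits), int(issued)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # forged or altered challenge, e.g. a lowered difficulty
    # Reject challenges bound to another client, stale (precomputed) or already used.
    if cid != client_id or not 0 <= now - issued <= max_age or challenge in seen:
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False
    seen.add(challenge)
    return True
```

The difficulty only sets the price per request; it makes no claim that the solver is human, which is the rate-limiter point made earlier in the thread.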

                                1. 1

                                  “Internet Mail 2000” from Daniel J. Bernstein? https://en.m.wikipedia.org/wiki/Internet_Mail_2000

                              2. 2

                                That is why we can’t have nice things… It is really heartbreaking how almost every technological advance can and will be turned into something evil.

                                1. 1

                                  The downsides of a global economy for everything :-(

                              3. 3

                                Captchas are essentially rate limiters too, given enough determination from abusers.

                                1. 4

                                  Maybe. The difference I would make is that a captcha attempts to assert that the user is human where this scheme does not.

                                  1. 2

                                    I mean, objectively, yes. But, since spammers are automating passing the “human test” captchas, what is the value of that assertion? Our “human test” captchas come at the cost of impeding actual humans, and are failing to protect us from the sophisticated spammers, anyway. This proposed solution is better for humans, and will still prevent less sophisticated attackers.

                                    If it can keep me from being frustrated that there are 4 pixels on the top left tile that happen to actually be part of the traffic light then by all means, sign me the hell up!

                              1. 4

                                I am so happy for this release. I feel that age is the sensible way of using encryption nowadays. I also admire how they didn’t rush for a version 1, but when the moment arrived, they finally made the final step.

                                1. 8

                                  Alternatively, one can use a static named directory. It has the advantage of being expanded at any place, so it works with any command, not just with cd.

                                  1. 1

                                    Is this approach zsh only?

                                    1. 2

                                      Yes. AFAIK, bash does not have this.

                                    2. 1

                                      Wow! I had no idea such a thing existed. Definitely it looks like a more complete solution than mine, although also more complex. Still good to learn something new :)

                                      1. 1

                                        I also like the words of wisdom that you can just use shell variables.

                                        https://vincent.bernat.ch/en/blog/2015-zsh-directory-bookmarks#fn-variables

                                        You only lose the prompt expansion.