Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

Local councils struggle with ill-fitting software despite spending billions with suppliers

doublelayer Silver badge

Re: Problems and solutions not welcome

I do, and it's a problem, but I also see the opposite which is also a problem. For example, having a computer take a paper form and transfer it between different mailboxes, just like the original paper forms did. You could probably do things a lot more efficiently by having the computer read the form and use the contained information to decide how to direct it, but the original process says that Dave does that, so we just send everything to Dave and wait for him to send them. If we automated that part of the job, Dave could probably do a lot more of the tasks that actually require some thinking, but by not touching the process, we're not saving the time we could. The best approach is to frequently consider changing the process, and keep in mind all available tools when you do, but only actually change it when the change will or is believed to make a real improvement, then check whether it has. That's a lot more work than assuming that someone, whether it's the software writers or the people running the original process, will be much better if only the other group conforms exactly to what they want to do, so people don't always want to do it.

doublelayer Silver badge

Re: Problems and solutions not welcome

A lot of those customized machines are really just customized machines with wheels. The casing and the engine may be trucklike, but the important part that makes them different are the machines in the middle. There's a reason why you don't just buy a harvester and plop it on a truck.

Their point was that, when you want a vehicle to move something, you often choose between the general purpose options on offer rather than trying to make a custom one. If you succeed, the custom one might be a bit more efficient and maintainable, but it will be more expensive because it's only customized for you and you will have waited a long time for it to come around. Unless you need something that the general purpose options don't do, you will probably be better off with one of those instead. At times, it might be necessary to change a process so that you don't have to spend a lot of resources making tools that are otherwise useless.

doublelayer Silver badge

Re: Problems and solutions not welcome

Those companies mainly exist because they have the ability to provide something based on a design that sort of looks acceptable and technically isn't broken, then charge for each change so that it actually becomes a little useful. Their business is based on those who need the software not being able to plan out exactly what they need and describe it accurately enough that they get what they need, and from having frequent enough changes that there's always someone around who needs them to build a new one. Some of the tools they have could be handy, but they'll still need to design something that's likely to do a lot of things for a long time, which current projects sometimes say they're doing but don't always accomplish because the design doesn't allow for it and neither the seller nor the buyer makes sure it happens.

Malicious xz backdoor reveals fragility of open source

doublelayer Silver badge

Re: “… reveals fragility of open source”

They mean that it wouldn't be discovered, since both of those are instances where poison code was added to the binaries produced by those companies. I don't think they're correct about that, because the exploits in both of them were eventually discovered, though after they were released and caused havoc. Proprietary software is no guarantee that poison code won't get in, and open source code is no guarantee that poison code will be noticed before it is released. Viewing either as certainly better almost guarantees that you're not thinking the way you need to in order to prevent it from happening.

doublelayer Silver badge

Re: Run linux they said...

I think you're both wrong. They're wrong when they claim that easy modification makes open source worse. You're wrong when you say this:

"Oh please. Ever hear of Hex-Rays and similar tools? Any person or team with the level of skill needed to pull this off could just as easily change a small bit of assembler in some commercial binary and try to poison the well, in fact it would probably be easier since white hats in general aren't decompiling gigabytes of commercial binaries on a regular basis."

No, that wouldn't be enough. That gets your exploit in. It is not as easy as putting it in as source code, but you can definitely do it. Now you have a poisoned binary and you do what with it? Unless you somehow manage to replace the canonical one with yours, it's not getting installed everywhere. I can make a poisoned version of Windows, but if I can't put it on Microsoft's servers, it's not getting installed for the general public. This attack had the chance of working because and only because they got their backdoor into the canonical version of the xz source, the one that gets compiled and put into repositories. Putting it into a fork and then waiting for someone to install that fork would do very little. Doing the same to proprietary software isn't any more effective.

doublelayer Silver badge

Re: Would This Have Been Caught Sooner In Proprietary Software?

"No problem in this case. It was a well organised long term con."

Yes, sort of, but it was an organized one on a small tool like XZ. The attacker wasn't writing code full time to do that. They could spend a bit of time writing something useful on occasion to keep their name in everyone's head as someone who knows what they're doing while spending more time on other things. Working at a company takes more time and thus makes an attack more expensive. You also can't divide effort. Jia Tan could have been a bunch of people. One wrote some modifications, one just worked on the malware, one did the pressure campaign, and they just used the same set of GitHub accounts. You can't do that as an employee of a company because your accomplices don't have access to the internal code and giving it to them is a detectable crime which businesses already try to prevent. Not so expensive that you can't do it, but it reduces the number of attempts.

"Are you implying some sort of QA? That's what Microsoft's customers are for."

I don't think they were implying that. If you're writing code on a team with a lot of people, you have a lot of code reviews and a lot of changes. It makes it harder to slip something in than if you only have to slip it past one person. This is especially the case if you insert your backdoor and I, your colleague, have a feature change to the same area and end up breaking your backdoor while merging your feature with mine.

The main reason why it's hard is that you don't get to choose your project as closely when you're working for a company. If you get a job at Apple, maybe you end up working on some part of Safari, the iMessage or Facetime protocols, or some core OS component. You can probably put a backdoor in those. Maybe you end up working on the new headline feature they're going to announce next conference: yet another emoji thing that's not actual emoji, the sixth version now. Have fun doing anything malicious when you're writing code for a feature nobody ever uses. It's probably possible, but you don't get to pick a target and specifically add code to that, whereas targeting XZ is as simple as finding where the source for that is and sending a pull request.

404 Day celebrates the internet's most infamous no-show

doublelayer Silver badge

I think it's meant to sound like what you might say if you were searching a physical location. For example, I looked under the bed for the page, but I only found the phone someone dropped there.

doublelayer Silver badge

Re: It's worse than you could imagine....

It's efficient for programming time, so implementations can be made quickly. The same reason why we use text-based formats like XML or JSON frequently rather than making a custom binary format. Sure, an HTTP response code could look like "\x02\x04" (one byte for version number, one byte for status code), but that wouldn't do all that much for efficiency and makes the protocol harder to extend. It also has little to do with datagrams. If you use UDP for the protocol, you still have to encode the protocol data somehow. UDP can't send a single page as a packet in most cases, and it shouldn't be expected to. Somehow, HTTP has been a viable transmission mechanism for a long time. As we increase network speeds, the overhead from the protocol becomes less and less important, yet a small device with little memory and a slow connection can implement and use HTTP well enough as well. Leave even more efficient protocols to places where you need them.

Iowa sysadmin pleads guilty to 33-year identity theft of former coworker

doublelayer Silver badge

They use a few methods to guess how likely you are to be able to pay it back, and you can quite easily get a credit card while having a lot of debt, especially if that is typically large types of debt like mortgages. Cautious banks may start someone with a lot of debt with a low limit and increase it. People are most likely to be rejected if they have no history with the identity or if they have previously failed to pay a debt. If you have borrowed tons of money but never missed a payment, they usually don't mind giving you some more. Even if you have missed a payment, if it was long enough ago, they may still accept you. They're in the business of lending out money, and sometimes it goes badly for them, but they lend to so many people that they can lose some of it without trouble.

doublelayer Silver badge

This is why I assume they're asking a religious question, not a legal one. The legal answer in many countries is that the marriage can be dissolved. Whether it happens automatically, requires an annulment form, or if you actually have to go through the divorce process probably varies from place to place, but the union does not need to continue. I think they are asking based on religious authorities that do not acknowledge a divorce as legitimate, and there are a lot of them who do everything differently and their reasons for what counts and what doesn't are based on subjective interpretations of religious texts, so I don't think you'll find consensus between their opinions.

doublelayer Silver badge

The social security card isn't as obviously acceptable as you say:

The card on which an SSN is issued is still not suitable for primary identification as it has no photograph, no physical description, and no birth date. All it does is confirm that a particular number has been issued to a particular name. Instead, a driver's license or state ID card is used as an identification for adults.

Nothing associates a card with its true owner. He did also have an ID with a picture, but of a type that can be faked or obtained fraudulently (by providing documents without pictures). The other person using the same name almost certainly also had an ID card with the same information and his picture on it. So they can't assume that someone with a card with the correct SSN and an ID with the person's picture means the presenter controls this account. If you're the only person presenting them, they'll probably accept them. If you're presenting them while someone else, also with documents, says you're lying, they'll either require more or bring in the police to determine which of you is the true one, since law enforcement can validate documents with more accuracy than can a bank.

doublelayer Silver badge

I can pretty much guarantee that nobody knows. If you ask enough people, you will get every possible answer. Each of those answers can be backed by some kind of reference to religious text if you want. People with one view who strongly object to the other view will say that the other guy's reference is misinterpreted, assuming you get them to make an argument instead of just shouting.

doublelayer Silver badge

Re: geniuses everywhere you look

There are certainly reasons that might have happened with the person coming in being a criminal. The easy example is multiple holders of a single identity. If two people buy the same fake identity from a criminal who stole it, they may end up in an identity theft collision. Person A goes to take out the debt, person B hasn't gotten to that stage yet and is still pretending to be the person, all while the actual owner of that identity isn't doing any of the things that person A or B are doing. A bank could have decided that this was what happened in this case. This situation wasn't that, but there is a method by which a similar set of circumstances could arise.

doublelayer Silver badge

Re: Why did he do it ?

"Something seriously wrong with USA .... this and the recent monkey torture story :("

Why is a country being blamed for a single criminal? Maybe, if I'm being generous, you could say that there is something wrong with the California police system which failed to unravel the crime*, but that wouldn't be the whole country either.

* Not knowing many details, I'm inclined not to blame them too much. With an identity theft going on for three decades, including lots of documentation, it would be hard to prove who is correct from documentation alone. If one person has a full set of documentation for an identity and another one has a partial set, one of them has clearly stolen the set. Governments are likely to believe the one with the full set who has been working under that identity for seven years at the time because that is not typical for an identity thief. This may be a reason to treat all identity theft cases with more scrutiny, maybe getting DNA testing involved in all cases of identity confusion, but that has its own potential downsides.

doublelayer Silver badge

Re: Why did he do it ?

The first bit appears to be the typical identity theft playbook: steal someone's identity, earn some money on that identity to establish a history, borrow money, don't pay it back, if questioned, tell them it's not you. The normal method is that, once you've stolen money that way, you burn that identity and either stop committing crimes or go get another one. I'm not really sure why he kept doing things under the second identity. My only theory, and one I haven't researched, is that he may have polluted his own identity, for example getting arrested, at some point and used this as a backup.

Software engineer helped put Sam Bankman-Fried behind bars, say prosecutors

doublelayer Silver badge

Re: And yet

No, not a classic Ponzi scheme. FTX was, although it was more of a classic "I stole your money and spent it". But cryptocurrency, while there are a lot of problems with it in general, is not, nor is the description to which you replied describing a Ponzi scheme. A zero-sum environment does not make a Ponzi scheme. It makes something where there are winners and losers, not just winners. A lot of investment either is or looks like this environment, and investing properly often involves trying to find something that escapes it, hence the focus on growth when valuing companies.

The difference is important. If you dismiss everything related to cryptocurrency as a Ponzi scheme, it makes it sound as if you understand neither cryptocurrency nor Ponzi schemes. When something like FTX comes along which actually is a Ponzi scheme, people won't believe those who call them out because they've become used to people describing things incorrectly. There are ways to express a general or total contempt and distrust of cryptocurrency without being inaccurate. Others will benefit if you use them.

How HashiCorp's license shakeup seeded a new open source rebel

doublelayer Silver badge

Re: The Hyperscalers are forcing this

Of course. Who can forget evil AWS taking all of Terraform to -- sorry, what, they use CloudFormation instead and want people to use that, grudgingly accepting Terraform? I meant it's evil Microsoft with their -- they have one too? Well, where's my evil company I can point at and say that everything is your fault? The people who ignore all of open source in the search for money? I think the best candidate in this situation is... HashiCorp. They're the ones that took the work of contributors, without paying them, and incorporated it in a version that they sell for money, then blocked those contributors from using their own code* if they competed with HashiCorp, as determined by HashiCorp's lawyers.

* Unless they forked before the license change, which effectively means using OpenTofu because they don't want to maintain a ton of forks.

Uber Eats to rid itself of pesky human drivers with food delivery by robo Waymo

doublelayer Silver badge

Re: Much more efficient

The same logic could be applied to any technology. Spending millions so a chunk of metal that fails all the time when the vacuum tubes break can add up numbers, when we have banks of computers (people who perform calculations on paper) that can add just fine. Every technology can look unnecessary if you only consider its first application. Only by considering the capabilities available in the long term can you distinguish between those that are truly unnecessary and ones that may prove revolutionary.

I think you already know what the theoretical possibilities of advanced automated road travel are. We could have lots of discussion over whether this can be made safe or economical, or if they will ever be accepted by the public, or whether they will prove to be useful alternatives to automated fixed-route transportation, but I don't think we will get anywhere if we assume that the only thing they'll do is deliver lunch.

doublelayer Silver badge

Re: I hope you know up front that's how your food is delivered

The article did cover both questions: the app lets you opt out and, if there is an automated delivery, they don't take the tip. It's true that you have to go out to retrieve the delivery, and the points raised by others about those with disabilities that make that difficult are valid problems with the idea. I have a feeling a lot of people who don't have those concerns won't have a problem with that and may approve if the deliveries are cheaper, especially in a city like Phoenix whose unpleasant weather is usually just it being really hot, where a few seconds outside probably isn't too bad.

Polish officials may face criminal charges in Pegasus spyware probe

doublelayer Silver badge

Re: in 99 percent it was used against criminals

What is your distinction here? If they are correct that the countries buying it are largely using it for oppression, not normal law enforcement of criminals, then they have a point they can argue. If you're alleging that the tool is primarily used for more obvious criminal cases and the public cases are unusual abuses, I'd like to see your reasoning for why you think that's the case. Just calling it a "law enforcement tool" proves nothing about what it is or how legitimate its uses can be. I could call a torture machine a "law enforcement tool", but it wouldn't make it legitimate to use on anyone even if I did only sell it to police.

doublelayer Silver badge

Re: And if any non USA backed state developed this...

Yes, it's definitely the USA's fault. That's why the US sanctioned them in 2021. I'm sure that's a long con of some sort.

Ex-White House CIO tells The Reg: TikTok ban may be diplomatic disaster

doublelayer Silver badge

"So a foreign company operating in China chooses whether to share the tech."

Sure, in the same way that if I'm your boss and I skim some money off your wages, you choose whether to let me do that or choose to not have a job. Not a free choice by any means. That's the stupid logic that makes this unjust law sound reasonable, after all, ByteDance only has to choose whether to give up their service at a hefty deadline discount or to cease operating in a good market, they get to decide when and how they do one of those things. Neither is a choice anyone makes unless they are required to.

doublelayer Silver badge

That might work for Facebook, but not so much for ISPs or phone store providers. I think the requirements are easy enough for Apple and Google. TikTok comes out of their stores immediately and that's basically it. However, maybe they need to consider whether the government will want them to actively remove the app from people who already have it and whether they're willing to take that action and how they'll do it without annoying users too much.

ISPs have a trickier situation to consider if the article's theories about mandated connection blocks prove true. This seems extreme to me, but I think there's a chance that the ban is simply overturned by a court, so if I'm wrong, anything could happen.

No joke: FTC boss goes on the Daily Show and is told Apple tried to block her

doublelayer Silver badge

Re: Exit objectivity

Maybe he assumed that someone at Apple would at least try looking at his previous work. I am not very familiar with his previous work, but it sounds like he was interviewing similar people and coming to conclusions that weren't in line with the sponsors regularly. Perhaps he assumed that Apple wouldn't hire someone like that if they wanted to control him more tightly, because it's obviously not a good fit. Just like Musk hiring someone who didn't agree not to ask the interview questions like "aren't you having trouble getting advertiser revenue after you yelled at all the advertisers", they may not have paid attention to who they were hiring.

doublelayer Silver badge

Re: USA Free Market

It was kind of both. The taxation issue certainly got a lot of people angry, to judge from how much is written about it, but they were also influenced by ideas about political philosophy which originated from people who had no taxation-based complaints against the British government. Had they somehow arrived at a resolution around the tax issue, and I'm not sure how they would have managed that, that could have ended it in the mid 1760s. By the mid 1770s, they had more complaints to do with liberty* and governance**, and a tax law change wasn't going to fix them.

* Liberty: theirs, not anyone else's.

** Governance: not democracy, at least not yet. The complaints had to do with things like law enforcement practices and chains of command, not just who gets to vote for what.

OpenAI claims its software can clone your voice from 15 seconds of you talking

doublelayer Silver badge

Re: Just make such tools illegal too.

The option of "just don't have the technology" is always considered, suggested, superficially functional, and impossible. The same way that "don't have an internet" didn't work when the first abuses were known. The same way that, when there were ten computers in the world and people's ideas of what they could do came from science fiction stories, fear of them did not mean that we just decided to ban them and keep going with manual methods. You can try to ban developing the technology, but it won't stop people, especially as multiple open source versions already exist. They have valid uses, and anyone making one will say they're intending those, whether they actually are or not. If you ban it in one country, it will just be developed in another one.

You can only try to ban a technology when it is prohibitively difficult to develop it, and even that doesn't always work as demonstrated by the number of countries that have or could develop nuclear weapons. Those take a lot of money and things that are hard to just buy, and yet programs to do so have succeeded. Someone can build a voice cloning tool on a home computer, even though it won't be as good as an organized corporate effort. You won't be able to do very much to prevent that.

Rust developers at Google are twice as productive as C++ teams

doublelayer Silver badge

Re: confidence

"Call it "Csafe" or something. It can compile C code but will include bounds checking and all that guff to make it a little bit slower but a lot safer. After all, C++ exists and didn't replace C..."

Most of the time, that would work, but there would be some compatibility differences. For example, if I do go out of bounds, what happens? If I can catch and report on that error, then anything I write that does that isn't compatible with C. Basically all you can do is crash the program on any out of bounds access if you want to be as compatible with C as you can, and even that won't necessarily work on everything. For example, if you have a typical string ending in \0, and I write something else over the \0, is that out of bounds? From the perspective of a string, it is, because it will break all the string functions. From the perspective of an array, it isn't. If you write your language to check for that, then someone will use it in that way and your language will not be compatible with their thing.

So yes, you can do it, but it would end up being a different language. It is hard for a language that is effectively the same as another language to get adopted, whereas building that into a new language that can introduce other changes that people think are useful has a better chance of being adopted.

The Register meets the voice of Siri Down Under

doublelayer Silver badge

"Which has no relevance at all to there being almost no choice in voices."

It really does. Let me explain. Your idea of how complex things are is flawed in multiple ways:

"Or to there being no easy way to make the voice models - they did this in 2002. It's clearly not cutting edge, mega gpu, nuclear powered datacentre work."

If the only metric in how hard something is is how much computing power you need, you're right. Obviously, that is not the only metric in how hard this is. The article should make this plain. In order to build that model in 2002, they needed many days of hours-long recording sessions in a professional studio with a professional voice actor who can take very specific instructions, not half an hour with a laptop mic. That's not the only thing they needed. I can guarantee you that they had a lot of audio editors chopping up that source data and programmers figuring out how to stitch them back together. I know this because open source groups have been doing the same thing. When you can't afford to spend a lot of time on those details, you get robots. When you try to do it with a small amount of source data, for example for projects that have been using the technology to provide people losing their ability to speak with a computer voice that sounds like them, you get this. They have to do that work separately for each person you record.

Nowadays, there are some systems using machine learning to automate a lot of this, and quality is much improved. However, we are getting into lots of GPU territory for training, and even though you don't need that much computing to run the generated models, they are large and intensive enough that they can't run in real time on embedded devices, for instance the phones and navigation units on which you would want them. So yes, the lack of choice is because you can't make a functioning model with a little time and effort.

Now, we have the complaint about Apple denying you choice. They are truly evil for denying you voice options. Looking through a modern iPhone's speech settings, they are cruelly providing only 48 choices for English alone, covering 7 accents. Imagine being so restricted.

doublelayer Silver badge

Because the systems today don't want to have you regenerate voice files every time a new string comes along. With a pre-built voice model, it can say, usually reasonably accurately, any set of words. If a new street name is added to a map, nobody needs to record that name for you to hear it. And if I want to build something other than navigation which speaks, I don't need to hire someone to read things into a microphone for hours or do that myself. It also means you don't have to have as many pauses in sentences as clips are spliced together. I'd say those are net benefits to anyone who uses it.

FTX crypto-crook Sam Bankman-Fried gets 25 years in prison

doublelayer Silver badge

Re: So he sold shady investments to willing suckers

It is quite simple. If I open an exchange where you can buy things, you are still in control. You give me your money, and you decide what to buy. If you choose to buy 2 bitcoin at the price I offer them, then you now own 2 bitcoin and whatever money is left after you purchased them. I don't get to decide that I'm going to sell you a different cryptocurrency instead, because I'm running an exchange. My job is to buy the stuff you said to buy. If you lose money because you bought something that went down in value, that's on you. If I choose to ignore what you said and spend on something else, it's on me and it is a crime.

Your description of what happened is just wrong.

"Didn't SBF say he'd hold the funds in a mix of cash and crypto-coins, and then 'sell' billions of dollars of his own crypto-coins to the exchange in return for the real money?"

Neither. He said he would hold exactly what the customers asked him to hold, whether that's just cash, just cryptocoins, or a combination, and they get to choose the proportions and which specific cryptocoins those were. As for the coin he invented, FTT, he didn't sell those to FTX, they were already the property of FTX, and they were supposed to be just one choice of things you could buy. Of course, he used that as a method to slightly hide the fraud on the balance sheet, not that it took people very long to notice even with that fiction.

doublelayer Silver badge

Re: A message--the absolutely wrong one--has just been sent to all the sociopaths in the US...

From the judge's statement, it doesn't sound like his awkwardness was used to reduce his sentence, just to change where he served it. I admit that this was one of your points, although the recommendation was for a medium-security, not a low-security facility. Still, you may have overestimated how much that helped him.

doublelayer Silver badge

Re: What ?

It's not about the weather. That's where his parents live, so if he is near there, it is easier for them to visit him. From the context, it seems they think that would be beneficial to his mental health.

Amazon fined in Europe for screwing shoppers with underhand dark patterns

doublelayer Silver badge

That definitely fits with my experience. I do not have Prime because I order from them quite infrequently, and whenever I do, they like to push the option at every opportunity. I probably buy from Amazon twice a year or so, but when I do, the things I buy were usually not easy to find elsewhere. Either I didn't find them at all, I found something significantly worse, or I found the same thing at a much higher price. For many items, Amazon is not necessary, but I have yet to find anything as good for niche items.

doublelayer Silver badge

I don't like to buy from Amazon, and I don't do it frequently, but when I have, my experience differs from yours. Other stores available to me usually have something that is similar to what I'm looking for, but the selection is worse, prices are usually worse, and information is less. If they sell only one item that meets my requirements, but Amazon has twenty, I can optimize better from that menu. That also means that I may be able to find someone who has put their prices down because they know people are considering their competition.

Of course, that selection also comes with some major downsides, like having to filter out fraudulent items. I'm thinking of storage mostly, because people do like to sell either refurbished hard drives as new ones or the ever-popular fake SD cards. However, the shops I know that sell storage devices usually have quite a large markup on them instead, and I don't buy enough of them to buy them wholesale. Amazon is far from perfect, but I don't know of many stores where I can find anything near the level of options other than AliExpress (like Amazon, but even more things are fraudulent) or eBay (basically random). For some types of products, I can find better stores, but if I don't already have one in mind, that's when Amazon starts to look like an appealing option, even if I don't go buy from them.

AI hallucinates software packages and devs download them – even if potentially poisoned with malware

doublelayer Silver badge

Re: Not "hallucinates"

This has been covered at length in the first thread here. Your complaint is also not internally consistent. If using the term "hallucination" is giving the program too much credit, then surely so would "making things up" or "lying", as both require intent. "Misleading" fits a little better, but typical usage uses misleading most frequently for intentionally misleading, and your entire first sentence was trying to make sure that the terms make it clear that the program is not thinking. So all three of your terms don't meet your own goal, and if we tried to have one, it would likely be the ungainly "emit information that is either factually incorrect, likely to lead to unwarranted results, or irrelevant". Maybe choosing a word, a word that clearly indicates the degree to which the results are useless, is logical after all?

doublelayer Silver badge

"While "lie" may technically require intent I am pretty sure most people will take uttering falsehood and untruth without intent as lying"

I don't think they do. I certainly don't. I class that as being wrong. I know lots of people who are frequently wrong but aren't trying to be dishonest, and the distinction is relevant to what I think of them. Of course, it can be difficult to know what the intent is, because I also know some types of people who say something they know is incorrect, and are thus lying, but are good at acting as if they're really deluded into thinking it's true. Those people are quite annoying.

doublelayer Silver badge

Re: So nobody ever tried the commands before publishing?

Not if you lump it into a requirements file which says to install a bunch of packages, and you just assume that if you run that file and the program works, you must be fine. I'm guessing it was in a list of other packages so it wasn't a completely ineffectual install step and that they didn't have any testers of any competency checking on it.
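An added example, not the poster's code, of the check that post is missing: audit the requirements file instead of trusting that the install ran and the program started. It flags any entry not on a reviewed allowlist (a hallucinated package name would land there), any entry not pinned with `==`, and any entry without a `--hash`. The approved set, the sample file and the package name `requests-helpers-pro` are all constructed for the example; the last is a stand-in for an invented name, not a claim about a real package.

```python
# Added example (not the original poster's code): audit a requirements file
# rather than assuming "pip install -r" succeeding means the list is sane.
# APPROVED and SAMPLE_REQUIREMENTS are made up for the example.

import re
from dataclasses import dataclass, field
from typing import Iterator, List

# Hypothetical allowlist: whatever your organisation has actually reviewed.
APPROVED = {"requests", "urllib3", "pyyaml"}

# Constructed requirements file. "requests-helpers-pro" stands in for a name an
# LLM might invent; it is not a statement about any real package.
SAMPLE_REQUIREMENTS = """\
# pinned and hashed: fine
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=1.26
pyyaml==6.0.1
requests-helpers-pro==1.0.0
"""


@dataclass
class Finding:
    name: str
    problems: List[str] = field(default_factory=list)


_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash continuations the way pip does; drop comments and blanks."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def audit(text: str, approved=APPROVED) -> List[Finding]:
    """Return one Finding per requirement that fails a check; empty list is clean."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith("-"):  # -r, --index-url and friends: out of scope here
            continue
        m = _NAME_RE.match(line)
        if not m:
            findings.append(Finding(line, ["unparseable"]))
            continue
        name = m.group(1).lower().replace("_", "-")  # normalise like PEP 503
        rest = m.group(2)
        problems = []
        if name not in approved:
            problems.append("not on approved list")
        if not re.search(r"==\s*[\w.]+", rest):
            problems.append("not pinned with ==")
        if "--hash=" not in rest:
            problems.append("no --hash")
        if problems:
            findings.append(Finding(name, problems))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f.name}: {', '.join(f.problems)}")
```

Run against the sample, the only clean entry is `requests`; the invented name is reported as not approved, which is the signal a reviewer actually needs, since the install step itself would have happily succeeded if someone had registered that name on the index.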

Good news: HMRC offers a Linux version of Basic PAYE Tools. Bad news: It broke

doublelayer Silver badge

Re: if status_code == 200

Given that the API I was working with sometimes issued responses with 204, and they had to be handled differently, not so much. There's a reason they have more than one code there. Handling every 200 code identically is almost as bad as the time I saw someone's program doing a retry on every 4xx code, including 403 and 404.

doublelayer Silver badge

Re: I wonder why every request is showing an error

"I respectfully suggest that it is because you didn't read (and absorb) the documentation."

No, it's because I was writing quickly. I read the documentation, which is how I know where the status code is, but I was using an HTTP client that I hadn't used before, and I forgot that it was a string. Generally, you have to understand the documentation, not memorize it. In either case, the bug was identified and fixed quickly. I'm just pointing out that a compiler that detected that I had effectively written "if False" would have pointed it out even faster, with no doubt about the particular cause. Of course, if I keep using this HTTP client library, then I'll begin to write if status_code == "200" all the time, and if I go back to a different one where I know they are integers, that's when my automatic entry will end up being the wrong thing.

doublelayer Silver badge

Re: the reason we use compilers is to somewhat limit the number of stupid things we can do

Those sound like the words of an overconfident person to me. People trying to write something quickly can write a stupid thing even though they would be smart enough to avoid it in another circumstance. Have you ever looked at some code and thought "who decided that was a good idea", checked the logs, and it was you? I have. Sometimes, I know it at the time, so the code is helpfully labeled with comments about why this stupid thing is what I've done right now, but it should be improved at some point. You don't even have to write a lot of code to know that. Are you really saying you've never done something on autopilot and realized, usually right after doing it, that you shouldn't have? Of course, we try to minimize how often that happens and I think I've done well enough at that goal, but I'd be lying if I said it wouldn't ever happen again.

doublelayer Silver badge

Re: It's 2024

You are definitely correct about both things. The reason I bring them up anyway is that I've worked in many places where people wrote unit tests that were testing basic functionality because they occasionally caught errors made by the coders by testing every path, but that a compiler in other languages would have detected. I was required to write similar ones because otherwise, coverage reports would indicate that the function didn't test that the if statement did, in fact, execute the enclosed code when the condition was true. The time spent on unit tests like these that either did nothing or tested manually what a compiler could test automatically took time away. If I had insisted on writing even more tests that were actually useful, my performance would decrease and that doesn't end well.

This does not mean that I neglected useful tests, because I did try to include new ones whenever I thought the risk of someone changing a part was too high, but our project's testing was insufficient, and the time spent on pointless tests of basic things did not help. By all means, you can put the blame on my management for not caring about good tests or on me for listening to them. I certainly blamed myself every time I looked at our build tests which showed 40868 unit tests passed and gave me very little confidence that that meant anything useful.

doublelayer Silver badge

I can't agree with you about the reasons. Python was not the language I learned in introductory courses. It was not the language I learned in advanced courses. Many of those were taught in C or C++ for me, though I learned about ten languages more or less for some course. Python was used in exactly one course, or roughly 0.5 courses because that one used some others as well. If I just stuck with what I learned first, I would not use Python.

I use Python for some purposes because it makes it easy for me to express the intended computation quickly and generally accurately. My typical example is string parsing, where one or two lines of Python can do what would take twenty in C. If I need to parse a million such strings per second, then I might reimplement it in something faster, but in many cases, I need to parse a smaller number and it doesn't really matter how quickly, so the faster and more accurately I can chop them up and reconstitute the parts I care about, the better. This does mean that, as a program gets larger, I am less likely to use Python to write it, but that doesn't kick in as fast as it might for you. I have and will continue to write quite large systems in it when it is better than the alternatives.

doublelayer Silver badge

Re: It's 2024

I'm glad to hear it. I'm pretty good at not doing that myself, having had a lot of experience, but I can't claim never to have done it, especially as I did it not too long ago. I was writing a basic HTTP client, and I checked the return code with something like

if status_code == 200:

Huh, I wonder why every request is showing an error? Is it that I'm not connecting to the right place? Have I incorrectly implemented the authentication? Did my quick client mess up a character encoding thing? No, I have to compare against a string status code instead of a numeric one but Python doesn't mind comparing a string and an integer for equality, it just always says False. A simple error, quickly fixed, and I probably wouldn't have made it if I was writing a larger program rather than a quick script (because the larger program would have abstracted out the HTTP stuff into one part that I would have focused my attention on when writing it), but I do make mistakes.

If you never make mistakes, that's great, but two things are still true. First, there are many people who do make them and it can be helpful to catch them without requiring them to go through long, otherwise pointless processes because they might try to skip them or they might make another mistake*. Second, I don't believe that you actually never make a mistake. I think you probably catch it quickly instead.

* In a project I worked on, every function would start by checking all its parameters for unacceptable nulls. Every unit test would start by testing all the parameters with unacceptable nulls. We pointed out that, if someone forgot to check for nulls, they would probably forget to test for the null they missed because everyone just wrote tests in the same order that their checks appeared which made it really easy to miss such a thing a second time if they already missed it the first time.
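An added example, not the poster's code, covering the two status-code points made in this thread: the `"200" == 200` comparison that silently evaluates to False in Python, and the separate point that 200 and 204 are both successes but need different handling while 403 and 404 must not be retried. The `status_code` values fed in are constructed; the normaliser assumes a hypothetical client that may return the code as a str, bytes or int, which is the trap described above.

```python
# Added example (not the original poster's code): normalise the status code
# before comparing it, then branch on the right families.
# The input shapes (str / bytes / int) are assumed for the example.

from typing import Union

RETRYABLE = {408, 425, 429, 500, 502, 503, 504}  # transient: a retry can help


def buggy_is_ok(status_code) -> bool:
    """The bug from the post: "200" == 200 is False in Python, every time,
    and nothing in the language tells you the comparison was meaningless."""
    return status_code == 200


def normalize_status(status_code: Union[int, str, bytes]) -> int:
    """Coerce whatever the client handed back into an int, failing loudly on junk."""
    if isinstance(status_code, bool):  # bool subclasses int; reject explicitly
        raise TypeError("status code must not be a bool")
    if isinstance(status_code, bytes):
        status_code = status_code.decode("ascii")
    if isinstance(status_code, str):
        status_code = status_code.strip()
        if not status_code.isdigit():
            raise ValueError(f"non-numeric status code: {status_code!r}")
        status_code = int(status_code)
    if not isinstance(status_code, int) or not 100 <= status_code <= 599:
        raise ValueError(f"status code out of range: {status_code!r}")
    return status_code


def is_valid_status(status_code) -> bool:
    """True if normalize_status() accepts the value, False otherwise."""
    try:
        normalize_status(status_code)
        return True
    except (TypeError, ValueError):
        return False


def classify(status_code) -> str:
    """Return 'ok', 'no_content', 'redirect', 'retry' or 'fail'.

    200 and 204 are both successes but must not be handled identically: a 204
    has no body by definition, so parsing it as JSON would fail for no reason.
    """
    code = normalize_status(status_code)
    if code == 204:
        return "no_content"
    if 200 <= code < 300:
        return "ok"
    if 300 <= code < 400:
        return "redirect"
    if code in RETRYABLE:
        return "retry"
    # Everything else, including 403 and 404, is a hard failure. Retrying a
    # 404 five times only makes the logs noisier and hides the real cause.
    return "fail"


if __name__ == "__main__":
    for raw in ("200", 204, b"404", 503):
        print(raw, "->", "buggy ok" if buggy_is_ok(raw) else "buggy error", "/", classify(raw))
```

The point of `normalize_status` is that the type confusion becomes a `ValueError` or `TypeError` at the first call rather than a mysterious stream of "errors" from a client that is actually working; that is the runtime stand-in for the compile-time check the post wishes Python had.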

doublelayer Silver badge

Re: It's 2024

The problem with that is that manually writing unit tests that test obvious behavior takes time, and that time could be better spent on tests that might help in the future instead of catching obvious stuff now. I've written a lot of unit tests that will never catch a real error because they effectively duplicate the code in a function. Either the function remains the same and the test will pass, or someone changes the function and will have to change the test, but it won't detect anything useful. I have written it because it tests some types and names, the same thing a compiler for other languages would do. If I didn't have to write that, I could spend the time writing a test which tests the boundary between two units, the places where changes to one area can cause a failure in another. I've worked on codebases where we had complete test coverage and where the tests would never do anything for us. By wasting time with tests that could be done automatically, we end up spending less time on the tests that prevent bugs later.

I also disagree about some features like inheritance. I find that well-structured types make certain design challenges much easier to get around than doing without them. Of course, Python has plenty of those features, and I use them frequently. Since I complained about Python's type system, I'll give it some praise now: one of its major strengths is the number of syntactic and structural ideas it has gathered from other languages and made available. For example, if something is best written in a functional language style, I can do that easily in Python while C makes it a pain. That is what makes Python such a good language for getting something functioning quickly; I can express what I want very quickly and accurately.

Windows Format dialog waited decades for UI revamp that never came

doublelayer Silver badge

"Yes, yes it was elegant: neat, tidy, no guff, sensible, easy to use."

It is not bad, and I'll grant easy to use and compact, which are certainly in its favor. But not everything in there is sensible. For example, let's take a look at the fields.

First, we have a capacity box with only one option in it. In modern land, there's only ever one option in it. I can only guess that it's there to deal with floppy disks. Either way, I'm glad I've never had to explain to a user what that's there for. Then, we have a format box which often has only one option, but sometimes has two. More choices here would be useful. The "allocation unit size" box is something I understand, but it is not explained for anyone who doesn't. Those are your only parameters. We're lucky that this box can't create any complex file system because there's no place to configure extra features of one. Windows does support other filesystems, but they don't expose that to this box.

If you want something with three settings, two of which can't be changed and one of which nobody changes anyway, then writing a simple UI is pretty easy. It's when you want to have more options that it becomes difficult. For example, the nightmare that is trying to get Windows to change a partition table, because it uses a similar theoretically simple UI which is so simple that it would appear not to be able to do anything. There is a reason why I tend to boot Linux and use fdisk whenever I'm partitioning something, then create filesystems on the partitions, also from Linux, then bring the device back to Windows. That is not something that speaks in favor of those UI choices.

Time to examine the anatomy of the British Library ransomware nightmare

doublelayer Silver badge

"To me that reads like a lot of today's thinking - let's blame someone else."

Yes, that's what I meant by "blame game". People do it all the time. One of the people doing it, right now, is you. You're going to find one person who did one thing wrong and put the blame on them: "track down the person whose password allowed the initial access and fire them". I'm guessing that you work in IT, so you're nicely exempting your profession from it by finding someone else and deciding that they're responsible. In my example, I gave you lots of single people we could put the blame on.

IT person: You could have had monitoring and more security, you didn't, so it's all your fault.

Management: You could have told the IT person to have monitoring and more security measures, you didn't, it's all your fault.

Finance: You could have increased budgets for security, you didn't, it's all your fault.

Senior management: You could have approved more leeway for IT security measures, you didn't, it's all your fault.

In reality, it is at least partially the fault of all five of those people, and possibly even more. Each person probably could have done something differently. Accurately estimating the correct amount of blame would involve trying to evaluate exactly where each person failed, but it doesn't really help much. If you're going to have blame-related consequences, doing that is the fairest way. If you're willing to fire the person who initially clicked on something they shouldn't have, imagine for a moment someone barging into your office, deciding that you should have done something differently, and announcing that you're the one to be fired. You probably could have done something, after all.

Street newspaper appears to have Big Issue with Qilin ransomware gang

doublelayer Silver badge

Re: What is the purpose?

The model of letting someone else get initial access and then just deploy your ransomware could be responsible. If there is someone who wants to get some ransoms but isn't capable of getting into anything with even mild protections on it, they may have been the one to select some low-hanging fruit because they could get into it and they didn't really think about the likelihood of getting anything out of it. Having done so, the software worked just as well as it would anywhere else and the organization responsible for collecting ransoms figured that they've already attacked this thing, so might as well try to get some money for it even if it's small.

Uncle Sam's had it up to here with 'unforgivable' SQL injection flaws

doublelayer Silver badge

Re: SQL is the problem

"ADD B TO C" is fine. What we write now, c += b or c = c+b is no different semantically. The syntactic difference is unimportant. The problem is not with syntax that looks like English. The problem of injection is not unique to SQL or a language that looks like English, but is present in any language that can parse a generated string as code. Perl is notorious for this, because few Perl programs, at least the old ones when Perl was more popular, didn't use the eval function somewhere.

I wrote a comment in another thread above this one about why I think that SQL needs to look like it does here and accept a string query, because attempting to construct complex queries using a more traditional programming language either makes the code unreadable or makes the programmer do the work for the database (i.e. instead of running one query, running multiple ones and handling the intermediate stages manually). A language that looked like SQL but enforced parameterization could avoid the injection risks. One that looked more like code but didn't enforce them would be as vulnerable. One that looked like code and did enforce them could end up fixing the injection risk in such an ugly way that nobody used it.

Chrome for Windows-Arm laptops officially lands in time for Snapdragon X Elite kit

doublelayer Silver badge

Re: Microsoft only dropped Alpha support

I'm not really sure what that proves other than that Microsoft is quicker to drop support. The hypothetical of what would have happened had Alpha remained in production and being purchased is the better one, but we don't know whether Microsoft would have kept it, whether people would have bought it, or any of the questions relevant to the ARM situation today. Windows on Alpha and Itanium were already weak because people weren't buying the machines with those chips in them. You can't really blame Windows for Itanium's failure when Linux shops weren't buying Itanium boxes in droves either.

doublelayer Silver badge

Re: The x86 layer hasn't skipped [a] beat

It depends how often you have to use it. If most of your tools are compiled for ARM, then you will be efficient most of the time and the emulation is there when you need to run something that wasn't compiled for it. The trouble comes if most of what you want to do hasn't been compiled over and you spend most of your days in emulation. For people who use niche tools, it's probably not ready. For the average office computer where a word processor, email client, and browser are needed, you can likely find ARM versions of all those things. Definitely if you're using Office for those, but Firefox and LibreOffice have Windows on ARM ports as well. I don't have one, but I think it has avoided the reasons why I told people not to consider earlier attempts. The Windows RT devices may have looked like Windows, and there was some Windows source code in there, but they didn't have compatibility with anything Windows had. The current version does have that, and from what I've heard from people who use it, it works pretty well.