Just an alien intelligence curious about humans ;)

They/Them. My name is pronounced “Ah–Eks-si — Rookh” (ending in that Germanic “ch” sound)

  • 1 Post
  • 42 Comments
Joined 3 years ago
Cake day: July 28th, 2021

  • aexiruch to Privacy · *Permanently Deleted* · 8 up / 2 down · 3 years ago

    There is no good reason to risk any amount. It is ridiculously idiotic; like having a wallet on the outside of your car to pay for parking tickets… sure, it’s a tiny bit more convenient and as long as you’re either driving or parking your car in a garage most of the time it’s unlikely the money will be stolen, but who the fuck thinks it’s a good idea? Also note the risk of the reverse; cryptocurrencies are a juicy target and lots of code has been found exploitable over the years. I’d be just as worried about an exploit in that part leading to a breach into the messenger security… It is a fundamentally stupid idea to combine these.

  • Can’t say I’m surprised, they’re an “AG”, which means they’re beholden to increasing shareholder value and nothing else. It’s eminently rational for them to act similarly to corps with the same “fitness function”. I mean, even the threat model they “protect” against is not one I find particularly convincing (It’s a key escrow system, but the entire “trusted” part happens inside either the ProtonMail-controlled JavaScript or in a ProtonMail-delivered binary; in both cases they are in a position to deliver tailored or blanket key exfil attacks unless you very carefully screen the JS or binary every time you download it, which seems unlikely given the target demographic of can’t-be-arsed-to-install-gnupg-themselves… Frankly it stinks to high heaven of being a Crypto-AG-style honeypot)


  • Haven’t watched the video, but I’ve had interactions with Daniel Micay and… Not exactly pleasant. Very sure of having the one true way™ and unwilling to consider people may have slightly different threat models. Got accused of being an astroturfer for CalyxOS instead (Have never used it, my arguments aimed at Puri.sm-style hardware switches). Am still using Graphene, because it comes closest to my needs, but the whole thing sure left a bad taste in my mouth (and I steadfastly abstain from conversations where Micay is likely to get involved). But then, I’ve similar experiences with OpenBSD, Exherbo Linux, and pulseaudio and systemd. There is a type of developer that manages to force their vision on a project with singular zeal, but is very unpleasant to even slightly challenge. Your only real choice is to subscribe to that vision to a potentially uncomfortable degree, or to dismiss the project.

  • No “Please do not” feature will ever work. Make sure something cannot be done, then bolt on an additional “well, here is a bone” opt-in feature (incl. the option to send fake data), if you really need to. Everything else is hoping, quite unreasonably, the “threat” of a lawsuit is sufficient to stop companies from violating your expressed preference. Hint: If they gave a damn they’d not do that shit in the first place.


  • Professionally I am an “Architect” and not much involved in system config (anymore), what I describe below is how I do things for my own, private, servers: Not a big fan of docker, it too often means “cobbled together by a dev not understanding security implications” aka “Institutionalized ‘works on my machine’” (of course there are exceptions!). Generally I like using Ansible, because it feels close to how I learned things (ssh, manually), while still making things reproducible (Infrastructure as Code). But, again, not too big a fan of using other peoples “roles”, because you never know how well they actually understand what they’re doing. I read them for a rough understanding, but usually opt to write my own, based on careful reading of a given software’s config manual.


  • That applies to science, hypotheses, experiments, etc. and there I fully and wholeheartedly agree. But being one of thousands to implement a Bubble Sort has marginal educational value unless you are truly surprised it’s not exactly efficient. It might very well differ between different universities; in mine the “science” in “CS” was mostly absent until you started working on your PhD, and the rest wasn’t even good engineering, just “trying to filter out as many students as possible, as quickly as possible, by all means necessary”. They openly admitted that, and in my case they succeeded, by killing the joy of understanding and burying it under ten feet of “now reimplement this thing that has been proven worthless sixty years ago”.


  • I dropped out of university (I couldn’t stand being one of literally thousands working on the exact same problem, at the same time, that thousands more had solved in prior years, for decades; I wanted to solve new and real problems). I registered as “looking for work” with the appropriate government agency and their first reaction was an exasperated “Oh my! You’ll need a good coach…”. Not the most encouraging reaction… Well, they did send me a bunch of local companies with internships, entry level jobs, etc. I applied for an internship starting next month at a really small shop that did “everything web” and during the interview they asked whether I could start tomorrow 😛 (Obviously they were a coder short for an important project, but they were very happy about my knowledge and skills). I seamlessly transitioned into vocational training with the same company, which was mostly pro-forma given my background (So instead of “university drop-out” I had something to put on my CV). Later I was on loan to another, mid-size, company (which didn’t know I was still, technically, a trainee) and they offered to hire me directly. I came clean about my trainee status, switched companies, finished my training, and was hired by that same company on the spot. Stuck with them a couple of years, until they didn’t promote me from “technical project lead” to “software architect” because they only had one opening and someone else was picked (Looking back I think I would have made the same choice, so I hold no grudge), and given the company’s size that meant there likely wouldn’t be another opportunity for some years, which irked me 😛


  • Well, some people used CentOS as “RedHat Gratis Edition”, and they are mostly still served by it now. On the other hand I know a lot of corporations that used it for binary-identical test systems, to try out patches, etc. for their RedHat primary systems. They have now lost that ability and I know that ditching RedHat as a consequence is very seriously discussed in some of them; They’ve killed something that was seen as “part of the deal”, if unofficially.


  • Either you take the potential risks of AI seriously, MIRI-style, then you don’t fucking develop it. Or you think, probably rightfully so, that what you are working on is still “parlor tricks” and a far cry from actual AI; then claiming to be working on AI safety is already a fundamentally unethical lie, so why is anyone surprised they went commercial as soon as they had a chance?


  • Looking is not always sufficient, there can be embedded subshells, newlines, etc. that’ll cause execution immediately. You need to inspect it in a separate program very carefully. Frankly, you probably shouldn’t ever copy and paste anything into a shell. Type it by hand. In a similar vein there are beautiful ways to hide malicious payloads in installer scripts (e.g. inspecting the user agent so it shows up as harmless when inspected in a browser) which are ever so popular with “hip” developer tools that can’t be arsed to go through the hassle of getting included in a distro properly, because releasing ten versions a day is “modern”…
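The kind of check the comment above is asking for, as an added example that is not part of the original comment and not anyone’s published tool: a small POSIX shell function that screens text before it goes anywhere near a shell. It reads the candidate on stdin, flags the three things the comment names (newlines that would execute the line the instant it lands, bytes outside printable ASCII such as carriage returns, ANSI escapes or zero-width Unicode that hide content from the eye, and constructs like `$(…)`, backticks, `eval`, `base64 -d` or a pipe into `sh` that run something other than what is visible), and returns 0 only when nothing was found. The function name, the warnings and the constructed sample inputs are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original comment. Hypothetical helper that
# screens text you were about to paste into a shell. Feed the candidate on
# stdin; a report goes to stderr and the exit status is 0 only when nothing
# suspicious was found (1 otherwise, 2 if a temp file could not be made).
#
#   usage:  xclip -o | inspect_paste        # X11
#           pbpaste  | inspect_paste        # macOS
inspect_paste() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    rc=0

    # 1. Any newline at all: an interactive shell runs the line the moment
    #    the newline arrives, before you get a chance to read it.
    nl=$(( $(tr -cd '\n' < "$tmp" | wc -c) ))
    if [ "$nl" -gt 0 ]; then
        echo "WARN: contains $nl newline(s); the shell would run it on paste" >&2
        rc=1
    fi

    # 2. Bytes outside printable ASCII (plus tab and newline): carriage returns
    #    that overwrite the visible line, ANSI escapes, zero-width Unicode, etc.
    #    tr deletes the allowed bytes, so whatever is left is suspicious.
    odd=$(( $(tr -d '\011\012\040-\176' < "$tmp" | wc -c) ))
    if [ "$odd" -gt 0 ]; then
        echo "WARN: $odd byte(s) that are not printable ASCII; raw dump:" >&2
        od -c "$tmp" >&2
        rc=1
    fi

    # 3. Constructs that execute something other than what you see: command
    #    substitution, a pipe into a shell, eval, or a base64 decode.
    if grep -Eq '\$\(|`|\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)|(^|[[:space:];&|])eval[[:space:]]|base64[[:space:]]+(-d|--decode)' "$tmp"; then
        echo "WARN: command substitution, pipe-to-shell, eval or base64 decode present" >&2
        rc=1
    fi

    rm -f "$tmp"
    return "$rc"
}
```

The check is deliberately noisy: a legitimate one-liner that uses `$(…)` will also be flagged, which is the point, since you then read that part by hand. It says nothing about the user-agent trick the comment also mentions; for that, a quick and imperfect test is to fetch the installer twice, once with `curl`'s default `User-Agent` and once with a browser-like one (`curl -fsSL -A 'Mozilla/5.0' URL`), and compare the `sha256sum` of both downloads. Different hashes mean the server hands out different content depending on who asks; identical hashes prove nothing, since the server can key on other headers or on timing.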