Readit News
dns_snek commented on Discord Alternatives, Ranked   taggart-tech.com/discord-... · Posted by u/pseudalopex
ozlikethewizard · an hour ago
You can have multiple instances of Signal on a mobile device, and you can use VoIP or eSIMs to register. Signal with an online persona revealing no identifying information, registered to a cash-purchased eSIM on an ungoogled Android, is as good as you're getting. Why do you think so many jurisdictions are trying to ban both GrapheneOS and Signal?
dns_snek · 22 minutes ago
You can do all of that, but you shouldn't have to when using a privacy-focused messenger, and most people won't, so they'll be exposed and suffer the consequences if they use Signal expecting a certain level of privacy (and pseudo-anonymity).

It's a terrible anti-feature and the only reason they're not being punished for it is because there aren't many alternatives to pick from.

dns_snek commented on I now assume that all ads on Apple news are scams   kirkville.com/i-now-assum... · Posted by u/cdrnsf
xwkd · 4 days ago
Over the past decade, there's been a lot of regulation forcing Apple to open up their "Apple only" integrated platforms.

It used to be the case that if Apple wanted to build a walled garden / cathedral, then in order to compete in the hardware marketplace they had to provide software that didn't suck. You knew that if you bought an Apple product, there was reasonable assurance that everything was tightly integrated. If it wasn't, you'd go buy a market alternative (Android, PC). In my mind, this means that they spent a lot of time and dev resources (i.e. money) on their Frameworks. I think it showed. Time was spent on design. They focused on opening up capabilities "the right way."

Now that's pointless. If the iPhone is just an Android phone with a different coat of paint, then dev resources are going to be shifted to a place where Apple can distinguish themselves in the market, where they have platforms that they can control: Services.

dns_snek · 4 days ago
Can you support this unfalsifiable reasoning beyond blaming a convenient political scapegoat? Which paragraph of which article of which regulation requires them to deliver low-resolution PDFs in Apple News, for example? What about all the other issues?

Your argument essentially boils down to: If Apple doesn't get to do whatever they want without compromise, their execs get too discouraged and depressed to innovate. The obvious conclusion is that the only way we can enjoy the unrivaled genius of Apple is to give them a blank check to do whatever they want.

Every act of consumer protection and every form of pro-competitive regulation is twisted and exaggerated, no matter how insignificant it is to their bottom line or product functionality. The world is ending any time they don't get their way and when the world doesn't end, this decision becomes the scapegoat for all of their future faults, missteps, and bad performance. They can never do anything wrong and nothing is ever their fault, it's so so incredibly tiring to listen to this.

dns_snek commented on The RCE that AMD won't fix   mrbruh.com/amd/... · Posted by u/MrBruh
arghwhat · 4 days ago
> you're also trusting that the client's HTTP stack is parsing HTTP content correctly

This is an improvement: HTTP/1.1 alone is a trivial protocol, whereas the alternative is trusting the client's much more complicated TLS stack and its HTTP stack.

For technical reasons, unencrypted HTTP is also always the simpler (and for bulk transfers more performant) HTTP/1.1 in practice as standard HTTP/2 dictates TLS with the special non-TLS variant ("h2c") not being as commonly supported.

> for that matter, you're also trusting that the server (and any man-in-the-middle) is generating valid HTTP responses

You don't, just like you don't trust a TLS server to generate valid TLS (and tunneled HTTP) messages.

> you're also trusting that the client's response parser doesn't have a vulnerability (and not, say, ignoring some "missing closing bracket" or something)

You don't. Authentication 101 (which also applies to how TLS works), authenticity is always validated before inspecting or interacting with content. Same rules that TLS needs to follow when it authenticates its own messages.

Furthermore, TLS does nothing to protect you against a server delivering malicious files (e.g., a rogue maintainer or mirror intentionally giving you borked files).

> you're also trusting that the client is parsing the correct signature (and not, say, some other signature that was tacked-on later)

You don't, as the signature must be authentic from a trusted author (the specific maintainer of the specific package for example). The server or attacker is unable to craft valid signatures, so something "tacked-on" just gets rejected as invalid - just like if you mess with a TLS message.

> It's trivially easy to disassemble software to find vulnerabilities like those, though. So it's a lot of trust given for an untrusted software stack.

The basis of your trust is invalid and misplaced: Not only is TLS not providing additional security here, TLS is the more complex, fragile and historically vulnerable beast.

The only non-privacy risk of using non-TLS mirrors is that a MITM could keep serving you an old version of all your mirrors (which is valid and signed by the maintainers), withholding an update without you knowing. But, such MITM can also just fail your connection to a TLS mirror and then you also can't update, so no: it's just privacy.

dns_snek · 4 days ago
> HTTP/1.1 alone is a trivial protocol

Eh? CWE-444 would beg to differ: https://cwe.mitre.org/data/definitions/444.html

https://http1mustdie.com/

> the alternative is trusting the client's much more complicated TLS stack and its HTTP stack.

An attacker doesn't get to attack the client's HTTP stack without first piercing the protection offered by TLS.

dns_snek commented on My AI Adoption Journey   mitchellh.com/writing/my-... · Posted by u/anurag
keyle · 4 days ago
Architects went from drawing everything on paper, to using CAD products over a generation. That's a lot of years! They're still called architects.

Our tooling just had a refresh in less than 3 years and it leaves heads spinning. People are confused, fighting for or against it. Torn even between 2025 and 2026. I know I was.

People need a way to describe it from 'agentic coding' to 'vibe coding' to 'modern AI assisted stack'.

We don't call architects 'vibe architects' even though they copy-paste 4/5th of your next house and use a library of things in their work!

We don't call builders 'vibe builders' for using earth-moving machines instead of a shovel...

When was the last time you reviewed the machine code produced by a compiler? ...

The real issue this industry is facing, is the phenomenal speed of change. But what are we really doing? That's right, programming.

dns_snek · 4 days ago
> We don't call architects 'vibe architects' even though they copy-paste 4/5th of your next house and use a library of things in their work!

Architects' copy-pasting is equivalent to a software developer reusing a tried and tested code library. Generating or writing new code is fundamentally different and not at all comparable.

> We don't call builders 'vibe builders' for using earth-moving machines instead of a shovel...

We would call them "vibe builders" if their machines threw bricks around randomly and the builders focused all of their time on engineering complex scaffolding around the machines to get the bricks flying roughly in the right direction.

But we don't because their machines, like our compilers and linters, do one job and they do it predictably. Most trades spend obscene amounts of money on tools that produce repeatable results.

> That's a lot of years! They're still called architects.

Because they still architect, they don't subcontract their core duties to architecture students overseas and just sign their name under it.

I find it fitting and amusing that people who are uncritical towards the quality of LLM-generated work seem to make the same sorts of reasoning errors that LLMs do. Something about blind spots?

dns_snek commented on The RCE that AMD won't fix   mrbruh.com/amd/... · Posted by u/MrBruh
krater23 · 4 days ago
Auto-update is EVERY TIME an RCE. When the software checks a signature, you just need the key. And the delivering enterprise has the key. EVERY TIME.

I don't understand why most people think auto-updating software would in any way create more security. It just creates more attack vectors for every piece of software that has an auto-updater.

dns_snek · 4 days ago
Remote Code Execution (RCE) is a type of vulnerability. Intentionally running code from a developer you trust is not a vulnerability.

An auto-update mechanism only becomes an RCE if it allows unauthorized third parties to execute code on your machine by failing to verify that the code comes from a legitimate source.

> you just need the key

Secrecy of cryptographic keys is the basis of all cryptography we use. There's no "just", you need the key and you don't have it.
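The two threads above (the HTTP-vs-TLS mirror discussion and this auto-update one) both turn on the same mechanism: the client verifies a signature over the raw bytes under a trusted public key before it parses or acts on anything, so a tampered body, a trailer appended by a mirror, a signature swapped in from another message, or a signature made with a key the client does not trust are all rejected before any parser runs. The Go program below is an added example written for this page, not code from any real package manager or from AMD's installer. The 16-byte version/expiry header, the sample package body and the in-process "maintainer" and "attacker" keys are all constructed for the demo. It goes one step beyond the comments by also checking a signed expiry and a monotonic version, which is how TUF-style update systems catch the freeze and rollback attacks that the signature alone cannot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed on-the-wire format for this demo: header || body, where the
// header is version (uint64, big-endian) || expires_at (unix seconds, uint64).
// The signature covers header and body together.
const headerLen = 8 + 8

// Package is the parsed result, produced only after the signature verifies.
type Package struct {
	Version uint64
	Expires time.Time
	Body    []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify under the trusted key")
	ErrTruncated    = errors.New("payload shorter than header")
	ErrExpired      = errors.New("signed metadata has expired (possible freeze attack)")
	ErrRollback     = errors.New("version older than the installed one (possible rollback)")
)

// makeSignedPackage is what the maintainer's release tooling would do.
func makeSignedPackage(priv ed25519.PrivateKey, version uint64, expires time.Time, body []byte) (payload, sig []byte) {
	payload = make([]byte, headerLen+len(body))
	binary.BigEndian.PutUint64(payload[0:8], version)
	binary.BigEndian.PutUint64(payload[8:16], uint64(expires.Unix()))
	copy(payload[headerLen:], body)
	return payload, ed25519.Sign(priv, payload)
}

// VerifyThenParse is the client side. The signature check is the first thing
// that touches the bytes; no field is decoded until it has passed. Only then
// are the expiry and version fields read and enforced.
func VerifyThenParse(trusted ed25519.PublicKey, payload, sig []byte, now time.Time, installed uint64) (*Package, error) {
	if !ed25519.Verify(trusted, payload, sig) {
		return nil, ErrBadSignature
	}
	if len(payload) < headerLen {
		return nil, ErrTruncated
	}
	version := binary.BigEndian.Uint64(payload[0:8])
	expires := time.Unix(int64(binary.BigEndian.Uint64(payload[8:16])), 0)
	if now.After(expires) {
		return nil, ErrExpired
	}
	if version < installed {
		return nil, ErrRollback
	}
	return &Package{Version: version, Expires: expires, Body: payload[headerLen:]}, nil
}

// RunScenarios plays the attacks from the thread against VerifyThenParse and
// returns the outcome of each. Keys are generated in-process; the attacker key
// stands in for a malicious mirror or a man-in-the-middle.
func RunScenarios() map[string]error {
	maintPub, maintPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	body := []byte("Package: example\nVersion: 2.0\n") // constructed sample content
	payload, sig := makeSignedPackage(maintPriv, 2, now.Add(24*time.Hour), body)
	clone := func(b []byte) []byte { return append([]byte(nil), b...) }

	out := map[string]error{}
	check := func(name string, p, s []byte, at time.Time, installed uint64) {
		_, err := VerifyThenParse(maintPub, p, s, at, installed)
		out[name] = err
	}

	check("genuine", payload, sig, now, 1)

	tampered := clone(payload) // MITM flips one byte of the body
	tampered[len(tampered)-1] ^= 0xff
	check("tampered body", tampered, sig, now, 1)

	check("appended trailer", append(clone(payload), "\nExtra: evil"...), sig, now, 1)

	evilPayload, evilSig := makeSignedPackage(attackerPriv, 3, now.Add(24*time.Hour), []byte("evil"))
	check("attacker key", evilPayload, evilSig, now, 1)   // valid signature, wrong key
	check("swapped signature", payload, evilSig, now, 1)  // "tacked-on" signature
	check("stale metadata", payload, sig, now.Add(48*time.Hour), 1) // genuine but expired
	check("rollback", payload, sig, now, 5)              // genuine v2 offered to a v5 client

	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

The point of the ordering in VerifyThenParse is the one made in the thread: the header decoder never sees attacker-controlled bytes, because anything that was not signed by the trusted key is dropped before it. The expiry and version checks are the part the signature does not cover on its own; without them a network attacker can keep replaying a genuine, validly signed old release, which is the freeze scenario mentioned above.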

dns_snek commented on The RCE that AMD won't fix   mrbruh.com/amd/... · Posted by u/MrBruh
bb88 · 4 days ago
It's not directly an RCE unto itself, it requires something else. A compromised DNS on the network, e.g. So no surprise they ignored it.

Also, if AMD is getting overwhelmed with security reports (a la curl), it's also not surprising. Particularly if people are using AI to turn bug bounties into income.

Lastly if it requires a compromised DNS server, someone would probably point out a much easier way to compromise the network rather than rely upon AMD driver installer.

dns_snek · 4 days ago
You're completely misunderstanding the impact. If you run AMD's software you're effectively giving root access to your computer to any wifi network you connect to and any person who happens to be on that network.
dns_snek commented on The RCE that AMD won't fix   mrbruh.com/amd/... · Posted by u/MrBruh
dns_snek · 4 days ago
Can anyone rationalize this decision? Sure, technically this is outside the stated scope; however, the severity of this vulnerability is immediately obvious, which should trigger some alarm bells that the scope needs to be reconsidered.

If they lose just one customer over this they're losing more than the minimum $500 bounty. They also signal to the world that they care more about some scope document than actually improving security, discouraging future hackers from engaging with their program.

This would be a high-severity vulnerability, so even paying out $500 for a low-severity one would be a bit of a disgrace.

What's the business case for screwing someone out of a bounty on a technicality?

dns_snek commented on ICE seeks industry input on ad tech location data for investigative use   biometricupdate.com/20260... · Posted by u/WaitWaitWha
reactordev · 5 days ago
Replace “tech” in this scenario with “ammunition”.

Does your argument still hold up?

>”employees are making the actual thing that inflicts harm while consumers' actions are completely diffused and many steps removed from the harm they cause.”

“employees are making the actual thing that inflicts harm while consumers' actions directly cause deadly harm.”

I’m not arguing that we shouldn’t be voting with our wallets and supporting these people but your initial argument is flawed. They produce goods precisely because consumers buy them…

dns_snek · 5 days ago
I didn't say "tech", I said "ad-tech" and "big tech" (meaning ad-tech like Google, not TSMC) which aren't morally neutral like ammunition is. Invasion of privacy and exploitation of private information is an inherent part of their business model.
dns_snek commented on ICE seeks industry input on ad tech location data for investigative use   biometricupdate.com/20260... · Posted by u/WaitWaitWha
lukan · 5 days ago
"The only way for consumers to avoid this "

Or they could stop drinking coke? But I guess that is too much to ask.

dns_snek · 5 days ago
You can avoid Coke, but approximately every brand in the supermarket is funding ad-tech. And even if you can find brands that don't, your supermarket is likely funding ad-tech to advertise itself, so you can't go there at all. Maybe you still have a farmer's market, but chances are that they're advertising online.

You can't buy a car or any smartphones you've ever heard of, you won't find an ISP that doesn't advertise online, and good luck finding a decent job without supporting ad-tech.

dns_snek commented on A sane but bull case on Clawdbot / OpenClaw   brandon.wang/2026/clawdbo... · Posted by u/brdd
louiereederson · 6 days ago
- Why do you need a reminder to buy gloves when you are holding them?

- Why do you need price trackers for airbnb? It is not a superliquid market with daily price swings.

- Cataloguing your fridge requires taking pictures of everything you add and remove which seems... tedious. Just remember what you have?

- Can you not prepare for the next day by opening your calendar?

- If you have reminders for everything (responding to texts, buying gloves, whatever else is not important to you), don't you just push the problem of notification overload to reminder overload? Maybe you can get clawdbot to remind you to check your reminders. Better yet, summarize them.

dns_snek · 5 days ago
> Cataloguing your fridge requires taking pictures of everything you add and remove which seems... tedious. Just remember what you have?

I have ADHD, I forget where I put things down 5 seconds ago and I forget what's in my fridge all the time. It's genuinely a big problem for me because I let things expire, buy things I already have, and just accumulate cruft that necessitates a big fridge clean once every few months which makes me feel bad about all the things I'm throwing away.

In an ideal world I want an up to date inventory on everything that's in my fridge with expiration reminders. I'd love for someone to solve this problem in a non-tedious way. Taking pictures of everything would indeed be tedious.

u/dns_snek · Karma: 4331 · Cake day: June 25, 2018