ghostly_s commented on How wealth dies   surplusenergyeconomics.wo... · Posted by u/martinlaz
measurablefunc · 20 days ago
Which part do you disagree with?
ghostly_s · 15 days ago
I made no statement about my alignment with the opinions therein.
ghostly_s commented on Reverse engineering a $1B Legal AI tool exposed 100k+ confidential files   alexschapiro.com/security... · Posted by u/bearsyankees
bgbntty2 · 15 days ago
I'm a bit conflicted about what responsible disclosure should be, but in many cases it seems like these conditions hold:

1) the hack is straightforward to do;

2) it can do a lot of damage (get PII or other confidential info in most cases);

3) downtime of the service wouldn't hurt anyone, especially if we compare it to the risk of the damage.

But, instead of insisting on the immediate shutting down of the affected service, we give companies weeks or months to fix the issue while notifying no one in the process and continuing with business as usual.

I've submitted 3 very easy exploits to 3 different companies the past year and, thankfully, they fixed them in about a week every time. Yet, the exploits were trivial (as I'm not good enough to find the hard ones, I admit). Mostly IDORs, like changing id=123456 to id=1 all the way up to id=123455 and seeing a lot of medical data that doesn't belong to me. All 3 cases were medical labs because I had to have some tests done and wanted to see how secure my data was.

Sadly, in all 3 cases I had to send a follow-up e-mail after ~1 week, saying that I'll make the exploit public if they don't fix it ASAP. What happened was, again, in all 3 cases, the exploit was fixed within 1-2 days.

If I'd given them a month, I feel they would've fixed the issue after a month. If I'd given them a year, after a year.

And it's not like there aren't 10 different labs in my city. It's not like online access to results is critical, either. You can get a printed result or call them to write them down. Yes, it would be tedious, but more secure.

So I should've said from the beginning something like:

> I found this trivial exploit that gives me access to medical data of thousands of people. If you don't want it public, shut down your online service until you fix it, because it's highly likely someone else figured it out before me. If you don't, I'll make it public and ruin your reputation.

Now, would I make it public if they don't fix it within a few days? Probably not, but I'm not sure. But shutting down their service until the fix is in seems important. If it was some hard-to-do hack chaining several exploits, including a 0-day, it would be likely that I'd be the first one to find it and it wouldn't be found for a while by someone else afterwards. But ID enumerations? Come on.

So does the standard "responsible disclosure", at least in the scenario I've given (easy to do; not critical if the service is shut down), help the affected parties (the customers) or the businesses? Why should I care about a company worth $X losing $Y if it's their fault?

I think in the future I'll anonymously contact companies with way more strict deadlines if their customers (or others) are in serious risk. I'll lose the ability to brag with my real name, but I can live with it.

As to the other comments talking about how spammed their security@ mail is - that's the cost of doing business. It doesn't seem like a valid excuse to me. Security isn't one of hundreds of random things a business should care about. It's one of the most important ones. So just assign more people to review your mail. If you can't, why are you handling people's PII?
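
The id-walking IDOR pattern described in this post, as an added example that is not code from the thread or from any of the labs it mentions: a direct-lookup handler beside a hardened one that ties the owner check to the authenticated session, plus a small detector run over constructed access-log lines. The record store, user ids, log format and the `suspected_enumerators` threshold are all assumptions made for the example.

```python
"""Object-level authorization (IDOR) check and a simple enumeration detector.

Added example, not code from the thread or from any lab's portal.
The record store, user ids and log lines are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LabResult:
    record_id: int
    owner_id: int
    summary: str


# Constructed sample data: three results belonging to two different patients.
RESULTS = {
    1: LabResult(1, 42, "CBC: within reference range"),
    2: LabResult(2, 42, "Lipid panel: LDL elevated"),
    3: LabResult(3, 99, "HbA1c: 5.4%"),
}


class NotFound(Exception):
    """Raised for both 'no such record' and 'not yours', so the response
    does not reveal which ids exist."""


def get_result_insecure(session_user_id: int, record_id: int) -> LabResult:
    """The IDOR pattern the post describes: the id from the request is looked
    up directly and the authenticated user is never compared to the owner."""
    try:
        return RESULTS[record_id]
    except KeyError:
        raise NotFound(record_id) from None


def get_result_secure(session_user_id: int, record_id: int) -> LabResult:
    """Hardened lookup: the owner check uses the server-side session identity,
    not anything the client sends, and a foreign record is answered exactly
    like a missing one."""
    result = RESULTS.get(record_id)
    if result is None or result.owner_id != session_user_id:
        raise NotFound(record_id)
    return result


def can_read(session_user_id: int, record_id: int) -> bool:
    """Convenience wrapper around the hardened lookup for callers and tests."""
    try:
        get_result_secure(session_user_id, record_id)
        return True
    except NotFound:
        return False


# Constructed access-log lines: user 42 views their own two results, then
# user 7 walks sequential ids (the "id=1 all the way up" behaviour).
SAMPLE_LOG = """\
2025-01-10T09:00:01Z user=42 GET /results?id=1 200
2025-01-10T09:00:05Z user=42 GET /results?id=2 200
2025-01-10T09:01:00Z user=7 GET /results?id=1 200
2025-01-10T09:01:01Z user=7 GET /results?id=2 200
2025-01-10T09:01:02Z user=7 GET /results?id=3 200
2025-01-10T09:01:03Z user=7 GET /results?id=4 404
2025-01-10T09:01:04Z user=7 GET /results?id=5 404
"""


def suspected_enumerators(log_text: str, threshold: int = 3) -> dict:
    """Return {user_id: distinct_ids_requested} for users who requested more
    than `threshold` distinct record ids. A cheap detection signal, not proof:
    a patient with many results of their own would also trip it, so it belongs
    in review queues or rate limits rather than automatic blocking.
    Parsing assumes the constructed log format above."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that are not in the expected shape
        user = int(parts[1].removeprefix("user="))
        record_id = int(parts[3].rsplit("id=", 1)[1])
        seen[user].add(record_id)
    return {u: len(ids) for u, ids in seen.items() if len(ids) > threshold}


if __name__ == "__main__":
    print("insecure:", get_result_insecure(7, 3))   # user 7 reads user 99's data
    print("secure allowed:", can_read(42, 2), "denied:", can_read(7, 3))
    print("suspected enumerators:", suspected_enumerators(SAMPLE_LOG))
```

The point of returning the same `NotFound` for both missing and foreign records is that a sequential scan then sees no difference between an id that does not exist and one it is not allowed to read, which removes the cheap existence oracle the insecure handler gives away.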

ghostly_s · 15 days ago
> I think in the future I'll anonymously contact companies with way more strict deadlines if their customers (or others) are in serious risk. I'll lose the ability to brag with my real name, but I can live with it.

What you're describing is likely a crime. The sad reality is most businesses don't view protection of customers' data as a sacred duty, but simply another of the innumerable risks to be managed in the course of doing business. If they can say "we were working on fixing it!" their asses are likely covered even if someone does leverage the exploit first—and worst-case, they'll just pay a fine and move on.

ghostly_s commented on Micron Announces Exit from Crucial Consumer Business   investors.micron.com/news... · Posted by u/simlevesque
UncleOxidant · 15 days ago
Wondering if we're going to have a situation in the future where we end up having to buy the hand-me-downs from industry after they're done with them (and thus kind of outdated tech)? Kind of seems like the days of building your own PC are numbered.
ghostly_s · 15 days ago
This is already happening in the NAS HDD space. Prices on new units have been stagnant or rising for a couple years now.
ghostly_s commented on How to Attend Meetings   docs.google.com/presentat... · Posted by u/spagoop
parliament32 · 17 days ago
> I also know that in each and every company I have ever worked for, none of this is going to fly.

My favourite part of climbing the corporate ladder is finally having enough clout to just say "no".

> I have been asking for agendas; I have asked for clarification on what to do to prepare; I have even suggested

Try "I am unable to attend a meeting without an agenda. Let me know when one has been posted." in your decline message. Do you sound like a dick? Yes. Does it work? Also yes, unless you weren't actually required in that meeting, in which case it becomes a self-solving problem.

ghostly_s · 17 days ago
> My favourite part of climbing the corporate ladder is finally having enough clout to just say "no".

Well that's exactly the point: in most orgs, only high-level people are granted the discretion to manage their time this way.

ghostly_s commented on How wealth dies   surplusenergyeconomics.wo... · Posted by u/martinlaz
measurablefunc · 20 days ago
This is a great article. It clearly explains what people like Nate Hagens have been saying for some time now. The real economy is about EROI & materials; money & financial activity cannot change the amount of fossil fuels available for industrial processes regardless of any clever financial engineering.
ghostly_s · 20 days ago
Less an article than an op-ed.
ghostly_s commented on A misplaced wire label caused a power outage on a container ship, the NTSB finds   cnn.com/2025/11/18/us/nts... · Posted by u/mschuster91
ghostly_s · a month ago
I don't follow how the label placement in the graphic could cause a connection issue, unless it slipped down further to interfere with the pin?
ghostly_s commented on ChatGPT terms disallow its use in providing legal and medical advice to others   ctvnews.ca/sci-tech/artic... · Posted by u/randycupertino
Johnny555 · a month ago
While they aren't stopping users from getting medical advice, the new terms (which they say are pretty much the same as the old terms) seem to prohibit users from seeking medical advice even for themselves if that advice would otherwise come from a licensed health professional:

https://openai.com/en-GB/policies/usage-policies/

  Your use of OpenAI services must follow these Usage Policies:

    Protect people. Everyone has a right to safety and security. So you cannot use our services for:

      provision of tailored advice that requires a license, such as legal or medical advice, without appropriate involvement by a licensed professional

ghostly_s · a month ago
I don't think giving someone "medical advice" in the US requires a license per se; legal entities use "this is not medical advice" type disclaimers just to avoid liability.
ghostly_s commented on Firefox profiles: Private, focused spaces for all the ways you browse   blog.mozilla.org/en/firef... · Posted by u/darkwater
bluebarbet · a month ago
Profiles are great. I've used them for years. Much better than containers, which separate your data sort-of-but-not-quite. A profile folder has everything. You can copy it, back it up, plug it into a completely new Firefox installation later.

That portability is a killer feature, but scriptability needs to be improved. The manual says you can do:

>`firefox --profile <path> Start with profile at <path>`

But that will not work as expected if you have more than one profile (which is the whole point). At present the only workable solution is to fiddle with a GUI thru `about:profiles` (or `firefox --ProfileManager`) in order to create the profiles and give them all-important UIDs. And then do:

>`firefox -P <UID>`

It may seem small, but I've found that this is a serious roadblock. I wish it could be fixed so as to make profiles entirely scriptable.

PS: to be clear, after the futzing with the GUI to create the profiles, my script works (well!) at opening windows in the right profile, this way: (1) Check if the given profile is already launched: `ps -eo args | grep -E ".(firefox).(-P $UID)" | grep -v grep > /dev/null` (2) Do `firefox -P $UID --new-instance $url` if it isn't, and `--new-tab` if it is. Inelegant, but very reliable.

ghostly_s · a month ago
Tried containers when it was released but found it very inconvenient to manage. If I understand, this solution doesn't even let you have two profiles open at once? That's even less useful imho.

edit: I use Simple Tab Groups which is far more featureful - "Send tab to [group/container/etc]" for example is table stakes.

ghostly_s commented on Our LLM-controlled office robot can't pass butter   andonlabs.com/evals/butte... · Posted by u/lukaspetersson
ghostly_s · 2 months ago
Putting aside success at the task, can someone explain why this emerging class of autonomous helper-bots is so damn slow? I remember Google unveiled their experiments in this recently and even the sped-up demo reels were excruciating to sit through. We generally think of computers as able to think much faster than us, even if they are making wrong decisions quickly, so what's the source of latency in these systems?
ghostly_s commented on Let's Help NetBSD Cross the Finish Line Before 2025 Ends   mail-index.netbsd.org/net... · Posted by u/jaypatelani
Imustaskforhelp · 2 months ago
> No need to support a vast array of hardware

I hope you understand how unique NetBSD is; it is one of the only systems which can be compiled so easily with just a single script, even from Linux or other systems, and its rump kernel etc. drivers from what I know are (modular?), so they could be used with other kernels as well if any kernel wants, i.e.

You never know where the innovation can be. I feel like each kernel/operating system can bring a new idea; as an example, TempleOS uses HolyC, which basically is just-in-time C (iirc), and that means that you can just edit files of TempleOS and restart and those changes would occur.

I know TempleOS is niche and a meme OS, but I feel like there are a lot of ideas and unique operating systems, and I have heard that NetBSD can be good in giving driver support too.

This is just one of many things, and I feel like the main point of NetBSD and the likes is fundamental hackability; they can run on things like routers as well, although most run OpenBSD/FreeBSD, but still. I don't see a reason not to unless you are speaking monetarily (i.e. it may take some extra funds developing/hosting, but that is chump change), but I feel like NetBSD is a novel project with respectable goals and they aren't going to change just for this.

More options are a good thing. If I can have a project run on NetBSD, then it's very easy to port it over to any other vast array of hardware as well, and that hardware includes extremely embedded hardware as well, I guess.

ghostly_s · 2 months ago
> I hope you understand how unique NetBSD is; it is one of the only systems which can be compiled so easily with just a single script, even from Linux or other systems, and its rump kernel etc. drivers from what I know are (modular?), so they could be used with other kernels as well if any kernel wants

Aren't competing kernels already shipping support for this hardware? Surely the project has to have more selling points than "can be compiled with a single script."

u/ghostly_s · karma 3571 · cake day June 12, 2014