Readit News
oofbey commented on Log level 'error' should mean that something needs to be fixed   utcc.utoronto.ca/~cks/spa... · Posted by u/todsacerdoti
georgefrowny · 3 hours ago
Easy to say, but there's "yes we know this is wrong but this will have to do for now" and "we don't expect to see this in real life unless something has gone sideways".
oofbey · 3 hours ago
At scale the rare events start to happen reliably. Hardware failures almost certainly cause ERROR conditions. Network glitches.

Our production system pages oncall for any errors. At night it will only wake somebody up for a whole bunch of errors. This discipline forces us to take a look at every ERROR and decide if it is spurious and out of our control or something we can deal with. At some point our production system will reach a scale where there are errors logged constantly and this strategy doesn't make sense any more. But for now it helps keep our system clean.

oofbey commented on Pure Silicon Demo Coding: No CPU, No Memory, Just 4k Gates   a1k0n.net/2025/12/19/tiny... · Posted by u/a1k0n
xphos · 3 hours ago
As a computer science guy who interlopes in computer engineering I really want to find time to build something cool like this and tapeout. The retro architectures for rendering are simple but fun! I love the project
oofbey · 3 hours ago
It’s amazing and wonderful to see the Internet support these tiny cliques of interest. Having everybody connected leads to homogenization of culture in some ways, but it also supports these couple dozen (?) people around the world finding each other for this amazing little competition.
oofbey commented on Using AI Generated Code Will Make You a Bad Programmer   unsolicited-opinions.rudi... · Posted by u/speckx
crimsoneer · a day ago
I think this is a slightly silly take.

Yes, taking the bus to work will make me a worse runner than jogging there. Sometimes, I just want to get to a place.

Secondly, I'm not convinced the best way to learn to be a good programmer is just to do a whole project from 0 to 100. International practice is a thing.

oofbey · a day ago
Using a compiler will also make you much worse at writing assembly code. Doesn’t bother me at all. Haven’t written any assembly since the 20th century.
oofbey commented on 1.5 TB of VRAM on Mac Studio – RDMA over Thunderbolt 5   jeffgeerling.com/blog/202... · Posted by u/rbanffy
chis · 2 days ago
I wonder what motivates apple to release features like RDMA which are purely useful for server clusters, while ignoring basic qol stuff like remote management or rack mount hardware. It’s difficult to see it as a cohesive strategy.

Makes one wonder what apple uses for their own servers. I guess maybe they have some internal M-series server product they just haven’t bothered to release to the public, and features like this are downstream of that?

oofbey · a day ago
Blog posts like this one are great marketing.
oofbey commented on 1.5 TB of VRAM on Mac Studio – RDMA over Thunderbolt 5   jeffgeerling.com/blog/202... · Posted by u/rbanffy
daft_pink · a day ago
The next Mac studio is going to be a top seller. I don’t think people want to drop $10k on a few M3s, but I think they will do it for the M6. Just hoping the DRAM shortage doesn’t ruin this plan.
oofbey · a day ago
Apple always charges a huge premium for RAM. Maybe it’s enough to buffer their pricing scheme from the supply shock. I have run the numbers though.
oofbey commented on Testing a cheaper laminar flow hood   chillphysicsenjoyer.subst... · Posted by u/surprisetalk
ProAm · 4 days ago
lol I wanted hood of a car flow. This is cool, but not that cool
oofbey · 4 days ago
I always thought these hoods were for sucking away germs or fumes so they didn’t get out into the room. Nope. That’s backwards. Trying to keep the sample clean here.
oofbey commented on AIsbom – open-source CLI to detect "Pickle Bombs" in PyTorch models   github.com/Lab700xOrg/ais... · Posted by u/lab700xdev
rafram · 4 days ago
> It looks for GLOBAL or STACK_GLOBAL instructions referencing dangerous modules like os.system, subprocess, or socket.

This seems like a doomed approach. You can’t make a list of every “dangerous” function in every library.

oofbey · 4 days ago
Agree an explicit block list is not very robust. I imagine the vast majority of legit ML models use only a very limited set of math functions and basically no system interaction. Would be good to fingerprint a big set of assumed-safe models and flag anything which diverges from that.
oofbey commented on AIsbom – open-source CLI to detect "Pickle Bombs" in PyTorch models   github.com/Lab700xOrg/ais... · Posted by u/lab700xdev
lab700xdev · 4 days ago
Hi HN,

I’ve been working with ML infrastructure for a while and realized there’s a gap in the security posture: we scan our requirements.txt for vulnerabilities, but blindly trust the 5GB binary model files (.pt) we download from Hugging Face.

Most developers don't realize that standard PyTorch files are just Zip archives containing Python Pickle bytecode. When you run torch.load(), the unpickler executes that bytecode. This allows for arbitrary code execution (RCE) inside the model file itself - what security researchers call a "Pickle Bomb."

I built AIsbom (AI Software Bill of Materials) to solve this without needing a full sandbox.

How it works:

1. It inspects the binary structure of artifacts (PyTorch, Pickle, Safetensors) without loading weights into RAM.
2. For PyTorch/Pickles, it uses static analysis (via pickletools) to disassemble the opcode stream.
3. It looks for GLOBAL or STACK_GLOBAL instructions referencing dangerous modules like os.system, subprocess, or socket.
4. It outputs a CycloneDX v1.6 JSON SBOM compatible with enterprise tools like Dependency-Track.
5. It also parses .safetensors headers to flag "Non-Commercial" (CC-BY-NC) licenses, which often slip into production undetected.

It’s open source (Apache 2.0) and written in Python/Typer. Repo: https://github.com/Lab700xOrg/aisbom Live Demo (Web Viewer): https://aisbom.io

Why I built a scanner? https://dev.to/labdev_c81554ba3d4ae28317/pytorch-models-are-...

I’d love feedback on the detection logic (specifically safety.py) or if anyone has edge cases of weird Pickle protocols that break the disassembler.

oofbey · 4 days ago
Thanks for starting to address the gap. When would this tool be best used? As a post commit hook? In the CI/CD chain? At runtime?
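
The opcode inspection described in the "How it works" post, combined with the allowlist idea raised in the earlier AIsbom thread, sketched as an added example: this is not AIsbom's code or part of any comment. The function names and the allowlist contents are assumptions, and STACK_GLOBAL operands are resolved with a simple last-two-strings heuristic.

```python
import io
import pickle
import pickletools
import subprocess
import zipfile
from collections import OrderedDict

# Illustrative allowlist (an assumption, not AIsbom's list): globals a plain
# tensor checkpoint is expected to reference.
ALLOWED = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
}

def referenced_globals(data: bytes) -> list[str]:
    """Statically list 'module.name' imports in a pickle stream; never unpickles."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            # pickletools reports the operand as "module name", space separated.
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            # Operands come from the stack. Heuristic: use the two most recent
            # string pushes; if there are fewer than two, report it unresolved.
            pair = strings[-2:]
            found.append(".".join(pair) if len(pair) == 2 else "<unresolved>")
        elif isinstance(arg, str):
            strings.append(arg)
    return found

def unexpected_globals(data: bytes, allowed=ALLOWED) -> list[str]:
    """Return every referenced global that is not on the allowlist."""
    return [g for g in referenced_globals(data) if g not in allowed]

def scan_archive(blob: bytes, allowed=ALLOWED) -> dict[str, list[str]]:
    """Scan each .pkl member of a zip-format checkpoint held in memory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: unexpected_globals(zf.read(name), allowed)
                for name in zf.namelist() if name.endswith(".pkl")}

# Constructed samples: bare references only, never passed to pickle.loads().
BENIGN = pickle.dumps(OrderedDict(weight=[0.1, 0.2]), protocol=4)
LEGACY = b"cos\nsystem\n."                           # protocol 0, GLOBAL opcode
MODERN = pickle.dumps(subprocess.Popen, protocol=4)  # protocol 4, STACK_GLOBAL

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("legacy", LEGACY), ("modern", MODERN)):
        print(label, unexpected_globals(sample))
```

Anything outside the allowlist is reported, so a callable nobody thought to put on a block list is still flagged; the cost is that the allowlist must be extended for each legitimate model format.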
oofbey commented on Linux Sandboxes and Fil-C   fil-c.org/seccomp... · Posted by u/pizlonator
oofbey · 7 days ago
Nit: The word “orthogonal” should not mean merely “different”. It should mean “completely unrelated” if we are drawing a proper analogy from linear algebra. Orthogonal vectors have a dot product of zero. No correlation whatsoever. As ML and linear algebra terms spread to more common language of course the terms will change their meaning. Just as “literally” now often means “figuratively”. I’m not going to die on this hill. But I will try to resist degradation of terms that have specific technical meaning.

So I would very much disagree with the statement that memory safety and sandboxing are orthogonal. They are certainly different. Linearly independent even. But with a fair amount of overlap.

oofbey commented on The highest quality codebase   gricha.dev/blog/the-highe... · Posted by u/Gricha
maddmann · 9 days ago
Ah true, that also can happen — in aggregate I think models will tend to expand codebases versus contract. Though, this is anecdotal and probably is something ai labs and coding agent companies are looking at now.
oofbey · 9 days ago
It’s the same bias for action which makes them code up a change when you genuinely are just asking a question about something. They really want to write code.

u/oofbey

Karma: 602 · Cake day: December 15, 2020