HackerLangs
TopNewTrendsCommentsPastAskShowJobs

wahern

17,834 karmajoined قبل 12 سنة

Submissions

Sudo-Rs Affected by Multiple Security Vulnerabilities

phoronix.com
10 points·by wahern·قبل 8 أشهر·6 comments

comments

wahern
·قبل 13 ساعة·discuss
Nobody in Ukraine is separated from the carnage, least of all the soldiers. The value in the points system is in communicating target priorities down the line. It's just another technological improvement in the vein of, say, the radio. All technological improvements will seem to have the effect of dehumanizing people. But war is fundamentally dehumanizing. In fact, for most soldiers dehumanizing the enemy is a necessity, because otherwise they can't pull the trigger. The dehumanization to be worried about is the dehumanization of people from the perspective of non-combatants, especially those isolated from the war, like Americans.

Where technology creates greater moral hazards in war is when it helps insulate the leadership and population from the consequences of war, and so lowers the sociological and political costs to violence. In that sense having a professional rather than conscripted army should be much more morally repugnant than e-points. Again, no one in Ukraine is isolated from consequences in any meaningful way.

The Ukraine War is the most televised war in history. Especially in the beginning I forced myself to watch the videos, just so I wouldn't get lost in abstraction. The human suffering is gut wrenching. You can watch men getting shredded down; soldiers embracing each other in fear and helplessness moments before they're killed or maimed. Debates over e-points, to me, reflect a failure to appreciate the reality, a reality which is only hidden from one's view by choice. (After a few videos that left me crying, I figured I saw enough to ensure I was dutifully more engaged with the reality than the typical non-veteran at a comfortable remove.)

If anything drones and the necessity of having to record a kill for "points" is arguably an improvement over traditional aerially bombardment. Being forced to watch people injured and killed comes with a greater cost, even for veteran soldiers. On HN we take for granted that, e.g., Facebook employees forced to sift through child porn continually pay a price no matter how long they've been at the job, yet seem to assume soldiers watching a drone video feed feel no different than playing a video game. That perspective betrays a certain callousness that is in some respect even more worrisome than these technological advancements on the battlefield.
wahern
·قبل 16 ساعة·discuss
The point was just that gameification is just a modern word that doesn't reflect any change in behaviors. Presumably you were familiar with these practices under previous descriptors. And your moral objections would have been shared by many millions before you, long before gameification was coined.

On the other side of the coin to thinking there's something new about the way war is waged are the people who think they can wage war without the same consequences as befell nations before. It's fundamentally the same err, IMO. So I take moral objection to the pretense that there's something morally novel to criticize. This stuff is what happens in war, always. And things can get way worse than this, and will get worse the longer we tolerate open hostilities among nations.
wahern
·قبل 16 ساعة·discuss
Temporal API seems to be based around Unix/POSIX timestamps, which ignore leap seconds. In Unix time a day is always 86400 "seconds". This makes it trivial to do UTC calendar arithmetic into the past and future without recourse to a database and without necessarily having to deal with fractional seconds. Leap seconds are handled by the OS by repeating or skipping a second, or slewing the length of a second for some period before and after the leap second.

Most datetime APIs are fundamentally designed and intended for supporting calendar and wall clock operations for business functions. If you need SI seconds for scientific purposes, you really need to use alternative APIs and facilities that provide and guarantee the semantics required all the way down to the hardware level. Likewise, if you want timers, etc, for software facilities like thread sleeping, you use dedicated interfaces like monotonic clocks. If leap seconds are phased out, this won't really change the situation. It was wrong for software to rely on Unix timestamps for, e.g., mutex algorithms before and it'll be wrong if and when leap second clock adjustments are gone.
wahern
·قبل 17 ساعة·discuss
There's nothing new about earning "points" for kills. Warriors have always tallied their kills and displayed their numbers, e.g. https://en.wikipedia.org/wiki/Victory_marking or https://en.wikipedia.org/wiki/Scalping, though the rewards were typically accolades, and only indirectly access to more materiel.
wahern
·قبل 18 ساعة·discuss
To the extent Xi Jinping isn't seriously interested in invading Taiwan (and that seems dubious), he still needs to keep the PLA and other factions thinking he does. Reclaiming Taiwan is a pillar of PLA ideology and strategic doctrine. PLA culture is why China has never forced its will in North Korea despite continued disobedience to Beijing--the old guard in the PLA feels honor bound to defend North Korea's independence, rather than making it a client state, which it easily could do. It's similar to defense policy hawks in the US regarding Middle East intervention, who have nominally always been a minority faction. Perennial Middle East intervention never made much sense, and yet it keeps happening over and over, even when the military is woefully unprepared (e.g. Iran), because that faction is adept at manipulating defense policy, and has been playing the same long game since the 1990s. Which is precisely why the Taiwan threat is real. China isn't a political monolith, and the forces pushing to invade Taiwan, even if presently held at bay, could succeed in a blink of an eye, even without China being properly prepared for a successful invasion.
wahern
·قبل 3 أيام·discuss
According to https://openai.com/index/patch-the-planet/

Linux: 24 LPEs, plus many additional vulnerabilities.

OpenBSD: 1 LPE.

FreeBSD: 7 LPEs, plus many additional vulnerabilities.

Not sure what that says, though. Perhaps the models are more likely to find Linux issues because of the training.
wahern
·قبل 3 أيام·discuss
> A state of affairs you can thank the US for.

Egypt was a military dictatorship long before they were American allies. You can thank Nasser for that. Repproachment with Egypt in the 1970s was a diplomatic effort to stop the fighting between the Arabs and Israel, and to win over a Soviet ally.

The US supported the democratic movement and even helped ease the way. In fact, alot of Middle Eastern countries are still resentful for American support of the Arab Spring. But it couldn't stop, and admittedly wasn't particularly interested in stopping, the regression back to a military dictatorship in Egypt given the elected president was about as democratic as Turkish president Erdogan. But it never intervened, AFAIU, because while dysfunctional, Egypt is relatively stable from an international perspective and a reliable-enough American ally either way.
wahern
·قبل 8 أيام·discuss
I don't understand the conflation of multiplexing and multicasting. Are we talking about the same multicasting? (https://en.wikipedia.org/wiki/IP_multicast)

Regarding QUIC CPU load, at least as of a year or two ago it's demonstrably greater then TCP+TLS. Even Google's own numbers showed higher server-side load of up to 10%, IIRC. QUIC has to do all the same work (QUIC libraries embed the same congestion control and stream management logic as TCP, even using slightly modified versions of BBR, CUBIC, etc), and then some. More over, both TCP stream management and TLS are often offloaded to the NIC, and QUIC support isn't nearly as mature there. Even with vanilla NICs, high-performance application servers use kTLS. Unless your QUIC userland stack is DMA'ing raw packets directly to and from the NIC, QUIC is doing more work.
wahern
·قبل 9 أيام·discuss
Yes and no. Had there been more demand it would still be around, of course. But one of the reasons (albeit a lesser reason) there wasn't much demand was because of the antiquated engine tech. The poor A380 fuel efficiency competitiveness had less to do with it having 4 engines than that those engines were 1990s tech, same generation as on the 777, despite the first delivery of the A380 being more than 10 years after the 777. The 787 and A350 were favored by the industry not only because of point-to-point, but because their engines had far better fuel efficiency. (Even at the same generation, ETOPS aircraft would have slightly better fuel efficiency, but maintenance and overall operational cost is significantly higher because of the power envelop and reliability margins required, keeping the quadjet A380 cost competitive.)

Both Airbus and Emirates were willing to keep the A380 alive. Emirates was making money on it, and Airbus believed the market would eventually turn as airports reached takeoff/landing capacity. But Emirates wanted upgraded engines, so for several years there were negotiations between Emirates & Airbus on the one hand, and the big 3 engine makers on the other. IIRC, circa 2018 Emirates & Airbus were very close to a binding agreement with Rolls-Royce for an upgraded engine, but then Rolls-Royce faced costly issues with its existing programs. At the same time, prospective investment in the engine industry had already started winding down, and Rolls-Royce didn't want to be spending cash on a new program while GE and Pratt & Whitney were passing through profits to shareholders. So in 2019 Rolls-Royce walked away, and shortly thereafter (weeks if not days), Airbus and Emirates agreed to terminate the A380.

It's difficult to find non-paywalled sources, but see, e.g., https://www.forbes.com/sites/michaelgoldstein/2018/10/16/is-...
wahern
·قبل 9 أيام·discuss
> I think a lot of the jet engine manufacturers are seeing this same corporate rot process, the number of high profile scandals across the industry and reports of insiders on how the number crunchers are taking over the business are strangely reminiscent of what we heard out of Boeing and Intel.

And there's the opening for China. The 90s and early 2000s saw alot of innovation by engine manufacturers. Boeing and Airbus built their planes around the next generation of engines coming out. But over the past 10 or so years all the major engine manufacturers decided to stop investing in new civilian engines and maximize their dividends on existing models. That's what killed the A380--the A380 engines are 90's tech, and all the engine manufacturers declined to build a new engine for an upgraded A380, not even one that utilized the current tech, and not even if Airbus backstopped potential losses.

So now is probably the best time since the 1980s for China to play catch-up. But the biggest problem is as you pointed out--engines and airframes are developed together, and both Airbus and Boeing also decided to stop new aircraft development and instead coast and reap dividends for the next decade or two, so there's no market for China to break into. There's still development happening in the defense space, but that's not a market open to China, either. Their only potential market is primarily domestic, and it's not capable of incentivizing and demanding dogged innovation in the same way the international market could.
wahern
·قبل 9 أيام·discuss
Weapons systems like the Tomahawk and HIMARS are continually evolved, especially the electronic systems like navigation and command+control. The iteration isn't nearly as fast as in other industries, but the modern incarnations are not 30+ years old, AFAIU, old stockpile notwithstanding.

That's also why they're so damned expensive, and why it's difficult for upstarts to break into the market with cheaper alternatives. Like any tech company, once they get the customer locked into a platform they're constantly pushing upgrades to both stay technologically competitive and, more importantly, keep their margins high.
wahern
·قبل 9 أيام·discuss
I couldn't find any evidence Google pushed QUIC with the aspiration of utilizing IP multicast.

In 2022 an RFC for adding multicast support to QUIC was published, but backed by Akamai, not Google. And of course the RFC has the caveat that it would only be useful over multicast networks, e.g. edge servers colocated at an ISP. It seems this effort has picked up some steam over 2025 and 2026.

But I didn't look too hard. Can you share sources?
wahern
·قبل 9 أيام·discuss
They claimed and showed QUIC slightly-to-moderately reduced latency, particularly for mobile. This benefits Google by loading pages with third-party content, i.e. ads, faster.

But QUIC significantly increases CPU utilization on servers, at least the widely used userland stacks do. Unless/until Google deploys QUIC in the kernel (or puts the whole network stack in userland, a la DPDK), this won't change.

The multicast claim is kinda bizarre. I can see how QUIC could help eliminate UDP client barriers, but those barriers pale in comparison to multicast. Multicast routing just doesn't exist on the Internet; it's only supported within some independent, typically small networks. Most ISPs don't support it. Wherever you could manage to distribute content with multicast, you'd necessarily also be resolving the collateral routing problems which QUIC support resolves, whereas even ubiquitous QUIC doesn't materially improve the multicast situation.
wahern
·قبل 10 أيام·discuss
AMD Versal XQR chips are RAD tolerant, at least according to the marketing material. See https://www.amd.com/en/products/adaptive-socs-and-fpgas/vers... and https://www.amd.com/content/dam/amd/en/documents/solutions/a... ("The space-grade (XQR) AMD Versal adaptive SoCs continue the AMD tradition of full radiation tolerant"). These are SoCs built around ARM Cortex-A72 and -A78 cores manufactured using modern 7nm processes.
wahern
·قبل 14 يومًا·discuss
I don't think it's comprehensible at the individual level, but at population scales even the worst leaders tend to maintain a sizeable level of support. Trump and Chavez have alot in common[1], and nearly half of Venezuelans still supported Chavez at the end, when Venezuela had already been wrecked. Even Maduro had double-digit support in the last election (nominally 30% but probably less in reality). Cult of personality is a powerful thing, and can linger even after the personality is gone. I wouldn't expect MAGA to disappear overnight.

[1] Does this sound familiar? https://www.caracaschronicles.com/2003/12/03/the-cornered-na...
wahern
·قبل 14 يومًا·discuss
If you're worried about infringement, register your work with the US copyright office. You can only get monetary and statutory damages if the work was registered before infringement, otherwise you can only get an injunction. But you can't even file a claim in court to request an injunction without first registering the work. Basically, while copyright nominally attaches at creation, without a certificate you can't press any rights in court.

You don't need to register each release, so long as a material portion of the registered work exists in subsequent derivative works.

Without a registration threats of a copyright dispute are mostly noise to someone savvy enough to know how the game is played. If they think you'll persist they can just replace the infringing work or cease distribution, which is a hassle but not a significant deterrence for bad faith actors.
wahern
·قبل 15 يومًا·discuss
Elections are audited as a matter of course. In California every election is audited after the fact, in addition to observers (including from the different parties) wherever voting, tabulating, and auditing occurs. Here's the bill of rights for election observers: https://www.sos.ca.gov/administration/regulations/current-re... They have access to everything.

Claims of fraud generally come from either people who have no experience with elections (and apparently don't care enough to get involved), or wish to sow uncertainty and doubt in their self-interest.

Sometimes auditors make complaints, but those complaints are a far cry from the accusations thrown around in public discourse. More often election officials themselves make recommendations to improve things--usually efficiency related--but the discourse is so heated legislatures often don't want to get involved, or if they do it's to appease some political faction, not to address the mundane issues that actually need addressing.

If you're so worried about election fraud, get involved. There aren't any barriers. Heck, in some places you can easily volunteer to host a voting place. Some years we get flyers to ask if we want to host, but usually the only house on our block who offers is the same one down the block.

What I don't get is the conspiratorial minded folks who make accusations, but demand other people fix whatever imagined problem exists. How can you trust the new system any more if you're still a keyboard warrior? It makes no sense. The public is locked out of direct involvement with most machinations of governance, but elections are one of the few areas where you're free to get involved at almost every level with minimal, even zero friction.
wahern
·قبل 17 يومًا·discuss
The parent comment seemed to insinuate that if the risk of injury from taller front-ends was substantially greater, it would be noticeably apparent in insurance premiums. But because of policy limits, that's not necessarily the case, and becomes less likely to be the case as the cost of medical care and damages awards stemming from pertinent types of collisions grow, to the extent they grow faster than typical policy limits.
wahern
·قبل 17 يومًا·discuss
> astronomical insurance payouts for accidental child death.

There's no such thing. Standard automobile insurance policies cap injury liability in the low 5 figures. If you cause an accident and someone is seriously injured, there's a good chance you'll be personally liable for the majority of damages. Ditto property--you total someone's $100,000 Mercedes and you're likely going to be paying money out-of-pocket.

If you have any significant assets it's worthwhile to buy an umbrella policy.
wahern
·قبل 17 يومًا·discuss
The first birth is invariably the most difficult (longer, more painful), and the most difficult to recover from regardless of epidural. You can't at all compare the experience of a second birth without an epidural to the first birth with an epidural.

Also, it can be difficult for women to remember the finer details of the pain because the hormones after birth specifically function to cause a kind of amnesia. (The hormonal effect on memory isn't unique to pregnancy or women, it's just rarely so pronounced as at child birth.)

We've had two kids, the first my wife had an epidural (after rejecting it twice before expressly demanding one unprompted), the second without. The first birth lasted, IIRC, over 20 hours at the hospital (not counting initial time spent at home), and we had long conversations with various maternity nurses and our doula about women's experience with child birth. The hospital's nurses were on strike so our nurses were from around the country with experience with all different kinds of hospitals and populations.