HackerLangs
トップ新着トレンドコメント過去質問紹介求人

grayhatter

2,369 カルマ登録 9 年前
https://gr.ht

[ my public key: https://keybase.io/grayhatter; my proof: https://keybase.io/grayhatter/sigs/j8azbrA5Q7W1ecOwaYaZfMwmWh95MA06i5YpVRIhmno ]

コメント

grayhatter
·2 時間前·議論
a word, or a drow?

But I'd also like a word with them. Or anyone else who might have a suggestion for "required reading". I'd like to think I know better than to use ascii art when it might flow into rtl text, but I wonder what other assumptions I've made that I should be aware are assumptions.
grayhatter
·15 時間前·議論
it is.

If I call your code slop, I'm being professional and courteous.

The truth doesn't have a ethical value. Me calling your code slop might feel disrespectful, but it's less disrespectful than trying to pass slop off for your coworkers (or users) to use and deal with.

Lying to someone, and allowing someone who's supposedly your friend to ship slop is more disrespectful. If I wrote shitty code, and my friend didn't stop me, and I find out later he knew it was shitty code... that would be very hard on our friendship.

Unless you meant it's a lie to call it slop code. A lie would be disrespectful, but then again, we both know you didn't say that because it's not a lie.
grayhatter
·昨日·議論
I built bot detection into the web framework I wrote. It's blocking well over >90% of the abuse.

The secret 3rd option is write some code.
grayhatter
·昨日·議論
Allow me to reframe what I'm trying to say. Depending on how much placation and linguistic sugar you required to tolerate reality; you might need to remember, or think of ark is an asshole, but then so am I. I'm going to speak bluntly and directly, if you shit out shitty code. I'm going to call your code shitty. I will use the word shit. If you're making decisions that follow a clear pattern, especially if I have a problem with that pattern, I'm gonna name it. Naming something by that pattern, might be seen as degrading, or insulting. That's still, not an attack.

It's an uncomfortable observation, wrapped up in an opinion you don't like. I'm sorry reality is uncomfortable for you (rhetorical you), but welcome to the club?

Let me try explaining it with an example: If I wanted to attack someone, I would directly call them, personally an idiot. Or some other clearly directed insult, at who they are as an individual. I wouldn't list, or trash their output, I wouldn't waste time stating I'm grateful for their time or donations.

No, hypothetically, if I wanted to attack someone I'd use the example of the no call no show to the meeting and say: wow Jarred and his team really are shitty people to no call no show on someone like that. I hate a lot of people, but even I wouldn't noshow on them. He sounds like a shitty human.

I wonder if there's something we can all learn about the subject, given everyone is so sure a recounting of facts followed by a conclusion saying literally

"I actually don't have any personal criticisms of Jarred. He has different taste than me, he wants different things out of life than me. But I think he's actually happy and successful exactly where he is. He figured out how to accomplish all the stuff in life that he wants. [...] Honestly, I think he did well for himself, and I don't wish him any ill will."

is so clearly a personal attack? Honestly, if that were me, that would hurt way worse than reading this attack.
grayhatter
·一昨日·議論
> Or maybe he doesn't care, and just wants to attack Jarred?

I've worked with ark enough that I think I've started to learn his default style, or at the very least to know that from him; this isn't an attack. If that was your read, I think you're taking more from sources that aren't this post.

I wonder if you're confusing statements of fact, for attacks? They're distinct, and the context for the post. I'm sure he's been asked a few, hundred, times what's his take on this decision made by this single person.

> Two, I actually don't have any personal criticisms of Jarred. He has different taste than me, he wants different things out of life than me. [...] Honestly, I think he did well for himself, and I don't wish him any ill will.

> That said I'm happy that our business interests are no longer intertwined! As soon as the Internet stops arguing in public about whether the rewrite was good or bad for Bun based on the language choice, I believe that concludes our interactions.

Translation, Jarred posted his thing, so now Andrew "has" to post his thing: hopefully so the internet will stop asking, and he can ignore this shit he doesn't care about, and people will leave him alone long enough that he can get back to spending his attention on his language, which is all he really wants.
grayhatter
·一昨日·議論
It's a losing game to try to keep any FOSS code completely isolated from large scraping data sets. All you can do is never share it, or share it and eventually it'll get consumed by the machine.

Spend your time making better software you and your friends can use... don't waste the time trying to stop others from making another painfully average codegen machine.
grayhatter
·一昨日·議論
That's the reason I left as well. I complained, was told I need to drop the attitude, or leave.

so I left.

must be harder than I think running a src forge
grayhatter
·一昨日·議論
Did you just ask if we could use AI to create new/better honey bees?
grayhatter
·一昨日·議論
Nah, that's on me: I was irked by the feeling that you weren't trying to talk in good faith. I still don't think you're trying to but at least now I'm less annoyed, and can apologize for trying to troll you in my last msg.

Good luck buddy :)
grayhatter
·一昨日·議論
If you run a server using TLS, and that server select Kyber, does the security of the connection depend on Kyber being sound? If I need to trust the security of the connection. I have to trust the server, because the server trusts Kyber, that means I have to trust Kyber, because I have to trust the server.

> you don't have to trust the server

oh, sorry I should have realized this wasn't a conversation anymore
grayhatter
·3 日前·議論
Did you really need me to specify rhetorically speaking? You weren't able to work out that on your own?
grayhatter
·3 日前·議論
> Just because NIST engages in some wholesome activities doesn’t mean that their core purpose isn’t to do the bidding of the NSA.

Their core purpose is to recommend standards that everyone can use, and anyone who wants to work with the US government is expected to follow. They have to pick standards for everything, but can't have experts in everything on staff, so are required to defer to other experts willing to help. The NSA took advantage of them. I find the idea that NIST wants to be a lackey to the NSA, stupid. It's ignorance and incompetence that lead NIST to getting duped by the NSA. The problem is, not getting dupe is literally, their *only* job.

It's like hiring a firefighter to protect you and then they set your house on fire; it doesn't matter so much why you don't have a house anymore... you just sure a hell are never letting him near anything important every again.

You're allowed to treat gross incompetence as equivalent to intentional malice, without needing to make something up about how it was intentional.
grayhatter
·3 日前·議論
My problem is with NIST, your problem is with DJB. Neither of us really want to defend either, (I assume, maybe you do want to defend one of them?) We just disagree which one is more likely to make the world worse.

I'm not taken in by the crazyness on either side, and while if pressed, it's obvious which side I would pick. I'm not so much picking a side, so much as complaining again, how we're letting a group with an earned reputation for being untrustworthy keep secrets about crypto. I hate the whole thing, but that's how little trust I have left in other people. The crazy guy is the on the side I hate less... but what to do?

edit:

> You're making my point for me. Nobody in the whole world is asking for you to take NIST's word for anything.

Literally everyone standardizing on Kyber is asking me to trust NIST, et al, and pay the additional overhead for setting up a TLS connection. I guess you could frame it as they're not asking, because I'm not being physically forced to interact with them... but then I try really hard not to engage with bad faith bait, when I'm able to resist.
grayhatter
·3 日前·議論
I know the backstory. I know there's no real evidence or proof against Kyber's real security, only questions. I've also read the full email threads that I was able to find. Nearly everyone looks like a shithead. I'm sure they're fine people in real life, but there are so many emails that are covered with contempt for the person they're replying to. Trustworthy people don't act like that. > But he's counting on you not knowing any of it. Which is to say: he's preying on your ignorance. It's a bad scene.

I know all of that, I also know I'm years away from the maths to understand the crypto and decide for myself. So, I'm forced to have an opinion because friends and employers will expect me to have one; like them, I'm also forced to operate on trust. Help me with this one? Because my problem is, the only person in the whole scene with ethos is djb. Not a single person in the stack has their name on *anything* that would allow me to trust them given their previous behavior.

So who's the non-deranged person that can put their ego aside, long enough to go point by point down the "deranged man"'s "psychotic rant". Where something everyone who's paying attention can point to and say, djb has stopped taking his crazy pills, here's what reality looks like. Because I went looking for it when I first heard about it, his blog has been linked to from HN many times. But no one has linked to a single other person. I agree with you, the arguments he's making are barely convincing. But one one side, I have a well respected cryptographer (who might want to consider or respond to the accusations he's becoming a bit eccentric) saying hey, y'all are fucking it up. Directly to the people who actively did something ethically inexcusable. Who not only appear to following the exact same pattern as last time, but no one is willing to put their name and time on the line?

What am I supposed to do? Get on board because NIST recommended it already, and there's the RFC for it, so why bother fighting? Just trust the current or next US administration won't do something I object to... like trying to back door crypto... again... I know you'd never actually make that recommendation... well I hope at least. But really; what would you expect me, someone who still trust djb even though his eccentric writing is desperate for an editor, and also, someone who actively believes the people in charge of NIST are ethically questionable. What should I do? where's the evidence that would convince me to switch from believing the guy working to improve foss crypto, to the org with a history of delivering backdoor'd crypto.
grayhatter
·3 日前·議論
I'm not making a falsifiable argument. I'm stating that given their history, and current behavior I don't trust NIST and I don't think anyone else should either. They are keeping secrets around a new crypto system, the last time they did that it was to hide a known-broken crypto system.

The controversy over the PQC is the topic at hand. If they'd selected a cipher that didn't carry the objections of someone who's reputation I trust more than NIST. Then I'd trust NIST's decision, by proxy.
grayhatter
·3 日前·議論
> Incorrect. My argument is that they aren't the same entity.

Did I claim they were the same?

> The thing you said is a whole different argument. "I like waffles" "So you hate pancakes" is happening.

uh.... you started it? What are we even doing? I'm not above this kinda comment, but I kinda assumed you were? I'd be interested if you have a take I haven't considered; but not if we're just going to try to make straw man of the other.

> Yes you are. [required to consider motive]. Why render yourself willfully ignorant? That's not how you arrive at truth.

I'm not looking for a pure truth. I'm just looking for a heuristic that's just functional enough to keep me, and my data safe. I don't even want to make a perfect is the enemy of good argument. I'm just pointing out, where my line is. I lack the maths knowledge, practical experience, fucks left to give, and spoons remaining for the things I want to spend my time one. Evaluating every bit of information I could possibly gather, and witholding and judgement is a cute idea, but I've got better things to do. NIST has in tandem with the NSA, lied, and shipped a broken crypto system. Let's pretend I don't consider that to be permanently disqualifying, resign, stand up a completely new group from scratch, black tag/non-salvageable. They've burned the default good will everyone starts with, and then peed on it for good measure. Now they're hiding information AGAIN?!

Nah, I could waste my time trying to find the objective truth. Or I could give NIST the finger, and say, make the person with the remaining good will and trust and fucks left to spend on NIST happy. Only then come back to me. Until then, I refuse, and for the same reason I refuse to review LLM PRs; I'm trying to do things, and [they] are trying to DoS my brain.

Ideally, you'd stop helping [the them], or answer the remaining objections line by line, and publicly? Then I'd have someone else with enough good will that I can trust. Because NIST is doing the opposite if they want my confidence.
grayhatter
·4 日前·議論
You're argument is that I shouldn't think of NIST as a patsy for the NSA, is because the NSA can't possibly be recommending a compromised cipher, because if they were, that would mean this US government org is horribly defective and dysfunctional, where one side didn't know what the other was doing?

Incentives are basically all I consider when trying to establish true motive. But you're not required to consider motive when there's a history or pattern. Even if "It's the way we've always done it", wasn't a much, much stronger motive than thought/reason is for any human. It's both logical and desired to treat something as the most dangerous until proven otherwise.

I used to be a nurse. I remember when working in the ED, I was taught that every single woman on childbearing age who comes into the ED with abdominal pain is an extopic pregnancy until proven otherwise. If you ask a woman if it's possible she could be pregnant, regardless of the truth, many will claim it's impossible. If you blindly trust them, and delay treatment, you could needlessly kill your patient, or leave them infertile. Why would someone lie and risk that? Or how dare your medical team make assumptions like that? Well the alternative is worse, the reality should be easy to prove.

NIST has a history of recommending broken ciphers. That's not a mistake a professional would ever make. So thinking about incentives, I'm going to treat it like it was intentional. Here the group with a history for fucking up, isn't being transparent. I would love it if NIST would say enough to make DJB happy or at least stop pretending like they deserve any trust anymore.

Until then, I don't find "they're probably behaving like rational actors" compelling enough to trust them with keeping secrets from somebody who I actually do trust.
grayhatter
·4 日前·議論
Because NIST chose it, after non-public input from the NSA. But if I am honest, NIST recommending it at all is enough to suspect it of being compromised. I say that as an American, and my non-american friends equally don't trust NIST on crypto topics.

The real problem I have is best described as I haven't read a single coherent argument responding to and rejecting the real concerns raised by the individual who after nist betrayed the internet with by recommending a compromised standard at the encouragement of the NSA. Is the person who wrote the crypto library everyone uses.

DJB puts his money (time) where his mouth is. I would critique his attachment to his own ego. But I'm in the group of people who haven't contributed enough yet to foss to get to throw stones. So I'll defer to people who can match his contributions. Until that happens, DJB's reputation is cares passionately about crypto and it's community, vs an US government group with a reputation for trying to sabotage crypto systems after passing secrets with the NSA, who refuses to provide details about their most recent secret messages.

I do find some of the arguments and refutations from the mailing lists compelling. But not all the them, and nothing directly from NIST. Equally some of DJB's appear to weaken his points. But like I said, I plan to trust the reputation each party has earned.

NIST has a history of behaving inappropriately, and unethically around it's cryptography recommendations. But the people currently in charge would rather pretend they're above it and not literally directly responsible for the organization with a well earned reputation. If you're given a 2nd chance after your partner catches you cheating, it's a reasonable requirement that you account for every second of your time, until you restore the reputation you destroyed.
grayhatter
·7 日前·議論
My job is to teach students how to get stronger. Instead of forcing them to stack and rerack their own weights, and instead of using the existing university policy against plagiarism, or the existing social contract. I made them sign an additional set of rules where they promise to only use the magic weight lift button when stacking or reracking. I feel that this middle ground is superior: I'd rather sacrifice the subtle exercise benefits of moving relatively light weight in weird ways; that extremely important toward helping prevent injuries, instead of actually dealing with the desire of students (human nature) to get out of the effort that goes into learning.

I have no idea how accurate, or useful that analogy is, but personal intuition tells me it's really close. I also don't envy teachers. I used to teach, so I do understand the position they feel that they are required to adapt into. However, I prefer CS programs that don't encourage people to tolerate non-determinism, or otherwise unpredictable outputs. They're the source of some of the most intractable bugs, one i doubt the next generation of students will be able to troubleshoot correctly if they never learn to solve beginner level bugs without LLM assistance.
grayhatter
·9 日前·議論
> many people misunderstand the purpose of code review

Oooh, I bet including the author? Yeah, right there, he fails to make any qualifications for his statement, making it factually incorrect.

There are plenty of reasons to do code review. If you force me to, I'll define it as information transfer. The point is to have a conversation about the code. To expand both people's understanding about the codebase. Everything on top of that is extra. I've found real and significant bugs doing code review. In large part because I understand the codebase better than the author. That's finding and preventing bugs.

I also read PRs looking for malicious code trying to sneak in, you never know, the person I've called my best friend, someone with opsec better than mine, may suddenly have turned evil and this is the PR where they're finally sneaking in the back door.... that's never happened yet, but fingers crossed!

> As everyone should know by now, it is not in general possible to find bugs by examining the code.

... I'd love to know what the author really meant to write here, because it certainly wasn't this.