HackerLangs
トップ新着トレンドコメント過去質問紹介求人

tux3

9,521 カルマ登録 13 年前

投稿

Hybrid Signatures

keymaterial.net
1 ポイント·投稿者 tux3·4 日前·0 コメント

Guandimiao (Archaeological Site in Henan, China)

en.wikipedia.org
1 ポイント·投稿者 tux3·7 日前·0 コメント

Waiting for PostgreSQL 19 – Add pg_plan_advice contrib module

depesz.com
2 ポイント·投稿者 tux3·3 か月前·0 コメント

Highlights from Git 2.54

github.blog
4 ポイント·投稿者 tux3·3 か月前·0 コメント

Carelessness versus Craftsmanship in Cryptography

blog.trailofbits.com
2 ポイント·投稿者 tux3·5 か月前·0 コメント

コメント

tux3
·7 日前·議論
There is a scale between prise-sensitivity and risk-averseness, from my point of reference large companies are much more risk-averse than they are price sensitive. Of course this will vary, CTOs exist in all sort of different environments.

Price is not the reason people chose AWS. Some companies use Azure. The current startup at $WORK uses yet another smaller Cloud. And yet AWS sill has the clear lead in market share. That's because price is far from the only factor, and not even the main factor.
tux3
·7 日前·議論
>Once Q-Day happens, your only source of security is PQ anyway, so if we're going to do hybrids with today's threat model in mind, PQ+PQ is the way you really want to go

I want to broadly agree but I still can't resist arguing :)

EC is really cheap on the CPU and I trust that libsodium's X25519 is implemented pretty solidly. After Q day, the $ price to break EC is still not negligible.

Whereas PQ+PQ is really expensive. I'm anti PQ+PQ hybrid just on cost. PQ+EC is practically free and still inflicts $'s on attackers after Q day (attacks do get cheaper and you discard the EC at some point, but practically I don't see EC as instantly worthless).
tux3
·7 日前·議論
The large enterprise vendors are not prise-sensitive. They're on AWS because you never get fired for picking AWS, and there isn't really any other choice for these vendors regardless of AWS ripping you off.

At this point S3 is a standard interface. All sorts of cloud providers and open-source projects provide S3. If you're on AWS, price isn't the reason. You pick AWS because you don't see your company taking a risk with anything else.

S3 doesn't mean expensive. AWS does. But AWS users are fully locked-in, they'll pay whatever the price is.
tux3
·7 日前·議論
Yes, your AI agent is making posts. Please stop.
tux3
·7 日前·議論
And notability isn't just for spam, the core difficulty with Wikipedia is that people disagree about what should be written in articles. The site only functions because of a masterful Jiu-jitsu move where we redirect heated arguments about what Wikipedia should say into heated arguments about which Reliable Source to cite.

That's the fundamental underlying reason behind all the rules and all the deletion discussions. It's not that the article isn't important, it's not that the content is wrong or not useful or that we don't want it. It's that Wikipedia would be pure chaos if it let people just write without sources, and the fights over content would never end.

Notability just boils down to "can we find enough reliable sources to write an article we can verify and stand behind?". Just quoting what authors of the topic say about their own work would of course fall a little short of what people expect from an encyclopedia.
tux3
·7 日前·議論
The Satish 2012 study that seems to have started this trend was a small cohort of 22 people split in 6 smaller groups where they also just injected pure CO2 in a small room. There have been several attempts to reproduce, which sometimes found no clear effect, or a significantly smaller effect.

This original study has been used to market these CO2 monitors for years, but the evidence is quite thin and doesn't support a strong effect. It seems likely that there is a small effect, and it has been wildly exaggerated thanks to a small study with N=22.
tux3
·9 日前·議論
Well, it depends. Sometimes in math you do a lot of chipping away at a problem, and eventually a bigger result falls after all the right foundations are built. That seems to describe bottom-up building.

On the other hand when a new high-level concept becomes clear and seems to emerge like a revelation, and people start thinking in terms of those new definitions, it seems that a hundred pages worth of smaller results can fall out of it almost effortlessly. This way of describing it is more top-down.

I don't know that there's an exact parallel with software. Math keeps feeding into itself in a way that software dreams about with our ambitions of code reuse. The old Object Oriented dreams of perfectly encapsulated classes and abstractions partially worked out, but not to the degree that was envisioned.

The current situation with package managers doesn't look like a tower that keeps growing higher and higher levels of abstractions. It looks like a tower where each person wants to place one tiny brick that they call left-pad, and next year we will rebuild the lower levels instead of going higher. So the top-down and bottom-up building that we do is different. We keep rebuilding the bottom, and we don't very much like when the tower of abstractions get too tall and hard to reason about.
tux3
·9 日前·議論
Well, it depends. Sometimes in math you do a lot of chipping away at a problem, and eventually a bigger result falls after all the right foundations are built. That seems to describe bottom-up building.

On the other hand when a new high-level concept becomes clear and seems to emerge like a revelation, and people start thinking in terms of those new definitions, it seems that a hundred pages worth of smaller results can fall out of it almost effortlessly. This way of describing it is more top-down.

I don't know that there's an exact parallel with software. Math keeps feeding into itself in a way that software dreams about with our ambitions of code reuse. The old Object Oriented dreams of perfectly encapsulated classes and abstractions partially worked out, but not to the degree that was envisioned.

The current situation with package managers doesn't look like a tower that keeps growing higher and higher levels of abstractions. It looks like a tower where each person wants to place one tiny brick that they call left-pad, and next year we will rebuild the lower levels instead of going higher. So the top-down and bottom-up building that we do is different. We keep rebuilding the bottom, and we don't very much like when the tower of abstractions get too tall and hard to maintain.
tux3
·10 日前·議論
For complex recipe graphs beyond vanilla train routing is also way more efficient. You get to reuse the same rail network, and sometimes not have to route dedicated belts for 6 low throuput ingredients from all over the map

I feel like a lot of the challenge in early Pyanodons is place-and-route and belt congestion. Unlocking trains feels amazing. They're definitely optimal for a lot of recipes in that mod I think
tux3
·11 日前·議論
Spruce up is unreasonably charitable. I'm more irritated that the authorship information is misleading. craig-kerstiens is not available on Huggingface, and yet not a single sentence in this article seems to have been typed on a keyboard.

When Claude writes things like "as someone who has spent a lot of time doing X", I think this is also a kind of failure of alignment. LLMs shouldn't write as if they had personal experience. It's something a person might say in the training data, but I just think LLMs shouldn't claim life experience they don't have, even if that's a statistically likely sequence of tokens.
tux3
·11 日前·議論
Or in the case of my poor Verilog, even very short pipelines :(
tux3
·13 日前·議論
>And of course, how do you know all the postings on your site are actually fully factual and not exaggerated in any way?

You don't, but you smile and just delete the content. And then you've done your part as a platform. You're very happy to delete things when notified, and you do it promptly. Then you get to publish a very factual transparency notice.

Someone will have archived the page already? Social media is upset when they hear that the big company tried to attack the small independent site to take down this page that They Don't Want You To See? That's out of your hands, you're a neutral platform and you've done your part.

You just need to fold immediately, and you're covered by all the safe harbor neutral platform protections. Same as forums, social media, any website with user-generated content.

Now that won't stop an asshole from suing you over frivolous nonsense. But it does make it easy to throw their suit away - like you said, if you have the spite and money to follow through with a defense.
tux3
·13 日前·議論
Same way any other website with user-generated content deals with it. The website has broad immunity as a platform, but is expected to take down content that would be illegal when notified.

Random people on the Internet have been at it long enough that there is plenty of precedent to establish that you can safely host a platform. But then again, I am not a lawyer, I am not your lawyer, and for legal reasons this is not the legal definition of legal advice, etc.
tux3
·13 日前·議論
Sounds like a Streissand effect waiting to happen. Besides, IANAL, but I'm sure plenty of people here could find a lawyer to file for an easy anti-SLAPP defense.

Factual statements about bad employers are very much free speech. Judges aren't particularly fond of frivolous lawsuits. There are already mechanisms in place to quickly throw those away without wasting everyone's time and money.
tux3
·16 日前·議論
Mathematicians in academia are paid a little less than AI researchers. Companies are willing to pay billions to steal the few people capable of driving development of frontier LLMs from each other. Cryptographers don't quite enjoy the same popularity.
tux3
·18 日前·議論
>1- Separation of powers between rulemakers and judges. In practice many Administrators who have the power to enforce rules and bans are actually editing articles themselves!

Separation of judge and party is enforced pretty consistently, it is official policy that people shouldn't participate in a decision if they were involved in the kerfuffle in any way. You can edit articles and enforce rules, as long as these are separate. And then, rules can be proposed by anyone, but they're not just created on the fly because it's convenient. That would obviously be objectionable.

In fact this isn't limited to admins, regular users have the power to decide on a ban. An administrator is only needed to close and enact the decision, and this is what happened to Larry Sanger here.

>The only exception are protected articles, in which case administrators can emit an official ruling on what the article content should be.

Admins don't have a special power to decide what should be in important protected articles. It is not like a government where people are elected, and then citizens don't have any say until the next election.

The community tries to reach a consensus, and admins are part of the community. They get an input like everyone else plus special powers to enact decisions. But any "ruling" better reflect consensus, or you better bet you will wake up to the Noticeboards on fire with about 50,000 words of heated complaints and discussion.
tux3
·18 日前·議論
What a lot of games do is run a strictly deterministic simulation in lockstep. Then you don't save the path of every unit, you save one move command for the whole group. Then the game replays inputs, and the pathing algorithm should give the same result if there are no desyncs.
tux3
·21 日前·議論
I haven't dug into the native helper to see how much it checks, I can believe that ChromeOS does full remote attestation. If it's anything like Android Play Integrity, there's not a lot of flexibility without hardware exploits.

But who outside of Google is running exclusively ChromeOS? My impression from looking at the JS part is that it's mostly obfuscation, with the possible exception of ChromeOS.

I feel like the secure connect client being closed source would have been an effective deterrent 5 years ago, but these days everyone's throwing LLMs at everything. So an attack that would have taken effort doesn't present nearly as much of a barrier anymore. At least as long as there remain some platforms that don't enforce full attestation...
tux3
·21 日前·議論
CAA is completely based on trust, it's not one of the most powerful security feature. It's completely voluntary reporting by the browser, and any attacker who cares can just lie without issues.

You can make Firefox pass CAA if you want. You take the Chrome "SecureConnect Reporting" (Context-Aware Access) plugin, port it to Firefox with some light changes, and you can report whatever you want to CAA.
tux3
·26 日前·議論
Modern VPNs based on wireguard can do direct connections with hole punching. It's just a lot more work to setup on your own, or you have to sign-up to a SaaS like tailscale and use their relays, and they'll do the hole punching for you.

Here this is a decentralized network with a lot of existing public relays. But in principle a VPN can solve a lot of the same problems. It's just that commercial VPNs are not decentralized, and doing your own wireguard setup is a pain.