HackerLangs
TopNewTrendsCommentsPastAskShowJobs

hnlmorg

11,620 karmajoined há 11 anos
Developer / Sysadmin / Geek

Author of murex (https://github.com/lmorg/murex, alt DevOps $SHELL). Contributor to open source. Also works on a few proprietary projects too.

Submissions

Martin Richards, British Computer Scientist, Creator of BCPL

en.wikipedia.org
4 points·by hnlmorg·há 9 meses·1 comments

comments

hnlmorg
·ontem·discuss
That seemed to be a common theme for games in America even into the 90s. Just looks at the games approved by Sega of America vs Sega of Japan
hnlmorg
·ontem·discuss
It’s actually quite easy in most cases:

1. You can generally get a feel for the intent by the developers reputation.

2. Look at the code that changed as part of the same commits. Eg was the vulnerable code included as part of the same commits as an unrelated change elsewhere in the codebase? If the latter then that’s hugely suspicious.

3. How is that vulnerability encoded? Eg is a bug parsing logic that was discovered via fuzzing? Or is it obfuscated code? Clearly the latter demonstrates intent.

4. What’s the nature of the vulnerability? Is it simply a dumb unhandled bounds or allocation error in C? Or is there an entire path of code that opens network ports? The latter also demonstrates intent.

5. How did the authors behind the vulnerable code react to the big report? Did they rush a patch out? Write more robust tests? Work with the community? Was there any transparency? Or was the issue quietly brushed over? This is least reliable indicator but it does demonstrate trustworthiness.

With these and other indicators you can build a body of evidence that can make an argument for or against a particular vulnerability being malicious. And while I do agree that in some cases it isn’t going to be clear cut, in most cases the evidence, or lack of, will be enough to justify an opinion.

The key part of my earlier statement being “beyond reasonable doubt”. Ie I’m not talking about a mathematical proof here.
hnlmorg
·anteontem·discuss
It’s more the other way around: the first Mario game was a Donkey Kong game.

The user avatar is only “Mario” in appearance. He was called “Jump Man” in that game and even his outfit colours differed from the Mario games that followed.
hnlmorg
·anteontem·discuss
> I assume it's probably a software bug, they assume it's an exploit.

They're not mutually exclusive.

I suspect you and the security team are arguing the same thing but with different terminology.

When vulnerabilities (which, in the vast majority of cases, are accidental) are published, or when static analysis tools review code, you'll get a description and a severity score. That description will broadly describe how, if possible, that vulnerability can be exploited.

Working for an in-house security team basically just means you're a risk assessor. And the way you assess risks is to look at the potential consequences of those risks. Which means looking at how bugs can be exploited.

But none of this means those vulnerabilities were placed in the code intentionally and with malice. It just means that someone else who is malicious could, theoretically, exploit those vulnerabilities. And if the risk of that is greater than the risk appetite of the business (as will typically be the case), then they'll feedback to you that there is an exploitable vulnerability that you need to patch.
hnlmorg
·anteontem·discuss
> It's because you (like me) aren't quite as paranoid as security people are.

I work heavily with security-conscious clients where vulnerabilities would be catastrophic. And we are talking high profile clients that are juicy target for attacks.

My experience is still that the vast majority of vulnerabilities are accidental rather than due to malice.

And when I say “vast”, I mean the so heavily slanted in favour of “unintended” that it’s not even comparable.

> It's really a matter of context. Security people tend to only be involved when things are already nefarious

I’m guessing you’ve not worked with many “security people”?

You’d be surprised how much of their day-to-day is mundane.
hnlmorg
·anteontem·discuss
As someone who really doesn’t take themselves even the slightest bit seriously, if there was ever a chance that your comment was funny then I would have realised it was a joke. ;)
hnlmorg
·há 3 dias·discuss
How? Neither their comment nor mine have anything malicious in their tone nor content.
hnlmorg
·há 3 dias·discuss
> I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.

The saying doesn’t mean that all vulnerabilities are blunders. It means we shouldn’t automatically assume vulnerabilities are nefarious.

If closer inspection proves beyond reasonable doubt that it was placed there deliberately and maliciously then that’s different.

But the point is most vulnerabilities are blunders so it’s better to assume that until proven otherwise.
hnlmorg
·há 3 dias·discuss
Yes, and my point is that hasn’t been the case in my experience.
hnlmorg
·há 3 dias·discuss
Yes, I got their point. My point is that’s the opposite of reality.
hnlmorg
·há 3 dias·discuss
You’ve got the saying backwards:

“Never attribute to malice that which is adequately explained by stupidity.”

https://en.wikipedia.org/wiki/Hanlon%27s_razor
hnlmorg
·há 5 dias·discuss
Ahhh that makes a lot more sense. Thanks for the detailed explanation.
hnlmorg
·há 5 dias·discuss
> Open models like GLM 5.2 are getting good enough to handle 90% of tasks, and will eat most of their usage unless they start serving it at cost.

Most people either don’t have the money to buy hardware to run open models and/or don’t have the utilisation to make renting cost effective.
hnlmorg
·há 7 dias·discuss
You’re conflating two completely different things.

I’m a retro gamer. I have around 20 systems all hooked up and ready to play from the Atari 2600 through to modern systems like the PS4. In fact I bet I have systems you hadn’t even heard of, and machines that are older than you are.

So I know better than most that consoles can live for decades. But that’s not what people mean when they talk about a consoles life.

What that term means is the period of time that a console is the current generation (and yes, “generation” is the technical term here and not something I made up).

Also decay isn’t a phenomenon exclusive to biology. Plenty of things which aren’t organic can have a life and decay, even though we know they’re not technically a life form. For example stars. But even technology can decay. Capacitors and batteries are the biggest two killers of old technology, and common problems I’ve had to repair in my old hardware. The laser in your PS1 is also a consumable. I’ve had to replace the laser in my PS1 for that very reason. Solder can crack. Any moving parts like motors, fans, and CD/DVD trays can seize up over time too. There’s also sun-bleaching that happens to white and grey casing too, which is thankfully a very easy fix.
hnlmorg
·há 8 dias·discuss
It was a trade association not Microsoft. And bullshit like this is the entire reason for trade associations existing.

Microsoft themselves support self-hosting Minecraft servers. As evidenced by the fact that the server software itself is provided as a free download from an official Minecraft (and thus Microsoft branded) site.
hnlmorg
·há 8 dias·discuss
Lots of modern cars cater for this. It’s actually a marketing point with manufacturers like the VW group publicising how they’re bringing back tactile interfaces. And some ranges of cars never took that away (for example Jaguar).
hnlmorg
·há 8 dias·discuss
I cannot comment on the cost in the US, but in the UK it would be the farm that’s more expensive because the cost is relative the distance. You still have to file the same government applications to close a dirt road as you would a busy city street. But you would have much more miles of road to file the application for, plus the actual expense of the engineering work, for rural destinations.

And that’s without factoring in that fewer subscribers are going to sign up in rural destinations vs busy urban hubs.

This is why the UK had to make subsidies available for rural fibre.
hnlmorg
·há 9 dias·discuss
I wouldn’t even trust experienced developers to merge code without peer review.
hnlmorg
·há 9 dias·discuss
Server shutdowns are a problem regardless of the platform.

There used to be a time when PC games allowed you to connect to random servers. These days Minecraft is the only one that still allows it. And even there, Microsoft go hard on the upselling of their Realms.

Some studios kill their servers after just a couple of years. Even for games that are online first.
hnlmorg
·há 9 dias·discuss
> especially if you were mislead into buying a PS5 with a disc drive thinking it'd be supported at least until the end of the product's lifespan

8 years is roughly the lifespan for a games console though.

And I say this as someone who hates Sony perhaps more than most, having lived through their the CD rootkit and PS3 OtherOS debacles. And been burned by their substandard yet overpriced audio equipment.