Hacker News: nemothekid's comments

As I understand it, this is too brittle. I think this is trivially defeated if someone adds an append to your code:

    package main

    func scramble(key *[]byte) {
        for i := range *key {
            (*key)[i] = 0
        }
    }

    func do_another_important_thing(key []byte) []byte {
        newKey := append(key, 0x0, 0x1) // this might make a copy!
        return newKey
    }

    func main() {
        key := make([]byte, 32)
        defer scramble(&key) // wipes only the backing array key points at
        do_another_important_thing(key)
        // do all the secret stuff
    }

Because of the copy that append might do, you now have 2 copies of the key in data, but you only scramble one. There are many functions that might make a copy of the data given that you don't manually manage memory in Go. And if you are writing an open source library that might have dozens of authors, it's better for the language to provide a guarantee, rather than hope that a developer that probably isn't born yet will remember not to call an "insecure" function.
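The point about append is testable. The program below is an added example, not code from the comment above or from any Go project: it builds a 32-byte key with a chosen capacity, derives a second slice from it the way `do_another_important_thing` does, scrambles only the original, and then checks whether the derived slice still holds the key bytes. The helper names (`scramble`, `sharesBacking`, `deriveWithSuffix`, `leakedAfterScramble`) and the 1..32 byte pattern used as the key are my own constructions. The Go spec guarantees that `append` reuses the backing array when the capacity suffices and allocates a fresh one otherwise, which is what makes the two cases deterministic.

```go
package main

import (
	"bytes"
	"fmt"
)

// scramble overwrites every byte of b in place. It touches only the backing
// array b points at; any other copy of the key is left as it was.
func scramble(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// sharesBacking reports whether a and b start at the same byte in memory,
// i.e. whether a write through one slice is visible through the other.
func sharesBacking(a, b []byte) bool {
	return len(a) > 0 && len(b) > 0 && &a[0] == &b[0]
}

// deriveWithSuffix mirrors do_another_important_thing from the comment:
// append reuses key's backing array only if cap(key) has room for two more
// bytes; otherwise it allocates a new array and copies the key into it.
func deriveWithSuffix(key []byte) []byte {
	return append(key, 0x0, 0x1)
}

// leakedAfterScramble builds a 32-byte key with the requested capacity,
// derives a second slice from it, scrambles only the original, and reports
// whether append copied the key (copied) and whether the derived slice still
// holds the unscrambled key bytes afterwards (leaked).
func leakedAfterScramble(capacity int) (copied, leaked bool) {
	key := make([]byte, 32, capacity)
	for i := range key {
		key[i] = byte(i + 1) // constructed non-zero test pattern, not a real key
	}
	expected := append([]byte(nil), key...) // reference copy, used only for the check

	newKey := deriveWithSuffix(key)
	copied = !sharesBacking(key, newKey)

	scramble(key) // what `defer scramble(&key)` does at function exit
	leaked = bytes.Equal(newKey[:32], expected)

	// Real code would have to find and wipe these too; that is the comment's point.
	scramble(newKey)
	scramble(expected)
	return copied, leaked
}

func main() {
	for _, c := range []int{32, 64} {
		copied, leaked := leakedAfterScramble(c)
		fmt.Printf("cap=%d append copied=%v key readable after scramble=%v\n", c, copied, leaked)
	}
}
```

With `cap=32` append must reallocate, so the scrambled original no longer covers the copy and the key survives in `newKey`; with `cap=64` the two slices share one array and the scramble reaches both. The `sharesBacking` check only detects this one copy, made by this one call; it says nothing about copies made by other functions, by a later grow, or by a future maintainer, which is exactly the argument for a language-level guarantee rather than a per-call-site discipline.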

It's not so much that it's a catch 22, it's that there's no financial incentive for them. TVs are a low margin item already, and Samsung/LG get their margin by being brand names and advertising fancy features.

I doubt they would meaningfully save money over investing in DP, and the opportunity cost is greater for them to spend that money on the next "Frame" TV or whatever.

LG, Samsung and Sony are the only actual panel manufacturers and they probably bake those license fees into the panels they sell back to HDMI Forum.


May be, but by not solving the problem, they become part of the problem, even if they aren't part of the HDMI cartel directly. So it's their fault too that problems like the above happen.

>If you choose lower-level languages like Rust, your team will spend weeks fighting the borrow checker, asynchronicity, and difficult syntax.

It's interesting the author decides to describe Rust in this way, but then spends the next 90% of the article lambasting the Go authors for having the restraint to not turn Go into Rust.

Arenas are simple to write, and if you need one, there are a lot of implementations available. If you want the language to give you complete flexibility on memory allocations then Go is the wrong language to use. Rust and Zig are right there; you pay upfront for that power with "difficult syntax".


Every once in a blue moon I'll meet someone who can trace the genesis of their career to neopets. I learned to code from neopets. It started from html, then I fell into a cheats crowd, where I learned Visual Basic (some of the best early cheats were in Visual Basic).

Then one day, a guy coded a program in Python. It was the only one with a "modern" style (it used Windows XP styles, while most VB6 programs looked like Windows 98 programs), and it used threads so it could watch multiple stores instead of having to manage multiple processes.

I must have been 12-13, and I was completely floored with it. I was convinced everyone programming in VB6 was wrong and the future was Python. I eventually taught myself Python just to write my own cheats, which I eventually sold to others for millions of neopoints. Then my account got frozen and I moved on to other games.


Similar story to me. I was big into games and game design as a kid and was already doing some light modding of games but only a little programming. I experimented with using a memory editor to cheat on the Flash games in 6th grade, which promptly led to my account being banned. I was devastated and wanted revenge and swore I would write my own, sophisticated autobuyer bot. By mid 7th grade, I finished my project. I wrote it in REALbasic (I was on a Mac). I implemented a barebones HTTP socket and cookie jar on top of the raw TCP socket provided by the language and learned to do all of that by sniffing my own network traffic and reading parts of the RFCs. I wrote rudimentary string parsing functions to parse the HTML results since I didn't know regex, and I also defeated the shop CAPTCHAs using a novel approach I have never seen anyone else use to this day. My bot worked phenomenally.

Fast forward to college, I re-implemented my bot as a pet project to learn Python. This time it was much better and included automatic selling of loot, automatic auctioning with feedback-based pricing algorithms, and multiple account coordination using a command and control server. I'm pretty sure I was the most sophisticated botter on the platform at the time. I had a very roundabout way to convert the loot into USD and was making around $7-10/day completely passively.

Out of college I interviewed at a malware reverse engineering company. When you pass the interviews, they ask you to give a presentation before you get your offer. I chose to do a presentation about the bot (it was interesting from a security perspective)... big mistake. The VP of engineering was suddenly "pulled in to something" and I went home without an offer.


I have a sincere feeling that they missed out.


Same here!

I’m in my mid-30’s now. In high school I learned HTML because I really wanted to customize the styling of my Guild (I think that’s what it was called).

And then built a neopets fan site and forum which taught me basic business (trading links with other fan sites, hiring/managing forum moderators, and eventually sold the fan site during junior year).

The will to customize my MySpace profile was also a driver for learning HTML.

I sometimes think about this in the context of today’s highly controlled platforms that simply don’t make space for users to customize or do anything outside the platform directly.


> in the context of today’s highly controlled platforms that simply don’t make space for users to customize or do anything outside the platform directly

There is Roblox, which is popular with kids and lets them upload minigames written in Lua.


There must still be a use case for this in the modern web. TikTok with custom HTML perhaps…


I followed this exact same path. Started with HTML for guilds, learning to slice PSDs and ended with learning VB6 to develop auto buyers / adopters :D Slopdog forums was my inspiration for using VB I think?


I hung out with the neopets kids in school who were doing html stuff. I never really got into neopets myself but some of them were really into geocities which I totally clicked with. Some of my friends were artsy so I made pages for webcomics and CYOA games (with hand drawn graphics to accompany). Those friends ended up getting careers in the arts while I ended up as a computer/electrical engineer.


I'll jump in too. Also started coding with HTML in Neopets and then joined the middle school's programming club! We were playing around with C++ and Visual Basic. Love seeing these updates!


This is exactly how I got my start. Neocodex was the forum where I learned how to program, and slicing up images in CS2 to show up on a Tripod site was how I learned web development.


yup neopets was also my first contact with programming because I wanted to have a cool website.

put it aside for years and eventually became a programmer later in life


This is how I got my start in programming, eventually leading to working in finance and now in gamedev for an AAA. Many of the programmers I worked with as a teenager to build neopets automations are in similar places. I have so many stories and even met my ex-wife of ten years through the community!

Oh, and I regret all the duping glitches I found and exposed and stuff, I'm sorry.


@nemothekid This is the Neopets king right here. I remember millions being a lot, I was always Neopoor, game and real life apparently.

My hacks were shit before I had hair on my balls, you know? But I tried. VBasic....when Microsoft didn't suck. XP 4 LYFE...ride or die

Wanna be in my guild bro?

Best, Prototype #52ASB_ADS_ALPHA_A+


"Wanna be in my guild bro?"

Real talk, call me "old" - but it's like "Oh we get to be put on some list?". TLDR: They ruined the fucking internet. The internet sucks now, all those great "magical" experiences - they fucked it up. For all of us. Everyone.

You know there is one way to say a big "fuck you" to all this shit? I mean at least an idea I had?

What if you had physical "RSA" keys, you were part of groups, had to join, etc. Something like this...whatever. And you know how you use the internet? You literally send use data encrypted blogs in blobs. Keys change, ciphers change. Think 56k internet, but not "slow" - just blobbed/packageized.

In theory, you can basically just wrap the whole internet like a privatized radio relay - just much much faster and global. The internet becomes only a packet relayer. Custom cryptographically rotated black box to anyone except keys in theory. Try and surveil that fuck shit mother fuckers.

The internet could at least fucking exist in some form. You could even have this "public" type AI-VERIFIER "resigned/hashed packet" that uses some open source community checker that can be this trust based "thing"... auditable, that is basically saying "there is no weird images, etc... or there is no whatever here" and this can be signed. ISP network layer would see something like:

[VERIFIED CHECK] fsdf34234ASDFsdfDataBLOB

Or go "naked" fuckyou_fsdf34234ASDFsdfDataBLOB

In theory, it would at least try and prevent the NSA/INSERT_GOV_TER_ORG_HERE from at least respectfully trying to decrypt the "risky" packets. Blah blah blah. You know, just being kind to everyone I guess. Thanks.

I don't know...just an idea.

EDIT: There are of course other solutions related to end devices and compromised devices. The "simple" solution is offline, air gapped stable environments that handle all your decrypted / encrypted devices.

Then there are network things, etc. All details - blah blah. But I am just talking shit. Someone should build this.


Similar technologies have been built and reinvented over and over again.

There is a critical mass of users needed to make this "social network", and turns out (big surprise) most people don't want or care about this technology.


I know. A man can dream you know? No one cares about anything. Well maybe they do, they care about "stuff". Just give them stuff... #congratulations_you_just_reinvitedx1000_INSERT_GOOD_BAD_IDEA_HERE

But thanks for the reply. At least someone has a fucking heartbeat and is real. lol


Serious question though, from a purely data analytical question - are you an incredible programmer? Like legit. Please tell me you're a badass. You gotta be? Real talk, rate yourself. I demand it.


[flagged]


They didn't say they were proud, plus their account got banned so they were punished appropriately, plus... It's just Neopets...


You could say the same about anything, but cheating in multiplayer ruins the experience for others. Cheating in single-player? Great, we call those mods, but in a multiplayer game I'm happy to think of OP as a piece of shit for not just cheating but writing the cheats for others.

Even if it's just indirect competition, by giving yourself an advantage compared to others you affect what others perceive as a healthy benchmark for performance.

"Just neopets" isn't an excuse, you could say the same for any online game.

Cheaters even wreck just the scoreboards for some games. You might think a fake score submission is about the least damaging thing since it doesn't directly affect others' gameplay at all, but it still ruins the experience and affects the community's ability to compare and share genuine runs.

Being banned eventually is hardly a punishment, doubly so if they ever sold-on their ill-gotten gains for real money.

There wasn't a hint of contrition in OP's post, and the downvotes I'm receiving suggest that the culture of entitlement is so great now that cheating in multiplayer isn't even seen as bad anymore.


I hope you share that same energy for people doing high frequency trading or writing advertisement engines. Cheating in neopets is probably at the lowest end of harm caused by cheating and also hurts neopets devs more than it hurts other players.


I think that's reading a lot into OP's comment. A lot of people look somewhat fondly on dumb/slightly illegal things they did as a teen, even if they would never do such a thing as an adult (nor encourage it in current teens). The downvotes you are getting are likely due to guidelines violations (be kind, curious, not snarky, etc.), not due to your actual viewpoint.


I was 12, sorry lol


It's “hacker news” not “I was a rule abiding teenager news”


Charli is half-British, half-Indian. It could be legitimate.


>And yet, from the App Store’s point of view, you can build a game with guns and cartoon violence and happily ship it to kids, while tracking your own body needs a 16+ “mature themes” label.

This really isn't an Apple problem, but an American culture problem. This is such a common trope in many forms of media:

* You can sell games with gratuitous amount of gore, but implied clothed intercourse gets you pulled from stores.

* You can get away with a lot of violence and possibly sneak a PG-13 rating, but a single boob gets you rated R.


Well, no, because Apple categorizes all of these things separately. The world is not subject to MPAA notions about "Sex" or "Violence" -- rather, Apple splits those up into "does this app have any sex" or "does this app have any violence"

The author has a problem because what he is selling is an app to track sexual activity in explicit detail, which is a huge privacy invasion, and Apple's normal screens are rather good at noticing that

The author of this post is trying to sell an app that is not explicitly prohibited by Apple guidelines, but it is offensive to pretty much anyone who looks at it


> which is a huge privacy invasion, and Apple's normal screens are rather good at noticing that

Do you have any better evidence? Apple's App Store screens are notoriously useless; famously, Lastpass had to tell people to stop downloading their app from the App Store after Apple's "normal screen" replaced their app with a trojan horse: https://blog.lastpass.com/posts/warning-fraudulent-app-imper...


As I understand it, unless the fleet size dramatically increases, the cost of a ride is completely determined by supply/demand.


How long does it take to recoup the cost of the automobile and all the tech stuff they add to it?


As I understand it, whatever it costs, is strictly less than the market dynamics of providing the ride today.

There is probably some market equilibrium where they could reasonably provide <5 minute pickups for waymo users that would both cover the cost of the automobile and still be less than the price of an uber today.


As I understand it `--no-quarantine`, as it is currently implemented, is a noop on ARM Macs. So Homebrew has two options:

1. Play cat and mouse with Apple to ensure `--no-quarantine` works

2. Deprecate and remove the feature.


Well, 2. is what the people are asking for but aren't getting. They want deprecation and an ENV flag to enable. It'd be enough. But even that isn't being allowed, which is weird for a power-user program. I can't help but think, "Don't obey in advance."


2 is what is happening. The feature is being deprecated and will likely be removed in the next macOS version.

>I can't help but think, "Don't obey in advance."

They aren't obeying in advance. They simply aren't doing the work to find another Gatekeeper bypass for ARM64.


They're deprecating it and removing it. What is required is deprecating it and leaving it in (with env flag to enable) till it actually breaks rather than obeying in advance.


No, it definitely has an effect on Apple silicon. Without this you will be blocked from running ad-hoc signed code.


While I think the problem highlighted in the article is a longstanding problem for Rust[1], I don't think the example, or finalizers, was the problem with Futurelock as described by Oxide.

I'm not sure you can write a simple example in Python, because Rust's futures architecture and Python's are different. `futurelock` is an issue of cancellation safety, which is a stranger concept (related to finalizers, but not in the way OP has described).

Personally, I think `tokio::select!` is dangerous and I don't use it in my code - it's very easy to deadlock yourself or create weird performance issues. I think the interface is too close to Go and if you don't understand what is going on, you can create deadlocks. That said, even if you avoid `tokio::select!`, I think cancellation safety is one of those dragons that exist in async Rust.

[1] https://without.boats/blog/poll-drop/


The `futurelock` is probably closer to something like:

    import threading

    mutex = threading.Lock()

    def gen_1():
        yield 1
        print("acquiring")
        mutex.acquire()
        print("acquired")
        yield 2
        print("releasing")
        mutex.release()  # only reached if someone calls next() a third time
        yield 3

    def gen_2():
        yield "a"

    def do_something_else():
        print("im gonna do something else")
        mutex.acquire()  # blocks forever: gen_1 is suspended while holding the lock
        print("acquired")
        mutex.release()
        print("done")

    a = gen_1()
    b = gen_2()
    zipped_data = zip(a, b)
    for num, letter in zipped_data:
        print("output", num, letter)
    # zip pulls 2 from gen_1 (taking the lock) before it finds gen_2 exhausted,
    # so the loop ends with gen_1 parked between acquire() and release().

    do_something_else()
    print("done")

Here you can see that `gen_1` "holds" the lock, even though we are done with it, and `gen_1` won't release it until `next` is called again.

The problem is before `do_something_else` is called, either `a` must be destroyed or someone has to call `next` on it. However from just reading the code, the fact that this exists can be difficult to see.


>Are you okay not being told a tool you're using has a vulnerability in it because the devs don't have time to fix it?

Yes? It's in the license

>NO WARRANTY

>15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

If I really care, I can submit a patch or pay someone to. The ffmpeg devs don't owe me anything.


Not being told the existence of bugs is different from having a warranty on software. How would you submit a patch on a bug you were not aware of?

Google should provide a fix but it's been standard to disclose a bug after a fixed time because the lack of disclosure doesn't remove the existence of the bug. This might have to be rethought in the context of OSS bugs but an MIT license shouldn't mean other people can't disclose bugs in my project.


Google publicly disclosing the bug doesn't only let affected users know. It also lets attackers know how they can exploit the software.

Holding public disclosure over the heads of maintainers if they don't act fast enough is damaging not only to the project, but to end users themselves also. There was no pressing need to publicly disclose this 25 year old bug.


How is having a disclosure policy so that you balance the tradeoffs between informing people and leaving a bug unreported "holding" anything over the heads of the maintainers? They could just file public bug reports from the beginning. There's no requirement that they file non-public reports first, and certainly not everyone who does file a bug report is going to do so privately. If this is such a minuscule bug, then whether it's public or not doesn't matter. And if it's not a minuscule bug, then certainly giving some private period, but then also making a public disclosure is the only responsible thing to do.


Come on, we let this argument die a decade ago. Disclosure timelines that match what the software author wants are a courtesy, not a requirement.


That license also doesn't give the ffmpeg devs the right to dictate which bugs you're allowed to find, disclose privately, or disclose publicly. The software is provided as-is, without warranty, and I can do what I want with it, including reporting bugs. The ffmpeg devs can simply not read the bug reports, if they hate bug reports so much.


All the license means is that I can’t sue them. It doesn’t mean I have to like it.

Just because software makes no guarantees about being safe doesn’t mean I want it to be unsafe.


Sorry to put it this bluntly, but you are not going to get what you want unless you do it yourself or you can convince, pay, browbeat, or threaten somebody to provide it for you.


If the software makes no guarantees about being safe, then you should assume it is unsafe.


Have you ever used a piece of software that DID make guarantees about being safe?

Every software I've ever used had a "NO WARRANTY" clause of some kind in the license. Whether an open-source license or a EULA. Every single one. Except, perhaps, for public-domain software that explicitly had no license, but even "licenses" like CC0 explicitly include "Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work ..."


I don't know what our contract terms were for security issues, but I've certainly worked on a product where we had 5 figure penalties for any processing errors or any failures of our system to perform its actions by certain times of day. You can absolutely have these things in a contract if you pay for it, and mass market software that you pay for likely also has some implied merchantability depending on jurisdiction.

But yes things you get for free have no guarantees and there should be no expectations put in the gift giver beyond not being actively intentionally malicious.


Point. As part of a negotiated contract, some companies might indeed put in guarantees of software quality; I've never worked in the nuclear industry or any other industries where that would be required, so my perspective was a little skewed. But all mass-distributed software I've ever seen or heard of, free or not, has that "no warranty" clause, and only individual contracts are exceptions.

Also, "depending on jurisdiction" is a good point as well. I'd forgotten how often I've seen things like "Offer not valid in the state of Delaware/California/wherever" or "If you live in Tennessee, this part of the contract is preempted by state law". (All states here are pulled out of a hat and used for examples only, I'm not thinking of any real laws).


OK, then you can't decode videos.


Anyone who has seen how the software is sausaged knows that. Security flaws will happen, no matter what the lawyers put in the license.

And still, we live in a society. We have to use software, bugs or not.


not possible to guarantee safety

