Hacker News: styeco's comments

Check out his Youtube channel: https://www.youtube.com/c/thebreadcode I've been watching his videos for years now, he genuinely cares about his subject, and doesn't compromise for views. He's an engineer at heart, admits when he's wrong and updates and shares his knowledge. Thanks Hendrik!


Thank you too!


I wish they would take the antivirus issue on Windows more seriously https://github.com/nim-lang/Nim/issues/17820

This issue alone means I can't use it at work, and I haven't put much time and thought into Nim as a whole because I could only use it in private toy projects.

I understand it's mostly the AV vendors fault and the devs shouldn't have to worry about a problem they haven't caused, but for me, this grinds real-life adoption of the whole thing to a halt.


It's not clear to me what they could do. In the thread you linked, it's not just the binaries of the various nim executables, but also user generated binaries. And it appears that even signed binaries are getting flagged by some vendors.

I'm guessing the issue is that some malware writers started using nim, and the antivirus vendors then decided to make heuristics that detect nim generated binaries and call it malware.


This is pretty much it, malware was written in Nim, vendors started fingerprinting those binaries but didn't include any/enough non-malware binaries. This means that the fingerprint is more "this program is written in Nim" and less "this is malware written in Nim".


Yikes, does that mean scumbags could effectively torpedo any new language, like Zig and Hare, for example?


Yes, but it's not like this only happens with small/new languages. Even today, Go-lang binaries will often get detected by various Windows anti-malware software. They even have a section in their FAQ about it [0].

Also, in Hare's specific case, it doesn't _really_ matter as they will never support Windows or MacOS [1], and there isn't a significant presence of anti-malware software on linux distros.

[0]: https://go.dev/doc/faq#virus

[1]: https://harelang.org/platforms/


Not supporting Mac is a big shot in the foot from Hare. Is this a case of ideology getting in the way of pragmatism, or do they have technical reasons? Singling out proprietary platforms sounds ideological.


"As other commenters alluded to, it's an ideological and practical decision. We simply prefer free software operating systems. We do not care to legitimize nonfree platforms, and we prefer to be able to read (and patch) the code to understand the tools we depend on. If that's a deal-breaker for you, no worries - Hare does not have to appeal to everyone to achieve its goals."

https://news.ycombinator.com/item?id=31158576


Hard to say, since we have no idea how the antivirus vendors are identifying nim. Maybe there's something about the fact that nim compiles to C which is then usually compiled by mingw? (You can use compilers other than mingw, but it's the default).

Mingw might have a higher weight for "this is malware". Then you combine that with nim generating code that's common across most nim binaries (the GC, boilerplate symbols, etc).

Then there's perhaps not enough positive signals to offset that, since there's not yet a wildly popular windows app written in nim.


I hope I didn't come off as too aggressive in my original post, I'm not trying to demand anything, or trying to act like I know anything they don't, I most certainly do not. I just love the language so much, I wish I could use it more. The linked issue doesn't show any traction, and other languages used for malware don't have this problem, so I (probably incorrectly) presumed there was a lack of interest to solve this. I apologize if I came off as demanding.


They have to work with and stay on antivirus vendors more aggressively. You can take new releases and submit them to the antivirus companies to get white-listed. They each have their own processes, but a lot of them allow going to their website and submitting as false-positives, then you can do follow up e-mails.

Probably best to select the top 10 AV companies, to keep the workload down. Per each release, shouldn't be too bad, though likely someone or a group needs to be designated for the task.


We take it very seriously, but there isn't a whole lot we can do unfortunately. Apart from reporting false positives the only avenue we could pursue is applying obfuscation practices used by actual viruses. This of course has its own slew of issues.


Yep, I mean, if the virus defence community took the same blanket, lazy approach with C and C++ compilers because viruses can be written in those, too (shock horror!) they'd be shut down by some big players very fast.


I hear (but have not personally seen recently) that MinGW-compiled EXEs are falsely detected as malware by some programs: https://stackoverflow.com/questions/62364507/compiled-c-exec...


Are Nim Windows binaries signed with Authenticode?

If not, it's possible to get reasonably priced code signing certificates.


MS Defender flags binaries that have been compressed by upx. It's really annoying because upx is a great way to shrink binaries.
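The kind of crude "toolchain fingerprint" that the comments above speculate about (mingw strings, Nim runtime symbols, UPX section names, high-entropy packed sections), as an added example that is not code from the Nim project, Go, UPX or any AV vendor. The marker strings and the entropy threshold are assumptions chosen for illustration, the PE files are constructed in-memory (headers and a section table only, nothing executable), and the two verdict functions show the difference between scoring on "written with this toolchain" and scoring only on evidence about the binary's form:

```python
import math
import struct

# Assumed marker strings for the demo; not any vendor's real signature set.
TOOLCHAIN_MARKERS = {
    b"mingw": "mingw-w64 runtime string",
    b"NimMain": "Nim runtime entry symbol",
    b"nimGC": "Nim GC symbol prefix",
}
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; assumed cut-off, packed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and return name/size/raw data per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", pe, fh + 2)[0]
    opt_size = struct.unpack_from("<H", pe, fh + 16)[0]
    sec = fh + 20 + opt_size               # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for _ in range(num_sections):
        name = pe[sec:sec + 8].rstrip(b"\0")
        raw_size, raw_off = struct.unpack_from("<II", pe, sec + 16)
        sections.append({"name": name, "raw_size": raw_size,
                         "data": pe[raw_off:raw_off + raw_size]})
        sec += 40
    return sections


def fingerprint(pe: bytes) -> dict:
    """Split what a crude heuristic sees into 'toolchain' and 'packing' evidence."""
    toolchain, packing = [], []
    for s in parse_sections(pe):
        label = s["name"].decode(errors="replace")
        if s["name"] in PACKER_SECTIONS:
            packing.append(f"packer section name {label}")
        ent = shannon_entropy(s["data"])
        if s["raw_size"] >= 256 and ent > ENTROPY_THRESHOLD:
            packing.append(f"high entropy ({ent:.2f} bits/byte) in {label}")
    for marker, what in TOOLCHAIN_MARKERS.items():
        if marker in pe:
            toolchain.append(f"{what} ({marker.decode()})")
    return {"toolchain": toolchain, "packing": packing}


def naive_verdict(report: dict) -> bool:
    """The failure mode from the thread: any toolchain marker counts as 'malicious'."""
    return bool(report["toolchain"] or report["packing"])


def packing_verdict(report: dict) -> bool:
    """Same report, but toolchain markers alone are not treated as evidence."""
    return bool(report["packing"])


def build_sample_pe(sections: list) -> bytes:
    """Constructed, non-executable PE layout: DOS stub, file header, section table, raw data."""
    e_lfanew, opt_size = 0x40, 0
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw = (hdr_end + 0x1FF) & ~0x1FF       # raw data starts on a 0x200 boundary
    out = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    out += b"PE\0\0"
    out += struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    body = bytearray()
    for name, data in sections:
        out += name.ljust(8, b"\0")
        out += struct.pack("<IIII", len(data), 0x1000, len(data), raw + len(body))
        out += b"\0" * 16                  # relocs, line numbers, characteristics
        body += data
    out += b"\0" * (raw - len(out))
    return bytes(out + body)


if __name__ == "__main__":
    # Constructed samples: a benign Nim/mingw-style binary and a UPX-style packed one.
    benign = build_sample_pe([(b".text", b"\x90" * 300 + b"NimMain\0nimGC_\0mingw_w64\0"),
                              (b".data", b"hello\0" * 50)])
    packed = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4)])
    for tag, sample in (("benign", benign), ("packed", packed)):
        r = fingerprint(sample)
        print(tag, r, "naive:", naive_verdict(r), "packing-only:", packing_verdict(r))
```

The benign sample trips `naive_verdict` purely on runtime and linker strings, which is the "this program is written in Nim" signature the thread describes; `packing_verdict` ignores those, but as the Defender/UPX comment notes, packing evidence on its own still hits legitimate UPX users, so neither is a substitute for behavioural signals.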


What a great article. Like many commenters here, I was completely oblivious to the struggle and I appreciate it a lot more now.


Sorry for the choice words, but shit like this makes my blood boil. You're not trying to "keep our children safe" motherfucker, and you know it. You're trying to prevent people from being able to have private conversations, so your secret agencies can harvest all the data from everyone easily. To phrase it as "but think of the children" is instrumentalizing the actual victims of child abuse and you should be ashamed.


This is blatant disrespect of the people. Every time the government, its agencies and their pet organizations draw the "protect the children" card that's appealing to the most technically-illiterate and privacy-unmindful people who have zero understanding of how the web works, can't think two turns in advance and naïvely believe they "have nothing to hide" and nothing like this[1] can possibly affect them, let alone an inherently malevolent party getting their unencrypted data to misuse it in quite a number of ways possible.

[1] https://www.bbc.co.uk/news/business-60369875


You might not realize it but there really are people who honestly, genuinely, in their heart-of-hearts think this way and if you want to have a chance at inducing real change in the world, you need to acknowledge that they exist and see things from their point of view.

It's easy to forget but not everyone lives in a bubble full of privacy-conscious techfolk. There are people whose children were groomed online and convinced to submit themselves to sexual abuse. There are people who were those children. There are the law enforcement officers and NGOs dedicated to fighting this stuff. These people are all real. They all exist.

Other people are parents. They see the stories, they worry that it'll happen to their own children. Whether you like it or not, this justification garners sympathy from a not-insignificant number of people.

Often, these people don't understand E2E encryption or why they should give a hoot about it. They see the very real, tangible problem of child abuse on one side and some kind of vague objection from technical people on the other.

If you want to move past venting and have a real chance of inducing change, you need to acknowledge that other people with very different worldviews exist and you need to think about how to engage with them, see things from their point of view and convince them that E2E encryption should be protected.


Why do the people against E2E get a 500K government grant FOR MARKETING and people for E2E don't?


This is the best comment in this thread.

I would add that some may see E2EE as important, but protection of vulnerable as *more* important. Life just isn't so black & white.


The right to have a private conversation is one of those fundamental rights that society exists to protect. Undermining that in the name of law enforcement is putting the cart before the horse.

I'm sure the police would also have a much easier time solving crimes if they had a CCTV in every living room. They might even pinky swear that they'd only look at it with a court order. And promise to keep the recording extra, super safe so no bad guys can ever look at it. Just think of how much child abuse takes place inside houses - the very notion of houses that the police can't look into is an abomination that must be banned immediately!

The pushback if they proposed something like that would be enormous. But the only reason they think they can get away with the same thing, just regarding chat systems, is that they want to take advantage of the fact that most people are tech-illiterate enough not to understand how encryption works, while they do roughly understand how CCTV works.

Some things are just too dangerous to exist. A backdoor into every communication channel on the planet is one of those things.


Right? Their complete statement is "remove end-to-end encryption so we can catch child sex abusers...by monitoring all the content that flows through social media" -- they just don't say the second part out loud because everyone would realize how fucking crazy this is.


Most citizens are now well aware of governments' ploy to use children's virginity to muzzle their dissent.


What! No way, just no way!

You live in a bubble. Most citizens include all age groups, backgrounds, etc.

Most people literally have no idea what encryption is, what it means, does, how it is used.

Along comes a trustful thing, a news site or tv channel. It explains that encryption is being used to harm little kids, or to allow thieves to do evil.

Governments spout this blather, because it works on the majority.


> so your secret agencies can harvest all the data from everyone easily

The thing is, I don’t think the people who work at those agencies would want this either, except for maybe law enforcement. It’s the bureaucrats who think it’s a good idea, everyone else knows it’s a shite one. It’s an utter farce.


I think more are for it, than you believe.

Someone in such an agency believes they act for the greater good. To watch, aids in protecting society from bomber, insurrection, threat.

They see themselves as noble, and likely most are.

The problem here is misuse, and the scope of information. While the majority behave acceptably, agency culture, and political leanings become a trap.

And so the noble use, becomes corrupted. And because the person believes themselves to be good, who they work for is surely good, and so the work done must be good.

Just look at all the devs working at Facebook. Do they see themselves as evil? Causing civil wars, breakdown of societal cohesion for profit, destruction for stock price?

No.

They see themselves as non-evil. They see what they do as non-evil, because of <reasons>.


It's a great tactic. Gun grabbers have been using it successfully in the UK, US and everywhere else.


Since when have gun grabbers had any success in the US? From the outside, it seems the US has decided it would rather just live with regular school shootings than deny its citizens access to lethal weapons. See also https://en.wikipedia.org/wiki/%27No_Way_To_Prevent_This,%27_...


1930s machine guns, short barrel rifles and shotguns, destructive devices and AOWs got a $200 tax, cost prohibitive at the time for most people. 1960s more restrictions on FFLs and on types of guns especially imports, both raise prices and reduce availability more. 1980s new transferable machine guns banned so now existing ones cost more than a car. 1990s handgun age raised to 21. And you steppers keep saying "it's not enough". If the cost of freedom is school shootings then so be it. We could cut down lots of other crime with a police state but don't because it's wrong.

You may as well support banning E2EE because nobody needs it.


We should amend the constitution and then make permitted ownership of single shot bolt action rifles the only widespread form of personal gun ownership. Plenty capable enough for sport hunting.

That would be enough.

There would be people made less safe by such a restrictive regime! Of course a much larger number would be safer. Tradeoffs are exactly what they sound like.


Nitpick: "single shot" and "bolt action" are a contradiction in terms. A "single shot" rifle has no magazine, only a single cartridge can be loaded at once. A "bolt action" rifle has a magazine to hold more than one cartridge, with a bolt that the user manually actuates to eject a spent case and load a new cartridge from the magazine.

If actually proposing legislation such distinctions would be important. For an internet discussion what you meant is clear enough.


Not quite, no. There are plenty of bolt action rifles with no magazine, they're still bolt action. Like there are other single shots that aren't bolt action, and there are other bolt action single shots. Stupid policy this person is proposing but their language is technically correct.


Police states tend to reduce crime very well. They're still wrong. And I hope if somebody like you ever gets power and tries to do this Americans resist them by force.

We should uphold the Constitution as it is now and remove every single gun law.


Citizen resistance against a modern military is largely a LARP fantasy.


You assume that:

1. there are enough armed forces personnel to police the third or fourth largest country by land mass in the world (the United States)

2. that every single armed forces personnel would unquestioningly obey what constitutes illegal orders (military deployment on American soil)

3. that the entire population would simply sit down and let themselves be overrun by the military.

I think you should check your assumptions.


> there are enough armed forces personnel to police the third or fourth largest country by land mass in the world (the United States)

If you count the standing paramilitary forces ("police") that work for the government and do this job already, plus all the other armed forces, that's not that much of a stretch.

> that every single armed forces personnel would unquestioningly obey what constitutes illegal orders (military deployment on American soil)

Military deployment on US soil is not illegal. (That would make defensive war, as well as suppression of armed rebellion, impossible.)

Military deployment to enforce domestic order isn't illegal, either, though for federal regular military troops there are procedural requirements for it under the Insurrection Act (mostly, a completely discretionary Presidential determination of one of several specific kinds of need—some of which involve a request from a state governor and some of which do not—and particular notifications to the civilian population and any potential insurgents before employment of the military for certain uses.) State forces not called in to federal service may have their own procedural rules for law enforcement deployments, but most state forces can also be activated federally under federal rules.


I'm assuming that superior weapons, tactics and organization matter.

And if elements of the military are involved on both sides, it's not exactly citizen resistance anymore.


Nah counterinsurgency is very hard to win actually. See Afghanistan.

Regardless this is why citizens need modern military equipment.


To be honest the motivation to keep our children (or people more generally) safe seems way more clear to me than the motivation… to prevent people from having private conversations… to what end?


Except that removing encryption actively endangers children (and everyone else).


That’s a different argument than “they’re not trying to keep kids safe”


It's the stepping stone between the two: you cannot believe the motivation is to keep kids safe if the action makes kids less safe. That doesn't prove a specific other motivation. But it does pretty decisively disprove the stated motivation.


Ah, I see. You’re saying the threat of someone successfully breaching a child’s data and appropriate keys from a service is more significant than the threat of just internet weirdos relying on E2E to transact child pornography with impunity.


Pretty much. That is what happened every time other people have been given access.

We're in the middle of a whole bunch of cases of policemen being sacked or charged here for asking underage girls on dates, keeping and sharing nudes from crime victims' phones etc.

And remember: if someone is lying about why they're doing something that's further evidence it's not something you want. If they had a good reason, they'd be up front about it...


To expand the total surveillance even further? It seems to me that every government, no matter how liberal or progressive, loves surveillance. Look at how quick European governments started to vacuum up the data from mobile operators when COVID broke out - all "for your safety", of course.


Power/control.

Fwiw seems rather clear to me that we live in an age where information is groomed for us, for the same reasons.


So that they can better control you?


But again… for what? Are you under the impression that every government is actually authoritarian under the hood but that characteristic just doesn’t really show its head due to encryption? Seems to me authoritarian governments have no problem being authoritarian with or without these sorts of provisions.

Side note: I’m not actually against E2E encryption. Strong proponent really. I just think these arguments tend not to resonate with a very broad audience outside of the security/privacy/technolibertarian communities


And it's all done in Nuxt.js/Vue


I canceled my Humble Monthly a while ago. It's just another online game store at this point, there's nothing of the original spirit left. The amount they give to charity is tiny these days, and there haven't been any games I'm interested in in a long time. I'll buy at GOG tyvm.


I remember subscribing to Humble Bundle back when they came out with the original humble bundle. Four or five games, pay what you want, works on Linux. As a kid in High School, having a source for good Linux games was amazing. I paid for a few Humble Bundles but I eventually moved away from gaming in general. Sad to see how far they have fallen.


I really hope the auto-update component doesn't have the same issue, otherwise Firefox is essentially dead on millions of computers owned by non-techies.


I fear not. With http3 enabled, the auto-updater never returns a result. It keeps saying "checking...". Looks like the auto-updater itself will work only when http3 is disabled through about:config which non-technical people may not be able to do.

However I do recall Mozilla having another backdoor channel which they used sometime ago to push an emergency update. I hope that works.


Someone just reported that it looks like a load balancer issue. Presumably, if that's the case it can also be fixed without user action: https://bugzilla.mozilla.org/show_bug.cgi?id=1749908#c17


I hope I am mistaken, but the auto-updater of my own FF was blocked.


There is something about being unable to check for updates if you open the console on any site...


Exactly what I was thinking. I hope they thought about this case and made the updater use a different stack...


Auto-Update doesn't work anymore. It's the first thing I tried when I encountered this issue like 20 minutes ago.

Can't access any website or make any connection without disabling `network.http.http3.enabled` and restarting.

This impact is huge for millions of Firefox users!
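One way to apply the `network.http.http3.enabled` workaround from the comments above to a profile on a machine whose owner cannot use about:config, as an added example that is not Mozilla's code. Firefox reads `user.js` from the profile directory at startup and applies each `user_pref("name", value);` line on top of `prefs.js`, so dropping the line in there (or fixing an existing one) is enough. The profile directory and the temporary-directory demo at the bottom are assumptions; the pref-line format is the real one:

```python
import re
import tempfile
from pathlib import Path

# One pref per line in user.js / prefs.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def to_js_literal(value) -> str:
    """Render a Python bool/int/str as the literal Firefox expects in user_pref()."""
    if isinstance(value, bool):            # must come before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def set_pref(text: str, name: str, value) -> str:
    """Return `text` with `name` set to `value`: replaces the first existing line,
    drops duplicate lines for the same pref, or appends if it was absent."""
    new_line = f'user_pref("{name}", {to_js_literal(value)});'
    out, replaced = [], False
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            if not replaced:
                out.append(new_line)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def get_pref(text: str, name: str):
    """Value of the last `name` line in user.js/prefs.js text, or None if absent."""
    val = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not (m and m.group(1) == name):
            continue
        raw = m.group(2)
        if raw == "true":
            val = True
        elif raw == "false":
            val = False
        elif re.fullmatch(r"-?\d+", raw):
            val = int(raw)
        else:
            val = raw.strip('"')           # string pref; escapes are not unwound here
    return val


def disable_http3(profile_dir: Path) -> Path:
    """Write (or update) user.js in `profile_dir` so HTTP/3 is off at next start."""
    user_js = profile_dir / "user.js"
    text = user_js.read_text() if user_js.exists() else ""
    user_js.write_text(set_pref(text, "network.http.http3.enabled", False))
    return user_js


if __name__ == "__main__":
    # Demo against a throwaway directory; a real run would target the Firefox profile.
    with tempfile.TemporaryDirectory() as d:
        p = disable_http3(Path(d))
        print(p.read_text())
```

`user.js` is re-applied on every start, so the value sticks even if the user later flips it in about:config; remove the line once the fix ships to hand the pref back to the user.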


Good. Abusing the users for testing via forced auto updates is short sighted and hopefully enough people change browsers that Mozilla changes its ways.


Several non techie friends already contacted me about a broken FF. There will be millions of people with this problem, indeed.


I can confirm auto-updater got broken too. When I realized my browser (nightly) was borked, first instinct was to update.. but nope, that didn't work. Then I manually downloaded a new nightly tarball, but that also didn't help. Switched to stable (95.0.2) and that worked once, then it got borked too.


Was blocked on my machine too, but spontaneously started working again after a complete reboot without the disable http3 fix, so there is hope! :D


Wait, it isn't already? That's absolutely wild to me. It's probably just my biases talking, but I've never had a single employer or client who used anything by IBM, but nearly everyone uses AWS for something.

It's those megacorp whales, isn't it?


They're comparing AWS revenue to all IBM revenue. IBM is engaged in a number of other areas including fabless semiconductor design.


Note that AWS has around 25k employees while IBM is close to 350k.


I hope to have that much overhead one day.


I live in a town with a sizeable IBM office. The number of tendrils coming out of it is crazy. To the point where everyone knows someone who is employed by IBM.

I wouldn't say it's only megacorps.

Universities have internship courses with IBM, and IBM have both normal and research contracts with the universities. Even tiny universities with less than a hundred students.

All the banks have contracts with IBM. All of them. There are hardware contracts, software contracts, and customised development versions of both of those for the banks.

Most of the schools also have IBM contracts. Not generally customised development, just deployment of prebuilt hardware and preconfigured software. Even the kindergartens do.

All the ISPs have support contracts. They tend to be more secretive about what the contracts are, but from what I hear it's mostly prebuilt hardware and very slightly customised software, and the support contracts are where IBM make the most of the income from the various contracts with the ISPs.

All the hospitals have contracts. Customised hardware contracts, but boring and preconfigured software. However, the support contracts are fairly busy and IBM have a really high turnover in the teams that support the hospitals.

The government buildings, of which we have local, state and federal, all have IBM hardware in them. Some of which has been under active support for three decades. Software wise, though, the government is edging away from IBM due to some recent fuckups that have seen IBM blacklisted for new contracts.


IBM owns Red Hat, you ever heard of those guys?

IBM largely makes their money supporting legacy software, doing services and consulting work, and through Red Hat's software offerings.


And selling hardware. Software aside, both POWER and s390x have a niche and are legitimately competitive in terms of performance (although cost is another matter).


IBM is about 25 times bigger than Red Hat.


Because they're raking in huge bucks supporting legacy software and doing services/consulting work. They also turn Red Hat products into IBM revenue through bundling/repackaging it


But have you heard of Kyndryl? :) IBM is like a dark cloud market nowadays. No one has any idea what it does, but it still makes money somehow.


IBM has grown to do a lot more than just computing services. Which is part of the reason why IBM has been struggling to find its way. In this article they’re talking about all IBM revenue, not just computing.


I thought IBM had divested their service part recently, not sure how that affected their size.


The divesting is in-progress, it hasn't happened yet.


It seems like IBM's future is in divesting itself of a handful of profitable things as one organization.. then selling the IBM name to that organization.. and bankrupting the 'original' organization. Otherwise they'll have one big anchor around their neck in perpetuity.


The opposite. New IBM is focused on cloud and hybrid-cloud, whereas NewCo is everything else (consulting, legacy software).

Although I believe mainframes are sticking with IBM. Those are still quite profitable, and you could imagine a "mainframe cloud" for clients that are still dependent on them.


If I am not mistaken they compare AWS (cloud services) with the entire IBM company (cloud services, consulting business, …).

Which would make it a strange comparison (but ok, it would just emphasize the size of AWS)


This is quite a bit more than "a single Docker container" though, isn't it? This is networking, SSL cert, traffic routing, secret management and a whole CI pipeline.

Of course it's looking complicated "for a single container", but if you wanted to deploy your app in a traditional server setup, the graph would look the same, if not worse.


Exactly. This is more than just a single Docker container, this is all the architecture necessary to have a highly scalable, high availability setup where you can dial up the number of Docker containers as high as you want at the press of a button.

Not everyone needs all this, but most people who want scale and availability do need all this.


Our builds are also still failing with multiple 404ing packages.

