Alexandro Sanchez

686 posts

@AlexAltea

Security, reversing, mathematics. Writing emulators and hypervisors in 🇦🇩.

Les Escaldes, Andorra. Joined December 2009
509 Following, 4.9K Followers
Alexandro Sanchez@AlexAltea·
@ringo_ring That was definitely an AI-generated apology. Ironic and frustrating, considering your project was likely key for its training data.
Alexandra Elbakyan@ringo_ring·
Yes. That's how real recognition gets stolen, masqueraded as a compliment. Sci-Hub is SO BIG, SO BIG that you obviously couldn't do it yourself. HATE. The very fact it is being masked as a compliment makes it even more terrible. I hear this argument being repeated again and again. This argument about Sci-Hub being BIG is absolute nonsense. Let's consider it: just how big is Sci-Hub? Sci-Hub is, basically, a piece of computer code that I wrote in PHP back in 2011. The code itself was not that large - some great computer games that were created by single authors in the time of MS-DOS are much longer. The code itself was tiny, but it was universal: it worked on many research papers - millions of them, making them free. You can compare Sci-Hub code to a mathematical formula in physics. Just imagine: Einstein's formula is just three letters, E = mc^2 - that was enough to describe the WHOLE UNIVERSE. That global universality does not make anyone think there was any team doing Einstein's work. Sci-Hub does not require any exceptional or very expensive technical infrastructure to run on. It was first launched on a free web hosting, then moved to a rented server; as the project grew I bought a few servers myself. Every hardware part here is commercially available and within reach for a single person even without big funding. The mere fact that the impact of Sci-Hub was big also does not in any way imply it must be the work of many people. Consider how many great works of art or literature were created by single authors. Nobody says Tolstoy's epic novel "War and Peace" must be the work of many because it is big and famous. If you consider Sci-Hub as a work of writing - and it is writing in code - then you can easily place it in the context of other works of writing and see that Sci-Hub is actually very small - both in terms of how many letters were used - and in terms of how many people it reached. Some books for kids are much more popular (yet nobody says there are many authors...)
Alexandro Sanchez@AlexAltea·
@landaire Good point, that's actually genius. Would be very interesting to have agents crawl vulns/patches, group them and create queries for them. With a massive query DB, hit all OSS repos and have agents triage matches.
lander@landaire·
@AlexAltea ...like lock double-unlocking bugs (at least with the internal tool I worked with, dunno about CodeQL). There's probably some effective middle-ground though of having an agent maintain the query rules and build artifacts long-term.
lander@landaire·
I think about the timing of this acquisition often. github.blog/news-insights/… Does CodeQL (or similar static analysis tools) have a place post-AI? Given the cost of setup, licensing, etc. I'd be really curious if it's even worthwhile to have AI write these queries. Probably not?
Alexandro Sanchez@AlexAltea·
@landaire AIs still need tools to efficiently query data while saving on tokens. CodeQL provides this, right? Just like AI can reverse assembly snippets, but on large projects it is more effective paired with Ghidra/IDA to inspect xrefs, CFGs or reason over decompiled pseudocode.
Alexandro Sanchez@AlexAltea·
It is, when easily available in manifests/DLLs, but static vendored dependencies in binaries with stripped symbols are often overlooked. Gets worse as layers increase, e.g. app depending on libA -> libB -> libC. A vuln in libC requires up to 4 independent parties to fix, though those hellish scenarios occur usually in langs with easy dependency management. Agreed with OP on vendoring. Langs with hard dep management incentivize vendoring, which in turn disincentivizes dep bloat, and reduces exposure to vulns.
John Colvin@J_L_Colvin·
@rfleury @valigo I had never considered the security implications of the misuse of libraries caused by version skew between the developer version & the many, many deployed version(s) in shared libs before. Is that something that’s analysed a lot? @AlexAltea
Valentin Ignatev@valigo·
If you properly vendor your dependencies, you don't need a complicated build system like cmake or nix. All you need is a simple build script, 90% of which will be setting your compiler flags. If you don't believe this - RAD Debugger is over 200k lines of code, a clean debug build takes just a few seconds, and it has two dead-simple build scripts - one for Linux, and one for Windows - that even a person who has never seen a shell script in their life can instantly understand. Linux packagers hate when you say this, because "boo hoo what if freetype that you vendor has security bugs???", but the real reason they hate this is because it strips their perceived importance of infinite Sisyphean ecosystem churn to make sure the exponential explosion of packages on your system has the illusion of working together. I guess eventually even Linux people realized that they can't take it anymore, and invented flatpaks. For me personally, I pretty much landed at a middle ground of "dependencies are good, but automated distributed dependency management is bad"
Alexandro Sanchez@AlexAltea·
@SamoBurja You need determinism at some layer; even the models need it. Can't have turtles/AI all the way down.
Alexandro Sanchez@AlexAltea·
@calvinfroedge @Laeeth We can largely solve that, e.g. C2PA. The question is which incentives are stopping us from making such tech widely available.
Longhorn@never_released·
Came across one unholy hack in QEMU today... gitlab.com/qemu-project/q… The APIC TPR register is accessed very often by Windows XP/Server 2003 and the way to make that bearable for virtualization pre-FlexPriority is to... patch the guest at runtime...
Steven Zeiler@modernfintech·
Few things in life bring me more joy than DJing at my favorite sushi spot 😆🎧🎶🎛️🎚️
Alexandro Sanchez@AlexAltea·
Probably no special meaning. In such moments (sometimes very brief), the brain seems unable to "fix" the magnitude of any dimension of a mental image (in extreme cases, real life objects too). Objects feel simultaneously large/small, close/afar, full/empty, bright/dark, loud/silent, etc. This "jitter" induces discomfort. Not sure what causes it. For me, it's a bad fever. For some, drugs. Not terrible but still pathological, as if some function is "degraded".
Alexandro Sanchez@AlexAltea·
@foley2k2 @unix_byte That would very quickly exhaust the TLB. Also, while slightly less wasteful, you would need to dedicate more memory to page table entries. Many trade-offs, but 4~16 KiB seems indeed the sweet spot.
Jason@foley2k2·
@unix_byte Would it make sense to default to the size of a cache line for whatever the architecture is?
Understanding Linux: The Kernel Perspective
On Intel and AMD x86-64 systems, the Memory Management Unit (MMU) is architecturally fixed to use a 4 KiB base page size. This design is inherited from the Intel 80386 processor from 1985, whose paging structures, entry formats, and alignment rules all assumed 4 KiB pages. For compatibility reasons, every subsequent x86 processor has preserved this granularity. Because the x86 architecture has a rigid page-table format and decades of software, firmware, and Application Binary Interface (ABI) expectations built around 4 KiB pages, the base page size remains fixed. Later, larger page sizes such as 2 MiB and 1 GiB were added for performance, but they supplement rather than replace the mandatory 4 KiB unit. In contrast, newer architectures such as ARM64 were designed with flexible paging in mind: the architecture supports multiple possible base page sizes (4 KiB, 16 KiB, and 64 KiB), and the kernel compile-time configuration chooses which one to use. Image credit: ocw.mit.edu/courses/6-004-…
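To make the page-size trade-off in the thread above concrete (the cache-line-sized page suggestion, the reply about TLB exhaustion and page-table memory, and the fixed 4 KiB x86-64 base page with its 2 MiB and 1 GiB large pages), here is an added example that is not from any of the posters. It splits a 48-bit x86-64 virtual address into its four paging indices for each page size, and compares TLB reach and last-level page-table memory; the 64-byte page is a hypothetical included only for comparison.

```c
#include <stdint.h>
#include <stdio.h>

/* Page-size shifts: the fixed x86-64 4 KiB base page, the 2 MiB and 1 GiB large
   pages, and a hypothetical 64-byte (cache-line-sized) page for comparison only. */
enum { SHIFT_64B = 6, SHIFT_4K = 12, SHIFT_2M = 21, SHIFT_1G = 30 };

struct va_parts { unsigned pml4, pdpt, pd, pt; uint64_t offset; };

/* Split a 48-bit x86-64 virtual address into its 4-level paging indices.
   Each level has 512 entries (9 bits). A 2 MiB mapping stops at the PD and a
   1 GiB mapping at the PDPT, so the lower-level index bits become page offset. */
struct va_parts split_va(uint64_t va, int page_shift) {
    struct va_parts p = {0};
    p.pml4 = (va >> 39) & 0x1ff;
    p.pdpt = (va >> 30) & 0x1ff;
    if (page_shift <= SHIFT_2M) p.pd = (va >> 21) & 0x1ff;
    if (page_shift <= SHIFT_4K) p.pt = (va >> 12) & 0x1ff;
    p.offset = va & ((1ULL << page_shift) - 1);
    return p;
}

/* Bytes a TLB with `entries` entries can cover before it must miss. */
uint64_t tlb_reach(unsigned entries, int page_shift) {
    return (uint64_t)entries << page_shift;
}

/* Bytes of last-level page-table entries (8 bytes each) needed to map `bytes`. */
uint64_t leaf_pte_bytes(uint64_t bytes, int page_shift) {
    return (bytes >> page_shift) * 8;
}

int main(void) {
    /* Constructed sample address, not taken from any real system. */
    struct va_parts p = split_va(0x7fffdeadbeefULL, SHIFT_4K);
    printf("pml4=%u pdpt=%u pd=%u pt=%u offset=%#llx\n", p.pml4, p.pdpt, p.pd, p.pt,
           (unsigned long long)p.offset);
    int shifts[] = { SHIFT_64B, SHIFT_4K, SHIFT_2M, SHIFT_1G };
    for (int i = 0; i < 4; i++)
        printf("shift %2d: 64-entry TLB reach %12llu B, leaf PTEs for 1 GiB %12llu B\n",
               shifts[i], (unsigned long long)tlb_reach(64, shifts[i]),
               (unsigned long long)leaf_pte_bytes(1ULL << 30, shifts[i]));
    return 0;
}
```

The loop output shows why the thread settles on a few KiB: 64-byte pages give a 64-entry TLB only 4 KiB of reach and need 128 MiB of leaf PTEs per GiB mapped, while 4 KiB pages need 2 MiB.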
b33f | 🇺🇦✊@FuzzySec·
@FFmpeg The distinction doesn't matter to a user getting exploited. Security issues should either be fixed or FFmpeg should say they won't support the codec. You can't have it both ways.
b33f | 🇺🇦✊@FuzzySec·
I didn't comment on their last rant but calling this CVE slop is cringe. In fact, vendors like this are exactly the reason to impose disclosure timeline restrictions. Imagine blaming researchers for reporting a UAF in a codec used by a framework with 100m users
FFmpeg@FFmpeg

Here's an example of Google's AI reporting security vulnerabilities in this codec: issuetracker.google.com/issues/4401831… We take security very seriously but at the same time is it really fair that trillion dollar corporations run AI to find security issues on people's hobby code? Then expect volunteers to fix.

Alexandro Sanchez@AlexAltea·
"Have a responsibility"? Haven't you read the NO WARRANTY section of LGPL v2.1? ffmpeg.org/legal.html The current ffmpeg team out of good will chooses to act promptly and fix vulnerabilities, but that's not a requirement. If you run a business around it and host (say) customer PII, *you* are liable. Not a take, just law.
FFmpeg@FFmpeg·
Arguably the most brilliant engineer in FFmpeg left because of this. He reverse engineered dozens of codecs by hand as a volunteer. Then security "researchers" and corporate employees came along and repeatedly insisted "critical" security issues be fixed immediately, waving their CVEs. This was hugely demotivating to the fun and enjoyment of reverse engineering.
FFmpeg@FFmpeg

The maintainer of libxml2 put it very well

Alexandro Sanchez@AlexAltea·
If you consider it "Linux", GrapheneOS seems (for now) the closest we'll get to the year of Linux on phones. Any non-AOSP Linux alternative will struggle with adoption because of heterogeneous hardware/libraries and lacking ecosystem (apps). We wouldn't have a major privacy-oriented browser like Brave if @BrendanEich built outside Chromium. For the same reasons, OSS phone distros need AOSP.
Joao De Melo 🇦🇩@JoaoQueiros13·
From the PS we proposed it, together with an IRPF increase with several brackets, and, as always, we were criticised for it. I suppose time is proving us right. This is how it would look with our proposal. Only earnings above €37k would pay more, affecting the 13% of workers who earn the most.
RTVA@rtvandorra

📈 In just 4 years the number of IRPF taxpayers has doubled 💶 📊 Tax advisers favour revising the criteria to ease the tax burden ⚖️ ⏳ The reform has not been touched since 2015 ✍️ 🔗rtva.ad/noticies/econo…

Alexandro Sanchez@AlexAltea·
@PetrBenes @komercka If enough people change their scribble "signatures" to dicks, maybe it would finally sink in that they are a joke, just like the banks/governments requiring them.
Petr Beneš@PetrBenes·
Institutions (banks) that reject digitally signed documents but insist on a scanned MS Paint scribble are the reason we can't have nice things. Looking at you, @komercka