Madhurjya Roy (@mroyme)
3.5K posts

He/him. Software Engineer. Yet another human on planet Earth. All opinions are my own. 🦋 https://t.co/Bxn0m8cfRY 🐘 https://t.co/edZ7nDaNew

🇮🇳 Bangalore · Joined March 2013
737 Following · 133 Followers
Madhurjya Roy (@mroyme):
@noctarius2k The German one looks difficult because compound words don't have spaces. If you break it down, it's syntactically the same as English. The real offender is French: 999,999 is neuf cent quatre-vingt-dix-neuf mille neuf cent quatre-vingt-dix-neuf
0 · 0 · 0 · 7
Madhurjya Roy (@mroyme):
@koushik Also, FYI, you can do “actual” dev work using nothing but “ed” on Linux. Why do you install anything at all?! Block everything then and it will be the most secure system in the world. Why are you drawing the line at editor extensions?!
0 · 0 · 0 · 35
Madhurjya Roy (@mroyme):
@koushik Or that I have to work on a new programming language and I can’t have the language support extension, because it is not whitelisted!
1 · 0 · 0 · 38
Madhurjya Roy (@mroyme):
@koushik Anyway, I could have argued about how MDM systems only target GUID-based package identification. And I could just use a tarball instead of an installer package. But seems like it's not worth talking anymore, since you have decided to die on this hill.
1 · 0 · 0 · 35
Madhurjya Roy (@mroyme):
@koushik Wow! So, if someone works at your company they are stuck with only the few editors/IDEs that can support MDM policies (or you'll uninstall their editor) and forced to only live with the extensions that you as a dictator deem fit for use? Bravo!
1 · 0 · 0 · 51
Madhurjya Roy (@mroyme):
@koushik Mention one MDM software that can prevent me from using a malicious plugin on Neovim.
1 · 0 · 0 · 47
Madhurjya Roy (@mroyme):
@koushik The only IDEs that support such MDM features are the ones from Microsoft (VS/VSC), Apple (Xcode) or JetBrains. What about the rest?
1 · 0 · 0 · 80
Madhurjya Roy (@mroyme):
@ZOleander47715 @OutofGalaxyy How does that happen? I have seen games like Genshin Impact, which will download the game as data, but even then it is at the mentioned size unless you open it once.
1 · 0 · 0 · 121
-Oleander- Z (@ZOleander47715):
@mroyme @OutofGalaxyy Chinese apps are also only 700-800 MB on paper, but as soon as the download finishes, even if you never log in or use the app, it immediately balloons to the GB level.
1 · 0 · 4 · 665
Madhurjya Roy (@mroyme):
@koushik How would you even do that? You can block the extension marketplace, but you can’t block an extension. Extensions are just snippets of executable code. In fact, with editors like Neovim/Emacs, they might just be a couple of lines of Lua/Elisp that I can copy from a website.
1 · 0 · 0 · 79
koushik (@koushik):
@mroyme you don't have to block every extension. obviously we have an allowlist.
1 · 0 · 0 · 81
Madhurjya Roy (@mroyme):
@koushik In fact, you can’t even have LSP in most editors without extensions.
0 · 0 · 0 · 19
Madhurjya Roy (@mroyme):
@koushik You think extensions are just for making editors cute? With modern web frameworks, I can’t think of a single editor that works well without installing additional extensions. In fact, I’m curious what editor you use that works so well without extensions.
3 · 0 · 1 · 76
Madhurjya Roy (@mroyme):
@koushik The point is that the most secure system is the one that does nothing at all. I completely disagree with your statement about disabling extensions. It barely provides any security, if at all! There’s so many ways to get a payload to run on a given system.
2 · 0 · 2 · 79
koushik (@koushik):
@mroyme actually penmanship is part of our interview process.
2 · 0 · 4 · 445
Madhurjya Roy (@mroyme):
@OutofGalaxyy @ZOleander47715 The screenshot is misleading. The "iPhone Storage" shows the app + (all its data). For a messaging app, this could also include things like the backup of all the media that's sent / received through that messaging app. Here, none of these apps I use are Chinese.
[attached media]
1 · 0 · 2 · 924
Out of Galaxy (@OutofGalaxyy):
@ZOleander47715 Okay I’ve heard that Chinese apps are lowkey heavy, but THIS is just insane wtf
1 · 0 · 65 · 5.5K
Madhurjya Roy reposted
Mitchell Hashimoto (@mitchellh):
I strongly believe there are entire companies right now under heavy AI psychosis and it's impossible to have rational conversations about it with them. I can't name any specific people because they include personal friends I deeply respect, but I worry about how this plays out.

I lived through the great MTBF vs MTTR (mean-time-between-failure vs. mean-time-to-recovery) reckoning of infrastructure during the transition to cloud and cloud automation. All those arguments are rearing their ugly heads again but now it's... the whole software development industry (maybe the whole world, really). It's frightening, because the psychosis folks operate under an almost absolute "MTTR is all you need" mentality: "it's fine to ship bugs because the agents will fix them so quickly and at a scale humans can't do!" We learned in infrastructure that MTTR is great but you can't yeet resilient systems entirely.

The main issue is I don't even know how to bring this up to people I know personally, because bringing this topic up leads to immediate dismissals like "no no, it has full test coverage" or "bug reports are going down" or something, which just don't paint the whole picture.

We already learned this lesson once in infrastructure: you can automate yourself into a very resilient catastrophe machine. Systems can appear healthy by local metrics while globally becoming incomprehensible. Bug reports can go down while latent risk explodes. Test coverage can rise while semantic understanding falls. Changes happen so fast that nobody notices the underlying architecture decaying. I worry.
498 · 1.8K · 14.2K · 1.4M
Madhurjya Roy reposted
Socket (@SocketSecurity):
🚨 UPDATE: Mini Shai-Hulud has crossed from @npmjs into @pypi and is still spreading. Newly confirmed compromised artifacts:
- @opensearch-project/opensearch: 3.5.3, 3.6.2, 3.7.0, 3.8.0 (1.3M weekly downloads)
- mistralai: 2.4.6 on PyPI
- guardrails-ai: 0.10.1 on PyPI
- additional @squawk/* packages on npm

guardrails-ai 0.10.1 executes malicious code on import. On Linux, it downloads git-tanstack[.]com/transformers.pyz, writes it to /tmp/transformers.pyz, and runs it with python3 without integrity verification.

The git-tanstack[.]com domain displayed a message signed “With Love TeamPCP,” along with: “We've been online over 2 hours now stealing creds Regardless I just came to say hello :^)” The page also linked to a YouTube video and you can probably guess which one.
[attached media]
62 · 487 · 2.3K · 958.9K
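A defender-side inventory check for the artifacts Socket lists above, added here as an example and not code from Socket or from the affected projects. It takes `pip freeze` output and the `packages` map of a `package-lock.json` as input, handles PEP 503 name normalization so spelling variants of guardrails-ai still match, and flags the unversioned `@squawk/*` scope for manual review; the sample inventories at the bottom are constructed.

```python
"""Audit a pip/npm dependency inventory against the compromised artifacts
named in the Socket post above. Package names, versions and the /tmp path
come from the post; the sample inventories at the bottom are constructed."""
import os
import re
COMPROMISED_PYPI = {"mistralai": {"2.4.6"}, "guardrails-ai": {"0.10.1"}}
COMPROMISED_NPM = {
    "@opensearch-project/opensearch": {"3.5.3", "3.6.2", "3.7.0", "3.8.0"},
}
REVIEW_NPM_SCOPES = ("@squawk/",)  # post gives no versions: flag for review
DROPPED_PAYLOAD = "/tmp/transformers.pyz"  # where the dropper writes its payload

def audit_pip_freeze(lines) -> list:
    """Return compromised 'name==version' entries from pip freeze output."""
    hits = []
    for line in lines:
        m = re.match(r"^\s*([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if not m:  # skips blanks, comments, editable/VCS installs
            continue
        # PEP 503 normalization so Guardrails_AI matches guardrails-ai
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        if m.group(2) in COMPROMISED_PYPI.get(name, ()):
            hits.append(f"{name}=={m.group(2)}")
    return hits

def audit_npm_lock(packages: dict) -> tuple:
    """packages = 'packages' map of a lockfileVersion>=2 package-lock.json."""
    hits, review = [], []
    for path, meta in packages.items():
        name = path.split("node_modules/")[-1]  # last segment: nested deps
        version = meta.get("version", "")
        if version in COMPROMISED_NPM.get(name, ()):
            hits.append(f"{name}@{version}")
        elif name.startswith(REVIEW_NPM_SCOPES):
            review.append(f"{name}@{version}")
    return hits, review

def dropped_payload_present(path: str = DROPPED_PAYLOAD) -> bool:
    """Host-level indicator from the post: the payload file exists on disk."""
    return os.path.exists(path)

# Constructed sample inventories, not real environments.
SAMPLE_FREEZE = ["Guardrails_AI==0.10.1", "mistralai==2.4.5", "requests==2.32.3"]
SAMPLE_LOCK = {
    "node_modules/@opensearch-project/opensearch": {"version": "3.7.0"},
    "node_modules/foo/node_modules/@squawk/cli": {"version": "1.0.0"},
}
```

Exact-version matching is deliberate: a later clean release of the same package should not trip the check, while a scope the advisory names without versions is surfaced for a human to look at.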