Unlurker|Replay|About
↙ time adjusted for second-chance
Post-mortem of Shai-Hulud attack on November 24th, 2025 (posthog.com)
Long story short: they messed up the assign-reviewers.yml workflow, allowing external contributors to merge PRs without proper reviews. From this point on, you're fully open to all kinds of bad stuff.
Wow, I hate this website to be honest. So much of the space is taken up by all these "bars" on my already small screen.
Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting. https://news.ycombinator.com/newsguidelines.html
This is a great writeup, kudos for the PostHog folks. Curious: would you be able to make your original exploitable workflow available for analysis? You note that a static analysis tool flagged it as potentially exploitable, but that the finding was suppressed under the belief that it was a false positive. I'm curious if there are additional indicators the tool could have detected that would have reduced the likelihood of premature suppression here. (I tried to search for it, but couldn't immediately find it. I might be looking in the wrong repository, though.)
Posthog's website design feels like a joke that went a bit too far
Other than the silly design, the website's cookie banner is actively malicious. It proclaims to be legally required and directly blames the President of the European Commission. If Posthog is being truthful about its cookie usage, the cookie banner is in fact not legally required. Consent banners are only required if you're trying to do individual user tracking or collecting personally identifying data; technical cookies like session storage do not require a banner. That they then chose to include a cookie banner anyways, with explicit blame, is an act of propaganda clearly intended to cause unnecessary consent banner fatigue and weaken support for the GDPR.
So it wasn't phishing attack? Wonder how those bot access tokens got stolen.
It explains in the article under "Why did it happen?".
They do explain all the details how the got the tokens stolen.
They explain how. “ At 5:40PM on November 18th, now-deleted user brwjbowkevj opened a pull request against our posthog repository, including this commit. This PR changed the code of a script executed by a workflow we were running against external contributions, modifying it to send the secrets available during that script's execution to a webhook controlled by the attacker. These secrets included the Github Personal Access Token of one of our bots, which had broad repo write permissions across our organization.”
Which shows the danger of keeping build scripts in your repos and letting users update them themselves.
Oh. I mist be blind. Well, that's a warning for all.
I didn’t know what Posthog was before this event but the website is so unusable on Safari on MacOS or iOS for me i’m surprised I stuck through to discover the product.
Without JavaScript, all I get is a background image and a top "navigation bar" where the only thing that's actually operable at all is a signup link. Which then goes to a completely blank page. I still don't know what Posthog is, but I'm now committed to never using it if I can at all help it.
Curious, I pressed "X" on the blog post. It went away, leaving me with the fake desktop view at "posthog.com". Ok, fine. How do I get back? I pressed the back button on my browser. The URL updated to be the blog post's URL. A good start. But the UI did not change, leaving me at the desktop view. Many moments like these if you use Posthog
Show HN: Nano PDF – A CLI Tool to Edit PDFs with Gemini's Nano Banana (github.com/gavrielc)
> Converts an image to a single-page PDF with a hidden text layer using Tesseract. This is the 'State Preservation' step. Does this mean the text only pdf page is transformed into an image that covers the full page, but the text is still under there. So, any machine based extraction would still get the text, but would probably loose all the bounding box information and regular users cannot just use their mouse to select text anymore?
Nice - but consider adding an animated screengrap like: https://github.com/pythops/oryx
Very nice! I wonder whether that could be used to get LLMs to annotate pdfs. Say an "agentic" CLI like Claude Code or Gemini-cli reviews a pdf and finds typos, could it use this to annotate the pdf like underlining them in red or something of that sort? That could be nice.
How cool! It's frustrating how tedious many PDF workflows still are. I've been building something similar in this space[0], but web-based where you visually specify the area to edit. The biggest issue for now is the cost per edit as the Pro version amounts to roughly $0.15/image. However, with some finessing, the original Nano Banana seems to do a great job as well. Have you explored UI-based approaches yourself by any chance? [0] https://docusera.com/
All it takes is for one to work out (alearningaday.blog)
Unfortunately, the "one" which accepts you, is no guarantee of it being the one which "works out" (in the short or long term). My experience is now 4x "found one that ultimately doesn't work out" (each lasting 2 to 3 years). I'm now taking time out to try to figure out how to escape the confines of the career path I've taken to find something different. Open to suggestions of entirely different careers that I could switch to that might have higher odds of not being toxic rat-races full of people telling lies and bullshit just to survive. But broader experience suggests the world of work just sucks these days (and yes, it's these days - our parent's generation had a brief period of doing 9-to-5 jobs which paid well enough to afford homes, have families and social lives and holidays. We don't get that now.). No wonder large numbers of my generation are dropping out of the workforce...
It took me an embarrassingly long time to realize this wasn’t about exercising.
Taking a break from studying for my interview in two days at a FANG company, I checked Hacker News and this article was at the top. I've been studying for this interview harder than any of the others in the past. I feel well-prepared, but there's always the luck factor. I hope this is a sign that this interview will be the one to work out!
This is a great approach! After every opportunity that closed on me another arose, and it always was the better one. Through these experiences I totally agree, and try to apply it to life, but it's hard, even knowing that it's true. How cool is it for every college, person, job offer, scholarship to want you? Even though we're looking just for "the one" it's very hard for me to mitigate the feeling of getting rejected, even knowing it was not "the one". Rejection generally hurts, when you care about the goal
On a much less optimistic dark humor note, this is the same argument in If Anyone Builds It, Everyone Dies about a superintelligent AI emerging and being a threat to humans. https://en.wikipedia.org/wiki/If_Anyone_Builds_It,_Everyone_Dies
Beautiful piece and reminder. If you're never done growing, you're never done peaking, nor ever really done trying. One working out can lead to the next way. Wishing everyone well who this piece resonated with.
The article is good, but I am more impressed by how the author has been posting every day since May 12th, 2008.
Bait & switch, though. “All it takes is for one to work out.” is not the same as "You just need the one [job] that’s the right fit. " or "You just need the one [house] that feels like home. " or "You just need the one [life partner]." Author's examples are, spiritually, the opposite of their friend's advice - in fact, "all it takes is for one to work out" is something often said to people who lost hope because they got lost being too picky .
Simplifications always leave something out. It's like the three body problem: people think one factor matters most, and one other factor controls it. But once they realize there is a third factor that alters one or the first two, or mediates between them, it gets more complicated.
The “one that works out” can also give you a misrepresentation of how the world works and a false sense of how lucky one should expect to be over a long period of time. At an earlier point in my life, I had been applying to many well-known big tech companies right out of school (not a top school either). I never got a reply from any of them so I ended up accepting a local job with a non-tech company after months of searching. But I didn’t give up my hopes and kept applying to big tech, and while I did manage to get the occasional interview with some mediocre companies or the random startup, I also miserably failed all of them too. At some point during my long period of despair at never getting a better job, my very top pick (and arguably one of the best tech companies in the world at the time) reached out to me. Even more miraculously, I somehow passed their interview (the only tech interview I passed in the prior year) and accepted a job there. I really enjoyed working there. Some of the best few years of my life. And my performance reviews were great too, so the imposter syndrome from having failed so many tech job interviews sort of faded into the background. But after a few years, perhaps due to the “hedonic treadmill” mentality, I thought I could do better. So I left to join a startup. Well, the startup failed, as startups tend to do, but what I didn’t expect and what caught me off guard was that I was now back in the same situation I was in right after graduating from college. Don’t get me wrong—having “the name” on my resume now meant I could get at least one chance at an interview about anywhere. But much like the first round that I tried to forget about, I once again failed all the interviews. Unfortunately, this second time around never procured a “get out of jail free” card. So I guess my lesson is: 1) there’s a lot of luck involved in these things, 2) if life gives you a winning lottery ticket at some point, don’t throw it away for the chance to win an even bigger lottery, and 3) that famous saying about “the only actions regretted are those not taken” is absolutely, totally wrong—almost all of my regrets in life relate to taking some action I shouldn’t have rather than inaction.
Corollary: Choosing _not_ to do something is as much an action as choosing _to_ do something. Which shines a bright light on the meaninglessness of the phrase “the only actions regretted are those not taken”.
It just sounds like you are in a middle of another journey my friend.
A lot of people experienced that during the 2020 boom. The lucky break wasn't a lucky break it was just a huge hiring boom. Once that's over the status quo returns.
My lucky break occurred many years before the pandemic, but after the original dotcom boom. Companies were neither hiring nor firing like crazy.
I thought HN is supposed to upvote articles that gratifies one's intellectual curiosity. Does this article gratify intellectual curiosity? I don't understand why these shallow feel-good articles devoid of any intellectual curiosity always get upvoted to the top! There are so many high effort, substantive articles at https://news.ycombinator.com/newest that nobody upvotes!
because even when it isn't why people come here, and if there was too much of it you may be right - a message which brings up a smile or warm feeling is enough for people to be thankfull and that is a good thing
This is why having a safety net and resources to try again is so powerful. Given enough chances you will make it, big. That means the #1 factor in success is the number of chances you get to fail and try again, not necessarily how inherently good you are. I try to remind myself of this often. I have been given so many chances, and I took them.
This always sounded intuitively correct to me, but looking back over the past two decades basically all of the successful entrepreneurs and business owners I know didn’t come from families with a lot of resources and didn’t have much of a safety net. They just went all in on their goals when they were young and had many years ahead of them to start over if it all went wrong. Contrast this with some of the people I grew up who came from wealthy families: A lot of their parents pushed them toward entrepreneurship and funded their ventures, but to date I can only think of one business from this cluster of friends that went anywhere. When you come from such resources and wealth that you don’t need to succeed and you can drop the business as soon as it becomes difficult, it’s a different situation. I don’t know exactly what to make of this, other than to remind myself to keep pushing through the difficult times for things I really want even when I could fall back to an easy path and give up.
Well said, this is the real game to pursue. Best of continued luck.
We job hop, have multiple hustles. Many people on this board have started multiple companies, sometimes at once, on an ongoing basis. Do you only want just one friend? People tend to have multiple romantic/sexual entanglements, sometimes at once, but generally more than one over a lifetime. I think this can be a useful maxim to get you to the next day, but in reality it takes a lot more than one of anything for a fulfilling life. We grow and change and need novelty. We are held in a web of interdependent, ever-shifting relationships - with people, businesses, material goods, ecology. I think that generally people are seeking connection in a broader sphere. To be held in community, to have multiple significant identities (mother/wife/boss), to live in richness and abundance where any one thing is not make or break.
We can try to walk in 10-20 directions at the same time and move a tiny direction all, or none. Or we can realize we have some things to learn that we will learn no matter whether we pick the startup, or job to learn transferrable skills and also become better well rounded.
> in reality it takes a lot more than one of anything for a fulfilling life We seem to view "reality" through different lenses. I've usually found "one" to be a magic number; as long as it's the "right one." That's the gist of what he's saying. In my experience, needing more than one, often signals issues that need closer examination. In my community, we have a joke: "An addict is someone that needs two One-A-Days."
Getting from zero straight to the one is like winning the lottery. Most people need to get through multiple "ones" to find "the one".
Agreed. It’s not what I’d call a “fulfilling” process, though.
You've been trying for a long time. What do you do if the job that makes you an offer doesn't excite you? What if the house that feels like home needs more repairs than you can afford? What if the program that accepts you has crappy funding? What if the person who chooses you has red flags? Do you say "screw it," cross your fingers, and walk through the door that kind of sucks? Or do you keep looking as long as your resources last you?
Maybe consider that we are all calibrated to standards that are this hodgepodge of other people’s messaging of what standards should be, and they communicate them for a variety of reasons, very few of which are truly designed for your reality, your situation. So when you say, ‘kinda sucks’, perhaps ask if the opinion is grounded in (your) reality? Once recalibrated to accept that what we are in, is inescapable true life, then we stop looking for something better, and instead focus on the challenge of making it better than it should naturally be. Happiness I believe, is a decision, we choose it when we feel it’s a sustainable perspective. I think it’s sustainable to allow ourselves to be happy, whenever we achieve marginal improvement on what is natural.
Often the "one" you need isn't the ideal, it's just what gets you into the market. I'm thinking a job that gets you some experience and much needed pay or a property that lets you build equity while prices continue to climb.
Be Like Clippy (be-clippy.com)
Cool they have NFTs
In before a new co-opted msoft/google clippy v2 comes out with all the ai/advertising goodness we love to hate. Get your movement diluted and confused before it even gets off the ground.
Interesting how many people in a hacker forum seem to be so pro-establishment and instead try to denigrate the goals of this initiative because of the chosen character. I guess that's how many earn their dollar after all? Sure, if it had been today, Clippy would have been evil but that's the point, it wasn't back then. Why are we so accepting of the change?
I was around when Clippy was introduced. It was universally hated. If anything, Clippy would be a good mascot for intrusive AI tools and services that harvest our data without regard for our privacy, not least because Clippy constantly monitored user actions just so that it could interrupt them. If we want a mascot for tools that respect our data, it should definitely be something far less evil than Clippy.
The assistant's name is Clippit , not Clippy.
Clippy was the nickname people gave it.
My grandmother loved clippy. Melinda French Gates back when she was Melinda French had a part in Clippy. “Melinda French (then the fiancée of Bill Gates) was the project manager of Microsoft Bob” Microsoft Bob is where Clippy was born. Reference: https://www.artsy.net/article/artsy-editorial-life-death-microsoft-clippy-paper-clip-loved-hate
i spent a lot of time playing with microsoft bob. i don't know what you were actually supposed to do with it, but in real life i spent a lot of time building houses/forts so i did that in bob too. in a different era i'd've just done all that in minecraft.
Quite the opposite: clippy was useless but not hostile which is a sobering contrast to software that is hostile and therefore worse than useless. It's a cute nostalgic way to say "the bar was on the floor and you blew it anyway."
Clippy was definitely hostile. It would constantly monitor user actions just so that it could interrupt us. Wasted CPU cycles and our time when CPUs weren't very fast. Clippy was hated by everyone. It was not just useless. It was intrusive, wasteful, and hostile. I can't believe my eyes that anyone could think that Clippy is an appropriate mascot for anything good. If anything, Clippy would be a good mascot for the trillion dollar companies that exploit our data.
I think GP is using "hostile" as a synonym for "malicious". Yes, Clippy was disruptive to your workflow, but it wasn't (as far as I know) exfiltrating private data, installing malware, trying to sell you on Bitcoin, etc.
more like choosing an assault rifle as your logo if your movement is to ban nuclear weapons.
Clippy really ... wasn't bad? It mostly stayed out of your way, occasionally showed a button to perform a useful task, and could interact with the help system without having to click through 3 menus. It wasn't a panacea but it was at least positive-value, unlike most current AI.
the meme of "omg, clippy sucked and was sooo annoying" has overshadowed the actual level experience from back in the day. nobody used clippy, but nobody expressed vitriol. you just easily dismissed it and went on with your business.
Random website claims: >In June 2021, Microsoft applied for a Clippy image trademark. Familiar with that at all?
There's trademark 90782739, which covers Clippy. It's trademark status is 641, "Non-Final Action".
Ported freetype, fontconfig, harfbuzz, and graphite to Fil-C (twitter.com)
If Fil-C requires complete recompile of ".c" code how does it deal with calls to the OS - Does it rewrap them (like Go?). I'm bit uncertain here...
It uses a sandwich; see https://fil-c.org/runtime
What is the actual catch with Fil-C? Memory safety for C based projects without a complete rewrite sounds like a very good idea, but there must be some pitfalls in this approach which this would not work in some cases. In some other memory-safety circles (Rust, Zig, etc) I'm going to expect that this is going to be heavily scrutinized over the claims made by the author of Fil-C. But great work on this nonetheless.
> What is the actual catch with Fil-C? It sounds like Fil-C combines the ergonomics of C with the performance of Python. It might have a beautiful niche for safely sandboxing legacy code. But I don’t see any compelling reason to use it for new code. Modern GC languages are much more ergonomic than C and better optimised. C#, Java, JavaScript and Go are all easier to write, they have better tooling and they will probably all perform as well or better than Fil-C in its current state.
Almost all uses of unsafe in Rust are either for FFI, or to avoid the overhead of things like ref-counting. If you use, eg, Rc RefCell everywhere you will achieve safety without issue.
> Almost all uses of unsafe in Rust are either for FFI Which makes Rust less safe than Fil-C. Consider that you have a dependency like libc, PAM, openssl, or the like. In Rust: you will `unsafe` call into the unsafe versions of those libraries. Hence, even if your Rust code is safe in isolation, your program is not safe overall because you're pulling in unsafe code. In Fil-C: compile those dependencies with Fil-C, and then the whole process is safe.
Framework Computer Now Sponsoring LVFS / Fwupd Development (phoronix.com)
The net finally caught something actually useful.
This is nice, but I still will not consider a Framework as long as they continue supporting DHH and his projects: https://tekin.co.uk/2025/09/the-ruby-community-has-a-dhh-problem I regret my purchase and would buy a different brand in the future.
I'm not a huge fan of Ruby on Rails either, but despite this I'm pretty happy with my Framework laptop.
Who/what is DHH?
David Heinemeier Hansson, creator of Ruby on Rails. Everyone who knows that abbreviation seems to have a strong opinion on the guy for some reason.
Electric vehicle sales are booming in South America – without Tesla (reuters.com)
In South America there's also no anxiety over China becoming a superpower, which may be an argument against Chinese products in the US. In fact, China has pretty good relations with most South American countries. Likely better than the US. I wouldn't be surprised if many people view China more favorably.
The average person in the west isn't losing sleep over China either. That anxiety is mostly manufactured by the media pushing the narrative that they are an existential threat. Maybe they are, I don't know. But what I do know is that western companies love it when they can sell you overpriced products made in China, but panic the moment chinese companies sell the exact same product at a fair price.
When I grew up in Germany it always made me proud that 100% of taxis were Mercedes Benz. If a car can withstand the rough demands of taxi service, it has to be good. And even in South America back then German cares were ubiquitous, especially Volkswagen. When I was in Brazil this spring[*] I rode a lot of Uber and they were 100% BYD - 100%, no exception. It's not that my head hadn't known that German auto was dead but seeing it playing out like this hit hard. [*] northern hemisphere
Sadly the German car industry has lost its way in the EV transition and is now vainly trying to get the EU to rollback the sun setting of ICE car sales in 3035. Meanwhile the Chinese are eating their lunch.
I've been riding a German electric motorbike for a couple of years, and before that, German electric mopeds. I think there is a lot of innovation in the German electric vehicle industry. I am quite excited for BTM, my bikes manufacturer, to design and release new versions of their platform. This model is distinctly German.
In Europe didn’t basically all brands take a hit? It was framed as Tesla falling behind but it’s more that Chinese EVs are so cheap, nothing can compete. Even within China the competition is insane, with over 100 car companies fighting to survive and giving out big discounts.
No. VW is up 78% and the market in general EV sales is up by 22%. It is actually just mostly Tesla doing poorly. https://www.best-selling-cars.com/electric/2025-half-year-europe-top-electric-car-brands-and-bev-models/
It isn't just Chinese EVs there are Korean brands on the road e.g. Jaewoo. https://jaecoo.co.uk/ I'm in the UK and the only new Fords I see are these huge F250/F350 which make my 4x4 (which is relatively small compared to a modern 4x4) look tiny.
You managed to write the name wrong, Jaecoo not Jaewoo, and it's chinese not korean. On top of that it's a throwaway account.
What, has it been a decade of HN’ers calling for imminent demise of Tesla. Meanwhile I’ve been laughing and buying all the way to the bank. Keep on doubting.
Tesla will report a very bad 2025 and my prediction is that the stock will go up anyway. The valuation is totally detached from the fundamentals. Tesla is a company which is falling behind in technology and there is not much indication that they will br able to fix that. But stock will likely stay high for a long time anyway.
> The only reason why cars are the size and shape they are is because ICE engines couldn't be made smaller. Electric engines on the other hand are small enough that I can have the chassis of a fully functioning car be light enough to lift by one man. Nope, the Smart existed for quite a while. Safety standards made cars slightly bigger (e.g. the new Renault Twingo is bigger than the original), but modern American "cars" are massive because that's what marketing has convinced Americans it's what they need. American vehicle manufacturers are pretty terrible at everything, and efficiency standards nudge them that way anyways, so making massive cars with high margins is a good deal for them. In Europe there are SUVs, but the average car is a VW Golf or a Renault Clio sized. They are pretty decently sized, good visibility, can fit a family of 4, etc. Yeah, you can't haul a 50 ton campervan offroading up to Kilimanjaro, sure, but that's not what 99% of car trips are for. > I think we will see small, light weight and intrinsically pedestrian safe cars made of tubes and canvas replace the heavy monstrosities we have now. Renault Twizy ( https://en.wikipedia.org/wiki/Renault_Twizy ) exists, but doesn't sell all that well (compared to "normal" cars). The Citroen Ami ( https://fr.wikipedia.org/wiki/Citro%C3%ABn_Ami_(2020) ) is pretty popular in certain places (saw a ton of them in Amsterdam and semi-rural areas in France).
>but the average car is a VW Golf or a Renault Clio sized That hasn't been the case here in a long time. SUVs and crossovers are outselling all other categories.
The lightning isn’t selling, almost at all.
Must be from the ferocious competition from the CyberTruck. (</s>, in case it wasn't obvious -although the CyberTruck does seem to be beating the Lightning in negative sales).
> Also, F150 lightening is such a failure. There was a recent video of it trying to haul very minimal load and it pretty much drained the battery in less than 100 miles. Was that due to something specific with the Lightning, or was it just due to the intrinsic energy requirements of hauling loads? (Or in other words, does an EV even exist that's notably better at hauling loads?)
TBH, those tests are mostly marketing failures. EV trucks aren't really good at hauling trailers over large distances, as the aerodynamics produce a massive impact on range. Multiple tests have shown this by showing 50% or more range reduction from pulling lightweight, non-aerodynamic loads. The marketing failure is that the companies have allowed consumers to incorrectly extrapolate from this to thinking that heavy loads in the bed have the same issue. They actually don't as weight is a minimal impact on range. Unfortunately, every thread about carrying sheetrock, rocks, mulch, etc shows how misinformed the average consumer has become in this space. It has to be a significant impact on sales, given that in the US these are the only heavy loads carried by >50% of the half ton pickups sold here.
> Ford has said unequivocally that they'll never make an all-electric muscle car What’s the thinking here? Pandering to some market segment? It sounds like they are organising the deck chairs in the titanic. Edit: I tried looking into the comment. It seems he was referring to Mustangs specifically, which is weird as they do make an electric one (assuming you agree it’s a ‘real’ mustang). I’m confused.
It’s not though. Just borrowing the name as they said.
For a while maybe, but cheap EVs are being manufactured in Europe as well, and while this could reduce petrol prices, it's also going to reduce the need for petrol stations, and I think makes petrol basically dead even in a cheap-petrol scenario. A Renault Twingo is going to cost something like 20,000 euros. That's twice the price of a Dacia Sandero, but a Dacia Spring is 16,900. The difference is only 4000, which could easily be a year's petrol.
A modern small and medium-sized car in Europe consumes like 4-6 liters/100 km. Even if one drives 15 thousands km/year (way above average) that gives like 900 liters of gasoline per year or like 1500-1700 euros with typical European prices. And electricity is not free especially when using fast chargers. So at the end the savings is about 500-1000 euros per year. Which still is a good deal, but explains why people prefer to buy small gasoline cars. I think electric car premium must be below 2 thousand euros plus infrastructure must improve before gasoline car sales in Europe start to collapse.
This is what makes the innovator's dilemma repeat itself so many times in so many industries. It's not that the incumbent companies don't see the new technology; it's that they're so entrenched in what they know how to do that pivoting to the new technology is basically a Hail Mary no matter how you do it. Do it too early and your shareholders are going to think you're crazy. Do it too late, and you're risking entering a new market as the chaser with a bad hand of company, employees, and board that don't have any idea of what they're doing.
Exactly, usually the companies know what's coming up, like you said. But, properly shifting gears to play a new game requires that you act like a startup again. It likely requires foregoing the fat margins you were used to. And it likely requires going back to the drawing board and actually learning from the market. And this is what companies find it hard to do. To be fair, I think that is not so bad a things. Companies should rise and die naturally. A few companies monopolizing markets forever does not seem good.
Student Perceptions of AI Coding Assistants in Learning (arxiv.org)
Knowledge not earned is not gained.
Well said. I’ve often been able to trick myself into thinking I’ve learned something, especially if it is somewhat intuitive. But unless I practically apply what I learned, my retention is quite low.
I am not a student and I wonder often whether we fill in memorization for the idea of learning, as though it’s somehow more valuable to be able to write valid syntax from memory on a blank file than it is to know and practice the broader strokes of abstractions, operators, readability and core concepts which make up good software craftsmanship. Sometimes I’m doing something in a new to me language, using an LLM to give me a head start on structure and to ask questions about conventions and syntax, and wondering to myself how much I’m missing had I started just by reading the first half of a book on the language. I think I probably would take a lot longer to do anything useful, but I’d probably also have a deeper understanding of what I know and don’t know. But then, I can just as easily discover those fundamental concepts to a language via the right prompt. So am I learning? Am I somehow fooling myself? How?
Testing Regurgitation on concepts or process is a large part of what learning is too often the case.
You should only use the word learning (without scare quotes) if it’s something you believe is learning. One of the first precepts of ML is that “memorization is not learning”. Learning is generalization, application to new circumstances. Schooling might not have learning as a product, but that’s a different problem.
last sentence in your first paragraph has nothing to do with the current state of the internet and certainly not AI. first sentence? turns out governments can still get away with pretty much anything and propaganda is easier than ever.
> propaganda is easier than ever. It is so much harder now. There are people who are willfully ignorant now, almost proud to be; snooty about it. But it's impossible for governments and institutions to lie like they used to be able to. People are trading primary source documents online within the day. It's why the popularity of long-ruling institutional parties is dropping everywhere, and why the measures to stop people from communicating and to monitor what they're saying are becoming more and more draconian and desperate.
Just FTR - I read them as being facetious
Poe's Law applies. There are far, far too many people who genuinely think disabled people should just disappear or die for it to be "safe" to be facetious about that without a clear sarcasm indicator.
Zero knowlege proof of compositeness (johndcook.com)
To be honest I feel like I have seen much better expositions of zero knowledge proofs. The playing cards example is nice in some ways, but people are often exposed to trickery regarding playing cards. The recipient of the proof needs to verify that the deck of cards is a normal deck of cards, that no cards have been swapped out or altered, etc. These are all precisely the things that magicians are regularly able to fool people about. So really you have to make an additional assumption of "no funny business", which distracts from the mathematical core of what you are trying to demonstrate. Likewise, the example of compositeness is a bit off because even though there is knowledge about the composite number that the proof does not reveal, that knowledge is in fact not known the to person constructing the proof either! The proof is not really zero knowledge either, since it gives the reader knowledge of a specific witness to its compositeness. Even the wikipedia example of going into the cave (which used to be featured more prominently in the article) I think is terrible. Why wouldn't you just walk a loop to prove you know the way through the secret door? Also, it's clearly not zero knowledge, as it reveals some information about how quickly they can pass through the gate. In general I think avoiding physical examples is necessary, since reality is complicated, and in the real world some information always leaks. I think the best example for teaching about ZKPs is the graph isomorphism problem: Given two large graphs, you can prove that you know a isomorphism between two graphs by generating a new randomly labeled graph that is isomorphic to both of them and showing it to the provee, who can then ask you to demonstrate that this new graph is isomorphic to either graph A or graph B. Since you don't know ahead of time which one they will ask for, the only way you could consistently pass this test is if you actually do have a graph that was isomorphic to both A and B simultaneously. But since you only reveal one of the isomorphisms, it really is zero knowledge.
>> I don't think a digital signature is a Zero-Knowledge Proof because someone else could copy and paste the signature and then it would look like they know the key, and because other third parties could check whether the signature was valid or not. One of us is confused. You can't copy a digital signature in a useful way. Without the message it doesnt mean anything. With the message its proof that the message was signed by someone with the private key. To meet your second two (arbitrary) requirements, have the signer encrypt the signed message with your public key before sending it to you.
They're not my arbitrary requirements, see https://en.wikipedia.org/wiki/Zero-knowledge_proof Specifically: > In light of the fact that one should be able to generate a proof of some statement only when in possession of certain secret information connected to the statement, the verifier, even after having become convinced of the statement's truth by means of a zero-knowledge proof, should nonetheless remain unable to prove the statement to further third parties.
I think it’s the original quote that is unclear: > a digital signature proves your possession of a private key without revealing that key. Signatures do not themselves do this; but they can be used to construct a protocol that does (e.g. the provee provides a random challenge that the prover must sign). But still this is not AFAIU a zero-knowledge proof as the signature is itself “knowledge”.
I think a definition of the security of a signature scheme is that a computationally limited attacker should not have a non-negligibly better than chance guess of the secret key. I think some of the “ZKP” techniques are supposed to only be “ZK” for a computationally limited observer? Though I may be mistaken, and maybe non-interactive ZKP schemes are only assuming that the prover has limited computational resources, not that the observer/attacker hoping to get information from them does?
I can certainly explain it more, a question of "better" is debatable! Here's the process: (A) You give me a graph to 3-colour; (B) I claim I can 3-colour it; (C) You demand that I prove it; (D) I colour it with colours ABC and cover the vertices; (E) You point at an edge; (F) I reveal the colours of the vertices at the ends of the edge; (G) If I have coloured the graph then the colours revealed will always be different; (H) We repeat this process with a permutation of the colours between each trial; (I) If I'm lying then eventually you'll pick an edge where either the vertices are not coloured, or the have the same colour. (J) This process reveals nothing about the colouring, but proves (to some level of confidence) that I'm telling the truth. So ... what's unclear? Instructions on how to email me are in my profile if you prefer ...
How do I know/prove that you're not just saying any random two colors for whichever edge I choose?
We're learning more about what Vitamin D does to our bodies (technologyreview.com)
I've read hundreds of dust mite studies, and this is the conclusion I came to, but it's difficult to put in a direct single argument with a citation that most people would require to accept it. I also got dust mites entirely out of my home and my chronically low vitamin D was resolved without a change in lifestyle or supplementation. But I'll do my best to share some of the steps toward this conclusion: #1. There is a body of molecular research showing dust mite allergens directly damage the immune system, most importantly once you inhale their fecal pods, they cause epithelial permeability in the lungs. (this study is a good overview of several ways it directly damages the immune system, all of which are totally unrelated to type 1 hypersensitivity, btw: https://www.jacionline.org/article/S0091-6749(18)30848-0/fulltext ) #2. There are challenge studies that show dust mites directly causing eczema symptoms after inhalation, which shows that dust mite allergens can act on areas other than the respiratory system, probably by entering the blood stream. Of course there are also challenge studies for asthma. (here's a paper arguing for causal role in asthma https://www.atsjournals.org/doi/full/10.1164/rccm.200811-1756pr ) #3. All of the major allergic diseases(asthma, eczema, rhinitis, and although it is not as well studies, I believe IBS) have epithelial damage and increased allergy as a core feature of the disease. #1 and #2 are good evidence that dust mites play a causal role in these diseases #4. From asthma and epithelial permeability in the lungs you can get to worse outcomes from flu and covid etc, from rhinitis you can get to worse sleep and worse mental health etc and reach a large number of health outcomes. #5. It's true that people with allergy suffer worse from all these problems, but so much damage has already been done before you even get to Type 1 hypersensitivity, but that's another story. So basically, dust mites directly damage your immune system in the lungs, skin, nose, eyes, guts(and maybe more?), create a sustained immune response, and leads to a multitude of other bad health outcomes. And since low vitamin D is associated with dust mite sensitization(( https://www.worldallergyorganizationjournal.org/article/S1939-4551(24)00021-8/fulltext ) , it's also associated with all those other bad health outcomes that are actually caused by dust mites. People have a mental model that vitamins are at the root level of causality, and therefore don't consider that vitamin D could also be caused by dust mite exposure. IgE levels are inversely associated with vitamin D: https://www.nature.com/articles/s41598-020-77968-1 But supplementing vitamin D doesn't lower IgE: https://publications.aap.org/pediatrics/article/150/Supplement%203/S7/189978/Effect-of-Vitamin-D-Supplementation-on-Total-and?autologincheck=redirected And of course high IgE is directly caused by exposure to dust mites if you're sensitized. I don't know the specific mechanism by which they cause low vitamin d, but two possibilities are that #1: the high and sustained immune response your body runs from constant dust mite exposure consumes vitamin D and acts like a leaky bucket. #2: dust mites somehow disrupt vitamin d production in the skin(e.g. there was one study showing https://www.jacionline.org/article/S0091-6749(13)01768-5/fulltext )
This helps. Thanks!
"Putting the entire population on vitamin D supplements would be too expensive for the country’s national health service, he told me." This seems absolutely bonkers. Vitamin D is dirt cheap, and if you can think at all beyond first-order effects, the improvement in immune health alone would likely pay for itself in terms of cost to the healthcare system.
The amount of money lost treating sick people who now have renewed vigour to solve other problems in their life would be just too much
You’re warning people to be cautious of taking Vitamin D… because you had problems with potassium supplements? Those are entirely different things with entirely different risk profiles.
K2 is synthetic cannabinoid inspired by THC
I mean, you're not wrong, but that's not what the discussion is about. There's Vitamin K1 and Vitamin K2. Vitamin K2 is frequently taken alongside Vitamin D.
I checked the ingredients. That is because it contains glycerin. Which is a great and safe supplement to take for anyone with sleeping issues. But will cause very vivid dreams at the start. D3 will not by itself have a huge effect on dreams.
my bottle of Nature Made D3 also contains glycerin
↙ time adjusted for second-chance
Hardening the C++ Standard Library at scale (queue.acm.org)
Imagine hardening the regex library, its already as slow as molasses.
by deleting it?
How does this compare to _GLIBCXX_ASSERTIONS in libstdc++ (on by default in Fedora since 2018)?
My understanding that this is like that but both libstdc++/libc++ have been doing more since. Additionally, Google did a blog not to long ago where they talked to actual the performance impact on their large C++ codebase and it averaged about 0.3% I think https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html Since then, libc++ has categorized the checks by cost and one can scale them back too.
Interesting how C++ is still improving; seems like changes of this kind my rival at least some of the Rust use cases; time will tell
> Interesting how C++ is still improving its not
I’m not really sure how checks like this can rival rust. Rust does an awful lot of checks at compile time - sometimes even to the point of forcing the developer to restructure their code or add special annotations just to help the compiler prove safety. You can’t trivially reproduce those all those guardrails at runtime. Certainly not without a large performance hit. Even debug mode stdc++ - with all checks enabled - still doesn’t protect against many bugs the rust compiler can find and prevent. I’m all for C++ making these changes. For a lot of people, adding a bit of safety to the language they’re going to use anyway is a big win. But in general guarding against threading bugs, or use after free, or a lot of more obscure memory issues requires either expensive GC like runtime checks (Fil-C has 0.5x-4x performance overhead and a large memory overhead). Or compile time checks. And C++ will never get rust’s extensive compile time checks.
Safety-critical systems aren’t connected to a MAC address you can ping. I didn’t move the goalposts.
Sure they are. Eg, 911 call centers. Flight control. These systems aren’t on the open internet, but they’re absolutely networked. Do they apply regular security patches? If they do, they open themselves up to new bugs. If not, there are known security vulnerabilities just waiting for someone to use to slip into their network and exploit. And what makes you think buggy software only causes problems when hackers get in? Memory bugs cause memory corruption and crashes. I don’t want my pacemaker running somebody’s cowboy C++, even if the device is never connected to the internet.
Major AI conference flooded with peer reviews written by AI (nature.com)
Maybe what they should do in the future is just automatically provide AI reviews to all papers and state that the work of the reviewers is to correct any problems or fill details that were missed. That would encourage manual review of the AI's work and would also allow authors to predict what kind of feedback they'll get in a structured way. (eg say the standard prompt used was made public so authors could optimize their submission for the initial automatic review, forcing the human reviewer to fill in the gaps) ok of course the human reviewers could still use AI here but then so could the authors, ad infinitum..
https://archive.ph/1cmjJ
what is a11y. Can we just write words out please.
n0o
Accessibility. It's both a very common abbreviation and very easy to search for.
 Top