Unlurker|Replay|About
Amazon delivery drone strikes North Texas apartment, causing minor damage (expressnews.com)
[delayed]
As far as I can tell, Zipline are way out ahead in this space right now.
This is the latest in a string of accidents with these drones crashing into things. Not good. The earlier ones hit a crane which one could argue was an edge case as a temporary structure. This just hit a building which suggests something much more fundamentally wrong with the tech.
I wonder what the acceptable collisions/delivery needs to be for it to match last mile truck safety level (ie UPS trucks are big and run into things with non-zero frequency)
Other news sources: https://www.usatoday.com/story/news/nation/2026/02/07/delivery-drone-amazon-crash-texas-apartment/88565912007/ https://www.theverge.com/tech/875475/amazon-delivery-drone-crash-texas https://www.cnn.com/2026/02/08/us/video/amazon-drone-delivery-falls-from-sky-texas-hnk-vrtc-digvid
Experts Have World Models. LLMs Have Word Models (latent.space)
Westerners are trying so hard to prove that there is nothing special about humans.
Not sure about that, I'd more say the Western reductionism here is the assumption that all thinking / modeling is primarily linguistic and conscious. This article is NOT clearly falling into this trap. A more "Eastern" perspective might recognize that much deep knowledge cannot be encoded linguistically ("The Tao that can be spoken is not the eternal Tao", etc.), and there is more broad recognition of the importance of unconscious processes and change (or at least more skepticism of the conscious mind). Freud was the first real major challenge to some of this stuff in the West, but nowadays it is more common than not for people to dismiss the idea that unconscious stuff might be far more important than the small amount of things we happen to notice in the conscious mind. The (obviously false) assumptions about the importance of conscious linguistic modeling are what lead to people say (obviously false) things like "How do you know your thinking isn't actually just like LLM reasoning?".
Are people really using AI just to write a slack message?? Also, Priya is in the same "world" as everyone else. They have the context that the new person is 3 weeks in and must probably need some help because they're new, are actually reaching out, and impressions matter, even if they said "not urgent". "Not urgent" seldom is taken at face value. It doesn't necessarily mean it's urgent, but it means "I need help, but I'm being polite".
People are pretending AIs are their boyfriends & girlfriends. Slack messages are the least bizarre use case.
Not that far off from all the tech CEOs who have projected they're one step away from giving us Star Trek TNG, they just need all the money and privilege with no accountability to make it happen DevOps engineers who acted like the memes changed everything! The cloud will save us! Until recently the US was quite religious; 80%+ around 2000 down to 60%s now. Longtermism dogma of one kind or another rules those brains; endless growth in economics, longtermism. Those ideal are baked into biochemical loops regardless of the semantics the body may express them in. Unfortunately for all the disciples time is not linear. No center to the universe means no single epoch to measure from. Humans have different birthdays and are influenced by information along different timelines. A whole lot of brains are struggling with the realization they were bought into a meme and physics never really cared about their goals. The next generation isn't going to just pick up the meme-baton validate the elders dogma.
The next generation is steeped in the elder's propaganda since birth, through YouTube and TikTok. There's only the small in–between generation who grew up learning computers that hadn't been enshittified yet.
Stop Using Face ID (pcmag.com)
The iPhone automatically goes into BFU (Before First Unlock) after 72 hours of inactivity (it actually reboots the phone). This can’t be disabled. In addition, there are additional restrictions where your passcode will be required . For example, if the passcode has not been used to unlock the device in the last six days and Face ID has not unlocked the device in the last eight hours, then you must use a passcode to access the device (in other words, biometric unlock is automatically disabled). If you've ever wondered why you've had to enter your passcode after a good night's sleep and haven't entered your passcode recently, that's probably why! Given these built-in precautions, a click-bait headline like this is a bit excessive for most people .
>The iPhone automatically goes into BFU (Before First Unlock) after 72 hours of inactivity (it actually reboots the phone). This can’t be disabled. But if the threat is from law enforcement, as the beginning of the article implies, how does that help? They just have to scan your face with your phone when they seize it, and slurp up all the data they want. >In addition, there are additional restrictions where your passcode will be required. For example, if the passcode has not been used to unlock the device in the last six days and Face ID has not unlocked the device in the last eight hours, then you must use a passcode to access the device (in other words, biometric unlock is automatically disabled). The conditions for triggering this is so unreliable that it probably exists more to prevent people from forgetting their pins, than meaningfully increase security.
For iPhones your eyes have to be open. I’ve got to think some cops are good at holding up the phone and saying look at this text message and people opening eyes to see it though.
The same public where you're constantly leaving your fingerprints, where your face is being constantly recorded and scanned into multiple facial recognition systems, where your DNA is being constantly shed? When everything needed to unlock your phone can be taken off of your corpse or just reconstructed from what you leave everywhere you go you're not really "secure".
Nobody is going to all that trouble to unlock my phone, they'll just beat me with a hammer until I unlock it for them
Both of these methods have an undesirable side effect for me, which is that it immediately pops up the passcode dialog saying that a passcode is required to activate Face ID. Depending on the situation, that could be construed as an attempt to actively interfere with a police investigation, which could bring consequences of its own. It would be better if it silently dropped you to the normal lock screen, and only showed the passcode dialog when you attempt to unlock the phone normally. Another thing I've often wished for with kids is a mode that removes all notifications and widgets from the lock screen - the only things you should be able to do is to unlock the phone and emergency calls. You can remove most notifications with the right Focus, but not notifications to control playing music/video apps, for example, nor any other widgets you happen to put on your lock screen.
> Both of these methods have an undesirable side effect for me, which is that it immediately pops up the passcode dialog saying that a passcode is required to activate Face ID. Must be an iOS 26 thing? I haven't dared upgrade yet. No immediate passcode dialog on iOS 18 if you follow the instructions above. It does pop up like you describe if you press the cancel button on the screen, but if you are whipping out your phone to play with the screen you're not exactly acting inconspicuously anyway.
The First Sodium-Ion Battery EV Is a Winter Range Monster (insideevs.com)
[delayed]
Out the gate, sodium ion advantages are so significant that unless there is some surprise show-stopper it will likely become the dominant energy storage medium. Crustal abundance up to 1000x that of lithium - pretty much every nation has effectively unlimited supply, it's no longer a barrier or a geographically limited resource like lithium. No significant damage going down to 0V, can even be stored at 0V - much safer than lithium which gets excitable once out of its prefered voltage range. Cold weather performance down to -30C - northern latitude users don't have as much range anxiety in the winter. Basically, the only problem I see is that companies that have made significant long-term investments in lithium could take a big hit. Countries that banked on their lithium reserves as a key future resource for will have to adjust their strategy. Lithium batteries will likely still have a place in the high performance realm but but for the majority of run-of-the-mill applications - everything from customer electronics to EVs to offgrid storage - it's hard to see how sodium-ion wouldn't quickly replace it.
No mention of degradation as a result of recharge cycles. So many of my electronic devices have had to be disposed of because the battery would no longer hold a charge. This is also a big factor in EVs and their loss of value over time.
Norway regularly sees -30C in winter and EVs account for like 99% of sales there, it made the news that in January only 7 ICE cars were sold in the entire country.
It's also a different country with a different culture, etc. Norwegians drive roughly 50% less than people in the US. There's probably a bunch of contributing factors, but the point is that reduced range is less of a problem if you drive less. I'll be the first to say we need less range anxiety, and Norway is awesome. But we need to be careful comparing the US to Norway here.
How many vehicles have a 650 mile range? Almost none. Plus you can't fill up at home with gasoline, like you can with an EV.
> How many vehicles have a 650 mile range? Almost none. '22 Ford Escape hybrid The remaining miles thing shows less than that on a full tank, but I've been pretty consistently getting upper-600s between fill-ups. I suppose it would probably be less if I went on the interstate more.
You mean EVs? Yeah, none that I'm aware of. But petrol/diesel cars? Loads of them. Even my 400bhp Volvo XC60 will easily do 650 miles on one tank of fuel. A diesel one will do 700-800. And a diesel Passat will go over 1000 miles on a tank without trying. Hell, even my basic 1.6dCI Qashqai could do 700 miles on its 55 litre tank
Volvo xc60 has an estimated 25 mpg overall ( https://www.volvocarsrichmond.com/volvo-xc60-mpg.htm ) It has an 18.8 gallon fuel capacity ( https://www.volvocars.com/lb/support/car/xc60/article/dfc6f0fe96bb55fac0a801513f070383/ ) That’s a max range of 470 miles. You would need much greater fuel efficiency above 34 mpg to get to 650 miles on an 18.8 gallon tank.
Cool, I guess when I did 700 miles on a single tank of fuel driving Switzerland to Italy and then again driving Italy to Austria and then again Austria to Netherlands this summer I just imagined it. My total for the 3000 miles was 38mpg(imperial). Also you are quoting a value for the B5, which is not what I have, mine is a T8(and before you ask - no, I didn't have any opportunity to charge it anywhere on the way).
Garages exist though.
[delayed]
And human occupants will still run the heater more in winter. But it sounds like there could be a future where makers offer a sodium battery and heat pump version of their cars for sale in colder climates.
Running a preheater loop for the heat pump from the systems than need to be cooled, inverter and motor that run better cold,and other optimisations could likely supply cabin heat with very little battery draw, solar pv blended into the exterior could zero that out on an average basis,but 40 below is nothing to play with unless you know exactly what you are doing, even if they say it will still work. https://electrek.co/2026/02/05/first-sodium-ion-battery-ev-debuts-game-changer/
*potentially a lot cheaper. I've seen that repeated a lot but I still can't buy sodium batteries cheaper than lifepo...
Sodium batteries don't yet have the scale that lifepo4 batteries have. I'd expect we will see them get cheaper.
Do satellite batteries run cold? Given the difficulty of radiating heat away I would have expected the opposite. Especially considering the incentive to send up as little battery as possible, and the very predictable day/night cycle leading to the ability to precisely predict how small a battery you can get away with...
Generally it's hard to control: it'll be hot sometimes and cold other times, so a wide operating time is useful.
Let's compile Quake like it's 1997 (fabiensanglard.net)
On one particular project from 1995 where the hardware was very cost optimised, the C program compiled to 1800 bytes which meant we could save nearly a dollar by buying micro-controllers with 2KB flash rather than 4KB flash. We manufactured 20,000 units with this cheaper chip. 2 years down the line we needed a simple code change to increase the UART baud rate to the host, a change that should have resulted in the same sized binary, but instead increased it to 2300 bytes due to a newer C compiler. We ended up tweaking the assembly file and running an assembler, then praying there would be no more changes! I have always over specified the micro-controllers a little from that point, and kept a copy of the original dev environment, luckily all my projects are now EOL as I am retired.
Could also just edit the old binary directly in a pinch?
> The detail about needing to reinstall Windows NT just to add a second CPU shows how tightly coupled OS and hardware were — there was no abstraction layer pretending otherwise. In this case there was: the reason you need to reinstall to go from uniprocessor to SMP was because NT shipped with two HALs (Hardware Abstarction Layer): one supporting just a single processor, and one supporting more than one. The SMP one had all the code for things like CPU synchronization and interrupt routing, while the UP one did not. If they'd packed everything into one HAL, single-processor systems would have to take the performance hit of all the synchronization code even though it wasn't necessary. Memory usage would be higher too. I expect that you probably could run the SMP HAL on a UP system (unless Microsoft put extra code in to make it not let you), but you wouldn't really want to do that, as it would be slower and require more RAM. So it wasn't that those abstraction layers didn't exist back then. It was that abstraction layers can be expensive. This is still true today, of course, but we have the cycles and memory to spare, more or less, which was very much not the case then.
They could have shipped both HALs. Or made it easy to switch which one was in use without reinstalling. CDs were around and hard drives weren’t that small at the time. (Or maybe the really early SMP versions predated widespread availability of CD-ROMs, but I remember dealing with this nonsense and reinstalling from an MSDN CD set.)
I actually would love this to be built in to a language/compiler. A lot of times when I’m building a single-threaded program but I’m using libraries written by other people. These libraries don’t know whether they are being incorporated into programs with single thread or not. So they either take the performance penalty of assuming multi-threaded (the approach by std::shared_ptr) or they give callers choice by making two implementations (Rust Arc and Rc). But the latter doesn’t actually work because this needs to be a global setting, not just a decision made at a local call site. It won’t work if such a library is a transitive dependency.
Zig supports this. If you compile with -fsingle-threaded, operations on mutexes turn into nops, atomics become simple loads/stores, etc.
Show HN: I created a Mars colony RPG based on Kim Stanley Robinson's Mars books (underhillgame.com)
I'm on mobile (Android, Brave), and I can do everything but interact with the people. Am I doing something wrong?
Lovely series. One of the first science fiction series I read that gave a proper anarchist culture a shot. (A big thing most people don't understand about anarchism is that it's not a violent, crime ridden, disorderly society without rules, but rather a society built on the idea that everyone deserves care, and we should all put in some effort to achieve that in a self organizing way.) Loved seeing things like gift economies, self organization and free association, and a general care for both the people and the planet in those books.
This is so cool. How are you going to simulate Michel's longing for Provence? Seriously though I adore the trilogy. I started a Mars storymapping project which incorporated Underhill, Senzeni Na, the Moholes etc. a little while back too: https://saltwatercowboy.github.io/marsinplace/
It’s BYO longing for Provence.
You weren't exaggerating! I didn't even have headphones on, and it scared the sh*t out of me when I clicked on the little man.
The music was so loud from my monitor's speakers that I nearly jumped out of my skin and rushed to close it, and my volume isn't even turned up much!
vanilla JS and canvas plus a hefty bit of technical help from Claude.
It seems you draw everything every frame onto the canvas? The result is quite GPU heavy, for your next game I would recommend looking into a graphic libary like pixijs, to make use of the webgl/webgpu .. then it would run smooth even on old mobile phones.
Billing can be bypassed using a combo of subagents with an agent definition (github.com/microsoft)
Copilot fairly recently added support for running sub-agents using different models to the model that invoked them. If this report is to be believed, they didn't implement billing correctly for the sub-agents allowing more costly models to be run for free as sub-agents.
Even without hacks, Copilot is still a cheap way to use Claude models: - $10/month - Copilot CLI for Claude Code type CLI, VS Code for GUI - 300 requests (prompts) on Sonnet 4.5, 100 on Opus 4.6 (3x) - One prompt only ever consumes one request, regardless of tokens used - Agents auto plan tasks and create PRs - "New Agent" in VS Code runs agent locally - "New Cloud Agent" runs agent in the cloud ( https://github.com/copilot/agents ) - Additional requests cost $0.04 each
I've had single prompt to Opus consume as many as 13 premium messages. The Copilot harness is so gimped so they can abstract tokens from messages. Every person that started with Copilot that I know that tried CC were amazed at the power difference. Stepping out of a golf cart and into <your favorite fast car>.
So 100 Opus requests a month? That's not a lot.
Cat's out of the bag now, and it seems they'll probably patch it, but: Use other flows under standard billing to do iterative planning, spec building, and resource loading for a substantive change set. EG, something 5k+ loc, 10+ file. Then throw that spec document as your single prompt to the copilot per-request-billed agent. Include in the prompt a caveat that We are being billed per user request. Try to go as far as possible given the prompt. If you encounter difficult underspecified decision points, as far as possible, implement multiple options and indicate in the completion document where selections must be made by the user. Implement specified test structures, and run against your implementation until full passing . Most of my major chunks of code are written this way, and I never manage to use up the 100 available prompts.
I mean aren't they losing money on everything even the API? This isn't going to end well with how expensive it all really is.
Having worked some time in huge businesses, I can assure that there are many corporate copilot subscribers that never use it, that's where they earn money. In the past we had to buy an expensive license of some niche software, used by a small team, for a VP "in case he wanted to look". Worse in many gov agencies, whenever they buy software, if it's relatively cheap, everyone gets it.
It might be a gym-type situation, where the average of all users just ends up being profitable. Of course it could be bait-and-switch to get people committed to their platform.
Most LLM usage? There’s some exceptions eg Claude Max
yes, and VS code as mentioned above. That's kind of the joke.
They don't care, they would rather let you use pirated MS software than move to Linux. There is a repo on GH with powershell scripts for activating windows/office and they let it sit there. Just checked, repo has 165K stars. This could be the same, they know devs mostly prefer to use cursor and/or claude than copilot.
They don't care, they would rather let you use pirated MS software than move to Linux. Not even sure that's true anymore. How else to explain WSL/WSL2? They practically lead you to Linux by the hand these days.
Even with that, your hardware is still running Windows.
Omega-3 is inversely related to risk of early-onset dementia (pubmed.ncbi.nlm.nih.gov)
from an actuarial perspective, these longitudinal studies on dementia are huge. early-onset is basically the hardest risk to price for long-term care because the tail of the claim is so long and expensive. finding a solid inverse correlation like this is the kind of thing that eventually shifts premium modeling for an entire generation.
Wow, that is a depressing point of view. Advancements in "not paying for things" accelerates while advancements in "preventing things" just inches forward.
The O3:O6 ratio matters more. And with the right diet it's very easy to get tons of O3 with an excellent O6 ratio (1:4 vs. the 1:10+ of the standard western diet). Vegan with some seeds (hemp, flax, chia, etc.) and a fish oil or algal EPA/DHA supplement will do it quite easily. As long as you use olive/avocado oil over the O6-heavy cooking oils. Other diets are probably also capable of this.
I’m not aware of any compelling evidence that the n3:n6 ratio actually matters as long as you’re meeting the absolute required levels of each. There was a big push for this hypothesis in the 2010s, but on closer inspection the only research that seemed to support it was where the “low n3:n6 ratio” cohort were there by virtue of low n3, not high n6. Where studies compare groups of people where ratios were manipulated but both were at adequate levels, I don’t believe we see any evidence of a deleterious effect.
Cool thanks for the correction!
what is "a lot of fish" in this context? Sushi for lunch every day? Thanks for engaging with this in a helpful way.
Fatty fish (salmon, mackerel, herring) has quite large amounts. Some people aim for huge amounts of EPA/DHA but I don't think there's really much evidence that you need 3g/day or whatever the latest broscience is. Mackerel is particularly high although it doesn't taste great to me compared to salmon, 100g of mackerel has ~4g of EPA/DHA so eating that a couple of times a week is probably more than enough. Also there is some (although much less) in white fish, there can be significant amounts in shellfish, and tinned tuna has a surprisingly high amount. So all of that adds up if you eat those as well
I would recommend it to elderly family members, but they have atrial fibrillation, and I heard omega 3 can exacerbate it?
There’s a good pod on this exact subject with nutrition scientists: https://sigmanutrition.com/episode538/ The TL;DR (IIRC) is that we tend to only see this in trials where atrial fib is a tertiary endpoint so there’s not really compelling data to suggest AF is a risk. But give it a listen and see what you think, it was a while ago I listened to it and I’m not qualified to give actual advice!
That's part of my question. ALA is supposed to not convert to DHA easily. But these results seem to say at higher concentrations ALA lowers risk of EOD. Which tends to refute the belief that only DHA/EPA lower chronic inflammation or that EOD is not just a story about inflammation.
I cannot read the whole article, but the abstract says nothing about ALA. The abstract only partitions the omega-3 acids in DHA and non-DHA. While non-DHA includes ALA, without any concrete evidence that ALA has some direct role, it is more likely that the correlation seen with non-DHA refers not to ALA, but to the other long-chain omega-3 fatty acids besides DHA. Humans can elongate ALA into useful long-chain acids, but the efficiency of this is typically lower in males than in females and lower in old people than in young people. Usually pregnant women have the best conversion efficiency. Unless you monitor your blood composition, you cannot know if eating ALA (e.g. flax seeds or oil, or walnuts) can be sufficient for you. If you are an older male, it is very likely that eating ALA cannot be enough for avoiding deficiency.
Algal ALA has a different chemical makeup https://ods.od.nih.gov/factsheets/Omega3FattyAcids-HealthProfessional/ Edit: I think you mean Algae (which is EPA) Edit2: My mistake, I read Algal as ALA rather than Algae (algal)
The "algal" omega-3 is not extracted from any algae, but it is extracted from certain cultivated strains of a fungus-like organism, Schizochytrium. The cultivated strains have been selected and/or genetically engineered to have enhanced production of certain long-chain omega-3 fatty acids. The composition of an "algal" oil ("algal" is the adjective derived from "alga", "algae" is the plural of "alga") depends on the particular strain that the vendor has used in production. The first cultivated strains produced only DHA, but in recent years most vendors use strains that allow them to sell oil that has a mixture 2:1 of DHA and EPA, with minor quantities of other long-chain omega-3 fatty acids.
Yes, but more likely insects as first small “animals”. Hunting animals takes more effort than eating fruits etc. I know it’s all vague delineation of where our species really started, and at which point you would no longer consider it the homo line, but for a significant part of history we were a small predator that would eat whatever was _easily_ available. Hunting animals is not easy and it’s a risky endeavour. I’m not saying meat wasn’t part of our diet obviously, but it logically wouldn’t have been as dominant a part of our diet as it is today.
The most likely hypothesis about how humans have become the most efficient hunters of the planet does not pass through catching insects and very small animals, but through eating the remains of the big prey killed by carnivores. There are various bits of evidence for this, like the higher stomach acidity of humans, which resembles that of carrion eaters, like hyenas. It is plausible that the ability to throw sticks and stones was used initially for scaring other predators and make them abandon their prey, and only later it became accurate enough to be usable for hunting living animals. The ability to use stones to break the bones and eat the parts inaccessible for the carnivores who had killed the prey, i.e. marrow and brain, which are rich in hard to get nutrients, e.g. omega-3 fatty acids, is also presumed to have played an important role in the development of a bigger and bigger brain.
I put a real-time 3D shader on the Game Boy Color (blog.otterstack.com)
I’m incredibly impressed by this, largely because it actually is running on a CGB. What I see often are hacks where the game boy is just being used as a terminal and the cartridge has been packed with far more powerful processing power.
This is the coolest thing I've seen in months. Licence it as beerware, then I'm obliged to owe you one.
I lowkey wish Nintendo would rerelease the GBC or GBA I would buy one. They can bake in some games into a few cartridges and make it 100% worth the buy too.
You can pick a used one up for pretty cheap. Add a flash cartridge and you're done. I think the cheap android handhelds of the same form factor are a better option though. I've still got my Gameboy collection, but rarely use it. It's just so much easier to fire up an emulator these days.
Isn't it a bug that when spinning the object the light also spins?
It's the equivalent of spinning the view camera around in the scene. Up / Down spins the light coordinates, Left / Right spins the camera viewpoint. Probably could have been written that way though, since it is spinning the camera view rather than the object.
It's not that different from "real 3d" renderers. Especially in deferred rendering pipelines the rasterizer creates a bunch of buffers for depth map, normal map, color, etc but main shaders are running on those 2d buffers. That's the beauty of it parts operating with 3d triangles are kept simple simple and the expensive lighting shaders run once on flat 2d images with 0 overdraw. The shaders don't care whether normal map buffer came from 3d geometry which was rasterized just now, prerendered some time ago or the mix of 2. And even in forward rendering pipelines the fragment shader is operating on implicit 2d pixels created by vertex shaders and rasterizer from "real 3d" data. The way I look at it if the input and math in the shader is working with 3d vectors its a 3d shader. Whether there is also a 3d rasterizer is a separate question. Modern 3d games are exploiting it in many different ways. Prerendering a 3D model from multiple views might sound like cheating but use of imposters is a real technique used by proper 3d engines.
There's a GBDK demo that actually does something similar (spinning 2D imposters). Does not handle the lighting though, which is quite impressive. https://github.com/gbdk-2020/gbdk-2020/tree/develop/gbdk-lib/examples/gb/hblank_copy Unfortunately, the 2D imposter mode has pretty significant difficulties with arbitrarily rotated 3D. The GBDK imposter rotation demo needs a 256k cart just to handle 64 rotation frames in a circle for a single object. Expanding that out to fully 3D views and rotations gets quite prohibitive. Haven't tried downloading RGDBS to compile this yet. However, suspect the final file is probably similar, and pushing the upper limits on GB cart sizes.
↙ time adjusted for second-chance
Vouch (github.com/mitchellh)
Interesting idea. It spreads the effort for maintaining the list of trusted people, which is helpful. However I still see a potential firehose of randoms requesting to be vouched for. Various ways one might manage that, perhaps even some modest effort preceding step that would demonstrate understanding of the project / willingness to help, such as A/B triaging of several pairs of issues, kind of like a directed, project relevant CAPTCHA?
Users already proven to be trustworthy in one project can automatically be assumed trustworthy in another project, and so on. I get the spirit of this project is to increase safety, but if the above social contract actually becomes prevalent this seems like a net loss. It establishes an exploitable path for supply-chain attacks: attacker "proves" themselves trustworthy on any project by behaving in an entirely helpful and innocuous manner, then leverages that to gain trust in target project (possibly through multiple intermediary projects). If this sort of cross project trust ever becomes automated then any account that was ever trusted anywhere suddenly becomes an attractive target for account takeover attacks. I think a pure distrust list would be a much safer place to start.
It's just an example of what you can do, not a global feature that will be mandatory. If I trust someone on one of my projects, why wouldn't I want to trust them on others?
Based on the description, I suspect the main goal isn't "trust" in the security sense, it's essentially a spam filter against low quality AI "contributions" that would consume all available review resources without providing corresponding net-positive value.
It should just be $1 to submit PR. If PR is good, maintainer refunds you ;) I noticed the same thing in communication. Communication is now so frictionless, that almost all the communication I receive is low quality. If it cost more to communicate, the quality would increase. But the value of low quality communication is not zero: it is actively harmful, because it eats your time.
If you want me to read your comment, please pay me $1 first... if I find your comment interesting I might refund.
I had this idea / pet project once where I did exactly this for email. Emails would immediately bounce with payment link and explanation. If you paid you get credit on a ledger per email address. Only then the mail goes through. You can also integrate it in clients by adding payment/reward claim headers.
this wouldn't have helped against the xz attack
It's not intended to, though? It's supposed to address the issue of low-effort slop wasting maintainer time, not a well-planned attack.
Illegal in europe. You are bot allowed to keep a black list of people with the exception of some criminal situations or addiction.
Can you cite the law that says you may not do this? There are obvious cases in Europe (well, were if you mean the EU) where there need not be criminal behaviour to maintain a list of people that no landlord in a town will allow into their pubs, for example.
Sure, but that pull request is blatantly unreviewable because of how it bundles dozens of entirely unrelated commits together. Just say that and move on: it only takes a one-line comment and it informs potential contributors about what to avoid if any of them is lurking the repo.
One problem with giving any feedback is that it can automatically be used by an agent to make another PR.
That’s not the point. Point is: when @lt100, @lt101, … , @lt999 all vouch for something, it’s worthless.
But surely then a maintainer notices what has happened, and resolves the problem?
> Then again, if this is the case, why would you risk your own reputation to vouch for anyone anyway. Good reason to be careful. Maybe there's a bit of an upside to: if you vouch for someone who does good work, then you get a little boost too. It's how personal relationships work anyway. ---------- I'm pretty skeptical of all things cryptocurrency, but I've wondered if something like this would be an actually good use case of blockchain tech…
Idk tbh, the string of these 3 posts reads like this: - a problem already solved (you vouching for someone denounced should denounce you, which is possible! via TFA) - a blockchain to solve incrementing and decrementing integers (i.e. vouch vs. denounce as a service) - an ad-hoc reinvention of idea people should be scored. (People don't like this, and it is easily abused, c.f. Black Mirror and social credit scores in China)
Sounds like a black mirror episode.
If we want to make it extremely complex, wasteful, and unusable for 99% of people, then sure, put it on the blockchain. Then we can write tooling and agents in Rust with sandboxes created via Nix to have LLMs maintain the web of trust by writing Haskell and OCaml.
Zig can fix this, I'm sure.
Exploiting signed bootloaders to circumvent UEFI Secure Boot (habr.com)
The security story of the PC platform is such a mess due to fragmentation. I have way more trust in Apple's security here.
Security through obscurity is not a great idea. This is what Apple's current approach is. For instance if your iPhone is infected with malware, there is no anti-virus software that can find it, because Apple doesn't let software to have such deep access that is needed for scanning.
> Game vendors want protection against cheating Gamers, gamers want anti-cheats. Vendors couldn't care less.
Gamers want no cheaters, vendors want to be seen to be trying in the cheapest way that has credibility.
> From that mindset what makes sense are hardware vendors including a cache of trusted third party root certificates from known other vendors. Today this would include Microslop, the same said hardware vendor, probably various respected Linux organizations/groups (Offhand, Linux Foundation, ArchLinux, Debian, IBM/RedHat, Oracle, SUSE, etc), similar for BSD... IMO systems should be shipped in "Setup Mode" by default with no keys preinstalled. On first boot which ever OS you decide to install should be able to enroll its keys. This way it is entirely agnostic of any cherrypicked list of "trust me" vendors. You'd still have most of the benefits of easy secure boot enrolling for those that don't know what it even is/how to do it while also allowing easy choosing of other OSes (at least on initial first boot). The main problem currently is option-ROM which has a tendency to cause the system to not even POST if secure boot is enabled without MS keys. Recently bricked a MoBo this way and even though it has 2 BIOS I can't actively choose which one to boot, it just has some "trust me, I know when" logic that chooses... well guess how well that is working for me...). The Asrock board I replaced it with though has an option for what it should do with such option-ROM when secure boot is active (don't run, always run, run if signed, ...) > The user should also be able to enroll their own CA certs as well; multiple of them. Useful for Organization, Division Unit, and system local signatures. Isn't this already the status quo?? > It would also, really, be nice if UEFI mandated a uniform access API (maybe it does) for local blobs stored in non mass-storage space. [...] I think UEFI is already complex enough and most of this can in a way already somewhat be handled by the EFI System Partition, e.g. systemd-boot can tell the UEFI to load (file system) drivers off of it ( https://wiki.archlinux.org/title/Systemd-boot#Supported_file_systems ), I don't know if UEFI technically supports other types of drivers to be loaded.
>IMO systems should be shipped in "Setup Mode" by default with no keys preinstalled. On first boot which ever OS you decide to install should be able to enroll its keys. Sounds like browserchoice.eu but even more pointless. For the normies who don't care about what keys they want installed, it doesn't make a difference. For people who want to switch to linux, it also doesn't make a difference because unless they're setting up their computer for the first time, because the windows key would already be installed. The only thing it does is make setting up a new computer marginally easier for one specific case (ie. you want to install a non-windows operating system AND you don't want to dualboot), and ticks off a box for being "vendor agnostic" or whatever.
I was talking about the same "install" that is already done (pre-installed on the drive that is first booted). Enrolling certs into the UEFI isn't something that needs to be done manually when "Setup Mode" is enabled, the bootloader can automatically enroll them. This already is a thing with the exception of the ship in "Setup Mode" part. Though some motherboard UEFI implementations are shit (as to be expected) and shit their pants when this happens. See last paragraph in this section as example: https://www.freedesktop.org/software/systemd/man/latest/systemd-boot.html#Files
What would be the point of this change? It erodes security in some moderately meaningful way (even easier to supply chain new computers by swapping the boot disk) to add what amounts to either a nag screen or nothing, in exchange for some ideological purity about Microsoft certificates?
It really doesn't. UEFI are still not by default locked behind a password (can't be locked since you couldn't change settings in the UEFI if that were the case), so anyone that has access to change a drive can also disable secure boot or enroll their own keys if they want to do an actual supply chain attack. If your threat model is "has access to the system before first boot" you are fucked on anything that isn't locked down to only the manufacturer.
> just build a UEFI Kernel Image and sign that. examples and documentation welcome
https://wiki.gentoo.org/wiki/Secure_Boot
Thre original secure boot design would have had insecure bootloaders get blacklisted the moment abuse could be detected. Microsoft then made that system entirely useless by signing code that could be used to load unsigned code, like demonstrated here. They then also refused to blacklist their own broken bootloader to save sysadmins the time (who would need to deploy new recovery images and boot media containing the fixed bootloader). That vulnerable bootloader is particularly bad because it can be used to have the TPM unlock itself and give up the Bitlocker key, which the Linux loaders shouldn'tbe capable of even if they apply the bypass mentioned in the article. In a world where Microsoft cared about secure boot, they would blacklist the vulnerable Linux loaders as well as their own old bootloaders. Why Microsoft? Because they signed the files in the first place, only they can rescind the signatures. In that world, Linux users would call for Bill Gates' head for securing their security feature and sysadmins would be out for Steve Ballmer's blood for breaking their complex custom recovery system that nobody dares touch. Now we'll be stuck in the worst of both worlds.
>They then also refused to blacklist their own broken bootloader to save sysadmins the time (who would need to deploy new recovery images and boot media containing the fixed bootloader). Source? The OP suggests they expect it to be blacklisted >I assume that Kaspersky bootloader signature certificate will not live long, and it will be added to global UEFI certificate revocation list, which will be installed on computers running Windows 10 via Windows Update If you search around you'll also find that microsoft does publish secure boot revocations, contrary to what you claim. https://github.com/fwupd/dbx-firmware
I am happier writing code by hand (abhinavomprakash.com)
every day there's a thread about this topic and the discussions always circle around the same arguments. I think we should be worrying about more urgent things, like a worker doing the job of three people with ai agents, the mental load that comes with that, how much of the disruption caused by ai will disproportionately benefit owners rather than employees, and so on.
We are, after all, in the holy temple of the adherents of the Great Disenfranchisement Machine.
You what code is? A very detailed specification that drives a deterministic machine. Maybe we don't need to keep giving LLMs more details, maybe we could skip the middle man there
The gravity well's pull toward a management track, or in the very least the desire to align one's sympathies with management, is simply irresistible to some people. Unfortunately I do not think Hacker News is the best venue to discuss solutions to this issue.
On the assembly line: "What did you used to do?" "Programming. You?" "I was a lawyer."
This is literally my reality
I’ve heard this metaphor before and I don’t think it works well. For one, a power tool like a bandsaw is a centaur technology. I, the human, am the top half of the centaur. The tool drives around doing what I tell it to do and helping me to do the task faster (or at all in some cases). A GenAI tool is a reverse-centaur technology. The algorithm does almost all of the work. I’m the bottom half of the centaur helping the machine drive around and deliver the code to production faster. So while I may choose to use hand tools in carpentry, I don’t feel bad using power tools. I don’t feel like the boss is hot to replace me with power tools. Or to lay off half my team because we have power tools now. It’s a bit different.
Would a CNC satisfy your requirements?
My analogy is more akin to using Google Maps (or any other navigation tool). Prior to GPS and a navigation device, you would either print out the route ahead of time, and even then, you would stop at places and ask people about directions. Post Google Maps, you follow it, and then if you know there's a better route, you choose to take a different path and Google Maps will adjust the route accordingly.
Google Maps is still insanely bad for hiking and cycling, so I combine the old-fashioned map method with an outdoor GPS onto which I load a precomputed GPX track for the route that I want to take.
Have you never run a team of software engineers as a lead? Agentic coding comes naturally to a lot of people because that's PRECISELY what you do when you're leading a team, herding multiple brains to point them in the same direction so when you combine all their work it becomes something that is greater than the sum of it's parts. Lots of the complains about agents sound identical to things I've heard and even said myself about junior engineers. That said, there's always going to need to be people who can reach below the abstraction and agentic coding loops deprive you of the ability to get those reps in.
> Have you never run a team of software engineers as a lead? I expect juniors to improve fast to get really good. AI is incapable of applying the teaching that I expcect juniors to internalize to any future code that it writes.
Architects and engineers are not construction workers. AI can build the thing but it needs to be told exactly what to build by someone who knows how software works. I’ve spent enough time working with cross-functional stakeholders to know that the vast majority of PM (whether of the product, program, or project variety), will not be capable of running AI towards any meaningful software development goal. At best they can build impressive prototypes and demos, at worst they will corrupt data in a company-destroying level of failure.
> AI can build the thing but it needs to be told exactly what to build by someone who knows how software works. If AI was following my instructions instead of ignoring them, and after complaining telling me it is sorry, and returns some other implementation which also fails to follow my instructions ... :-(
Running Your Own As: BGP on FreeBSD with FRR, GRE Tunnels, and Policy Routing (blog.hofstede.it)
I was hoping with IPv6, getting an address space as an individual would go back to how it was in the early IPv4 days, but alas you need to be a multihomed individual with tons of usage instead of just a sophisticated netzien that wants to own their block.
Honestly it's not free but it's really not that expensive. With RIPE it's about 75€ per year for the ASN and being multihomed is not really a problem, there are multiple services that will let you announce through them for free or very cheap. You don't have volume minimums. I do agree it should be simpler, but it is accessible to individuals today.
I don't want an address, they should be cheap, meaningless (sans routing, the longer the common prefix, the closer geographically you should be) and not conflated with identifiers. I just want a way to do public-key based discovery. I'm not sure if wireguard + DHT would do though as it'd also mean that it's easy to track your PK (and maybe you through your devices/services announced with PKs). Maybe you can announce your IP in a neat encryption scheme that adds some privacy without increasing costs too much?
Basically Yggdrasil?
 Top