I think being on GitHub (and seemingly open source) gives developers a false sense of security in that they assume the code is open and therefore community vetted and that the developer has nothing to hide.
I suspect people who would know not to download and run a random binary off the internet would download, compile and run projects from GitHub.
I mean, you can use static analysis or similar, but you generally can't check every line of code for every open source lib you pull in, let alone its dependencies.
Seems that, once you decide to use open source, you are actually making a choice to trust to some extent.
Commercial Linux distributions like Red Hat, Suse and Canonical stake their reputation on compiling a trustworthy collection of open source software, in exchange for money. Unfortunately they disclaim any legal responsibility, but at least they make reasonable efforts to analyze the security of the software they are distributing, in order to avoid PR disasters.
For some reason the same business model has not made many inroads for higher-level language ecosystems, although many companies are trying - for example the Python Conda distribution.
Although the "repo" is a list of manifest files that include third-party download sources. So even if there is an approval process it seems to be quite vulnerable to including malware.
Of the 351 malicious repositories in the spreadsheet somebody linked, only 4 have more than 10 stars. None of them have more than 30 stars, and none of them have more than 3 forks. None have more than 5 issues, and only 4 have more than one issue.
You don't have to assume that the code is community-vetted. If a repository has at least a couple hundred stars, lots of forks, and an active pull request cadence, then you know that at least some people have gone digging through it.
If not, then that's when you should break out the sandboxing tools and prepare to check the code yourself. At least it should be easy-ish to automatically check/block everything that has the potential to open a network connection, which defeats most profitable malware models.
They could build an optional "risk score" that open-source community-oriented projects could turn on. It could include requirements like having something dependabot-esque along with CodeQL enabled. Rules could be created for CodeQL (if they haven't already) that check for obfuscated code, suspicious access (keychain, password storage, etc.) and other items.
On top of that it could have forced release binary scanning via VirusTotal/insert-malware-scanning-vendor-here.
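Both of the suggestions above (auto-flagging anything that can open a network connection, and a rule that looks for obfuscated code such as decoded blobs fed to exec) can be prototyped as a small static triage pass. The following is an added example written for this thread, not code from GitHub, CodeQL or any project mentioned; the module list, the blob length threshold and the two sample sources are constructed assumptions, and a real rule set would be far broader.

```python
"""Static triage of Python source: flag network-capable imports, dynamic code
execution and long base64-looking string literals. Added example; the lists and
thresholds below are assumptions, not a published rule set."""
import ast
import os
import re

# Modules that can open a network connection (assumed, non-exhaustive list).
NETWORK_MODULES = {"socket", "http", "urllib", "requests", "ftplib", "smtplib",
                   "telnetlib", "ssl", "websocket", "paramiko", "aiohttp"}
# Builtins that execute dynamically constructed code.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
# A single string literal of 80+ base64 alphabet characters (assumed threshold).
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/=]{80,}$")


def scan_source(src: str):
    """Return (kind, detail, lineno) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.append(("network_import", alias.name, node.lineno))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in NETWORK_MODULES:
                findings.append(("network_import", node.module, node.lineno))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DYNAMIC_EXEC:
                findings.append(("dynamic_exec", node.func.id, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if BASE64_BLOB.match(node.value):
                findings.append(("base64_blob", f"{len(node.value)} chars", node.lineno))
    return findings


def risk_level(findings):
    """Crude rollup: decode-and-exec together is the classic dropper shape."""
    kinds = {kind for kind, _, _ in findings}
    if "dynamic_exec" in kinds and "base64_blob" in kinds:
        return "high"
    return "review" if kinds else "low"


def scan_tree(root):
    """Scan every .py file under root; returns {relative_path: (level, findings)}."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".py"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_source(fh.read())
                report[os.path.relpath(path, root)] = (risk_level(found), found)
    return report


# Constructed samples: a harmless file and a textbook decode-then-exec stub.
BENIGN = "import json\n\ndef load(p):\n    with open(p) as f:\n        return json.load(f)\n"
SUSPICIOUS = ("import base64, socket\n"
              "payload = '" + "QUJD" * 30 + "'\n"
              "exec(base64.b64decode(payload))\n")

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        found = scan_source(src)
        print(label, risk_level(found), found)
```

Run `scan_tree(".")` over a checkout before building it; anything rated `high` is worth reading by hand, and `review` items are where the network-blocking idea above applies. Expect false positives on legitimate networking code, which is exactly why this is a triage signal rather than a verdict.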
This is the problem, the best we can do is pay via exposure. But that actually ain't nothing. Not just individuals, but also orgs could then make money from private contracts based on their reputations? This should be the benchmark of trust. Could there be anything better?
Excellent question. No, I am not. I am just attempting to use my very limited knowledge on this subject to hopefully further discussion on a topic that feels really important.
I would love other people to jump in and elevate this conversation.
Sure, CVEs might not be the ideal metric. Could you, or anyone else, suggest a better metric?
If GitHub is too lethargic to even contemplate this type of change, maybe this could be a differentiator for GitLab?
No it won't. I could write you very basic, obvious malware that is obfuscated just enough for copilot to miss it 100% of the time. Let alone things like what JiaTan wrote.
You can get rid of legacy OS like Windows or Linux that cannot run applications in the sandbox and switch to those which can. In this case the malware only gets a sandbox and not the whole system.
If you work for a commercial company then you should not download the code from random users on Github for free but from commercial, safe repositories where the code is inspected, tested and verified. Or from reputable large commercial companies that are unlikely to put backdoors. Microsoft or Apple won't risk their reputation by backdooring an open-source library.
I don't get it, are there privilege escalation attacks for Windows? I haven't logged in as an administrator since 2005 or so.
We know we can hit the windows key and type "sandbox"? (May need to "install" it from windows features.) Right?
There are software packages that let you snapshot the files and checksums, then compare again after you've run your test program / installer / whatever.
You can make this software "portable" so you don't have to install it every time. You can copy and paste into the sandbox from your windows desktop and drives.
Obviously this isn't Sandboxie or nix or an immutable file system or anything, but let us not pretend it's 1996 and "GoBack.exe" hasn't been invented yet.
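The snapshot-then-compare workflow described in this comment is simple enough to script. Below is an added example written for this thread (not any of the products mentioned, and not the commenter's own tooling): it hashes every file under a directory, runs the untrusted step, hashes again and reports what was added, removed or changed. The temp-directory scenario in `demo()` is a constructed stand-in for the sandbox.

```python
"""Snapshot a directory's file hashes, run an untrusted program, snapshot again
and diff. Added example; the demo scenario is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative POSIX-style paths to SHA-256 digests of regular files."""
    root = Path(root)
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(before, after):
    """Classify every path seen in either snapshot."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def demo():
    """Constructed scenario: a fake installer edits a config, deletes a file
    and drops a binary into a new subdirectory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config.ini").write_text("debug=0\n")
        (root / "readme.txt").write_text("hello\n")
        before = snapshot(root)

        # Stand-in for running the test program / installer under observation.
        (root / "config.ini").write_text("debug=1\n")
        (root / "readme.txt").unlink()
        (root / "bin").mkdir()
        (root / "bin" / "helper.exe").write_bytes(b"MZ\x90\x00")

        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you would snapshot the profile directory, `ProgramData`, the startup folders and any other location the installer can reach, and keep the "before" snapshot outside the sandbox so the program under test cannot tamper with it.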
They can - if you write the sandbox and adapt applications to it. What I meant is that the sandbox should be built-in into a distribution.
Also, I did some research and the sandbox is difficult to implement because you need to stub literally every facility (because Linux was not designed for sandboxing). For example, I had to write an emulation of /proc in Python using FUSE because many apps rely on reading files there but granting them full access leaks too much information about your system and is not secure. Now think how much time you need to stub every API, including undocumented APIs like /sys, ioctls and so on.
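The /proc problem in this comment comes down to a policy layer: expose only the sandboxed process's own entries, synthesize sanitized contents rather than passing host files through, and deny everything else by default. The following is an added example built for this thread, not the commenter's FUSE emulation; the allowlist, the exposed status fields and the sample host data are assumptions.

```python
"""Policy layer for a sandboxed view of /proc. Added example; the allowlist and
the fields exposed are assumptions, not a complete emulation."""
from pathlib import PurePosixPath

# Host files judged safe to pass through unchanged (assumed).
STATIC_ALLOW = {"/proc/version", "/proc/uptime"}
# Fields of /proc/<pid>/status a sandboxed app usually needs (assumed subset).
STATUS_FIELDS = ("Name", "State", "Pid", "PPid", "Uid", "Gid")


class ProcPolicy:
    def __init__(self, sandbox_pid, host_status):
        # host_status: dict parsed from the real /proc/<pid>/status of the
        # sandboxed process (constructed in the demo below).
        self.pid = sandbox_pid
        self.host_status = host_status

    def synth_status(self):
        """Rebuild status with only the allowed fields; PPid is rewritten so
        the host's process tree is not revealed."""
        lines = []
        for field in STATUS_FIELDS:
            value = "1" if field == "PPid" else self.host_status.get(field, "")
            lines.append(f"{field}:\t{value}")
        return "\n".join(lines) + "\n"

    def resolve(self, path):
        """Return ("passthrough", host_path) or ("synth", content);
        raise PermissionError for anything not explicitly allowed."""
        parts = PurePosixPath(path).parts
        if parts[:2] != ("/", "proc") or ".." in parts:
            raise PermissionError(path)
        if path in STATIC_ALLOW:
            return ("passthrough", path)
        # Only the sandboxed process's own tree; other pids would leak the
        # host process list, and maps/environ would leak layout and secrets.
        if len(parts) >= 3 and parts[2] in ("self", str(self.pid)):
            if parts[3:] == ("status",):
                return ("synth", self.synth_status())
            if parts[3:] == ("cmdline",):
                return ("synth", self.host_status.get("Name", "") + "\0")
        raise PermissionError(path)


def demo_policy():
    """Constructed host status for a sandboxed pid 4242."""
    host = {"Name": "app", "State": "R (running)", "Pid": "4242", "PPid": "1000",
            "Uid": "1000\t1000\t1000\t1000", "Gid": "1000\t1000\t1000\t1000",
            "TracerPid": "0", "VmRSS": "12345 kB", "NSpid": "4242"}
    return ProcPolicy(4242, host)


if __name__ == "__main__":
    pol = demo_policy()
    print(pol.resolve("/proc/self/status")[1])
    for probe in ("/proc/1/status", "/proc/self/maps", "/proc/net/tcp"):
        try:
            pol.resolve(probe)
        except PermissionError:
            print("denied:", probe)
```

Wiring this into a FUSE mount means `resolve()` decides each `open`/`read`; the point of the example is the default-deny shape and the rewritten fields, which is where a pass-through /proc leaks host details.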
Unless there is a comment "this code is actually safe, it's done this way for optimizations", or a variable called "thisCodeIsSafeItLooksWeirdForPerformance" and the LLM just ignores the backdoors.
There's a pretty continuous line between the carolus guilder and the euro. For example, the modern-day (2002) guilder was fixed at an exchange rate of 2.2 GLD = 1 EUR. Previous coins also had a more-or-less fixed ratio, aided by the value of the gold and/or silver they were made out of.
If you want to treat it like a completely separate coin, you'd have to buy historical carolus guilders in auctions. They seem to be worth about €1500 [0], although the same amount of gold can be bought for only €240.
Currencies rarely "go away". They are usually replaced by new ones, and the government will buy the old currency and pay you in new currency. Imagine the mayhem if a government decided that all money everyone owned would suddenly be completely worthless!
Sure, but as long as they have a staff of a dozen people monitoring the transactions so that they can catch and fix/block/revert the occasional fraud it still works out cheaper than hiring and maintaining those 700 call center workers. Each case helps build a library of business rules.
Eventually you would have guardrails programmed into a separate system where the LLM simply doesn't have the permissions needed to perform actions not permitted by the business rules.
It is the same idea as behind the self checkout counter at stores. Sure you lose a little in shoplifting/fraud, but it might still work out to cost less over all.
> Houses can be cheap, or they can be a good investment. Not both.
> I think I read that here on hacker news a few years ago, and it has stuck with me.
It's repeated in every HN discussion about housing.
Also, it's too simplistic. It's basically impossible (barring a complete market meltdown like Detroit back then) to not increase your net worth owning a house.
You have to live somewhere. If you buy a house you (very slowly) end up owning it. A house has nonzero value. Now you have some equity, aka wealth. Even if the price depreciates it's not zero, so you built some wealth (vs renting where you could've rented for 60 years and still own nothing).
There's no contradiction. If it's easy to generate rent income from a house then houses will appreciate in price. For example, if I can buy a house and pay off the loan just from rent payments then it's a great investment.
The valuation of the company has little to do with the equation of how much profit has been made in the past. It is focused on the company's profit potential in the future. This has always been the case.
Sears or Ford may have produced a ton more in profit than was, as you say, put into the company. But the current valuation is based on what profit the market believes it will produce in the future.
I think what amazes OP is that "convincing people that profit will happen in the future" produces better stock value than actual profit happening today. We all know that's how it works but it's still amazing. The market is clearly showing that a bird in hand is worth less than two that might be in the bush 10 years from now.
Musk is 50, already past his intellectual prime. Has been an entrepreneur (or at least he claims) ever since he was 20.
If he hasn't delivered any profit in 30 years, it's clear that his business model is based on politics, subsidies and aggressive promotion to sell the stock and enrich himself as opposed to building something that improves the quality of life of the avg. citizen.
“Because our population exceeds the carrying capacity of the planet, and if it does not do so already, will likely do so in the future, and if it does not do so in the future, it is still a good idea to have a backup plan for our descendants in case we manage to wreck this planet some how. Having a plan B just makes sense doesn’t it? Bet you the dinosaurs wished they had one”
It doesn’t, though. Per capita consumption varies. It’s more that a minority of our population vastly over-consumes. That problem would exist on another planet too.
That's a popular argument that falls apart when you look at the aggregate level of material wealth on this planet. Using GDP per capita as a passable proxy: current world GDP per capita is around $12k afaik, which is about where Mongolia and Indonesia are. Considering the high level of inequality there (when you go there as a tourist, you're exposed to the wealthiest part of the society, and we're talking about the average), do you think people would be happy to freeze their consumption at that level? Or even lower, because most people talking about "over-consumption" also think that the current level of consumption is unsustainable?
To make things worse, there are also embedded emissions. You can see it with China, coming out of poverty requires infrastructure expenditure, which means "wealth averaged out" would be even worse than the average would suggest, as you can't average sewers and highways, you have to build them anew.
There is just not enough wealth on this planet as it currently is. When you're saying "they'll be happy far below the most conspicuous of over-consumption", it actually means "worse than an average citizen of Mongolia, forever", which doesn't sound as enticing, does it?
That would assume GDP is a measure of resources and production capacity as opposed to just vaguely correlated. It would also assume there is no way to reduce unnecessary production costs, like profits.
It’s entirely possible to start from today’s resources and build production far more efficiently if we produce rationally for use.
Look at the scale of the numbers involved, profits are around 15% across developed economies [1], which is not nearly enough to offset the difference between average Mongolian and what you'd consider a decent QoL.
I don't see any evidence for that claim. What's more, planned economies don't seem to be particularly efficient at reducing waste or improving QoL, examples are plenty, from lake Karachay to unavailability of basic feminine hygiene products in USSR up until its breakup.
I'm reading this book, "Why We Sleep" by Matthew Walker, and it says the half-life of caffeine is like up to 8 hours ... so having a 3pm coffee means going to bed at midnight with half of it still active.
I've cut coffee out of my diet after noon lunchtime, and I think it's helping ... tough to be sure but as long as I believe it, it's pretty good
I don't think that book is generally considered scientific. It contains a bunch of opinions, but it is not peer reviewed article and not everything in it is backed by good studies.
I have noticed the same effect as well. There is a noticeable difference to the quality of my sleep on the days I have consumed caffeine and the days that I have skipped it. The quality of your sleep likely has effects on your mood, energy levels and over all stress levels.
However, I was referring to the direct effects of caffeine on your stress and anxiety levels. I would go so far as to say that if you are taking steps to reduce your stress and anxiety levels, quitting caffeine should be on the list of some of the first things you try. (Alongside the usual advice of good sleep, exercise, meditation and diet)
"After adjusting for additional dietary, demographic, and lifestyle covariates, positive associations between total weekly caffeine intake and anxiety and depression remained significant"
"Caffeine also increases anxiety in PD patients as well as among healthy adults at these doses although the exact relationship between caffeine-induced anxiety and panic attacks remains uncertain. The results suggest that caffeine targets important mechanisms related to the pathophysiology of PD."
You probably don’t carry a wireless charger with you on the go, which is incidentally when you’re most likely to need this. You’re not going to wirelessly charge your phone while you watch a movie on a flight or a train, but you sure do want to charge it so you have power left at your destination.
Wireless charging is nice but has a few problems. A cable charges my phone ~3x faster, generates less heat, and wastes less electricity. On the go, a USB-C cable is also more useful than a wireless charger.
You need a faster wireless charger. The high-power ones aren't as slow as this.
But still, you're right: wires are more efficient and faster. And the big factor is that no one brings a wireless charger traveling with them. A cable is much smaller and lighter, and the wireless charger still needs the cable and power adapter anyway.
When I first got a phone without a headphone jack, I bought one such dongle. It didn't work. My two subsequent phones have had headphone jacks, so I'm not going to worry about this problem again for a while, but at the time at least it was certainly not as simple as buying a dongle and knowing it would work.
Every answer here is "buy this other thing, no wait, that may not work for your use case, buy this other thing to lug around or that makes your laptop effectively a desktop".
This is strictly worse than the previous status quo.
I am not an economist, but here is my theory on the whole thing (would love to hear if there is a flaw with this reasoning!):
The fundamental problem is that a wealth of a society is determined by its productive capacity. A society with more homes, more cars, more phones, more food, more clothes, more university classrooms, more hospitals and doctors, more medicine, (you get the picture)... more good and services is wealthier.
A society with more dollars but without the corresponding increase in all of those things is no wealthier.
You can magic up trillions of dollars and hand them out to each and every individual currently alive in the US or for that matter the planet. Give each person a billion dollars. You still would not suddenly end poverty, or hardship or hunger or anything else. That money is still used to buy the goods and services which are being produced at the same rate as before.
When we distributed trillions of dollars over the last couple of years while simultaneously having lockdowns for covid, we not only added money to a system without adding corresponding productive capacity. We did the opposite: we reduced the number of homes being built and maintained, we reduced the number of clothes being manufactured, we reduced the amount of education we provided, we reduced the amount of health care provided, we reduced the number of vacations and restaurant meals that were provided, we reduced the number of cars being made (you get the picture)... we created a backlog of unmet demand.
The prices would likely have gone up even without the money printing due to this backlog of unmet demand, the additional money in the system just made the price rises bigger.