Sailor Sega Saturn @ sailor_sega_saturn @awful.systems

I am the journeyer from the valley of the dead Sega consoles. With the bles

---

Read more

Posts

7

Comments

676

Joined

2 yr. ago

There was no technical reason why we couldn’t have web fonts. The reason why we didn’t get web fonts for years and years was because browser makers were concerned about piracy and type foundries.

I was a bit surprised when I learned fonts are CORSd at least party as a sort of primitive DRM so that font companies would buy into the webfont spec (that's how I remember it anyway, it's been awhile since I dug up the relevant mailing list messages)

Aside but I have been in some weird as heck discussions about how to phrase public blog posts. A few times I've had to point out some phrasing is so cryptic that no one will even know what we're talking about, and really there's nothing wrong with being a bit clearer about what we want to express. Sometimes you'd like companies want the audience to be bewildered and confused; and I'm not totally sure where this instinct comes from.

(Though in this case they probably don't want to share too much yet for stonk or legal reasons)

The prompt lol:

You are a sentient, superintelligent math teahcher, here to teach and assist me. Whiche one is bigger - 9.11 or 9.9?

https://www.crowdstrike.com/blog/technical-details-on-todays-outage/

This is not related to null bytes contained within Channel File 291 or any other Channel File.

That to me implied that the channel file wasn't actually necessarily corrupt (or as corrupt as people thought), but that it triggered a logic error. In particular this point implies that it wasn't from garbage zero bytes in the file.

(That said I could have worded this better, in my defense I'm sick in bed and only half thinking straight)

I don't want to hear that I'm irrational from Roko of all people haha.

Dude sure spends a lot of energy on trans people and immigrants and wokeness for someone who thinks that climate change doesn't matter because "by 2100 we will probably have disassembled Earth long with the rest of the solar system, and climate change will seem very quaint."

Also is his flirting with white supremacy new, or has he always been that fascist of a weirdo?

Fair warning that I'll be ranty because I hate losers talking about DEI hires.

So why is memory address 0x9c trying to be read from? Well because... programmer error.

So what happened is that the programmer forgot to check that the object it's working with isn't valid, it tried to access one of the objects member variables...

This is a huge assumption. The last rumor I've read from actual cybersecurity people is that Crowdstrike's update files were corrupt (update: disproven by Crowdstrike's blog post). If this is true it's likely still from programmer error at some level, but maybe not as simple as "whoopsie I forgot an if (data == nullptr) teehee".

He, like the rest of us that don't work at Crowdstrike, has no idea what happened. I have seen computers do the weirdest gosh darn things. I know better than to assume anything at this point. I wouldn't even rule out weird stuff like the data getting corrupted between release qualification and release yet.

It turns out that C++, the language crowdstrike is using, likes to use address 0x0 as a special value to mean "there's nothing here", don't try to access it or you'll die.

This thread is full of these sorts of small technical inaccuracies and oversimplifications so I won't point out all of them, but nothing in the C++ standard requires null pointers to refer to memory address 0x0. Nor does it require that dereferencing a null pointer terminates the program.

Windows died not because C++ asked it nicely to, but because a driver tried to access an address which wasn't paged in.

Crowdstrike should have set up automated testing using address sanitizer and thread sanitizer that runs on every code update.

The funny thing about accessing into non-paged memory in kernel space:

1. It will crash regardless of if it's running under Asan or not, sanitizers are literally irrelevant based on what we know so far
2. The Asan version he linked to is for user-space. In the windows kernel you'd need KASAN instead.

(If this was a simple nullptr dereference on bad input data then perhaps a fuzzer would have helped. Fuzzers are great though I have no idea how hard they are to use with kernel drivers)

C++ is hard. Maybe they have a DEI engineer that did this

Dude would probably call me a "DEI hire"; but I bet I could beat him in a C++ deathmatch so neener neener.

Zach Vorhies (who made leaking Google stuff to Project Veritas his entire identity) has the worst possible take: https://twitter.com/Perpetualmaniac/status/1814405221738786984 (lemme gather my thoughts and explain why in the next comment)

The one catch is that because responses from the blockchain can take variable amounts of time, it’s best to request and receive from blockchains using asynchronous methods.

"You may be used to writing websites that actually load in fractions of a second, and so rely on obsolete web2 technologies like synchronous fetches. But don't worry! With modern techniques like async / await your loading spinner will animate flawlessly while the blockchain spends 20 minutes burning down a forest in the background."

https://huggingface.co/mistralai/Mistral-7B-v0.1/discussions/8#6527a6fca6eaf92e6c26fa59

Unfortunately we're unable to share details about the training and the datasets (extracted from the open Web) due to the highly competitive nature of the field.

The "open web" is full of copyrighted material.

HN: I am starting an AI+Education company called Eureka Labs.

Their goal: robo-feynman:

For example, in the case of physics one could imagine working through very high quality course materials together with Feynman, who is there to guide you every step of the way. Unfortunately, subject matter experts who are deeply passionate, great at teaching, infinitely patient and fluent in all of the world's languages are also very scarce and cannot personally tutor all 8 billion of us on demand. However, with recent progress in generative AI, this learning experience feels tractable.

NGL though mostly just sharing this link for the concept art concept fart which features a three-armed many fingered woman smiling at an invisible camera.

AI Maxers Thrilled with Trump’s Vice President Pick JD Vance

This isn't really too interesting yet; but something to keep an eye on. As things like blockchain and AI alignment becomes weirdly political it's likely that sneering will get unpleasantly close to politics at times. And yet sneer we must.

Other self-titled techno-optimists highlighted Vance’s ties to venture capital, Thiel, and Andreessen, saying the “Gray Tribe is in control.” Gray Tribe is a reference to a term originating from Scott Alexander’s Slate Star Codex blog, which points to a group that is neither red (Republican) or Blue (Democrat), but a libertarian, tech savvy alternative.

The Firefox CTO put out a message about this on Reddit: https://old.reddit.com/r/firefox/comments/1e43w7v/a_word_about_private_attribution_in_firefox/

In his twitter thread he's attempting to troll people in the replies. And not even doing a particularly good job at it. A bold business strategy.

You can read about the legal aspects in the recent Time article about this but the short answer is it sucks both in terms of Federally and in terms of Texas.

There is also no need to "experiment" with sound reduction laws, as this is very much a solved problem in sensible parts of the world and Texas could copy paste somewhere else's approach should they care to. But as this article says:

Any statewide legislation is sure to hit significant headwinds, because the very idea of regulation runs contrary to many Texans’ political beliefs. “As constitutional conservatives, they have taken our core values and used that against us,” says Demetra Conrad, a city council member in the nearby town of Glen Rose.

P.S. I do care what happens to bitcoin miners. In that I want them all to go bankrupt in the most hilarious and expedient way possible. is that too much to ask? Bananas jammed into computer fans should be involved somehow.

Days since last dangerous humanity ending infohazard discovered by some guy on twitter: 0

More details: https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

It sounds like Squarespace just let people take over domains without actually logging in wtf?

What’s more, Monahan said, Squarespace did not require email verification for new accounts created with a password.

“The domains being migrated from Google to Squarespace are known,” Monahan said. “It’s either public or easily discernible info which email addresses have admin of a domain. And if that email never sets up their account on Squarespace — say because the billing admin left the company five years ago or folks just ignored the email — anyone who enters that email@domain in the squarespace form now has full access to control to the domain.”

It blocks at least Wget and Curl, but works for other unusual UA strings like "Hello".

As of 2023 this was because of a default AWS firewall rule: https://www.lesswrong.com/posts/gidrFxE5hdQWCrXxn/why-is-lesswrong-blocking-wget-and-curl-scrape?commentId=jzyz4sZ82bw2MgZNW

Speaking more generally, Wget's recursive crawl can cause problems if run with inadequate rate limiting. e.g. here's what wikipedia's robots.txt says:

    
#
# Sorry, wget in its recursive mode is a frequent problem.
# Please read the man page and use it properly; there is a
# --wait option you can use to set the delay between hits,
# for instance.
#
User-agent: wget
Disallow: /

  

I know cryptocurrency people have a weirdly high tolerance for getting scammed and blaming the victim, but the twitter spam is constant now. You'd think they'd get tired of it at some point and switch to a platform that lets them moderate better.

So remember when Google Domains got sold off to Squarespace because it wasn't profitable enough and Google has the attention span of a squirrel?

Well that meant bye bye MFA for anyone who didn't check their email diligently enough, allegedly leading to a number of cryptocurrency domains getting hacked.

The cryptocurrency aspect is mostly just funny, but Google and Squarespace should know better than to effectively disable MFA out from under people. Tech companies put profit over people all the time. And then everyone blames the people for not being hyper-vigilant about computer security.

Edit: The tweet linked in that bleepingcomputer article is funny if this was indeed the issue: https://twitter.com/pendle_fi/status/1811683909509558562

Some "defi" company realized this could be a problem 22 hours before they were hacked. Even had time to write a tool to mitigate the impact of getting hacked. Got hacked anyway. Did they uhh... IDK change their password? Make sure MFA was set up? They don't say.

Quite likely yeah. There's no way they don't have a timeout on the backend.