• 0 Posts
  • 49 Comments
Joined 1 year ago
cake
Cake day: August 10th, 2023

help-circle

  • Are we really doing fine? 4% linux market share? Windows is a default?

    I suspect that the issue hindering adoption is GNU and other user land projects, not the Linux kernel. Plenty of people use devices that pair a Linux kernel with an easy to use UI and popular software (see Android and Chromebook).

    Many people would happily switch to a Linux based OS that had the exact same GUI as their current OS and ran the exact same software. That is not a realistic requirement in practice.

    It is possible that Linux would have more adoption if they invested more money into having drivers for a wider range of hardware, but having Linux kernel develers write drivers instead of hardware vendors is not a strategy that scales well.






  • About 10 years ago, I read a paper that suggested mitigating a rubber hose attack by priming your sys admins with subconscious biases. I think this may have been it: https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final25.pdf

    Essentially you turn your user to be an LLM for a nonsense language. You train them by having them read nonsense text. You then test them by giving them a sequence of text to complete and record how quickly and accurately they respond. Repeat until the accuracy is at an acceptable level.

    Even if an attacker kidnaps the user and sends in a body double, with your user’s id, security key, and means of biometric identification, they will still not succeed. Your user cannot teach their doppelganger the pattern and if the attacker tries to get the user on a video call, the added lag of the user reading the prompt and dictating the response should introduce a detectable amount of lag.

    The only remaining avenue the attacker has is, after dumping the body of the original user, kidnap the family of another user and force that user to carry out the attack. The paper does not bother to cover this scenario, since the mitigation is obvious: your user conditioning should include a second module teaching users to value the security of your corporate assets above the lives of their loved ones.




  • I am not a hiring manager (or, more likely a recruiter/HR), so I cannot speak about the value of having a MS listed on one’s resume.

    I am a senior developer with a masters degree and I am very grateful for the knowledge I got from that degree. Since I graduated, I have never needed to write a compiler, but i know how to implement a bunch of language features and it makes new languages easier to learn.

    Could I have learned all of that without going to school? Definitely. It is all in white papers, software documentation, and textbooks, but for me, that is not the best way to learn. From what I have been able to find, even the most advanced MOOCs are only at advanced undergraduate level but don’t cover grad school level concepts.



    • Encrypt the data at rest
    • Encrypt the data in transit

    Did you remember to plan for a zero downtime encryption key rotation?

    • No shared accounts at any level of access

    Did you know when account passwords expire? Have you thought about password rotation?

    • Full logging of access and activity.

    That sounds like a good practice until you have 20 (or even 2000) backend server requests per end user operation.

    All of those are taken from my experience.

    Security is like an invasive medical procedure: it is very painful in the short term but prevents dire complications in the long term.




  • So you are suggesting forum software that supports single sign-on?

    We are talking about an open source project, not a high school reunion. I don’t want to hang out with people, I want to have a discussion about a focused topic.

    I want to ask a question and get an answer. If the question is not one that anyone online can currently answer, I want to be able to tell at a glance if anyone has talked about my question. If I don’t understand the answer, I want to ask a follow up question.

    In the evening, I want to be able to take a look at new posts from that day, grouped by topic, to see if there is anything I find interesting or can weight in on.

    With Discord (or any real time chat), it is hard to follow a single topic when more than one is being discussed. It is doubly hard to do so after the fact. I am aware that Discord has a forum feature. I have only seen one server ever enable it and no one posts anything to it.



  • It is better to find a developer that has experience with the language features you use rather than one that is experienced in the exact language you use. For example, I work on distributed systems in Java/GoLang/Python. We want candidates that understand how to write concurrent logic and stay away from people who are just Java web developers.

    The big issue is doing a coding interview with candidates. We have a standard straightforward problem that candidates need to solve by filling in a stubbed out method. We have it in Java and have ported it to GoLang. If we have to interview a candidate who does not know either of those languages, we would need to find a language that the candidate knows and we know well enough to port the problem to. We would also have some difficulty digging in to design specifics like choice of concurrency primitives.


  • I have been an individual contributor at large corporations for more than 10 years. Every time I have had a colleague promoted to manager, they always planned to stay technical and keep coding. Every one of them, without fail, stopped coding because they were too busy.

    Thinking back to my managers who left for other roles, only one quit to work in higher management, the rest all went back to working as developers.

    I worked at giant, globally distributed companies (15-25k employees), so I imagine that my experience is not typical.


  • But a floating point issue is the exact type of issue a LLM would make (it does not understand what a floating point number is and why you should treat them differently). To be fair, a junior developer would make the same type of mistake.

    A junior developer is, hopefully, being mentored by more senior coworkers who are extra careful with code reviews and would spot the bug for the dev. Machine generated code needs an even higher level of scrutiny.

    It is relatively easy to teach a junior developer to write code that is easy to read and conforms to the teams style guide.


  • All the time. Causes include:

    • Test depends on an external system (database, package manager)
    • Race conditions
    • Failing the test cleared bad state (test expects test data not to be in the system and clears it when it exits)
    • Failing test set up unknown prerequisite (Build 2 tests depends on changes in Build 1 but build system built them out of order)
    • External forces messing with the test runner (test machine going to sleep or running out of resources)

    We call those “flaky tests” and only fail a build if a given test cannot pass after 2 retries. (We also flag the test runs for manual review)