Hacker News new | past | comments | ask | show | jobs | submit | SEJeff's comments login

These folks are trying to do what you are suggesting here:

https://www.nationalpopularvote.com

It is an interesting idea.


You’d genuinely be shocked how many hardcore tech folks own and run hobby or semi-commercial farms.

I run a biodiverse fruit orchard.


The point of this post is really to read the comments. It was amusing to see Rob Pike so dismissive of fuzzing when fuzzing finds a lot of issues humans miss.


First name checks out :)

I promised a coworker up north a bit in Meath that one day I’d come visit him and got that chance about seven years ago. Along the way we did the tourist in Dublin thing and part of it was the trinity long room and book of kells. Amusingly, a cabbie was asking me what I loved about Dublin and I said the history. He asked what in specific and I told him that there is probably chewing gum on the ground older than the founding of the United States. He got super offended and told me they clean the streets in Ireland, but then I mentioned the Aran Islands, Newgrange, and the Drombeg Stone Circle… What is “old” in Ireland is 3000-5000 years old. What is “old” in the USA is a few hundred years old at best.

Such a lovely place and people.


Lots of old things/places in the US too if you don’t disregard native history.


If you are counting stone circles, it seems unfair not to count 5000 year old mounds in the US.


The Drombeg stone circle is like stone henge’s grandfather.


Dromberg looks great and Stonehenge is definitely far too crowded with tourists[0] but with respect to age Dromberg is considered to be 3000 years old [1] versus Stone henge being 5000 years old [2]

I will resist the temptation to joke about time travelling aliens

0 - Why do the tourists have so many Disney shirts, hats, and backpacks???

1 - https://www.tuatha.ie/drombeg-stone-circle/

2 - https://www.english-heritage.org.uk/visit/places/stonehenge/...


My attempt to answer question 0 - apart from the most obvious answer, that it's a global megabrand present in every culture that is connected with the global mainstram, so it's like asking why do so many tourists drink Coke and eat at McD's - underpinning a great deal of what Disney does creatively is a collective longing for myth, magic, mystery and timeless stories that reach back through the ages. People who like that kind of stuff (i.e. an awfully large percentage of humans) and who happen to be passing through that part of England will be inevitably drawn to those big ol' stones rising out of the mist...


The firedancer team at one of the better HFT firms wrote an AVX512 optimized implementation of ed25519 and X25519 that’s significantly faster than OpenSSL.

https://github.com/firedancer-io/firedancer/pull/716

Ditto for sha256: https://github.com/firedancer-io/firedancer/pull/778

And sha512: https://github.com/firedancer-io/firedancer/pull/760

If you’re an optimization nerd, this codebase is wild.


I laughed a little at calling Firedancer contributors "a team at a HFT firm".

Not that you are technically wrong, not at all, that's where Jump came from. It's just that this is all completely blockchain-driven optimization, but the b-word is so dirty now that we've gotta go back to using TradFi for the rep.


It’s an optimization in hashing algorithms that is around twice as fast as the ones Amazon is posting in thus article for the same eliptic curves.

If the Amazon improvements are hacker news worthy (they are) this seems reasonable contextually.

Also, I worked for Jump for almost 12 years :)


What makes the “b-word” dirty?


I didn’t use it because I didn’t find it relevant. They’re using hashing and EC algorithms and they’re improving them.


It's hard to separate from the sea of grifters, con men, cranks, and scammers that infest the domain. Just using the word is a yellow flag that you might be some kind of whacko, even if all you really want to talk about is the math.

People have to forever be on guard that you might at any point pivot to all taxation is theft or how you have formed your own micro nation that consists entirely of yourself and thus have diplomatic immunity from all prosecution. Because it happens. Or maybe you have a once in a lifetime deal to buy this receipt like object for some hideous art that is guaranteed to appreciate in value millions of percent. It's just the crowd that has aggregated around crypto currencies includes a lot of untrustworthy people.


Why do people need to be on guard for those beliefs? People should be critical thinkers and not thought police.

Granted, there are all kinds of whackos in crypto, but we should only be concerned about the immoral ones trying to scam us out of our money: SBF, Do-Kwon, and the like.


people are legitimately buying farming land in the US and currently suing farmers for "anti-trust" for refusing to sell them their land so that they can quite literally create a crypto based sovereign micro-nation of wealthy tech VC's. [1] and I think that is a selfish, vile and delusional thing to do. It has nothing to do with "thought police" its as simple as looking at the impact of their actions and beliefs and making the decision to reject that way of thinking and way of life.

1: https://www.youtube.com/watch?v=PHlcAx-I0oY


The trough of disillusionment carved out by grifters burning the peat of enthusiasm unsustainably.


A lot of slowness comes typically comes from wanting to avoid methods that enable side-channel timing attacks


So many manhours spent on finding better ways to shovel around money and pocket what falls from the cracks.

What a wasteful and unproductive enterprise, considering the vast majority of the devised improvements never see the public eye.

Still, impressive work. Imagine if those brilliant minds behind this were focused somewhere else.


The greatest minds of our generation spend their time thinking about how to:

- make people click on ads

- make trading algos faster

- replace human artists

- build more efficient killing machines

- destroy any remaining concept of privacy


Greatest mind of previous generation made nuclear bombs and other deadly things.


Aren't the greatest mind(s) of our generation writing Terry Tao's blog posts?


This directly implies that all the people that did useful stuff (improving cancer survivability, new vaccines, renewable energy, and others) are all "below" the "greatest minds of our generation".

Not to mention it also suggests there is a way to "compare" minds. I would not choose myself to do somethings, but that does not mean I despise automatically people choosing to.


I think they meant greatest minds have to be greatest money earners also. Else they are not greatest minds.


Hey, at least we had one of them working on TempleOS.


It doesn't seem wasteful and unproductive, given that the result of the HFT industry is smaller bid/ask spreads (lowering costs for all trades) and payment for order flow which is the mechanism that eliminated retail commissions and provides price improvement on many retail trades. And even so, HFT firms are making money.

It might not seem like real work, but making money by reducing costs of market participants sounds like a good thing. I admit though, block trades might be harder now than before the rise of HFT.

If you could do warehousing/distributing/coordinating fresh foods in a way that reduced the difference in price between the farmer and the consumer and make money doing it, that would clearly be good work.


What do you work on?


Public funded, public benefiting space missions.


I'll never be able to figure out what people get from repeating the same thing over and over. I've seen this same exact comment 1000 times on hn and I'm 100% sure you have too (indeed I believe the reason you repeat is because you've seen it and agree with it).


It's virtue signalling.


I see they learned clang’s dirty little secret over intrinsics viz. that in producing the IR it deviates (sometimes dramatically when AVX-512 is concerned) from the documented opcodes and the results are inevitably detrimental.


This is why ffmpeg uses assembly, and people get extremely mad when you say it's done for a reason, because they always want to come up with a fancier abstraction (usually cross-platform) which then defeats the purpose because it doesn't actually work.

nb those abstractions do make sense when you can only afford to write a single implementation of the algorithm; then you're just talking about a high level programming language. But they frequently fail to achieve their goal when you're writing a second implementation for the sole purpose of being faster.


Completely agree re: firedancer codebase. There is a level of thought and discipline wrt performance that I have never seen anywhere else.


It's much more than just performance they've thought about. Here are some of the secure programming practices that have been implemented:

  /* All the functions in this file are considered "secure", specifically:
     - Constant time in the input, i.e. the input can be a secret[2]
     - Small and auditable code base, incl. simple types
     - Either, no local variables = no need to clear them before exit (most functions)
     - Or, only static allocation + clear local variable before exit (fd_ed25519_scalar_mul_base_const_time)
     - Clear registers via FD_FN_SENSITIVE[3]
     - C safety
  */
libsodium[4] implements similar mechanisms, and Linux kernel encryption code does too (example: use of kfree_sensitive)[5]. However, firedancer appears to better avoid moving secrets outside of CPU registers, and [3] explains that libraries such as libsodium have inadequate zeroisation, something which firedancer claims to improve upon.

[1] https://github.com/firedancer-io/firedancer/blob/main/src/ba...

[2] https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplic...

[3] https://eprint.iacr.org/2023/1713

[4] https://libsodium.gitbook.io/doc/internals#security-first

[5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...


These are table stakes for core cryptographic code, and SOT crypto code --- like the Amazon implementation this story is about --- tend at this point all to be derived from formal methods.


As an example, the Amazon implementation doesn't refer to gcc's[1] and clang's[2] "zero_call_used_regs" to zeroise CPU registers upon return or exception of functions working on crypto secrets. OpenSSL doesn't either.[3] firedancer _does_ use "zero_call_used_regs" to allow gcc/clang to zeroise used CPU registers.[9]

As another example, the Amazon implementation also doesn't refer to gcc's "strub" attribute which zeroises the function's stack upon return or exception of functions working on crypto secrets.[4][5] OpenSSL doesn't either.[3] firedancer _does_ use the "strub" attribute to allow gcc to zeroise the function's stack.[9]

Is there a performance impact? [6] has the overhead at 0% for X25519 for implementing CPU register and stack zeroisation. Compiling the Linux kernel with "CONFIG_ZERO_CALL_USED_REGS=1" for x64_64 (impacting all kernel functions) was found to result in a 1-1.5% performance penalty.[7][8]

[1] https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attribute...

[2] https://clang.llvm.org/docs/AttributeReference.html#zero-cal...

[3] https://github.com/openssl/openssl/discussions/24321

[4] https://gcc.gnu.org/onlinedocs/gcc-14.2.0/gcc/Common-Type-At...

[5] https://gcc.gnu.org/onlinedocs/gcc/Stack-Scrubbing.html

[6] https://eprint.iacr.org/2023/1713.pdf

[7] https://www.phoronix.com/review/zero-used-regs/5

[8] https://lore.kernel.org/lkml/20210505191804.4015873-1-keesco...

[9] FD_FN_UNSANITIZED: https://github.com/firedancer-io/firedancer/blob/master/src/...


Zeroizing a register seems pretty straightforward. Zeroizing any cache that it may have touched seems a lot more complex. I guess that's why they work so hard to keep everything in registers. Lucky for them we aren't in the x86 era anymore and there are a useful number of registers. I'll need to read up on how they avoid context switches while their registers are loaded.


That team is full of world experts in high performance computing.


That looks really neat, but I still don't understand what firedancer actually is - what is a validator client for Solana and why does it need it's own crypto library?


It’s a new from scratch implementation of a validator for Solana the fastest blockchain by several orders of magnitude. The slowest part is signature verification so they sped up hashing to improve performance of the entire system.

They follow a first principles approach (the lead has a few physics degrees) and opted to speed up the cryptography. The beauty of this, despite the bad views on blockchain, is that they freaking sped up the cryptography of commonly used algorithms more than anything open or closed source that I personally am aware of.

It’s a win in cryptography, much like this Amazon post is, except it’s slower than the firedancer implementation.


Off topic - is Firedancer going to survive Jump winding down its crypto arm?

Kanav left, they liquidated a huge staked ETH position a few months ago (+ a bunch of other coins), and the SEC/CFTC is all over them for the Terra Luna fiasco.


Rumors of Jump’s demise are greatly exaggerated. Check the torrent of firedancer talks at Solana Breakpoint literally next week and decide yourself.

Folks have said jump is gonna die for 20+ years. They’ve been around 30ish…


Parent asked a specific question about the survival of Firedancer and winding down of the crypto arm though. No demise of Jump mentioned.


You will see a half dozen or so talks about firedancer and probably 35-40 or so of us total (I’m at the company that does security for firedancer, Asymmetric Research. We were founded by former jumpers).

You can make the determination on your own, but there will be an obvious large showing of firedancer folks and some exciting updates for the project.


> The beauty of this, despite the bad views on blockchain, is that they freaking sped up the cryptography of commonly used algorithms more than anything open or closed source that I personally am aware of.

For users that have AVX-512, which isn't widely available (AMD Zen 4 / Zen 5, Sapphire Rapids)...


Sure, and cpus supporting it will proliferate. Shockingly to no one reading hacker news... Both software and hardware continue to improve with time generally speaking. This was a huge software improvement on hardware that supports that functionality. It is a huge win for anyone wanting to use these algorithms where they can afford hardware that supports it.

We should celebrate Amazon's improvements and we should celebrate these improvements. Both are great for the future of technology, regardless of why they were initially developed. Improving tech and keeping it open source is good for all.


wow amazing, nobody is gonna edit that code ever again...


I love that you can simply type `orb` and get dropped into a Linux vm. Some of the cpu features are super weird (cat /proc/cpuinfo and it is unlike literally any x86 cpu I've seen before), but unless you happen to build stuff that depends on lots of specific cpu features like I do, it works well enough.


Please try out my Docker shell container - https://github.com/jrz/container-shell which works great with orbstack


I assume it matches whatever Rosetta advertises?


It's because Rosetta doesn't seem to emulate /proc/cpuinfo, so the contents reflect that of the arm64 host.


Yeah, it makes for VERY confused builds when you select on cpu features available.


I suspected that they used Cellebrite for this three days ago:

https://x.com/SEJeff/status/1813079033430876433

As much as it makes folks reel, this is working as intended. If you don't want them to crack your phones, consider setting a 10+ digit alphanumeric passcode instead of a numeric PIN.

Also, do not enable the biometrics such as FaceID. I'm very much of this opinion[1] that biometrics are usernames, not passwords.

[1] https://blog.dustinkirkland.com/2013/10/fingerprints-are-use...


In addition to the problems you mentioned, biometric systems are basically designed to cause hash collisions. And probably to a higher degree than most people realize.

After all, it would be annoying if FaceID failed just because I haven’t shaved today. So the algorithm has to account for that. As such, the entropy of the input is reduced.


> Also, do not enable the biometrics such as FaceID

I'd really like to see the ability to set a specific fingerprint to lock down the phone, requiring a different, more secure credential from the regular lockscreen to unlock. A long passphrase would probably be the right credential for most people.


I'd like to have different fingers do different things, including one that prevents fingers from working And have a short extra custom gesture to face to unlock Or a dozen of other simple things we could get with a little more competition in a more open space


If you hold power and a volume key on an iPhone will disable biometrics and require your password.


That's almost as good, but maybe harder under duress. As far as I can tell, Android requires interaction with the touchscreen.


I'm not sure FaceID would have helped them as much in this instance going by pictures of the aftermath.


Numeric pin? Seems like fingerprints on the glass alone would make a shorter numeric pin trivial to crack.

I'm just thinking of all the other weak security systems like garage door keypads where the code is derived from the more worn buttons. Or cleaning/dusting an ATM keypad before someone enters their code and then carefully examining the buttons afterwards.

But who knows — perhaps people have completely munged up their displays making fingerprinting useless.


There are some touchscreen input systems that will randomize the configuration of the numbers displayed to mitigate the "finger smudge" attack.


Man that would suck. I rely on muscle memory to recall passwords in everyday usage. Of course I could open a PWD manager elsewhere but it becomes cumbersome.


You would be surprised. After a couple days only, my brain adapted to the random layout well enough that it's the regular layout (on my iPhone, which doesn't seem to have the randomization ability) that throws me for a loop.


Would the ATM thing actually work though? Afaik most European ATM banks issue 4 digit pin codes and will block and eat the card at 3 invalid tries. Not sure how many tries you have total, but I figure it's not that easy to guess it right.

Update: ChatGPT says 12 tries total to get it right, so that makes it ~10% success ratio?


I probably read about this technique in Phrack or something similar .... so that kind of dates it.


Yeah it could be very well possible that it wasn't limited to just 3 tries back then, or at the very least the ATM would not block and eat the card then, allowing you to try again or at a different machine.


> As much as it makes folks reel, this is working as intended. If you don't want them to crack your phones, consider setting a 10+ digit alphanumeric passcode instead of a numeric PIN.

Can't emphasize this enough. If you're going to use a phone, set a long strong password. Nothing else will do. Yes, it's a bit more inconvenient. There is no workaround.


And turn your phone power off before committing a crime…

The first thing the police will do is connect it to power battery packs


Don't even bring your phone with you. You need to use old school methods to avoid tracking.


But if you leave your phone at home only on the days you commit crimes, it's a problem too. This was used in the past to identify people.


ALPR is the other big one. Your daily habits are in many databases and it’s easier than ever to sort out the outliers


I read this story many years ago where researchers were able to re-identify people using open travel datasets.

https://www.unimelb.edu.au/newsroom/news/2019/august/myki-pr...


[flagged]


I've been using this technique for some time now and it has been working really well.


Here's a list of people that have strong disagree[0]. What about those that have been falsely identified by facial recognition software? Just because you think you've committed no crime doesn't mean the authorities have the same thought.

[0] https://en.wikipedia.org/wiki/List_of_wrongful_convictions_i...


So the updated advice is to not bring the phone when you're not about to commit a crime.


that's also been updated as not being the greatest advice as they can use the lack of activity for that time period as being abnormal for you device which show suspicion as well.

just like not having any social media accounts looks suspicious. having a laptop with no data on it what so ever looks suspicious. if they want to find you as a suspect, they will find ways of doing it.


>that's also been updated as not being the greatest advice as they can use the lack of activity for that time period as being abnormal for you device which show suspicion as well.

If you're a NEET or wfh is it really suspicious that your phone hasn't moved the entire day?


How not to get your ass kicked by the police, step 1: OBEY THE LAW.

https://www.youtube.com/watch?v=uj0mtxXEGE8


That video probably isn't making the point your trying to make, given that it repeatedly shows people getting beaten by police for things that definitely don't warrant it, and towards the end advises "getting a white friend" as a means of avoiding police brutality.


An argument that could only be made by someone who's never read the news ever. Or dealt with police ever.


“One has not only a legal, but a moral responsibility to obey just laws. Conversely, one has a moral responsibility to disobey unjust laws.” – Martin Luther King, Jr.


Now, if we only had a test to distinguish between just and unjust laws.


Is your argument that we must obey all laws at all times, because a definition of "justice" cannot be given with the rigor of a mathematical proof? How then can law itself exist, without a means of objective interpretation? And why obey laws at all if no test exists by which any law can be determined to be either just or unjust?

You can find thousands of years of scholarship, philosophy, religion and legal doctrine on the matter, and most people seem capable of coming to at least a subjective conclusion on what is and isn't just, apart from what is and isn't legal.


For people protesting desegregation, the laws promoting desegregation were unjust.

For me, personally, punishments like death penalty (and adjacent, maximum security prisons, like ADX Florence) are abhorrent. If I had superpowers, I would violently oppose them. I would literally dismantle ADX Florence brick by brick, if I could. I imagine some people reading this would be equally horrified, and, would also violently oppose me.

The problem with protesting unjust laws is that these laws are just for other people. Coming to a personal conclusion on what laws are unjust is easy. Achieving consensus is impossible. Sometimes, even achieving majority is impossible (see, for reference, the Just Stop Oil guys who got 5 years in prison).

I'm not saying not to resist unjust laws; far from it. I am saying that determining what is moral and what is not is one of the hardest philosophical problems there is. And that opposing can, in some cases, lead to violence and civil war.


And that's why Socrates didn't drink the hemlock.


You're free to interpret your relationship with your government as a suicide pact if it pleases you. Others are not obligated to drink the poison of obsequious virtue.


And the Tootsie Pop Owl didn't bite


The guy that was upset younger people were reading books instead of memorizing things, and believed that would make people dumb, and literally ruin the next generation of the world?

Yeah maybe he wasn't infinitely wise on all things.


Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre. [1]

Richelieu may have said this or he may not have but the fact stands that there are enough laws on the books to convict anyone of a crime no matter how virtuous that person thinks he is.

[1] https://en.wikiquote.org/wiki/Cardinal_Richelieu


Let’s not forget syscall filtering. Using custom eBPF for what is in effect a syscall firewall is something my coworkers did for one of our clients and it’s really slick. It’s like super seccomp.


Clearly, if you care about security here, the best thing is to just use vim.


It was a month, not a few hours, and I have no idea where you got the $200,000 number. That is certainly not what Elon himself said. He said 1 month.

https://x.com/elonmusk/status/1323640901248393217


The reason you have no idea is you're talking about different instances of near bankruptcy for Tesla. Which tends to support GP's point.


What other instances? That was the really obvious one during model 3 “production hell” as they scaled up production mostly on hopium assuming they’d sell.



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: