Hacker Newsnew | comments | show | ask | jobs | submit | digitalsushi's comments login

It will be interesting to watch how over the next decade the airspace is forced to get split up and reassigned. We're on chapter:fairy tale and we will eventually get to chapter:mundane. The tech exists, the money exists, the demand exists. There are clearly some huge obstacles, the same magnitude plaguing self driving cars. Both fascinating worlds unfurling before us.

This was still a fantastic little primer - in the tech field, I think we all know a few people that know katakana and hiragana well enough to impress their friends by mentally sounding out an english cognate - "hey friends, this is a pharmacy up here" - the first 1% looks like magic to the rest of us.

Well... Taking Japanese in high school will do that to you. Hiragana and katakana are the first things you go over and it took a good part of the first year.

Korean is simpler by far. Just a couple weekends of looking at the rules and what they do. My problem is that I can't actually form the sounds in my head fast enough in order to know what the words mean.


You know, I've struggled with this concept. I agree that we shouldn't pipe a URL into a bash script without knowing what it is.

But an unsigned software repository that calls post install scripts seems just as absolutely easy to modify, and we see those regularly.

My software is most easily installed with a piped bash script. In the script contents, I try to explain what's going on. I also at the top indicate that you shouldn't just trust what I am telling you. And then in the documentation, where you are told how to run the script, I tell you to be cautious there as well. (The script just installs the repository, and from there it's all signed and delivered over https).

I could never get over how easy it would be to whitewash a bash script with an rpm just to get some psychological credibility.

If it's not signed and/or delivered over https, it's completely hackable.

That first step of trust, how?


People who are serious about their security run something like Debian and only install from the official repositories, where all packages are signed with GPG and all package maintainers must be part of the web of trust (i.e. have had their identity vouched for by at least one other Debian maintainer).

Of course you have to make sure the original install is trustworthy; all you can really do for that is compare the .iso checksum on several different machines. If all those machines are compromised (or there's a hardware-level compromise of your machine) then you're doomed, but that at least makes attacking a lot more costly than it would otherwise be.


Well, latest SSH vulnerabilities came from the official repos as well. Sure, those were bugs not evil modifications, but still.

Yeah, I know. That was awful and should have resulted in policy changes; it hasn't, and I don't use Debian any more. But it makes a good example of the right approach to package infrastructure.

Is there a distro with a stronger policy than Debian? what are you using now?

I wouldn't think stronger than Debian, but there are plenty of distros with equivalent policies. At the moment I'm running FreeBSD (not especially for security reasons).

Checkout docker-notary [0] a tool for checking signatures that you can pipe in between the download and execution of the script.

[0] https://github.com/docker/notary


The best thing about bash, and by bash I mean sh if we're going to argue and I mean bash if we're not going to argue, is that it's already on every system and you can just plan on being able to use it with no further work. Pipelining is definitely awesome, but you can make furniture out of gluesticks using enough bash (and all those two letter commands that aren't bash but always infect the system along side it)

-----


OK. I'll buy that. I don't necessarily agree, however. It's so trivial to get small programs onto a remote machine that relying on `sh` only because it's there seems like a premature optimization.

-----


It's a tradeoff. There's also nothing stopping folks from rewriting init and rc scripts as Ruby code or (re)writing systemd in Go, Ruby, etc.

-----


People like to take photos and videos of themselves. You don't need a reason, just some vanity. These will sell like hotcakes.

-----


Sure, I guess the main thing it comes down to is cost, and likelihood of the camera being stolen or damaged when left unattended.

It's fundamentally very cool and if it was cheap enough to be essentially throw away, or at least pretty easily replaceable, I think there would be a massive demand. But that won't be true for a long time.

-----


I have a friend with a web publishing business. She uses guess and check with text edit copy/paste to build websites for clients. I've shown her the console log countless times and she always rolls her eyes when I extoll its value.

She makes 50% more than me, has cash in the bank, and loves her life.

All I have is picking on her javascript. And I'm not even really any good at it.

I think there's no reason to be correct when your goal is to buy food and pay rent.

-----


No offense, but what do you do where a guess-and-check person makes 50% more than you? Is she just hustling for clients who have no idea what they're doing re: web design and using marginal technical knowledge to make pages for them?

-----


We created our password file with ccrypt, and modern vim can open it right up with no fuss.

-----


I actually had an idea for password as a service.

The security implications are all rubbish, and obviously it fails if the site goes away, but hear me out and then offer a local way of doing this, cause I'd love it:

Let's pretend you have some set of computer files that are distracting you. (A video game, or old high school/pre-divorce/estranged family photo albums, this could be anything). You want to keep them, but you want to restrict your own access to them.

Password as a service: you go to some little widget site, enter an email address, a date, and it gives you a password. Unless you have a photographic memory, you just paste it into a protected archive, forget it, and then wait until the date to get emailed a password reminder. Until then, you are locked out of your archive and there's nothing to be done until that day.

I haven't figured out a clever way of this that can't be defeated if the password is generated locally.

-----


RedditStorage reminds me of a couple business models we tried out that tanked..

The first was a new business where we would go to trade shows, conventions, hell even fast food places, and just collect as many free beverages, condiments, napkins et cetera as possible. Then we'd sell them online.

The other one didn't do much better. We'd go to a Lowes Tool Rental, and just rent a bunch of tools and then re-rent them out of our truck in the parking lot. They had to have them back an hour before Lowes closed for the night.

Our current business model is, we go to bars and hit on people, and if we get their phone numbers, we add it to a subscription service where other people can have access to it.

Honestly, I feel we're no more in the wrong than RedditStorage is.. /s

-----


It's about sensory fuzzing. Either masking them or overexposing them. An armchair in the closet under the stairs in the dark with a loud ceiling exhaust should be a reasonable substitute and save a lot of water.

It's like "flip a coin to decide a problem - while it's in the air you'll know how you want it to land".

My college coworker just called it the "coprocessor" and said the only way to engage the coprocessor was copious amounts of mario kart.

I lived in a large new england textile mill building while I was in college, with well over a mile of hallways over its five floors. I could have walked to other states, doing laps at 1AM while figuring out computer science homeworks in the back of my head.

-----

More

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: