Hacker News: fosefx's comments

Just like with "golang", "FStar" is the query of choice. But don't think you'll find much, if the documentation is in the same state as it was two years ago.

Aside: What makes Gitlab "AI-powered"?


The press release is not that long, but it contains "AI-powered DevSecOps platform" 4 times :D so it's just a buzzword.


They've got a Copilot-like code suggestions thingy.


They were replaced by AI


Claude would tell you that this is a shitty move PR wise and likely to backfire.

Edit: Tried it, and yes, Claude started its answer with: "I need to strongly advise against making such an offer publicly". No wonder these people are so impressed by their AIs, considering they are making worse choices than their models.


Tangent: Instagram managed to lock me out of their service for a week or so a couple of days ago. My browser was signed in to my account, but I had not used it for like a month.

Got logged out. I log back in (using 2FA btw). "Please give us your phone number so we can verify it's you." I enter my phone number. I don't really get the point of this because they did not have my number before, so what are they actually verifying here? Anyway, I trust Facebook with my phone number lol. I get a code, I enter it. "Your account activity is suspicious and we will limit your account for a bit." That was it. No redirect, no link to click, nothing. So I go back to instagram[.]com and have to do the same thing again?

Well, maybe my browser is on a block list now or sth. So I go to my phone (where I was signed in). And the app is broken completely, looks like the session was invalidated.

I log out, log back in, do 2FA, enter the code again. Same result.

I checked back in a couple of days ago and it seems like I have access again.

It is unfathomable how this can happen. How can the front gate to your multi-billion service just not work, to the point where you DOS yourself?

Also this account has 0 images, and just a couple of followers, so there is literally nothing to protect.

In moments like these you really start to notice the missing communication channels to the big tech companies. Is there any other industry that has zero customer support?


I'm sure that they have outstanding customer support. But you, however, are not the customer.


I'm confident they don't have outstanding customer support, even for actual customers (who are not you).

Outstanding customer support would entail expense, threatening profits. The money of happy and unhappy customers turns out to be the same color.


This makes me worried, because I am pretty sure Google is going to start removing keys based on attestation certificates.

I believe that this is much more about rate limiting than about security for the end users.


It seems like most industries are moving towards no support because "we need to scale at all costs and to the detriment of customers" seems to be the capitalism drumbeat. Customers these days, to many companies, are just statistical artifacts in their system.

I had a case the other day where I called my insurance company. The automated system couldn't understand my answers (I was actually trying to answer the given prompts rather than just repeating "representative" over and over). It replied "it looks like we're having a problem" and proceeded to just say goodbye and hang up on me. More than infuriating, and that's an understatement.


The problem is that there's zero law enforcement against corporation-vs-consumer fraud. Companies have noticed and are taking advantage of it (basic market pressures - if they don't, their competitor will).

Why make it easy for our customers to contact us (presumably to make a claim - i.e. the whole reason insurance products exist) when we can just pretend it's easy, collect money based on that lie and get away with it?


This isn't capitalism. It's more corporatism.

Capitalism responded to market forces and the needs of the customer.


Yes, companies which have real customer service will in theory have a competitive advantage over companies which have a voice response system that hangs up on the customer.

What often happens though, is that consumers go with the lowest price above all other considerations. Then they get the hard lesson in "you get what you pay for."

It's the same reason that air travel is so awful. You'd think that one or more of the airlines would compete on comfort and service, but that's impossible when travelers go to Expedia and overwhelmingly pick the flight with the lowest price.

I personally don't pay rock bottom for insurance, and I have an agent I can call and talk to without any intervening voice menus. A human in a local office answers the phone.


You pay health insurance out of pocket? I was referring to my medical insurance provided by my company.

I in general try to speak with my wallet, so to speak, but it’s like posting into the ocean. And with some things, like mail and shipping services, there are no options.


> Capitalism responded to market forces and the needs of the customer.

Did it? When? I can't name a single era when "capitalism" (a fuzzy term) actually responded to consumer demands in the way that the parent poster described. Whether it's railroad robber barons screwing over farmers, Ford selling cars with an unacceptable risk of catching fire, or Google arbitrarily deleting people's entire digital identities, large corporations have always treated their customers as a collection of statistical artifacts (to quote another poster elsewhere in this thread).


That's all semantics. We can't say "Capitalism is when the system does good things, and Corporatism is when it does bad things"; the difference is not meaningful, since Capitalism leads to/is Corporatism.


Disagree. A robust anti-trust environment would alleviate 90% of these issues. What we are in now (in the US) is an environment of corporate political capture, which is not inevitable, as a similar situation was demonstrably reversed in the early 20th century by strong anti-trust legislation and enforcement.

The companies get away with this because they have massive market power, and they have used the wealth generated by that power to capture our political system.


Capitalism also tends toward the mean at the expense of the edge cases.


Can not recommend the podcast series "Rabbit Hole" (2020) from the NYT enough.

https://www.nytimes.com/2020/04/22/podcasts/rabbit-hole-prol...


I was surprised this was only 6 episodes. Felt like it could have been an on-going series.


Why?


The equivalent of a framework in Go is the standard library itself.


It's not considered idiomatic Go to use frameworks; the stdlib provides everything.


What is cheaper? Investing in proper security for years and years without seeing anything, or paying fines to regulators once you get breached?

My guess is it's the latter :/


I think this is a meme, the idea that someone is always going to decide to pay X million in fines instead of paying for security.

The problem, surely, is that there is no "right answer" to what you need for security, no 100%, things that were worth it last year are no longer effective and on top of all of that, you have human beings working for you who make mistakes?

There is also the very real issue, hardly talked about, about rolling security into legacy applications/infrastructure. People talk like someone can just click their fingers and get 2FA/Webauthn/FIDO/Yubikey when most applications probably haven't been updated since 5 years ago and cost $1M per release in risk. Not saying it's good but that's how it is.


The problem is that they do not take any responsibility for the negligence and breach of contract - they were obligated to keep my data secure, they didn't, I might get defrauded now and they will never compensate me or anyone else.


> might get defrauded now and they will never compensate me or anyone else

If you're defrauded because of a leak, you have a claim for compensation. The problem is we have scant evidence these leaks cause consumer damages. There is the attribution problem–tying an instance of fraud to a particular breach is hard. But it's not so hard that we'd expect to see virtually zero cases.

What's more likely is having a list of credit card or even social security numbers is less useful than it might seem. To the degree fraud exists, consumers are largely indemnified, e.g. by card issuers.


I think you are, to some extent, making the cost look smaller than it is. Let's assume that someone gets enough of your info to take a loan out in your name. You can _probably_ (but not definitely) get that loan invalidated. However, to get back where you started, you may need to

- Convince the loaner that it was not you, which could cost many hours on the phone

- Get the credit impacts removed from your credit report, which could take many hours on the phone and web sites

- Retain a lawyer for dealing with the loaner

- Pay for any externalities in the process (mailing things registered, etc)

The above things can add up to days or even weeks of real, physical time; time which should be valued at no less than whatever you actually earn per hour. Plus the money for the lawyer.

And then, on top of that, it's widely considered that going through that process, where nearly everyone involved is incentivized to treat you as a lying thief and/or ignore you, can be fairly traumatic.

The cost is tremendous, and the emotional impacts can last for a long time.


This happened to my friend: someone took out a loan in his name, and there were data breaches at over 4 companies with his data. Good luck proving which one is to blame.


Isn't security pretty cheap if you want to have it from the start? Albeit you cannot include other companies' code and APIs to add features really fast, long term the maintenance cost should be comparable.


Not really, security makes everything harder. I have worked on classified projects which I think are a good benchmark for continuous security and it is definitely expensive, and it was on the lowest levels of classification.

Costs come from everywhere: from the time it takes to transfer a simple file when USB ports are blocked and internet access is very limited; regular audits; limited privileges, and you can only run approved programs; keeping software up to date while having to actually read the change logs (no automatic updates); physical security (alarms, safes, access control, etc.). Also, you can't work from home.

Your company may do security differently, but there is always a cost. You may not notice a big "security" line in the budget, but that's because the costs are everywhere, because everything can be a target. And unlike correctness, security is a moving target. For example, if the code you wrote for a specific task does the task correctly, as long as the task doesn't change, it will work forever (hence: "if it ain't broke, don't fix it"). But things that were once secure may stop being secure as new attacks are found, even if nothing changes on your side.


It's cheap if you build it in from the ground up, and a well-thought-out security program shouldn't impact development velocity at all.

Retrofitting security later tends to be painful, expensive, and cause conflict.

In software companies, security teams should enable the developers as opposed to being a hindrance.

Secure code is code that tends to be better written, better documented, more performant, and pass tests. All of which are good things.

I'm always amazed at how many YC/VC-backed software startups seem to have no place in their team or board for security, which makes it a massive cost center later on when they try to retrofit it.


> Isn't security pretty cheap if you want to have it from the start

Without trying to sound condescending (because it really is a complicated topic), this seems like a viewpoint that could _only_ be held by someone who has never had to actually deal with it.

> Albeit you cannot include other companies code and APIs

That, alone, is a huge commitment.


The goalposts move. Up front requirements are cheaper to build.


Which is why we need to increase liability for these corporations. Make it expensive for them to not care. Security breaches are often caused by gross negligence.


Cool. Now build bus stops, so I don't need one.


Well, an extension can also just send your session tokens home. In the end it's software running on your computer, but people unfortunately often underestimate the power of add-ons (read the permissions screen, folks!). Mozilla requires a manual code review before allowing add-ons into the store because of this afaik.

In my example there was direct user interaction (clicking a context menu) but the service worker (background script) has no API to interact with the clipboard at all.

I guess my point is not that it's an easy thing to fix, but the fact that it looks like nobody at Google has thought about this before forcing everybody to migrate is concerning.


> Well an extension can also just send your session tokens home

Only if I give it access to the browsing origin in question, which Chrome has done a lot of work to limit and crack down on recently

> Mozilla requires a manual code review before allowing add-ons into the store because of this afaik.

This is unfortunately not actually true. They tried it for a while, but scrapped the idea after the review backlog got too unmanageable. Now all of the addons just say "This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing."

> In my example there was direct user interaction (clicking a context menu) but the service worker (background script) has no API to interact with the clipboard at all.

That makes sense—the limitation is just that nobody has built out the clipboard API in a way that it can register a context menu item as a transient activation and therefore allow access to the clipboard. This does sound like ultimately something that's possible to fix with the right plumbing, it just requires someone to take a look at it and hook up the right security plumbing.
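
As an added illustration of the "only if I give it access to the browsing origin" point (example code, not from anyone in this thread): a small audit over a Chrome MV3 manifest that flags the grants letting an extension reach a site's session material. The permission names and match patterns are real Chrome ones; the severity grading is my own heuristic and the two sample manifests are constructed for the demo.

```javascript
// Added example (not from the thread): defender-side audit of a Chrome MV3 extension
// manifest, flagging grants that let an extension reach a site's session material.
// Match patterns that grant host access to every origin (real Chrome syntax).
const BROAD_HOST_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Real MV3 permission names whose misuse reaches other sites' data. The first
// three only bite when combined with host access, so they are graded by it.
const NEEDS_HOST_ACCESS = new Set(['cookies', 'scripting', 'webRequest']);
const SENSITIVE_PERMISSIONS = {
  cookies: 'reads cookies, HttpOnly included, for every origin it has host access to',
  scripting: 'injects scripts into permitted origins (DOM, localStorage, document.cookie)',
  webRequest: 'observes request and response headers on permitted origins',
  debugger: 'attaches the DevTools protocol to tabs',
  nativeMessaging: 'talks to a native host process outside the browser sandbox',
  clipboardRead: 'reads the clipboard from extension pages and content scripts',
};

// Returns a list of {severity, item, why} findings; an empty list means nothing stood out.
function auditManifest(manifest) {
  const findings = [];
  // MV3 moved host access to host_permissions; MV2-style host entries in permissions still count.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter((p) => p.includes('://') || p === '<all_urls>'),
  ];
  const broadHosts = hosts.filter((h) => BROAD_HOST_PATTERNS.has(h));
  if (broadHosts.length) {
    findings.push({ severity: 'high', item: broadHosts.join(', '), why: 'host access to every origin' });
  }
  for (const p of manifest.permissions || []) {
    if (!(p in SENSITIVE_PERMISSIONS)) continue;
    let severity = 'medium';
    if (NEEDS_HOST_ACCESS.has(p)) {
      // With no host grants the API reaches nothing, or only the active tab via activeTab on a user gesture.
      severity = hosts.length === 0 ? 'low' : broadHosts.length ? 'high' : 'medium';
    }
    findings.push({ severity, item: p, why: SENSITIVE_PERMISSIONS[p] });
  }
  // A content script declared on every site is equivalent to broad host access.
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => BROAD_HOST_PATTERNS.has(m));
    if (broad.length) findings.push({ severity: 'high', item: `content_scripts ${broad.join(', ')}`, why: 'runs in every page' });
  }
  return findings;
}

// Constructed samples: a grab-everything manifest, and the least-privilege shape
// of the context-menu use case discussed above (activeTab plus one origin).
const SAMPLE_RISKY_MANIFEST = { manifest_version: 3, permissions: ['cookies', 'storage', 'scripting'], host_permissions: ['<all_urls>'] };
const SAMPLE_MINIMAL_MANIFEST = { manifest_version: 3, permissions: ['activeTab', 'contextMenus', 'storage'], host_permissions: ['https://example.com/*'] };
```

Run it against the two samples: the first yields three high findings, the second none, which is the shape a store reviewer or an installing user would want the permissions screen to make obvious.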


My use case: A background script, sorry, Service Worker registers a Context Menu Entry. When the user clicks on it, it fetches some stuff and copies a link to the clipboard.

Using MV3 as it is, this is not possible.

As someone in the thread said, it is not really feasible to try to find all ways that user interaction can trigger code that requires clipboard access. If that is the route Google want to go down it will take years of people reporting new ways the system does not work until it is usable imo.


"User interaction to perform an action" I'm pretty sure is a part of the HTML/JS spec. For example, browsers on iOS will not let you play a video unless in response to a "user action".

