Hacker News: hannob's comments

> $100 a ton is a round number close to estimates of what it costs to capture carbon from an oil refinery or coal burning power plant

That's a wildly optimistic number, and almost certainly too low for the carbon sources you're naming. Equinor estimated over 600 USD for gas burners at an LNG plant, under almost ideal conditions (existing nearby storage site, company with lots of experience): https://industrydecarbonization.com/news/is-carbon-capture-a...


Wouldn't cost vary with efficiency? I expect capturing 1% of output is much cheaper than 99% when per-ton pricing is calculated.

Not really. While both relate to SHA-1, those are two quite different issues.

The Shattered attack was an actual demonstration of a long-known weakness in SHA-1 that allows creating practical collisions.

This one is more an exploration of the question whether a malicious actor can create a standard that looks good, but is actually weak. Those questions got quite a bit of attention in that time due to the Snowden leaks, and the realization that this actually happened at least in one case (Dual EC DRBG, which, technically, was already known before Snowden, but only got major attention afterwards).


HFCs are amongst the most damaging climate gases.

It's a very unfortunate outcome of phasing out CFCs that they have in many instances been replaced by powerful greenhouse gases. HFCs are slowly phased out as well, but there are still a lot of harmful gases out there.


This is irrelevant nitpicking.

For decades to come, we won't have 100% clean energy systems everywhere. Even if you power your AC 100% by solar energy, that solar energy won't be used to displace dirty energy elsewhere. Even if you make absolutely sure you have additional solar energy (I don't know how you'd do that), you still have production emissions for the solar panels.

For the foreseeable future, if you can do X with less energy than before, that's an improvement.


During calm hot sunny days in the summer (so... the ones when you need AC the most), we already have a surplus of solar energy and serious problems (in some places) about what to do with that energy (you have to dump it somewhere).


> you have to dump it somewhere

You don't. Solar panels are more than happy to sit idle. "Excess energy" is an economics problem, not a physics one.


Why sit idle, when they can cool your house by powering the AC?


No reason. It's obviously better to use power than waste it, but it's not a "serious problem" if we don't. It doesn't damage panels. It doesn't stress the grid. It doesn't cause additional emissions.


This is largely historic. I had lengthy discussions about this with expat's maintainer.

expat, the xml library underlying python's etree and other xml interfaces, has either mitigated these standard xml vulnerabilities or disables the dangerous features by default.

The python docs are still a bit confusing there, but if you look at this table: https://docs.python.org/3/library/xml.html#xml-vulnerabiliti...

While this table has a lot of "Vulnerable" in it, they all come with footnotes saying that up-to-date versions of expat are not vulnerable.

So... if you want to have more secure xml parsing in python, make sure you use an up-to-date expat library or one where security fixes have been backported. You don't need anything else.
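The comment above boils down to "check which expat you are actually linked against". The following is an added example, not code from the thread, from Python or from expat: it reads the version of the expat library loaded by the running interpreter, compares it against the minimum versions named in the footnotes of the Python xml docs page linked above (2.4.1 for billion laughs / quadratic blowup, 2.6.0 for the "large tokens" issue), and probes that ElementTree refuses an external entity reference instead of resolving it. The probe document and the placeholder URI in it are constructed; a version below a threshold is a prompt to look for a distribution backport, not proof of exposure.

```python
"""Added example (not from the HN thread, Python or expat): report which expat
the interpreter links against and confirm ElementTree blocks external entities.
Version thresholds are those stated in the footnotes of the Python xml docs."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat  # thin wrapper over pyexpat

# Minimum expat versions named by the Python docs footnotes. Assumption: a
# distribution may have backported the fix, so an older version needs checking
# against the vendor changelog rather than being treated as vulnerable outright.
BILLION_LAUGHS_FIXED = (2, 4, 1)   # billion laughs / quadratic blowup
LARGE_TOKENS_FIXED = (2, 6, 0)     # "large tokens" denial of service


def expat_version() -> tuple:
    """Version triple of the expat library actually loaded by this interpreter."""
    return tuple(expat.version_info)


def expat_status(version=None) -> dict:
    """Map each docs-listed weakness to whether the linked expat is new enough."""
    v = tuple(version) if version is not None else expat_version()
    return {
        "billion_laughs_and_quadratic_blowup": v >= BILLION_LAUGHS_FIXED,
        "large_tokens": v >= LARGE_TOKENS_FIXED,
    }


# Constructed probe document: declares an *external* entity pointing at a
# placeholder URI and references it. ElementTree does not resolve external
# entities, so parsing must fail with "undefined entity" rather than fetch it.
PROBE = (
    '<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///placeholder/does-not-exist">]>'
    '<x>&ext;</x>'
)


def external_entity_is_blocked(doc: str = PROBE) -> bool:
    """True if ElementTree rejects the external entity reference outright."""
    try:
        ET.fromstring(doc)
    except ET.ParseError as err:
        return "undefined entity" in str(err)
    return False  # parsed without error: the reference was silently accepted


if __name__ == "__main__":
    print("expat", ".".join(map(str, expat_version())))
    for weakness, ok in expat_status().items():
        verdict = "fixed by expat version" if ok else "check for a backported fix"
        print(f"  {weakness}: {verdict}")
    print("external entities blocked:", external_entity_is_blocked())
```

Run it inside the same virtualenv or container as the application, since a different interpreter can be linked against a different expat; the version check tells you which footnotes in the docs table apply, and the probe confirms the external-entity behaviour of the parser you actually call.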


I had a quick look into this rule, and I have an entirely different concern. It appears to me Validity is essentially a "pay for good reputation" service. Not sure that aligns with the goals of SpamAssassin...


Author here.

If you want more technical details, we've put up a webpage back then, and published a background paper on those vulns: https://nostarttls.secvuln.info/


You explicitly call out imap and other email protocols. Can this be applied to LDAP?

LDAP (think Active Directory if you are short of imagination, and/or experience).

A lot of connections use STARTTLS on port 389 instead of full-on explicit TLS on port 636. Then there are the other two ports for the "global catalogue", which I think is basically a Win NT-style domain flat list of users and groups, on 3268/tcp and 3269/tcp.

I've always had my suspicions about STARTTLS but it looked quite convincing to a sysadmin and was always encouraged by the sort of people who use terms like: "best practice". I'll start dumping it from now on. This will take a while.


I’m not the writer of the paper, but I do remember STARTTLS being called out as an issue when I was previously working on setting up an ldap directory.


It looks like we bin STARTTLS in favour of TLS to fail safe.

Sad.


NBD[1] is another protocol that uses STARTTLS, although as a protocol it's not commonly exposed on the internet (and in fact encryption is not commonly used either since most people are interested in pure performance). We've tried to mitigate the worst effects by reducing the types of message that are permitted before you upgrade to TLS to the bare minimum.

[1] https://github.com/NetworkBlockDevice/nbd/blob/master/doc/pr...
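The NBD comment above describes one mitigation, namely permitting only a bare minimum of message types before the TLS upgrade. The following is an added example, not code from the NBD project or from the nostarttls paper: a toy server-side state machine for a STARTTLS-style protocol that enforces that pre-TLS allowlist and, as a complementary measure assumed here rather than taken from the thread, discards any bytes the client pipelined in plaintext behind the STARTTLS command instead of interpreting them inside the TLS session. The protocol, its command names and the sample sessions are constructed for this illustration.

```python
"""Added example (not NBD's or the paper's code): a constructed STARTTLS-style
server state machine with a minimal pre-TLS command set."""

# Commands accepted in each state (constructed toy protocol, not NBD's format).
PRE_TLS_ALLOWED = {"CAPA", "STARTTLS", "QUIT"}
POST_TLS_ALLOWED = {"CAPA", "AUTH", "LIST", "QUIT"}


class Session:
    """Server side of one client connection."""

    def __init__(self):
        self.tls = False        # has the TLS upgrade happened?
        self.closed = False
        self.buffer = b""       # bytes received but not yet processed
        self.replies = []       # every reply sent so far, for inspection

    def feed(self, data: bytes) -> list:
        """Deliver bytes from the client; returns the replies this call produced."""
        start = len(self.replies)
        self.buffer += data
        while not self.closed and b"\n" in self.buffer:
            line, _, rest = self.buffer.partition(b"\n")
            self.buffer = rest
            self._handle(line.strip().decode("ascii", "replace"))
        return self.replies[start:]

    def _handle(self, line: str):
        cmd = line.split(" ", 1)[0].upper()
        allowed = POST_TLS_ALLOWED if self.tls else PRE_TLS_ALLOWED
        if cmd not in allowed:
            if not self.tls:
                # The NBD mitigation: before TLS the client can do nothing except
                # discover capabilities, ask for TLS, or leave.
                self.replies.append("ERR negotiate TLS first")
            else:
                self.replies.append(f"ERR unknown command {cmd}")
            return
        if cmd == "STARTTLS":
            self.replies.append("OK begin TLS handshake")
            # Anything the client sent behind STARTTLS arrived in plaintext and
            # must not survive into the TLS session as if it had been protected.
            self.buffer = b""
            self.tls = True     # a real server would now run the handshake
        elif cmd == "QUIT":
            self.replies.append("OK bye")
            self.closed = True
        elif cmd == "CAPA":
            self.replies.append("OK " + " ".join(sorted(allowed)))
        else:  # AUTH / LIST: only reachable inside TLS
            self.replies.append(f"OK {cmd} accepted over TLS")


def pipelined_session() -> list:
    """Client pipelines a post-TLS command in plaintext together with STARTTLS."""
    s = Session()
    out = s.feed(b"STARTTLS\r\nLIST\r\n")
    # LIST was dropped with the plaintext buffer; the client has to resend it.
    out += s.feed(b"LIST\r\n")
    return out


def premature_session() -> list:
    """Client tries to authenticate before upgrading."""
    return Session().feed(b"AUTH user secret\r\n")


if __name__ == "__main__":
    print(pipelined_session())   # ['OK begin TLS handshake', 'OK LIST accepted over TLS']
    print(premature_session())   # ['ERR negotiate TLS first']
```

The two rules pull in the same direction: a short pre-TLS allowlist leaves nothing useful to do in the plaintext phase, and clearing the receive buffer at the upgrade boundary makes sure that whatever a client (or someone in the middle) appended to the STARTTLS command in plaintext is never executed with the trust of the encrypted session.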


I mean, I somehow understand the motivation behind a phone ban. But Fitbits?

I understand there's probably a problem creating a clear separation, but in times where lack of movement and exercise is causing major health problems, we probably shouldn't disincentivize young people using fitness devices.


I'd guess it's because even a small thing like a band can provide some distraction for kids. It's not about whether you can play games on such a device, but about playing with it, touching it, wandering around the interface - that's enough distraction to not focus on the class and the teacher. Bands are perceived as digital rattles here.


I think the assumption that having a Fitbit, or other fitness device increases movement and activity levels in under-18s needs confirmation.

In fact, to be honest I'd not be convinced that it works even in over-18s.


Wearing a tracker doesn't actually increase your fitness.


It will track some things you do to improve fitness. I had a Fitbit (until it crapped out, and I lost faith in the company) and would walk in the mornings, lunchtimes and - if I hadn't got my steps in - I'd walk at night, too. Without a tracker - as I am now - up, work, home: and certainly not as fit as I was when using a tracker.


I like this part:

"4. Does this mean CockroachDB is no longer open source?

CockroachDB will remain source available under a new license. While the new license is a proprietary enterprise license, the source code will still be available for viewing and contributions."

I mean... "The answer is kinda sorta 'No', but we really would prefer not to phrase it like that."


Good on them for not mincing words and being upfront about this.


What you've got now as new standards is already the result of multiple iterations of improvements in key size reductions and performance improvements. But you'll likely not get drop-in replacements for existing public key crypto in post-quantum variations. It appears signatures are even more challenging regarding size than encryption in the post-quantum world.

It may be worth noting that choosing the algorithms that are now chosen, which are primarily lattice-based, is already kinda a compromise. They're not the ones with the highest trust in security, which would've been McEliece and SPHINCS (though the latter has been standardized as a fallback). But those come with key and signature sizes that are entirely impractical for the most common use cases.

It appears most of the crypto community came around to thinking that the somewhat-smaller lattice algos are now "almost certainly secure". But surely there's at least one famous cryptographer raising his voice that he still has concerns.

