For me, when I use python, it's because I want faster dev time to prove a concept or that I expect others with little to no programming experience to maintain the code in the future. So, I rarely ever use async because I never seem to be in a position where the debugging complexity and how hard it is for others/newbies to read and be familiar with the code is worth the performance improvements.
Like others are saying, if I want it fast and efficient (processing), I'll just use Go. Python isn't like JS in browsers, you don't have to use it, you have to want to use it. And the same goes with its features. Maybe if python tutorials/books and "How do I ____ in python?" search results used async, map, filter, collections, etc., these awesome python features would be more prevalent. But, I can see how mature projects should probably mandate their usage where it makes sense.
There should be more discussion around Canada and Russia's vast unpopulated tundras. They don't need to accept climate refugees, but if they make it arable or industrialize it, it might help the rest of the world cope with climate change effects and enrich those countries.
Russia has geographic proximity to East China as well as Arabia (and not so far from Africa either), a direct border with close to 50% of the world's population. Canada has proximity to Russia as well as aerial proximity to Europe. It's really sad that there is an actual housing crisis in Canada. It is a failure of imagination, ambition and administration. Canada has the capability and resources to be a legitimate economic superpower, similar to the US and China.
Look at Dubai in the desert, they are a mostly immigrant region and they've essentially transformed that hostile desert into an economic cash-cow. Canada is far more desirable for immigration with orders of magnitude more resources like fresh water (the most in the world!!), space and access to trade. The problem I think is that they focus on post-industrial economic development. They want IT and medical workers not factory and construction workers. Develop housing near existing cities instead of building new cities and investing in R&D to make the harsh and cold areas livable. Which is more hostile? An area with excess heat, little fresh water and useless desert sand or an area with lots of cold, lots of fresh water and a diverse soil/mineral ecosystem?
In general, people don't need to go to Mars or another planet. We need to conquer the cold. We literally have Antarctica waiting to be populated if nothing else pans out.
Why are climatologists not more practical I wonder (Honestly asking, not rhetorical)? We all know warning people about the impending collapse of ecosystems doesn't have enough of an effect right? Can't do much about ocean current and acidification of the ocean. But how about artificial seas/lakes in the arctic for fishing? Assuming existing sources of cash-crops fail, what are the alternatives? Where can rice be grown artificially at large scale, or naturally after the world heats up a bit more?
I'm thinking a lot is possible with a nuclear power plant and proximity to enormous amounts of fresh water, wood and building space.
I'm just saying, it looks like the world is past the prevention stage for climate change, but minimizing its impact might be the best way to focus resources and efforts.
I agree with this take, but my view is that it is one step detached from the root cause. The right to property is fundamental and inalienable. A person who can't own things isn't free, they have no claim on liberty.
That said, service providers, corporations and the like should be allowed one remedy: They can refuse future services and business to anyone if that person violates whatever b.s. rule they came up with.
However, the government (any government) has no authority to police post-ownership activity in a manner that deprives the owner of their property rights. In other words, they can say "You can't own an AK-47" or "You can't generate sound over certain dB", but they can't say "You can't shoot your AK-47 on your property, even if it poses no risk of harm to others, but you can own it", and they can't say "You can't use your speaker at maximum volume" (they can police the sound you generate but not the usage of your property, if the speaker passes the legal threshold then the speaker isn't relevant, the sound generated is).
This also applies to free (not commercial) sharing of property (copyright laws are fundamentally invalid).
The problem is, I am talking logic and reason which doesn't translate well into real-world scenarios. In the real world, the guys with the biggest guns make up random rules and pretend it is just and valid.
The reason I'm stating all this, is in the hopes that I can convince anyone who reads this and maybe if enough of us agree, some day democracy might work and laws can change.
The government can prevent ownership of things. It cannot however pass laws that dictate you can come into possession of things and by all reason it is your property, but as a matter of technicality it can't be considered property and is subject to arbitrary usage laws by the government or rules by third-parties.
That said (I promise, my last one!), access to network services is special. If someone made some software where to function it requires some network service, and they came up with random rules on the network service side, then that is also their right, since that service is on their property. The remedy people have for this is to avoid that service. And if that service is the only one of its kind and using it is required, then the government has a natural obligation to protect the public against monopolies.
I had a whole other post/thread that got negative feedback and some interesting discussion about Google, Android and their sideloading policies. If you glean anything from this post of mine, please let it be that I am advocating for solving of the root causes of these problems. It is all too easy to be reactionary and fall into these rage-baiting events. Solving root causes is never easy, but good solutions are often simple. If reasonable minds can have a healthy discourse to find these solutions then many problems are solved, instead of playing whack-a-mole forever.
They have one of the largest Linux user bases out there in Azure. They have their own distro. My favorite Linux memory forensics tool (AVML) is made by them. Sysmon for Linux uses eBPF which makes it a tad-bit more powerful than auditd, etc.
This can trace all processes on the host while strace traces one PID and its descendants. And bpf tracing does not stop processes at each syscall, so they run without slowdowns.
Totally agree with this take. That said, you must account for the size of the codebase and associated attack surfaces and compare that with frequency of a particular bug class consistently popping up on every CVE.
In other words, you shouldn't use vulnerability counts, but you can discern patterns of vulnerability to intuit something about the nature of the codebase.
For example, RCE vulnerabilities on Chrome, especially under V8, while not very common, happen commonly enough to suspect that maybe there is some code quality issue. However, if you look at the sheer size of V8, and how much scrutiny and research it undergoes, it is surprising there aren't even more critical vulns being found all the time. JIT is inherently a risky endeavor.
I think this is to be expected, all tech has societal impact like this. This is just happening over a span of a few years instead of decades and centuries. Failure in government policy making at its peak.
Yes, stunt growth if that growth is immediately harmful to the public. Provide adverse incentives that increase the cost of replacing humans. Less or no government subsidies, incentives or tax breaks if you replace humans with LLMs. Even without replacing humans, tax LLM usage like cigarettes.
In the short term that is. Over time, wind down these artificial costs, so that humans transition to roles that can't be automated by LLMs. Go to school, get training, etc. in other fields. Instead of having millions of unemployed restless people collapsing your society.
But everyone is on the take, they want their short term lobbying money and stock tips so they can take what's theirs and run before the ship sinks. (if I can be a bit over dramatic :) )
Can someone articulate for me why everyone seems to be opposed to this?
You can sideload apps on non-google-certified android builds/installs just fine right? If you're going to publish an app that can literally be installed on billions of devices, is this not a sensible measure? Long overdue even? Why aren't Windows and Linux distros enforcing this as well is my question!
Do you guys understand that people's lives are being ruined by malware? And the most popular way of deploying malware on the most popular platform (Android) is sideloading apps!
This is a similar situation as "Freedom of speech isn't freedom of reach". You can publish any android app you want, that doesn't give you the right to anonymously deploy those apps on everyone's personal tracking devices (phones).
I get a petition to allow alternative attestation and verification authorities. And honestly, I don't think Alphabet has much choice on that given EU and US anti-trust policies. I can't imagine the EU being ok with a US company collecting the IDs of all its developers.
For about a decade now, on Windows, you are required to have an ID-verified code signing certificate to sign drivers for example. And that has dramatically reduced rootkit abuse on the platform. Don't get me wrong, I also don't want to submit my ID to anyone. But this is a very sensible measure, one that will improve security in measurable and significant ways to millions of regular people.
> You can publish any android app you want, that doesn't give you the right to anonymously deploy those apps on everyone's personal tracking devices (phones).
This is about users' freedom to install apps on the devices they own.
> non-google-certified android builds/installs
Those targets are rapidly disappearing. Alternative Android ROMs are dying one by one. Look at how few modern phones are officially supported by LineageOS. And many of those are Pixels which Google is no longer releasing binaries for (making ROM builders' lives harder).
> Do you guys understand that people's lives are being ruined by malware?
Do you have figures to back that up? There are already multiple warnings when sideloading apps.
> For about a decade now, on Windows, you are required to have an ID-verified code signing certificate to sign drivers for example.
I don't have figures to back that up, but I did read some figures on posts regarding this. My comment was based on real-life compromises observed.
Drivers and applications are not the same thing, certainly and no application is the same as other applications. Browsers aren't the same as file managers. To users what matters is impact not category. A person's entire life can be destroyed because of one side-loaded app, much less so with a Windows rootkit (because you don't have phone number/2FA app, etc. on your Windows box).
Users are free to buy devices that let them install any app. Google is responsible for the majority of users who don't care about installing apps from anonymous randos, but care much much more about their livelihoods and well being suffering at the hands of criminals!
> Those targets are rapidly disappearing. Alternative Android ROMs are dying one by one. Look at how few modern phones are officially supported by LineageOS. And many of those are Pixels which Google is no longer releasing binaries for (making ROM builders' lives harder).
Ok, then let's talk about that, I'm all for sticking it to Google for all that b.s., but not for the topic at hand.
I have a lot of third party apps and none of them are by 'anonymous' developers. Presenting the situation as if everyone is exposed to 'anonymous' apps and Google is here to save you is misleading and fear‑mongering.
Then what's the problem here? If they're not anonymous, what do they lose that's so valuable that it is worth endangering the unsuspecting public over?
It really, really sucks to be tricked into installing malware, and I have sympathy for the victims. But this measure will remove so much freedom from a much larger group of people, and therefore it isn't justified.
We just have to educate people better about how to protect themselves online, not resort to paternalistic control regimes which just happens to give one of the largest tech giants the power to also crush anything that it sees as a threat to their business model.
> But this measure will remove so much freedom from a much larger group of people, and therefore it isn't justified.
Maybe that's the disconnect here, because I don't think you/others lack empathy for regular people being victimized. You're incorrect about that figure, the people being actually impacted (not merely compromised but harmed, as in financial loss, job loss, harassment, or worse) is many times more than people who want to sideload apps.
Educating people doesn't work. We've been doing it with phishing for decades now, and it has no impact. In the moment, you're sure it's legitimate, so you won't look for obvious signs of phishiness. They use a lure to establish trust in the context, so your guards are down. Absolutely anyone can fall for deceptive lures. No amount of education changes that. You know what made a difference with phishing? Trust senders, DKIM/SPF validation, url-rewriting with sandbox detonation and global-scale reputation analysis/response (it means as soon as you hit one person, your domain/infra gets burned globally), etc.
It really frustrates me to no end, because it is the exact audience on HN that innovate and create software/apps but the level of ignorance on this subject is atrocious. I know you guys care as much as I do when people get hurt! It's just a case of knowing a lot about one domain and assuming you also know a lot about a related domain I think.
Even if I'm in the minority it still doesn't justify it. I'm sorry, it sucks, but I don't hold this position because I lack knowledge, I hold it because I think giving up freedom to control our own devices is too much, even if it means people will get hurt. I also perfectly understand how cameras in every home will prevent so much domestic abuse and crime, but I am still against it. Not because I don't understand how many people are victim to these things, but because I think the intrusion on ME is too much.
But we're not talking about your devices, so long as you have alternatives. And Apple has this policy already. But unlike Apple, you can use non-google-certified builds just fine and do whatever you want.
Also, how about not using Android or iPhones at all, support a FOSS phone with 100% control over it? This is a private business selling services to the public, taking measures to protect the public. You or anyone else has no entitlement or rights over how they provide that service. The right you have is to not spend your money on that business. Getting a phone that doesn't give you root on it to begin with is submitting to Google's (and vendor's) authority to arbitrarily decide what gets and doesn't get installed on your device.
I AM using GrapheneOS, but its future is also uncertain as Google has gutted AOSP. There aren't really any alternatives, and the problem is that phones are much more than just phones now, they are general purpose computing devices and run many applications that are pretty essential to modern society, such as ticket apps for public transport, government identity apps, payment apps and so on. In my country, Denmark, we are getting mandatory age verification next year, and it looks like it's going to be offered only as an app. These apps are simply not available for non-AOSP Linux phones, and there is little hope that they'll ever be.
Owning a smartphone is becoming less of a choice, and it's becoming harder to own one that respects my freedom. I don't think it is entitlement to demand freedom in an ecosystem that I feel I am forced into.
I say let's fight against smartphone usage being required everywhere. I don't care if the phone is FOSS or not, we still should be allowed to not have a personal tracking device. I am also all for supporting a fork of AOSP. The EU talks big on not depending on US tech companies, it even funds lots of FOSS projects, this should be on top of their list.
The fact that your country is getting age verification, given how democratic and free Denmark is should tell you the prevailing view of the public on the subject matter. Why not focus on what everyone will support - which is being free from tech companies and closed code systems. The 99% of people that do pay for phones, don't think about technology much, they don't even know what sideloading is let alone care about it. You/HN is an extreme minority in that aspect, as are Android devs. And there are definitely more people being adversely impacted by sideloaded malware. Freedom that is not practical is just wishful thinking. Freedom that ignores the harm caused on others is tyranny by any other name.
I am also doing my part on fighting that, but it is an uphill battle. I will not stop fighting, and I am actively trying to bring my point into the public discourse in my country and organize myself in organizations that fight this.
Until we have laws that guarantee that I won't be forced to be a Google customer, I will demand freedom over my device if I am practically prevented from running an alternative OS because I risk getting my access to the rest of society limited. If it means that some people will be more vulnerable to scams in the meantime, that is not my fault, but the fault of politicians who have failed to secure our right to digital autonomy and our right to remain analog. I also think there should be other technical measures that could mitigate these scams that would not be as draconic, but I don't know enough about what scams you have in mind that I can offer concrete alternatives.
I do not think that is tyranny, but I think Google is definitely being a tyrant and misusing their market position.
I think two things can be true. I agree with most of what you said. I think Google is doing the right thing with the right intent, but they shouldn't be the sole arbiter of who can write apps. It should be similar to the PKI/CA ecosystem, or better yet, governments can directly issue permits of some sort and they could be the CAs.
Agreed. What Google is doing is practically inserting themselves as the only CA in this domain. They, a private company, effectively take on the role of policing the digital infrastructure of many countries, but without being a democratically controlled agency. That makes me very very uneasy.
Also a problem, but at least the power is decentralized for now. Also, browsers are not operating systems, and it is easier to switch to another browser if you don't agree with its list of trusted CAs.
All valid points, except no CA can survive when Chrome isn't supporting them. Most users won't switch browsers because one site isn't compatible with Chrome, they're more likely to just use another site. So using that CA costs site owners customers and they in turn will move away from the CA.
My point sort of being, there is a deeper problem where industries self-police. People complain about oligarchies, ruling classes and corporations running America but at the same time they don't push for or support governments regulating things like this. Governments should be the arbiters of which CA is legitimate, just as which appstore and which app developer. If you want to treat patients, sell drugs, build bridges, sell cars, etc., you give your id to the government and validate your credentials. App development as well as all other public safety impacting credential validation should be the same way.
If you're in Europe, your local government does the validation and OSes like Android will respect the CAs of the country they're operating under. Software should obey laws. And if governments can't be trusted, that isn't a software problem but a political one.
Often bank scams rely on sending money to another account (obviously registered with an ID), and then being drained at ATM. The account is going to be registered on a drop or another victim. Sure, it's burned after that, but as long as it's an insignificant cost, scamming is still profitable.
The same situation with malware, bad actors are incentivized to put effort into bypassing this, so dev accounts will be registered on random homeless people, stolen IDs, or just fake IDs. While normal developers will choose to give away IDs.
And as always, it starts with 'protect the children/elderly/vulnerable', then that authoritarian country requires Google to give away info on every developer to operate legally, then it's UK and other 'democracies', then you can't run your code on your device without the government approval.
Yeah, and then we should also maybe install spyware on everybody's phones, so the government can scan our phones for child porn, because people are using phones to share child porn you know, and that is bad you know.
And if we're at it, we should maybe also put cameras and microphones in everybody's houses so we can see what everyone's doing all the time, because many children are being hurt in houses you know.
But don't worry, if you don't want all of this you can just get this degoogled phone just around the corner and it works perfect you know, because everybody is using them and there's a big market for it and it's very easy to use.
I can't tell if your argument is a slippery-slope fallacy or a straw-man argument, has to be one or both.
When you sell physical goods, you have to have a business license right? To a small group of people you know, nobody cares. But to mass market goods or services, you need to give the government your id, and they need to be able to hold you accountable, in the event you decide to break the law and/or harm the public.
I think this is something governments should have enforced long ago. Even linux distros with > N number of users should be required by law to id-verify package publishers. Although, they sort of already verify identity, just not using a formal/official way.
You have the right to free speech, anonymity and privacy. But being able to reach and impact the public is not a right, it is a privilege.
You can speak with a loud microphone in public anonymously, but if you want to arrange a protest, you must give your id for the approval. If you want to start a radio or tv station, you must give up your id for the FCC license, etc. Software isn't special.
Right, we have an online community where we share some cool software that we wrote for each other, and then suddenly we need to show our IDs because of "safety".
You are falling for the trap that all these wannabe dictators are setting up for us: that they are protecting us with all these regulations. Oh sure it protects some people in some ways, but you're not seeing how you're giving away your freedom and putting them in control of your life.
I think it's just that certified Google devices are no longer usable for your much smaller use case, because Google prioritized their much larger customers who suffer from harm. Freedom vs security is not the argument here, because there is no expectation of Freedom when it comes to a private business. If you ask me, software licensing and copyrights should entirely be torn down. If Google is a monopoly and they are forcing this measure, it might qualify for an anti-trust suit by governments. But if they aren't a monopoly (Copperhead, Lineage, etc.) then you should use other options and ditch certified Google devices.
I say all of you should give up and use iPhones like me! :)
So I assume then you would also be completely obedient when the government or companies want instant access to all your data all the time, because of safety you know. Just because there are a few of these stupid rebels, the whole world shouldn't be an unsafer place right? And of course they are not gonna misuse this power, why so suspicious? It's all silly conspiracy theories. Big tech and the government are here to protect us!
People change their tune extremely quickly when you ask them to show you their phone, ask them for the password and let you look through it to make sure you don't have anything bad on it. Every single message, every single app and every single social media. This is the world we are heading towards if we don't take a stand now, except instead of me checking your phone it will be the government and Google.
Not all software is sold as part of a business. Free software is one such example. So this comparison is inappropriate.
>I think this is something governments should have enforced long ago. Even linux distros with > N number of users should be required by law to id-verify package publishers.
There should be massive burdens and surveillance on linux and free software maintainers, because ???. I guess it's just too easy for them, so they should be shoeboxed into a business model for developing software whether they like it or not.
>You have the right to free speech, anonymity and privacy. But being able to reach and impact the public is not a right, it is a privilege.
This is just some nonsense platitude, not unlike the Canadian idea of "freedom of expression". "You have the right to a completely weak and useless form of speech because I say so"
>but if you want to arrange a protest, you must give your id for the approval.
What are you yapping about old man? We have the right to assemble. There is limited radio and TV is regulated only because there is limited bandwidth.
Software is special because it is just information and Information Wants To Be Free.
You are making the argument here that because some old forms of information distribution are regulated due to technical restraints, that all forms of information should be highly regulated.
Software is just information, as I stated earlier. It could be encoded into any information medium, for example a book. So why not regulate software in the same way that books are regulated, which provides strong free speech protections?
I agree, people here have no empathy to less technical users. Peoples' lives being ruined is not a hyperbole. You have people losing their life savings due to pig-butchering scams and such. And people here think their convenience and desire to publish apps anonymously outweighs this?
You are free to publish source code for your app. You are free to publish unsigned .apk and people who want it will find a way to install it. Once an app is installed it's more than a speech: it's a potentially hazardous product. The analogy is how chemists are free to publish formula for any pharmaceutical but are not free to put pharmaceuticals on the market without approval.
That is a totally inappropriate comparison. Knowing the chemical formula for cocaine does not give me access to cocaine. Whereas access to the source code of a program necessarily gives you access to the program.
In one case, it is efficacious to restrict the product without restricting the information. In the other case it is not.
You're still freely publishing any apps you want. You want anonymous speech which isn't the same as free speech. And the benefits of that certainly don't outweigh harm caused against even one innocent person.
"There's many ways to combat crime" - name one effective way to combat sideloading of apps, that is anywhere as effective as id verification of devs?
Here's one: prosecuting the devs that currently spread malware, block (or warn users for) foreign sources that don't cooperate with law enforcement
You don't need an ID to find the person behind an IP address + timestamp. The line physically goes to a subscriber (yes, also with CGNAT: ISPs are required to keep logs for a reason). The police can do that in any country. Google isn't an elected government that I want to sit on that seat of power
Besides, criminals by definition don't care about laws. Photoediting an ID is not particularly hard, but quite illegal. Tackling the source (the person) ought to help more than impacting everyone who uses a specific distribution mechanism
The devs that write malware are typically in a different jurisdiction, and how can you prosecute them if they're anonymous? That's what this measure does!
The moment they use IPs to find devs and prosecute them, every malware dev will just use a VPN or Tor. Or just use a compromised device to route their connection. This is a long running cat and mouse game.
Criminals care about laws if breaking the law is difficult, because laws have consequences. ID verification isn't as simple as "hey, it's an ID, all is good", and now you're on the hook for the much more serious crime of faking IDs and defrauding. It doesn't need to prevent all criminals, it just needs to be a good enough measure that it reduces the amount of abuse significantly.
There is no need to regulate anonymous speech if you uphold the principle of free speech. The only reason why you want to de-anonymize speech is to apply consequences for some forms of speech.
It's less about saving the concept of anonymous development, more about the tightening grip that the big three companies, Apple, Google and Microsoft (they're making their own moves in the same direction) have on home and personal computing. We would be giving up a lot; this would effectively kill any open source computing products from ever becoming viable. Platforms become fiefdoms, they become shit to use because there's no other choice and can never be. Any app that runs counter to the desires of the parent of the platform can be killed and it becomes impossible to build a competitive ecosystem because of the chicken & egg software problem, something which open ecosystems can solve through compatibility layers, but that becomes unviable thanks to DRM and hardware integrity lockouts.
It's a nightmare scenario, our lives locked in to total corporate control. What do we get in return for that? Scammers won't be stopped by this, the key to grifting isn't technology but people. What you're suggesting is trading open platforms and open source and fortifying current marketplace monopolies for a marginal decrease in scams. For a while. Maybe. I suggest that is unbelievably stupid.
Maybe the EU and other parties should fund an open source fork of Android? People who don't want these big companies to control their devices can use that instead.
How does it kill open source products? The only thing required is for the open source contributor who is responsible for publishing the .apk to present their ID.
This gives Google (and inherently, the US government) the power to unilaterally remove any application from every Android phone on the planet. I don't trust them with that capability and neither should anyone else with an ounce of sense.
When I had to do this, I just incremented a register.
    xor rcx, rcx
    loop:
        inc rcx
        cmp rcx, -1
        jne loop
Something like that roughly. Except, I didn't count all the way to -1, just roughly half way through the 64-bit space. It stalls for a couple of minutes.
Now, I wasn't doing this for stressing profilers or anything fancy like that. I was looking into malware delayed execution techniques. Sleep() and other "Dear system, I'm gonna nap for a bit, wake up later" routines have the downside of being api or system service calls, and detecting branching decisions after sleeping is a tell-tale red flag for anti-malware systems.
Sure, you can detect techniques like this as well, but I figured I could insert idempotent instructions in the loop's inner basic block that makes it look like it's crunching data for legitimate reasons instead. It just needs to delay execution long enough to fool sandbox automated analysis. I've thought about delaying/frustrating human analysis too, and I'm sure better minds than mine have thought of better solutions, but making this part of an unpacking routine that relies on the computed value to decrypt malicious code seems to be the obvious thing to do. Which again, I'm sure it's been done, but doing it yourself and figuring out the anti-anti-analysis techniques is fun.