Dark_Arc

@Dark_Arc@social.packetloss.gg

Hiker, software engineer (primarily C++, Java, and Python), Minecraft modder, hunter (of the Hunt Showdown variety), biker, adoptive Akronite, and general doer of assorted things.

Dark_Arc ,

Yeah this one is ridiculous. There are some systems that have bounced my password ... literally the one stored in a password manager ... and gaslit me that I "must have forgotten my password."

Dark_Arc ,

Programming is mostly copy&paste

I don't know what y'all are working on but these comments always scare me ...

Dark_Arc ,

Be careful with that one. I'm not sure about your experience level, but a mistake newer (and some more experienced) programmers often make is taking DRY too far.

It's easy to "dry" something up to the point where it's spaghetti that's overly clever about how it reduces lines of code resulting in some crazy inheritance hierarchy even you (the author) are afraid to change a few years down the road.

There are of course other times when someone just copy and pasted e.g. sort logic all over the code base ... but that sort of thing is relatively rare

Dark_Arc ,

I work on compilers (we can't/don't even have access to the C++ standard library in my case)... Most of the time, Google can't help me ⚰️😅

It was definitely a bit more copy and paste when I was working on web applications... But even then, most of the code I was writing was fairly novel / more application and database architecture problems than tying libraries together.

Dark_Arc , (edited )

Never trust the client, especially with information the player shouldn't have right now.

This is a big part of the problem, but it's not the only problem. If you do all of that stuff right, you can't build a responsive first person shooter. There's some level of trust you need to put in the client.

Disclaimer: This is based on my experience playing shooters and as a programmer. I have not worked on anticheat systems hands on.

We see less and less of the "god mode" hacks where players can send the packet for a carpet bomb and the server just blindly trusts it. Or the ludicrous spinbots that spin at an extreme speed and headshot anyone that comes into line of sight.

What we're seeing is increasingly sophisticated cheats that provide "buffs" to a player's ability. An AI enhanced aimbot that when you click gently nudges your hand to "auto correct" the shot and then clicks is borderline impossible to detect server side. It looks just like a player moved the mouse and fired.

The "best" method to prevent these folks from cheating seems to be to detect the system or the game has been tampered with.

Maybe the way to deal with that is to just let it happen and deal with smurfs down ranking... So these "soft" cheaters just exist in the "pro tier" where the pros can possibly stand a chance.

One strategy I have seen that I wish more developers would do is sending "honeypot" information to the game client (like a player on the other side of the wall that isn't really there but an aimbot or a wall hack might incorrectly expose).

Maybe the increasing presence of hardware cheats will result in new strategies that make these things unnecessary. I keep wondering if a TPM could be used to solve this problem someday... But I'm not sure exactly how/we may need faster TPMs.
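
The honeypot idea from the comment above, sketched server-side as an added example (not from the original comment or from any real anti-cheat): the server sends decoy entities that no legitimate client can see, then counts how often each player's shots line up with a decoy's bearing. The event format, field names and thresholds are assumptions, and the sample data is constructed.

```python
import math
from collections import defaultdict

# Assumed thresholds (hypothetical; tune against real telemetry).
LOCK_ANGLE_DEG = 1.5  # a shot this close to a decoy's bearing counts as a lock
MIN_LOCKS = 3         # locks needed before a player is queued for review

def bearing_deg(src, dst):
    """Yaw in degrees from src (x, y) to dst (x, y), in [0, 360)."""
    return math.degrees(math.atan2(dst[1] - src[1], dst[0] - src[0])) % 360.0

def angle_diff(a, b):
    """Smallest absolute difference between two yaw angles, in degrees."""
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def decoy_locks(events, decoys):
    """Count, per player, shots whose yaw points at a decoy that was live."""
    locks = defaultdict(int)
    for ev in events:
        for decoy in decoys:
            # Only decoys that existed at the time of the shot, and that were
            # actually sent to this player's client, can be evidence.
            if not (decoy["t0"] <= ev["t"] <= decoy["t1"]):
                continue
            if ev["player"] not in decoy["sent_to"]:
                continue
            target = bearing_deg(ev["pos"], decoy["pos"])
            if angle_diff(ev["yaw"], target) <= LOCK_ANGLE_DEG:
                locks[ev["player"]] += 1
                break  # one shot counts at most once
    return dict(locks)

def review_queue(events, decoys):
    """Players with enough decoy locks to warrant a closer look.

    A single lock can be coincidence, so this only queues for review;
    it is not a verdict.
    """
    locks = decoy_locks(events, decoys)
    return sorted(p for p, n in locks.items() if n >= MIN_LOCKS)

# Constructed sample data: two decoys placed behind walls, never rendered
# by an unmodified client, and a handful of shot events.
DECOYS = [
    {"id": "A", "pos": (10.0, 0.0), "t0": 0, "t1": 100, "sent_to": {"p1", "p2"}},
    {"id": "B", "pos": (0.0, 10.0), "t0": 100, "t1": 200, "sent_to": {"p1", "p2"}},
]
EVENTS = [
    {"player": "p1", "t": 5, "pos": (0.0, 0.0), "yaw": 0.2},     # on decoy A
    {"player": "p1", "t": 20, "pos": (0.0, 0.0), "yaw": 359.6},  # on A, wraps 360
    {"player": "p1", "t": 120, "pos": (0.0, 0.0), "yaw": 90.5},  # on decoy B
    {"player": "p1", "t": 150, "pos": (0.0, 0.0), "yaw": 0.0},   # A has expired
    {"player": "p2", "t": 10, "pos": (0.0, 0.0), "yaw": 45.0},   # nowhere near
    {"player": "p2", "t": 50, "pos": (0.0, 0.0), "yaw": 1.0},    # one coincidence
    {"player": "p2", "t": 130, "pos": (0.0, 0.0), "yaw": 180.0}, # nowhere near
]

if __name__ == "__main__":
    print(decoy_locks(EVENTS, DECOYS))
    print(review_queue(EVENTS, DECOYS))
```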

Dark_Arc ,

I think a part of it is the difference between losing to something "reasonable" vs "unreasonable."

If you're clearly really bad at the game when we are in a fight with line of sight but somehow you keep picking off my teammates through walls... That's the kind of thing where cheating really starts to get annoying.

You may still be on the same skill level overall, but for specific parts of the game they have super powers, and it just feels ridiculous.

Smurfing is also a real issue because cheaters seem to overlap with trolls that just want everyone else to have a bad time, so they'll spend a bunch of time down ranking, so they can spend a little time giving a lot of players a bad day.

Dark_Arc ,

That's all very fair

Dark_Arc ,

TPM is a joke in my mind

I thought this at first as well, but they have an interesting property.

They have a manufacturer signed private key. If you get the public key from the manufacturer of the TPM, you can actually verify that the TPM as it was designed by the manufacturer performed the work.

That's a really interesting property because for the first time there's a way to verify what hardware is doing over the network via cryptography.

Dark_Arc ,

You don’t necessarily need to detect the cheat itself, you can look at things like players having suddenly higher kill rates and put them into a queue for observation by either more advanced (more expensive) automation to look for cheating or eventually involve a human in the loop.

That's true, if the player suddenly has higher kill rates. However, that doesn't work if they've been using the cheat from the start on that account. A sufficiently advanced AI powered aim bot would also be nearly indistinguishable from a professional player. Kind of similar to how Google created the CAPTCHA that uses mouse movement ... but had to go back to (at least in some cases) the additional old school captcha.

Dark_Arc ,

Hmmm... I was going to say no because it's asymmetric crypto, but you're right if you are somehow able to extract the signed private key, you can still lie... Good point

Dark_Arc ,

I agree with this, but there are ways to make your "source code" not a file that you will modify.

For instance you can have a file that's imported/included for configuration purposes that you yourself don't author... And I think that's okay.

One of my favorite configuration languages for Python projects is actually just Python. It's remarkably nice. It's like having a YAML file you can script.

Dark_Arc ,

Okay, that's pretty cool not going to lie. Granted, I'm not entirely sold on the idea of having a config format that's aimed at generating other config formats.

That feels like (in most cases) a recipe for things getting out of sync between the latest version of the PKL and e.g. the JSON

Dark_Arc ,

I want one even more badly for thunderbird. It feels like such an obvious thing that's just ... missing.

Standard notes: what about don’t put all your eggs in one basket rule?

If the owner of the standard notes will now be a proton, doesn't that contradict this principle? I have a proton email account but I don't want it linked to my standard notes account. I don't strongly trust companies that offer packaged services like google or Microsoft....

Dark_Arc ,

Proton is a greedy company that doesn’t like interoperability and likes to add features designed in a way to keep people locked into their Web UI and applications.

That's nonsense. Proton has built everything around PGP and allows uploading public keys for users not using Proton Mail so that you can message them with Proton's PGP system automatically.

https://proton.me/blog/openpgp-crypto-refresh

There's 0 vendor lock in (in the entire Proton ecosystem) and there's tons of open sourced code.

Dark_Arc ,

By that argument Microsoft could just shut down their IMAP servers tomorrow.

The fact of the matter is, Proton does currently provide tools to get your emails out of their ecosystem, that you can use today. Including a free tool (https://proton.me/support/proton-mail-export-tool) that creates EML files that can be imported elsewhere via Thunderbird.

Dark_Arc , (edited )

Other providers will return garbage to your mail client. The mail client itself must have PGP capability (plenty don't).

The bridge doesn’t even provide everything an IMAP server does

I've yet to find any functionality missing from the bridge's IMAP server that's present in any other IMAP server.

and there isn’t a way to get calendars and contacts.

There's not currently a real time way to get that data, but it's hardly "vendor lockin."

specially on iOS for instance

There's something ironic to me about chewing Proton out for alleged vendor lock in while using iOS / Apple products.

Dark_Arc ,

Q: Can I get the information I put into Proton back out and move to another service without paying Proton any money or extreme hardship?

A: Yes.

Dark_Arc , (edited )

instead of just using an open protocol like XMPP they opted for their closed thing in order to lock people into their apps

That's just not true, you're severely misinformed on this.

Proton took the established practice of PGP encrypted email and put it in a nice package. That's why you can add public keys and just message somebody that's using Thunderbird.

There is no "open protocol for end to end encrypted email", XMPP is not applicable here. There's no "IMAP for PGP" there's just IMAP, so they made a bridge so you can use IMAP even if your mail client doesn't support PGP.

Could they have made an IMAP server that returns the PGP emails and requires your mail client to handle the decryption? Yes. However, that goes against a major selling point of the product which is that it manages all that encryption for you (like a password manager). Nobody in their right mind would use that.

This isn't some matter of privacy Kool-Aid and fanboyism; they did the open interoperable thing. You can even (as an example use case) if you're a new customer that was doing PGP email on your own, upload your own existing PGP key, and use that with Proton if you don't want to change the PGP public key people use to send you email.

Edit: Perhaps you've been confused by some falsehoods coming from Tutanota or confused the two https://proton.me/blog/proton-vs-tuta-encryption

Dark_Arc ,

Because you're paying them so you don't have to do that. Why would you pay them a premium if you're just going to do it yourself anyways?

Also that costs money to develop, maintain, and run. Which takes money/resources away from things most customers care about.

There aren't red flags here, everything is open source, this is all verifiable information. You're just refusing to accept that.

Dark_Arc ,

The phrase Jack of all trades master of none really only applies to people. A company can just hire more people when it has more products.

Google's issue is not that they're "big" it's that they've failed to truly innovate and invest in anything in years. The current leadership kills anything that isn't an instant money maker despite the majority of the company's profitable products taking years to become profitable. They're also in a weird spot because their "magic" was always free services in exchange for advertising money and that's a model that's come under attack and been replicated to death by competitors.

Dark_Arc ,

They can also lobby more effectively for privacy respecting legislation and privacy rights. I don't like lobbying, but so long as it's around, it would be nice to have a big privacy company that's as invested in that as the average privacy enthusiast.

Dark_Arc ,

It's more like encrypted Evernote.

Dark_Arc ,

There was a whole Mythbusters episode where they tried TONS of stuff to get a gas station to go up in flames (they couldn't, not even smoking a cigarette -- under near ideal conditions for an ignition of nearby vapors -- per my recollection).

So yeah, I'm sitting in my car (especially if it's cold outside).

"Static electricity" isn't somehow more of a concern sitting in your car than standing outside one in a fuzzy jacket.

Dark_Arc , (edited )

Hey look... a fuzzy sweater.

I'm still getting in and out of my car. I get in, shut the door, get back out, and close the door. Plenty of metal touched. Sometimes gloves.

Here's another one https://m.youtube.com/watch?v=JMfxPooeybg

Probably 1 in 10 million (and 2/2 videos where they didn't shut the car door)... I'll take that chance.

Edit: also think about it, if this was a real problem with a high enough frequency they'd engineer the fuel handles to prevent it. Heck, maybe they already did (accidentally or intentionally) plenty of them increasingly have a ton of plastic.

Dark_Arc ,

What you're saying doesn't make any sense. If you're engineering something to prevent a spark from a static charge, you engineer it to prevent a spark from a static charge. You don't engineer it to "ground you at first and then fail" if you pick up a static charge for some reason.

EDIT: And there are a lot more ways to become statically charged than getting in and out of a car (which in a lot of cases isn't going to give you a static charge anyways -- e.g. leather seats on cotton clothes is extremely unlikely to generate a static charge).

Dark_Arc ,

It wasn't a little kids game until years later. Also I think it's old enough that the early versions were actually Java 6... I remember updating my code for Java 7.

Dark_Arc ,

It has its own index in addition to aggregating results.

kdenlive , (edited ) to KDE

⚠️ BEWARE ⚠️ Scammers are targeting Kdenlive users

Scammers are still circulating fake emails targeting users and content creators.

Remain vigilant and be cautious of any unsolicited communications claiming to be affiliated with us. We DO NOT send any emails offering promotional opportunities, advertising integrations or any promotional collaboration.

Our communications are done through Mastodon, Twitter and through emails from kde.org and kdenlive.org domains.

@kde

Dark_Arc ,

I've got to give you a down vote for not putting the important information in the title and then using an obnoxious amount of caution signs.

This is up there with "13 things you need to know" in terms of click bait.

Dark_Arc ,

Ah, it's mastodon federation... I missed that, it explains a lot. Honestly I've found that majorly unsatisfactory. It's "neat" that they can talk to each other but the software is just for two fundamentally different social networking softwares.

Dark_Arc ,

Looks like the sway tiling window manager with a custom theme and emacs open to some elisp ... and a couple other programs open (potentially they're also emacs TBH)

Edit: yeah looking closer all the windows are just different emacs functions

Dark_Arc , (edited )

Python also has a statically typed option these days.

Edit: Previously said "strongly" instead of "statically"

Dark_Arc ,

I should have said statically typed, fixed.

Dark_Arc ,

To be fair, if your server is taken over, there's a good chance your other devices have been compromised first/as well, in which case you're already in trouble.

Dark_Arc ,

You can have a server without a public IP; that's totally doable. An internal server that's only accessible from LAN or a VPN is still a server.

Also, the majority of compromises happen because of user error (e.g., someone opens/runs the wrong thing) or an unpatched machine, not because of an exploit in server software/because the machine is always on. This is especially true in the business world where it's often a combination of human error and the network not being segmented/ACLs not being set properly/etc (lots of cases of human error).

It's also not that unusual for someone to keep their e.g., desktop always on or their laptop/mobile device in a low power state where it still has network activity despite being "off."

Dark_Arc ,

Oh Christ, that's not the same thing and you know it.

Dark_Arc ,

You 100% should have to keep your systems up to date. It's a danger to yourself and everyone else when you don't.

Dark_Arc ,

If you want to phrase it as a "personal responsibility" thing, then you should frankly be criminally liable if your system is used for a DDOS attack.

Dark_Arc ,

You think it's funny for your system to take part in an attack potentially costing billions of dollars in damages because you can't be bothered to switch off of Windows because "you don't like what Microsoft installs with their security updates" or "actually install security updates"?

Dark_Arc ,

It looks like the flatpak internally uses snap. Very strange setup:

https://github.com/flathub/com.authy.Authy/blob/master/com.authy.Authy.yaml#L42

It's all on flathub though, it's no secret.

Dark_Arc ,

I mean it's a student project. It literally could be "I think Swift is cool and I like Linux."

And you know... They're not wrong, Swift is a cool language, it's just not got much adoption outside of the Apple ecosystem for whatever reason. It's long been workable on Linux ... I'm happy to see some novel work in this space.

Swift is also interesting because while it's general purpose, UI design was always in mind for Swift. That's different from C or C++ which are the basis of GTK and Qt the predominant UI frameworks used for the Linux desktop currently (Rust might enter that conversation more seriously with Iced and System76's COSMIC).

You're also right that there are options ... but there are also options in the Windows world. Everybody isn't using what Microsoft uses and even Microsoft doesn't use the same UI toolkit everywhere.

Dark_Arc ,

That's not entirely fair either though... They can incorrectly summarize, omit important information, or just make stuff up.

Dark_Arc ,

All I am saying is that it is fine to be critical of LLM and AI claims in general as there is a lot of hype going on. But some people seem to lean towards the "they just suck, period" extreme end of the spectrum. Which is no longer being critical but just being a reverse fanboy/girl/person.

Fair, nuance is an endangered species.

You may be offered a free premium Telegram subscription – but please don’t accept ( archive.is )

Telegram is giving away FREE Premium subscriptions! All they need from you is to use your cell phone as a relay to text out their OTP codes! And the recipient of the OTP sees your phone number! What could POSSIBLY go wrong with this deal?...

Dark_Arc ,

I think this is a bit panicky... am I going to use it? Nah.

But also, my phone number has been leaked by plenty of entities... some random person getting a text from it wouldn't even be that weird considering SMS spoofing. Someone could be using my number for a nasty spam attack right now and I wouldn't know.

Dark_Arc ,

https://redis.com/blog/redis-adopts-dual-source-available-licensing/

This is the announcement.

This is a disappointing outcome but one that I think has been coming for a while. Amazon has profited off of Redis without giving much back for quite a while (at least I recall this being a complaint of the Redis folks, perhaps others have evidence to the contrary).

This is pretty clearly an effort to bring AWS to the table for negotiations.

Dark_Arc ,

There's generally an understanding (the GPL folks think it's naive -- and this makes their case) that if you use open source software you should give back to it.

Dark_Arc ,

It does, AGPL for servers, GPL for applications... If you make changes they have to be made available or you're breaking the law.

Dark_Arc , (edited )

If you use the software without modifying it directly (such as building on top of it, or building something that uses it), then that's allowed.

(IANAL)

Not in the case of AGPL (use over the network and IPC counts as distribution -- presumably proxying the request is insufficient to disable this clause) and even in the case of GPL that's a very problematic position to put yourself on. You're basically talking about invoking a foreign process from your primary process to avoid licensing constraints and that comes with a lot of limitations as to what you can do.

You can modify the GPL program to support more things via IPC but then if that program needs to touch a customer's computer, you have to contribute at the very least those notifications and any related improvements you made to make that possible or any new feature which makes more sense to be in the tool you're calling than your tool building on top.

And last, if you don't modify the software but charge people using it, that's completely allowed.

Yes, but who's paying for that? If it's a server hosting company, they'll pay the hardware rental fee, fair enough. However, you can't reasonably sell that software itself, people will just build it themselves.

Dark_Arc ,

In Rust however you must sign a contract (using unsafe) in order to play with raw pointers. Unsafe is you the programmer promising that you followed the rules. This is like how C++ says it's illegal to write UB and your program will break (and it's your fault) but enforced through a special type of block

Which is what I said, this is about the default.

My issue is not that I don't understand Rust provides static guarantees. My issue is that you raised a comparison between unsafe Rust and C++ code. In that comparison, you're basically saying "writing an entire program in a rust unsafe block would be better than writing an entire program in C++" and I think that is very wrong.

Rust unsafe is not better than normal C++ while following best practices for maintaining memory safety.
