Hacker News | q3k's comments

> Attack the argument not the man.

But the man's argument is that since he sees something a given way then it's the truth. What people are doing in return is showing that he can only do so because of who he is.


Everyone's trying to be the new thought leader enlightened technical essayist. So much fluff everywhere.

What's wild is that with a few minutes of manual editing it would give exponential return. For instance, a lead sentence in your section saying "here's why X" that was already described by your subheading is unnecessary and could have been wholly removed.

Exponential return? This is the front page of HN! What do exponential returns even look like?

Are you saying this post is a few edits away from becoming a New York Times bestseller?


No, I guess I meant editing to approach a text that doesn't look rushed over (LLM generation is a subset of such poor writing).

But you're right, it did hit the front page, and that says more about my sensibilities not lining up with whoever is voting the article up.


IME many people aren't very capable of editing their own work effectively. It's why "editor" exists as a profession.

That's pretty presumptive of how obviously the author could improve it. As someone who writes a lot of docs, I find feedback and preferences vary wildly. They may just as well have made it "worse" to your preferences by hand editing it more.

You'd have to have a good idea of how you want the document to read, which is half (or more) of the process of writing it.

The work is mysterious and important.

> 12-stage detection pipeline

What is this recent (clanker-fueled?) obsession to give everything fancy computer-y names with high numbers?

It's not a '12 stage pipeline', it's just an algorithm.


Isn’t it? I mean 12 stage pipeline has a very specific meaning to me in this area, and is not a new way of describing something. The release notes description sounds like a multi stage pipeline.

Do you know this kind of area and are commenting on the code?


"ok chatgpt, what name do i give to this algorithm, so it sounds fancy and advanced?"

You can pick only the parts that you need and aren't now exposed to a supply chain attack. You can also easily adapt the code to your needs, especially as your needs change.

https://www.youtube.com/watch?v=PAAkCSZUG1c&t=568s


Coward.


Sometimes brevity is the heart of wit or whatever the line is.


Yeah, anyone who says 'the government should be run like a company' has likely never worked in a large corporation. It's full of meaningless work, bullshit jobs and red tape.


Don't access it over https then? The link is http.


Works fine on my end. The HTTPS URL gives a 301 permanent redirect to HTTP, and then I ordered some boner pills and put in my social security number to confirm.


Don't modern browsers automatically redirect http to https?


No they don't. I tried Chrome, Firefox, and Safari. None of them attempted to redirect. They just show a "not secure" warning in the URL bar.

The redirect only happens when it's configured on the web server, set in HSTS, or on a TLD that enforces HTTPS. None of these apply to this website.


Apparently it's not on by default, but all of my browsers do and also warn me whenever a site does not support HTTPS (and require me to explicitly click through to the unencrypted connection).


Not unless the site sends the CSP header to tell it to upgrade to https: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

A client side option to force https might still be useful though. But I can imagine at least some enterprise webapp that would die horribly if you tried this.
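The thread above makes three checkable claims: a site can 301 from HTTPS down to HTTP, browsers only force HTTPS when the server redirects or sets HSTS, and a CSP `upgrade-insecure-requests` directive can also trigger the upgrade. The following added example (not from the thread or any project it mentions) evaluates those properties from captured response headers; the hostnames and header blocks are constructed samples.

```python
from urllib.parse import urlparse

# Constructed sample: the situation described in the thread, HTTPS answering
# with a permanent redirect back to plain HTTP (a downgrade).
DOWNGRADE_HTTPS_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://example.invalid/\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Constructed samples: a server that redirects HTTP to HTTPS and, over HTTPS,
# sets HSTS plus a CSP upgrade-insecure-requests directive.
GOOD_HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.invalid/\r\n\r\n"
)
GOOD_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: upgrade-insecure-requests\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def assess(requested_scheme, raw):
    """Return findings for one response that was fetched over requested_scheme."""
    status, headers = parse_response(raw)
    findings = {"downgrade": False, "upgrade_redirect": False,
                "hsts": False, "csp_upgrade": False}
    location = headers.get("location")
    if status in (301, 302, 307, 308) and location:
        target = urlparse(location).scheme
        findings["downgrade"] = requested_scheme == "https" and target == "http"
        findings["upgrade_redirect"] = requested_scheme == "http" and target == "https"
    # Browsers only honour HSTS when it arrives over HTTPS, and max-age=0 clears it.
    max_age = 0
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    findings["hsts"] = requested_scheme == "https" and max_age > 0
    findings["csp_upgrade"] = "upgrade-insecure-requests" in headers.get("content-security-policy", "")
    return findings
```

A `downgrade` finding is the one worth alerting on: it means a client that did ask for TLS was sent back to cleartext, so neither HSTS nor CSP could have protected the session.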


Then use a non-buggy browser...


This makes me want to stop reading 'Show HN' threads.


Why?


Relevant username


Or type confusion bugs, or any other stuff that stems from complex logic having complex bugs.

Boundary checking for array indexing is table stakes.


Table stakes, but people still mess up on it constantly. The "yeah, but that's only a problem if you're an idiot" approach to this kind of thing hasn't served us very well, so it's good to see something actually being done.

Trains shouldn't collide if the driver is correctly observing the signals; that's table stakes too. But rather than exclusively focussing on improving track to reduce derailments, we also install train protection systems that automatically intervene when the driver does miss a signal, because that happens a lot more than a derailment. Even though "pay attention, see red signal? stop!" is conceptually super easy.


I'm not saying it's not important, it is. I just don't believe that '[the] majority of memory bugs are from out of bounds access'. That was maybe true 20 years ago, when an unbounded strcpy to an unprotected return pointer on the stack was super common and exploiting this kind of vulnerability was what most vulndev was.

This brings C one tiny step closer to the state of the art, which is commendable, but I don't believe codebases which start using this will reduce their published vulnerability count significantly. Making use of this requires effort and diligence, and I believe most codebases that can expend such effort already have a pretty good security track record.


The majority of security vulnerabilities in languages like C that aren’t memory safe are due to memory safety issues like UAF, buffer overflows etc etc. I don’t think I’ve seen finer grained research that tries to break it out by class of memory safety issue. The data is something like 80% of reported vulnerabilities in code written in these languages are due to memory safety issues. This doesn’t mean there aren’t other issues. It just means that it’s the cheapest exploit to search for when you are trying to break into a C/C++ service.

And in terms of how easy it is to convert a memory safety issue into an exploit, it’s not meaningfully much harder. The harder pieces are when sandboxing comes into play so that for example exploiting V8 doesn’t give you arbitrary broader access if the compromised process is itself sandboxed.


