"If only they used DC from the wall socket, all those H100s would be green" is not, I think, the hill you want to die on.
But, yeah, my three 18MW/y racks agree that more power efficiency would be nice, it's just that Rewrite It In (Safe) Rust is unlikely to help with that...
It’s significantly more than that, but it’s also true that we include stuff in other languages where appropriate. CockroachDB is in Go, and illumos is in C, as two examples. But almost all new code we write is in Rust. That is the stuff you’re talking about, but also like, our control plane.
I think it's hard to call it a reason. It is a tool which fits in with the philosophy of the company in terms of how to achieve its goals, but I think it would still exist if Rust didn't. I would describe the goal as making a hyperscaling system that can be sold as a product, the philosophy of how to make this is an aggressive focus on integration, openness, and quality, and that Rust is a language that works well with the last two of those goals.
It's also not really a case of "rewriting in Rust" anyway, it's more just "writing it in Rust" since most of the stuff the Oxide team has built is greenfield work.
Pretty much everything Oxide publishes on GitHub is either in Rust or it's an SDK to a service in Rust. Well, the web panel isn't in Rust, so negative points for that; true evangelists would have used WASM.
But Oxide's reason to exist is to keep the memory of cool racks from Sun running Solaris alive forever.
(And for that matter, Oracle's proprietary Solaris seems better maintained than I ever expected, though in this context I think the open source fork is the relevant thing to look at.)
Sorry, but as someone who is involved with the development of contactless payment terminals, this just isn't a practical attack.
The phase where the relaying is supposed to happen (between the terminal sending its actual challenge and receiving the response) already employs a very short timeout (a millisecond or less, definitely not anywhere near a network round-trip to, well, anywhere).
There is a 'card selection' phase that may take (much) longer, as well as various retries, but the key bits (pun intended) of the exchange are only valid in that very short window.
Also, upwards of 80% of all point-of-sale transactions in some northern-European countries are NFC these days, and if any of this had truly any large-scale applicability, people would definitely have noticed...
In Turkey, when contactless payments became ubiquitous, one concern / urban myth was that people were using actual POS devices in public transport to lift money from wallets in back pockets and stuff. I guess that would work, but that kind of fraud gets shut down pretty fast.
Relaying the thing seems like a workable thing, but the timeout aspect is interesting. I wonder how fast a short direct radio link could operate. Say someone inside an Apple store relays a card from another shopper while the accomplice checks out. In the line of sight of the victim?
That's already hard to achieve reliably (in-store WiFi is right out, but possibly Bluetooth?) but would definitely make the required on-device malware even more complicated...
Also, the underlying processing also takes some time obviously. Hence the 1.5ms timeout. If the cards take 0.5ms on average to respond in real world that leaves even less time to relay.
But I bet in close proximity, sub 1ms would not be a big deal for specialized hardware. Just flood the room with infrared if it gets the job done.
> The phase where the relaying is supposed to happen (between the terminal sending its actual challenge and receiving the response) already employs a very short timeout (a millisecond or less, definitely not anywhere near a network round-trip to, well, anywhere).
Sincere question: is that enforced by some certification process?
Because for anything that isn't strictly audited, I wouldn't assume that your own wise practices are universally applied. In fact, things like timeouts in particular are often treated very informally by engineers and often face pressure from product people for more leniency to improve the happy-path user experience. Until real exploits like this become widely known, people can be really quite sloppy about this stuff.
> Also, upwards of 80% of all point-of-sale transactions in some northern-European countries are NFC these days, and if any of this had truly any large-scale applicability, people would definitely have noticed...
I don't think the article is suggesting this is an epidemic that threatens NFC payments at some large scale, and it highlights the prerequisites for pulling it off. All they seem to be reporting is that it's achievable, inviting to malicious actors, and seems to be happening in the wild.
Yeah, I realized this was a low-quality discussion when I got to the part where the author is basically stumping for security through obscurity as part of the solution.
> To defend against concatenated ZIP files, Perception Point suggests that users and organizations use security solutions that support recursive unpacking
Yeah, or, you know, just outright reject any ZIP file that doesn't start with a file entry, where a forward-scan of the file entries doesn't match the result of the central-directory-based walk.
There is just so much malicious crud coming in via email that you just want to instantly reject anything that doesn't look 'normal', and you definitely don't want to descend into the madness of recursive unpacking, 'cuz that enables another class of well-known attacks.
And no, "but my precious use-case" simply doesn't apply, as you're practically limited to a whole 50MB per attachment anyway. Sure, "this ZIP file is also a PDF is also a PNG is also a NES cartridge which displays its own MD5" (viz https://github.com/angea/pocorgtfo/tree/master/writeups/19) has a place (and should definitely be required study material for anyone writing mail filters!), but business email ain't it.
That's fair, but do realize that sometimes people do have to send around archives from the last century (they got archived for a reason!) or created by eldritch-horror tools that just make weird files (which, sometimes, are the gold masters for certain very important outputs...). And it's kind of annoying when these weird but standard files get silently dropped. Especially when that same file went through just fine yesterday, before the duly zealous security settings changed for whatever reason.
All I'm saying is, don't drop my stuff silently because your code couldn't be arsed to deal with (ugly) standard formats. At least give me a warning ("file of type not scannable" or whatever, the actual words are not so important). And then when I have to yell at the Shanghai people I can yell at them for the correct reasons.
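The two checks proposed above (reject a ZIP that doesn't start with a local file entry, and reject one where a forward scan of the entries disagrees with the central-directory walk), plus the "tell me it's not scannable rather than dropping it silently" point from the reply, as an added example that is not code from either commenter. It uses only the standard library; the sample archives are constructed inline with `zipfile`, and the concatenated case is two complete archives glued back to back, which is exactly the layout the quoted advice is about.

```python
import io
import struct
import zipfile
from typing import List, Optional, Tuple

LOCAL_SIG = b"PK\x03\x04"          # local file header signature
LOCAL_HDR = "<4sHHHHHIIIHH"       # sig, version, flags, method, time, date, crc, csize, usize, nlen, elen (30 bytes)
FLAG_DATA_DESCRIPTOR = 0x0008      # sizes live in a descriptor after the data, not in the header
FLAG_UTF8 = 0x0800


def forward_scan(data: bytes) -> Optional[List[Tuple[str, int]]]:
    """Walk local file headers from offset 0 and return (name, offset) pairs.

    Returns None when the archive cannot be walked this way (header uses a
    data descriptor, so the compressed size is not known up front).
    """
    entries = []
    pos = 0
    while data[pos:pos + 4] == LOCAL_SIG:
        if len(data) < pos + 30:
            return None
        (_, _, flags, _, _, _, _, csize, _, nlen, elen) = struct.unpack(
            LOCAL_HDR, data[pos:pos + 30])
        if flags & FLAG_DATA_DESCRIPTOR:
            return None
        enc = "utf-8" if flags & FLAG_UTF8 else "cp437"
        name = data[pos + 30:pos + 30 + nlen].decode(enc, "replace")
        entries.append((name, pos))
        pos += 30 + nlen + elen + csize
    return entries


def central_walk(data: bytes) -> List[Tuple[str, int]]:
    """What a normal unpacker sees: entries listed by the central directory.

    zipfile resolves the offsets relative to where it found the central
    directory, so for a concatenated file these point into the *second* archive.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, zi.header_offset) for zi in zf.infolist()]


def check_zip(data: bytes) -> Tuple[str, str]:
    """Return ("accept" | "reject" | "warn", reason) for an attachment."""
    if not data.startswith(LOCAL_SIG):
        return ("reject", "does not start with a local file entry")
    forward = forward_scan(data)
    if forward is None:
        # Explicit "not scannable" verdict instead of a silent drop.
        return ("warn", "file of type not scannable: local headers use data descriptors")
    try:
        central = central_walk(data)
    except zipfile.BadZipFile as exc:
        return ("reject", f"central directory unreadable: {exc}")
    if forward != central:
        return ("reject", "forward scan and central-directory walk disagree")
    return ("accept", "ok")


def build_zip(files: dict) -> bytes:
    """Constructed sample archive (seekable buffer, so no data descriptors)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plain archive, two archives concatenated, and an
# archive with a non-ZIP prefix (the polyglot shape from the linked write-ups).
PLAIN = build_zip({"report.txt": b"quarterly numbers\n"})
CONCATENATED = build_zip({"first.txt": b"hello"}) + build_zip({"second.txt": b"world"})
PREFIXED = b"%PDF-1.4\n" + PLAIN

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN), ("concatenated", CONCATENATED), ("prefixed", PREFIXED)]:
        print(label, check_zip(blob))
```

Note that `central_walk(CONCATENATED)` happily lists only `second.txt`, which is the whole point: a scanner that trusts the central directory never sees the first archive, while the forward scan never reaches the second, so the two views disagree and the file is rejected without any recursive unpacking.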
drones may still be a thing, and weren't nearly as hyped as blockchain.
my barometer for penetration is how often the non-tech people talk about it, e.g. goofball uncle didn't buy a drone, but he went hard on BTC. if he's still holding he probably made money recently, too.
Of course it does, your resume is a critical part of selling your skills & services to employers. Want to close faster and for more $$$? Demonstrate your value prop in the terms they know and care about.
However, this is definitely a hack, and I sort-of feel the same about the Zig solution from the article. Would be nice if languages had 'cleaner' support for this?
    module Distinct =
        // Foo and Bar cannot be assigned to each other (single-case unions)
        type Foo = Foo of int
        type Bar = Bar of int

    module Aliases =
        // Foo and Bar can be assigned to each other (both are just abbreviations for int)
        type Foo = int
        type Bar = int
The first variant uses single-case unions. It's a bit unfortunate that they also default to classes over structs unless you annotate them with [<Struct>], partially fixed by escape analysis though.
The enum trick is the tersest and will also serialize correctly in most cases, but I have never seen anyone use it like that before.
When using implicit typing, definitely `var foo = (int Foo)12`. Less sure what the explicit variant should look like, since parsing may be trickier, but `(int Foo) foo = 12` might work?
"Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting"
Also, your back button isn't truly broken, you just need to hold it for a bit and select the last-known-good URL...
Doing real-time OCR on 1280x1024 bitmaps has been possible for... the last decade or so? Sure, you can now do it on 4K or 8K bitmaps, but that's just an incremental improvement.
Fact is, full-screen OCR coupled with innovations like "Google" has not led to "ultimate" productivity improvements, and as impressive as OpenAI et al may appear right now, the impact of these technologies will end up roughly similar.
(Which is to say: the landscape will change, but not in a truly fundamental way. What you're seeing demonstrated right now is, roughly speaking, the next Clippy, which, believe it or not, was hyped to a similar extent around the time it was introduced...)
And, whereas it's nice that Rider is now free for non-commercial use, and it's definitely a capable IDE, Visual Studio remains an equally capable-and-frequently-updated competitor, not doomed by any single "problem" that I can see?
(Source: have been using both Visual Studio and Rider for C# development for over a decade now, and they complement each other quite nicely, while also offering a perfectly acceptable solution on platforms or within organizations that only support one and not the other.)
Depends on your definition of "free", but, yeah. For non-commercial, non-paid use, both VS and Rider are good options, but this submission still breaks site guidelines and is a dupe...
We'll miss Bedbug Bret writing whiny op-eds about how people aren't allowed to be mean to him on Twitter and how those tens of thousands of Iraqi civilians deserved to die
A harrowing piece on the democracy-threatening trend of campus protests? A curious and thoughtful interview with an anti-trans activist? A 3D infographic about tunnels that Israel uses as justification to bomb a school or hospital?
Pravda has been out of print since 1991. So, while I get your sentiment, it's probably good to acknowledge that propaganda has gotten a bit more... subtle in the meantime?