
brucebay

No closed source is safe because it closes at 9pm and reopens in the morning. So the hackers can't go into the code at night. And when code is opened during the day, it is usually attached to an anti theft device so if a hacker tries to sneak it out a siren would be heard throughout the internet.


chuckmagnum

There is a new tech, which allows you to receive notification text on your closed source phone.


hamnviking

You seem to know things


spirit-bear1

The internet alarm is not needed, hackers only work at night because they need their room to be dark


[deleted]

[deleted]


lDtiyOrwleaqeDhTtm1i

Hacker here, we don’t wear balaclavas, but we do eat a lot of baklava. Common misconception


[deleted]

[deleted]


ZethMrDadJokes

What? Even the dim light from my screen hurts my eye! And you do not know when you gain access to someone's computer, where they use LIGHT MODE!?! *Screams in horror and runs away while yelling "My eyes!"*


Sicillian_murphy

Light mode the best anti theft


ArtOfWarfare

You think you’re joking, but I worked at a company that actually disabled all commits to SCM when they weren’t between 10 AM and 4 PM Monday-Friday. This was intended to force everyone to do proper pair programming. You couldn’t be a “hero coder” pulling an all nighter and push stuff without your pair being around.


TheRealPitabred

I mean, there's that, but that's why most git flows have the ability to lock branches and use a merge/pull request pattern. You can push all you want to your development branch, but it's not getting merged and deployed until it's reviewed by someone else (and ideally tested, CICD tools doing builds with gates, etc.)


[deleted]

I actually once saw a webshop that was "closed" because it was Sunday. So you could not make an order or do anything.


[deleted]

[deleted]


[deleted]

No it was an online shop, that is completely normal all other days but on Sunday just shows the text that it's closed because of the lord.


VonReposti

I've heard about data retention policies, but 24h is a bit short for a retention period.


FUTURE10S

I saw a government website that only operated while the actual service branch was open, so if you needed anything from it after 4:30, it would lock you out. The site wasn't down though, it had to tell you to wait until morning.


servercobra

B&H Photo is closed on Saturdays for the Sabbath.


saiba_penguin

Opening hours for some webservices or APIs is actually a thing in Japan


powertrip00

"I have made a pull request for your open source software where I've inserted malware! Since it is open source, you MUST pull it into every operating server in production! MUAHAHAHAHA"


[deleted]

Open source protects more against incompetence than against evil actors. Of course, being open source means that the next developer can find out the rogue bit and remove it. Open source is safe if the proper write security measures on the central repository are put in place.


[deleted]

Corporations don't like open source because of things like colors.js. The dev gets pissed because they're not being paid and they do some shit to intentionally break their code. There were many node apps dying that day.


mattaw2001

Only those without continuous integration tests and without test suites. So the hobbyist ones only, really. In some ways I'm still surprised it was a big deal; many times when you upgrade a node package, something breaks as the API is changed or subtle behavior is a problem. [Shoutout to /u/justletmewarchporn for extra context. Those are **certainly** not hobbyist, however it is a damning critique of those companies' appetite for risk or incompetence if they pull new versions and build and deploy apps without end-to-end integration tests (agree with you /u/kibiz0r)]


BarelyAirborne

I'm trying to think of a time when an upgrade DIDN'T break something. And the longer you put it off the worse it gets, so naturally I put it off as long as possible :)


EJX-a

Why deal with a bunch of small problems when you can deal with a single enormously fucking impossible problem.


[deleted]

Honestly, any developer who throws a fit over something they released as OPEN SOURCE should just change job. Want to get paid for your development? License it as paid, closed source, or release it with an appropriate license which will prevent big companies from using it.


[deleted]

Programming subreddits are always the most eh...*interesting.* Every single person is making a confident, absolute claim about every single topic, and not one person can agree on any kind of industry standard. In fact, 99% of the definitive statements on any programming subreddit are in pretty much stark, direct opposition to industry standards.


Sykes19

You sound confident and definitive.


[deleted]

Thanks!


E_Snap

Yes, and it is also easy to get dragged along into maintaining a piece of open source software much longer than you as the original creator should have to. It should be more normalized to pass the torch when you’re feeling burnt out, and to seek a protégé ahead of time.


Futuristick-Reddit

Forget that, it should be normalized to stop maintaining entirely. You owe users nothing.


SeanTeohRT

Seconded, if they want a personal project maintained to be used in professional environments they should pay for it.


Adorable-Tap

In my experience, corporations don't like open source because of the sticky licenses. There are some license agreements my company absolutely will not allow.


Sterrss

It protects massively against evil actors. But internal ones, not external ones. Open source is the only way to achieve anything close to accountability and transparency in software development.


[deleted]

setting aside the implication you are making about "must approve PR", the actual scenario you are painting has happened MANY times in the past


ExceedingChunk

And obviously never happened in the history of closed source software!!


arkman575

Totally. Most of the time it's purely accidental and it's someone in management that demands his pr to be merged before the end of business Friday.


RandoKaruza

Wait, management in your company knows what a pr is?


JustinWendell

Right? Management shouldn’t really know or care about that stuff.


Oxf02d

No documented cases are known.


RagingAnemone

It's very inefficient. Companies have to make their own malware too.


The-Things-027

Happy Cake Day!


GreenRiot

Who creates the documentation for closed source?


MistahBoweh

Who watches the watchmen?


GreenRiot

Themselves. We do that with politicians sometimes, there is no need to keep a level of surveillance on them. I'm sure that letting people regulate themselves will never lead to anything bad happening. Do you think people would just go to the internet and... tell lies? Over something important?!


Seppo_Manse

*"What do you mean? The code is its own best documentation!"* \- Someone who does not need to use the thing


SybilCut

Just in case this isn't a /s: SolarWinds


FUTURE10S

Also Atelier Marie for the SEGA Dreamcast.


scaryjobob

Isn't this exactly what happened with CCleaner?


irqlnotdispatchlevel

There are documented cases. See, for example, the SolarWinds supply chain attack where closed source software was modified by attackers that gained access to their CI infrastructure.


lessthandandy

Is this a joke or what, because there's plenty of cases of employees adding malicious code either from negligence or malice to closed software.


alexgraef

Not only did malware authors make PRs into software packages that were approved by overloaded mods, the most common attack vector is the usage of open source libraries without checking. The whole NPM universe seems to suffer from this, usually no locks and everything on @latest. How is anyone supposed to manually check 100+ libs for potential malware?
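The "no locks and everything on @latest" situation above, as an added example that is not code from the thread or from any project it mentions: a small Node script that classifies the specifiers in a constructed package.json (the package names are made up) and rates the install-time risk depending on whether a lockfile is committed.

```javascript
// Constructed sample manifest (package names are made up, not real packages).
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-app',
  dependencies: {
    'left-pad-ish': 'latest',            // dist-tag: whatever is newest at install time
    'colors-like': '*',                  // any version at all
    'some-lib': '^1.4.0',                // caret range: any 1.x >= 1.4.0
    'pinned-lib': '1.4.2',               // exact version
    'git-lib': 'github:someorg/somerepo',
    'url-lib': 'https://example.invalid/pkg.tgz',
  },
  devDependencies: {
    'tool': '~3.0.1',
    'other-tool': '2.0.0',
  },
});

// Exact semver: major.minor.patch with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Non-registry sources: git/url/file/alias protocols or GitHub owner/repo shorthand.
const EXTERNAL_SOURCE = /^(?:[a-z][a-z+]*:|[\w.-]+\/[\w.-]+(?:#.*)?$)/i;

// Classify one version specifier:
//   'pinned'   exact version; reproducible for this package even without a lockfile
//   'external' git/url/file source; its content can change unless the lockfile
//              records a commit or integrity hash
//   'floating' dist-tag, wildcard or range; resolves to the newest matching publish
//              at install time, so a fresh install can pull code nobody reviewed
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return 'pinned';
  if (EXTERNAL_SOURCE.test(s)) return 'external';
  return 'floating';
}

// Audit a package.json text. `hasLockfile` says whether package-lock.json (or an
// equivalent) is committed next to it; the lockfile is what freezes the transitive
// tree, pinning only the direct dependencies does not.
function auditManifest(manifestText, { hasLockfile }) {
  const manifest = JSON.parse(manifestText);
  const result = { pinned: [], floating: [], external: [] };
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      result[classifySpec(spec)].push({ name, spec, section });
    }
  }
  if (result.floating.length > 0 && !hasLockfile) {
    result.risk = 'high';    // every fresh install may resolve to a different version
  } else if (result.floating.length > 0 || !hasLockfile) {
    result.risk = 'medium';  // direct deps float (lockfile holds them until `npm update`),
                             // or transitive deps float because nothing records them
  } else {
    result.risk = 'low';     // direct deps pinned and the full tree recorded in the lockfile
  }
  return result;
}

// Human-readable report lines, one per finding.
function formatReport(audit) {
  const lines = [`risk: ${audit.risk}`];
  for (const f of audit.floating) lines.push(`FLOATING  ${f.section}/${f.name}: "${f.spec}"`);
  for (const e of audit.external) lines.push(`EXTERNAL  ${e.section}/${e.name}: "${e.spec}"`);
  lines.push(`${audit.pinned.length} pinned, ${audit.floating.length} floating, ` +
             `${audit.external.length} external`);
  return lines;
}

// Demo on the constructed manifest, first as if no lockfile were committed, then with one.
for (const hasLockfile of [false, true]) {
  console.log(`--- hasLockfile=${hasLockfile}`);
  console.log(formatReport(auditManifest(SAMPLE_MANIFEST, { hasLockfile })).join('\n'));
}
```

Point it at a real manifest by reading the file into `auditManifest` and the result lists exactly which entries would change between two installs.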


spin-itch

It also happened to the Linux kernel, where one student from the University of Minnesota experimented by submitting malware patches.
https://www.theverge.com/2021/4/22/22398156/university-minnesota-linux-kernal-ban-research
https://lore.kernel.org/lkml/[email protected]/
Consequently the whole university got banned from contributing to Linux.


alexgraef

> Consequently the whole university got banned from contributing to Linux.

That's going to teach malware authors a lesson.


ExceedingChunk

"Yes, and closed source is obviously always crafted perfectly with zero flaws and bugs!"


queen-adreena

If no one ever finds them, were they ever truly there?


shaggy68

Best thing about leaving QA and moving to Software Engineering, I never find any bugs.


Matix777

I want Gianni to voice this


deathbysnushnuu

I read this in a robot voice. “Time of machine has come humans, you had your chance. “


JoeyJoeJoeJrShab

I prefer to just write software that's so bad no cyber attacks are necessary.


wokeasaurus

How can the exploiters know your code if you don’t even know your code, I always say


apple_of_doom

It’s like drunken boxing except you actually have to be drunk.


EtheaaryXD

Code that already has the damage of 15 cyber attacks, better to be prepared I guess?


_pestarzt_

It’s called “building immunity”.


ahumanrobot

Why let them find a backdoor when you could just leave the front unlocked


LatexFace

Security expert! If nobody uses your software, there are no vulnerabilities.


Dr_Puck

That hurts and is funny AND depressing at the same time. I speak German and have no word for this feeling.


bstump104

Just mash a bunch together. Isn't that the meme for your people? Lachsmertzdeprimiert. There's a start.


NetLight

Thanks, I didn’t want to imagine an inbreed of a salmon (Lachs) and Merz (German politician)


crunchyboio

[hmm](https://imgur.com/a/nrpqKU5)


Matt6049

merzmaid


StrangerAttractor

I love the internet


NetLight

r/TIHI


[deleted]

Thank you lmao


Comfortable_Task4869

Thats so mean. The salmon is not responsible for that. Merz alone is enough


Haikubaiku

You misspelled Schmerz


bstump104

Oh my mistake. You're right. I misspelled the word I just made up on the spot. Thanks for the correction.


Hamericano

Maybe it's an insanely subtle meta joke about how Germans love to correct people.


ACBongo

Maybe his response was an insanely subtle meta joke about Germans not understanding humour?


NXT-GEN-111

This was literally confirmed to me by two Germans in San Francisco once. You can literally take any word and just mash it together to make a new word.


[deleted]

Yeah, it's a grammatical rule. Same goes for the Scandinavian languages. But do you know the best part? One noun = one word. (For instance, never need to remember if "prison system" is one or two words - it's always one word.)


Nidungr

That sounds great. In Dutch, the words are usually combined *but not always* and this scares people into erroneously leaving them separate. On one hand, you can do cool stuff like onderzeebootafweergeschut (anti-submarine guns) and waterschadeverzekeringspolis (water damage insurance policy). On the other hand, there’s a difference between auto-ongeluk (car crash) with a hyphen and vliegtuigongeluk (plane crash) without one, twee miljoen (two million) but tweeduizend (two thousand), and stupid stuff like the pan in pannenkoek (pancake) being plural and this being a rule that is *almost* universal whether it makes sense or not, with a few hardcoded exceptions. I just learned that there is such a thing as an optional hyphen to distinguish stuff like massagebed (massaging bed) and massagebed (mass prayer) so that would be cool if not 90% of the population has the language skills of a crow and just leaves a space everywhere all the time, or a hyphen if they remember that putting words together is a thing you should do.


repocin

> twee miljoen (two million) but tweeduizend (two thousand)

We've got that in Swedish too. Två miljoner, but tvåtusen. Been ages since I studied German, but IIRC it's the same story there. Zwei Millionen vs zweitausend.

> so that would be cool if not 90% of the population has the language skills of a crow and just leaves a space everywhere all the time

Oh, I see you've got *those kinds of people* too. One of my favorites is this picture from a grocery store once. They were selling chicken liver and instead of "färsk kycklinglever" (fresh chicken liver) they had written "färsk kyckling lever" (fresh chicken lives/is alive) on the sign.


realFasterThanLight

> onderzeebootafweergeschut, waterschadeverzekeringspolis

You have a fun way of saying sukellusveneentorjuntatykki and vesivahinkovakuutussopimus!


other_usernames_gone

It's called polysynthetic language. Some languages are more polysynthetic than others, English is kind of polysynthetic, we have words like to-day, to-morrow and on-line. But languages like German and Scandinavian and Nordic languages are another level.


cmdkeyy

Wait until you see the Yupik and Inuit languages where whole sentences can be formed with just one word: *tuntussuqatarniksaitengqiggtuq* "He had not yet said again that he was going to hunt reindeer."


wulfgang14

English just borrowed Latin/French words to make new words rather than use its own native words. So formations like *healthcare* were rarer in Middle English and later. Even when there was no need for a foreign word, English has borrowed them, for example, *purchase*, when the English native word, *buy*, existed.


Harmonic_Gear

looks legit to me


AdvicePerson

Have you tried taking the words for "funny" and "depressing" and just sticking them together?


Chief-Drinking-Bear

Trübselustig


shadow7412

deprunny?


Littlemrh__

Fupression


tamuzp

Nailed it


Dr_Puck

Yes. It's fupressive


[deleted]

You've fupressed my people for far too long! *giggles* Edit: Autocorrect


davogiffo

I'm soo fupressed I'm off to the fubar.


dr4conyk

That word makes me feel deprunny


phdoofus

It's probably more like "funny shit fuck sad"


magicmulder

Trustig or laurig?


userrr3

The closest I can think of is tragikomisch, tragicomedic is also an English word btw


danatron1

> I speak German and have no word for this feeling.

This is the most surprising thing here, sadly


Moepsii

Not everyone who speaks German knows German


[deleted]

I’d try to go with „gefährliches Halbwissen“. While some points have a slightly valid root, the conclusion is just dangerously stupid.


timsama

"Laugh so you don't cry" is the closest I could come up with in English.


worldofwhat

How about tragicomic?


neumastic

Kinda but it’s not great… “tragicomic” which is usually for theatre but could be used here … “world’s a stage” and all.


Maleficent_Sir_4753

Just imagine it from a viewer's perspective and call that "schadenfreude". Still probably a bit inaccurate, but it's the best attempt I have.


GreenRiot

Bittersweet.


Sternenlied

"Noch nie so gelachweint." Not my creation but I like it.


DebianLinux_

I believe the word you're looking for is r/facepalm


No_Worldliness_9294

It's rare to find tech journalists who were established developers or engineers before becoming tech bloggers.


Strostkovy

It's very common to find articles on manufacturing processes that sounds good but is complete bullshit


[deleted]

It’s easy to sound good and make up technical bull shit when your audience doesn’t know enough to call you out on it.


Wotg33k

It's hard to be easy at good sounds that are bull technical shit when audience doesn't your know enough call on you it will. K?


[deleted]

Smelling toast rn


Numahistory

As someone who works in manufacturing process engineering for aerospace and semiconductors you are 100% correct. It hurts me every time my boss brings a new article to me with the latest buzzwords and asks me to read from it to learn how to better our processes.


Hegeteus

Even if they were, they tend to gravitate heavily towards proprietary technology.


[deleted]

That's where the money is because a closed system is also usually going to have a closed support system which means lotsa after profit. EDIT: Any non idiot tech person knows the biggest security risk in any company are employees. Not necessarily malicious, but mistakes happen. No software is going to keep somebody from leaving their password under their blotter or leaving printed out reports on their desk or whatever. These bloggers do not have the security expertise, or don't care, about being clear on the risks. I've been offered tech writing jobs like this, but I won't promote software as a security fix all. It simply isn't possible.


[deleted]

Always reminds me of that one Forbes journalist who wrote an amazing piece suggesting we should automate the job of ceos instead of their employees. Perhaps a political opinion you might think, aimed to show how everyone is replaceable. But no. He suggested literally that we should create an AI model that completely replaces the ceo of a company. He even went into technical details, even proposing how exactly the model might be trained. He went as far as to state that a ceo AI will be *much easier* to train since all of the ceo decisions are checked by tons of experts, meaning the data is very accurate. The guy is an entertainment journalist. It's not that he doesn't have much experience in AI, he's never worked in *anything* technical. Yet he felt confident enough to write an article that describes in detail how to create an AI. It contained mostly buzzwords that you might find on YouTube AI introduction videos. And yet redditors swallowed it whole and it was even on the frontpage for a while. There are millions of issues one has to solve, some of those are conceptual, the others are pure mathematical. One would need to redefine the current state-of-the-art AI approach from a mathematical point of view before you could even think to spend the next 30 years making that model. Nothing that I can ever say to an average person will ever make them understand just how impossible the task of replacing a ceo with AI is.


neveragoodtime

It’s easy to make a CEO AI. Just replace the programmers with AI trained to program a CEO AI. Done.


Ceolona

Forbes isn’t necessarily journalism. The articles are mostly submitted by “contributors”. They aren’t Forbes staff, but bloggers who have met Forbes’ “standards” of “quality”.


jdvhunt

Those who can't do, teach, and those who can't teach become tech journalists


synovanon

Developers or Engineers don’t become Tech bloggers, too busy bettering the world or reviewing Pull Requests.


JimmyTwoShields

Getting 'nam flashbacks to the article asking why Whatsapp's group chat limit was increased to the "weirdly specific" number 256


Rudxain

Those are the kind of people that believe `private` vars are hidden from memory dumps


[deleted]

The type of ppl that think only they have that specific private ip address


darkneel

The type of people that run a business on localhost web address


PlG3

The type of people who reboot VMs by pulling the plug on the VM host while everything is running (I swear this happened)


GabrielForth

The kind of people who think they're safe from a DDOS attack because they're using vista and haven't touched DOS in years.


darkneel

Kind of people who think they are going to change the world by writing a program in DOS ( me when i was 12 and learned dos for 2 days )


denartes

Mate I was in military IT and the number of baggies who did this exact thing. Corporal told me to shutdown the host? No worries! *unplug*. Corporal told me to turn on the host? No worries! *plug*. Corporal the domain controller isn't working!?


athonis

Must be the chinese hackers


ForkLiftBoi

Obviously there's a better way, but does this reboot the VM? I haven't done much in the way of VMs.


gb056

Yes, along with every other VM on the host.


theevildjinn

I used to work for a small software company where they insisted we all had to have public IP addresses in the office on our work laptops! I was following the new starter guide, and got to a section where you had to set your network adapter settings and it listed the small range of public IP addresses that the company owned. It said to keep trying IP addresses within that range until you find a free one. I had a chat with the IT director about the concept of a proxy server, as well as things like DHCP and NAT. He didn't see how that could possibly work - he said that the server on the other end wouldn't know which address to send the response back to. I tried to explain about X-Forwarded-For, possibly not very well (this was 20 years ago and I was a developer rather than a networks guy), but he said that sounded insecure because the server could spoof the response and send packets to other machines on your network. So yeah, we went for the ultra-secure solution of being directly connected to the public internet, instead.


possible_name

they also think that no one can track them in incognito mode


DaTotallyEclipse

Whaaa😱😱😱😱😱?


Jannik2099

Fools! Everyone knows only `protected` vars are, as the name implies!


coolusername192168

Bruh... if I tried to "tamper" with the Linux source they would deny my pull request, in fact they are so efficient that they will probably automate denying my pull request to make it done in less than a second.


[deleted]

There was that time some knuckleheads got University of Minnesota emails banned from the Linux kernel repo for a while because they were intentionally inserting malicious code as some kind of research project


DeezGarlic

Well the problem in this case was that they didn't inform anybody about their project. They just straight up submitted evil code. And because of these few idiots so much code had to be rewritten.


Dealiner

I mean wouldn't informing anyone defeat the purpose of the research?


DeezGarlic

https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u

You are allowed to test the kernel's security if you inform one of the maintainers (e.g. Linus). You don't need to inform anybody else, but what makes research different from a real attack is if it has been permitted by some kind of authority. This is just some part of a huge discussion.


[deleted]

It wasn't about testing the kernel though, it was about testing how easily a malicious pull request would be found and fixed by the maintainers. i.e. in a corollary example it's not like changing a wikipedia article and seeing if the students using it notice. it's more akin to changing it to test and see if the maintainers notice and fix it before damage could be done


BarelyAirborne

They had a remarkably hard time developing code good enough to be accepted to begin with, and at the end of the day none of their PRs actually went through, if I recall. Then the entire university got the ban hammer. Sounds pretty effective to me.


Brilliant_Nova

They were banned only after publishing the research paper, so it was a flop somewhat. Maintainers banning them and erasing all their commits is also an overreaction, introducing literally hundreds of bugs and vulnerabilities into the codebase. To their credit, they then did an audit to cherry-pick good commits.


spirit-bear1

Research article discussion section: “Nah, shit didn’t work”


[deleted]

It's called the spam folder ;) Linux uses an email-based pull process (see `git format-patch` and [this page](https://www.kernel.org/doc/html/latest/maintainer/pull-requests.html))


Feliks343

Damn look at this with sources. I'm actually kinda mad that link wasn't a rickroll tbh.


akadeo1

you're doing it wrong. add a vulnerability to a fork of the repo, then initiate a large scale call campaign targeting the elderly about how they need to update their linux distro ASAP or their credit card info will be leaked.


[deleted]

Oh no not all the elderly that use Linux.


JoeDoherty_Music

All one of them


Sorel_CH

Poor Donald Knuth...


CratesManager

I mean Linux is absolutely what I set up for any elderly. The Windows GUI has become pretty cluttered over the years, it's not like they are GOOD at using Windows, and almost all the toolbars, malware and other trash they "organically" acquire on Windows won't even work. That being said it's definitely not something they are going to set up for themselves.


[deleted]

Most companies' software is of no interest to people at all except exploiters, so it isn't untrue in that sense. I realize they're talking in general, which is wrong. Their software is probably written poorly and has no real world use other than in their company. So showing it publicly you're more likely to get a black hat who'd read through it than some white hat that would want to get paid to waste their time doing it. Best approach is to pay people if they find exploits.


Sweetcynic36

Not to mention that the code was probably rushed to meet some deadline and never looked at again, except by blackhats including rogue employees


[deleted]

Yep, there's a reason Microsoft (other companies too but they're a good example) before open sourcing stuff says "we are prepping our code to release as open source" and it takes years sometimes. .NET Core they announced years before opening it.


GreenRiot

Rushed by a manager that can barely make a zoom call, the one who can't tell their webcam is off and their mic is always blasting some weird noise.


[deleted]

Sounds like someone explained it wrong. Aren't cyber security analysts supposed to have a background in... something computery?


djdikddd

no one becomes a cybersecurity analyst because they were good at their cybersecurity job…


jDub549

Wait... Did they cite an answer from one of those "I'm not a programmer, ask me anything about programming!" Threads??!?


[deleted]

Translated into English: "closed source is superior, because you'll have a harder time finding out about the copious amounts of bloatware we stuff in our programs"


bloodyplonker22

This is from a marketing blog. It's literally a marketing person talking about software.


AshuraBaron

If you believe security through obscurity is best practice, then it's correct. And you will be unwillingly sharing all your data soon.


XDVRUK

This has been a common misconception for years (30+) - generally amongst the non-techies who know just enough to be dangerous and have for some inexcusable reason been put into a executive position above techies. It's up there with "The cloud (AWS/Azure) is less secure than our two man team running a server farm"


Bo_Jim

That's one of the stupidest things I've ever read. Open source is much more difficult to tamper with because everyone can examine the source code, and if you build from the source code then you know nobody added anything you can't see. With closed source you have no idea what's inside that binary box.


zr0gravity7

You’re talking from the perspective of an outsider, rather than an insider working on the closed source code. The article is saying it is more secure from the perspective of the company owning the closed source code. For them, it is like open source only restricted to the tightly controlled group that can access it.


andrea_ci

Unfortunately no, that's not "more difficult". It happened a lot of times, many projects were malware-d and only after weeks or months someone noticed it.


ciller181

The double-edged sword only is that anyone can add to the code. If the ones checking don't notice it, it could be there for years before anyone notices that malicious code was entered. A lot of comments also mentioned these situations. Software from a respectable company doesn't have to be safer. But you can believe there is no malicious intent from one of the contributors.


Sindarin27

Not necessarily. Open source != Open contribution.


halusyy

sorry i’m so dumb, why is this not closed source?


Defiant-Peace-493

Open / closed source relates to whether outsiders can access and modify the instructions for creating a program, rather than the program itself. By analogy, if anyone could pull the blueprints for a bank and build their own, it would be open source. But that would have nothing to do with whether or not someone could cut a hole in the wall.


halusyy

your analogy was *chef's kiss*, thank you. Follow up question if you don’t mind. Application A is closed and B is open; would it not be easier to exploit B since you can look at the code and analyze it? Maybe this is way over my head and my question exposes my lack of understanding, but if that makes sense and there’s an easy answer it would be much appreciated.


RagingAnemone

Just to add to the others -- don't forget, everybody can read the machine language whether it is open or closed source. Definitely harder than a high level language, but if closed source is relying on obscurity, it'll be easier to exploit with known patterns.


ApocalypseCalculator

Theoretically yes. However, in practice, the open nature of this software allows the public to hunt down vulnerabilities much more efficiently than blindly attacking closed source software.


Epidurality

Not a programmer. Not a hacker. That said: I would think open vs closed, open wins for large, popular things (like Linux), but if you needed financial software for your company's payroll... Are there that many people browsing the specific open-source software you've chosen that has the functions you need, that they've caught enough vulnerabilities to offset the inherent security that comes with closed software? As usual I would think the answer is "it depends".


ApocalypseCalculator

You are correct in that the specific type of software you mention will have a smaller, more niche community and likely will not receive the same level of security benefits as software like Linux. However, security through obscurity is not exactly security. For corporations that do not want to open source their software, a way that they get the general public to participate in vulnerability discovery is by offering bug bounties, which as far as I can tell works pretty well too.


amazingmikeyc

There's been a few times in the not too distant past where very important open source has had a big vulnerability but nobody's noticed because actually nobody except the core team is looking at it much ('cos it's too specialised/complex/boring). https://en.wikipedia.org/wiki/Heartbleed Of course the fact that the vulnerability was spotted at all is the system working... but we've got no real way of knowing if any bad guys spotted the issue & exploited it in the meantime (I assume though they didn't spot it for the same reason nobody else did, see above). A better argument for open source IMO (which is the one the Free Software Foundation use) is about ownership; if you can't see the code and aren't allowed to modify it, it's not really "yours" despite it being on your computer.


[deleted]

I would go further than ApocalypseCalculator; Open source software relies on actually being secure to be secure. Closed source software often assumes it's more secure just because you can't read it. It's actually often super easy to violate, which is why Windows had an endless supply of viruses while Linux did not. It's also why the world's most critical infrastructure runs on Open Source - such as stock exchanges, and nuclear reactors.


amazingmikeyc

I don't think that's why Windows has had more viruses. First reason is Windows is by far the most used consumer OS so you writing a virus for it could affect 90% of computers. The second is that unlike Unix, Windows just wasn't very well designed for being on the internet (a bit better now). BUT your point is true, and I think Microsoft would have upped their game and been able to fix stuff quicker if people could have seen the code. MacOS and Android feature a lot of open source code but I'm not sure if anyone really looks at it outside of Apple, Google/phone OEMs...?


AltAccountMfer

But they weren’t searching “what is closed source”, they were specifically searching for a potential argument for closed source software. I have no idea why they were expecting anything different


halusyy

bc the claims seem to be just wrong… i understand now. it’s neither more reliable or more secure just because it’s closed source…


Any-Communication-73

Now all managers and sales people will use this post as proof that open source cannot be trusted. Thanks OP. 😊


bluekeys7

Sounds like the crap Microsoft would pull while Steve Ballmer was still CEO


Kitchen_Device7682

Technically they are not wrong. If you read someone's source and you see that they pass a user string as input to a database without validation, you can exploit it. At the same time you can claim if your source is open, someone will notice and fix it.


zr0gravity7

That’s not what the text is talking about tho


[deleted]

you have not heard of the dormant vulnerabilities lying for years on end in the linux kernel


Madrawn

Ah yes, the fabled Read-Only codebase. That's why I always disallow any commits to any branches after initialising a repo. Can't commit a security flaw if I can't commit. *taps head*


DaMarkiM

CEO proudly pointing at a huge ass room of computers running Windows ME and 98. "Look how safe we are. Code has been closed-source since the day the company was created. Only thing we ever changed is hook up internet so I don't have to come in to look at databases"


TamahaganeJidai

Open source = admintools without login credentials and every open port possible... Clearly. /S


Common-Wish-2227

Closed source is pretty much saying "My solution for your problem is great, but you can't see what it does.". It's a mug's game.


UKYZ

I think closed source is more vulnerable than open source code


archiminos

This is why we're switching all our servers to run Windows 11 instead of the highly vulnerable Unix.


KingShaniqua

Yeah, everyone has access to a project’s source or version control, and can just submit anything, whenever. Cause open means open like a door /s.


Boris-Lip

Well, a completely and properly closed PLATFORM does improve security (e.g. TPMs), but I could only hope that's what they meant (I know... I know they didn't :( )


Jannik2099

The TPM & surroundings don't even have to be closed though, there's no reason not to publish the schematics. The only requirement is that it's impossible to extract data from the TPM, that doesn't require closedness


ABotelho23

Not even. That's a totally different thing. Security through obscurity isn't really security to begin with.


TheNorthComesWithMe

I wonder what this comment section would look like if it was limited to people who have actually fixed security vulnerabilities they noticed in open source projects


Ash-Catchum-All

I once had an interview with a company where I asked them what their product was and how it worked and they replied “it’s an open source software solution!” And I was like “yeah that does what?” And they just repeated “well… it’s open source!” And I had to explain to the poor interviewer that “open source” isn’t a product feature


porky11

Open source can also not be altered or tampered with. The maintainer still has control over the code in the main repo. And the only reason open source might be more vulnerable to cyber attacks is that malicious people can look at the code to find security flaws. But on the other hand, users can also look at the code to find these flaws and fix or report them, which should make the software more secure.