Posts by david_chisnall@infosec.exchange
(DIR) Post #B6WF5KiPOGzPZCNEMC by david_chisnall@infosec.exchange
2026-05-21T09:55:50Z
0 likes, 0 repeats
@whitequark The next financial crash happens when it overflows a uint16_t and resets to 0.
(DIR) Post #B6WV0G8eZsPrBuFgvY by david_chisnall@infosec.exchange
2026-05-21T13:43:40Z
0 likes, 0 repeats
@futurebird then I remember “Hemiptera” Impressed that you got there before 'helicopter'.
(DIR) Post #B6WbnfSBqRFXcRKiDQ by david_chisnall@infosec.exchange
2026-05-20T08:37:14Z
0 likes, 0 repeats
Imagine being so bad at stuff that using an LLM makes you better.
(DIR) Post #B6YGlseC6vlPEoAs9g by david_chisnall@infosec.exchange
2026-05-22T07:40:33Z
0 likes, 1 repeats
@kasdeya @futurebird I find this one fascinating because it’s explained in ever book about dinosaurs I read and every plaque about one in every museum I visited, as well as being mentioned in school. Yet no one (including me) seems to remember it from there as an adult and the only people who do are ones who either worked it out or relearned it as an adult (again, including me). There seems to be something about that particular derivation that doesn’t stay in people’s head, even if they remember about terrible lizard (dinosaur) and tyrant lizard (tyrannosaurus).Possibly because the most common word we use with pter in it feels like the stem split should be in a different place: heli-copter, not helico (spiral) pter (wing).
(DIR) Post #B6dKBEPLc7grcSoFP6 by david_chisnall@infosec.exchange
2026-05-24T14:11:39Z
0 likes, 0 repeats
At several stages in my career, I’ve been very fortunate to work with smart and experienced people who have been willing to listen to my ideas and tell me what I misunderstood or didn’t take into account and why they won’t work. I’ve learned a huge amount from this kind of interaction.I find it immeasurably depressing to realise that there are large numbers of people out there like young me, who are talking to LLMs instead and being told that they are brilliant and their ideas are amazing. All of these people are missing out on the opportunity to learn and are completely unaware of it.
(DIR) Post #B6eaNez8Q2lTwlSOCe by david_chisnall@infosec.exchange
2026-05-25T11:21:40Z
0 likes, 0 repeats
@futurebird I mean, it wasn't until that big BibleCon in Nicaea that they even agreed which bits were canon! And even then, there are a whole bunch of retcons.
(DIR) Post #B6jQU9rzhOeKkkiyHo by david_chisnall@infosec.exchange
2026-05-27T12:35:46Z
1 likes, 0 repeats
@randahl It's also worth noting that a lot of the times people talk about economic growth in the US, they're talking about the growth of stock prices measured in dollars. A company whose shares were worth $100 in 2022 would be worth $113 today if they hadn't grown at all and were traded in Euros. I read a number of breathless headlines talking about amazing growth of US stocks, which were simply tracking the fact that these stocks were not losing real-terms value.
(DIR) Post #B6p6FjaZmWjH3UBJia by david_chisnall@infosec.exchange
2026-05-30T13:05:54Z
0 likes, 0 repeats
@futurebird @billiglarper I’ve been wondering for a little while if motorised wheely bins could be a real thing. Once a week, a truck blocks the road and slowly empties them all. But what if each one had motorised wheels, a battery, and a little bit of electronics, so once a week at, say 2am, they could all take drive themselves to a centralised collecting area. The batteries could be swapped out if needed and recharged, and then they’d be sent home.It doesn’t matter if it takes them an hour or so to get there and in smallish convoys they’d be easy to spot and overtake. If they go at a bit over walking speed, they’re no danger to people crossing the road, and at 2am they don’t need to avoid too much traffic. If you don’t want people to have to empty them overnight, just send out a clean replacement rather than sending it back: people don’t need to have the same bin every week and it’s fine to send the ones from Monday’ collection area back to Tuesday’s area the next night after they’ve been emptied, charged, and cleaned.Probably wouldn’t work somewhere as dense as NYC, since they’d need to be able to reach the road, but might even work there if you let them out in the evening and they trundle away as soon as traffic density drops low enough.
(DIR) Post #B6qtjDbaLnrtSWInfU by david_chisnall@infosec.exchange
2026-05-31T09:54:59Z
0 likes, 0 repeats
@futurebird Funding schools out of property taxes is an astonishingly bad idea. It guarantees that your education outcome, which strongly correlates with earning potential, is tied to your parents’ wealth. If I had to design a policy to impede social mobility, this would probably be my first choice. The people rich enough to live wherever they want should be funding the schools for the people who can’t do that.
(DIR) Post #B6qwAyKYvzum6PhYvo by david_chisnall@infosec.exchange
2026-05-31T10:22:25Z
0 likes, 0 repeats
@futurebird Though the point Bezoz was raising was more of a general "but we all HATE taxes" right sort of point. There's a group in the UK called Patriotic Millionaires that is pushing back on this idea and explicitly asking for higher tax rates for the most wealthy because they understand that the reason that they want to live in the UK is that it has a functioning society (still, mostly, despite Thatcher and her successors' sterling efforts to destroy it) and that requires investment to maintain. It also helps push back on the 'rich people will leave if you put up their taxes' narrative: they are rich people explicitly saying that they want to stay and be taxed more.
(DIR) Post #B6rNLMFRYvUFwIU4kS by david_chisnall@infosec.exchange
2026-05-31T10:41:08Z
0 likes, 0 repeats
What do people use for calling US toll-free numbers these days? I used to use Skype, but it shut down a little while ago.I need to update my W8-BEN on Morgan Stanley and their upload thing is broken. They have only phone contact.
(DIR) Post #B6sjxxGkl8Z9ubrliq by david_chisnall@infosec.exchange
2026-06-01T07:14:39Z
0 likes, 0 repeats
@foone Even if you care about the cutting edge, it’s a silly argument. When has being a late adopter ever been a serious obstacle in computing? About the only thing I can think of is that it turns out learning to touch type as a child was useful.I learned HTML and JavaScript in the mid ‘90s and PHP in the early 2000s. There are a lot of web developers who weren’t even born then who are much better at web development than me because the technology has changed hugely since then and the approaches I learned have been superseded. I learned multithreaded programming before SMP was something you saw outside of high-end workstations and no one does it the same way anymore (except on microcontrollers: some of the stuff I learned back then is useful now I maintain an RTOS, but even there were adopting techniques that hadn’t been invented when I wrote my first multithreaded program). I learned socket programming when needing to have code that worked over IP and IPX was important. Some of that is useful in an IPv4 / v6 world, but I wouldn’t write low-level code like that for most use cases now, I’d write something on a higher-level protocol unless I had very specific requirements.Object-oriented programming reached peak fashionability while I was a teenager, functional programming around the time I finished my PhD. People who learned Lisp in the ‘70s are not (aside from having 40+ years more experience in general) at a big advantage relative to people who graduated in the 2010s and learned a more nuanced view of where the ideas from OOP and FP are useful.What about tooling? Interactive debuggers, syntax highlighting, inline error reporting, semantic autocomplete, inline documentation, and a few other things have become ubiquitous since I started programming. I picked up some of these things early, some late. The point at which I started using them made little difference.I’ve seen several frameworks and coding styles jump from nowhere to ‘everything must be like this, it’s such a massive improvement that nothing else will be able to compete’ to ‘oh, I remember that thing!’. A few have stuck around, but the people who adopted those slowly are in a better position than people who jumped on the wrong one quickly.Business people talk about a first-mover advantage but it’s quite rare to be able to turn that into something that’s a big commercial advantage. Most first movers die, a few are massively successful. That gives a big survival bias to people looking at the results. But this isn’t true of technology-related skills. It’s generally easier to learn a mature technology than a cutting-edge one and those skills tend to be more durable.
(DIR) Post #B6toK1DdLhODVW8wjI by david_chisnall@infosec.exchange
2026-06-01T07:30:38Z
0 likes, 1 repeats
Remember kids, if you’re not writing your web apps in VBScript and ActiveX then you’re going to be left behind!
(DIR) Post #B6xAdd7NRiiZ17qxRQ by david_chisnall@infosec.exchange
2026-06-03T10:29:39Z
0 likes, 0 repeats
@futurebird A couple of days ago, we walked past a tree that had a line of ants going up and down it. They didn't seem to be carrying anything in either direction. What are they doing? Was this just a hundred ants going 'Geoffrey, did you leave a pheromone trail that doesn't lead anywhere again?'? Was there a party at the top of the tree with a strict one-in, one-out policy?
(DIR) Post #B6xZjsL0GnVKoPIkvw by david_chisnall@infosec.exchange
2026-06-03T12:59:10Z
1 likes, 3 repeats
It is okay to release a F/OSS project where the expected set of users is you.It is okay to declare that a F/OSS project that you maintain is feature complete and stop.It is okay to stop writing new code in a F/OSS project and just review patches from other people.It is okay to stop reviewing patches once other people are familiar enough with the codebase to do so.It is okay to admit that a F/OSS project that you created has so much technical debt that people would be better off reimplementing it than depending on it (especially if you write down the lessons that they should learn).It is okay if your F/OSS project doesn't meet the requirements of some potential group of users, as long as no one applies pressure to force them to adopt it.It is okay to tell a company that depends on your F/OSS project that it's unsupported and they can pay developers to contribute if they really need it.It's okay to say 'I created this F/OSS project to meet my personal needs, but someone else made something that meets those needs better and so I'll use theirs instead'.It's okay to say 'I made this F/OSS project as an experiment, and the result was that I learned that this approach is a bad idea'.
(DIR) Post #B6zrhJa2iHOBvSBVUu by david_chisnall@infosec.exchange
2026-06-04T07:15:58Z
0 likes, 0 repeats
One principle I’d like to be enshrined in law:If you create incentives that reward a behaviour, you can (and will) be charged as an accessory in any case where someone is doing something illegal as a result of optimising for that behaviour. An affirmative defence would need to demonstrate that you had safeguards in place to effectively disincentivise that behaviour.For example, if you are running a delivery company and you set targets that mean people are paid more if they drive or park illegally, you are automatically charged as an accessory to however many counts of dangerous driving your drivers are charged with. If you are a city councillor and vote to close all of the public toilets so that there’s nowhere for taxi drivers to relieve themselves, you can be charged as an accessory to a few hundred counts of public urination.
(DIR) Post #B7174XBTzeFxFSBdZY by david_chisnall@infosec.exchange
2026-06-04T12:02:32Z
0 likes, 1 repeats
@hpod16 Periodically people say '[abusive company with unethical business model] could only have originated in the USA, it could never have succeeded in Europe' and it takes me a minute to realise that they somehow meant this as an endorsement of the USA.
(DIR) Post #B71Pghpke4ykSLND4y by david_chisnall@infosec.exchange
2026-06-05T08:39:32Z
3 likes, 3 repeats
Almost 25 years ago, I wrote a blog post with the title ‘jumping ship slowly’ about leaving Windows (XP was awful, it was mind boggling to me that Vista managed to make people nostalgic for XP). My advice remains the same:Don’t try switching OS first. The OS is the most easily replaceable bit in the stack. Switch applications first. Most ‘Linux’ apps are cross platform. They’ll run on Windows, and the few that don’t will run in WSL2. You can switch out apps one at a time, and take the time to get comfortable with the alternatives.Once you’re comfortable not using any Windows-only apps, changing the OS but using all of the same applications is very easy to do. Changing OS and application stack at the same time is an enormous obstacle.I believe this is also why a lot of corporate and government Linux migrations fail: they try to change everything at the same time and that’s too steep a learning curve.
(DIR) Post #B77L0gUrzXF5HO4Zxg by david_chisnall@infosec.exchange
2026-06-08T08:11:52Z
0 likes, 1 repeats
I remain convinced that the reason most MS Office replacements struggle (beyond various anti-competitive behaviours) is that MS Office is really bad at what it does. Word can’t do line breaking properly, makes semantic markup hard, doesn’t keep cross-references in sync automatically, and renders inconsistently between local and online versions. Excel interleaves functions and data in the most error-prone way possible and randomly interprets data as other types. PowerPoint is worse for producing animations than a 1996 edition of Flash. None of these tools are good solutions for the problems that people apply them to. You cannot displace a bad tool with a copy of the bad tool. People have little incentive to switch (until people start chanting ‘sovereignty’ as if it’s a magic spell) because you don’t solve their problems. People who are using the existing tool have a load of work arounds to deal with the fact that the tool is not a good fit for the tasks and any deviation in your behaviour from their current tool will break some of these.You need to offer something that is actually a good solution to their problems. This is what I would build:First, a good vector drawing tool. Take a look at OmniGraffle for what this looks like (maybe a couple of releases ago. I haven’t used the latest one and Omni Group keeps making all of their products worse with each release). This is important because it is a building block for two other key parts.Next, a semantic text editor that tightly integrates with a desktop publishing program (they can be two views in the same program). Word is used in two ways, first to feed into publishing flows (where it’s a bad fit because it doesn’t do semantic markup well) and second as a DTP tool. But it’s a terrible DTP tool. Aldus Pagemaker on Windows 3.11 was better! The absolute minimum you want from a DTP tool is to be able to define to text boxes and have text flow between them. Word can’t even do that. But this is where you build on the vector editor: it defines page layouts and the text is flowed there. Ideally also provide an Access-like form tool, so people can fill in the top-level semantic markup without realising. You want to write a letter? Here’s a template that expects a to and from address, a salutation, a signature, and a message body. Fill in those bits and you get something properly typeset on company letterhead. Add a Flash-style keyframe animation layer that uses the vector-drawing core. Now you have a better presentation tool than anything that exists today. Provide the ability to add notes and export key frames as pages in a PDF, and export to something web based for presenting.The spreadsheet is the most interesting bit. You want something that behaves somewhere between Lotus Improv and Jupyter Notebooks: non-destructive data storage, generated columns, and a language that’s as easy to use as Excel’s calc language, ideally with the ability to plug in other languages for richer things. Rendered tables and graphs feed into the vector tool, where they can be used in the DTP model for print or the animation model for presentation. Provide a rich templating layer here, so companies can build the kind of data-processing that they want and have employees just fill in the data without touching (or being able to easily accidentally modify) the formulae, then have that feed directly into the rendering flow to produce reports.Notice how little this looks like LibreOffice, OnlyOffice, and so on?
(DIR) Post #B79cZ7tYidrZdVY9NA by david_chisnall@infosec.exchange
2026-06-09T10:36:18Z
1 likes, 1 repeats
One of the things that was drummed into my head repeatedly working with the late Ross Anderson was that most security problems are usability problems. It doesn't matter how secure your cryptosysetm is if people send unencrypted messages because they can't understand how to do key exchange. It doesn't matter how secure and fine-grained your sandboxing is if it has a user-prompted privilege elevation mechanism and users are trained to just hit 'approve' every time a dialog pops up.This is why #CHERIoT focused so heavily on building a usable programmer model from the start. Compartments communicate with other compartments by calling functions. Compartments share objects by passing pointers to them. Compartments have a mechanism to expose type-safe opaque types and that's surfaced directly in the source languages. There is no look-aside policy that you have to read to know whether a compartment exercises some right: it's all explicit in the source code. WebAssembly makes it easy to do the same kind of isolation, but not the sharing. A C pointer in WebAssembly is a 32-bit offset into a memory. If you want an object that's shared between two WebAssembly sandboxes, that's a totally different kind of pointer. Early CHERI work tried this and we gave up because the cognitive load and porting effort of having two kinds of pointer was too painful. #cheri