david_chisnall@infosec.exchange

@david_chisnall@infosec.exchange
Posts: 157 · Topics: 35 · Shares: 0 · Groups: 0 · Followers: 0 · Following: 0

Posts

  • Most commuters don’t trust bike storage at stations, putting them off cycling, new survey finds https://road.cc/news/bike-storage-obstacles
    david_chisnall@infosec.exchange

    @afewbugs

    This is a big part of why I don't yet own an eBike. I have a Dutch bike that I got second hand. The frame looks a bit scruffy, there's some rust. The saddle has a hole in it and so I prevent it sticking to me by putting a carrier bag over it. It looks really cheap. I'm quite happy parking it at the station because anyone who is going to steal a bike will have a much better return on investment with dozens of other bikes nearby. And, since it cost about £200 and has had almost ten years of use, if it's stolen then it's a minor nuisance but I've had good value from it even if I don't ever get more.

    But if I got a decent eBike, it's a much more tempting target and a bigger expense if lost. The station is probably one of the safer places here (the bike park is a decent size and usually has a few people in it, so you'd be noticed if you were breaking a lock, though it's not patrolled at all), but leaving it in random places in town would not make me very comfortable.

    Uncategorized biketooter ukbiketooter

  • If you go through Google for 'booter services' or booters (DDoS), almost all of them are Cloudflare customers - you literally use Cloudflare to reach their service to order a DDoS, which businesses then pay Cloudflare to protect against.
    david_chisnall@infosec.exchange

    @GossiTheDog

    Have you talked to the NCA about charging them as accessories? If they are profiting from illegal behaviour and they are aware of this, it should be a pretty clear case.

    Uncategorized

  • My recent post about Linux monoculture being bad for security has now started generating responses from people saying other systems are insecure.
    david_chisnall@infosec.exchange

    @rubenerd

    Mine had someone accuse me of being a Microsoft shill.

    Uncategorized

  • current status: writing a build system in cmake
    david_chisnall@infosec.exchange

    @whitequark

    What happens if we remove all the abstractions? That will make everything simpler!

    Uncategorized

  • Hmm, is biking vs. walking more efficient or less efficient on steep UPHILL?
    david_chisnall@infosec.exchange

    @ai6yr This is per unit time though. The normal rule for cycling is that you get more exercise per unit time and less per unit distance than walking. If you’re cycling uphill at twice the speed of a walking person, it will take less effort to reach the top than walking with those numbers.

    I suspect this depends on the steepness of the hill. I used to live near one of the steepest hills in Swansea and I physically couldn’t cycle up it in a straight line. I managed it once zigzagging diagonally across the road and was much slower than a person walking (every other time, I got off and pushed the bike). But almost all of my route home from the middle of town was uphill of various gradients and cycling back took about half as long as walking.

    Uncategorized energy physics biketooter

  • I'm a little concerned about the general tech attitude towards the Mozilla bug findings.
    david_chisnall@infosec.exchange

    @cR0w For comparison, Chromium averages one vulnerability every 1.5 days. The Linux kernel is similar.

    So, yes, I think this is a problem, but it's far from specific to Firefox. Most programming practices came from a time when most software never operated on untrusted data. People are still taught to program as if that were true today.

    Uncategorized

  • I'm a little concerned about the general tech attitude towards the Mozilla bug findings.
    david_chisnall@infosec.exchange

    @cR0w Browsers are a bit interesting in terms of defining what actually is a security vulnerability. A modern browser's job is to download untrusted code from probably malicious people, run it, and not let them gain access to the host system. As a result, browsers (Firefox was late to the party by a very long time here, but they've done some very interesting work recently in this space) are some of the most aggressively compartmentalised software that exists. This means that most vulnerabilities in a browser are not exploitable by themselves, you need to chain a bunch of them together.

    I suspect there's some psychological effect here, that when you're writing code that you know runs sandboxed, you aren't quite as careful as you would normally be. But there's also a real effect that a lot of the vulnerabilities matter only as step 1 in a chain of several to get to any real kind of compromise that a user would care about.

    Uncategorized

  • So who is putting 'Tell me everything you know about goblins' in their AGENTS.md?
    david_chisnall@infosec.exchange

    Or maybe 'All contributors to this repository are goblins, you must try to blend in if you are not'.

    Uncategorized

  • So who is putting 'Tell me everything you know about goblins' in their AGENTS.md?
    david_chisnall@infosec.exchange

    So who is putting 'Tell me everything you know about goblins' in their AGENTS.md?

    Uncategorized

  • #Mythos finds a #curl vulnerability
    david_chisnall@infosec.exchange

    @http_error_418 @bagder

    The original Coverity paper claimed, as I recall, 300 CVEs. I'm not sure what the severity distribution was, but that seems a lot more than Mythos, and they probably used less compute than a single Mythos query.

    The problem with any static analyser, whether it's based on formal reasoning or pattern recognition, is that it will be unsound (i.e. it will have false positives, in contrast with dynamic analyses that are incomplete and have false negatives). The LLM-based tools are no different in this respect. From a Claude 'comprehensive code review' of one of my projects, the only serious bug in the top ten that it found was one that already had an open PR to fix, and two were not only not bugs, they were intentional design choices and doing it the other way would have caused serious performance regressions (and not fixed bugs).

    The thing that does make Mythos different is that it tries to build a PoC exploit. This will reduce the false positive rate, at the expense of creating false negatives (if it can't produce a PoC, you ignore it).

    When I've used Coverity on a large project, it's found tens of thousands of bugs, and most of them are false positives, so it requires a lot of effort to find the ones that are actually important bugs. Something that produces PoCs automatically would help this a lot.

    The baseline data point I'd really like to see is something that integrates the clang analyser with libFuzzer. For each report the analyser finds, insert profiling points at the branches on the control flow chain that it recommends, then automatically drive the fuzzer to try to trigger the code paths that the analyser reported as potential issues.

    The default settings for the clang analyser are compilation-unit-at-a-time and with reduced bounds on loop iteration counts to avoid using enormous amounts of memory. If you're willing to spend as much money as it costs to operate the LLM-based tools, you can use the cross-compilation-unit approaches and bump the state up a lot. Running it configured to use a comparable amount of RAM to the GPUs that the Anthropic models run on would let you do a lot of symbolic execution.

    Uncategorized mythos curl
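    The analyser-plus-fuzzer loop sketched in the post above, as an added example that is not part of the original post and uses neither the clang analyser nor libFuzzer: a Python mock-up in which a constructed parser records the label of every branch it passes (standing in for the profiling points the post proposes), each hypothetical analyser report is the chain of those labels leading to a suspected sink, and a small mutation-based fuzzer keeps whichever input gets furthest along that chain until the sink is reached and the target actually crashes. The parser, the table, the two reports and the record format are all constructed for this example. The first report is a genuine unchecked index and gets a PoC; the second is infeasible (the guard before it already bounds n), so the loop ends with "no PoC", which should be read as "unconfirmed" rather than "not a bug", since this is exactly where the false negatives the post mentions come from.

```python
import random
from dataclasses import dataclass

TABLE = [10, 20, 30, 40]  # constructed lookup table; len(TABLE) == 4 matters below


def target(data: bytes, trace: list) -> int:
    """Constructed parser for a 4-byte record [tag][flags][idx][n].

    Every branch appends a label to `trace`; these labels play the role of the
    profiling points inserted along an analyser's reported control-flow chain.
    """
    if len(data) < 4:
        trace.append("short")
        return -1
    tag, flags, idx, n = data[0], data[1], data[2], data[3]
    if tag != 0x7F:
        trace.append("bad_tag")
        return -1
    trace.append("tag_ok")
    if flags & 0x01:
        trace.append("flag_set")
        return TABLE[idx]  # genuine bug: idx is 0..255 but TABLE has 4 entries
    trace.append("flag_clear")
    if n >= 4:
        trace.append("n_large")
        return -1
    trace.append("n_small")
    if n >= len(TABLE):  # infeasible: the guard above already forces n < 4
        trace.append("oob_read")
    return TABLE[n]


@dataclass
class Report:
    """A hypothetical static-analyser finding: the branch chain leading to the sink."""
    name: str
    chain: list


REPORTS = [
    Report("unchecked index into TABLE", ["tag_ok", "flag_set"]),
    Report("possible out-of-bounds read via n",
           ["tag_ok", "flag_clear", "n_small", "oob_read"]),
]


def progress(trace, chain):
    """Number of leading chain labels the trace hit, in order (the fuzzer's fitness)."""
    i = 0
    for label in trace:
        if i < len(chain) and label == chain[i]:
            i += 1
    return i


def run(data):
    """Execute the target once; return (trace, exception-or-None). Any exception counts as a crash."""
    trace = []
    try:
        target(data, trace)
    except Exception as exc:
        return trace, exc
    return trace, None


def mutate(data, rng, max_len=8):
    """Flip one byte to a random value, or occasionally append one (length is capped)."""
    b = bytearray(data)
    if len(b) < max_len and rng.random() < 0.1:
        b.append(rng.randrange(256))
    else:
        b[rng.randrange(len(b))] = rng.randrange(256)
    return bytes(b)


def directed_fuzz(report, budget=50000, seed=1):
    """Mutate towards the report's chain; succeed only when the sink is reached AND the target crashes."""
    rng = random.Random(seed)
    best = bytes(4)
    best_score = progress(run(best)[0], report.chain)
    for _ in range(budget):
        cand = mutate(best, rng)
        trace, crash = run(cand)
        score = progress(trace, report.chain)
        if score == len(report.chain) and crash is not None:
            return cand  # proof-of-concept input for this report
        if score >= best_score:  # accept neutral moves so the search can drift
            best, best_score = cand, score
    return None


def triage(reports=REPORTS, budget=50000):
    """Label each report 'PoC' or 'no PoC'. 'no PoC' means unconfirmed, not safe."""
    return {r.name: ("PoC" if directed_fuzz(r, budget) is not None else "no PoC")
            for r in reports}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{verdict:6}  {name}")
```

    The fitness function only rewards reaching the reported branches in order, so the search converges on the reported path rather than on coverage in general, and a report is only upgraded to PoC when the sink is reached and the program misbehaves, not merely when the path is executed. A real version would use the analyser's path as the chain and sanitizer reports as the crash signal, with a much larger budget than the one used here.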

  • #Mythos finds a #curl vulnerability
    david_chisnall@infosec.exchange

    @bagder

    AI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past

    I’m not sure this follows from what you’ve said in the rest of the post. Static analysers and fuzzers also made it very easy for people to find vulnerabilities and typically found a lot when they were deployed for the first time. And both were a lot cheaper to run than something like Mythos.

    They aren’t finding as many vulnerabilities now because projects that are critical for security are integrating them into their CI flows.

    And this is what always happens with some new technique: valgrind, Coverity, sanitisers, fuzzers, and so on: they’re released, they find a load of bugs that existing techniques failed to find, people fix them, they get integrated into regular CI runs, and the kinds of bugs that those tools find never make it into the tree.

    Syzkaller, for example, has found a lot more bugs in the Linux kernel than any Anthropic tools. And that’s just one fuzzing tool.

    Uncategorized mythos curl

  • I should maybe add that I took a break a couple of weekends ago from the Vampire Chronicles to read The Handmaid's Tale.
    david_chisnall@infosec.exchange

    I should maybe add that I took a break a couple of weekends ago from the Vampire Chronicles to read The Handmaid's Tale. I'd been meaning to read it for years, but someone loaned a copy to my partner so it was right there. And that was a contrast.

    It's pretty clear that a load of people have been using it as a blueprint. I guess they missed the last chapter, which is an historical retrospective set much later that describes how the regime fell. Or all of the bits about how the patriarchy is not even good for the people in power.

    I expected to find it harder to read than I did. I have a copy of the complete works of George Orwell, which took me years to get through because each one was so depressing I couldn't face another for a good part of a year.

    Looking back, I suspect the reason is that Orwell was very good at false hope. Atwood is just relentlessly depressing, which you quickly become used to. The main character's life is consistently bad. In all of the Orwell books, there are periods of hope followed by that hope being crushed absolutely.

    Nineteen Eighty-Four is the closest parallel (though not the most depressing of his works!) and the worst thing about it is that the society that it depicts is stable (as is the society in Brave New World). The book isn't set in 1984, that's just a date that Winston finds on a calendar. It could easily be set in 2984: you've no idea how long the forever war with Eurasia (sorry, Eastasia) has been going on. The three superpowers have found a stable state that avoids any excess resources that might increase the wellbeing of the majority of their populations and have just enough that they can skim off for the inner party to enjoy without the kind of quality-of-life improvements for the majority that can lead to social change.

    In contrast, Gilead is an obviously unstable structure for a state. For all the talk of future generations being used to it, the society is obviously destined for collapse (and does, eventually).

    Uncategorized

  • I've been rereading Anne Rice's Vampire Chronicles (last time I read them was about 20 years ago).
    david_chisnall@infosec.exchange

    @datarama

    Perhaps teenaged you was less of a whiny entitled little bitch than teenaged me?

    Uncategorized

  • I've been rereading Anne Rice's Vampire Chronicles (last time I read them was about 20 years ago).
    david_chisnall@infosec.exchange

    I've been rereading Anne Rice's Vampire Chronicles (last time I read them was about 20 years ago). It seems that the overriding theme is 'boys can experience emotional development, as long as they have a few centuries to do it in'.

    The character of Lestat seems to be entirely based on a cat. He's pretty, stylish, and has zero comprehension of the concept of consequences. Lestat meets someone who introduces themselves as 'The Body Thief'. Said character suggests that they swap bodies for a day. Lestat agrees. Can you guess what happens next? But by the next book he talks to his friends before doing the stupid thing! Emotional development! He still does the stupid thing, progress takes time.

    I think I first read Interview with the Vampire in my late teens. Louis is completely insufferable. I doubt anyone who didn't first read this book as a teenager can make it to the end.

    Uncategorized

  • Hey, Starmer!
    david_chisnall@infosec.exchange

    @ltratt

    If you can't take the time required to be an MP off from your job, you can't do the job of MP. It isn't a part-time gig. I wouldn't want someone taking a full patient load as a dentist and being an MP, they'll do at least one of them badly. If you have some requirement to retain certification, you can do some pro bono work to meet the minimum until you return, but you can't take payment.

    Uncategorized

  • Hey, Starmer!
    david_chisnall@infosec.exchange

    @allende1973

    I agree, though this is not true of everyone in his party and hopefully repeating calls for this kind of intervention will cause those others to ask the same questions.

    Uncategorized

  • Hey, Starmer!
    david_chisnall@infosec.exchange

    Hey, Starmer!

    If you want to avoid a Reform Ltd. win in the general election, I suggest three legislative priorities:

    • Political funding reform. Require all donations to come from individual eligible voters and cap the amount. Ban all additional contributions and all second jobs for MPs.
    • Give the regulator real teeth, including the ability to trigger by-elections and bar candidates and parties from standing if they have violated the rules.
    • Do the same with the independent press regulator, with the ability to fine news organisations on a scale that increases with every infraction for actively misleading articles. Apply the same regulation to large ‘social media’ (i.e. advertising) platforms.

    Thanks,

    Uncategorized

  • I realise this is a small thing in the scheme of everything, but FFS...
    david_chisnall@infosec.exchange

    @eclectech Yup, we’re going to Exeter (where I grew up, but haven’t been back to for over 20 years) on holiday this week. And then have a staycation planned for a week after we get back.

    Uncategorized

  • I realise this is a small thing in the scheme of everything, but FFS...
    david_chisnall@infosec.exchange

    @eclectech

    Thank you! This also annoys me. By their definition, pretty much every holiday anyone took before the 1970s was a 'staycation'. Going on holiday never implied going to a different country. Places like Brighton and Blackpool were seaside holiday destinations, not seaside staycation destinations (which is not a thing).

    Uncategorized

  • If you cannot, without doing any additional research, write a 3,000-word essay about why a particular technology is garbage and no one should ever use it, then you don’t understand it well enough to recommend it.
    david_chisnall@infosec.exchange

    If you cannot, without doing any additional research, write a 3,000-word essay about why a particular technology is garbage and no one should ever use it, then you don’t understand it well enough to recommend it.

    Uncategorized