The Best Textbooks on Every Subject (lesswrong)
w/ grain of salt, but a useful list nonetheless

wondering when I will ever have time to work my way through even a couple of these though
books  to-read-maybe 
Why Create a New Unix Shell?
OSH is a new shell implementation that's part of the Oil project. It's compatible with both POSIX and bash. The goal is to run existing shell scripts. As of January 2018, I've made major progress toward this goal.

The Oil language is a brand new, incompatible, shell language. The idea is to fix more than four decades of accumulated warts in the Unix shell. Many Unix users are angry that shell is so difficult, and Oil aims to fix that. (Example: why is x=1 different than x = 1?)
unix  tools  programming-languages 
21 days ago
Spectre Returns! Speculation Attacks using the Return Stack Buffer
The recent Spectre attacks exploit speculative execution, a pervasively used feature of modern microprocessors, to allow the exfiltration of sensitive data across protection boundaries. In this paper, we introduce a new Spectre-class attack that we call SpectreRSB. In particular, rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses. We show that both local attacks (within the same process such as Spectre 1) and attacks on SGX are possible by constructing proof of concept attacks. We also analyze additional types of the attack on the kernel or across address spaces and show that under some practical and widely used conditions they are possible. Importantly, none of the known defenses including Retpoline and Intel's microcode patches stop all SpectreRSB attacks. We believe that future system developers should be aware of this vulnerability and consider it in developing defenses against speculation attacks. In particular, on Core-i7 Skylake and newer processors (but not on Intel's Xeon processor line), a patch called RSB refilling is used to address a vulnerability when the RSB underfills; this defense interferes with SpectreRSB's ability to launch attacks that switch into the kernel. We recommend that this patch should be used on all machines to protect against SpectreRSB.
papers  research  security  hardware  exploits 
28 days ago
Karl Isenberg @KarlKFI Even with kubeadm and a team of 6 you can’t get upstream K8s production ready in 6 months. We tried.
Even with kubeadm and a team of 6 you can’t get upstream K8s production ready in 6 months. We tried.

Hard Problems:
- High Availability
- Single Sign On
- Multitenancy
- Resource Isolation
- Permission Management
- Upgrades
- Backups
- Package Management
- CI/CD Integration

8:57 PM - 20 Jul 2018
devops  kubernetes  twitter-threads-with-useful-replies 
4 weeks ago
I left the vendor world and decided to go work as a CISO...
<< I left the vendor world and decided to go work as a CISO (an actual CISO, not a marketing or “advisory” CISO, y’all know the difference). Nothing will humble you faster than seeing how your 20 years of security expertise run into the cold, hard wall of reality.


The first thing I noticed is that when ALL my contacts from the #infosec vendor world started calling me and pitching me on their solutions (including my own company!) I found myself laughing at the presumption: “You don’t even have an $XYZ solution in place?”

My answer was “NO, I don’t have an $Xyz solution in place and I’m probably a year away from that problem even making it onto my Top 10 list”. This was after YEARS of me telling the world that $Xyz solution should be the first thing you invest in, and BELIEVING it!

Every security vendor and every researcher sees the industry through a soda straw, inside a soda straw, inside another soda straw. >>
security  management  technology-industry  tweet-threads-that-should-be-blog-posts 
4 weeks ago
Fundamental Value Differences Are Not That Fundamental | Slate Star Codex
Once in a while Alexander manages to write something that is good and not way too long and not mixed with anything outrageously wrong.
philosophy  rhetoric  politics 
4 weeks ago
Some Quick Things Every Founder Should Know (Mark Suster)
probably employees of any startup that is taking VC funding should know these things too?
startups  technology-industry 
4 weeks ago
Alan Cooper @MrAlanCooper From the beginning, I insisted that every office, every room, at Cooper have a whiteboard.
Good thread which discusses, among other things, why whiteboards should be perpetually erased and not covered with post-its.
tweet-threads-that-should-be-blog-posts  design  tools  office-space 
5 weeks ago
Interviewing.io with Aline Lerner
Skip to the PDF transcript; there are some transcription errors but they are not insurmountable. Some good bits in here. Hard to pick the best but here are a few:

One of the main other problems with interviewing, and this is kind of a by-product of the kinds of questions people ask is that it’s pretty non-deterministic. What does that mean? It means that if the same person does a string of interviews over a pretty short span of time, they’re probably not always going to end up with the same results. So they’re not always going to pass. This is something that I think people just really suspect, especially if they’ve been through a few interviews themselves. But this is something we have actually collected data on at Interviewing.io. The data is exactly as I described, so you look at a person who participates in a series of technical interviews over a fairly short span of time and then you see how they do.

The fact is that most people, even if on average they’re killing it, like doing really, really well, they’re going to have an interview that they bomb every 1 in 5, every 1 in 10. While it’s not that often, most people are not that consistent, so people will mess up 1 in 4, 1 in 3. These are still very, very good engineers. Many of whom are getting offers from top companies, but what ends up happening is not only is it a poor signal, which means that interviewers waste more time and companies spend more time paying time and spend lunch time on interviewing.

A lot of our users are engineers that do work at companies like Facebook or Google and have been there, for I don’t know, like four years and they’re maybe thinking they’re a little bored and maybe they want to get out there and then try a startup, but they realize that they have to go through the interview [gauntlet] if they’re going to do that. If you’re an engineer with that seniority, with that much brand sparkle behind you, it’s so intimidating to have to get out there and represent one of these big friends. Because if you fail, you really look like an idiot, right? Everyone is expecting you to kill it. Then if you’re a Google engineer who can’t reverse a linked list or whatever, you really look stupid.

Ha ha! So true. I am thinking of the day that I got a really bad case of interview brain and wrote unique_ptr<char> instead of unique_ptr<char[]>. There is a dude in the Valley who now thinks that I am a clown who doesn't know how to delete arrays in C++ despite claiming C++ proficiency on my resume. Then there was the time I fucked up longest common subsequence.

a few years ago, I was still working as a recruiter and one of the things I was doing as a recruiter was because I come from a technical background that I use for my code before doing for about five years. I was in a position where I could interview my own candidates.

I always felt like if I’m going to endorse a candidate and say, “They’re good.” I want to make sure. I run them through some technical questions, so I could feel good about it. Then I present these candidates to some of the companies I was working with. They would say, “No.” I’m like, “Well, what do you mean no? I know this person can code.” They’re like, “No, it doesn’t matter. We have a hiring spec. Essentially, we are looking for people from these schools and these companies.”

There is one startup that I actually with that I won’t name, but actually gave me a flowchart to make my life easier. They’re like, “You’re a recruiter. You work with us. Here is a flowchart. Did they go to this school? No, they didn’t. Okay, then do not pass – do not collect the $100. Fuck you, we’re not taking this candidate.”

This is something that really pissed me off as you can imagine. One of the companies I work with actually issued me this challenge and they ended up being one of my favorite companies to work with, and I still work with them in the Interviewing.io capacity. Today they said, “Look, you have a bunch of people that look really weird on paper. We’re going to give this a shot. So no matter who you send us, if you feel good about them, we’ll talk to the first five. Then by that point, if –” I forget exactly what the terms were, but it was like, “If at least two of them don’t get an offer, or at least one of them doesn’t get hired, whatever it was, then we’re never working with you again.” I was like, “All right, guys. Challenge accepted. Let’s do this.”

That ended up working out so well.

after I graduated, I ended up cooking professionally for three years, which was one of the most intense periods of my life, and one where I got to meet people that I never would have met otherwise. I’m really grateful that I did it, one because I have some crazy stories, but that’s not the main reason. The main reason is that that was the first time that I really got to see a different hiring process as in aside, like when you get a job as a cook, you don’t really talk about your resume or your experience or your hopes and dreams or your five-year plan or whatever. You just show up and you bring your knives and then that’s what you do. You just start doing the work.

You’re at the restaurant, in the morning you’re prepping for the station where you’re going to be working. Then the evening, you’re putting out dishes that the station that you’ve been assigned to is responsible for. The whole time, someone is watching you. At the end of the night if you did a good job, then you get a job offer and they feed you. If you didn’t do a good job, maybe they feed you then they send you home. To me, that was just eye-opening, because I had always thought that engineering was supposed to be something that was super meritocratic. Then I realized that the way that engineers are hired is just not meritocratic when compared to this other industry that’s much older.
hiring  technology-industry 
5 weeks ago
A web application completely in Rust
Right now this is more like code golfing than a serious methodology for development but I look forward to seeing this type of development become more widespread, both Rust and other languages.
web-development  rust 
6 weeks ago
Adversarial Reprogramming of Neural Networks
Deep neural networks are susceptible to adversarial attacks. In computer vision, well-crafted perturbations to images can cause neural networks to make mistakes such as identifying a panda as a gibbon or confusing a cat with a computer. Previous adversarial examples have been designed to degrade performance of models or cause machine learning models to produce specific outputs chosen ahead of time by the attacker. We introduce adversarial attacks that instead reprogram the target model to perform a task chosen by the attacker---without the attacker needing to specify or compute the desired output for each test-time input. This attack is accomplished by optimizing for a single adversarial perturbation, of unrestricted magnitude, that can be added to all test-time inputs to a machine learning model in order to cause the model to perform a task chosen by the adversary when processing these inputs---even if the model was not trained to do this task. These perturbations can be thus considered a program for the new task. We demonstrate adversarial reprogramming on six ImageNet classification models, repurposing these models to perform a counting task, as well as two classification tasks: classification of MNIST and CIFAR-10 examples presented within the input to the ImageNet model.
neural-networks  security  machine-learning  exploits 
6 weeks ago
Big Tech’s Hot New Talent Incubator: Community College
fine as far as it goes & I'm sure that the CC route grants the chance at upward mobility within the tech industry to a lot of people who should have it but don't, but this article fails to look at the qualitatively different jobs that these degrees are likely preparing students for, vs. e.g. a 4-year CS degree from an R1 (e.g. "IT support" vs. software engineering).

must dig up Ed Lazowska's deck explaining why community college was not the answer for Washington State a decade ago.
education  higher-education  technology-industry 
7 weeks ago
Joe Duffy - Hello, Pulumi!
someday I am going to tell people what I learned about configuration management at Google and the pitfalls of the approach described here...
configuration-management  programming-languages 
9 weeks ago
Follow-up: Neil Trevett and Tom Olson from Khronos Group Discuss OpenCL and Vulkan Roadmap | PC Perspective
this is maybe the biggest current gaping hole in my systems programming knowledge. going to become more important. should digest this more thoroughly as well as the current state of opencl/CUDA
programming  gpu-programming  to-read 
9 weeks ago
Bad Blood: Secrets and Lies in a Silicon Valley Startup, by John Carreyrou (@Kindle)
Finished 2018-06-10. Recommended. A brisk read, funny and maddening.

A consistent theme here is very successful old men deciding to rely too much on social proof and gut instinct over due diligence, physical evidence, and the advice of more conscientious but lower status people around them.

Also, to be frank, Stanford doesn't come off looking too great, particularly the Hoover Institution, although I guess anyone with a clue already knew that Hoover is a pernicious parasite.
booklog  nonfiction  finished:2018  silicon-valley  biotechnology  venture-capital  stanford  conservatism 
10 weeks ago
Opinion | Don’t Blame Silicon Valley for Theranos - The New York Times
Theranos did make presentations to many, if not most, of the top life sciences firms. Part of the company’s appeal was the familiar origin myth of Theranos’s founder, Elizabeth Holmes, who, like Bill Gates and Mark Zuckerberg before her, dropped out of college in order to found her company.

That might impress some social media investors, but in life sciences, everyone puts in years of formal study just to earn a seat at the table. For example, at MPM Capital, a venture firm that invests in life sciences, almost every one of its 20 investing directors and partners has either a Ph.D. or M.D., and one has both. Even the general counsel has a Ph.D. in cell, molecular and developmental biology.

GV, formerly Google Ventures, has a five-person investment team for Life Science & Health that includes two members with Ph.D.s in bioengineering; another with both an M.D. and a Ph.D. in biophysics; and a partner who, unlike Ms. Holmes, finished at Stanford, then went on to earn an M.D. and M.B.A. at Harvard.

Theranos approached GV twice and was turned down twice because of what one partner called “so much hand-waving.” People I have talked to at other investment firms said they turned down Theranos for similar reasons, unsatisfied with Theranos’s attempt to substitute its intangible “coolness” in place of technical details needed to validate its diagnostic technology.

Another tipoff? Theranos wouldn’t publish in peer-reviewed journals. Guy Cavet, chief technology officer for the biotech firm Atreca, said: “Every smart prospective partner of a life sciences start-up looks for strong peer-reviewed publications. It’s a way of getting expert due diligence at zero cost.”

Experience in health care is critical for a company like Theranos, which has to comply with government regulations. Instead, even the board of directors was weighted during most of the company’s life with older political figures like George P. Shultz and Henry A. Kissinger.

Luke Evnin, a co-founder at MPM Capital, said he had never met with Theranos or Ms. Holmes, but he found the makeup of the board puzzling: “It is pretty weird that if you look at her board, there’s not a single person who knows what they’re doing in the business.”

The first million dollars that the company received was from Tim Draper, a venture capitalist who became a venture capitalist through a very un-Silicon Valley-like route: His father was one (as was his grandfather). Mr. Draper had known Ms. Holmes as a childhood neighbor and playmate. The investors that followed Mr. Draper are a motley group, at least the ones visible in S.E.C. filings: a tiny firm named ATA Ventures; Continental Properties, a real estate company; and Donald L. Lucas, whose claim to fame was having invested in Oracle Corporation early.

But while Silicon Valley Proper wasn’t interested, the media was. Ms. Holmes was on the covers of Fortune, Forbes, Inc., and T: The New York Times Style Magazine. “The Next Steve Jobs” promised the cover of Inc. Richard Kovacevich, then a board member and a former Wells Fargo C.E.O., crowed, “We didn’t need advertising.”

No, they needed results. Theranos might still prove viable. But if Walgreens ends up with swampland, it’s not Silicon Valley’s fault.

It has been amusing to watch the media, which hyped Theranos far harder than the actual Silicon Valley venture scene, rush to use Theranos as an object lesson in the corruption of Silicon Valley.
silicon-valley  venture-capital  nepotism  journalism 
10 weeks ago
[1711.01254] Automated Detection, Exploitation, and Elimination of Double-Fetch Bugs using Modern CPU Features
Double-fetch bugs are a special type of race condition, where an unprivileged execution thread is able to change a memory location between the time-of-check and time-of-use of a privileged execution thread. If an unprivileged attacker changes the value at the right time, the privileged operation becomes inconsistent, leading to a change in control flow, and thus an escalation of privileges for the attacker. More severely, such double-fetch bugs can be introduced by the compiler, entirely invisible on the source-code level.
We propose novel techniques to efficiently detect, exploit, and eliminate double-fetch bugs. We demonstrate the first combination of state-of-the-art cache attacks with kernel-fuzzing techniques to allow fully automated identification of double fetches. We demonstrate the first fully automated reliable detection and exploitation of double-fetch bugs, making manual analysis as in previous work superfluous. We show that cache-based triggers outperform state-of-the-art exploitation techniques significantly, leading to an exploitation success rate of up to 97%. Our modified fuzzer automatically detects double fetches and automatically narrows down this candidate set for double-fetch bugs to the exploitable ones. We present the first generic technique based on hardware transactional memory, to eliminate double-fetch bugs in a fully automated and transparent manner. We extend defensive programming techniques by retrofitting arbitrary code with automated double-fetch prevention, both in trusted execution environments as well as in syscalls, with a performance overhead below 1%.
security  program-analysis  research  papers 
10 weeks ago
Dinosaur Comics - June 4th, 2018 - awesome fun times!
a solid and novel science fictional premise, and here executed with almost borgesian finesse
humor  science-fiction 
10 weeks ago
Revisiting the Marshmallow Test: A Conceptual Replication Investigating Links Between Early Delay of Gratification and Later Outcomes - Tyler W. Watts, Greg J. Duncan, Haonan Quan, 2018
Entirely predictably, this study is being misreported as completely debunking the original study, whereas (if I understand the abstract), in fact it merely shows an effect size that is smaller:

<< Concentrating on children whose mothers had not completed college, we found that an additional minute waited at age 4 predicted a gain of approximately one tenth of a standard deviation in achievement at age 15. But this bivariate correlation was only half the size of those reported in the original studies and was reduced by two thirds in the presence of controls for family background, early cognitive ability, and the home environment. >>
psychology  child-development  research 
11 weeks ago
Against trendism: how to defang the social media disinformation complex
I have thought that (5) (hide favorite counts, retweet counts, & follower counts) would improve Twitter considerably for some time now; of course they will never do it.
social-media  social-software  social-formation-of-belief 
11 weeks ago
Is the use of Facebook turning into a social class indicator? - Femke Goedhart | Tableau Public
maybe FB really is turning into a declasse social network for middle aged people, as I said years ago (& later changed my mind about), rather than becoming the identity layer for all human interaction? but it will be interesting to see what happens as this cohort ages and finds that it has to engage with all the real-world social networks that are stuck on FB through groups etc.
visualization  facebook  social-media  class 
11 weeks ago
Trade sanctions against America won't work. Sanctioning Trump himself might. - Macleans.ca
accurate. I fully endorse this course of action for foreign countries that want to bring pressure against this President. (Note that he would be immune to these tactics if he had divested on assuming the office.)
international-relations  united-states  canada  trump 
11 weeks ago
Marketing Technology Landscape Supergraphic (2018): Martech 5000 (actually 6,829) - Chief Marketing Technologist
surely every one of these firms is backed by VCs and led by an executive team that displays the utmost concern for protecting the privacy of individuals
marketing  internet  privacy  lol-what-am-i-saying 
11 weeks ago
One year of C
I disagree with a lot of this and suspect that this does not scale to large team projects but it advocates a style of C programming that I had not seen before which is interesting.
programming  experience-reports 
11 weeks ago
Why Doesn't Anyone Answer the Phone Anymore? - The Atlantic
<<in the last couple years, there is a more specific reason for eyeing my phone’s ring warily. Perhaps 80 or even 90 percent of the calls coming into my phone are spam of one kind or another.>>
culture  communication 
11 weeks ago
Moving Fast and Securing Things – Several People Are Coding
sigh. file under "stuff your startup can do when investors have given you astonishing amounts of resources".
security  software-development 
may 2018
PostgreSQL's fsync() surprise [LWN.net]
when the PostgreSQL community found out that the way the kernel handles I/O errors could result in data being lost without any errors being reported to user space, a fair amount of unhappiness resulted. The problem, which is exacerbated by the way PostgreSQL performs buffered I/O, turns out not to be unique to Linux, and will not be easy to solve even there.
Craig Ringer first reported the problem to the pgsql-hackers mailing list at the end of March. In short, PostgreSQL assumes that a successful call to fsync() indicates that all data written since the last successful call made it safely to persistent storage. But that is not what the kernel actually does. When a buffered I/O write fails due to a hardware-level error, filesystems will respond differently, but that behavior usually includes discarding the data in the affected pages and marking them as being clean. So a read of the blocks that were just written will likely return something other than the data that was written.

What about error status reporting? One year ago, the Linux Filesystem, Storage, and Memory-Management Summit (LSFMM) included a session on error reporting, wherein it was described as "a mess"; errors could easily be lost so that no application would ever see them.

databases  linux  operating-systems 
may 2018
xkcd: Python Environment
sigh, so true, it's gotten to the point where I just try to do Python coding entirely in a Docker container whenever I can
python  programming  humor  or-is-it 
may 2018
Kengo Kuma to build aquatics centre and harbour bath in Copenhagen
I will be very impressed if they manage to execute on this design. Even if they do, it will be jam packed on any nice day and look nothing like this. Still, it's not often I see architecture this striking.
architecture  design 
april 2018