Alternative image for C: Mr. Incredible: “A PARAMETER IS A PARAMETER!”

C, C++, C#, to name the main ones. And quite a lot of languages are compiled similarly to these.

To be clear, there’s a lot of caveats to the statement, and it depends on architecture as well, but at the end of the day, it’s rare for a byte or bool to be mapped directly to a single byte in memory.

Say, for example, you have this function…

public void Foo()
{
    bool someFlag = false;
    int counter = 0;

    ...
}

The someFlag and counter variables are getting allocated on the stack, and (depending on architecture) that probably means each one is aligned to a 32-bit or 64-bit word boundary, since many CPUs require that for whole-word load and store instructions, or only support a stack pointer that increments in whole words. If the function were to have multiple byte or bool variables allocated, it might be able to pack them together, if the CPU supports single-byte load and store instructions, but the next int variable that follows might still need some padding space in front of it, so that it aligns on a word boundary.

A very similar concept applies to most struct and object implementations. A single byte or bool field within a struct or object will likely result in a whole word being allocated, so that other variables and be word-aligned, or so that the whole object meets some optimal word-aligned size. But if you have multiple less-than-a-word fields, they can be packed together. C# does this, for sure, and has some mechanisms by which you can customize field packing.

That’s a good analogy.

It’s far more often stored in a word, so 32-64 bytes, depending on the target architecture. At least in most languages.

Yes, absolutely.

Since it’s worded a little weirdly in tbe title, and equally-weirdly in the article, I believe what they’re saying is…

“UHC didn’t lower their profit goals after Thompson’s murder, even though achieving those goals requires aggressive anti-consumer tactics, and they should have known that they wouldn’t be able to implement those, after the murder highlighted how anti-consumer the company is.”

So, in case it wasn’t clear, no, the plaintiff position doesn’t really give a shit about the anti-consumerism itself.

That is NOT a high bar to clear, but yes. It’s the only one that had any actual interesting point to make.

When did I say you don’t read the news much?

Ethnic cleansing could turbocharge ethnic cleansing? I mean, I guess, but that’s a really weird way to put it.

Por que, no los dos?

No idea. That’s the problem. ICE isn’t bothering to determine if the people it deports have proper documentation or not. The plethora of incorrectly arrested and/or deported people we DO know about, we only know because journalists and citizens did the investigating. Which is why ICE is working harder and harder to hide any details about what they’re doing and who they’re arresting.

My big reason would be “it hurts readability”. That is, when writing code, readibility for others who aren’t familiar with it (including future me) is my top-priority, and that means indentation and alignment are HIGHLY important, and if I spend the time to write code with specific indentation and alignment, to make it readable at a glance, I want to be certain that it’s always going to display exactly that way. Tabs specifically break that guarantee, because they’re subject to editor settings, which means shit like the below example can occur:

I write the following code with an editor that uses a tab size of 4.

myObject.DoSomething(
    someParameter:      "A",
    someOtherParameter: "B",
    value:              "C");

If someone pulls this up in an editor that uses a tab size of 8, they get…

myObject.DoSomething(
    someParameter:          "A",
    someOtherParameter:     "B",
    value:                          "C");

Not really a big deal, in this simple case, but it illustrates the point.

My second reason would be that it makes code more difficult to WRITE, I.E. it’s not that hard to insert spaces when you mean to insert tabs, considering that you’re not LITERALLY using only tabs just only tabs for indentation and alignment. And if you do accidentally have spaces mixed in, you’re not going to be able to tell. The guy on another machine with different editor settings will, though.

I’m aware there are fonts that can make spaces and tabs visible and distinct, but that sounds like a NIGHTMARE to write and read code with. I mentioned above, my top priority is easy readability, and introducing more visual noise to make tabs and spaces distinct can only hurt readability.

Denying that the logo used to have a cornucopia is a thing? Sheesh, TIL.

It was one of those tall, thin church candles that you normally put out with a long handheld suffocator. Me, I tried to just jump for it. Came down awkwardly on one of the thing’s feet, lost my balance, and my leg crumpled in under me as I fell.

I once fractured my fibula blowing out a candle. I was, like, 17. You’re telling me it’s going to get WORSE?!

You’re right to think that “since it’s open source, people can see what it’s doing and would right away notice something malicious” is bullshit, cause it pretty much is. I sure as hell don’t spend weeks analyzing the source code of every third party open source package or program that I use. But just like with close-source software, there’s a much bigger story of trust and infrastructure in play.

For one, while the average Joe Code isn’t analyzing the source of every new project that pops up, there are people whose job is literally that. Think academic institutions, and security companies like Kaspersky. You can probably argue that stuff like that is underfunded, but it definitely exists. And new projects that gain enough popularity to matter, and don’t come from existing trusted developers are gonna be subject to extra scrutiny.

For two, in order for a malicous (new) project to be a real problem, it has to gain enough popularity to reach its targets, and the open source ecosystem is pretty freakin’ huge. There’s two main ways that happens: A) it was developed, at least partially, by an established, trusted entity in the ecosystem, and B) it has to catch the eye of enough trusted or influential entities to gain momentum. On point B, in my experience, the kind of person who takes chances on small, unknown, no-name projects is just naturally the “exceptionally curious” type. “Hmm, I need to do X, I wonder what’s out there already that could do it. Hey, here’s something. Is it worth using? I wonder how they solved X. Lemme take a look…”

For three, the open source ecosystem relies heavily on distribution systems, stuff like GitHub, NuGet, NPM, Docker, and they take on a big chunk of responsibility for the security and trustability of the stuff they distribute. They do things like code scanning, binary validation, identity verification, and of course punitive measures taken against identified bad actors (I.E. banning).

All that being said, none of the above is perfect, and malicious actor absolutely do still manage to implant malware in open source software that we all rely on. The hope is that with all of the above points, as well as all the ones I’ve missed, that the odds of it happening are rare, and that when it DOES happen, it’s way easier to identify and correct the problems than when we have to trust a private party to do it behind closed doors.

Great recent example, from last year: https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know

Me, I see this story as rather uplifting. I think it shows that the ecosystem we have in place does a pretty good job of controlling even the worst malicious actors, cause this story involves just about the worst kind of malicous actor you could imagine. They spent a full 2 years doing REAL open source work to develop that community trust I talked about, as well as maintaining a small army of fake accounts submitting support requests, to put pressure on the project to add more maintainers, resulting in a VERY sophisticated, VERY severe backdoor being added. And they still got found out relatively quickly.

By Thursday afternoon, the attorneys were taken off the case while a transportation department spokesperson speculated they published the document as an act of sabatoge.

Props, if true. But this is the Trump administration, sabotage is absoutely not a requisite for incompetence.

Outshining JS in the backend is not an achievement.

Nutritious breakfast cereal.

The most straightforward thing to do, on a private LAN, is to make all your own certs, from a custom root cert, and then manually install that cert as “trusted” on each machine. If none of the machines on this network need to accessed from outside the LAN, then you’re golden.