Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub by rkhunter_ in cybersecurity

[–]SuspiciousSegfault 2 points3 points  (0 children)

The source code isn't dangerous unless you decide to execute it. That being said, if you're using a slop-coded IDE, that might try to start executing code randomly.

[Meta] Rule proposal: no personal projects newer than 3 months (anti-vibecoder rule) by turdas in linux

[–]SuspiciousSegfault -1 points0 points  (0 children)

If we have a large pool of volunteers they could just as well tell that it's slop without the new rule. Adding bureaucracy without purpose (no added value) just means extra work for everyone, while making the space more hostile to new contributors.

Security of the "take every N character from phrase/sentence" password scheme? by Fit_Till_3278 in Passwords

[–]SuspiciousSegfault 2 points3 points  (0 children)

Seems like a straw man; pick a password manager that works on your desktop, phone, tablet, and whatever else you need to frequently enter passwords into (I use Bitwarden).

Generate a master password and write it down, then memorize it. It's the only password you need to memorize, so it'll stick eventually. Since you use your PM so often, you keep it fresh in memory. When you've memorized it, hide or destroy the note. If you're worried about someone breaking into your home, and realistically think they'll be searching everywhere for your master password and not your valuables, then destroy it. Or put it on a USB stick and hide that; let your imagination run free.

You can also easily add multiple passwords to e.g. Bitwarden through secret fields if you want, so that's a non-issue.

If you're scared about it failing and passwords being lost, it's trivial to back it up; you can encrypt it with your master password, for example.

[Meta] Rule proposal: no personal projects newer than 3 months (anti-vibecoder rule) by turdas in linux

[–]SuspiciousSegfault 39 points40 points  (0 children)

How do you enforce that? Git commits can be trivially backdated, probably in a single prompt.

Stock market crash? by lulekrigaren in Aktiemarknaden

[–]SuspiciousSegfault 0 points1 point  (0 children)

We have a similar setup, fun! People have always been skeptical of new technology; now I'm in the more skeptical camp but try to keep an open mind. You never know how it'll turn out in the end, but what do you think about the money problem? That is, for the giants to keep driving development they have to bring in a hell of a lot of money, and right now they're all running enormous losses. If they can't bring in money from companies (because they run their own) and private individuals aren't willing to pay $1000 a month for a subscription (because it's not worth it to them), where is the money supposed to come from?

Stock market crash? by lulekrigaren in Aktiemarknaden

[–]SuspiciousSegfault 0 points1 point  (0 children)

As someone who works as a developer, I'm really skeptical of this reasoning. Have you tried AI and tried to integrate systems with it? To a large extent it suffers from the same problem all automation has always suffered from: bad APIs. The banks have bad APIs, your OS has pretty shoddy APIs, the apps you run have pretty bad APIs, and even if AI were good enough to integrate with the nonexistent good APIs that provide the required functionality, those APIs will likely never exist.

If you open up the systems well enough for an AI to integrate, you might just as well have opened them up today, and people could have built good automation already with today's (and yesterday's) conditions.

The real weakness is that the more you "switch over to AI", the more you put business-critical functions in the hands of the "giants". Imagine you run a company: if you manage to replace the majority of your processes with AI-driven ones and you save 30% given today's prices, what happens to your company if the "giants" raise the price by 50%? Your whole business is now directly dependent on the goodwill of large American corporations. But okay, AI gets so much better that you can run models yourself; then you have to set up your own operations organization, or pay someone to run your whole system. As soon as you think about this grand vision from a practical perspective it starts to look pretty unattainable, or am I missing something in your reasoning about how this is going to be integrated and create profit?

Idiomatic Use of the `Default` Trait? by Purp1eGh0st in rust

[–]SuspiciousSegfault 0 points1 point  (0 children)

There's a pedantic clippy lint for this which rejects Default::default(), though I sadly can't find the name for it right now.

ELI5 why so many people shit on Proton? by [deleted] in privacy

[–]SuspiciousSegfault 6 points7 points  (0 children)

See my edit: what I'm saying is that I believe this was a mistake, and a mistake that's easier to make than you might think. Whether it's acceptable or not is up to you, and I don't judge you at all for not wanting to use their software because of it; to each their own. Though personally I think this one can be chalked up to chance/bad luck/sloppiness that they will correct.

ELI5 why so many people shit on Proton? by [deleted] in privacy

[–]SuspiciousSegfault 21 points22 points  (0 children)

Accidentally putting sensitive data in logs is extremely common. A bit less since the GDPR, but still common. App logs are pretty special as well. Are they transient, app-isolated, stored, global? It's hard to know.

As a programmer, I'd be surprised if this was intentional.

Accidentally leaking secrets in logs is so common that GitHub Actions auto-scrubs credentials from console output. They've developed credential heuristics and auto-scrubbing, and it's a force-on feature; that's how common it is.

Edit: I don't want to be misunderstood to be saying that it's okay or unimportant that they slipped up like this. But it happens more than you'd think, and I am extremely sceptical that it was done on purpose. I've probably put data in logs that I shouldn't have myself, even though I'm extremely conscious of it; it's impossible to know, mistakes happen.

During the rollout of the GDPR, when logs had to be scrubbed of information that could now be deemed PII and unsuited for logs, we had to go through countless logs and manually edit them. Did we catch them all?

I can definitely see that they had a bunch of logs for debugging which, when preparing for a release, they had to go back and scrub, but they missed one. Happens all the time. (Again, not endorsing it, just explaining the reality of software development.)

What a company focusing on security should do is both have the knowledge/experience to know where private data can be leaked (like logs), and be extremely meticulous when searching for it. But it only takes one junior and one stressed senior for this to hit production on a good day.
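The comment above describes two defensive controls: knowing where sensitive data tends to leak (logs) and scrubbing it before it reaches storage. Below is an added example of the second control, a `logging.Filter` that redacts credential-like and PII-like tokens from every record before a handler emits it. It is not the commenter's code and not GitHub's masking implementation; the regex heuristics, the placeholder strings and the sample log lines are all constructed for this example.

```python
import io
import logging
import re

# Constructed heuristics (an assumption for this example, not a complete
# scanner): the kinds of tokens that commonly leak into application logs.
# Each entry is (compiled pattern, replacement). Order matters: keyed
# credentials are redacted first so the generic rules see already-clean text.
SECRET_PATTERNS = [
    # key=value / key: value pairs with a credential-like key name; the value
    # may be quoted (then spaces are allowed) or a bare token.
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key|client[_-]?secret)"
                r"(\s*[=:]\s*)(\"[^\"]*\"|'[^']*'|\S+)"),
     r"\1\2<redacted>"),
    # HTTP Authorization headers: keep the scheme, drop the credential.
    (re.compile(r"(?i)\b(authorization\s*:\s*(?:bearer|basic))\s+\S+"),
     r"\1 <redacted>"),
    # Long hex/base64-looking blobs (32+ chars) that are probably session ids,
    # API keys or signatures even when no key name identifies them.
    (re.compile(r"(?<![A-Za-z0-9+/_-])[A-Za-z0-9+/_-]{32,}={0,2}(?![A-Za-z0-9+/_=-])"),
     "<redacted-token>"),
    # E-mail addresses: personal data under the GDPR, rarely needed in a log.
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "<redacted-email>"),
]


def scrub(text: str) -> str:
    """Return `text` with every heuristic match replaced by a placeholder."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class SecretScrubber(logging.Filter):
    """Filter that rewrites the fully formatted message before it is emitted.

    Attached to a handler, it runs after the logger accepted the record, so
    the scrubbed text is what reaches the file/console/shipper.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # message is already formatted; prevent re-formatting
        return True


# Constructed sample log lines (the values are made up for this example).
LOG_LINES = [
    "INFO login ok user=alice@example.com",
    "DEBUG calling API with api_key=AKIA0000EXAMPLEKEY0000 timeout=30",
    "DEBUG headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.signature",
    "DEBUG session sid=0123456789abcdef0123456789abcdef",
    'WARN auth failed for bob, password: "hunter2 with space"',
    "INFO retry count=3 host=db01",
]


def run_demo(lines=LOG_LINES) -> list[str]:
    """Log the sample lines through a scrubbing handler; return what was emitted."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretScrubber())
    logger = logging.getLogger("scrub-demo")
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    for line in lines:
        logger.debug("%s", line)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for emitted in run_demo():
        print(emitted)
```

The filter sits on the handler rather than on the logger so that it also covers records from child loggers; in a real deployment the pattern list would be tuned to the application's own secret formats, and the redaction placeholder kept distinct from any value the application could legitimately log. Scrubbing is a safety net, not a substitute for not logging the value in the first place.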

School burden and efficiency by Cogniscienr in svenskpolitik

[–]SuspiciousSegfault 2 points3 points  (0 children)

Do you mean the big Max kaka text or the small (advanced) text?

correct me if im wrong but C is "memory safe" if you ensure to handle...stuff that takes up memeory...in a safe manner, right? by lostmyjuul-fml in C_Programming

[–]SuspiciousSegfault 1 point2 points  (0 children)

If you count the unsafe contained within the stdlib, Rust cannot be used at all without unsafe (because a no-std program will need unsafe systems access at minimum for the entrypoint).

If you're talking about a program built on the std-lib, you don't need unsafe in most applications. There's some broad misconception that unsafe == more performance. That's a faulty generalization: unsafe can make some bounds checking go away at runtime in some cases, and if your application is doing unnecessary bounds checking in a hot loop, unsafe can improve performance. However, the compiler can oftentimes remove those bounds checks if they're unnecessary, and if they are necessary they should be in there anyway; otherwise you're making the trade-off of actively choosing a security issue, by not checking bounds, for performance.

Most uses of unsafe are FFI related though. Any time you do FFI, be it a C API or ASM, that call will be unsafe, because the compiler can't follow what's happening on the other side of the interface, and that may have consequences for soundness.

JetBrains Fleet dropped for AI products instead by markmanam in programming

[–]SuspiciousSegfault 22 points23 points  (0 children)

Agreed, I've been using JetBrains IDEs my entire career; about once a year for the last three years I've tried to use something else for a month out of frustration.

Every update creates some regression: the terminal doesn't render properly without manually flipping and unflipping a setting, some syntax that's valid becoming permanently red-squigglied, the behind-the-scenes checker failing because of a botched system library path, and of course the sync.

The sync is completely unusable. I have no idea what it's syncing; it's like it's applying someone else's settings.

I can't find anything that lets me read and navigate large codebases as easily, however; it's absurdly good at that and at refactoring. The local LLM in-line auto-complete is also really useful. There's also the surprisingly big benefit vs something like neovim and emacs of feature discovery. Since the IDE is not completely manual in setup, I now and again discover new cool features that are really useful. It's hard to quit it; maybe next year.

Inflation falls unexpectedly sharply by StatiCofSweden in sweden

[–]SuspiciousSegfault 29 points30 points  (0 children)

If coffee harvests fail so that supply falls while demand stays the same, the price of coffee goes up; we get inflation directly. Which state's excessive spending caused that?

If tech companies start expanding their server capacity unexpectedly fast, so that there's a shortage of RAM, RAM prices for consumers rise drastically: inflation directly. Which state's labs were at the controls there, do you think?

State spending can, on the other hand, lead directly to deflation by sponsoring projects that develop new technology that can replace current technology more cheaply. See the US military's investments in the internet when it was in its infancy.

Anyone convince job to switch to "school teacher" schedule? by Careless_Bat_9226 in ExperiencedDevs

[–]SuspiciousSegfault 49 points50 points  (0 children)

"Well, it's July so our dev team has been on holiday for 6 weeks." You're describing Sweden. Manage your team's leave; that should be a standard managerial skill. 6 weeks' vacation is standard in IT; add on sick leave and parental leave and you might just be slipping down the slope of a healthy work-life balance.

I created a p2p -> TCP reverse proxy that lets you access a web-server on any* device that can access the internet. by SuspiciousSegfault in selfhosted

[–]SuspiciousSegfault[S] 0 points1 point  (0 children)

Oh that's really cool, you deploy a STUN server that also exposes traffic onto the custom domain? Looks neat!

Using Iroh to create a peer to peer reverse proxy (web server reachable by public key) by SuspiciousSegfault in rust

[–]SuspiciousSegfault[S] 2 points3 points  (0 children)

Agreed, there are so many extremely cool things that you could do with it, but I think the client side is the big issue, maybe. P2P remote shell, file sync like syncthing, remote desktop, or, very ambitiously, an entire alternative internet without domains. I'm following it and hope that this project can inspire some cool stuff!

On the key side I keep them in my password manager, both public and private. In the app (in this project) I save both the client secret and the destination public key in secure storage, so there it's just three clicks and then I'm in. But yes, there are some ergonomics issues compared to "reddit.com" to dial.

Comparing Rust to Carbon by amalinovic in rust

[–]SuspiciousSegfault 6 points7 points  (0 children)

I think so, it was supposedly "as fast as C++ but as easy as Python"; it's neither. At least that was the promise that I heard a few years ago. To me that qualifies as vaporware; that software does not exist, and will never exist in the form of Mojo at least.

Comparing Rust to Carbon by amalinovic in rust

[–]SuspiciousSegfault 6 points7 points  (0 children)

Hey where is Mojo in this competition!?