Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Remember Apple's initiative to scan photos on user's devices to find child pornography?
Today I finally decided to research this.
The evidence is conflicting.
For context, the database of prohibited material is called CSAM (child sexual abuse material).
“If it finds any CSAM, it will report the user to law enforcement.”
— Futurism
“Apple said neither feature would compromise the security of private communications or notify police.”
— NPR
CSAM initiative is dead. It won't scan photos in iCloud. It won't scan photos on your device. It will be a feature that only works in some countries, only on children's devices, and it will be opt-in. It will only work for iMessage attachments.
This is what Apple actually said at https://www.apple.com/child-safety:
- “Features available in Australia, Belgium, Brazil, Canada, France, Germany, Italy, Japan, Netherlands, New Zealand, South Korea, Spain, Sweden, UK, and U.S.”
- “The Messages app includes tools to warn children when receiving or sending photos that contain nudity. These features are not enabled by default. If parents opt in, these warnings will be turned on for the child accounts in their Family Sharing plan.”
News outlets telling people they will be automatically reported to authorities, and then telling there can be false-positives is a classic example of fearmongering. I hate this. Remember, anger and fear are the most marketable emotions. They make you click. News are and will always be worded to cause these emotions — it brings in money.
When presented with good news, people think they're not being told the truth. When presented with bad news, even when they're made up, people think it's the truth that's being hidden from them. This is how news works.
Now, a HUGE but:
Apple is a multi-billion dollar corporation. There is no such thing as good billionaires. Corporations will always wait for chances to invade privacy. It's like boiling the frog — one tiny measure here, one there, and just like this, step by step, they will eliminate the privacy completely. It's in their interest to have all the data about you. It brings control.
This is not the first time Apple tries to do shit like this, and it definitely won't be the last. You have to keep an eye on your privacy. If you want your privacy in the digital age, it's necessary to fight back. If you live in Europe, take the action and vote for initiatives that oppose corporate tyranny and privacy invasions.
Privacy on the internet is one thing, but scanning people's devices is a whole another thing. This is unacceptable no matter the rationale behind it. Expect more measures like that in the near future.
Research Linux. Find a distro that suits you. The notion that you can't switch because of apps/UI/etc. may be dictated by our brain's tendency to conserve energy and avoid the change.
Take a look at mobile distros like Graphene OS and LineageOS. The former only supports Pixel devices, the latter supports a wide range of devices including OnePlus and Xiaomi. They'll have FAR better privacy than iPhones.
Consider switching. It's easier than you think. Yes, it's me who's saying this. I do and will always protect people/companies from unjust criticism, and I consider myself an Apple fangirl for personal reasons related to my childhood, yet I won't fight blindly. CSAM initiative is a valid criticism, and there's nothing preventing me from saying this is unacceptable, and Apple deserves the backlash they got.11 -
Let me tell you a story.
Our company has a homegrown monitoring solution. Keeps track of our deployments and alerts us when something is broken. Really nice for the most part, except a little issue where we get up to 25 alerts PER DAY that our PRODUCTION ENVIRONMENT IS DOWN. Including weekends.
With this many false positives, we quickly learn to ignore the alerts and miss real incidents.
So we approached this team, remember its our own tool, and told them about the problem. Turns out it is a known issue. And here's the kicker: they aren't planning on fixing it!
It gets better. Rather than fix this glaring issue, their solution is to make ANOTHER ALERT that lets us know the monitoring is misbehaving.
To recap, we can now expect to get up to 25 false positive alerts per day that our production is down, followed immediately by more alerts that the monitor is broken, which means we can ignore the previous alert.
As our PM said when he heard this: fuck that noise. We are escalating the shit out of this!7 -
SM = Scrum Master
SM: "Card #130, you added a comment saying you aren't going to do update the report?"
Me:"Yea, I explained why in the comment"
SM: "Product owner wants it."
Me: "Product owner isn't the manager using it. I talked with Steve, he said the data is accurate and they have to go to the database anyway to verify the error. That report has no way of knowing the message logged could be a false positive."
SM: "That's not our job to decide. If the Product Owner wants the feature, we add the feature."
Me: "It is absolutely is our job. Steve is the user of the report. I could really care less what the product owner said. The only reason he created the card was because Steve told him a specific error logged could be a false positive, and only happens, maybe, once a month. I'm not wasting my time, Steve's time, or this project's time on wild goose chases."
SM: "I'll schedule a meeting this afternoon to discuss the issue with the product owner. Don't worry, if you can't figure out how to filter out the false positives, I'll assign the ticket to me."
fracking fracking kiss ass. I swear, if he goes behind my back again ....I... deep breath....ahhh...OK..Thanks devrant. Work place incident diverted.6 -
Installed SonarQube and Snyk on the CI/CD of a 2.5 year old project that only had a linter enabled previously.
Practically zero problems found. One minor problem (same code in different branches), a few false positives, and a few possible problems in dependencies that I have no control over.
Now wondering:
Am I really that good or are those tools just shit?
10 -
Lets play a game of spot the bug...
Too easy you say?
What if I told you that this code was written by a well paid dev over an exceptionally large period of time?
Crazy huh, but that's still nothing. The most ludicrous thing about it - is that you (like me) probably suffer from a mild case of impostor syndrome.
I just ended that suffering. The only thing worse than impostor syndrome is believing you actually know what the fuck your doing. Keep it in check but learn to love it... it's probably the reason you could spot the bug after all.
4 -
PSA: negate your tests and make sure they fail!
I have what I thought was a weird and slightly paranoid habit. When I write tests sometimes just as a sanity check negate the assertion to make sure the test fails and isn't a false positive. Almost always fails as expected.
But not today! Turns out I had forgotten to wrap my equality check in an assertion so it would always pass. It freaks me out to imagine pushing a test that always passes not just because it doesn't do its job, but could also obscure a bug and trick me into thinking it works differently than it does. Broken tests are the worst!
But it pays to be paranoid. -
The development department got an order to remove certain functionality from our current server monitoring solution, so that we had to use a new, still very in development solution, that is full of bugs and super unreliable.
End result? We now have to have two windows open all the time, while also hoping the new solution actually works, as it tends to stop refreshing randomly, and tends to give false positives a lot. -
In the 90s most people had touched grass, but few touched a computer.
In the 2090s most people will have touched a computer, but not grass.
But at least we'll have fully sentient dildos armed with laser guns to mildly stimulate our mandatory attached cyber-clits, or alternatively annihilate thought criminals.
In other news my prime generator has exhaustively been checked against, all primes from 5 to 1 million. I used miller-rabin with k=40 to confirm the results.
The set the generator creates is the join of the quasi-lucas carmichael numbers, the carmichael numbers, and the primes. So after I generated a number I just had to treat those numbers as 'pollutants' and filter them out, which was dead simple.
Whats left after filtering, is strictly the primes.
I also tested it randomly on 50-55 bit primes, and it always returned true, but that range hasn't been fully tested so far because it takes 9-12 seconds per number at that point.
I was expecting maybe a few failures by my generator. So what I did was I wrote a function, genMillerTest(), and all it does is take some number n, returns the next prime after it (using my functions nextPrime() and isPrime()), and then tests it against miller-rabin. If miller returns false, then I add the result to a list. And then I check *those* results by hand (because miller can occasionally return false positives, though I'm not familiar enough with the math to know how often).
Well, imagine my surprise when I had zero false positives.
Which means either my code is generating the same exact set as miller (under some very large value of n), or the chance of miller (at k=40 tests) returning a false positive is vanishingly small.
My next steps should be to parallelize the checking process, and set up my other desktop to run those tests continuously.
Concurrently I should work on figuring out why my slowest primality tests (theres six of them, though I think I can eliminate two) are so slow and if I can better estimate or derive a pattern that allows faster results by better initialization of the variables used by these tests.
I already wrote some cases to output which tests most frequently succeeded (if any of them pass, then the number isn't prime), and therefore could cut short the primality test of a number. I rewrote the function to put those tests in order from most likely to least likely.
I'm also thinking that there may be some clues for faster computation in other bases, or perhaps in binary, or inspecting the patterns of values in the natural logs of non-primes versus primes. Or even looking into the *execution* time of numbers that successfully pass as prime versus ones that don't. Theres a bevy of possible approaches.
The entire process for the first 1_000_000 numbers, ran 1621.28 seconds, or just shy of a tenth of a second per test but I'm sure thats biased toward the head of the list.
If theres any other approach or ideas I may be overlooking, I wouldn't know where to begin.16 -
!rant
Started Data Science course on big data universuty. The outcomes are heavily dependent on domain experts/stakeholders!!! Since all the answers are false positives and need to decide what make sense with the help of domain experts. And most of the Data scientists are not from programming background, they are domain experts who turned into Data scientists. Thoughts if I should continue with learning big data/data science, knowing that I have knowledge in information retrieval and search engines. -
Has anyone else actually *used* mutation testing at all?
Heard a lot about it recently - it seems all the rage amongst the bloggers, but I'm generally always very sceptical of things touted as the "latest hotness" (my thoughts on blockchain for instance are well known.)
So I went ahead and whacked http://pitest.org/ into one of my more recent pet projects to see if it offered anything decent. Surprisingly, it did - in particular it caught a number of places where switching "<" for "<=" and similar had no affect on the pass / fail rate (indicating the tests should be better.) There were a *few* false positives, and some which were borderline useful, but as a whole I'd say it was a worthwhile addition.
Curious as to if anyone else has had the same experience?1 -
PC-Lint is such a useless piece of shit! Tons of warnings with no actual benefit. The obvious motivation behind this crap was to throw as many warnings as this cheap sucker can even generate with no effort to minimise false positives. Typical snakeoil shit, reminds me of ZoneAlarm back then which reported every ping as "attack" just to fool the clueless into buying. Meanwhile, the actual bugs that sophisticated tools can find pass unnoticed through PC-Lint.
-
TL;DR: What do you hate about the current interview process for software dev positions?
I have been reading interview related posts on reddit and other places and I have noticed that there is a lot of hate, especially from more senior devs, towards the typical software dev interview pattern i.e. the one focused on algorithms and data structures and I don't understand why. The current methods may be far from ideal but I think they do a good job of eliminating the false-positives. Plus, I can't think of a better alternative. Sure, by using current interview methods some good devs might get rejected because they haven't used/needed/studied many algorithms and data structures after they left college, but for any big company that gets thousands of applications every year, that wouldn't be a big issue compared to the negative impact a false-positive may create. I am still in college so I maybe biased, I would like to hear your thoughts on this.3 -
Boss wanted our AES implemented to use an Initialization Vector. I changed the implementation to add an IV and all the tests passed on the first try!
I changed the implementation to fail just to make sure I wasn't getting false positives. -
In the saga of the unnamed SAAS I've talked about before, LOOK AT THEM USER-SESSIONS XD
And this is only from Android-App embeds since web-embed isnt even open to public yet, so no google-crawller false-positives
The country I'm in, has only 8 sessions waayyyy down below so my code isn't messing up the numbers :3
I'm still too much of a bitch to face this product head-on and "launch" it damn this feels good 😤🤘
3 -
Can someone help me? I'm getting this error in VS Code while working on my Unity project. Everything was working fine for last few months. Now I'm getting false positives, because everything works fine in Unity. The problem's gone when I open "ObjectInfo" class file and save it, but I have to do it every time I start VS Code.
The type or namespace name 'ObjectInfo' could not be found (are you missing a using directive or an assembly reference?) [Assembly-CSharp] -
describe logic/algorithm you would use to detect a (presence of) full name in a string. goals: obvious == Most reliable, hardest to fool, least false positives, as generic as possible ( == as few hardcoded data as possible)12
-
Happy new year Ragnar, doing such an amazing job that AI would be a down grade in any way. Two false positives since existance and rarely one slips trough. People do actually call @ragnar if smth slips trough. Makes me happy and surprised how much people did read the few times I mentioned that feature. Says a lot about activity regarding readers in the community.
The spammers didn't celebrate new years it seems. Hard workii workii. Also happy new year.
Buffon, especially happy new year to you. You owe me two days of work for your shit. At least happy to know that the spam king at least is a real dev.
I hope this will be a good year for devrant. There's no reason that it wouldn't. We're te coolest independent single subject reddit thread on the internet.
1 -
One of the worst practices in programming is misusing exceptions to send messages.
This from the node manual for example:
> fsPromises.access(path[, mode])
> fsPromises.access('/etc/passwd', fs.constants.R_OK | fs.constants.W_OK)
> .then(() => console.log('can access'))
> .catch(() => console.error('cannot access'));
I keep seeing people doing this and it's exceptionally bad API design, excusing the pun.
This spec makes assumptions that not being able to access something is an error condition.
This is a mistaken assumption. It should return either true or false unless a genuine IO exception occurred.
It's using an exception to return a result. This is commonly seen with booleans and things that may or may not exist (using an exception instead of null or undefined).
If it returned a boolean then it would be up to me whether or not to throw an exception. They could also add a wrapper such as requireAccess for consistent error exceptions.
If I want to check that a file isn't accessible, for example for security then I need to wrap what would be a simple if statement with try catch all over the place. If I turn on my debugger and try to track any throw exception then they are false positives everywhere.
If I want to check ten files and only fail if none of them are accessible then again this function isn't suited.
I see this everywhere although it coming from a major library is a bit sad.
This may be because the underlying libraries are C which is a bit funky with error handling, there's at least a reason to sometimes squash errors and results together (IE, optimisation). I suspect the exception is being used because under the hood error codes are also used and it's trying to use throwing an exception to give the different codes but doesn't exist and bad permissions might not be an error condition or one requiring an exception.
Yet this is still the bane of my existence. Bad error handling everywhere including the other way around (things that should always be errors being warnings), in legacy code it's horrendous.6 -
It annoys me immensely when I struggle with myself, criticizing my own lack of knowledge in certain areas and my colleagues say: "You'll learn by doing". No, I won't, that's a foolish dogma.
I won't and I have never learned by 'doing'. The best results I've obtained have been through understanding every last bit of what's under the hood of a particular functionality. I'm not going to understand the white box by constantly probing the black box, it's just unsatisfactory and insufficient information. It's even dangerous to base yourself on the black box results because you often might get false positives.
I got through university by massive multilateral sensory focus: kinesthetic (writing things down), auditory (listening to the professor), visual (observing graphs and models of the material taught), conscious (mentalizing it all and interlinking information so that later it's accessible from long-term memory). I can confirm this is necessary for the brain because a Neurologist once told me just that.
At least for me, I had the most horrible grades (D's and F's) in freshman year with the 'learn by doing' method and the best grades (A, A+) with the multi-sensory method in later years as I matured my studying methods. In fact, with that method I've continuously outsmarted other people who had 10 years more experience than me ('experts', 'consultants',..) but they preferred to stay in the ignorant 'bro zone' rather than learning things properly. Even worse, the day they arrived on the scene, they completely broke the production environment and messed it up for the whole team. I felt like banging my head on my desk. It just makes me disappointed in the system.
If you follow popular method, you'll soon find yourself in the same problems that arise from doing what everyone else does. What happens at that point? That's right, they have to call in someone who actually bothered learning things.10
Top Tags
Weekly Rant
View