Agreed. It would be one thing if it were a regular bash project that got minified via a script or something, since at least you could tell what it's doing.
This is just spaghetti. Maybe it's spaghetti that runs, but code of this quality does not engender confidence.
> The missing macro is that during and after WWII, the US had the luxury of being the only intact industrial economy.
While true, this is generally overemphasized. The destruction of industry in other countries helped the postwar US, but the US didn't need that help to begin with to achieve an absurd lead over everyone else.
If we look at 1938, the US still has a higher GDP than Germany and the USSR (#2 and #3) combined. This is just before the war, so everyone has had over 20 years to recover, and they hadn't started bombing each other yet.
The US is massive, has cheap undeveloped land, natural resources, and easy transit (you have a massive river running down the center for barges, along with lots of flat runs for railroads). Compare with Europe, where space and resources are a constant problem, alongside tensions between countries wasting time.
The US was playing the industrial revolution on easy mode, in comparison to everyone else.
The future is going to be arguing with AI chat agents designed to waste your time. It's phone menus, but worse - at least most phone menus can get you to a human if you figure out the right incantation.
This issue would have never gotten a response if it didn't go viral.
I don't think it's as one-sided as you think. I made a skill that has been exceptional at using Claude to handle support and get me refunds with minimal friction on my end. It's got many pathways for escalation if customer support is unresponsive: social, TrustPilot, etc.
The state is capable, it is just unwilling to leverage its power to achieve a meaningful outcome. This is relatively normal across the country; NIMBYs and small landowners have outsized influence and ability to delay.
China builds high speed rail at half the cost of the US.
European countries of comparable size and GDP to California do not experience own-goals of this magnitude.
It's just sloppy. Readers are human, and little mistakes like this take away from the article. Then you add a nonexistent RHEL version, and it just isn't a good look. Which is a shame, because it's otherwise a very interesting vuln.
Maybe you didn't care, but the length of this comment chain clearly shows that it matters. Effective communication is just as important as the engineering.
I just don't understand huffing and puffing over "os as g" in a 10-line PoC script, and saying "well I would never approve this". It's not enterprise code. It's not code that will ever be used anywhere else, for anything. Its sole purpose is to prove that the exploit is real, which it does!
The rest of the information is in the actual vulnerability report. The PoC is a courtesy to the reportee, so that they can confirm that the report itself isn't bullshit.
Evidently, given the downvotes I am getting, people think exploit scripts should be enterprise-quality code. ¯\_(ツ)_/¯ Half of the reports I see flowing through mailing lists don't even have a PoC.
Amazingly HN-like to be upset about a variable name.
>Disagree because to run the PoC you really ought to understand what it’s doing.
That is contained in the report, which will look similar to the blog. The maintainers will have an open line of contact with the reporters as well. The PoC is a small part of the entire report. It's not like the Linux maintainers only received this PoC and have to work out the vulnerability from it alone.
>It is failing at letting people confirm the exploit easily.
It confirms the exploit incredibly easily. Just run it, and you get confirmation.
Go ahead and explain your point, rather than being cryptic, if you want to have an actual conversation about it.
You said "I need to know what the code does before I run it."
You know it's an LPE. The mechanisms of the exploit are fully explained. What more do you need to know? Please imagine yourself in the position of the kernel security team who would have received this PoC in the first place when you answer, because that is the intended context of the PoC.
If you think the kernel security team is going to get tripped up over "os as g", you have a crazy low view of the team.
I don't think anyone is saying it's not "enterprise"; it's just that they clearly went out of their way to make it less readable. By all means advertise the golfed line count, but just have the non-minified script too.
The struggle is the high level regulatory bodies (with the exception of aberrations such as the current admin's approach to appointment) generally select for individuals with a low risk tolerance. Low risk tolerance is generally incompatible with speed - it's a miracle the covid vax and treatments were approved as quickly as they were in 2020.
Biggest example of this risk aversion is the peptide craze going on (the most famous of which are GLP-1 antagonists). It's pretty much a wild west where people read a low-sample animal study, and buy a drug that's "for research only, not for human consumption" off of a compounding pharmacy in China.
Few human studies because even if you have willing and enthusiastic volunteers it's too expensive and creates legal liability. And the FDA cannot approve it without a high bar of evidence (for effective treatment and low risk) and costly, time consuming reviews. Because of this, there is a black market for the things and people are basically being their own test subjects.
> The struggle is the high level regulatory bodies (with the exception of aberrations such as the current admin's approach to appointment) generally select for individuals with a low risk tolerance.
This may be true, but I don't think it's the major driver of conservatism. Two thoughts/observations:
1) Bodies like the FDA face a strongly skewed set of incentives. If they take a risk on something and people get hurt, they face huge public criticism. If they take a risk on something and it's all fine, very few people care or notice. As such, they are strongly driven to not make a public mistake - which drives ever more conservatism.
2) FDA can actually be innovative compared to other health authorities. Breakthrough therapy designation, Project Optimus, Project Frontrunner, and others - show this. However, they've got a strong 'not invented here' mindset - they flatly refuse well-meaning individual innovations from pharma companies, if they're not compatible with FDA's guidelines. And they're heavily bureaucratic, meaning the innovations that do appear are usually following years of process (which probably links back to #1).
That's the purpose of reproducible build initiatives like TFA. The idea is to ensure that identical source produces bit-for-bit identical builds on multiple machines when the packages are built.
Sure, if the source itself gets got, then it does nothing. But it at least puts up one more barrier against tampering with the artifacts.
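The property this comment describes (identical source giving a bit-for-bit identical artifact on different machines) and the usual way it fails, shown as an added example that is not code from the thread or from any project it mentions. It builds a constructed three-file source tree into a tar archive on two simulated builders whose checkouts carry different file mtimes, once as-is and once with the header fields that leak the build environment (mtime, uid/gid, names, mode, entry order) pinned to fixed values. The pinned timestamp is an assumed stand-in for SOURCE_DATE_EPOCH; the sample files are constructed for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "source tree"; both builders see identical content.
SAMPLE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int util(void) { return 1; }\n",
    "README": b"example project\n",
}

# Assumed stand-in for SOURCE_DATE_EPOCH; any fixed integer works, it only
# has to be the same on every builder.
SOURCE_DATE_EPOCH = 1700000000


def write_tree(root: Path, mtime: int) -> None:
    """Materialise SAMPLE_TREE under root, stamping every file with mtime."""
    for rel, data in SAMPLE_TREE.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))


def build_tar(root: Path, reproducible: bool) -> bytes:
    """Pack root into an uncompressed tar (gzip would add its own timestamp)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        paths = [p for p in root.rglob("*") if p.is_file()]
        if reproducible:
            paths.sort()  # directory listing order is filesystem dependent
        for p in paths:
            info = tf.gettarinfo(str(p), arcname=str(p.relative_to(root)))
            if reproducible:
                # Everything below comes from the builder's environment, not
                # from the source, so it is normalised away.
                info.mtime = SOURCE_DATE_EPOCH
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
            with open(p, "rb") as f:
                tf.addfile(info, f)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def simulate_two_builders(reproducible: bool):
    """Return the archive digests from two builders with different checkout mtimes."""
    digests = []
    for checkout_mtime in (1600000000, 1600003600):  # an hour apart
        with tempfile.TemporaryDirectory() as d:
            root = Path(d)
            write_tree(root, checkout_mtime)
            digests.append(sha256(build_tar(root, reproducible)))
    return digests[0], digests[1]


if __name__ == "__main__":
    naive_a, naive_b = simulate_two_builders(reproducible=False)
    repro_a, repro_b = simulate_two_builders(reproducible=True)
    print("naive build:       ", "match" if naive_a == naive_b else "MISMATCH")
    print("normalised build:  ", "match" if repro_a == repro_b else "MISMATCH")
    print("normalised digest: ", repro_a)
```

The naive archives differ even though the file contents are identical, because tar headers record mtime (and owner, mode, and whatever order the filesystem returned the entries in). Pinning those fields is exactly what SOURCE_DATE_EPOCH and the tar flags used by reproducible-build projects do for real packages; the digest comparison at the end is the check an independent rebuilder would publish.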
It would be much better to just have a deterministic minification script.