But what about the opportunity cost?

> What does that mean? What could it mean? Why is it there? This sounds like something that should be featured on Screenshots of Despair. Still empty - can be used. It’s like a mantra.

> I’m still empty. I can be used.

Fixing broken software the hard way.

> Errata patches will continue to be generated for 2 releases.

> What is this, sporting dozens of colorful knobs, almost like a “turn-the-knob” toddler’s game at a playground in a nearest mall? This the awesome British Bombe electro-mechanical codebreaking machine which only had one purpose: to determine the rotor settings on the German cipher machine “ENIGMA” during WW2.

Great collection.

source: grugq

> Simple Risk Measurement is written to help you measure complicated risks using a process that’s simple enough to work out on the back of a napkin and powerful enough to organize a rocket launch.

> If you are an engineer motivated by the reduction of risk and are frustrated by how to measure your progress, you may find this documentation useful. Simple Risk Measurement can get you started towards a comprehensive and scientific approach to risk. It is designed to enhance subject matter experts who work with risk, especially those who mitigate complex risks on an ongoing basis.

> So many folks spend time on their CSS and their UX/UI but still come up with URLs that are at best, comically long, and at worst, user hostile.

Problems found and (already) fixed.

Report: https://cure53.de/pentest-report_curl.pdf

> Somewhere between immediately and never.

On apparent false aliasing with vector instructions.

source: L

> “Public entities don’t like to sue other public entities.”

In other urban development news, half of center city Philly is millenial.

http://www.philly.com/philly/business/20161106_A_millennial_market_for_Market_East.html

> I believe that translation validation, a branch of formal methods, is just about ready for widespread use. Translation validation means proving that a particular execution of a compiler did the right thing, as opposed to proving once and for all that every execution of a compiler will do the right thing. These are very different.

> It’s important to realize that this company’s entire business model relies on a very compliant debt market. Understandably, stock investors like the Netflix strategy because the more the company borrows, the more upside they have. But bond investors are taking on more and more risk without that same upside.

> 1. U2F hardware token 2. Phone code generator 3. Offsite backup codes 4. No SMS

> libtls is shipped as part of libressl with OpenBSD. It is designed to be simpler to use than other C based tls interfaces (especially native OpenSSL) to do “normal” things with TLS in programs.

> The system call intercepting library provides a low-level interface for hooking Linux system calls in user space. This is achieved by hotpatching the machine code of the standard C library in the memory of a process. The user of this library can provide the functionality of almost any syscall in user space, using the very simple API specified in the libsyscall_intercept_hook_point.h header file:

source: grugq

> In some domains of programming it’s common to want to write a data structure or algorithm that can work with elements of many different types, such as a generic list or a sorting algorithm that only needs a comparison function. Different programming languages have come up with all sorts of solutions to this problem: From just pointing people to existing general features that can be useful for the purpose (e.g C, Go) to generics systems so powerful they become Turing-complete (e.g. Rust, C++). In this post I’m going to take you on a tour of the generics systems in many different languages and how they are implemented. I’ll start from how languages without a special generics system like C solve the problem and then I’ll show how gradually adding extensions in different directions leads to the systems found in other languages.

source: L

> The reason this is important is that everyone is listening in on root name server queries.

Silver certificates and provisional currencies.

> Some applications call GnuPG with --status-fd 2 such that stderr and the status messages are combined in a single data pipe. These applications try to separate the output lines afterwards based on the line prefix (which is [GNUPG:] for status messages and gpg: for stderr).

> GnuPG, with verbose enabled (either directly on the command line or indirectly through the gpg.conf configuration file), prints the “name of the encrypted file” (an obscure feature of OpenPGP under the control of the attacker) to stderr without escaping newline characters.

source: HN