"The Firefox 150 data suggests a tool that is genuinely useful for defensive security work, especially at scale, but the public record does not justify the strongest claims people want to make from it. The headline number is impressive, yet it bundles together bugs of very different significance and does not publicly resolve into a clean accounting."
I mean: Obviously. Does not matter how good or bad a product is, the current meta is to over-hype it in order to achieve maximum "news-penetration".
Anthropic seems to have something "real". However, since there is no way for outsiders to calculate real metrics like false-positive rate, cost (tokens, dev hours for setup and review, ...) / issue found, ... there is no real way to put any scale on the hype-graph.
If anything breaks on the Framework, you get all the docs you need to attempt a repair yourself, also spare parts are available, also, you can upgrade SSD/RAM/mainboard and ports.
Apple: Every repair is a mainboard replacement and costs 70% of the used value of the notebook. Upgrades are impossible. Have a nice day!
"Bonus bonus chatter: The xor trick doesn’t work for Itanium because mathematical operations don’t reset the NaT bit. Fortunately, Itanium also has a dedicated zero register, so you don’t need this trick. You can just move zero into your desired destination."
Will remember for the next time I write asm for Itanium!
Yep. The XOR trick - relying on special use of an opcode rather than a special register - is probably related to the limited number of (general-purpose) registers in typical '70s-era CPU design (8080, 6502, Z80, 8086).
Unfortunately, 6502 can't XOR the accumulator with itself. I don't recall if the Z80 can, and loading an immediate 0 would be most efficient on those anyway.
XOR A absolutely works on Z80 and it's of course faster and shorter than loading a zero value with LD A,0.
LD A,0 is encoded to 2 bytes while XOR A is encoded as a single opcode.
XOR A has the additional benefit of also clearing all the flags to 0. SUB A will clear the accumulator, but it will always set the N flag on Z80.
Yeah, the article seems to have missed the likely biggest reason that this is the popular x86 idiom - that it was already the popular 8080/Z80 idiom from the CP/M era, and there's a direct line (and a bunch of early 8086 DOS applications were mechanically translated assembly code, so while they are "different" architectures they're still solidly related.)
The 6502 gets by doing immediate load: 2 clock cycles, 2 bytes (frequently followed by single byte register transfer instruction). Out of curiosity I did a quick scan of the MOS 1.20 rom of the BBC micro:
Are you sure you're not an LLM? There is no way anybody writing 6502 would do anything else, because there's no other way to do it.
(You can squeeze in a cheeky Txx instruction afterwards to get a 2-or-more-for-1, if that would be what you need - but this only saves bytes. Every instruction on the 6502 takes 2+ cycles! You could have done repeated immediate loads. The cycle count would be the same and the code would be more general.)
I suppose using Txx instructions rather than LDx is more of an idiom than intended to conserve space. Also, could an LDx #0 potentially be 3 cycles in the edge case where the PC crosses a page boundary? (I'm probably confused? Red herring?)
I don't know how the 6502's PC increment actually worked, but it was an exception to the general rule of page crossings (or the possibility thereof) incurring a penalty, or, as was also sometimes the case, just ignored entirely. (One big advantage of the latter approach: doing nothing does take 0 cycles.)
The full 16 bits would be incremented after each instruction byte fetched, and it didn't cost any extra if there was a carry out of the MSB.
And [as mentioned in the article] even modern x86 implementations have a zero register. So you have this weird special opcode that (when called with identical source and destination) only triggers register renaming
A move on SPARC is technically an OR of the source with the zero register. "move %l0, %l1" is assembled as "or %g0, %l0, %l1". So if you want to zero a register you OR %g0 with itself.
Even tiny tiny CPUs can do sub in one cycle, so I doubt that. On super-scalar CPUs xor and sub are normally issued to the same execution units so it wouldn't make a difference there either.
On superscalars running xor trick as is would be significantly slower because it implies a data dependency where there isn't one. But all OOO x86's optimize it away internally.
It would probably run really fast, considering that Itanium's downfall was the difficulty in compiling. (Including translating x86 instructions into Itanium instructions)
Not really. Itanium was a result of some people at Intel being obsessed by LINPACK benchmarks and forgetting everything else. It sucked for random memory access, and hence everything that's not floating-point number-crunching. Compiler can't hide memory access latency because it's fundamentally unpredictable. VLIW does magic for floating-point latency (which is predictable), but
- As transistors got smaller, FP performance increased, memory latency stayed the same (or even increased).
- If you are doing a lot of floating point, you are probably doing array processing, so you might as well go for a GPU (or at least SIMD).
- Low instruction density is bad for I-cache. Yes, RISC fans, density matters! And VLIW is an absolute disaster in that regard. Again, this is less visible in number-crunching loads where the processor executes relatively small loops many times over.
Naive question: shouldn't vliw be beneficial to memory access, since each instruction does quite a lot of work, thus giving the memory time to fetch the next instruction?
- Even if each instruction does a lot of work, it is supposed to do it in parallel, so the time available to fetch the next instruction is (supposed to be) the same.
- Not everything is parallelisable, so most instruction words end up full of NOPs.
- The real problem is data reads. Instruction fetches are fairly predictable (and when they aren't, OOO sucks just as much), data reads aren't. An OOO can do something else until the data comes in. VLIW, or any in-order architecture, must stall as soon as a new instruction depends on the result of the read.
iirc alcohol is the drug with the highest amount of 3rd party harm due to the high number of people beating their spouse, children and sometimes random strangers under the influence. (+ 3rd party property, car crashes, ...)
Keep in mind this was evaluated with current laws, which ban most kinds of indoor smoking.
Still a good idea to ban cigarettes and force people to consume their nicotine in healthier ways.
They're not banning smoking in general (which would be impossible anyway, what are they going to do, make it illegal to set something on fire and breathe it in?), they're banning nicotine products. I also really doubt that they will legalise weed and then say "but of course you're not allowed to smoke it, edibles only".
They ban buying cigarettes, not nicotine in general, correct?
In that case, I would compare it to making catalytic converters mandatory in new cars in the 1970s.
You still can pick up nicotine consumption, but with xx % fewer carcinogens :)
Well, reality called and says: Like ID, driver's license, credit cards and guns: Phones are something you don't just "share" with your kids. Also there is an option to guard the ID app with an additional PIN/biometric.
That's not reality for many of us. I don't consider my phone a secure device by any means. It has nothing on it that I'd regard as something I'd need to guard against my family.
I know a fair number of especially elderly people who want to disable PIN and biometrics on their phone, because they view it as a pain to deal with.
PINs can also be guessed or someone might look over your shoulder and steal it that way. Many phones still don't have biometrics, or people don't want to use it.
Our realities might be different, but in my reality a cell phone, which you almost by definition bring with you out in the world, should never be considered a secure device.
Oh man, if the kid gets hold of both of their parents' phones with login, they could divorce them. I don't have kids yet, so this might change, but I would not give them login and / or unsupervised access.
I don't think you can guess PINs, as the phone locks after a few failed attempts.
You keep using the term “secure” that it sounds like you think education is like a prison sentence. You’re not doing this for security but for safety. A stair gate or drawer child-proofing lock are by no means secure but you use them anyway for the child’s safety.
You can’t just leave every dangerous thing out in the open because you “view it as a pain to deal with” storing them safely and then blame everyone else for the situation that follows.
Our realities might be different but in my reality if you put 0 (zero) effort to keep some critical things safely away from your child because it’s too much of a hassle to do it, or they’ll get around that anyway, etc. then you’re failing your children.
You make it sound like you put no effort in understanding my comment and just followed up with whatever supported your view.
If you have anything on your phone that should be off limits to your child but make no effort to ensure that (give them the phone, no passwords, no supervision) because it’s too inconvenient you are failing the child. Can I put it in simpler words?
> What do you have on your phone that's dangerous?
I hope you were asking hypothetically.
For one, the phone itself since staring into a small screen at god knows what because supervising them is a chore is bad for anything you can imagine, from eyes, to posture, to brain development. But also a browser that can access anything on the internet (modern Goatse, Rotten, Ogrish, other wholesome sites like that). My credit card numbers. All my passwords. Hardcore porn. Facebook and TikTok. The app that delivers booze to my doorstep. 50 shades of grey (the book and the movie). X (Twitter), I left the worst for last. If you really think a completely open internet connected phone is perfectly safe for a kid at the very least you’re in the wrong conversation.
It doesn’t matter, the discussion is about age verification for things that a child should be kept away from, whatever that is. If you’re trying to protect the kids from anything, especially legitimate concerns, then you can’t expect some mechanism to magically do all that parenting for you. It can help but not be the parent when the parent thinks it’s too inconvenient to actually do some parenting.
I don't like the idea of a central authority determining what "my child should be kept away from" and then implementing Orwellian surveillance laws to enforce it. "For the sake of the children".
Seeing something scary, disturbing, or sexual on the internet as a child does not result in a maladjusted adult. These laws are about one thing and one thing only - furthering the global surveillance network.
Everything else is a smokescreen. Pretending that a phone or any Internet-connected terminal is something that should be kept secured and away from children is a parenting decision, not a policy one, and any attempt to justify it as a policy decision is toxic nonsense at best and astroturfing for the surveillance state at worst.
> I don't like the idea of a central authority determining what "my child should be kept away from" and then implementing Orwellian surveillance laws to enforce it.
Well thank God this is about a double-blind way to verify your age and not that.
The surrounding context is that. Why else would you participate with a government in an age verification system?
Maybe your argument is that it's not a surveillance state because it is implemented with a 0 knowledge proof. Sure, the age verification is, but that is only part of the system we are talking about. The rest of the system is the demand that every adult play keep-away with their verification, and every host on the internet (that can be adequately threatened) play, too.
The only way for this to be anything else is if every participant can individually decide what should and should not be kept away from children. Such a premise is fundamentally incompatible.
A phone isn't going to run off the road and kill 7 people. This is nonsense and you know it.
And yes, phones are something parents do "just" share with their kids because nobody is bizarre enough to look at a phone the same way as a gun or a car. It's the YouTube device that can talk to grandma. All you have to do to see proof that it's something people "just" share is to walk into a grocery store and look at parents pushing kids in carts while those kids watch videos. 25 years ago those phones were Game Boys. Nobody is seeing them as a gun. That's the most disconnected from reality take I've seen in my life.
What's the difference between giving your phone to your 8-year-old today and making sure / having trust that they do not use it to e.g. order a new toy from Amazon, and tomorrow that they are not using it to verify they are an adult?
I mean, most things today (like accessing porn, buying alcohol) do not require any extra age verification. They can just do it using your phone/accounts.
Not everyone views their child as an enemy that just happens to be in close quarters with them. Most people trust their kids to generally not do bad things. People keep knives in their kitchen and kids, explain the danger, and kids are generally responsible enough to not play with them.
If this is a concept that you can't grasp, then words will never convey it. It's simply a detachment from reality to think people are viewing their phones as a loaded gun and their child as someone hellbent on betraying them and causing massive societal damage.
The phone is the YouTube device. If they get a notification that their kid ordered from Amazon, they'll cancel the order and tell their kid not to do it again. It's seriously that simple. Just go and talk to a parent. They'll think viewing their phones as a WMD is insane.
The problem comes in when they feel their opinions should carry weight about other people's kids. There are very limited ways in which we should allow that, and to an oversimplified approximation, they boil down to "don't do kids harm that prevents them from becoming an intact person society treats as a human allowed to make their own decisions". And then the problem is that some people think some websites do such damage, and other people think some websites provide help to survive such damage.
Okay, so those parents can just not give their kids their phones, and everyone else can continue living life as usual without needing a fancy new way of telling websites how old they are
Giving your kid a gateway to every bad thing on the internet is not life as usual. It's incredibly recent, and I don't have shares in SSRI manufacturers, so I don't like it.
Having a smartphone at all also is incredibly recent, so by that logic we shouldn't let anyone have them. Alternately, maybe we can recognize that they haven't been long enough for any specific way of using them to be the long-term universal standard.
In the meantime, I still don't understand why someone with no kids should have their access gated based on what opinions other people have on parenting. I literally don't have any stake in whether you give your kids access to your phone or not, and I don't make any claims that I would have any clue what the correct way to raise a kid is. That doesn't make it reasonable to have a policy that requires literally the exact people who aren't the ones that are ostensibly supposed to be protected by the system tracked by it.
> so by that logic we shouldn't let anyone have them
It's pretty normal to treat kids differently to adults in specific areas.
> I still don't understand why someone with no kids should have their access gated based on what opinions other people have on parenting
This argument goes both ways - currently there are no safety rails for kids, and that is imposed on people who want safety rails.
> That doesn't make it reasonable to have a policy that requires literally the exact people who aren't the ones that are ostensibly supposed to be protected by the system tracked by it
And there are definitely situations where adults' experiences are degraded because a place has to accommodate children. I agree that I hate tracking and so forth, but I wouldn't pretend that children using smartphones isn't a pretty well-understood bad idea either.
> This argument goes both ways - currently there are no safety rails for kids, and that is imposed on people who want safety rails.
No, it's imposed on every adult regardless of if they want safety rails, and in a way that literally only affects the people who aren't actually the ones the rails are ostensibly supposed to be protecting.
> I wouldn't pretend that children using smartphones isn't a pretty well-understood bad idea either.
You literally just said that it's "incredibly recent", and now you're claiming that it's well understood. I'd argue that those things are inherently at odds; we literally don't know what a young child who used a smartphone looks like at 30 years old right now because they haven't been around long enough. On top of all of that, there's literally nothing about invading someone's privacy that's needed to stop a child from using a smartphone: just don't give them the smartphone! That's always been an option, and nothing about this policy will have any effect on whether parents give their kids access to their smartphones.
> No, it's imposed on every adult regardless of if they want safety rails
I don't understand. We're talking about something that hasn't happened yet. The safety rails do not exist, even for those who want them.
> You literally just said that it's "incredibly recent", and now you're claiming that it's well understood
Yes - incredibly recent in the grand scheme of history, but still we have a lot of evidence of the negative aspects of onlineness and phone use over the last 15 years at least. And, as another example, it's far more recent that girls turn 18 and celebrate that on OnlyFans. I would argue that while I haven't waited 30 years to see how they turn out at 50, that it's a bad idea.
> On top of all of that, there's literally nothing about invading someone's privacy that's needed to stop a child from using a smartphone: just don't give them the smartphone! That's always been an option, and nothing about this policy will have any effect on whether parents give their kids access to their smartphones.
I agree - I think this is a parenting issue, but at least on the left, which the EU tends to, parents should offload their responsibility where possible to the state. But that's my answer to this overall. I'm just arguing specifics.
You're the one who said kids would be accessing age gated sites with their parents' credentials. You're the one who made the case that it's useless. Don't go back and forth on it lol