LocalPCGuy
Joined 969 karma

  1. My understanding, the SVGs were imported directly and embedded as code, not as a `src` for an img tag. This is very common, it's a subjectively better (albeit with good security practices) way to render SVGs as it provides the ability to adjust and style them via CSS as they are now just another element in the HTML DOM. It should only be done with "trusted" SVGs however!

    As for CORS, they were uploading the SVGs to an account of their own, but then using the vulnerabilities to pivot to other accounts.

  2. If I can run my own code but in your context, I can pull in malicious scripts.

    With those (all these are "possible" but not always, as usual, it depends, and random off the top of my head):

    - I can redirect you to sites I control where I may be able to capture your login credentials.

    - May be able to prompt and get you to download malware or virus payloads and run them locally.

    - Can deface the site you are on, either leading to reputational harm for that brand, or leading you to think you're doing one thing when you're actually doing another.

    - I may be able to exfiltrate your cookies and auth tokens for that site and potentially act as you.

    - I might be able to pivot to other connected sites that use that site's authentication.

    - I can prompt, as the site, for escalated access, and you may grant it because you trust that site, thereby potentially gaining access to your machine (it's not that the browsers fully restrict local access, they just require permission).

    - Other social engineering attacks, trying to trick you into doing something that grants me more access, information, etc.
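    Comments 1 and 2 above describe why an SVG that is inlined into the page becomes part of the DOM (and so can run in the page's origin), and why that should only be done with trusted files. As an added example that is not part of the original comments, the Python below uses only the standard library to parse an SVG and strip the parts that would execute or smuggle markup when inlined: `script` elements, `foreignObject` (arbitrary HTML), `on*` event-handler attributes and `javascript:` hrefs. The sample SVG, the function names and the report format are all constructed for this example; it illustrates the check rather than replacing a maintained sanitizer such as DOMPurify.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the usual prefixes in the serialized output instead of ns0:/ns1:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute code or embed arbitrary HTML once the SVG is inlined.
DISALLOWED_ELEMENTS = {"script", "foreignObject"}


def _local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.split("}", 1)[1] if "}" in qualified else qualified


def _scrub(elem, removed):
    """Remove dangerous attributes from elem, then recurse into its children."""
    tag = _local_name(elem.tag)
    for attr in list(elem.attrib):
        name = _local_name(attr)
        value = elem.attrib[attr].strip().lower()
        # on* attributes are event handlers: onload, onclick, onmouseover, ...
        if name.lower().startswith("on"):
            del elem.attrib[attr]
            removed.append(("attribute", tag, name))
        # href / xlink:href with a javascript: scheme runs code when activated.
        elif name == "href" and value.startswith("javascript:"):
            del elem.attrib[attr]
            removed.append(("attribute", tag, name))
    for child in list(elem):
        child_tag = _local_name(child.tag)
        if child_tag in DISALLOWED_ELEMENTS:
            elem.remove(child)  # drops the whole subtree
            removed.append(("element", tag, child_tag))
        else:
            _scrub(child, removed)


def sanitize_inline_svg(svg_text):
    """Return (cleaned_svg, report); report lists everything that was stripped."""
    root = ET.fromstring(svg_text)
    removed = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


def is_safe_to_inline(svg_text):
    """True when nothing had to be stripped, i.e. the file can be inlined as-is."""
    return sanitize_inline_svg(svg_text)[1] == []


# Constructed sample: the handler bodies are comments so nothing runs anywhere.
SAMPLE_UNTRUSTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 100 100" onload="/* constructed placeholder */">
  <script>/* constructed placeholder: would run in the page origin if inlined */</script>
  <circle cx="50" cy="50" r="40" fill="currentColor" onclick="/* constructed placeholder */"/>
  <a xlink:href="javascript:/* constructed placeholder */"><text x="10" y="20">link</text></a>
  <foreignObject width="10" height="10"><div xmlns="http://www.w3.org/1999/xhtml">html</div></foreignObject>
</svg>"""

if __name__ == "__main__":
    cleaned, report = sanitize_inline_svg(SAMPLE_UNTRUSTED_SVG)
    for kind, parent, name in report:
        print(f"stripped {kind} {name!r} (in <{parent}>)")
    print(cleaned)
```

    The `is_safe_to_inline` check is the useful gate for an upload pipeline: a file that needs anything stripped is not "trusted", and the safe default is to serve it via an `<img>` `src` (where scripts never run) rather than inline it. The cleaned output is still only a best effort, since `<use>` references, external resources and CSS `url()` values are not covered here.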

  3. I suspect I'm preaching to the choir, but that is a communication issue and a sign the "rewards system" is out of whack, not a "reason" not to push for regular maintenance/tech debt/bug cleanup work.

    It should be understood that there WILL be bugs, that is NOT a sign of incompetence, and so cleaning them up should be an ongoing task so they do not linger and collect (and potentially get worse by compounding with other bugs).

  4. In the spirit of that exercise, the fixes should not take an excessive amount of time to review. If they are, it's likely either the scope of the fix is too large for that kind of exercise, or the PR review process is too in-depth.

    I would also question why only 3 of 8 devs approve PRs. Even if that can't change more broadly all of the time, this kind of exercise seems like a perfect time to allow everyone to review PRs - twofold benefit: more fixes are reviewed and it gives experience reviewing to others that don't get to do that regularly.

    So yes, definitely still do PRs, and if that is problematic, consider whether that is an indication the PR process may itself need to be reviewed.

  5. Not invalidating your viewpoint and I'd bet we are pretty well aligned, I too have a pretty local-first view and that as a country we put too much emphasis, energy, and discussion on national politics and could all benefit from "getting outside". That said, I did want to point out that this comes across as a very self-centric viewpoint, one that would differ greatly depending on who you ask. Even as an anecdotal story, it offers very little to say about the current state of affairs related to how people voted, which would appear to be the intent of the response.

    As a bit of a semi-related aside, while everyone has different motivations when voting, as a whole when folks are able to vote for their gov't, one hopes that enough people are thinking about what is good for the majority and society as a whole and not only what is good for themselves. And that has more impact at local and state levels usually. A bit idealistic, admittedly.

  6. If there is any reason for the test, it would be diagnostic and not preventative, and that is generally covered. Just checking cause you want to know your levels generally wouldn't be, but there are any number of symptoms that could be related to that.

    As for it being a "scam" - there are enough valid studies that show what this one did, that folks who are deficient that are able to raise their levels tend to be slightly healthier.

    There isn't necessarily evidence for supplementation beyond "normal" range, and I do agree that no one should just take high-dose vitamin D supplements without data (tests) that it is necessary.

  7. Generally agree, but unlike water-soluble vitamins, vitamin D can store excess in fatty tissue and the liver, and so if a person takes a large dose (generally 10,000 IU daily or more), they could develop toxicity over time due to the build-up. That's why it's important to test and adjust dosages according to the data.
  8. As has been commented elsewhere, everyone absorbs vitamin D differently; this really is a matter where someone should just get tested, and if they (and their doctor) decide supplementation is needed, do so, test again, and adjust dosage accordingly until desired levels are attained.

    Not medical advice here, but harmful effects from vitamin D exposure/toxicity generally only happen at very high levels, or if high doses are taken over long periods of time (as excess can be stored in fatty tissue/liver). Doctors often prescribe a very high dose (like 50,000 IUs) for individuals who are very deficient (often taken once a week, not daily) for a short period before going on a more standard (400-2,000, maybe 5,000) IU dose for maintenance.

  9. Echo this with a PSA: it's a simple test to get your levels, and I'm a proponent of ensuring it's included when you have other regular blood tests (may have to ask for it). That can allow a person to see patterns, how effective any supplementation (and different amounts) are, etc.
  10. Just my results (n=1) and I don't think this is exactly what you were saying, but just in case others read it the same way I did at first: having had (lab tested) vitamin D deficiencies, vitamin D supplementation can help to restore levels back into the desired range. So supplementation can have the desired effect of improving vitamin D levels (more below). It is a simple test that most doctors don't quibble about adding on to other blood tests (i.e. during annual checkup, for instance), but isn't generally checked by default. (note: insurers may want it to be "diagnostic" rather than "preventative" in order to cover the test.)

    Whether it has a "positive impact" on overall health (which I believe to be your point), that would be even more anecdotal and also impossible for me to narrow down whether that one factor had any significant effect, so I won't posit that. And I agree that from different studies I've read, the actual science on it is pretty varied and I haven't seen anything conclusive. Even this study notes their conclusion was "... among adults with suboptimal baseline vitamin D levels".

  11. I call BS on that given how many people ONLY read the headline. It is (well, should be) the responsibility of the journalism industry, of which the editors are still a part, to accurately convey information, and that includes in the part that is most heavily shared and read.

    (and yah, yada yada about journalism no longer, or maybe never, being about truth, I get it, but still IMO the field should be held to the higher journalistic standard)

  12. I haven't seen this mentioned, but I immediately thought this could be a great tool for folks with ADHD. The potential for seeing what kinds of things regularly trigger distraction (I know, everything, right?) and any patterns that exist (i.e. every time I make a git commit, I go check Hacker News and lose 15 minutes). As well, being able to review a day that was captured automatically is huge. The best success I had with tracking what I did was when I used to use TimeRescue to ensure I had an accurate record of hours for clients, but every attempt to use anything that requires manual entry fails very quickly (either too distracting every time I use it, or I literally just forget to use it).

    Going a step further, "real time" (given processing delay) to help stay on task when the focus has shifted to something unrelated (maybe allow the individual to define this or say yes/no to train the prompts as it goes).

    Anyways, it looks great. I also liked the _idea_ of Windows Recall, so to see something like this that can be privacy first is really nice.

  13. There really isn't a reason that the screen data, once you have it, can't be used for more than one thing. I would guess that there isn't a whole lot stopping Windows Recall from doing very similar things.
  14. This was my question also, I think "even better if it can record and analyze the entire multi-monitor desktop surface" would be the best option. I don't know what the impact of that would be on both recording size and AI processing time, but just because one monitor is focused doesn't always mean what's happening on another is ignored. Some examples: an ongoing meeting or watching a video on one screen while taking notes on another; or coding on one screen and a browser/app auto-refreshing on another.
  15. You are referencing your own personal experience, and while that is an entirely valid opinion for you to have personally about your usage, it's not possible to extrapolate that across an entire population of people. Whether or not you're doing that, part of the point I was making was how people who "think it makes sense" will often then not critically analyze something because it already agrees with their preconceived notion. Super common, I'm just calling it out cause we can all do better.

    All we can say right now is "we don't really know how it affects our brains", and we won't until we get some studies (which is what the underlying paper was calling for, more research).

    Personally I do think we'll get more studies, but the quality is the question for me - it's really hard to do a study right when by the time it's done, there have been 2 new generations of LLMs released, making the study data potentially obsolete. So researchers are going to be tempted to go faster, use fewer people, be less rigid overall, which in turn may make for bad results.

  16. There is always a "better mousetrap", and there are those that continue to use the old one because they "know how it works and it's set up just the way I like it". And there are others that try every new mousetrap that hits the market. (and that's ok, not slighting either one)

    I will say that I personally have never really gelled with VSCode no matter how much I try to customize it, it still is just a bit off. For me, it's like it's too much to be a simple editor like SublimeText or NeoVim, but not quite enough to be an IDE like IntelliJ or Visual Studio (full). It does just enough that I expect a bit more of it and it often fails to deliver. Right now I tend to just use 2 editors - one very simple one for viewing/editing text files and one IDE (currently IntelliJ) for coding in a project.

    On topic - Zed is actually a really nice editor. It had some rough edges last time I tried it, but it's probably about time to give it another go.

  17. Yup, I even found myself a bit hopeful that maybe it was a follow-up or new study and we'd get either more or at least different information. But that bit of hope is also an example of my bias/sympathy to that idea that it might be harmful.

    It should be ok to just say "we don't know yet, we're looking into that", but that isn't the world we live in.

  18. This is a bad and sloppy regurgitation of a previous (and more original) source[1], and the headline and article explicitly ignore the paper authors' plea[2] to avoid using the paper to try to draw the exact conclusions this article says the paper draws.

    The comments (some, not all) are also a great example of how cognitive bias can cause folks to accept information without doing a lot of due diligence into the actual source material.

    > Is it safe to say that LLMs are, in essence, making us "dumber"?

    > No! Please do not use the words like “stupid”, “dumb”, “brain rot”, "harm", "damage", "passivity", "trimming" and so on. It does a huge disservice to this work, as we did not use this vocabulary in the paper, especially if you are a journalist reporting on it

    > Additional vocabulary to avoid using when talking about the paper

    > In addition to the vocabulary from Question 1 in this FAQ - please avoid using "brain scans", "LLMs make you stop thinking", "impact negatively", "brain damage", "terrifying findings".

    1. https://www.brainonllm.com/

    2. https://www.brainonllm.com/faq

  19. The point is, you don't need to play with extra features and customizations if you don't want to, so you can keep it "a step above a text file". That said, having those additional features is nice when you want just a little bit more, or you want to link a note file with your todo file, etc.
  20. FWIW, most browsers by default now do a viewport zoom with Ctrl/Cmd-+ rather than a font-scaling zoom. I think browsers generally have the option to change that, so if you prefer the former but it's doing the latter, may check the browser settings.
  21. I don't begrudge them their ability to make a living, but it is a bit ironic that I can't read an article about reading without a subscription or archival service. I get that isn't really the point of the article, but I do think that news/magazines' inability to find a way to successfully move beyond the heavily subsidized advertising-supported model (and so the current clunky experience in general) cannot help inspire more people to read. Not claiming it actively reduces readers as a whole, just that it's one less avenue for increasing the desire to do so.
  22. I would even say you could go with this if duplicated words are an issue:

      You can [get the Amaya Browser] from the download page
  23. > ...accessibility issue? particularly when there's are buttons right above it that say...

    Yes, those buttons may not be "in context" when the page is not being viewed in a visual medium.

    > To download PiPedal, click here.

    Another appropriate link in this case could be simply:

      *Download PiPedal* now!
    Or like your last example, just link it slightly differently to emphasize the action:

      To *download PiPedal*, visit the Download Page.
  24. We (probably) can guess the why - tracking and data opportunities which companies can eventually sell or utilize for profit is some way.
  25. Both of these are basically strawman arguments - there are legitimate, non-tribal reasons to be against the actions taken re: tariffs and the purported anti-corruption tasks. For example, a person can be strongly against government corruption but also be strongly against the current efforts/methods being used for a multitude of reasons. And similar for tariffs. (Not having those debates here, just pointing out that I don't believe those examples hold up.)
  26. As someone with 15+ years of experience, a lot of that FE specific, that is the advice I always give newer devs if asked. Learn the fundamentals of Javascript, HTML, CSS (it's like a 3 legged stool, even if the JS leg is oversized in the days of web apps). If you know how to program, and you know the fundamentals, you can work in whatever framework is thrown your way.

    Now, practically speaking, that's actually probably better advice for someone with a job and 1-2 years in. To get an initial foothold in the industry, people often need to specialize in one specific thing (React at the moment most likely), in order to be able to demonstrate enough competence to get that initial job and so I understand how fundamentals can be backburnered initially. But I recommend devs don't let that initial success lock them into that framework - that's the time to get back and learn all the fundamentals, go wide, learn a couple other frameworks even so it's easy to compare and contrast the strengths/weaknesses of each.

    And you will want to be well-versed in the framework you currently use day to day, knowing best practices, architecture patterns that work and those to avoid, etc. Knowing the fundamentals will help, but there will be framework-specific things that will change from framework to framework, even code-base to code-base sometimes. So it's always going to be a bit of a balance. But long-term, IMO, being well-versed in the fundamentals affords you the most flexibility and employability.

  27. Just adding on to number 4 - I didn't realize there was additional information explaining the pattern further below the interactive challenge for the first couple steps. When completed, it should then show the explanation and a button to continue.

This user hasn’t submitted anything.
