Hacker News: JonChesterfield's comments

So gain access to a machine that can ask Microsoft Intune to eviscerate the company, ask it to do so, done. Bit of a shame all the machines had that installed really. Reminds me of CrowdStrike.

Microsoft keeps disappointing and chief technology officers keep paying them. Wasn’t Elon Musk supposed to prove you could vibe code their entire product line? What happened to all that?

The company should have known better than to trust their IT infrastructure to Microslop. This is their own fault.

My 95% bet is that the attacker just gained access to an account with suitable privileges and then went on to use existing automation. The fact that it’s Intune is largely irrelevant - I’m not aware of any safeguards that any provider would implement.

So the options here are MDM or no MDM and that’s a hard choice. No MDM means that you have to trust all people to get things as basic as FDE or a sane password policy right. No option to wipe or lock lost devices. No option to unlock devices where people forgot their password. Using an MDM means having a privileged attack vector into all machines.


No MDM just isn’t an option for most enterprises but ideally the keys to the kingdom are properly secured.

How does that look exactly? Someone has to be able to use MDM to manage devices or there’s no point in having it. This scenario is firmly in rubber hose/crescent wrench cryptanalysis territory. Can updates have delays with approval gates built in? Does MDM need a break glass capability?

"Principle of least privilege" as MS calls it.

Do not use a global admin or admin account as a daily driver, for one. Don't save it in the browser etc. either.

Limit roles, even within the application, here Intune.

Office 365 also has conditional access and many policy levers to tweak; there are many cases of people locking themselves OUT of 365. So the gates work, but you need to configure them.

"Break glass" global admin accounts now also require MFA. https://learn.microsoft.com/en-us/entra/identity/authenticat...


Ok and who has access to the global admin and how resistant are they to Iranian operatives?

What are you asking?

For Stryker specifically? We don't and probably won't know details.

For companies in general? Background checks, security clearance etc are done if the company determines this necessary and are willing to pay for the process and higher salary.


What alternative to Intune and, hell, the entire Office 365 suite that it is in, do you have?

Gsuite + Slack I guess. lmao. As if that is better.

Looking forward to your reply.


Well, all the machines in the current outfit are Linux as far as I know. Services are self hosted. Seems to be fine, teams et al run adequately in a browser for talking to people on other stacks.

Previous place had a corporate controlled windows laptop that made a very poor thin client for accessing dev machines. One before that had a somewhat centrally managed macbook that made a very poor thin client for accessing dev machines.

You don't have to soul bond to Microsoft to get things done.


I don't see how Linux would prevent anything if the company wants similar controls on their machines. Like tracking update status, forcing updates when needed, potentially wiping the entire device when stolen and so on. The fault really is not the OS but the control corporate wants over their devices. And it does make some sense.

Indeed. You'd expect a corporate IT system to be able to ssh as root into all their devices. And the cloud is even worse: if you get hold of the right IAM role, you can simply delete everything! That does usually get locked behind proper 2FA, but it's not impossible to phish even experienced admins once in a while.

That is all well and good but how do you:

- Ensure the Linux machines are up-to-date and users are not just indefinitely postponing OS updates?

- Same as above but with programs/software

- How do you ensure correct settings configuration in terms of security? Say default browser, extensions, program access etc?

- Re-image or reinstall the OS when there are issues or PC handover to another employee? Manually with a USB stick?

This kind of control exists and is needed for Linux and macOS too. RMM is not a Windows-only thing...

The critics here see Intune but what if they used another RMM and they compromised another cloud RMM account? Same issue.


All the Linux kernel development work is organized around a mailing list, and some private IRC chats for the core people. It's the technology of the nineties but it works for them.

A lot of corporate stuff seems to be much worse than even a random vibe coded web app. I have to book holiday through something called "HR Connect", watching pages load laboriously and redirect every login through several very long URLs. Slowly.


The Linux kernel development work isn’t a corporation

Yes, the Linux kernel people can be trusted to manage their own machines. Random corp employees cannot. Also, corp machines are corp property, not the employees' own. If you have 1000 or 10,000 machines you need to manage them. Full stop.

Yes, many corporate websites are bad. Like ERP or HR systems. None of that has to do with device management, RMMs/MDMs or Intune.


>Bit of a shame all the machines had that installed really.

Are you new to Windows sysadmin stuff? Or do you have 0 idea whatsoever and you are just vibing?

How else are we supposed to deploy/push programs and settings, and in the past, over SCCM, an entire OS, if the machines don't have it installed?

This is also how your precious Linux tools Ansible and Puppet work, btw.

And MDMs like Mosyle for OSX. They need it installed. Because IT needs to keep check on updates and settings and programs. But I suspect you are a rockstar dev and don't need no IT.

Go on, I'll wait.

mmm yeaaah just downvote me instead. Hide the wrongthink. You people need to not be so sure of yourselves.


An alternative is people install the software they choose to on the machines they're using. Optionally write a list of suggested programs down somewhere.

In that world, there is no central IT team pushing changes to machines and arguing with developers about whether they really need to be able to run a debugger.

I don't know how to keep windows machines alive. It's probably harder.


It's annoying, but it's also grossly irresponsible to let dev machines get compromised. Regardless of which OS they are running.

I, for one, don't really want employees to install video games, porn cam clients, torrenting apps, shady vpn clients, crypto miners, remote access tools, dns "optimizers" and more generally viruses on their work computers.

That is all well and good but how do you:

- Ensure the machines are up-to-date and users are not just indefinitely postponing OS updates?

- Same as above but with programs/software

- How do you ensure correct settings configuration in terms of security? Say default browser, extensions, program access etc?

- Re-image or reinstall the OS when there are issues or PC handover to another employee? Manually with a USB stick?

This kind of control exists and is needed for Linux and macOS too. RMM is not a Windows-only thing...

The critics here see Intune but what if they used another RMM and they compromised another cloud RMM account? Same issue.

Also, here there is no "arguing". They order the software from our portal and it gets pushed into Company Portal via Intune...

Write down a list you say... idk what to say. You have only worked for small startups I gather? Nothing wrong with that but please recognize that these types of limits and programs are not deployed for fun or to ruin your day.


On HN, if you have a valid point but get unnecessarily aggressive about it, people will downvote you for attitude. This mostly keeps the forum under control.

I am sorry and I get carried away sometimes but it is frustrating seeing comments from cowboy devs saying to just give everyone admin, have an excel sheet of software and have people manage their own PC and to get rid of IT just because as here they got phished or breached.

That works for a 5 person company but not a 1000 person company. Or a 10 person company with 1000 machines.


I used to work in test automation for a huge company with terribly annoying IT. I can tell you for a fact that our entire department had well-developed workarounds for the most annoying policies. We even had a few Intune 0-days that we literally kept to ourselves to be able to do our jobs properly.

Because in the end, it’s not IT on the line for their odious policies causing late delivery, it was us.


What was so annoying? Having to reboot for Windows updates/programs and MS Defender running?

Also, if the company is certified in some way there are audits for these things, you understand? Such as updates, backups, security, PAM, antivirus etc :)

Subvert these controls intentionally, especially security ones = bye bye. Logs don't lie. We see you.


This is a trap for engineers.

If you don't worry about the returns, you won't get any.

There are circumstances where that is fine. Be sure you're in one of them first.


Yeah, but the order is still

1. create value, then

2. capture some of that created value.

Some people want to skip step 1.

Some bigco jobs have felt that way to me: I don't know if I'm actually creating anything valuable, but I'm getting paid. I think the people who are most anxious right now are the ones who suspect they're not really creating anything of real-world value, and they're terrified that they're about to stop getting paid as well.


It's often way easier to capture value than to get compensated for creating it.

It's definitely indicative of an unhealthy organization or society when this happens but generally I've still found this to be the norm.

Indeed, maybe one of the reasons why free market capitalism functions is because it has a built in check (bankruptcy) against this natural human organizational tendency.

I think a large part of why software devs were so well compensated in the last decade was because we were helping build the systems which made the capture of value more efficient (whether from taxi drivers, smbs, property rentals or whatever), not because we were facilitating its creation.


It's a glib framing but people often simplify rent-seeking to maximizing returns far beyond value.

Geohot seems to be telling people to do the opposite. Maximise value and don't consider returns.

Is it hyperbolic? Yes. Is it a perfectly acceptable opinion to have and post on your own blog? Yes.

I think sometimes we all get caught up in the "I don't agree with them entirely, get him!!" thing online.


Maybe in the first 10 years of your career, after that you totally have the skills needed to create value from nothing - something no value extracting actor will ever be able to learn.

Might take a while but the milk surely becomes butter. His point is valid; maybe your pov is a bit clouded because his baseline is quite high (fame, money), but it's not that different at a lower baseline. You bring 1.x to the world that fights over a deemed finite set with 0.x tools.


Who creates value in the art market? Is it the artist who creates the work? Or the dealer who persuades the buyers that the work has value? As a builder I’m attracted to the fantasy that I can create value with my bare hands just by writing code (or telling the AI to write the code), without needing any of those horrible slimy people in suits to build a business around it. Rock n roll man. If you build it, they will come. Is that the reality though? Or just survival bias based on the fact that a few geeks got lucky during the original dotcom boom when they had no competition from actual businessmen?

Fear not Daniel,

you can create value by preventing damage in the future, this will get rewarded by the ecosystem itself. That's really hard to describe, but you can try simply removing a danger or annoyance in an ecosystem like your hood or local park then be attentive about what will be better in your own life.

Art creates value with a measurable 1.9x in my country; it's studied and thus gets funding because they know every 100€ funded will create 190€ of economic value. This means if you give an artist 100€, doesn't matter how, the local economy will grow by 190€. Magic? Well, it's just many soft factors - higher quality of life leads to more educated and productive people!

Understand these are all tools to make more of WHAT IS ALREADY THERE and has nothing to do with extracting resources and selling them or bartering. I think your dotcom bubble is an extreme with no value for general advice.

Hope this helps. Hang tight!


> If you don't worry about the returns, you won't get any.

He was focusing on value, not returns.

That being said, his take is still a dumb take - if you focus on creating value you may not capture any of that value for yourself. If you don't capture that value, someone else certainly will.

The age of creating value for the public good is well and truly over - any value you create for the public good in the form of intellectual output is immediately captured by profit-maximising companies for training your replacement.

It's not just a case of having your value captured by someone else, the AI corps are actually taking your captured value and then using it against you.


Well yeah, business has literally always extracted value from open source software, that’s one of the main benefits of it… (although license violations have been unprecedented with AI)

“Creating value” in open source has never been about capturing value at all, it’s always been about volunteering and giving back, and recognising the unfathomable amount of open-source software that runs the modern world we live in

“Capturing value” is the opposite of this, wall-gardens, proprietary API’s, vendor lock-in, closed-source code… it’s almost antithetical to the idea of open source


> “Creating value” in open source has never been about capturing value at all, it’s always been about volunteering and giving back

I disagree; the GPL has always been transactional. You capture the value in your product by ensuring improvements come back to you. The user "pays" by not being able to close the product off.


> You capture the value in your product by ensuring improvements come back to you. The user "pays" by not being able to close the product off.

If clean-room re-engineering an MIT code base starting from a GPL one is legit, then AI has just made that the status quo for everything.


> If clean-room re-engineering an MIT code base starting from a GPL one is legit, then AI has just made that the status quo for everything.

I agree; this is what I meant by "the value is being captured by someone else".

GPL provides the author with a specific value - you get back improvements. Using AI to launder that IP so that improvements don't have to be upstreamed is effectively capturing the value.


> The age of creating value for the public good is well and truly over

It's not a zero sum game. Someone putting my open-source contributions (for example) in their dataset isn't subtracting value from me, or the rest of society.


So you think that the engineers who maintain and write the FOSS that runs most of the world's IT infrastructure (Linux, curl, Git etc.) do it for the returns?

They don't, and as a result most don't get much if any.

For them to survive, they have to have got returns from somewhere - maybe welfare, inheritance, a day job. Someone has to have worried about the returns so they can be free from thinking about it.

And if you don't worry about returns, you will let someone extract it ruthlessly from you, that you contribute millions of value to a company that gives you nothing back. This may be fine to you at some level, but many of the people who you allow to exploit you use the resources they gain as leverage to further their selfish ends, like a certain richest man in the world who helped a certain politician buy an election at the most powerful country in the world.


No, that's exactly the parent's point. The premise of the title can be read as "just create value, don't worry about monetizing, things will work out (financially)". Which is invalidated by FOSS.

It isn’t. FOSS doesn’t just create value, it gives it away for free, usually in a not so friendly way, to the point that entire companies exist to streamline and support projects (e.g. Red Hat).

Aren't most of them being paid by big corps? Red Hat, Google, Microsoft... you name it.

I am pretty sure not most of them. In something like Linux, that is the case, but I think there are so many other projects that barely receive financial or any other kind of support.

I just do my job to the best of my ability. If I can help a colleague I do. I don't expect to get explicitly credited for everything I do.

If my employer can't see or doesn't care about the value I bring, I simply go to one who values me higher. I refuse to participate in office politics and that kind of BS.


If you are employed, by definition you have outsourced the worries about the return on the value you create to your employer.

This. First, the employer has to worry about the returns from which they draw some money to pay you. And for you to even get paid for doing a job, the company has to fear that you won't do it if you don't get paid - in most cases, it's not from the good of heart, but an implicit or explicit threat made by you or on your behalf by other people.

The current problem is automating yourself out of the job. You creating value compounds but as soon as you’re no longer needed the fruit of that compounded value is cut off from you.

Well if you want to spend your days doing something trivial enough to be automated I guess that might be a concern.

I mean, I'm not sitting around doing data entry. If I'm automating something, it's not my job, it's someone else's. And a lot of the time that someone else really has other stuff they'd rather do as well.


This is not necessarily true.

I work on a product, I see sales generated by my work. By me specializing in my role and sales specializing in their role we both benefit. Is that outsourcing the worries? I don’t know, but when we get a client email it’s both product and sales collaborating that resolves it.

There are also co-ops, worker owned companies, etc.


Not necessarily true. If you're employed by e.g. a contracting company or consulting firm, your value to your employer is in #hours_billable because you are their product.

And they, in turn, have outsourced the worries of the value they need you to create onto you!

Not really sure what your point is. The employer is worried about getting good return on their investment in me, I am worried about getting good return on the time I'm investing in the company.

So my interest is that they recognize that I provide value, and pay me accordingly. It's possible that they recognize my value but choose to underpay.

I want them to pay me as much as possible, they want to pay me as little as possible. We reach a compromise, and if a different company offers a better deal I take it. That's their incentive to pay me a competitive salary. Doesn't matter what I say or how well I play office politics, they are most likely going to try to get a bargain and I am most likely going to leave for a better deal because there's always someone willing to pay more.


A square foot is bigger than the area used by a person standing and people mostly weigh more than 40 pounds so that seems unlikely to be the design criteria for places people walk.

You're confusing the concept of concentrated load and the uniform load for a floor or room. See page 7 of the HUD guide [1], but local building codes may be stricter. Materials like floor boards must be able to support 250-300 lbs in the center between supports, but that's very different from a whole floor supporting 250 psf.

If you manage to squeeze 400 people weighing an average 150 lbs each into the average 400 sq ft apartment room, it will probably suffer structural damage unless it's on a solid ground floor. That's one of the factors that goes into calculating the room and building "occupancy limit" signs you see in public places.

[1] https://www.huduser.gov/publications/pdf/res2000_2.pdf


That would be unsound? Travel to Europe _before_ giving your assets away so you can stick the landing and work on building useful stuff there instead.

The game is deeper than that. Your model is probably about right for the compiler you're using. It shouldn't be - compilers can do better - but it's all a work in progress.

Small scale stuff is that you don't usually spill around every call site. One of the calls is the special "return" branch, the other N can probably share some of the register shuffling overhead if you're careful with allocation.

Bigger is that the calling convention is not a constant. Leaf functions can get special cased, but so can non-leaf. Change the pattern of argument to fixed register / stack, change which registers are callee/caller saved. The entry point for calls from outside the current module needs to match the platform ABI you claimed it'll follow but nothing else does.

The inlining theme hints at this. Basic blocks _are_ functions that are likely to have a short list of known call sites, each of which can have the calling convention chosen by the backend, which is what the live in/out of blocks is about. It's not inlining that makes any difference to regalloc, it's being more willing to change the calling convention on each function once you've named it "basic block".


Why is almost no one in this comment thread willing to face the scenario where the function call has to actually happen, and be an actual function call? The reactions are either "no-no-no-no, the call will be inlined, don't you worry your pretty head" or "well, then the compiler will just use fewer registers to make fewer spills" — which precisely agrees with my point that having more registers ain't necessarily all that useful.

> Small scale stuff is you don't usually spill around every call site.

Well duh: it's small, so even just 8 registers is likely enough for it. So again, why bother with cumbersome schemes to extend to 32 registers?

And this problem actually exists, that's why SPARC tried register windows, and even crazier schemes on the software side of things had been proposed, e.g. [0] — seriously, read this. And it's 30 years old, and IIUC nothing much came out of it, so excuse me if I'm somewhat skeptical about "compilers can do better - but it's all a work in progress" claims. Perhaps they already do as best they can for general-purpose CPUs. Good thing we have other kinds of processing units readily available nowadays.

[0] David W. Wall, "Global Register Allocation at Link Time", 1986, https://dl.acm.org/doi/10.1145/12276.13338


Good post! Stuff I didn't know x64 has. Sadly doesn't answer the "how many registers are behind rax" question I was hoping for, I'd love to know how many outstanding writes one can have to the various architectural registers before the renaming machinery runs out and things stall. Not really for immediate application to life, just a missing part of my mental cost model for x64.


If you’re asking about the register file, it’s around a couple hundred registers varying by architecture.

You’d need several usages of the ISA register without dependencies to run out of physical registers. You’re more likely to be bottlenecked by execution ports or the decoder way before that happens.


I've seen claims that it's different for different architectural registers, e.g. _lots_ of backing store for rax, less for rbx. It's likely to be significant for the vector registers too which could plausibly have features like one backing store for the various widths, in which case deliberately using the smaller vectors would sometimes win out. I'll never bother to write the asm by hand with that degree of attention but would like better cost models in the compiler backend.


In the Intel-AMD CPUs, there are separate register files for renaming the 16 general-purpose registers (which will become 32 registers in Intel Nova Lake and Diamond Rapids, by the end of this year) and for renaming the 16 (AVX) or 32 (AVX-512) vector registers.

Both register files have a few hundred scalar and vector registers, respectively.

Besides these 2 big register files, there are a few other registers for renaming some special registers, e.g. the flags register and the AVX-512 mask registers.

Between the general-purpose registers there are no renaming differences; any of the 16 registers can be mapped to any of the hundreds of hidden registers, regardless of whether the register name used in the program is RAX, RCX or whatever.

Some differences between apparently similar instructions may be caused not by the fact that they use RAX or another register, but by whether they affect the flags or not, because the number of renaming registers available for flags is much smaller than the hundreds available for GPRs.


It'll go much faster if you give each process a warp instead of a thread. That means each process has its own IP and set of vector registers, and when your editor takes a different branch to your browser, no cost.


Merely misled by marketing. The x64 arch has 512-bit registers and a hundred or so cores. The GPU arch has 1024-bit registers and a few hundred SMs or CUs, being the thing equivalent to an x64 core.

The software stacks running on them are very different but the silicon has been converging for years.


Relatively successful was slotting the cat5 jacket, cutting off two or three of the pairs, twisting/tying the remaining pair to the old wire, then sliding the jacket back over the join before wrapping in a conservative amount of electrical tape. You want the join to be similar width to the cable and preferably flexible.

I have a suspicion that pulling fishing line first is the right play if you can manage to connect it to the old wire. Flexible, very high tensile strength, small.


In addition, in one room I ran two CAT5E cables as there was conduit along the entire way. So I took a CAT5E cable double the length of the conduit, stripped the outer sheath in the middle, folded the cable to get a loop and then attached the phone cable to that using the individual inner wires. Plus tape.


Pulling cables through walls is really easy for some construction styles and really difficult for others.

Can involve taking up floorboards and drilling horizontally through beams, plumber style. Or cutting slots in masonry with angle grinders. Sometimes there are existing wires you can tie to and pull through, sometimes the existing wires were stapled to the walls.

On the bright side everything about the ethernet wires and connections is trivial. Like demo to a friend in 20 minutes and let them walk off with the toolbox and they'll be fine wiring their house, if the construction style is amenable.


Agreed. I tugged on each phone wire to see if they were free. And I got lucky on all of them.

One of the problems I had was a kinked conduit where concrete was poured on top, or at least that is what I assumed. Was a bit difficult to get the “knot” (where the phone wire was connected to the CAT5E) through that spot.


The twisted pairs (should be two but one pair is broken...) installed in the 60s in my home are so stuck you will never, ever, get those out without ripping the wall apart. Originally the coaxials should have gone through the same pipes, as there should be enough space, but there is so much gunk in there it was impossible and they laid out a new tube through the floors and ceilings in the corner. For fun and because institutional knowledge is for suckers, they tried the same with fiber and simply gave up, so now we are in limbo because the computer says we have fiber but we don't.


In the 70's house I bought, some of the coax and power was literally cast into the concrete.

