Hacker News | travjones's comments

woah, big tyme hater


Cops may ask you not to record and even threaten you with arrest for recording. Do not be intimidated; it is your right to record without obstructing.

If you find yourself in a situation where you might be detained and thereby unable to control interactions with your device, on iPhone you can disable TouchID and FaceID by holding one of the volume buttons and the sleep/wake button simultaneously for a few seconds. This will require you to enter your passcode the next time you want to unlock the iPhone. Anyone have similar instructions for Android?


> Do not be intimidated; it is your right to record without obstructing.

Be very careful taking this advice. If you weren't already aware, the past week should make it crystal clear that police have absolutely no problem arresting or assaulting you for exercising your rights.


Rights exist insofar as they are enforced. Otherwise what’s the difference between rights and a nice idea?


The ACLU confirms what you say:

https://twitter.com/ACLU/status/1268588997829410816

"When you are lawfully present in any public space, you have the right to photograph anything in plain view, including federal buildings and the police."

"Police may not confiscate or demand to view your photographs or video without a warrant, nor may they delete data under any circumstances. Visual records are fully protected, but some states have tried to regulate the audio portion of videos under wiretapping laws."


One of the main points of the article is that the law is not being respected by those tasked with upholding the law:

> Everyone in the United States — citizen or resident — has a constitutional right to record police who are performing their public duties. The police don’t have the right to stop you as long as you’re not disrupting their business, and they aren’t allowed to confiscate your phone or camera just because you were recording them. This is the consistent opinion of federal courts and the Supreme Court, which affirmed in 2014 (in a 9-0 decision) that cops need a warrant if they want to seize and search your cellphone.

> Of course, the nationwide protests are about the police ignoring civil rights. Indeed, the videos we’ve seen in the past week show widespread police lawlessness, with officers arbitrarily violating the rights of peaceful demonstrators in lawful assemblies.


Also make sure you have iCloud enabled so you can access the video later if your device is damaged or lost.


I think for non-Apple users Periscope allows you to automatically stream and record an event, right? No need to "finish" recording as it directly streams and saves it to their servers. Is that correct?


On Android you can configure it to automatically upload everything to Google Photos.


On most Android phones, after 3 failed attempts the fingerprint is disabled. So touch it 3 times with your pinky or any finger that you didn't register and that will do the trick.


> Cops may ask you not to record and even threaten you with arrest for recording. Do not be intimidated; it is your right to record without obstructing.

Better advice is to read the situation. Cops can make, and have made, people's lives very difficult, whether through legal harassment, false charges or bodily harm, and it is your word against a cop's when you go before a judge.


Not with video, though.


Phones can be confiscated or destroyed. Even if your video survives, it better have a clear shot of a crime and a clean chain of custody, because it's you versus a billion dollar union's team of lawyers.


>smashes your phone, then assaults you


I carry my Insta360 with me but don't wear it. People can start wearing a GoPro if they want to record without being conspicuous.


I think I'll go buy GoPro stock before their inevitable pivot to making inconspicuous body cams for people to wear every day.


yup, & perhaps Google Glass was merely a bit ahead of its time and not quite the right product-market fit...

any one of these still needs to automatically stream to a secure location


You can also press the power button five times rapidly and it goes into emergency mode. It makes a loud sound and calls 911 automatically after three seconds if you don't hit cancel. It also locks out FaceID.

So if you're under imminent attack this might be a better option. It's all configurable in Settings, though, so test it before you go protest.


All you have to hold is the power button to disable Touch ID. Adding the volume button does nothing additional on my iPhone 8.


You have to do power + volume down to get to that screen if you have a phone with no Touch ID (iPhone X and above). Just confirmed on mine.


It should work on iPhone 8. Perhaps you need to upgrade your iOS?

Pressing both should go into a mode where you can swipe to call emergency services or show your Medical ID if you have the feature.

https://support.apple.com/en-us/HT208076


If told to stop recording, I'd be tempted to reply, "Sir, I am recording for your protection."

Note well: I have not actually tried this. IANAL, and this is not legal advice. Your mileage may vary.


Why? What do you hope to achieve other than to possibly inflame the situation? I can't possibly believe that you think the cop is going to think "gee, that's a good point citizen, please carry on".


It forces the cop to either admit that he's a bad guy (or at least crossing the line), or else to not cross the line. It makes it so he can't try to pretend to me that he's squeaky clean while actually doing dirty stuff.


I don't think you're modeling the cop very well. They're not going to be in a state to reason or debate with you, and the statement "for your protection" if not paid close attention to sounds vaguely like a threat.


If you say that, they might claim they took it as a threat and were scared for their lives and shot you.


I feel that way about body cameras. If the cop's camera is not working then nothing he says should be taken at face value.


Hold down the power button for newer Android builds and press "Lockdown".


I believe this might need to be enabled somewhere in the settings.


Correct. Go into settings, search for "lockdown" and enable. On my Pixel 3 XL, I can then hold down the power button and while holding it a menu comes up that includes the option to shut it down, reboot, lockdown, or emergency.


Correct; thanks to your advice and GP's, I found this under Settings->Lock screen->Secure lock settings->Show Lockdown option.


I think this is a great idea. Perhaps the "Github for data" copy could use some work, but the concept of obfuscating real data for use in building systems without the overhead or concern of operating on real customer data is valuable. Of course, the degree to which the obfuscated data represents real data is important to ensuring the systems built like this are robust, but this seems possible.


I graduated this past semester (Fall 2018), but I started working in industry a little over a year ago. I knew in my second/third year that academia wasn’t for me. However, grad school gave me a paycheck (albeit small) + tuition and time to develop other skills that I did not have after undergrad. Further I had an awesome PhD advisor and enjoyed my research.

My experience in grad school wasn’t bad and I think it only benefited me when transitioning to industry. At my job, I thoroughly enjoy my work and team (it’s important you find your fit). The compensation bump was also nice compared to a PhD student stipend.


It seems that the HN community responds interestingly to topics of discrimination in tech (or, "lack of diversity"). It seems that there is a bit of denial in this community that there is indeed a discrimination issue. This is merely my observation; it could be skewed or entirely incorrect. Just keep in mind that discrimination occurs whether you notice it or not. Further, you might be less likely to notice it if you are part of a group that suffers less from discriminatory practices.

Nonetheless, data and personal testimonies suggest that women and minorities have a harder time being interviewed and hired for positions at tech companies. Women and minority founders typically have a more difficult time securing funding and/or resources that will help them build a successful company. This isn't an issue that is unique to tech at all, rather this problem exists in organizations of all types.


The HN community isn't of one mind on this. Rather, it's deeply divided, just like society at large—and just like most large population samples are on most divisive topics.


I suspect the HN community isn't as blinkered as you may think, and perhaps, being of an analytical mindset, they aren't as easily fooled by the 'diversity theatre' that corporations are performing at present. Perhaps they are more likely to look at systemic causes and solutions than ill-considered treatments of the symptoms.

But what the hell do I know :)


> Women and minority founders typically have a more difficult time securing funding and/or resources that will help them build a successful company.

Well, but isn't that normal? It's like saying that if you buy fewer lottery tickets you have a harder time winning than those who buy more.

I think the issue is impossible to resolve, because we make groups based on attributes, so you can always make groups that share attributes that are less common among the total. Then those groups that are a minority will always have less chance, unless you discriminate in favor of them.

I'm open minded and I can accept that, ok, gender is a very important attribute and we'll consider only that one, and we'll discriminate for some time until things are balanced. But then we might need to change the constitution and make discrimination by gender allowed temporarily, right?


I think that a big component of that, and I could be wrong, is that a large part of the community isn't based in SF or even the US where these issues are more top of mind. Looking in from the outside, I'm sure it looks like those of us in the Bay Area might be focusing on perplexing things, which to many of us appear totally appropriate.


If there are fewer applications from some specific group of people, but the rejection rate is high in general, the rejection rate of the minority will tend to be very high. But that has nothing to do with discrimination.


To some extent I agree with you that behavioral science/psychology needs a unifying theory. Attempts at this have been made and are still alive and well. For example, take a look at Radical Behaviorism [1]--the philosophy of science behind (applied) behavior analysis.

The overarching goal of behavior analysis is to treat the study of behavior as a natural science. That is, to identify orderly relations (i.e., laws) between behavior and the environment.

[1]: https://en.wikipedia.org/wiki/Radical_behaviorism


Interesting. There is actually a concept from behavior analysis called "behavioral momentum." [1]

1: https://en.wikipedia.org/wiki/Behavioral_momentum


Reminds me of how the hardest part of many tasks is simply getting started.


... per megabyte.


It says here you uploaded something nasty called a "Mega Bite"? Please explain that.


Given that prosecutors tried to show that Sergey Aleynikov was acting maliciously by using Subversion [0] (obviously it's subversive!), I wouldn't be surprised if they tried that.

[0]: https://www.vanityfair.com/news/2013/09/michael-lewis-goldma...


>> "a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files"

Yeeks. Not good.

(sudo) gem update --system ASAP


I don't really get the fuss about this one. It's annoying and a vector, true, but keep in mind that even with this fixed, a malicious gem can overwrite arbitrary files. A gem can bring with it a C-extension. This extension is compiled with a makefile created by the gem-provided extconf.rb. AFAIK, the code in the extconf.rb is executed at gem install time, so arbitrary code can be executed at gem install time.

AFAICS this is the relevant line: https://github.com/rubygems/rubygems/blob/master/lib/rubygem...

Edit: Or, if you want to get a little more creative, have your gem include a plugin to rubygems itself, similar to what https://github.com/rvm/executable-hooks does.


I agree. Or how about one step away from just the installation? Once you load a gem it can do whatever the hell it wants to your system. This vulnerability feels very security-theater-ish. At the end of the day, someone needs to audit the gem or have deep trust in the supplying party (i.e. Rails) to protect against arbitrary file manipulation.


Installation and running are not necessarily done with the same account. Often, apps run with lower privileges than they're installed with, so the damage may be somewhat mitigated. I'd really treat that as a separate, albeit related problem.


While this is bad, most gems are executable code, which will get executed (seeing as you installed the gem).

So while this is bad, I don't think it's that bad -- a malicious gem could always mess you up. Still update!


The only difference is that you are perhaps more likely to install a gem system wide (which would require root rights normally) than run code from a locally installed gem with root rights.


I don't quite understand how this is different from the status quo? I guess gems may (sometimes) be installed with a different user (or even root) than the application server?

But even if: most systems today probably only run that one service, and the application server can rwx pretty much everything of interest because that's its job, right?

10 years or so ago you'd often see some company's server running apache as well as a mail server, the internal document repository and the financial systems. In that sort of setup, it's important to (try to) keep these systems isolated from each other. But today, all that root access would give you is the ability to read a few more Ubuntu man pages.


I wouldn't be so optimistic. There are often credentials to other systems (like databases, etc) on such servers, plus they now have access to the private network(s) the compromised server resides on. It gives the attacker the opportunity to serve exploits to users, to forward incoming requests from users to external servers (maybe there's an auth token or something they can use), and tons of other stuff.


Yep. Even if you only owned a perfectly sterile (no secrets) proxy tier to a distinct service tier, you are placed in the path of requests from clients to those services and can thereby extract credentials (passwords, tokens) or PII (names, emails), which would still be unacceptable.


> and the application server can rwx pretty much everything of interest because that's its job, right?

Eh, I don't know about that. I don't think most application servers are running as root, and I'm pretty sure it's considered bad practice to run them as root, no?

But yeah, they still need to have enough privs to do their jobs, which will be a lot of privs. But you still don't go from that to "might as well just run as root then".


Developer machines could be as interesting as servers, maybe more. If they can install a keylogger using a malicious or hijacked gem, then bingo!

The file overwrite and the ANSI sequence vulnerabilities are extra attack vectors. The main one has anyway been the code itself and its vetting process. This goes for Ruby gems and for any other open and closed source piece of code we run on our machines, starting from the processor(s) microcode.


Would you have to go out of your way to find a malicious gem though? It's not like any of the popular gems would try to overwrite files, right?


There was recently a fiasco with NPM over a malicious node package whose name was an intentional typo of a popular package, and upon installation it exfiltrated all environment variables: https://twitter.com/o_cee/status/892306836199800836

After this got uncovered, Duo published a blog post where they scanned for and found several other malicious packages:

https://duo.com/blog/hunting-malicious-npm-packages

The last one they talk about worms itself by adding itself to any packages authored on the computer it's installed on.

These issues are not unique to npm.


Why go out of the way when you can just buy a popular one? This was a fairly mild version of that: https://forum.sublimetext.com/t/rfc-default-package-control-...

Granted, that was just data collection, but the outcome could be incredibly worse with a combo of popular but bad code and a little bit of money.


Well, an existing gem might not. But a gem you use could have its developer's computer get compromised and a malicious update published. If you inadvertently download it while updating your gems you could get compromised.

The problem here is that you don't even have to get directly attacked to be affected.


Well it's a web of trust: typically people only trust their Gemfile, not their entire Gemfile.lock. If you audit the latter you should be fine (though of course you should upgrade regardless).
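An added example (my code, not from the thread or from RubyGems/Bundler) of the Gemfile.lock audit the comment above suggests: it parses a constructed lockfile and reports every gem Bundler will install that the Gemfile never names, together with the direct dependency that pulls it in, since those undeclared gems are exactly where the install-time hooks discussed earlier (extconf.rb, rubygems plugins) would run without anyone having chosen them. It assumes the standard Bundler lockfile layout: resolved gems at a 4-space indent under `specs:`, their dependencies at 6 spaces, and direct dependencies under `DEPENDENCIES`.

```ruby
# Added example: audit a Gemfile.lock for gems trusted only transitively
# (resolved by Bundler but never named in the Gemfile). Constructed sample:
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      actionpack (5.2.2)
        activesupport (= 5.2.2)
        rack (~> 2.0)
      activesupport (5.2.2)
        concurrent-ruby (~> 1.0, >= 1.0.2)
      concurrent-ruby (1.1.4)
      rack (2.0.6)
  DEPENDENCIES
    actionpack (~> 5.2)
LOCK

# Returns [specs, direct]: specs maps each resolved gem to its version and
# dependency names; direct lists the gems declared in the Gemfile.
def parse_lockfile(text)
  specs, direct, section, current = {}, [], nil, nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    (section = line; next) unless line.start_with?(" ")   # unindented: new section
    case section
    when "GEM"
      if line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/     # 4-space indent: resolved gem
        current = Regexp.last_match(1)
        specs[current] = { version: Regexp.last_match(2), deps: [] }
      elsif current && line =~ /\A {6}(\S+)/       # 6-space indent: its dependency
        specs[current][:deps] << Regexp.last_match(1)
      end
    when "DEPENDENCIES"   # drop the constraint and the "!" Bundler adds for git/path gems
      direct << line.strip.sub(/\s*\(.*\z/, "").chomp("!")
    end
  end
  [specs, direct]
end

# Map each undeclared gem to the direct dependency that pulls it in (breadth-first),
# so a reviewer knows which top-level gem vouches for it.
def transitive_gems(specs, direct)
  origin = {}
  queue = direct.map { |d| [d, d] }
  until queue.empty?
    name, root = queue.shift
    next unless specs[name]
    specs[name][:deps].each do |dep|
      next if direct.include?(dep) || origin.key?(dep)
      origin[dep] = root
      queue << [dep, root]
    end
  end
  origin
end
```

To audit a real project, pass `File.read("Gemfile.lock")` to `parse_lockfile` and print `transitive_gems` with each gem's version from `specs`.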


How much do you trust the code review process on every ruby gem?


Most meaningful applications will require the use of pointers. For example, unmarshalling json comes to mind.

I wouldn't "avoid the use of pointers" if I were you. Rather, use them, run into problems, fix the problems, and you'll learn what you need to know about pointers in Go. Given your background, you code. Figuring out pointers in Go will be trivial for you, especially when you learn in context (e.g., writing something you think is cool). You got this.

