Details
-
About: I code when I'm drunk
-
Skills: Rust, Python, Bash, C++, JavaScript, unicorns and other fabulous things
-
Location: Indetermined
Joined devRant on 2/15/2017
-
@gronostaj I still think that the EFI specification is too complex for firmware authors. The firmware industry, even though it's old, is not as mature as the current software industry. There's not even a firmware industry! It's all hardware. Those companies are still stuck with the mentality from the 80s that "people pay for the hardware" and do not understand practices like automated testing or concepts like test coverage.
All they try to do is to give something that "works" somehow. Does it work in all scenarios? Does it support all use cases? Is it conforming to the spec? All these questions don't really matter to them.
Writing a spec like EFI and hoping that firmware authors will implement it correctly is a bit like giving a truck to a 6-year-old to drive. They simply don't have enough experience and maturity to handle something that complex. And (sad to say but it's the truth) the world doesn't advance just with good intentions, but with experience and maturity. -
@fuckwit besides this personal experience, I've been working with Secure Boot on servers at work for quite a while, and let me just say: it's extenuating and extremely time-consuming.
And of course our firmware had bugs, so we also have to work with the hardware manufacturer to get those fixed, and they don't even take the time to reproduce the issues... Ah, don't get me started! -
@gronostaj the fact that EFI solves a real problem does not necessarily make it a good technology
-
@fuckwit EFI is complicated per se, plus firmware manufacturers rarely implement it correctly in my experience. The quality of firmware is particularly low for desktops and laptops.
When I wrote this rant it was because I spent an hour trying to install a Linux system on a new laptop, which wouldn't boot. Turns out this crappy firmware was expecting to find the ESP as the first partition of the disk (which is very common, I know, but it's not required by the EFI specification and it's not what I wanted to do) -
If you are paid to work with this stuff, why don't you go and fix the bug yourself? Don't forget this is a free software project maintained by volunteers
-
This sounds like a typical interview where they check whether they agree with you or not, rather than testing your skills. Don't be too harsh with them: doing a good job at interviewing, just like software development, requires some practice and it's not as obvious as it seems.
-
Use an emoji
-
Maybe you're on Windows...
-
Dude, spend some time exercising before applying for the next job
-
Well, you can put that topic on hold for now, and talk about the next topic. There's always something to talk about when science is involved!
-
https://who.int/emergencies/...
-
@C0D4 dude I didn't know that option existed! You saved my life (from memes)!!
-
So tired of reading this joke over and over again
-
And this is a rant because..?
-
Dude, if you wanted to communicate with him you should have just installed WeChat. Not the best app in the market, concerning from a security perspective, but at least doesn't require a VPN
-
@r-fu oh, and if you want a link, just search for "phishing redirect". Here's one result:
https://hacksplaining.com/preventio...
This is also why, as a user, you should always be paranoid about where you enter your credentials and check every detail. -
@r-fu well, suppose you own goodsite.com, and I own evilsite.com. I want to steal the credentials of a user. Here's what I can do:
- I tell the user to visit goodsite.com/login?redirect=evilsite.com/login (the url can be made more concealed by adding nonsense params)
- The user inserts their credentials and is redirected to evilsite.com/login
- The page at evilsite.com/login contains the same login form as before, with a message "invalid username/password, please try again"
- The average user will think they had a typo somewhere and they won't check the domain name, so they will try again with their correct credentials
- evilsite.com gets those credentials and redirects the user back to goodsite.com
End of the story: the user didn't notice anything wrong, I got their email/password -
CORS won't stop you from _doing_ POST requests (or PUT, or DELETE, or GET, ...). It will stop you from _seeing_ the response to such requests. This is why CSRF is still needed.
CORS and CSRF are not competing, they take care of different problems. -
While you fix the code, add a check to make sure that returnUrl is from a trusted domain. Otherwise, you open the door to a class of juicy phishing attacks.
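
An added example (not part of the original comment, and not code from any site mentioned here) of the returnUrl check suggested above, using the WHATWG `URL` parser built into Node.js and browsers. The function name, the `goodsite.com` allow-list and the fallback page are assumptions taken from the goodsite/evilsite scenario in these comments; the sample inputs are constructed.

```javascript
// Assumptions: the site lives at https://goodsite.com and only that host is trusted.
const SITE_ORIGIN = 'https://goodsite.com';
const TRUSTED_HOSTS = new Set(['goodsite.com']); // exact match, never suffix/substring
const FALLBACK = SITE_ORIGIN + '/';

// Returns a normalized absolute URL that is safe to redirect to,
// or FALLBACK when the supplied returnUrl leaves the trusted hosts.
function safeRedirectTarget(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return FALLBACK;
  let url;
  try {
    // Resolve exactly the way a browser would resolve a Location header,
    // so "//host", "/\host" and "user@host" tricks show up in url.host.
    url = new URL(raw, SITE_ORIGIN);
  } catch {
    return FALLBACK;
  }
  if (url.protocol !== 'https:') return FALLBACK;       // blocks javascript:, data:, http:
  if (url.username || url.password) return FALLBACK;    // no embedded credentials
  if (!TRUSTED_HOSTS.has(url.host)) return FALLBACK;    // host (and port) must be listed
  // Redirect to the parsed form, not the raw string, so the value that was
  // checked is the value that is used.
  return url.href;
}

// Constructed inputs: values a returnUrl/redirect parameter might carry.
const SAMPLES = [
  '/account?tab=1',
  'evilsite.com/login',
  'https://evilsite.com/login',
  '//evilsite.com/login',
  '/\\evilsite.com/login',
  'https://goodsite.com.evilsite.com/login',
  'https://goodsite.com@evilsite.com/login',
  'javascript:alert(1)',
];

function auditSamples() {
  return SAMPLES.map((raw) => ({ raw, target: safeRedirectTarget(raw) }));
}

for (const { raw, target } of auditSamples()) {
  console.log(`${raw.padEnd(42)} -> ${target}`);
}
```

Note that a scheme-less value such as `evilsite.com/login` resolves to a path on goodsite.com, so it never leaves the site as long as the server redirects to the returned value rather than to the raw parameter.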
-
Lol, maybe it was a test 😛
-
I'm completely anti-academy, but still I would discourage dropping just because of an offer. Definitely not worth it.
Firstly, those companies are overrated. Secondly, having an offer does not mean much. Role? Compensation? Career prospects? Also, maybe you'll never want to leave your country, but if you do, beware that having a degree gives you access to types of visa that wouldn't be available otherwise. -
I call this a "backfired optimization"
-
As I often say, most professors have never had a job outside the academy, and have no idea what the real world looks like. This is yet another proof.
-
Lol, is it like a survival test?
-
grep?
-
He evolved the model, adding more different "score" fields that are mixed and grouped together in a second phase. Today, we have about 30 "score" fields and 5 "overall score" fields (not kidding).
Now you might be wondering: how did this lead to loss of data? Very simple: the formulas are so poorly engineered and the implementation was so rushed that some of those scores often end up being NaN. More precisely, 25% of our records contain at least a NaN somewhere.
Apparently, ElasticSearch doesn't like the way we serialize our NaNs, and simply rejects those records. 25% of the outliers we found over the last month were never stored.
Turns out that some of the most interesting outliers produced by my new outlier detector were among the lost ones. I spent a day trying to figure out why my records were not showing up before discovering the root cause. Also, I wanted to share my results in a few days, but now I cannot anymore. I have to wait another month in order to have enough data. -
@cprn well, for simplicity let's say that we have a system that ingests a big stream of data and tries to find outliers out of it. Those outliers are put in an ElasticSearch stack for later investigation (it's actually more complex than that).
Our genius ex-manager got a fabulous idea for assigning a "score" to outliers so that you could sort them by how "interesting" they are.
A team member went on to implement his idea and wrote some components to add this extra "score" field to each ElasticSearch record. After the initial implementation, it turned out that his idea was total shit, based on magical pseudo-scientific formulas that only flat-earthers could believe in.
So, what did our genius ex-manager do after failing so miserably? Did he admit his mistake? Did he move on to something else? Did he take a vacation? None of this. -
It's been a while since I last saw a proper rant on devRant. Thanks.
-
That space in between 'Java' and 'Script' triggers my OCD
-
@NoToJavaScript the whole management here is fucked up, none of them would even be able to understand the content of that email