The problem is that they don't "need" to. There's no consequences for not caring, and no incentive to care.
We need laws and a competent government to force these companies to care by levying significant fines or jail time for executives depending on severity. Not fines like 0.00002 cents per exposed customer, existential fines like 1% of annual revenue for each exposed customer. If you fuck up bad enough, your company burns to the ground and your CEO goes to jail type consequences.
This kind of response went out of fashion after Enron. Burning an entire company to the ground (in that case Arthur Andersen) and putting thousands out of work because of the misdeeds of a few - even if they were due to companywide culture problems - turned out to be disproportionate, wasteful, and cruel.
First off, adults use capital letters. I know it’s hard but it’s a basic part of our language. I would respect you and your arguments more if you used them. Second, your idea is as naive as your writing is poor. The issue with AA was that accounting doesn’t provide a lot of bounce and recover space for people whose firms go belly up in the way that AA did. A social safety net has precisely zero to do with the loss of a lot of dreams.
If you read more you’d know that (and you would use capitals).
and I might respect your opinions if they weren't couched in vapid complaints over the formatting of casual online intercourse. nobody with an argument of substance starts off with a complaint on the casing of someone's statement.
if true, your claim of the inability of the financial worker sector to absorb masses of workers dumped from a company going under due to fraud committed by the company sounds like exactly something that a social safety net would assist with, giving the workers a larger space to safely transition from one position to another.
an emotional appeal to insist on allowing a company engaged in criminal acts to persist because it might have a negative impact on those working for it isn't logical. if the company valued its employees, it shouldn't have engaged in fraud and been folded under as it deserved.
That's exactly backwards. In the current regime, it's precisely the billions of people who are affected by data breaches (and who happen to be taxpayers!) who are footing the bill.
This is genuinely the stupidest thing I have read today. I get that anti-capitalism is cool now but this is fucking insane. You want to incarcerate someone for exposing email addresses on a public service? Absolute madness.
I think we’ll start seeing consulting agencies advertise how many vulnerabilities that can resolve per million token, and engineering teams feeling pressure to merge this generated code.
We’ll also see more token heavy services like dependabot, SonarQube, etc that specialize in providing security related PR Reviews and codebase audits.
This is one of the spaces where a small team could build something that quickly pulls great ARR numbers.
The same vertical-specialist logic applies in legal tech. Law firms are drowning in contract review — NDA, MSAs, leases — and generic AI gives them vague answers with no accountability. The teams winning there aren't building 'AI for lawyers', they're building AI that cites every answer to a specific clause and pins professional liability to the output. That's a very different product than a chatbot.
What is needed there are custom harnesses that don’t let the LLM decide what to do when. Use their power of pattern matching on data, not on decision transcriptions.
Does SonarQube use LLMs these days? It always seemed like a bloated, Goodhart's law inviting, waste of time, so hearing that doesn't surprise me at all.
More importantly people need to start voting out politicians who refuse to. It's easy to elect people because of things they promise, but it's what they actually do that matters.
So not sure where you are from, but over here both main parties and almost all press and TV would viciously push back (and actually are trying to do it right now with another party).
The reason for it is very simple: big companies bribe politicians and.... buy ads in media.
Companies will only care if they have a reason to. People need to start caring about their privacy and security and be willing to change product if they have to. We can blame companies and insist they start caring, but this makes no difference to them, people complain for a while and then they move on and the earnings remain unchanged.
Not that I know. Maybe Cloudflare experiences an issue in your local region? At this moment the workers are serving a few hundred requests from all over the world.
The rule must be very simple: any occurrence of `eval()` should be a BIG RED FLAG. It should be handled like a live bomb, which it is.
Then, any appearance of unprintable characters should also be flagged. There are rather few legitimate uses of some zero-width characters, like ZWJ in emoji composition. Ideally all such characters should be inserted as \xNNNN escape sequences, and not literal characters.
Simple lint rules would suffice for that, with zero AI involvement.
I think there’s debate (which I don’t want to participate in) over whether or not invisible characters have their uses in Unicode. But I hope we can all agree that invisible characters have no business in code, and banishing them is reasonable.
How is it an accessibility issue? HTML allows things like little gif files. I've done this myself when I wrote text that contained Egyptian hieroglyphs. It works just fine!
Then use words. Or tooltips (HTML supports that). I use tooltips on my web pages to support accessibility for screen readers. Unicode should not be attempting to badly reinvent HTML.
In our repos, we have some basic stuff like ruff that runs, and that includes a hard error on any Unicode characters. We mostly did this after some un-fun times when byte order marks somehow ended up in a file and it made something fail.
I have considered allowing a short list that does not include emojis, joining characters, and so on - basically just currency symbols, accent marks, and everything else you'd find in CP-1521 but never got around to it.
Yeah it would have been nice to end with "and here's a five-line shell script to check if your project is likely affected". But to their credit, they do have an open-source tool [1], I'm just not willing to install a big blob of JavaScript to look for vulns in my other big blobs of JavaScript.
The grep approach catches zero-width joiners and BOM characters but misses what GlassWorm uses - variation selectors (U+FE00-FE0F and U+E0100-E01EF). Those don't show up in most regex patterns people reach for, and they're valid Unicode so editors don't flag them either.
ESLint won't catch it because variation selectors are legal characters - they're meant for glyph selection in CJK text and emoji. The issue is that GlassWorm uses thousands of them per line where legitimate use is 1-2. It's a density problem, not a character-class problem.
We ran into this while analyzing the waves at work and ended up building a scanner around it - counts variation selector clusters per line, matches the decoder pattern (codePointAt + the specific arithmetic GlassWorm uses) in a narrow window to cut false positives from minified code. Open-sourced it last week: https://github.com/afine-com/glassworm-hunter
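A minimal version of the density check described in the comment above, plus the zero-width/BOM lint rule suggested earlier in the thread, as an added example (not the glassworm-hunter tool and not code from any commenter). The per-line threshold of 2 variation selectors and the sample input are constructed assumptions; it scans plain text and does not attempt to match any decoder pattern.

```python
"""Density-based scan for hidden Unicode in source files.

Legitimate code carries at most a couple of variation selectors per line
(emoji presentation, CJK glyph variants); a line carrying dozens is
suspicious. Zero-width characters and BOMs are flagged at any count.
"""
import re
import sys

# Variation selectors (U+FE00-FE0F, U+E0100-E01EF): flag by density.
VARIATION_SELECTORS = re.compile("[\ufe00-\ufe0f\U000e0100-\U000e01ef]")
# Zero-width / invisible code points: flag on first sight.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")

MAX_VS_PER_LINE = 2  # assumed threshold; tune per code base


def scan_text(text, max_vs=MAX_VS_PER_LINE):
    """Return a list of (line_no, reason, count) findings for `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        vs_count = len(VARIATION_SELECTORS.findall(line))
        if vs_count > max_vs:
            findings.append((line_no, "variation-selector density", vs_count))
        zw_count = len(ZERO_WIDTH.findall(line))
        if zw_count:
            findings.append((line_no, "zero-width character", zw_count))
    return findings


def scan_file(path, max_vs=MAX_VS_PER_LINE):
    """Scan one file; undecodable bytes are replaced rather than fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), max_vs)


# Constructed sample: a benign emoji line, a padded line, a stray-BOM line.
SAMPLE = (
    "const ok = '\u2764\ufe0f';\n"                       # heart + VS16: legit
    "const x = 1;" + "\ufe01\U000e0100" * 40 + "\n"     # 80 selectors: suspect
    "\ufeffconst y = 2;\n"                               # BOM mid-file
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = scan_text(SAMPLE) if not paths else [
        (p, *f) for p in paths for f in scan_file(p)]
    for r in results:
        print(r)
```

Run it with file paths as arguments to scan a repository, or with none to see the findings on the embedded sample.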