
The article contains the passage below twice. I mean how does that happen? No proofreading? Cut and paste editing. I am always surprised when I see this in professional news sources.

——

That the amendment died quietly does not erase what its introduction signals: opposition to police LPR programs is reaching higher levels of the political agenda, and Flock is increasingly at the center of it.


This would be kind of a fun challenge. If you are handling random numbers, well you are limited by disk or memory size. But if the numbers are compressible ala LZ77 or Gzip, then there are ways to use the value’s compression trees to sum the numbers from the least significant digits using the LZ77 style compressed value tree representation. If you go that route, and the numbers are compressible (not random) then the question is whether the compressed input and output trees fit in memory or disk.


The security model, or almost lack of any whatsoever in VSCode drove me to only install MSFT extensions, then use Code Server in a docker container, but I decided I didn’t like using my editor in a browser.

Finally I have decided to start using Zed, which isn’t perfect on the security front, but much better IMHO. The combination of WASM extensions, and the ability to put language servers, etc, in dev-containers seems like a great step forward.

I hope Zed continues to improve their extension and language server security model. Actually I hope VSCode does too, but honestly, I am not optimistic.


Wait, how do you arrive at the thought that Zed is more secure? The one time I gave it a try, it tried to silently run npm -- yes, THIS[1] npm -- in the background without telling me, and I noped the heck out. Did I miss something?

[1] https://www.reddit.com/r/programming/comments/1tapmvi/mass_n...


Maybe I am wrong about this, but I think Zed will run the npm stuff on the dev-container if you are using dev-containers. That can be your isolated virtual machine image or docker instances. But I believe you do need to use Zed (stdio or ssh) dev containers to get that security isolation. I know it’s a pain, but for me, I am going to pay the logistics price for security until a better solution comes along.


Zed plugins execute in wasm. LSPs execute outside of any sandbox, but that's still an obvious win. Your link isn't particularly relevant to an LSP unless the LSP itself is compromised.

Hopefully the system matures with time, but at least they're taking the problem seriously.


Not defending the default behavior of zed, but it is possible to disable this. Setting `"lsp.<server>.binary.path": <some-path>` will stop zed from trying to install that server.

On my machines, the "languages"/"node" directories for zed are empty and owned by root and the lsp servers are provided by nix. But you could also pin known good versions with npm.

As far as I know Vscode has no equivalent way to do this.
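A way to audit the pinning described in the comment above, as an added example that is not part of the thread or of Zed's own tooling. It assumes the settings are already parsed into a dict with the nesting `lsp` -> server -> `binary` -> `path`; the server names and files are constructed.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by group or by others

def _loose(path):
    return bool(os.stat(path).st_mode & LOOSE)

def audit_lsp_pins(settings):
    """Map each server under "lsp" to how its binary is supplied."""
    report = {}
    for name, cfg in settings.get("lsp", {}).items():
        path = (cfg.get("binary") or {}).get("path")
        if not path:
            report[name] = "unpinned"      # no binary.path set for this server
        elif not os.path.isabs(path):
            report[name] = "relative"      # not a fixed location on disk
        elif not os.path.isfile(path):
            report[name] = "missing"       # pinned to a file that is not there
        elif _loose(path) or _loose(os.path.dirname(path)):
            report[name] = "replaceable"   # mode bits let others swap the file
        else:
            report[name] = "pinned"
    return report

def demo():
    """Constructed sample: temp files stand in for real server binaries."""
    root = tempfile.mkdtemp()
    good, bad = os.path.join(root, "good-ls"), os.path.join(root, "bad-ls")
    for p, mode in ((good, 0o755), (bad, 0o777)):
        open(p, "w").close()
        os.chmod(p, mode)
    os.chmod(root, 0o755)
    settings = {"lsp": {                   # hypothetical server names
        "server-a": {"binary": {"path": good}},
        "server-b": {"binary": {"path": bad}},
        "server-c": {"binary": {"path": "bin/ls"}},
        "server-d": {"binary": {"path": os.path.join(root, "gone")}},
        "server-e": {"settings": {}},
    }}
    return audit_lsp_pins(settings)

if __name__ == "__main__":
    for server, status in demo().items():
        print(f"{server}: {status}")
```

The check looks only at the mode bits of the binary and its immediate directory; ownership, as in the root-owned directories the comment mentions, is not inspected.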


Pretty sure any IDE worth anything that has JS support pulls NPM packages at some point to lint code, no? You're not giving me much to be outraged about without more information. Zed tries to set things up for you so you're not wasting hours trying to figure out how to set them up in a brand new editor.


I do not use JS and certainly was not doing anything JS-related, and I do very much not expect my tooling to silently run code from insecure Internet sources on my machine. Which does not seem like an outlandish position to me? If you consider that acceptable, yourself -- fair enough, that's your call and it's your machine, but let's please not label that anything but grossly insecure?


No doubt an unpopular opinion, but if I install an app that is going to do things in the background, I'm going to hold that apps developers responsible for any breaches. If Zed needs javascript to do its job, it probably should be downloading it from their own servers, or even better, just ship the editor with all the code it needs to do its job.


Yes, please ship everything that's needed because otherwise when I run your app in an isolated network namespace it will break. This also applies to builds. If I can't build your project from a clean git repo without internet access you are doing something wrong. (Yes I am aware that I likely just accused the majority of software devs of being wrong. I don't care I'm yelling at clouds here.)


I don't have node running on my pc, I either put it in a container or I don't use it.

Software that is mostly an electron app. I start using my browser for a web edition, or run it in a container/sandbox!


I think we reached the point where it's not reasonable to expect that Microsoft is capable of improving anything. Their products all go in the same direction.

The best case for Microsoft software I hope for is that they do only some minor UI cosmetic changes, but even that often goes catastrophically wrong.


>The security model

I just don't use VSCode and I discourage its use in any environment in which I have to work. It has already been demonstrated that it is a major security hole - not just through the public extensions, but also in terms of the telemetry data transmitted back to Microsoft in order that they can invest millions in it and yet charge nothing for it...


I'm also currently trying to switch from VS Code to Zed and my biggest hope was a better performing editor. The startup time is way better but the typing input is so laggy on my 2018 MacBook Pro 15". It's far worse than VS Code. Also the power usage of Zed is high.


If it uses npm plugins, it's the same crap you get with vscode, just with a rust facade.


Zed plugins are wasm / somewhat isolated. LSPs are not sandboxed, but that's a massive reduction - trusting the LSP is far different from trusting arbitrary extensions.

The system is immature but it's directionally correct.


Is helix too minimalist? No js, just rust and tree sitter queries. Full lsp integration and everything just works.


FWIW VScode can be used in a docker container or remote server from the local client. See devcontainers and VSCode over ssh.


At least some of your extensions will still run in the client editor instance, not on the server side. That limits exposure a bit but when colour themes have been known attack vectors in VSCode it’s far from a panacea.


> … use Code Server in a docker container …

I'm guessing you're referring to https://coder.com/docs/code-server ?


most likely - used this for 6 months before dropping vs code and loved it if you don't mind using the browser

> I hope Zed continues to improve their extension and language server security model.

To be honest I doubt there's much that they can do. Many many language servers cannot run in WASM, or it would be super hard to compile them to WASM. So Zed either has to allow running arbitrary binaries like VSCode, or accept that they're going to have really poor extension support.


Running binaries I already have installed in a containerized environment is fine, automatically installing them on host machine and/or container is not.

I should be able to limit what binaries extensions have access to though.


Supposedly, in 1990, there were somewhere between 132,000 and 270,000 travel agents. Consider that.


That’s far more believable than 10,000 elevator attendants. I was an adult in 1990 and used travel agents. But I can’t remember ever encountering an elevator attendant.

It would be fascinating to know where the remote drivers were located that were remotely controlling these vehicles. Wasn’t there a big hubbub about using remote staff in the Philippines a while ago? This can change the reliability profile quite a bit. (Internet quality)


Driving skill (and road manners) is also a serious issue, not only Internet quality (it's mostly solved nowadays with dual 5G/dual residential, Starlink is also available, np), getting a driver license is basically just paying a fixer for $200 (equivalent in PHP) and even if you attend the school genuinely and all, it's still super easy versus the west.


You might be overestimating how hard it is to get a license in the states.

My test was literally pay private driving school operator $50, pull onto a four lane road, change lanes, change lanes back, turn right three times to get back to the road, turn left, park successfully between the lines nose in, …and here’s a piece of paper for the DMV to give you a license. Maybe ten minutes, and have never had anyone check to see if I still know the rules in the 20 years since.

I’m sure it has gotten harder in some places, but we really don’t ask for much of new drivers.


Not just the test though. In some states you need approaching 100 hours of signed off driving with an experienced driver (honor system though) and a certified course


What state? This source seems to indicate that 70 hours is the extreme upper limit, with some states allowing as few as 6.

https://www.iihs.org/research-areas/teenagers/graduated-lice...


Ah. Good fact check. I swapped the numbers on minimum community service hours to graduate high school and this. But I think my point still stands that you can't just walk in and take the test


In hindsight, getting my driver's license was uncomfortably easy in the US. We crammed the answers right before the written exam as a class, I did 8(?) hours driving with an adult, and the practical exam was 2 left turns, a k-turn, 2 right turns, and parallel parking between 2 cones.


Having taken a license in both Denmark and the states, the test in the states was laughable in comparison. In Denmark, there are like 20 mandatory lessons, wet-surface practice, a theoretical exam and a practical exam, both of which people routinely fail (because they're hard). In the US, I paid 20 bucks, drove around the block, parked and received my license.


It's 2,500-3,500 Euros to get a license in Germany. I heard someone paying 6-8k tho.


It's not for anyone else: the non-Tesla AV companies use teleops to at most place breadcrumbs that the vehicle attempts to follow while still in full control of collision avoidance and lower level navigation.

There is never an actual remote driver turning the wheel.


While working at Cruise, I built tech to measure the latency even though they just draw a path. Latency absolutely does matter, otherwise you’re drawing that path through a crowd of people. You admit yourself they still need to be responsible for collisions, which you cannot safely do if the latency exceeds the safe tolerance. It doesn’t matter whether you’re drawing a path or turning a Mario kart steering wheel if the information you’re acting upon is incorrect or outdated.


Read my comment again... the vehicle is doing collision avoidance.

If Cruise really rolled out teleops that relied on low latency reactions from remote operators to not drive into crowds (not to mention perfectly reliable uplink), I'll have to file that away under reasons they're not around anymore.


I think the bigger problem is the mechanical turk "solution" where remote drivers are supposed to suddenly be a driver in corner cases as if that's a safe fallback


This is not how it works. The vehicle autonomously stops and/or pulls over, and then a remote driver takes over. Control is not handed over to a remote driver while the vehicle is barreling down the road and "jesus take the wheel"


> Starlink is also available, np

I would NOT be using Starlink for remote vehicle teleoperation even as a fall back.


> I would NOT be using Starlink for remote vehicle teleoperation even as a fall back.

I had to use Starlink last year, and latency was way more acceptable than expected even when under load (I did try to analyze and remove bufferbloat). Considering Tesla could likely get priority bandwidth from SpaceX basically for free, that would mean good latencies (I had 90ms tops in speedtests). Anyway you tell the car where to go, but it's the car following the path you draw for it and following traffic rules and collision avoidance, you're not directly driving the car. Even 1 second latency with 2s round-trip would likely not be a problem in these conditions.


90ms is absolutely not an acceptable delay. On a 25mph road, each 90ms is .0006 mile ~= 1 meter. Latency goes both ways, so that is a possible 1 meter before operator reacts and another meter before the corrective action takes place. Like other comment mentioned, remote operations can only be used for high-level instructions (or simpler highway driving).


I don't get it, you prefer a road accident?


I would personally prefer if companies didn’t offer services that simply don’t or can’t work as advertised.


Weirdly, in 2026, this is a controversial opinion.


this is 100% because we are under full-on cultism. you say anything anti-Tesla and army of elon defenders will go after you immediately. none of them would put their kids in one of these “robo”taxi “F”SD shits but they will defend elon/tesla mercilessly


To be fair it seems worse on the other side here on HN at least, I rarely see positive comments about Elon, so both sides seem to be doing the echo-chamber and defender mode, it's getting seriously absurd to not be able to have a talk on technology itself without it getting into politics, especially for non-US residents :/


> even as a fall back

Why this?


Latency


> Latency

One, a low-latency fallback beats no fallback. Two, at least for Waymo, the system is engineered to be high latency. Back-up drivers seldom directly drive the car, and when they do, it's not at the last minute. Instead, they give high-level instructions the car actuates.


If you look at the start of that episode, there is another crazy thing in there, a device which allows you to "see" the bits on a credit card track.

Apparently something called "magnetic viewing film" can allow you to see the bits on the magnetic stripes of credit cards.

I had never heard about this before.

Link to video time: https://archive.org/details/bbc-connections-1978/Connections...


Why? Because of LLM vibe coding?


Yeah. The next generation of software engineers is coming. Brace yourself.


Eternal sloptember?


Heavens forfend


Instantly finding a missing semicolon or unbalanced parentheses on a screen of text.

Kids these days!


The way I read the Anthropic docs, it seems the term plan is to block the usage of OAuth credentials with the "Claude Agent SDK".

This URL: https://code.claude.com/docs/en/agent-sdk/overview

Says this: "Unless previously approved, Anthropic does not allow third party developers to offer claude.ai login or rate limits for their products, including agents built on the Claude Agent SDK. Please use the API key authentication methods described in this document instead."

Again, it seems Anthropic prefers to bill API token rates (long run), not subscriber effective token rates.


It seems clear that Anthropic wants users to pay API rates for tokens when used in a programmatic way, and not subscriber rates for tokens when used from code. As a user, I want to pay the subscription rates with -p, but it seems they want to block that.


I don't claim to understand the factors which cause this, but a lack of security and exposed valuables at unlocked-doors, pre-opening mall in Shenzhen China without issues at 8am in the morning is very curious.

https://www.youtube.com/shorts/TZMXdR5fDrw

It seems pretty foreign to me, a PNW US citizen.

