Hacker News: sh3rl0ck's comments

Is it weird that I now know exactly which xkcd it will be just with conversational context?

Granted I'm a bit of a Randall Munroe content addict, but it's become second nature now.


So you are not part of the lucky 10,000 today…

You're not alone. At this point I'm starting to recognise some by number as well.

A newly convicted criminal arrived in prison, and on the first night he was puzzled to hear his fellow inmates yelling numbers to each other. "36!" one would yell, and the rest would chuckle. "19!" went another, to uproarious laughter. "50," remarked a third wryly, which provoked groans and ironic cheers. Eventually his cellmate sat up and cried out "114" and it brought the house down.

In a lull, he asked his cellmate what on earth was going on? The cellmate explained that most of them had been in prison so long that they already knew all the jokes, so to save time they just referred to them by number. "Oh," says the man, "that makes sense. Can I try?"

His cellmate encouraged him to go ahead, so he stood up and went to the bars and shouted as loud as he could "95!"

Absolutely no reaction. His cellmate looked at him and shook his head. "You didn't tell it right."


And some time later, someone shouts “72!” Everyone chuckles except from the one in the corner cell, who laughs so loud and for so long people think he'll have a heart attack. When eventually he stops laughing, someone yells: “Hey Fred, why did you laugh so much?” “I'd never heard that one!”

Ha, you made me think of casually referring to xkcds by number just as we did with RFCs back in the day. "I don't know, the socket states seem to follow RFC 793, but remember it's a 1918 address on the south side of the NAT."

I'm gonna keep a lookout for doing this with xkcds now :)


There are a few that pop out but the one that has managed to stick (aside from 1053 that just came up), is 927 for standards, which you can remember as 3^2 for 9 and 3^3 for 27. Or Yoda's age + the 27 club.

Communicating the number of XKCD comics, especially in binary, is a very efficient and energy-preserving way to get a laugh.

A: 10000011101 !

B: ACK. LOL !


I feel like the same top ~5 are often repeated so it becomes easy to guess.

I know exactly what you mean. It broke my workflow too.

I think, in the spirit of the xkcd, you were supposed to pretend you have never heard of it

I agree.

There's such an opportunity for people to actually explore ideas whose prototyping cost would have been too high with both time/money to not be worth it earlier.

And even outside that perspective, there's a lot of broken corpo software now. The indie hackers are fighting back. See Helium by imputnet, for example. Ghostty by the revered Mitchell Hashimoto is another example of something I use daily and is relatively indie.

Corpo-slop seems to be enshittifying at an exponential rate due to decision paralysis and general management talent decay.


I shifted from Crush to Opencode this week because Crush doesn't seem to be evolving in its utility; having a plan mode, subagents etc seems to not be a thing they're working on at the mo.

I'd love to hear your insight though, because maybe I just configured things wrong haha


I can't understand why every CLI tool doesn't have Plan mode already, it should be table stakes to make sure I can just ask questions or have a model do code reviews without having to worry about it rushing into implementation headlong.

Looking at you, Gemini CLI.


One's banned in my hostel because of a stupid sysadmin.

One isn't.


I've run into a few odd instances of headscale not working where I'd expect it to and I don't understand how it's failing.

- Connected to my phone hotspot in the car outside my son's therapist, it worked for months, but then for 2-3 weeks tailscale wouldn't connect. Browsing worked fine. In the 6 weeks since then, it's worked fine.

- A couple of nights ago I was in a Holiday Inn Express. I could successfully connect to tailscale and ssh to machines at the office (which has tailscale on a public IP), but couldn't pass traffic to my machine at home (behind NAT; we have a DERP next to the machine at the office and also another one on the headscale node at AWS). Maybe they blocked the DERP port?


I have found that residential ISP routers are notoriously flaky. It doesn't take much to confuse them. A lot of edge cases could be just this.


Would you mind revealing which one is banned? I wonder what they are using to make that determination.


They are most likely referring to tailscale in my opinion.


Yes.


Not allowing random VPN connections on a LAN is pretty standard. I've been surprised at how many people here are able to use tailscale and the like. Guessing it's just because there are likely smaller teams here that don't have any kind of managed network.


About that, we actually tried (with support from the network team) to open a small VPN from our office for some mobile devices as part of an event installation. Just plain wireguard on a public IP.

After two weeks of back and forth the wireguard packets were still being discarded somewhere by a firewall/router thanks to "deny VPNs by default". Tailscale got through those immediately though by using their relays + one of the workarounds for standard wireguard ports being blocked. Point being, the service provided by a mature solution like Tailscale for punching through networks is surprisingly effective even for corporate-level networks.
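What the "deny VPNs by default" rule in the comment above is most likely matching, as an added example (not code from the commenter, Tailscale or the WireGuard project): every WireGuard message starts with a one-byte type and three reserved zero bytes, and the three handshake messages have fixed lengths (148, 92 and 64 bytes), so a firewall can recognise the protocol on any UDP port without a port list. A client relayed inside a TLS session on tcp/443 (which is how Tailscale's DERP relays are reached) carries none of that framing and presents as an ordinary TLS flow, which is why the relay got through where the raw WireGuard peer was dropped. The sample packets below are constructed, with field contents zeroed; only the framing matters for the check.

```python
"""Fingerprint plain WireGuard traffic by its fixed message framing.

Added example, not from the thread or from any project's code.  Message types
and sizes follow the WireGuard protocol description: handshake initiation is
148 bytes, handshake response 92, cookie reply 64, and transport data is a
16-byte header plus a payload padded to a multiple of 16 plus a 16-byte tag,
so it is at least 32 bytes and a multiple of 16.
"""
from typing import List, Optional, Tuple

MSG_HANDSHAKE_INIT = 1
MSG_HANDSHAKE_RESPONSE = 2
MSG_COOKIE_REPLY = 3
MSG_TRANSPORT_DATA = 4

FIXED_LENGTHS = {
    MSG_HANDSHAKE_INIT: (148, "handshake_initiation"),
    MSG_HANDSHAKE_RESPONSE: (92, "handshake_response"),
    MSG_COOKIE_REPLY: (64, "cookie_reply"),
}


def classify_wireguard(payload: bytes) -> Optional[str]:
    """Return the WireGuard message name if a UDP payload matches its framing, else None."""
    # Every valid message is >= 32 bytes and has three zero reserved bytes after the type.
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None
    msg_type = payload[0]
    if msg_type in FIXED_LENGTHS:
        size, name = FIXED_LENGTHS[msg_type]
        return name if len(payload) == size else None
    if msg_type == MSG_TRANSPORT_DATA and len(payload) % 16 == 0:
        return "transport_data"
    return None


# A flow is (description, transport protocol, destination port, first payload bytes).
Flow = Tuple[str, str, int, bytes]


def vpn_deny_verdicts(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Apply a 'deny VPNs by default' rule: drop any UDP payload that parses as
    WireGuard regardless of port, pass everything else (including TCP/TLS)."""
    verdicts = []
    for desc, proto, _port, payload in flows:
        hit = classify_wireguard(payload) if proto == "udp" else None
        verdicts.append((desc, f"DROP ({hit})" if hit else "PASS"))
    return verdicts


# Constructed sample traffic: zeroed fields, realistic framing.
SAMPLE_FLOWS: List[Flow] = [
    ("wg handshake, default port", "udp", 51820, b"\x01\x00\x00\x00" + bytes(144)),
    ("wg handshake, moved to udp/443", "udp", 443, b"\x01\x00\x00\x00" + bytes(144)),
    ("wg transport data, udp/4500", "udp", 4500, b"\x04\x00\x00\x00" + bytes(28)),
    ("wrong length with wg type byte", "udp", 51820, b"\x01\x00\x00\x00" + bytes(60)),
    ("DNS query", "udp", 53, b"\x12\x34\x01\x00\x00\x01" + bytes(26)),
    ("TLS ClientHello to a relay on tcp/443", "tcp", 443, b"\x16\x03\x01\x00\xc8\x01" + bytes(26)),
]

if __name__ == "__main__":
    for desc, verdict in vpn_deny_verdicts(SAMPLE_FLOWS):
        print(f"{verdict:30} {desc}")
```

Moving WireGuard to udp/443 does not help against a rule like this, as the second sample shows; only changing what the packets look like on the wire (a TLS-wrapped relay) does. From the client side, `tailscale netcheck` reports which DERP relays are reachable and whether UDP works at all, which is the quickest way to tell a blocked-UDP network from a blocked-relay one.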


Smaller teams, yes, but also it seems as though the SaaS explosion has led to many enterprises significantly relaxing the "hardness" of their network boundaries, at least when it comes to integration with companies whose services they depend on. I've seen Tailscale and tools like ngrok being approved to get into large enterprises who you might think wouldn't allow it. Some of these enterprises will set up a bastion in a DMZ to control that, but I've been surprised by how many don't do that.

That relaxation tends to have ripple effects - once you allow tunneling tools in for one purpose - like SaaS integration - then it becomes more normalized and people start using it for other purposes.


Someone is making your IT team do extra work without a good understanding of their systems if they're banning tailscale or granting special network level access thinking that ip or mac address based profiling is secure.

Your network should be zero trust. That means you want to treat every host that connects as if it's on the public internet; the corollary to that is you should give your hosts access to the public internet, unrestricted, and treat your users like adults who don't need micromanaging or constant surveillance (do sane logging, ofc.)

If you need a host that's subject to continuous surveillance, design it as such and require remote access with MFA, and so on.

Give your end users as much freedom as possible, and only constrict it where necessary, or you're going to incentivize shadow IT, unintended consequences, and a whole lot of unnecessary make-work that doesn't contribute to security.

Unrestricted access forces change management, design choices, and policy to confront each user and device for the attack vector they are, and to behave accordingly.


And then a few of those users who you treated like adults who don't need surveillance make a private network among themselves and other nodes in Russia and China to exfiltrate the corporation's most sensitive intellectual property, serve as a bridge for state-sponsored bad actors to bypass your firewall, and tunnel command-and-control traffic through your "unrestricted" egress, and now your zero-trust philosophy has created a zero-accountability blind spot that your IR team discovers eighteen months later during a breach investigation.


If your threat is state sponsored bad actors you've already failed. OK, great, you blocked VPNs. Now they tunneled their VPN through as HTTPS. You successfully annoyed all your legit users and completely failed to stop the real problem.


HTTPS is also inspected in our place and has been for a decade.

Also there's different classes of state sponsored APT groups. You won't stand a chance against the NSA but there's a lot of state sponsored groups in Russia that are just looking for low hanging fruit to get some foreign money for their regime.


What’s the alternative—locking down all legitimate users and still losing the data anyway?

Network controls alone don’t stop exfiltration. HDMI/DP can move data faster than most consumer NICs. Does the system account for that scenario?


It's a matter of layers. Banning VPNs isn't a perfect measure. But it makes it a lot easier than when you let everyone cowboy around.

Same with RBAC. It's not perfect because some people need legit access to stuff and it can be abused. But it makes it much harder for bad actors.


> Network controls alone don’t stop exfiltration.

Stop signs alone don't stop all traffic accidents.


You know, that makes sense for a corporate network. They have an extremely aggressive firewall on the academic campus, which is how it should be.

However, they have failed to provide isolated networks for the research labs which just need it for even downloading LLMs (they have banned huggingface!).

Moreover, a hostel is residential. They should provide either the option of getting an external connection (which I would happily do!) or provide a means of non-stupid internet which they aren't.


Then you've failed in security infrastructure, policy, and enforcement, and you've infantilized your users and wasted a bunch of IT time on checking boxes. The real power move in that case would be ensuring some third party vendor checked the boxes for you, so that your ass gets sufficiently covered and you have a narrative that goes something like "well, we did everything you're supposed to, those pesky superhackers are just soooo devious and skilled that they can get anywhere!"

The actual fix for things like that is to ensure that your sensitive data is properly protected, and things that you don't want exfiltrated aren't put into scenarios where exfiltration is possible. If you need to compromise on security for practicality, then make those exceptions highly monitored with multiple people involved in custody and verification. Zero trust means you don't give any of your users or host devices any trust at all, and modern security software can require multiple party approvals and MFA.

You can use a phone to scan documents as you scroll through them, or mitm hardware devices that appear to be part of a cable, or all sorts of sneaky shenanigans, and it's a never-ending arms race, so you have to decide what level of convenience is worth what level of risk and make policies enforceable and auditable. In some cases that might mean SCIF level security with metal detectors and armed guards, in other cases it might mean ensuring a good password policy for zip files shared via email.

Inconveniencing users by limiting web access and doing the TSA style performative security thing is counterproductive. This doesn't mean you give them install rights, or you don't log web activity, or run endpoint malware scanning, or have advanced unusual activity monitoring on the network and so forth. It just means if Sally from accounting wants to go shopping for ugly christmas sweaters for staff on Etsy, she doesn't have to fill out forms in triplicate and wait 3 months while the IT department gets approvals and management has meetings and the third party security vendor does a policy review and assessment before signing off on it, or telling her no.


Exactly.

I'm from a cybersec and devops background, and the IT admin here is just an ancient family-appointed person with no idea of how stuff works and with a lot to gain from under the table corporate dealings.

This is a man who believes that 15 megabit is sufficient bandwidth for CompSci students in their hostels (not the college, mind you, the hostel specifically) and decided that banning games was a "hero move".

Vendor locked into Sophos and a custom third party provider, these people have zero idea about what they're doing. I've met them various times and had various discussions up and down the org chart - this is a man who thinks he should have full access to every student's browsing history in their own time and that all VPNs are the same (he doesn't know how VPNs work btw) and allow for evasion from their network policies.

It's all a bit cursed because he fear-mongers the upper echelons of the college administration by showing them made up logs saying "students are hacking the network" to justify this.


Either via a VPN or a tunnel.


Yeah, it's actually quite decent, but I still feel that most of those features are basic UX that really shouldn't be application/vendor tied.

I found Goose (by Block) - https://block.github.io/goose - much better in this regard. Granted it perhaps doesn't have the app tie ins that most other providers do, but I can kinda just ask it to perform tasks in a specific kind of folder and it does, using whatever provider I want.

I got the GLM coding plan earlier, and given its generous rate limits, I found using it to do tedious tasks (like folder organization, which is perhaps my greatest weakness; especially Downloads) was a true addition to my productivity.

I feel there's a lot of scope for applications to focus on task contexts (with/without code agents having a ton of files like AGENTS.md, CRUSH.md, CURSOR.md spammed around) in specific folder bounds with proper user sandboxing.


Ah yes, the good ol' HN hug o' death.


Always wondered how much traffic that actually is. Would love to see a behind-the-scenes view of the number of requests made.


The peak is a handful of requests per second. If you have a static site, the cheapest Hetzner tier handles it just fine.


Pytorch + CUDA is a headache I've seen a lot of people have at my uni, and one I've never had to deal with thanks to uv. Good tooling really does go a long way in these things.

Although, I must say that for certain docker pass through cases, the debugging logs just aren't as detailed


uv doesn’t fundamentally solve the issues. It didn’t invent venv or pip.

What fundamentally solves the issue is to use an onnx version of the model.


Do you know if it's possible to run ONNX versions of models on a Mac?

I should try those on the NVIDIA Spark, be interesting to see if they are easy to work with on ARM64.


Yup. The beauty of it is that the underlying ai accelerator/hardware is completely abstracted away. There’s a CoreML ONNX execution provider, though I haven’t used it.

No more fighting with hardcoded cuda:0 everywhere.

The only pain point is that you’ll often have to manually convert a PyTorch model from huggingface to onnx unless it’s very popular.
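The provider abstraction described above, as an added example (not the commenter's code and not taken from onnxruntime's documentation): instead of a hardcoded `cuda:0`, the session is asked for a preference list and falls back to CPU when the accelerator provider is not compiled in. The provider names, `onnxruntime.get_available_providers()`, `InferenceSession(..., providers=[...])` and `torch.onnx.export` are real APIs; `choose_providers`, `digest_matches`, `load_session` and `export_to_onnx` are helpers written here, and `model.onnx` plus the all-zero digest are placeholders. The digest check is there because a manually converted `.onnx` pulled from a hub is an unsigned file, so pin what you load.

```python
"""Provider-fallback loading for ONNX models, with a digest check before loading.

Added example; onnxruntime and torch are imported lazily so the helper
functions can be exercised without either installed.
"""
import hashlib
from pathlib import Path
from typing import List

# Ask for accelerators first, always finish with CPU so the same code runs on
# a CUDA box, an Apple Silicon Mac (CoreML) or a plain container.
PREFERRED = [
    "CUDAExecutionProvider",
    "CoreMLExecutionProvider",
    "CPUExecutionProvider",
]


def choose_providers(available: List[str], preferred: List[str] = PREFERRED) -> List[str]:
    """Keep preferred providers that this onnxruntime build actually offers,
    in preference order, and guarantee CPU as the final fallback."""
    chosen = [p for p in preferred if p in available]
    if "CPUExecutionProvider" not in chosen:
        chosen.append("CPUExecutionProvider")
    return chosen


def digest_matches(data: bytes, expected_sha256: str) -> bool:
    """True if sha256(data) equals the pinned hex digest (case-insensitive)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def load_session(path: Path, expected_sha256: str, preferred: List[str] = PREFERRED):
    """Verify the model file, then open it on the first usable provider."""
    import onnxruntime as ort  # pip install onnxruntime (or onnxruntime-gpu)

    if not digest_matches(path.read_bytes(), expected_sha256):
        raise ValueError(f"{path}: sha256 mismatch, refusing to load")
    providers = choose_providers(ort.get_available_providers(), preferred)
    return ort.InferenceSession(str(path), providers=providers)


def export_to_onnx(model, example_input, path: Path, opset: int = 17) -> Path:
    """Manual PyTorch -> ONNX conversion for a model that has no published ONNX build."""
    import torch

    model.eval()
    torch.onnx.export(
        model,
        example_input,
        str(path),
        input_names=["input"],
        output_names=["output"],
        dynamic_axes={"input": {0: "batch"}, "output": {0: "batch"}},
        opset_version=opset,
    )
    return path


if __name__ == "__main__":
    # Hypothetical path and digest: replace with your converted model and its pinned hash.
    sess = load_session(Path("model.onnx"), "0" * 64)
    print("running on", sess.get_providers())
```

`sess.get_providers()` after loading tells you which provider onnxruntime actually bound, which is the thing to log when a deployment is unexpectedly slow: a missing CUDA or CoreML build silently lands on CPU rather than failing, so the fallback should be visible rather than assumed.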


The fact that it's a subscription is slightly off putting.

Loved the UI photos, but I guess I'll continue with Navidrome + Feishin/Symfonium.


I bought the lifetime membership half a decade ago and never looked back. It's a bit like the Plex one in that sense.


Jellyfin user but also leaning on the Feishin/Symfonium desktop/mobile combo. Two of the best UX in the game


They mention their "cookbooks" but I couldn't find them... Their blog was immensely interesting so I could see this being a good entry point.


