• 0 Posts
  • 89 Comments
Joined 1 year ago
Cake day: May 7th, 2024

  • Easy there, you’re making a bunch of assumptions and accusations here. For starters, I do understand how spoilers work, I read the spoilers and I don’t think it adds a lot of value to the conversation.

    I’m technically from a CS background, but not in the field relevant to this post. I also don’t think people assume this topic to be basic. I happen to understand about 80% of it, but only ever have contact with about 20%, and that’s despite working in a CS-related field myself. And yes, I’ll keep using that abbreviation, because it’s convenient and I know that you understand it.

    The short answer to “how does this affect me?” is “if you don’t know what npm is, it doesn’t affect you”.

    The intention of the blog article and the post sharing it is to get a specific warning out to a specific technical group. This group doesn’t want to scroll past three paragraphs of context they already know to get to the parts that matter. They can’t cater to every audience, so they prioritise the people that can do something with their understanding.

    Unfortunately, that means that other people are left out of the conversation, because frankly, they have nothing to contribute. That’s neither malice nor arrogance, but simply expediency.

    However, you’re welcome to ask! Chances are, someone will be happy to answer and fill you in on the background. More specifically, someone may be able to give a subject-specific explanation. Most importantly, that explanation will be more reliable if it comes from a human familiar with the topic.

    Chatbots, no matter how diligently made to look like they know stuff, don’t and can’t know anything except the likelihood certain words occur together. They don’t have the required structure to understand the concepts behind the words. At best, they have memorised hundreds of generic explanations they can reconstruct, and hopefully that reconstruction will be accurate. But how would you know? You yourself don’t have the expertise to tell if they’re right.

    And because they don’t understand the concepts, they also can’t reliably connect the dots the way a human can. The more dots to connect, the greater the chance something will go awry. The bot can’t tell you “I don’t know” if it doesn’t understand what it means to know. It will generate a text that looks plausible, and you can’t verify whether it’s actually true.

    In the interest of actually getting a useful understanding, ask humans. The answer might look something like this:


    NPM packages are boxes of highly specialised supplies and tools. NPM itself is an assistant that keeps your supplies stocked and your tools in shape. You tell it what you want for your project and it’ll make sure you have it.

    The thing this post is about is a kind of evil robot that hides in these boxes. When your friendly NPM helper restocks, the robot crawls out of the box and starts exploring your workshop. It tells others what you’re building, what it looks like, shares any secret technology you’re using, creates and sends out copies of your keys – anything you’ve got lying around, it will attempt to make available for the people that built it.

    The worst thing is that it’ll build copies of itself and hide them in any boxes you create and send out to other people. If one supplier ships to five others, that’s five more recipients under attack. If two of them also ship out to five other people each, that’s another ten. And it gets bigger and bigger from here.

    So there we have it: An evil robot stealing your secrets and sending clones to anyone who trusts your product.


    We realise we’re not mundane. We just don’t have the time to explain everything all the time. That’s a problem all sciences (and many other disciplines) face: When you’re working in a deep well, you can’t come up to the surface after every step of your work or you’ll never get anything done.

    For CS, it’s probably more visible because the field is fairly young, rapidly changing, pretty large and the “basics” aren’t taught anywhere near as much as those of other, more well-established sciences.

    But if you ask, there’s a chance someone is available to help you out. Be friendly, and they’re more likely to be friendly back.

    I understand you care about making knowledge accessible and I applaud that. I acknowledge that CS has a long way to go still on that front. Let’s work on it together, shall we?

    Kind regards, LVK

  • I believe that’s what a write-down generally reflects: The asset is now worth less than its previous book value. Resale value isn’t the most accurate way to look at it, but it generally works for explaining it: If I bought a tool for 100€, I’d book it as 100€ worth of tools. If I wanted to sell it again after using it for a while, I’d get less than those 100€ back for it, so I’d write down that difference as a loss.

    With buying / depreciating / selling companies instead of tools, things become more complex, but the basic idea still holds: If the whole of the company’s value goes down, you write down the difference too. So unless these guys bought it for five times its value, they’ll have paid less for it than they originally got.



  • Which words do you mean? Because I understand them all. They convey information, the fundamental point of language, hence they don’t detract. Just because you can’t make sense of them doesn’t mean they’re nonsense.

    If you’re talking about “Mach Yeet”, yeet refers to forceful movement. This specific combination then means really fucking fast. The exact speed doesn’t matter. The frivolity of the language underscores their excitement or might just be their idiolect.

    Either way, so long as it’s nothing hateful or harmful (beyond hurting your linguistic sensibilities), trying to police other people’s vocabulary is narrow-minded and needlessly stuck-up.

    Why don’t you yeet that shit (throw it far away) and come join us in watching the fascinating evolution of language?




  • To clarify, I meant that from the devs’ perspective: The effort of individually vetting every single character for possible confusion is immense, and the end result would still be just as western-centric. Imagine having a domain name in Greek where some characters are replaced because they might be confused for Latin characters. Or, conversely, having a few characters replaced by similar Latin ones for an attack, which your solution wouldn’t catch.

    The result would also still be unreliable even for Westerners. If some other character set you didn’t vet also contains similar looking characters, there’s a new surface for attack.

    To properly close that security gap would be an immense arms race… or you could simply shut down the entire attack vector.

    So when you consider the importance of protecting gullible people from insidious attacks and the complexity of trying to allow non-Latin characters without creating openings, the question “How widespread are non-Latin URLs in my target audience and is it critical that they be rendered in their native script?” becomes a calculation of cost and benefit.

    It’s a shit compromise to deal with the shit fact that some people being assholes ruins good things for the rest of us who aren’t.
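The trade-off discussed in this comment (vetting individual look-alike characters versus simply refusing to render non-Latin names) can be made concrete with a small added Python example; it is not part of the original thread and not any browser's real logic. It approximates a character's script from the first word of its Unicode name and uses the standard library's idna codec for the xn-- form; the sample hostnames are constructed.

```python
import unicodedata

# Constructed sample hostnames (not from the thread). The last two spoof
# "apple.com": one swaps only the first letter for Cyrillic U+0430, the other
# is entirely Cyrillic (a, er, er, palochka, ie).
ASCII_NAME = "apple.com"
CYRILLIC_NAME = "пример.рф"
MIXED_SPOOF = "\u0430pple.com"
ALL_CYRILLIC_SPOOF = "\u0430\u0440\u0440\u04cf\u0435.com"


def scripts_of(label):
    """Scripts used by one DNS label, approximated from the first word of each
    character's Unicode name ("CYRILLIC SMALL LETTER A" -> "CYRILLIC").
    Digits and hyphens carry no script and are skipped."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split()[0])
    return scripts


def is_mixed_script(hostname):
    """True if any label mixes scripts, e.g. one Cyrillic letter among Latin ones."""
    return any(len(scripts_of(label)) > 1 for label in hostname.split("."))


def to_punycode(hostname):
    """ASCII (xn--) form of the name, i.e. what a browser shows when it
    refuses to render the Unicode form."""
    return hostname.encode("idna").decode("ascii")


def display_blunt(hostname):
    """The 'shut down the whole vector' policy: any non-ASCII name is shown as punycode."""
    return to_punycode(hostname) if not hostname.isascii() else hostname


def display_mixed_script_only(hostname):
    """The finer policy: only mixed-script names are shown as punycode.
    It keeps Cyrillic-only names readable, but an all-Cyrillic look-alike
    of a Latin brand passes straight through, which is the gap the comment describes."""
    return to_punycode(hostname) if is_mixed_script(hostname) else hostname
```

Running `display_mixed_script_only` over the samples shows the single-script spoof rendered natively while `display_blunt` turns every non-Latin name into its xn-- form, readable or not.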