I used GitHub's Copilot once and let it check one of my repositories for security issues. It found countless (like 30 or 40 or so for a single PHP file of some ~400 lines). Some even sounded reasonable enough, so I had a closer look, just to make sure. In the end none of it was an issue at all. In some cases it invented problems which would have forced me to add wild workaround code around simple calls into the PHP standard library. And that was the only time I wasted my time with that. :D
How about computers having replaceable SSDs? There's no point in being able to exchange the battery when the hard-soldered SSD dies first. (I have had more dead SSDs than batteries.)
Once I played a similar prank on a computer science teacher. Back in the Windows 3.x for Workgroups era this was. I made a screenshot of the desktop (showing a window) and set it as the wallpaper. Took the man a little while to figure out why that window couldn't be closed (and a hard reboot later, the window popped back up :) )
I'm getting a lot, and I mean A LOT, spam recently from various "<IP in reverse notation>.bc.googleusercontent.com" domains. Not sure what can be done about that. But the uptick is very noticeable.
Yup, same. I'm blocking bc.googleusercontent.com and also firebaseapp.com for now. The reverse DNS should also be able to be used, as the fakey spam domains don't match up with the PTR record, but I want to wait until I can watch the logs for a bit to make sure that works nicely.
Depends on the mail server. I'd probably 5xx all mail from googleusercontent.com as I don't give a toss if something Google breaks, and could debug what happened from the mail server logs. Google's incompetence in marking all the OpenBSD mailing list traffic as spam is why I'm running my own MX. If you have actual customers on your mail services you should audit the logs, see if anyone is actually using Google for something legit (usually it's the spam, I mean, marketing department being their usual sleazy selves), maybe flag the messages as potential spam by default. If you do have users doing something wacky with googleusercontent.com (email notifications from batch jobs, or something?) there are other ways those notifications could be done, e.g. over a VPN or via some other service that would allow all googleusercontent.com to be blocked by default from doing SMTP, ideally at the firewall level so less CPU is wasted on them. Complications here are that people forget or leave and so there might be some wacky workflow that uses Google running on some walled off server somewhere, so it may be a months long "slow simmer" to see if there is anything legit hiding in the noise. Or you could yank the band-aid off and see what breaks?
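The two replies above describe the same policy in words: reject anything whose PTR record sits under a blocked suffix, and treat a sender whose claimed domain does not line up with its reverse DNS as suspect. Below is an added example of that decision logic, not code from anyone in this thread. The PTR table is constructed sample data standing in for real resolver lookups, and the function names (`ip_from_reverse_ptr`, `classify_sender`) and the hypothetical `ptr_lookup` callback are my own; a real deployment would wire this into the MTA's connection or sender policy hook and call the resolver instead of the table.

```python
import ipaddress
import re

# Constructed sample PTR data standing in for reverse-DNS lookups.
# None means the address has no PTR record at all.
SAMPLE_PTR_TABLE = {
    "35.201.0.10": "10.0.201.35.bc.googleusercontent.com",   # genuine reverse-notation PTR
    "192.0.2.44": "1.2.3.4.bc.googleusercontent.com",        # PTR encodes a different IP
    "198.51.100.7": "mail.example.net",                       # ordinary mail host
    "203.0.113.9": None,                                      # no PTR
}

# Suffixes the comment above proposes to block outright (assumption: exact label match).
BLOCKED_PTR_SUFFIXES = ("bc.googleusercontent.com", "firebaseapp.com")

# "<octet4>.<octet3>.<octet2>.<octet1>.<provider domain>" reverse-notation hostnames
REVERSE_PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+)$")


def ip_from_reverse_ptr(ptr):
    """Rebuild the IPv4 address encoded in a reverse-notation PTR name, or None."""
    m = REVERSE_PTR_RE.match(ptr or "")
    if not m:
        return None
    octets = m.groups()[:4][::-1]  # labels are stored least-significant first
    try:
        return str(ipaddress.IPv4Address(".".join(octets)))
    except ipaddress.AddressValueError:  # e.g. a label above 255
        return None


def _under(name, domain):
    """True when name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def classify_sender(ip, sender_domain, ptr_lookup=SAMPLE_PTR_TABLE.get):
    """Return (verdict, reason) where verdict is 'reject', 'flag' or 'accept'.

    ptr_lookup is a hypothetical callback mapping an IP to its PTR name (or None).
    """
    ptr = ptr_lookup(ip)
    if ptr is None:
        return ("flag", "no PTR record for connecting IP")
    ptr = ptr.rstrip(".").lower()
    sender_domain = sender_domain.rstrip(".").lower()

    # A reverse-notation PTR that encodes some other address is not a host
    # the provider actually assigned this name to.
    encoded = ip_from_reverse_ptr(ptr)
    if encoded is not None and encoded != ip:
        return ("reject", f"PTR {ptr} encodes {encoded}, but connection is from {ip}")

    if any(_under(ptr, s) for s in BLOCKED_PTR_SUFFIXES):
        return ("reject", f"PTR {ptr} is under a blocked suffix")

    # Sender domain should be the PTR host or a parent of it (mail.example.net -> example.net).
    if not _under(ptr, sender_domain):
        return ("flag", f"sender domain {sender_domain} does not match PTR {ptr}")

    return ("accept", f"PTR {ptr} agrees with sender domain {sender_domain}")


if __name__ == "__main__":
    for ip, dom in [("35.201.0.10", "deals.example"), ("192.0.2.44", "deals.example"),
                    ("198.51.100.7", "example.net"), ("198.51.100.7", "other.example"),
                    ("203.0.113.9", "whatever.example")]:
        print(ip, dom, "->", classify_sender(ip, dom))
```

The PTR-vs-sender comparison is deliberately only a "flag", not a reject: plenty of legitimate mail hosts relay for domains that do not match their hostname, which is why the reply above wants to watch the logs before relying on it.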
I always force myself to do this too. The only 3rd party python library I regularly use is "requests" basically —a dependency that comes with its own baggage, see the recent controversy about "chardet"— but I go out of my way to grab it from pip instead of installing it via pip. :-)
Something like this:
try:
    import requests  # the normally installed third-party package
except ImportError:
    # fall back to the copy that pip vendors for its own use
    from pip._vendor import requests
I guess you really need to unpack each and every extension before installation and carefully inspect the code manually to see if it would only be doing what the extension is advertising.
Darn…
and I thought that the JSLibCache extension forcing every site into UTF-8 mode (even those that need to run with a legacy codepage) was a critical issue. A problem I encountered yesterday… took me a while to figure out too.
I never used the ~/Documents folder. Lots of apps just trashed their stuff in there over the years, making that folder entirely unusable for my actual document files. I would have to dig through the mess to find them. So I have to admit that I don't really understand the extra "care" Apple is giving to this particular folder. Same for the ~/Downloads folder: all my actual downloads go to some other disk, since the system disk is so small. Protecting these two folders would be entirely useless here.
IMHO what it really needs to be protected from is iCloud suddenly grabbing everything w/o the user's permission to upload it to some random Apple servers.