Still blows my mind that "binaries available" is called open source in the machine learning sphere. It's like calling Office 2007 open source (as opposed to the current browser versions) because you could run the binaries on a local machine.
That's source-available: you get to see the code and learn from it, but if you're not allowed to use it however you want (with the only common restrictions being that you must then credit the creator(s) and also allow others the same freedom on derivative works), then it's not the traditional definition of open source.
Wait, you pay extra for driving a cleaner vehicle when you live in that region? I'm not sure if I understand it correctly or if that's the full picture. Do EVs pay less for road taxes, emission fees, or get some different rebate that this fee is meant to balance?
It’s an attempt to get revenue that would otherwise be collected as gas tax. In practice it’s usually about twice as much as a gas car would generate in tax proceeds. Even in EV friendly states like the PNW.
Ah, I think I understand the difference: we pay taxes for electricity (it's ~35ct/kWh atm) and so there's plenty of proceeds for electric cars as well. Afaik for you it's normal to pay less than half, but then this flat fee for EV owners seems strange when everyone else (in the world, and those driving combustion vehicles) pays per actual usage.
We tend to structure taxes with specific targets, rather than rely on general funds for everything. The idea being that public service funding is somewhat targeted towards those parts of society who take the most use of it. Gas taxes traditionally are how a good chunk of our road maintenance is paid for (a good bit comes from the general fund, too, but usually the gas taxes are restricted so they can only be spent on road-related expenses).
EVs throw a wrench into the plan, and so the flat fee is one currently popular attempt to even out the taxes amongst road users. Another idea that got floated was tracking mileage on all cars every year and then levying taxes based on that. But this gets shot down pretty quickly because people perceive it as government tracking of their movements, and that is unpopular.
Personally I think we should just make commercial trucks pay all of it. They already have the infrastructure and policies in place to collect mileage-based taxes, trucks do the vast majority of damage to the roads they regularly travel on, and taxing them would spread around the tax burden to all the citizens who benefit from the existence of the road network (i.e. you get goods shipped on roads, you ought to contribute even if you do not own a car). Local roads should predominantly be funded through property taxes IMO.
Seems like in other parts of the world Pigovian taxes are way more popular. They are extremely unpopular in the US. AFAIK gasoline is largely the same price wholesale across the world, but Europeans (as an example) are completely okay with paying more than twice as much at the pump, and so more than half the retail price is a Pigovian tax.
The difference is that, in many places, the gas taxes are specifically earmarked for road maintenance.
Of course, a better solution would be to pass legislation properly funding road maintenance from the general funds, and raising income taxes to support that. But raising income taxes, even on those for whom a 50% increase in income tax would mean zero change in their actual lifestyle, is politically anathema in these benighted times.
That sounds like the extreme version of "but I need a fuel car because I want to drive it to France once a year for holiday". Driving something around all year for a once-a-year event is silly, but this is just insane. In a good life, you don't need this fallback from grid power even once in your lifetime!
At least, not beyond the inconvenience that is having to stay at home like 1 unplanned day per several decades. That's still three and three quarters of a nine of uptime even if you'd get the recent Iberian peninsula event every 10 years, and assumes you emptied the battery coincidentally the day before the outage. If you're not an EMT or power plant technician, you're doing more harm than good by being the person who can drive to work during a power outage and find that you're the only one there and nothing works anyway.
> That sounds like the extreme version of "but I need a fuel car because I want to drive it to France once a year for holiday".
Having just made the 1,000km trip to the French Alps and back again in a Tesla Y, that's not a valid excuse any more. Back at home in Australia, driving 2,200km from Mackay to Melbourne in an EV is also a common enough holiday trip.
The 5,000km trip to Perth might be a stretch, but it's considered a major undertaking in a conventional car too. You are crossing some of the most remote places on the planet that have paved roads. The problem isn't charging. It's that you need to carry spares - like drinking water for emergencies, and spare tyres.
It's the tyres that would stop me from doing it in a Tesla Y. The Y doesn't have a place for a spare tyre, which is a disease that seems to afflict many modern cars of all types. It doesn't even come with a jack. Worse it needs special tyres that are hard(ish) to find in a major city, let alone 1000km from anywhere.
Unless grandma lives in a place without electricity, the one issue you won't have in Australia or Europe is charging. EV charging points are everywhere now. Most parking lots have them. I dunno what the situation is in the USA, but if EV charging points are a problem I'd suspect deliberate government interference because in Australia at least every one seems to have been built privately. Unlike Europe Australia does not have much in the way of EV subsidies, yet they are springing up like weeds.
I suspect the reason is location, location, location. Similar to petrol stations, but unlike a petrol station the upfront investment is low, they aren't manned so no wage costs, in a shopping centre they attract customers and they seem to markup the cost by 80..150%. What's not to like? So get in early and get the best spots.
I guess I didn't make it clear that this quoted argument was meant to sound silly. I know you can go on holiday with EVs! My mom was a bit apprehensive about spontaneously needing to find chargers and figure them out, and so I invited her to a weekend trip for just the two of us, one of the goals being to see together how charging works out in different places and countries and how often that ends up being necessary etc. It was no problem at all if you can figure out the different payment methods (most worked with a magic card she got with the car, others wanted PayPal via a web portal etc.).
Considering how expensive cars are, I do find the trip-to-grandma reasoning useful. Most people want a single vehicle that can do everything. Dismissing that with, "Well just drive differently" or "You can do the hassle that is renting a car" is not a compelling sell. What if I want to do my vacation trips during the holidays where rentals are already booked?
I think full EVs are great if the lifestyle allows it, but plug-in hybrids seem a better fit for most people without requiring undue compromise.
What trip to grandma can't you do anymore with an EV?
> What if I want to do my vacation trips during the holidays where rentals are already booked?
The same as you do when any other part is booked out: go elsewhere or do something else. I don't buy a backup train in case the one I want is booked out one of the next ten summers.
Consider also the lifestyle change that's "growing older more healthily" by not having a population sit in exhaust fumes for 2x the daily average commute length.
Why the focus on sitting in traffic? Instead of more visionary solutions like banning single family homes, razing them all to the ground and replacing them with high rises next to offices supported by forced public transport? Surely that should be the true alternative to the use of ICE, and not EVs.
That's not how economics works. I can't do my job without a computer or glasses, but that doesn't mean I can pay the suppliers of these things most of my salary each. Preventing a 100k€ problem says almost nothing about what the payout should be. As for them just causing chaos for fun, that nets them just about nothing (what's an evening of fun worth, like what are you willing to pay for a cinema ticket?). This is certainly more (hundreds of times more) and so covers that risk as well.
In an ideal world, these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers constantly monitoring their stack. But those costs are cut, because the law de facto doesn't hold them liable for getting hacked. It's a very good deal for companies to pay bug bounties, but they mostly cheap out on that, too.
It's like a finder's reward elsewhere in life. If you lost your wallet, your immaterial and material loss is quite high, but apart from cash the contents are of way less value for a finder/thief. These types of rewards are meant to manipulate emotions and motivation. Twitter paid these kids each between $1 and $20. That's insulting. As I said elsewhere, bug bounties are PR. And it's bad PR in this case. Black market pricing is the absolute low end for valuation (it's basically the cash value in the wallet example).
> these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers [...]
I'm twice this kid's age and have been doing this hobby-turned-work as long as they have. I can tell you the work we do is no different. It doesn't matter if you're 16 or 64 or what your credentials are or salary is. We're all just hackers. Hacker ethos is judging by skill, not appearance. Welcome to hacker news :P
> Twitter paid these kids each between $1 and $20.
The submission doesn't say they've even contacted Xitter. I thought it was in the title just to drop names that we've heard of that used this dependency. Did you legit find somewhere that they got ≤$20 for an exploitable XSS on the x.com or twitter.com domains? That is definitely a strangely low amount, but then I'm not surprised by anything where Elon is involved. It could also have been a silent fix without even replying to the reporter; I've had that often enough. But yeah, from X I would expect a few hundred dollars at least, and from old Twitter (or another legit business) more than that (as Discord demonstrated).
Get off your high horse. In this instance it's been a kid, and it does not concern some highly arcane flaw in a crypto library or chained kernel exploit, which may have passed even a pro. I already implied this bug should have been found by in-house security, so obviously it's within the domain of professionals and teenagers alike.
> The submission doesn't say they've even contacted Xitter.
This one doesn't. This one does: https://heartbreak.ing/. Or at least, I presume they meant Twitter when they wrote "one company valued 44 billion".
I've rarely gotten bug bounty money and not even always a written thank-you, but it doesn't cross my mind to somehow seek out a malicious actor that wants to make use of what I found. Leave the place better than you found it and all that.
That's how language shifts. Supply chain attacks are broadly seen as a scary new thing, so like with any such term, people try to shoehorn things they find into its meaning. Those who fall for and repeat it shift the language. The same happened to the word 0day: it used to mean "a vulnerability that you specifically haven't had a chance to patch because it has been known to the world for 0 days". A scary thing. Now it's commonly used as a synonym for the word vulnerability.
I wonder if every vulnerability is soon called a supply chain attack:
- Microsoft releases a Windows security update -> Discord uses Windows -> supply chain attack on Discord
- User didn't install security updates for a while -> brought their phone to work -> phone with microphone sits in pocket in meeting room -> supply chain attack
Everything has dependencies that can be vulnerable; that doesn't mean "the supply chain" was attacked in a targeted effort by some attacker.
I critiqued the title elsewhere already, so let me say here that the screenshot does show code running in Discord's browser context. They didn't send it to an employee and actually pwn the company, as one might understand from the title, but it doesn't strictly say that, and I would count finding XSS as close enough. Saying they've pwned Discord is, I think, fair enough.
The other three companies mentioned though... yeah, they totally pwned the dependency first and foremost.
That doesn't specify how many bugs there existed in the Discord codebase throughout the time where this person was active. Only once you know that can you say whether they found a significant proportion relative to the effort they've spent and would spend as a part-time employee. That other people still find things also suggests that the statement above ("just hire him and you're secure") might have been a bit simplistic.