Comment Re:That's OK. (Score 1) 122

Yeah, that and the companies who don't want to do "military applications" can just do pure research. Pure, ivory-tower research... which the DoD can just pay someone else to integrate into an actual weapon system. It's not like a machine learning algorithm knows or cares to what use it's put, once it is out there.

Dumb posturing; I also wonder if these people have considered what a world dominated by Chinese and Russian military AI will look like, and what effect it would have... I am not sure it would be the best of all possible worlds, exactly.

Comment Re:Future Headline: 64-bit app support ending soon (Score 1) 267

The day will come when people will grumble their old 64-bit computers are still working fine and yet they are being forced to replace everything with 128-bit computers.

That seems unlikely, even with a bus speed of 1 terabyte per second it would take over 200 days to visit all bytes in a 64-bit address space once, and with processor frequencies being stuck in the GHz range it seems unlikely we'll have processors that can consume terabytes of memory per second. Of course we can simply keep adding more processors, but transistors simply can't get smaller than one atom so there is a hard limit to Moore's law.

There are various annoying physical limitations that limit how powerful computers can be. There is a maximum information density (bits per volume), the minimum required energy to process information, etc. You can't count to 2^256.

Comment Re:You forgot WebAssembly! (Score 1) 117

Since you feel so strongly about this subject, and you're posting on slashdot, I'm sure you (or someone you hired?) have audited the 29k lines of code at https://a.fsdn.com/sd/all.js which get loaded on this very page (well, actually https://a.fsdn.com/sd/all-minified.js gets loaded, but I'm dangerously assuming that the former is the original version of the latter). So did you find anything suspicious? When was the last time those files got updated?

If you haven't actually inspected that JavaScript file, would you agree that your concerns are completely theoretical and that nobody is really going to bother to spend hours reading JavaScript for every new domain they visit (or spend thousands of dollars hiring a consultant to do so)? Given that the vast, vast, vast majority of people have come to like and expect the kind of behavior that scripts in the browser provide, wouldn't it be much more effective to do things such as lobby for user/browser tracking to be outlawed, inventing better tracking protection, etc.? Opposing scripts in the browser sounds like a technical solution to a social problem, which rarely works.

Comment Re:You forgot WebAssembly! (Score 2) 117

If you can read minimized JavaScript I'm sure you can learn to read WebAssembly (with a bit of effort).

I'm speaking to the point that they will be exploited for their processing power by WebAssembly. It wasn't until recently that it became a real option.

If it's the processing power you fear, I'm sure it's trivial for browsers to slow down WebAssembly execution so it matches that of comparable JavaScript code. If cryptocoin mining through WebAssembly/JavaScript becomes so widespread that average users really start to suffer, I'm sure browser vendors will find some sort of solution. E.g. throttling scripts that originate from a different domain than the website you're currently visiting, or throttling all scripts by default and having a button that enables unthrottled execution, which can be toggled per domain or url. Or perhaps they'll take some inspiration from virus scanners and build scanners that detect cryptocoin mining code and refuse to run it (with an opt-out for the false positives?).

WebAssembly will probably change some things about the web, but I don't think the future is as dark as you predict. Perhaps we'll go through a period where things will be a bit worse, but I fully expect the browser vendors to strike back when/if things get too bad: there is market share to be gained there.

Comment Re:You forgot WebAssembly! (Score 3, Insightful) 117

It's the most important because it's the final nail in the coffin for readable JavaScript.

Clearly you haven't been reading minified JavaScript recently. JavaScript hasn't been readable for years, and the world didn't end.

JavaScript as we know it is now over

I'd love to hear how you "know it" today, because the JavaScript served by most websites might as well have been a big binary blob.

Downthread you mention:

You're missing the point, this is about more than just advanced users.

Surely that is a completely separate concern? Non-advanced users have never been able to read JavaScript. And when WebAssembly becomes more popular, the non-advanced users won't be able to read that, too. So from their perspective nothing changes.

Comment Re:Loss of revenue (Score 1) 176

I doubt this has been lost on the DefCon organizers. Presumably they think that they'd lose more attendance by moving to Europe than by having people who can't safely travel to the US just not come, or attend/present via videoconference or something. And I suspect that's probably true -- very few people (in my experience) go to DefCon or similar conferences on their own dime; you go on your employer's money. And getting your employer to comp you a few hundred bucks for a flight to Vegas and a shitty hotel room (Vegas hotel rooms are notoriously cheap) is a heck of a lot easier than getting a company to cough up for a transatlantic ticket, hotel in Europe, etc. As long as the majority of the attendees are in the US, this is where the conferences are going to be.

But coming here if you're involved in cybercrime is probably, uh, not a very smart idea. That Hutchins came at all suggests to me that he didn't know that the FBI was onto his alleged previous (pre-WannaCry) activities; the alternative is that he's dumb, and he doesn't seem dumb. (Though a fair number of very smart people are also arrogant and don't give other people credit for being able to figure things out, so that's also an option, I suppose.)

There is a legitimate question as to whether there should be some sort of cyber amnesty program, though, given the number of mostly-legitimate "security researchers" who have shady backgrounds but seem to have moved on from them. I've got some mixed feelings on that. On one hand, getting blackhats and their knowledge out into the open so vulns can be remediated and the network in general made more robust is a Good Thing. But I don't know if it outweighs the message it would send, which is that you can basically play Computer Mafioso when you're young and then retire to a nice, secure, respectable position as "security researcher" without the threat of your prior activities coming back to bite you. That's not really how things work in the non-IT world; if you spend your 20s working for the Mob, and then retire to a respectable profession, that respectability is unlikely to protect you from getting a knock on your door sometime later, depending on the statute of limitations, for stuff you did earlier. Might make a judge or jury go easier on you, but it's not an ironclad defense.

Comment Re:No good deed goes unpunished (Score 1) 176

I think it's more like "one good deed today doesn't get you off the hook for the bad deed you did last week".

In other words, if you're a blackhat who happens to take down another blackhat, that doesn't buy you a get-out-of-jail-free card that you can play when other things you may have done in the past surface.

Or at least, not to an extent that stops you from getting indicted. It might play pretty well in court if the whole thing actually goes to trial, I'd imagine. Can't hurt anyway.

Comment Re:No sympathy for Apple (Score 3, Insightful) 410

Yes, but would the EU have done this to one of their own companies? Obviously not. They just want to stick it to the foreigners - especially Americans. It's a big "fuck you" straight from the EU.

Surely Apple isn't an American company! Its head office is in Ireland, and almost all of its profits are made there.

Comment Re:It's not the firewall's job to fend off malware (Score 1) 87

The only thing a firewall should be doing is to detect and block (D)DoS-attacks and connections to and from IPs on ports you don't want or you are sure you don't need, while allowing connections from other IPs and ports you actually do need.

But outbound connections to port 80 and 443 are guaranteed to be allowed in almost every environment, and an attacker can usually control the remote server, including on which port it listens and which protocol it speaks. And an attacker could also easily disguise communication as normal http or https traffic. In addition, a protocol has been created, standardized, and implemented in all modern browsers designed to work around the annoying port blocking restriction: websockets. So can we all stop pretending that blocking outbound connections to certain ports is actually helpful, rather than just making things harder and less efficient for everyone, without posing a significant barrier to actual attackers?
