The fuel pump not automatically restarting on power loss may actually have been an intentional safety feature to prevent scenarios like pumping fuel into a fire in or around the generators. Still part of the Swiss cheese model, of course.
It wasn't. They were feeding generators 1 & 2 with the pump intended for flushing the lines while switching between different fuel types.
The regular fuel pumps were set up to automatically restart, which is why a set of them came online to feed generator 3 (which automatically spinned up after 1 & 2 failed, and wasn't tied to the fuel-line-flushing pump) after the second blackout.
There are dozens if not hundreds of issues just like this one in ffmpeg, except for codecs that are infinitely more common. Google has been running all sorts of fuzzers against ffmpeg for over a decade at this point and it just never ends. It's a 20 year old C project maintained by poorly funded volunteers that mostly gives every media file ever the be-liberal-in-what-you-accept treatment, because people complain if it doesn't decode some bizarrely non-standard MPEG4 variant recorded with some Chinese plastic toy from 2008. Of course it has all of the out-of-bounds bugs. I poked around on the issue tracker for like 5 minutes and found several "high impact" issues similar to the one in TFA just from the last two or three months, including at least one that hasn't passed the 90 day disclosure window yet.
Nobody who takes security even remotely seriously should decode untrusted media files outside of a sandboxed environment. Modern media formats are in themselves so complex one starts wondering if they're actually Turing complete, and in ffmpeg the attack surface is effectively infinitely large.
The issue is CVE slop because it just doesn't matter if you consider the big picture.
I don't get why you think linking to multiple legitimate and high quality bug reports with detailed analysis and precise reproduction instructions demonstrates "slop". It is the opposite.
This is software that is directly or indirectly run by millions of people on untrusted media files without sandboxing. It's not even that they don't care about security, it's that they're unaware that they should care. It should go without saying that they don't deserve to be hacked just because of that. Big companies doing tons of engineering work to add defense in depth for use cases on their own infrastructure (via sandboxing or disabling obsolete codecs) doesn't help those users. Finding and fixing the vulnerabilities does.
All of these reports are effectively autogenerated by Big Sleep from fuzzing.
Again, Google has been doing this sort of thing for over a decade and has found untold thousands of vulnerabilities like this one. It is not at all clear to me that their doing so has been all that valuable.
Google fuzzing open source projects has eliminated a lot of low hanging fruit from being exploited. I am surprised you think that finding these vulnerabilities so they can be fixed has not been valuable.
The article has good tips, but Unicode normalization is just the tip of the iceberg. It is almost always impossible to do what your users expect without locale information (different languages and locales sort and compare the same graphemes differently). "What do we mean when we say two strings are equal" can be a surprisingly difficult question to answer. It's practical too, not philosophical.
By the way, try looking up the standardized Unicode casefolding algorithm sometime, it is a thing to behold.
in particular, the differences between NFC and NFKC are "fun", and rather meaningful in many cases. e.g. NFC says that "fi" and "fi" are different and not equal, though the latter is just a ligature of the former and is literally identical in meaning. this applies to ffi too. half vs full width Chinese characters are also "different" under NFC. NFKC makes those examples equal though... at the cost of saying "2⁵" is equal to "25".
I'm Swedish and if someone insists on doing a transaction using cash when Swish or card is available, I'd immediately start to wonder if it's for some kind of more or less shady reason, probably tax evasion at the very least.
You have to differentiate common purchases from "large" purchases in this discussion. I'm certain you don't think there's something shady going on, or tax evasion happening, if someone uses cash in the grocery store or at Pressbyrån, or to pay for some little gadget or whatever at Kjell&Co.
This is what people think of when someone "uses cash". Not hauling tens of thousands to buy a used car or to settle the bill for having your bathroom tiled, which would be cases I too would raise an eyebrow over.
I think they're talking about when merchants insist that you give them cash ("cash only"), not when buyers insist on giving cash. The usual assumption is that if e.g. a street-food cart is cash-only, it's not because they can't accept cards (it's rather trivial nowadays) but rather that 1. they don't want to pay the interchange fees, and more importantly, 2. they want to be able to cook their books when reporting revenue.
There are businesses that attract people that use cards fraudulently and the business gets flagged demand eventually dropped. Gas stations in less desirable neighborhoods in the US have this issue and some only take cash.
Credit card fraud is not nearly as common in Europe as it is in the US.
Additionally, and specifically in Sweden, the fees that banks charge businesses for handling cash (picking it up and depositing it at the end of each business day) have increased significantly in the last decade or two. This has been a significant factor in driving businesses away from cash - it's just expensive for them to deal with.
Definitely cultural: Italy has a big tradition of merchants evading taxes, and there have been multiple steps over the year to mandate card payments cause those imply the merchant will pay taxes.
So if you are a law abiding citizen you can easily be pissed off that you get to pay taxes and they don't.
For a few years "we don't take card" was widely interpreted as a strong indicator the merchant would evade taxes, and "I won't go there anymore" was a common reaction from some people. These days it's technically illegal and yet you will still find _some_ shops that only want cash.
A cheaper alternative to cards here is app payment via Swish (approximately like Venmo). Goes straight to the vendor's bank account at a flat rate of the equivalent of USD ~$0.15 per transaction.
That used to be semi-common for smaller transactions in Sweden but was made illegal. Not sure why, probably to fight tax avoidance.
At this point the cost of handling cash is way higher than handling cards and as no one in Sweden ever uses cash its no longer relevant at all anyway. Now many (maybe even most?) dont accept cash to avoid the cost of handling cash instead.
No, it really doesn't, besides the fixed investment of buying a cash register. The idea of being forced to hand over a percentage of all my earnings to private company is abominable. I pay taxes to the elected government, not to some bank. It's why I only accept checks, ACH transfers or cash as payment, and it saves me 3% of my income a year over taking credit cards.
In the EU fees are capped at around 0.3 % I believe.
And you're mistaken if you think cash is cheaper for most stores. You risk theft (so need to pay for measures against that), you have straight losses from mistakes, have to spend time handling and counting cash, spend time depositing, spend time buying change, etc etc
I’m pretty sure there are fees involved with running a cash register, aren’t there? At least in Sweden, the machine has to be certified, registers with the tax authority and then inspected for re-certification regularly.
Regarding cash, does your bank not charge a fee for depositing cash?
What do you think happens to the cash at the end of the day?
Managing cash has costs too, they're just harder to quantify: you have to ferry it to a bank, you have increased risk of theft, fraud, and robberies, you need extra time to actually check the register etc.
And then you risk losing business if you don't offer card payments because it's just more convenient for most customers (you may like wise lose some if you don't take cash, but that's a vanishing market).
One big difference is that there's competition between cash handling providers, while there's essentially zero wiggle room for interchange fees.
That's what makes interchange and network fees so much more problematic than acquiring fees. There's very healthy competition between credit card acquirers and payment service providers on both features and price, but in the end, you have to accept whatever card your customer has or there won't be a transaction.
In the EU the authorities have recognized the power of the card networks and introduced price controls on interchange fees in 2015, capping them at 0.2% for debit cards and 0.3% for credit cards.
Note that Europe passed a law that limits interchange fees to something very low by US standards, like $0.20 or 0.05%, so it's not a reasonable excuse.
(The fact that credit card networks continue doing business in Europe proves they're still profitable and the US is getting ripped off by these fees)
Yeah there's that cash only bar in central Stockholm that's cash only. Everyone just "knows" they launder money there. I forget the name of the bar, it's on a barge near Tantolunden. it's the shadiest place I know where you can't barely find any shade!
FWIW I am Australian and we have a similar adoption rate of cashless payments.
If a merchant tries to promote cash options I immediately think they’re doing it for tax evasion reasons - not because of the touted reason that “card payments cost more to process” (they don’t once you factor in the cost of handling cash).
People forget that the credit card companies charge businesses to process transactions. Some stores/restaurants even give discounts for paying in cash because of this.
In my country if you pay with credit card at a grocery store (or anywhere) you get 3.5% tacked on to your bill. Merchants don't eat the cost, and don't hide it in the listed price of goods; it's explicitly passed on.
This is explicitly forbidden by almost all card processing networks (and by the government, in many countries). If you report a business who is doing this to the card processor, they'll likely get their card processing privileges suspended.
On the other hand, cash has its costs. You need to have a register, more training, more insurance, processing of cash at the bank, having it deposit cash at the end of every day, etc.
With credit cards you pay a fee, but you don't have to deal with all of those other things that people often don't consider.
If a significant amount of your business is cash based then the risk is much higher. If you're doing $100 worth of cash transactions per day then your registers and safe probably don't have much and you can probably get away with weekly or even monthly deposits. Whereas if you're dealing with $1000s in cash then you probably want to deposit daily, need a lot more security around your register and safe, and probably have a much higher quality safe too.
I've lived in Seattle for decades, and have -never- found a business that would not accept cash. If I -had- I would have set down my prospective purchase and walked out the door with a promise never to return.
Apart from a transit card (all the mass transit also takes cash ... no fee added), I'm not going to pay to feed the surveillance machine.
There have been a number of food trucks in the Seattle area that don't accept cash for the past 5 years. A popular food truck might have >$5k in cash sitting there by the end of the lunch rush - it puts an awfully tempting target on your back.
Where I live in Seattle, a lot of businesses simply don't handle cash at all, because break-ins for the cash register are quite expensive to deal with, and they circumvent that problem by simply posting outside the business that there is no cash.
One of the few businesses near me that must take cash, a dispensary, recently had an issue where somebody tried to break in using a stolen pickup truck to crash into the building. They didn't get the cash because they didn't get past the interior bollard system, but they did cause enough structural damage that the roof partially collapsed into the street.
I mean sure, US is special in this case, especially since you don't actually persecute small time thieves...
But i've paid with cash all over europe, and except for some vending machines, i've never been turned down, be it london, paris, berlin, belgrade or athens... from large supermarkets and museums, to local corner newsstands with a small fridge and cold drinks and local fast food joints. On the other hand, the most unsafe I ever felt as a traveller was in chicago, supposedly in a "nicer/safe area", and I've been through the balkans in the 1990s.
Here in the deep (American) South, small businesses give discounts for cash because those global elites are trying to take away our cash and want to track us or whatever. To that mindset, cash is a way to resist a theoretical oppression.
This is the reason I try to pay everything I reasonably can with cash. I’m about as northern as you get.
I’m definitely looked as crazy in my friend group from time to time, but over the years I’ve just become known as the guy who will always have cash on him if necessary so I guess the walking ATM bit helped with acceptance of it?
I figure that if folks don’t take a stand and use cash even if they don’t need to now, we will lose the ability to later. I don’t want to live in a world where all my purchases are mineable, because that eventually turns into monitored and then authorized.
The inconvenience is a small price to pay for freedom from surveillance.
It has amused me though over the years how bad cash handling skills have become. When I was a cashier as a teenager 25+ years ago, myself and all my fellow coworkers could break change at relative light speed and often just from mental math/memory. Now it’s amusing watching a young cashier give change back on a $48.31 order after handing them a $100 bill. Sometimes takes longer than the proverbial grandma writing a check back in my day.
Here in the Pacific Northwest, businesses give discounts for cash just because it saves them money. In Portland, we still have a fair number of bars that are cash only. And yeah, liberals here also consider it an invasion of privacy to have to use a card, but they couch it in terms of it being unfair to people without credit or bank accounts (which, tbh, is also a fair argument).
It's been 10 years since I lived in Argentina, but at that point having a credit card (not a debit card) was still reserved mostly for the folks in Barrio Norte. Has that changed now, or is it still mostly debit?
I know that this is true (I used to work in card payment infrastructure), but I've also talked to people who run cash businesses and deliberately under report their income. So I think it's not so uncommon.
I, as a private individual, can accept card payments for 1.69%. I have a physical chip and pin reader (that pairs with my phone), it cost me £25, but I can take contactless payments using just my phone. If I didn't want to use my phone, I'd need the £75 reader that comes with a 4G connection (at no extra transaction or subscription cost).
If I were charging £3k/month, I'd be just above the threshold where paying £19.99/month to get a transaction fee of 0.99% saves money overall.
I get the terminal directly from my bank here in Spain, it's something like €5/month + 0.02% of transaction. Is it much higher in other parts of the EU?
0.2% of 3000€ is 6€. I’m not sure how big of an impact that is, considering the non-negligible costs of handling this much money in cash. If a business earns more money after accepting cash, it’s probably because they don’t pay taxes.
> "FWIW I am Australian and we have a similar adoption rate of cashless payments. If a merchant tries to promote cash options I immediately think they’re doing it for tax evasion reasons"
I don't know about Australia, but in New Zealand many small retailers and restaurants add a card payment surcharge (typically 1.5%-2.5%) automatically when you pay by card. So you are somewhat penalised for the convenience of using a card. This never happens in Europe.
1.5%-2.5% card surcharges (both, debit and credit) are a commonplace in Australia as well.
Visa and Mastercard have successfully lobbied and conspired with local banks in both countries to bury EFTPOS, which were national debit card payment systems with a flat transaction fee ranging between 10 and 50 cents per transaction (depending on the bank).
A while back, Visa/MC realised that debit card transactions, being on the rise, were a highly lucrative market to tap into that they had been missing out on, so they set out on a war of attrition and conspired with the local big banks to phase out EFTPOS cards in favour of Visa/MC debit cards, where the cost of transaction was to be passed on to the card user. Tiered debit cards quickly followed (Platinum, etc.), that attracted higher fee percentages for Visa/MC – payment network commission fees are published on the respective payment network websites. Other than consumers, all parties involved (big banks, payment networks) became moist with excitement at getting a huge slice of the card transactions pie.
But there is the light at the end of the tunnel (other than the light of the oncoming train) – the RBA has moved to ban all card surcharges from July 2026.
It’s quite common in the US everywhere I’ve lived. Every tradesman I’ve used outside of large companies will offer a large discount for cash if you ask about it. They will likely not be the first to initiate though at a certain level of customer, since the social expectations change at a certain level of wealth.
This is almost always in a portion of the invoice written up at around half the agreed amount, and the rest in cash. Or for smaller jobs just on the side with no paperwork involved outside of a firm handshake.
This is the norm for the lower end of the trades. If you’re dealing with a single owner company with a few employees I’d be very surprised if they would not be willing.
Yeah, once you get into “real companies” that are charging upper middle class rates on million dollar properties it changes.
I haven’t had trades work done in Mexico, but considering all my visits were effectively cash only transactions I’d be pretty surprised if it wasn’t at least as common as in the US.
When you say "buying a used car"... do you mean from a dealership, or from a private party? In America, I almost can't imagine buying a used car from an individual without paying them in cash. Indeed, it's one of the few situations where a large amount of cash is almost always required. It's a pain to go to the bank and get that cash. However, this is not because of tax evasion or something ... it's to avoid any sort of dispute or reversal once the sale is final. I would take Bitcoin for a car, or a check I could cash before signing over the vehicle, but I'd never take paypal or some other method where the buyer could contest the charges.
We usually use an app for that (Swish, it's kind of like Venmo I guess, developed in collaboration between the six largest banks). We don't really do transaction reversals in the same way or as commonly as in the US.
Paying for a used car in cash would actually be difficult because handling an amount greater than the equivalent of around USD $1k immediately starts tripping KYC/AML flags at any bank if you try to deposit it, and it's hard to use in day to day life because few places other than grocery stores even accept cash anymore.
Wow... depositing more than $1k would trigger AML. That's incredible. In the US it's not uncommon for contractors to pull $10k cash at the end of a week to pay their workers. Some of that may be due to tax evasion or, just as likely, the workers being in the country illegally. I suppose this is another major reason cash is still "tolerated" in the US, because the casual labor market depends so heavily on undocumented workers. No one besides a few ultra-nationalists would really want to enforce such a thing, as it would drive up construction costs. And the nationalists are paranoid and stock up on cash and gold themselves.
Honestly, that system sounds a bit Orwellian. But also, does that mean that you have to pay a bank transfer fee every time you buy anything?
Generally there are never any transfer fees for private individuals doing domestic transfers. The banks just provide that service for free and eat the cost. Businesses wanting to accept payments via the Swish app usually pay a flat rate of the equivalent of approximately USD $0.15 per transaction (exact terms depends on which bank you use).
It's also worth noting that credit card interchange fees are price controlled in Europe; there's a EU directive that caps the interchange fees at 0.2% for debit cards and 0.3% for credit cards. Because of this, cashback on credit cards is pitiful in the EU; you can get 0.5% cashback but not much more than that.
> But also, does that mean that you have to pay a bank transfer fee every time you buy anything?
No, not at all. The Swish rails are free to users. But I've never had to pay any transfer fees for domestic transfers anyway. They are just much slower than using Swish (instant transfers) and much more clunky (bank account number etc. vs. phone number/QR-code).
Not every time, very certainly less than on 5% of all normal transactions, and the actual fraction will depend more on whether you count currency conversion fees and how frequently the person you are asking is buying from outside the EES.
I am danish so not quite as anti-cash as Sweden but if people use cash in grocery stores or just stores in general the general sentiment will be that its either because they are old , the cash they have is undeclared income or that it is income from illegal activities.
Swish uses the proprietary "BankID" system, and the company behind it has let frauds go on for years and blaming the victims. Therefore I have chosen not to support them.
It didn't have proper two-factor authentication when you just had to tap a button on the smartphone to approve a log-in or a bank transfer (and users didn't always tell which was which). Now it requires reading a QR code — which it should have done all the time.
AFAIK it still does not use any secure key storage on the smartphone, so if your phone gets rooted by an attacker, the attacker could gain access to your bank accounts. So far, frauds have been much easier to pull off, so criminals have not bothered to hack it. (that we know of)
I'm not an huge fan of BankID either, but a few corrections/clarifications:
1. BankID always allowed to have different settings for login and for signature. I have done that since forever. For example, I configured login to allow biometrics but not signature. If it's forcing me to enter the security code I know it is a signature, which forces me to pause. I cannot sign anything by mistake (like a transfer) because I'm forced to enter my long security code to complete it. And for the much more frequent scenario of pure logins, I can just use my finger.
2. I believe it does use the hardware-backed keychain if the device has one. I cannot prove it as the source code is not available, but I remember being curious and checking this on a rooted device.
I am Swedish and have lived here all my life and I have no idea what the current banknotes look like. I have literally never used them. I remember what they used to look like 20 years ago, but I know they have changed since then.
The core issue the article is pointing to is that most database indexes are B-trees, so if you have a predicate on the form (col_a = 'foo' OR col_b = 'foo'), then it is impossible to use a single B-tree lookup to find all rows that match the predicate. You'd have to do two lookups and then merge the sets. Some query optimizers can do that, or at least things that are similar in spirit (e.g. Postgres bitmap index scan), but it's much more expensive than a regular index lookup.
The linked article’s optimization applies to compound index queries, not “OR” condition optimization.
Unrelated or not, skip-scan will be useful in some cases. However, the cases where it adds noticeable benefit are the cases where a separate index should have been used for leading columns anyway (and in memory-constrained/frequently-cold-cache situations, a separate index might even be faster). If you can’t even begin to guess at the order of magnitude of cardinality, or if your leading-column-lacking queries are quite rare and not that perf-sensitive on a big table exerting index cache pressure, then skip scans make sense.
Astrophysicist Angela Collier's video essay "the sham legacy of Richard Feynman" [0] is a good introduction. Her accounts of her own encounters with "Feynman bros" are heart-wrenching.
She seems to have missed the real reason why Feynman became so "popular": his series of textbooks. Maybe his name is not associated with such historical discoveries as those of Newton, Boltzmann or Einstein are, but writing one of the best textbook series is also a good reason to be famous, at least for as long as the content will remain relevant. Feynman, to me, is the American Landau: A mathematical and scientific genius whose immensely valuable legacy consists of teaching and textbooks rather than any novel breakthrough in theory.
Apart if you want more clicks on YouTube, I don't think it's fair to call him a sham, unless you believe every popularity is a sham, but I don't think it's the case being made here.
Not all Nobel prizes are equivalent to Newton, Boltzmann or Einstein. Have a look at the video if you wonder why I focus on those three.
I am well aware that he did not publish his lecture notes himself, yet I believe he had written some notes and was not improvising in front of the amphiteater every day. Let's not argue about such trivia though.
These days the manuscript is quite conclusively dated to the first half of the 15th century; the parchment it's written on is definitely from that period, since it's been carbon dated to 1404–1438 with 95% confidence. The general style is also consistent with that dating. For example, medievalist Lisa Fagin Davis writes in a recent paper: "[t]he humanistic tendencies of the glyphset, the color palette, and style of the illustrations suggest an origin in the early fifteenth century" [0].
Edward Kelly was born over a hundred years later, so him "being at the right time" seems to be a bit of a stretch.
I think it's entirely possible the inks are much later. Possibly Kelly erased whatever was on the parchment previously. In fact the drawings might have made liberal use of the original, just to hide that fact.
Which is worse actually. Kelly may have semi-erased an existing valuable manuscript.
The hypothesis that the manuscript is a palimpsest (that is, written on an old parchment that was scraped clean of a previous text; such recycling was common because parchment was expensive) has been thoroughly rejected. That sort of thing is detectable, in fact there's an entire field of research dedicated to recovering lost texts from palimpsests, but the Voynich manuscript shows absolutely no signs of that.
You're right. I have just read a bit about this[0] and agree. I do still believe that it's possible for the expensive parchment to have been obtained by someone uneducated or "naive", or quack and used by them.
