This is huge. I built SidianSidekicks and it is based on git because we don't want to lose your notes and thoughts, but convenience of Obsidan Sync are something that makes everything easy. I get this is in beta, and we will stick to git, but love what they are doing and looking forward to it.
Essentially Sync while you can emulate it on desktop, for mobile it is not good experience without Sync. And we want to have and record our thoughts with us all the time.
This is made by the company the inventor of the language created. Then he left it because Forth, inc. needed the language to be standardized, which wasn't his idea of Forth and, his point of view is that he solved the software problems and what was left was solving the hardware problems, so he moved to working on stack-based processors.
Swift Forth is literally a professional Forth and is well regarded. The other often recommend Forth is the FOSS GForth. They are good for starting because they are popular and standard, so you'll find help easily.
Other "smaller" Forth are often non-standard dialects and are more-or-less mature experiments.
I had the same feeling, so I began to read https://www.forth.com/starting-forth/1-forth-stacks-dictiona... with gforth installed with apt. And made few exercises to manipulate the stack with some words and get a grasp on it. Now I saw how it works, I came back to my imperative languages and won't come back to it.
IMO my skills in forth are not really enough to see the distinction between any implementation of forth, so the first one I stumbled upon was ok.
Gforth is free and well rounded so I'd recommend that if you want to experiment with Forth. It is not very fast though, SwiftForth with optimised subroutine threading will be a lot faster. I haven't tried SwiftForth though as you have to pay for it and it is x86 only.
if you are working with specific hardware (e.g. microcontrollers) it depends on which forth dialects are available but for the raspberry pico and pico 2 I recently found zeptoforth [1]
I think the problem is the process. Each country should have a reporting authority and it should be the one to deal with security issues.
So you never report to actual organization but to the security organization, like you did. And they would be more equiped to deal with this, maybe also validate how serious this issue is. Assign a reward as well.
So you are researcher, you report your thing and can't be sued or bullied by organization that is offending in the first place.
If the government wasn't so famous for also locking people up that reported security issues I might agree, but boy they are actually worse.
Right now the climate in the world is whistleblowers get their careers and livihoods ended. This has been going on for quite a while.
The only practical advice is ignore it exists, refuse to ever admit to having found a problem and move on. Leave zero paper trail or evidence. It sucks but its career ending to find these things and report them.
That’s almost what we already have with the CVE system, just without the legal protections. You report the vulnerability to the NSA, let them have their fun with it, then a fix is coordinated to be released much further down the line. Personally I don’t think it’s the best idea in the world, and entrenching it further seems like a net negative.
This is not how CVEs work at all. You can be pretty vague when registering it. In fact they’re usually annoyingly so and some companies are known for copy and pasting random text into the fields that completely lead you astray when trying to patch diff.
Additionally, MITRE doesn’t coordinate a release date with you. They can be slow to respond sometimes but in the end you just tell them to set the CVE to public at some date and they’ll do it. You’re also free to publish information on the vulnerability before MITRE assigned a CVE.
Does it have to be a government? Why not a third party non-profit? The white hat gets shielded, and the non-profit has credible lawyers which makes suing them harder than individuals.
The idea is to make it easier to fix the vulnerability than to sue to shut people up.
For credit assignment, the person could direct people to the non profit’s website which would confirm discovery by CVE without exposing too many details that would allow the company to come after the individual.
This business of going to the company directly and hoping they don’t sue you is bananas in my opinion.
Thank you for sharing this, this is very interesting problem to tackle.
I find this interesting mostly to understand how you are handling encryption and security. I think this is one approach but others expressed concern over long term viability.
Using Tauri is also very interesting. How did you find using it for this simpler case?
reply