Are you asking if there are special numbers or strings or some other kind of plain data that would glitch out the interpreter when they're read back in? That would be an impressive failure of a programming language.
Yes, it's safe as long as you're serializing correctly (which isn't very hard).
By definition you can't trust that "untrusted data" has been serialized correctly.
Lua has strong sandboxing capabilities (i.e. ability to limit and control the environment visible from a chunk of code), but the Lua authors years ago explicitly disclaimed the ability to sandbox untrusted code. The compiler and runtime are not bug free. They don't have the resources, notwithstanding that compared to any other non-formally verified implementation their track record is pretty decent, even compared to past and current efforts from Sun, Microsoft, Mozilla, and Google. If you want to run untrusted Lua code, Lua sandboxing should be just the first of multiple lines of defense, just as modern web browsers rely on various operating system mechanisms to constrain breakouts.
> By definition you can't trust that "untrusted data" has been serialized correctly.
Please read the comment again. They said the person loading the data is the same person that serialized it. The data came from an untrusted source prior to being serialized.
For example, consider a guestbook program. People send it untrusted text and then the program serializes it into a database. Reading the database back is safe.
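The guestbook case above, sketched as an added example that is not part of any comment in the thread: the program itself turns untrusted text into a Lua literal and later loads its own output. It assumes Lua 5.4 and that the stored format is Lua source; `serialize` and `deserialize` are hypothetical helper names.

```lua
-- Added example, not code from the thread. Assumes Lua 5.4, where
-- string.format("%q") accepts strings, numbers, booleans and nil.
-- serialize/deserialize are hypothetical helper names.

local function serialize(v, seen)
  local t = type(v)
  if t == "string" or t == "number" or t == "boolean" or t == "nil" then
    -- %q emits a literal that reads back as the same value: quotes,
    -- backslashes, newlines and NUL bytes in strings are escaped.
    return string.format("%q", v)
  elseif t == "table" then
    seen = seen or {}
    if seen[v] then error("cycle in table: cannot serialize") end
    seen[v] = true
    local parts = {}
    for k, val in pairs(v) do
      local kt = type(k)
      if kt ~= "string" and kt ~= "number" and kt ~= "boolean" then
        error("unsupported key type: " .. kt)
      end
      parts[#parts + 1] = "[" .. serialize(k) .. "]=" .. serialize(val, seen)
    end
    seen[v] = nil  -- the same table may appear twice, just not inside itself
    return "{" .. table.concat(parts, ",") .. "}"
  end
  error("unsupported value type: " .. t)  -- functions, userdata, threads
end

local function deserialize(src)
  -- Mode "t" rejects precompiled bytecode; the empty table is the chunk's
  -- only environment, so the loaded text has no globals to call.
  local chunk, err = load("return " .. src, "=stored", "t", {})
  if not chunk then return nil, err end
  local ok, value = pcall(chunk)
  if not ok then return nil, value end
  return value
end

-- Constructed guestbook entry whose text tries to close the literal early.
local entry = {
  name = 'mallory"',
  text = '"} print("injected") --[[\n]] \0 end',
}
local stored = serialize(entry)
local back = assert(deserialize(stored))
assert(back.name == entry.name and back.text == entry.text)
print(stored)
```

The text mode and empty environment only limit what a tampered file can reach; a chunk that the program did not write itself can still loop or allocate without bound, which is why the sandboxing comment above treats this as one layer among several.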
I'm glad it's been entertaining. This is the first time I've posted anything to HN that's gotten any real engagement/interest and I've thoroughly enjoyed the discussion.
I intentionally tried to keep it light / humorous to have plausible deniability. "I'm sorry your honor. This was just an elaborate joke that got out of hand."
I really don't have any way to prove this, but it's not a stunt and not connected to my employer in any way. I don't have anything to promote. I'm speaking in a purely personal capacity. I've attempted to remove references to my employer, so I'd appreciate it if you or a moderator could remove the reference from your comment.
I do enjoy intellectual discussions with smart people on thought provoking topics and that's primarily what this is. I am genuinely curious if my idea could work and I was interested in feedback from the HN crowd. I've been mostly lurking here for about 10 years, and just recently decided to start writing more and trying to participate more actively in HN discussions. This idea struck me as something that could spark a fun discussion, and it has.
Getting something to the front page of Hacker News is a bucket list item for me. It didn't happen this time (I think it got to page 4), but I learned a lot and really enjoyed replying to everyone's comments.
But to be clear, this was not a stunt. It was meant to be a little provocative and attention grabbing, but I do genuinely believe my idea has some merit and might improve a very difficult situation... if it could be done legally and safely.
Can confirm. Although I might say "moderately technical" rather than "slightly technical". Some of my interview questions got pretty deep into networking protocols and Linux OS internals. Regardless, it's a very different role than a software engineering position, which I wouldn't claim to be a good fit for.
Think tank events are a very good idea. Something similar had occurred to me.
Many successful startup ideas do sound very ill-conceived initially and often have legal problems, despite their success. Having strangers drive you places? Renting a room in a random person's house? Having a book retailer host all your IT infrastructure? So, although I do appreciate your point, I don't think those factors alone are reason enough to give up on the concept.
"Startup"? Maybe I'm misunderstanding what your plan is but you should know that you are legally not allowed to take money from these people. Every major cartel and their leaders are designated under the Kingpin Act or as Transnational Criminal Organizations which means you cannot "[make] any contribution or provision of funds, goods, or services by, to, or for the benefit of" them. Even if they weren't designated, you cannot take money that you knew to be from a crime. Either of these are punishable by a long time in prison. The only way this would work is if it was done under close supervision with law enforcement, but it's pretty evident that American police do not have much interest in harm reduction style solutions.
I don't know if this is some elaborate troll but if your idea is so great you should just publish it. I'm sure you would get credit if it was successful.
> The Sackler family is an American family who founded and owned the pharmaceutical companies Purdue Pharma and Mundipharma.[1] Purdue Pharma, and some members of the family, have faced lawsuits regarding overprescription of addictive pharmaceutical drugs, including OxyContin. Purdue Pharma has been criticized for its role in the opioid epidemic in the United States.[2][3][4] They have been described as the "most evil family in America",[5][6][7][8] and "the worst drug dealers in history".[9][10]
Thanks for the questions. Allow me to answer/clarify.
Improving drug cartel profit margins is not a direct goal. Reducing deaths and violence is the goal, but I don't see a way to do that without getting the cartels to change how they operate a bit. The only way I can think of to get them to want to change is with economic incentives. They seem to not respond to other types of incentives/punishments. If you have thoughts on what might motivate them other than profits, I'd love to hear it.
No, I have no interest in making money from this idea or sharing profits with the cartels. Doing so would obviously be illegal and I'm only looking for legal pathways to achieve my goals.
No, I wouldn't describe it as "growth hacking". I'm not interested in growing their businesses, just exploring creative options that might reduce the death/violence. I'm speaking here in a purely personal capacity. My employer has not endorsed anything I'm discussing, nor would I ask/expect them to. I recognize that there is a possibility of some negative blowback from this post. If they asked me to, I would be happy to delete it. It's certainly not my intent to embarrass anyone or create negative associations with my employer. My hope is that if my company's leadership does come across the post, they would recognize that there was good intent behind it and don't feel the need to cut ties with me to avoid reputational damage over a fairly abstract/hypothetical discussion on a forum where users compete to gain the attention of other people in the community. It is nuanced and not without some professional risk, but I'm pretty sure my employer would give me a chance to fix things if they felt there was a problem.
Your question about the mods is a little too leading/loaded for me to simply confirm or deny. All I will say is that the post was flagged last night, I emailed the moderation team, Dang emailed me back and unflagged the post. If Dang is ok with it, I'd be happy to post his email here, but I don't want to assume that he would want comments he made privately to be shared publicly.
Getting involved with politics had crossed my mind. On this issue specifically, I suspect there are policy think tanks that might be open to giving me some advice. Maybe handing the idea off to one of them and letting them pursue related policy changes might be a better option. In my experience, lawmakers don't pay much attention to random people on HN.