Watch the whole thing for yourself https://www.youtube.com/watch?v=zicGxU5MfwE He talks about light for the first two things (cover the body and put it under the skin) and then switches to disinfectant. Was clearly talking about some kind of chemical to "clean the lungs" like you would clean your bathtub.
The bit I love is that countries with which the US has a trade surplus aren't getting the opposite of a tariff (a grant, I guess) on their imports to the US, they aren't getting zero tariffs on their imports to the US, they're getting 10% tariffs.
Heard Island and McDonald Islands, two Australian territories inhabited only by penguins, get singled out for a 10% tariff.
Norfolk Island, an Australian community of 3000 with no exports to the US, gets its own 29% tariff. They're expecting a tourism boost from the publicity.
Now what the underlying items are that were traded? Not sure. Guessing you can dig it up in AES https://www.census.gov/foreign-trade/aes/index.html but have not been able to figure that out. Let me know if you do.
Nah, they just went down the Wikipedia list of places that trade with the US. This is how Réunion winds up on there, despite being actually part of France.
That might be the case with places like the UK which has a trade deficit with the US but still gets taxed at 10%. I feel however the penguins put up an obvious non tariff barrier by only accepting fish rather than hard currency.
Norfolk Island is part of Australia. Logically it would be swept up in the 10% tariff on Australia. It has no exports to the US, that being the US government's justification for tariffs over 10%, let alone an individual 29% tariff.
A comparison would be another country putting a 10% tariff on the US, but singling out Rhode Island for its own 29% tariff.
"To calculate reciprocal tariffs, import and export data from the U.S. Census Bureau for 2024. Parameter values for ε and φ were selected. The price elasticity of import demand, ε, was set at 4.
Recent evidence suggests the elasticity is near 2 in the long run (Boehm et al., 2023), but estimates of the elasticity vary. To be conservative, studies that find higher elasticities near 3-4 were drawn on. The elasticity of import prices with respect to tariffs, φ, is 0.25."[0]
>It explains why they singled out Reunion from France, it has a separate ccTLD
It also has a separate country abbreviation (RE). You know, like you'd see on an address. The thing that tells you where something, like a good imported into the United States, is coming from.
This is why it has a separate ccTLD by the way.
This blue sky thread is just an incredible example of motivated reasoning.
> It also has a separate country abbreviation (RE). You know, like you'd see on an address. The thing that tells you where something, like a good imported into the United States, is coming from.
Yes, obviously, it's ISO 3166-1 but that's a batshit way of assigning tariffs. To the point I suspect it's an LLM.
Norfolk Island? The island with 3000 people, which in the context of international trade is a speck at the side of Australia. Or the uninhabited Heard Island and McDonald Islands with zero trade?
If Reunion and Norfolk Island are to be considered separately from their mainlands, where are the tariffs for Easter Island (Chile)? It has more people than Norfolk and probably more trade, it's 3700ish km from the administrative region it belongs to, so it's geographically distinct, like Reunion.
Anyone (with a pulse) tasked with calculating the tariffs would see this and think "I have to remove these outliers". So the two options are:
A. Someone took the ISO 3166-1 codes and brainlessly calculated their batshit formula without noticing that HM doesn't produce anything. They did not instead do the more natural thing, go from highest imports to lowest which would've eliminated HM and most anomalies. They didn't even check their work.
B. They asked an LLM, which calculated this in the most naive way possible one-shot.
I dunno governor, this looks like vibecoded Excel spreadsheets.
>If Reunion and Norfolk Island are to be considered separately from their mainlands, where are the tariffs for Easter Island (Chile)?
Easter Island's mailing address says Chile. Norfolk Island's mailing address does not include Australia, nor does Reunion's include France.
>They asked an LLM, which calculated this in the most naive way possible one-shot.
What's the connection between LLMs and domain name endings or whatever again? Like why does using them necessitate the use of LLMs?
Let's think through it from the ground up... How would you expect them to come up with a list of countries? Are they supposed to just get a group of people together and compile a list of countries they can think of by memory? Clearly they will refer to some standardized list.
It's worse than that. It's like saying you must have used ChatGPT because you answered that 2+2=4 and, gasp, so do the LLMs! Never mind that it's just the obvious answer to the question.
Let's see the prompt. The prompt further down in the thread that reproduces it was asking how to use tariffs to balance trade deficits with a 10% minimum. Is there any other answer than to set the rate such that the deficit goes away or 10%, whichever is greater? No. That's just the answer to the question and is why ALL LLMs give the same answer.
LLMs are basically just good at sourcing ideas from the internet. Me thinks this just means that this tariff idea exists on the internet, especially since grok, chatgpt, etc all come up with the same idea. We used to not have income taxes and funded the govt with tariffs so this probably isn't a new concept despite media outlets pretending like it is.
Are you implying there is a very small chance that if someone posted in 2018 reddit "We should tariff Algeria at 35% because X", the LLM that the administration may have used would have agreed with random redditor?
It is really silly to say that because an LLM gave a similar approach a single time and someone took a screencap of it without full context, that Elon and Trump are sitting in the White House asking Grok what to do. This level of hyperbole is why reading about anything to do with the two of them is really exhausting.
People are saying they literally used the trade deficit and the formula they published that they claim doesn’t do this multiplies that value by 4 and then 0.25. Yeah… that is what we are dealing with.
> Elon and Trump are sitting in the White House asking Grok what to do
Not perhaps Elon or Trump themselves (doubt Trump can actually use a computer), but it could very well be one of the teens like the so-called "Big Balls" that apparently have their hands in everything.
> This level of hyperbole is why reading about anything to do with the two of them is really exhausting
Almost as exhausting as their daily actions / tweets / rants.
>It is really silly to say that because an LLM gave a similar approach a single time and someone took a screencap of it without full context, that Elon and Trump are sitting in the White House asking Grok what to do.
A similar approach to a close-ended question.
The original screenshot doesn't show the prompt. The one reproducing it asks for a tariff policy to eliminate trade deficits with a 10% minimum. Umm... hello? There is only one answer to that. The greater value between 10% and a rate based on the deficit. Of course the Trump policy and all 4 LLM answers agree. The answer is determined by the question.
Its like accusing little Timmy of cheating on his math homework because he said 2+2=4 and -- GASP -- so do all the LLMs!
Wow. So they came up with zero-effort estimates of the tariff rate which would balance the trade deficit. The method is like something you'd be asked to criticise in A level economics.
Then they incorrectly labelled these numbers as reciprocal tariffs, implying this is what other countries charge the US.
The worst of it is that all of this misinformation will be happily accepted as truth by so many people. It's now going to be almost impossible to have people realise the truth, especially those people who support Trump. Ugh.
Are we factoring in digital/service trades? For example, Netflix is in Vietnam. There are many Netflix subscribers in Vietnam. Does that get factored into the trade deficit? Or is it only physical goods that get factored in?
Vietnam uses many US services such as Microsoft Office, Netflix, ChatGPT, Facebook ads, etc. This is revenue that goes directly into the pockets of American companies.
No services, only goods. This is according to @JamesSurowiecki on Twitter, one of the first to reverse engineer the equation for how they’re coming up with the numbers. So Office, Netflix, etc wouldn’t count against the deficit.
This is where the calculation is extremely unfair to a country like Vietnam. They export low value physical goods and import high value services like ChatGPT, engineering consultations, etc.
They're getting screwed by this tariff plan.
Any tariff based on trade deficit needs to account for services.
You shouldn't put tariffs based on deficits period because it's a brain dead way to think about international trade. The whole idea is flawed from the jump so there's no way to make it rational, it's inherently irrational.
No it doesn't. Trump's whole issue here isn't making more money for the federal government. His issue is that the American economy no longer works for you if you are a blue collar worker.
The services we export are performed largely by white collar, college educated people. A good number of whom are here on H1-B visas. What service can an unemployed factory worker export to Vietnam? We have to end globalization of industry or wealth inequality will just continue to spiral.
There are ~600k H1B visa holders in the US. the tech sector alone has ~10M workers, and professional workers are ~9x that again. That boogeyman represents < 1% of the relevant workforce.
“White collar” work is the majority of US employment. It’s unclear to me if you’re proposing sacrificing white collar for blue collar jobs, but that’s not a trade our economy overall wants to make.
Relatedly, the unemployment rate for US factory workers is 2.9%. This is a very low unemployment number - 5% is generally considered “full employment,” and anything below that indicates a labor shortage. So your hypothetical factory worker should probably just go get another job.
I don't understand the nostalgia for manufacturing jobs.
My mom worked in a factory putting pickles into glass bottles. It was not her dream job. I can still remember how she smelled after a shift.
But it was the only employment she could find in that village.
Things got better when we moved after a few years and she shifted into a healthcare job. White collar if you will.
His issue is actually that Putin told him to jump, and so he has to jump. You're utterly delusional if you think Trump gives a single diaper filled with shit about the "blue collar workers"
I'm glad I read your comment because I've been wondering the whole time whether services are factored in. It's absolutely insane that the administration is ignoring the exported value of some of the biggest companies in America that all these countries are buying services from.
Of course not. The entire time Trump is railing against the deficit, he's talking only about goods. He wants to bring back manufacturing to America, didn't you hear?
I can think of at least a dozen reasons but I'll give you one: We are in delicate peace negotiations with Russia _right_ now. There is good reason to isolate all foreign policy decisions with that country to those negotiations. It is called doing more than one thing at a time.
We are also in delicate peace negotiations with Ukraine right now, but we still put import taxes on them. If you think that the administration would put more import taxes on Russia after the negotiations are done, then at least you're consistent. I need your other 11+ reasons to be convinced.
If we were in delicate peace negotiations then we should put more pressure on them. Tell them extra tariffs will be removed if they agree. The main reason there is still war is Putin's stubbornness in admitting he started an unwinnable war. More pressure is helpful.
This is down from $23B in 2019, and is basically just fertilizer and minerals used to make fertilizer.
Fertilizer is not sanctioned due to the fact it's needed for food security in the EU (surprise, surprise, the EU is not just insecure domestically in terms of military and energy and technology, but also in terms of fertilizers needed to grow food, fantastic governance they have over there... leaving potash mining or nat gas extraction to other countries does look good for those domestic net zero calculations though!).
EU peace is assured by inter-locking trade within the bloc. Countries within the EU are gently encouraged to trade essential goods with one another instead of producing them themselves.
This policy dates back to the end of WW2 as an attempt to prevent one country getting too aggressive and hence starting another war.
Since the fall of the wall, Russia was seen as a legitimate trading partner for the bloc and, in the long term (just as Türkiye), as a member of the bloc.
Hence sourcing fertiliser from Russia was taken to be a strategic positive since it tied Russia to Europe.
I think we should be aware of history, that does not imply acceptance nor agreement.
Instead, had I said this ten years ago, the majority of politicians in the EU would have been d'accord. What does that imply about our political systems?
There have been a bunch of alliances in Europe over the centuries, none have been permanent.
It was a rational and logical thing to do, assuming Russia wants prosperity. Sadly, it turns out people with power in Russia don't really care about that for regular people.
So... I think it was a good thing after all. It could've worked out, and brought us peace. A moonshot with great payoff but some chance of failing is often a risk worth taking, HN should know that :)
Stealing the assets of countries like Venezuela and Russia caused this to happen by making the rest of the world move off of the dollar to secure their asses. Doing more of them is the dumbest idea that can be proposed.
> Don't start a war against neighbours or other neighbours might get angry
Those other neighbors themselves invaded many countries. They stole the money of other countries. Like Venezuela. They never had their assets stolen. Apparently, they subscribed to none of the moral values and ethics they have been advocating. So that argument doesn't count.
Those are currency reserves. Not the changes in the usage of currencies in international trade. But hey, don't let me disturb the comfortable numbness...
I see how the tariff numbers may have been calculated. But why is it done that way? What is the rationale behind such a calculation? Is this a way to balance the existing trade deficits? How does it work?
Would appreciate you (or anybody else) shed some light on the economics of the thing.
The label "tariffs charged to the US" is just straight-up wrong, either due to incompetence or malice (likely to justify the high tariffs).
But basing the tariffs on import/export ratio makes sense if your goal is to be a net exporter with every country, as it discourages imports until that's the case. It's still somewhat arbitrary though; my guess is that the White House is pursuing that goal mostly for political, not economical reasons.
I would love to hear the plan on how the US can be a net exporter of coffee with, say, Indonesia (32% tariff). Perhaps we can take the funds from the tariffs and build mass greenhouses?
The Eu will take care of that by slapping taxes/tariffs or regulations, and the rest of the world will also do the same. Play stupid games, win stupid prizes.
Interesting. While I think these tariffs are a bad idea, I'm not qualified to fully pass judgement. However, knowing Trump, when I saw the numbers I instantly suspected they would be wrong.
Probably Miranda. Brings back a lot of memories from the flint/flame/inferno days. I remember buying a tezro for ~150k USD in 2005/6. We also were "gifted" an Inferno around that time which I heard originally cost multiple hundreds of thousands. When it showed up it was the size of a refrigerator and took dual 30A power feeds. Sounded like a jet and didn't last long.
Teradici came on the scene and started running everything over IP. Hardware at first (old EVGA pyramids were everywhere) where you had to route the video out into a custom card that then put out the signal via IP.
Now it's all software with the leaders being teradici (merged with HP anywhere which came from IBM), nicedcv (Amazon), parsec, and a few others.
The big advantage in content production over something like VNC/RDP was color fidelity, local cursor termination, and support for hardware like Wacom tablets. You can even do 7.1 audio and multiple monitors. Turns out when you are an artist having a local-like feel is incredibly important. 60fps is 16ms per frame. So even with virtual workstations on AWS you want to deploy them in a region that is relatively close to the end user.
Yes and no. It's all about the people and specifically the people in leadership positions. Money can make it easier for very obvious reasons (unlimited resources to hire the best people, have the best equipment, focus on the product and not the bottom line, etc..).
The reason it can make it harder is because if you don't have the right people being held accountable to make the studio successful on an agreed-upon timeline, along with what the definition of success looks like from top to bottom and a well defined organizational structure that takes into account growth, those unlimited resources tend to result in over hiring before the recipe has been figured out, politics, moving targets, fractured focus, and organizational chaos.
The secret is networking. I don't have the numbers but anecdotally what I saw was every (and I mean every) hire at Director level and above at big tech was a friend (or friend of friend) of someone at that company.
One thing that I don't see mentioned very often with regards to the LastPass breach is that 2FA seeds for their Authenticator product were also compromised and taken. Meaning not only could the attackers gain access to passwords, if you were using LastPass for 2FA they had that as well.
"i wanted to get on the machine where the application gets built and the easiest way to do this would be a postinstall script in package.json, so i did that with a simple reverse shell payload"
Just want to make sure I understand this. They made a hello world app and submitted it to todesktop with a post install script that opened a reverse shell on the todesktop build machine? Maybe I missed it but that shouldn't be possible. Build machine shouldn't have outbound open internet access right?? Didn't see that explained clearly but maybe I'm missing something or misunderstanding.
In what world do you have a machine which downloads source code to build it, but doesn't have outbound internet access so it can't download source code or build dependencies?
Like, effectively the "build machine" here is a locked down docker container that runs "git clone && npm build", right? How do you do either of those activities without outbound network access?
And outbound network access is enough on its own to create a reverse shell, even without any open inbound ports.
The miss here isn't that the build container had network access, it's that the build container both ran untrusted code, and had access to secrets.
It's common, doesn't mean it's secure.
A lot of linux distros in their packaging will separate download (allows outbound to fetch dependencies), from build (no outside access).
Unfortunately, in some ecosystems, even downloading packages using the native package managers is unsafe because of postinstall scripts or equivalent.
>Unfortunately, in some ecosystems, even downloading packages using the native package managers is unsafe because of postinstall scripts or equivalent.
Funny you should mention this because I was just psyching myself up to submit my blog piece from last night on the topic.
In Python, downloading packages using the native package installer (Pip, which really doesn't itself do anything that could be called package management) is unsafe because of build scripts - unless you tell it to only accept pre-built packages, defeating the point of the systems these Linux distros are using. (I assume/hope people in this position are aware of the problem and have rigged up another solution with the API. In the post I commented that I don't know of such solutions being publicly available, but surely they exist somewhere.)
You'd be justified in wondering why the build script runs when you only ask to download the package. It's mainly because of the historically atrocious approach to metadata (and all the legacy packages for which installation is still supported). But from reading the issue trackers, it seems like the code paths aren't especially easy to disentangle, either - since they've gone so long with the assumption baked in that the problem isn't really solvable.
In other HN posts I've complained about people pointing out things in the Python packaging ecosystem that aren't really problems. But this really is one.
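To make the npm side of the point above concrete: the following is an added example, written for this page and not code from the thread, from todesktop or from npm, that enumerates every package in a node_modules tree declaring an install-time lifecycle hook (preinstall, install, postinstall, prepare). That is exactly the set of packages that get to execute commands on whatever machine runs `npm install`, so it is the list a build host operator wants to review. The node_modules tree it scans is constructed inline from made-up package names; only the npm hook names and the directory layout are real.

```python
"""Audit a node_modules tree for packages that declare npm lifecycle scripts.

npm runs preinstall/install/postinstall (and prepare for git dependencies)
automatically during `npm install`, so any dependency can execute commands
on the machine doing the install. This lists every package that asks for that.
"""
import json
import tempfile
from pathlib import Path

# Hooks npm runs on its own during install, without the user naming them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def lifecycle_scripts(package_json):
    """Return {hook: command} for every install-time hook a package declares."""
    scripts = package_json.get("scripts") or {}
    return {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}


def is_package_root(package_json_path):
    """True for node_modules/<name>/package.json or node_modules/@scope/<name>/package.json
    at any nesting depth; false for package.json files shipped inside a package."""
    parent = package_json_path.parent
    if parent.parent.name == "node_modules":
        return True
    return parent.parent.name.startswith("@") and parent.parent.parent.name == "node_modules"


def audit_node_modules(root):
    """Walk a node_modules tree and return sorted (package, hook, command) triples."""
    findings = []
    for pj in Path(root).rglob("package.json"):
        if not is_package_root(pj):
            continue
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: npm would choke on it too
        name = data.get("name") or pj.parent.name
        for hook, cmd in lifecycle_scripts(data).items():
            findings.append((name, hook, cmd))
    return sorted(findings)


def build_sample_tree():
    """Create a throwaway node_modules tree. The package names and scripts are
    constructed sample data for this example, not real packages."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    packages = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0"},
        "@acme/native-thing": {
            "name": "@acme/native-thing",
            "version": "2.3.1",
            "scripts": {"install": "node-gyp rebuild", "test": "mocha"},
        },
        "helpful-utils": {
            "name": "helpful-utils",
            "version": "0.0.7",
            # Runs on every developer and CI machine that installs the package.
            "scripts": {"postinstall": "node ./setup.js"},
        },
    }
    for rel, manifest in packages.items():
        pkg_dir = root / rel
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # A nested package.json inside a package must not be reported as a package.
    (root / "left-pad-ish" / "esm").mkdir()
    (root / "left-pad-ish" / "esm" / "package.json").write_text(
        json.dumps({"type": "module", "scripts": {"postinstall": "should-not-count"}}),
        encoding="utf-8")
    return root


if __name__ == "__main__":
    for pkg, hook, cmd in audit_node_modules(build_sample_tree()):
        print(f"{pkg}: {hook} -> {cmd}")
```

`npm ci --ignore-scripts` skips all of these hooks at install time; the audit tells you which packages you then have to build deliberately (typically native addons with an `install` hook) instead of trusting a postinstall step nobody has read.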
Even if your builders are downloading dependencies on the fly, you can and should force that through an artifact repository (e.g. artifactory) you control. They shouldn't need arbitrary outbound Internet access. The builder needs a token injected with read-only pull permissions for a write-through cache and push permissions to the path it is currently building for. The only thing it needs to talk to is the artifactory instance.
If you don't network isolate your build tooling then how do you have any confidence that your inputs are what you believe them to be? I run my build tools in a network namespace with no connection to the outside world. The dependencies are whatever I explicitly checked into the repo or otherwise placed within the directory tree.
You don't have any confidence beyond what lockfiles give you (which is to say the npm postinstall scripts could be very impure, non-hermetic, and output random strings). But if you require users to vendor all their dependencies, fully isolate all network traffic during build, be perfectly pure and reproducible and hermetic, presumably use nix/bazel/etc... well, you won't have any users.
If you want a perfectly secure system with 0 users, it's pretty easy to build that.
I'm not suggesting that a commercial service should require this. You asked "In what world do you have ..." and I'm pointing out that it's actually a fairly common practice. Particularly in any security conscious environment.
Anyone not doing it is cutting corners to save time, which to be clear isn't always a bad thing. There's nothing wrong if my small personal website doesn't have a network isolated fully reproducible build. On the other hand, any widely distributed binaries definitely should.
For example, I fully expect that my bank uses network isolated builds for their website. They are an absolutely massive target after all.
Most banks and larger enterprises do exactly this. Devs don't get to go out and pick random libraries with out a code review and then it's placed on a local repository.
There are just far too many insecure and 'typo' malware to pull off the internet raw.
This is npm with all dependencies stored in a directory. Check them in. You do code review your dependencies right? Everywhere I’ve worked in the last 10 years has required this. There is no fetching of dependencies in builds. Granted, this is harder to pull off if your devs are developing on a totally different cpu architecture than production (fuck you apple).
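The confidence a lockfile gives you (the comments above on vendoring, artifact repositories and checking dependencies in) comes from its `integrity` field, a Subresource Integrity hash of each tarball. This added example, which is not the thread's, todesktop's or npm's own code, verifies a directory of vendored tarballs against a package-lock.json the way a write-through cache or a network-isolated build step could before unpacking anything. The lockfile and the "tarballs" are constructed inline and are only a few bytes each, but the SRI format, the lockfile layout and the `npm pack` file naming are the real ones.

```python
"""Check vendored npm tarballs against the integrity hashes in package-lock.json.

Each entry under "packages" in a v2/v3 lockfile carries an SRI string such as
"sha512-<base64 digest>". Verifying vendored tarballs against it before a
network-isolated build unpacks them means a tampered or swapped tarball is
caught on the build host rather than silently trusted.
"""
import base64
import hashlib
import json
import tempfile
from pathlib import Path

# Strongest first; npm may list several space-separated hashes in one field.
ALGORITHMS = ("sha512", "sha256", "sha1")


def sri(data, algo="sha512"):
    """Subresource Integrity string for data: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def strongest_hash(integrity):
    """Pick the strongest supported (algo, base64) pair out of an SRI field, or None."""
    candidates = {}
    for item in integrity.split():
        algo, sep, b64 = item.partition("-")
        if sep and algo in ALGORITHMS:
            candidates[algo] = b64
    for algo in ALGORITHMS:
        if algo in candidates:
            return algo, candidates[algo]
    return None


def tarball_name(lock_key, version):
    """File name `npm pack` gives a package: '@scope/name' -> 'scope-name-<ver>.tgz'."""
    name = lock_key.rsplit("node_modules/", 1)[-1]
    return f"{name.lstrip('@').replace('/', '-')}-{version}.tgz"


def verify_vendored(lock_path, vendor_dir):
    """Map each dependency in the lockfile to 'ok', 'mismatch', 'missing' or 'no-integrity'."""
    lock = json.loads(Path(lock_path).read_text(encoding="utf-8"))
    results = {}
    for key, entry in lock.get("packages", {}).items():
        if key == "":
            continue  # the root project itself, never a tarball
        parsed = strongest_hash(entry.get("integrity", ""))
        if parsed is None:
            results[key] = "no-integrity"
            continue
        tarball = Path(vendor_dir) / tarball_name(key, entry["version"])
        if not tarball.is_file():
            results[key] = "missing"
            continue
        algo, expected_b64 = parsed
        actual = sri(tarball.read_bytes(), algo)
        results[key] = "ok" if actual == f"{algo}-{expected_b64}" else "mismatch"
    return results


def build_sample(tmp=None):
    """Write a constructed lockfile and vendor directory; returns (lock_path, vendor_dir).
    The package names, versions and tarball bytes are made up for this example."""
    tmp = Path(tmp or tempfile.mkdtemp())
    vendor = tmp / "vendor"
    vendor.mkdir()
    good = b"bytes of the helpful-utils 0.0.7 tarball as published"
    (vendor / "helpful-utils-0.0.7.tgz").write_bytes(good)
    (vendor / "acme-native-thing-2.3.1.tgz").write_bytes(b"tampered contents")
    original = b"original acme native-thing 2.3.1 tarball"
    lock = {
        "name": "app",
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "app", "version": "1.0.0"},
            "node_modules/helpful-utils": {"version": "0.0.7", "integrity": sri(good)},
            "node_modules/@acme/native-thing": {
                "version": "2.3.1",
                # Hashes of the tarball the lock was generated from, not of what is in vendor/.
                "integrity": sri(original) + " " + sri(original, "sha1"),
            },
            "node_modules/left-pad-ish": {"version": "1.0.0", "integrity": sri(b"never vendored")},
            "node_modules/local-link": {"version": "0.1.0", "resolved": "file:../local-link"},
        },
    }
    lock_path = tmp / "package-lock.json"
    lock_path.write_text(json.dumps(lock, indent=2), encoding="utf-8")
    return lock_path, vendor


if __name__ == "__main__":
    for key, status in verify_vendored(*build_sample()).items():
        print(f"{status:12} {key}")
```

`npm ci` performs this comparison itself on tarballs it downloads from the registry; the point of repeating it on the build host is that the tarballs there came from a cache, a vendor directory or a checked-in tree that someone else may have touched, and a "mismatch" or "missing" result should fail the build before any lifecycle script from that package gets a chance to run.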
> The miss here isn't that the build container had network access, it's that the build container both ran untrusted code, and had access to secrets.
If you're providing a build container service then you pretty much have to run untrusted code (the customer's) in the container, yes? So then the problem is really just the bad Firebase config... ?
There are plenty of worlds that take security more seriously and practice defense in depth. Your response could use a little less hubris and a more genuinely inquisitive tone. Looks like others have already chimed in here but to respond to your (what feels like sarcasm) questions:
- You can have a submission process that accepts a package or downloads dependencies, and then passes it to another machine that is on an isolated network for code execution / build which then returns the built package and logs to the network facing machine for consumption.
Now sure if your build machine is still exposing everything on it to the user supplied code (instead of sandboxing the actual npm build/make/etc.. command) you could insert malicious code that zips up the whole filesystem, env vars, etc.. and exfiltrates them through your built app in this case snagging the secrets.
I don't disagree that the secrets on the build machine were the big miss, but I also think designing the build system differently could have helped.
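The change the comment above argues for, sandboxing the actual build command instead of letting it see everything on the machine, as an added example that is not the thread's or todesktop's code. It runs the dependency-supplied step with an allowlisted environment, so a postinstall script can only read what you chose to give it, and on Linux inside a fresh network namespace via `unshare --net`, so a reverse shell has no route out. The sample host environment is constructed for the example; the variable names in it are the kind a CI runner typically carries, and the credential values are placeholders.

```python
"""Run the untrusted build step with a scrubbed environment and no network.

Fetching dependencies needs the network and a registry token; building them does
not. Doing the second step with only an allowlisted environment and, on Linux,
in an empty network namespace means a malicious postinstall or build script
neither sees deploy credentials nor has a route to send them anywhere.
"""
import os
import re
import shutil
import subprocess

# The only host variables a dependency-supplied script is allowed to see.
ALLOWED_ENV = frozenset({"PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "CI", "NODE_ENV"})
# Names that usually hold credentials; reported so you notice a build that relied on one.
SECRET_HINT = re.compile(r"TOKEN|SECRET|PASSW|KEY|CREDENTIAL|AUTH", re.IGNORECASE)

# Constructed stand-in for what a CI runner's environment tends to contain.
SAMPLE_HOST_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/home/ci",
    "LANG": "C.UTF-8",
    "NPM_TOKEN": "npm_0000000000example",
    "GOOGLE_APPLICATION_CREDENTIALS": "/home/ci/sa.json",
    "AWS_SECRET_ACCESS_KEY": "example/notARealKey",
    "BUILD_NUMBER": "4711",
}


def scrubbed_env(source):
    """Subset of `source` the build step may see."""
    return {k: v for k, v in source.items() if k in ALLOWED_ENV}


def withheld_secrets(source):
    """Dropped variables whose names suggest credentials, for the build log."""
    return sorted(k for k in source if k not in ALLOWED_ENV and SECRET_HINT.search(k))


def build_argv(cmd, isolate_network=True):
    """Wrap cmd in a fresh network namespace. `unshare --net` leaves the process with
    only a down loopback, so every outbound connect() fails immediately; the
    --map-root-user flag lets an unprivileged user create the namespace."""
    if not isolate_network:
        return list(cmd)
    if shutil.which("unshare") is None:
        # Fail closed: never silently run the step with network access.
        raise RuntimeError("network isolation requested but unshare(1) is not available")
    return ["unshare", "--net", "--map-root-user", *cmd]


def run_untrusted_build(cmd, cwd=None, source_env=None, isolate_network=True, timeout=1800):
    """Run cmd (e.g. ["npm", "run", "build"]) as the untrusted step; returns its exit code.
    If unshare itself fails (user namespaces disabled on the host), the non-zero exit
    fails the build, which is the safe direction."""
    env = scrubbed_env(os.environ if source_env is None else source_env)
    proc = subprocess.run(build_argv(cmd, isolate_network), cwd=cwd, env=env,
                          timeout=timeout, check=False)
    return proc.returncode


if __name__ == "__main__":
    print("withheld:", withheld_secrets(SAMPLE_HOST_ENV))
    # Harmless check that the scrubbing works: exit 0 means NPM_TOKEN was not visible.
    print("exit:", run_untrusted_build(["sh", "-c", 'test -z "$NPM_TOKEN"'],
                                       source_env=SAMPLE_HOST_ENV, isolate_network=False))
```

The fetch step (registry token, network) and the push step (write permission to the artifact path being built) stay outside this function; only the command that executes code from the dependencies goes through it. Whether the namespace can be created at all depends on the host allowing unprivileged user namespaces, which many container runtimes disable, so check that early in the pipeline rather than discovering it from a failed build.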
You have to meet your users where they are. Your users are not using nix and bazel, they're using npm and typescript.
If your users are using bazel, it's easy to separate "download" from "build", but if you're meeting your users over here where cows aren't spherical, you can't take security that seriously.
The simple solution would be to check your node-modules folder into source control. Then your build machine wouldn’t need to download anything from anywhere except your repository.
Isn't it really common for build machines to have outbound internet access? Millions of developers use GitHub Actions for building artifacts and the public runners definitely have outbound internet access
Indeed, you can indeed punch out from an actions runner. Such a thing is probably against GitHub's ToS, but I've heard from my third cousin twice removed that his friend once ssh'ed out from an action to a bastion host, then used port forwarding to get herself a shell on the runner in order to debug a failing build.
So this friend escaped from the ephemeral container VM into the build host which happened to have a private SSH on it that allowed it to connect to a bastion host to... go back to the build host and debug a failed build that should be self-contained inside the container VM which they already had access in the first place by the means of, you know, running a build on it? Interesting.
A few decades ago, it was also really common to smoke. Common != good, github actions isn't a true build tool, it's an arbitrary code runtime platform with a few triggers tied to your github.
It is, and regardless of a few other commenters saying or hinting it isn't... it is. An air gapped build machine wouldn't work for most software built today.
Strange. How do things like Nix work then? The nix builders are network isolated. Most (all?) Gentoo packages can also be built without network access. That seems like it should cover a decent proportion of modern software.
Instances where an air gapped build machine doesn't work are examples of developer laziness, not bothering to properly document dependencies.
Ya too many people think it's a great idea to raw dog your ci/cd on the net and later get newspaper articles written about the data leak.
The number of packages that is malicious is high enough, then you have typo packages, and packages that get compromised at a later date. Being isolated from the net with proper monitoring gives a huge heads up when your build system suddenly tries to contact some random site/IP.
Bingo. YouTube has a massive audience and builtin social aspects. Something will eventually go viral from this and draw customer acquisition to the WB platform.