The key insight is that the preempter can introspect the program counter of the code being preempted (which is now stable since it was preempted) and act accordingly. The simplest mechanism is to reset their program counter if in a critical section. The more generic mechanism is to jump them to a supplied address. This allows you to do things like hard abort and more.

You can further remove the need for the preempter to understand the preempted code by having the preempted code create a self-introspection code snippet and supplying that with the program counter at preemption. So the preempter just vectors them to their own code which knows how to interpret its own state at any preemption point.

And that is precisely what they said:

> Ideally people who don't care about secrurity [sic] should not write code when security matters.

The absence of legal consequences further supports the fact that it does not matter.

For instance, in Germany [1] collective bargaining agreements are agreements between employers and unions, and are only required to be applied to union members. Companys may voluntarily choose to extend those same benefits to non-union members. Despite the fact that unions are voluntary in Germany, they still have significant union membership as a whole and German unions are frequently held up as a good example of the benefits of unions to both workers and society which is evidence against the claim that it is necessary to legally enforce union membership.

[1] https://www.diw.de/documents/publikationen/73/diw_01.c.86564...

If you think you are part of that top percentage or even if you think that the union is not representing your interests, tough luck. It is illegal to quit or reorganize like-minded individuals to form your own that better represents you. To reform the union you need to get 50% of the members to vote for change instead of just forming a new, smaller organization that represents your interests.

This is in contrast to many European unions where you can choose to join because you think they provide worthwhile benefits. Or you can choose to not join because it does not. Unions need to compete on benefits to their members and are thus incentivized to provide better benefits.

> Starbase, a sprawling launch-and-manufacturing site that recently incorporated as its own Texas city, logged injury rates that were almost 6x higher than the average for comparable space vehicle-manufacturing outfits and nearly 3x higher than aerospace manufacturing as a whole in 2024, according to Occupational Safety and Health Administration (OSHA) data released in May.

Literally the second sentence which answers all of the questions you just posed and invalidates your accusations in the second paragraph. Geez.

Furthermore, you have gotten the burden of proof backwards. The default presumption is non-safety. The burden of proof is on insiders (who have all the access) to robustly demonstrate in a clear and convincing manner that things are safe, not on outsiders (who only have limited access) to demonstrate in a clear and convincing manner that things are dangerous.

So, please present your evidence that their injury or fatality rate is normal. Absence of evidence defaults to your claim it is safe being unsupported.

edit: codingdave comment has a more recent link that also determines 2023 and 2024 also had injury rates multiple times higher than industry average.

https://news.ycombinator.com/item?id=48214074

[1] https://www.reuters.com/investigates/special-report/spacex-m...

You are correct that there were Space Shuttle missions to the vicinity of the ISS until 2011. I was talking about ISS crew rotation missions where the last Space Shuttle mission was STS-129 in 2009. The Space Shuttle was still used for ISS assembly flights until 2011. I was using crew rotation missions to highlight that not just commercial satellite launches, but also one of the other important class of missions, crew rotation, also regularly used alternatives to the Space Shuttle disproving your point that the Space Shuttle had some sort of magical monopoly on launches and thus the only alternative to compare against.

You were the one arguing that alternatives cost over 100x more than SpaceX. Even deceptively comparing against the Space Shuttle you were still off by a factor of 3x and comparing against actual competitors your claim is off by a factor of 16x-30x. Your claim is egregiously wrong. Continuing to argue it means you are either completely ignorant or utterly biased or both. I am done here.

[1] https://datatracker.ietf.org/doc/draft-ietf-quic-ack-frequen...

And again, you do not seem to understand how percentages work. If I have a thing that costs 1,000 $ and I find a 99% cost reduction it is now 10 $. A 97% cost reduction means it is 30 $. That is a 3x difference. The difference between 1% and 3% is a factor of 3x. That is half of a order of magnitude right there and here you are claiming it is small.

So you are wrong on history, wrong on comparables, and wrong on math to defend a man who runs a company that is legally, and I quote a actual legal decision: a "greviously reprehensible... grossly racist workplace"[1]. But, you know, racism man good because he slightly lowered the cost of cruise ship internet I guess.

[1] https://www.govinfo.gov/content/pkg/USCOURTS-cand-3_17-cv-06... Page 31.

If you use the default parameters with such a implementation you will likely cap out at a pretty slow ~10 Gbps/core, but if you reduce the ACK frequency you can probably get to ~30-50 Gbps/core without too much trouble.

The Ariane 5, first launching in 2003 which is 7 years earlier than the first Falcon 9 launch, had a launch cost of ~150 M$ in 2015 with a payload to LEO of ~16,000 kg for a cost of 10,000 $/kg. The Soyuz-2, first launching in 2004 which is 6 years earlier than the first Falcon 9 launch, had a launch cost of ~35 M$ with a payload to LEO of ~8,000 kg for a cost of ~4,500 $/kg.

The truth is 3-6% of your claim of 100x cost improvement.

He had both the technical and executive authority to determine if the product was fit for customer usage. He had direct executive responsibility for the product on the road between 2017-2022.

If he, the lead architect and executive responsible felt the product was dangerous and then he was overridden, he can not get away with claiming he was “just following orders”, he had a moral duty to not sign-off or quit otherwise he is clearly complicit in deploying a dangerous product for his own self-enrichment.

When people talk about engineering ethics, this is literally a completely uncontroversial textbook example. The only way you accept this is if you do not want ethics in engineering.

Furthermore, he was extremely hireable with numerous job opportunitys available to him. He would not be destitute or even particularly worse off if he did quit for ethical reasons. Any self-preservation defense is also invalid.

[1] https://techcrunch.com/2017/06/20/tesla-hires-deep-learning-...

SpaceX Falcon 9 has a launch cost of 74 M$ with a payload to LEO of 22,800 kg for a launch cost of ~3,200 $/kg to LEO.

So you are incorrectly claiming that space launch costs were 320,000 $/kg. Elon Musk is a habitual liar, but you should try not to be one as well as it demonstrates your argument to be based in ignorance and deception.

Absent a misunderstanding on your part, the only way I can coherently interpret your argument is that you are arguing that the presence of kernel data structures mediating the handles somehow makes it not a capability system. That there is some background element mediating the validity of your capability representation and thus that is just a MAC layer; unless you can write the byte representation of your handle into memory and somebody else can read it out and then have access to that resource it is not a capability.

One, that allows forging capabilitys unless they are cryptographically secure against collisions.

Two, the actual essence of capabilitys is not being bearer tokens, it is non-construction. Capabilitys are derived from existing capabilitys, not manifested into existence. They have provenance. It is the OS equivalent of not allowing programs to cast arbitrary integers to pointers and thus manifesting pointers into existence which breaks basically every high level memory safety guarantee. You do not allow programs to cast arbitrary data into handles to resources which is what ambient authority systems effectively require.

In a capability system, you pass resource capabilitys to subsystems. You can not use resource handles that were not passed to you just like a function can not access variables that were not passed to it (except for explicit global variables.

In ambient authority systems, as a common example, you can just blindly convert what are effectively strings into resource handles (the metaphorical equivalent of casting integers to raw pointers). Your access is mediated by a orthogonal system that tells you which resource handles/pointers you are allowed to use. That is like having a program that runtime checks every pointer access is allowed instead of just preventing you from manufacturing pointers.

You coordinate across subsystems by naming certain resources in the global ambient space in a coordinated fashion (effectively a global variable which is basically just a named memory location in the common memory space). That way the subsystem knows the global you put their parameters/resources in.

While you can still program like that, everybody now knows it is a terrible way to live. Parameter passing and local variables with explicit global variables is almost always the way to go. That same lesson should be learned for operating systems.

I said that “protects against state actors” means the cost of finding a exploit as generally applicable and powerful as a zero-click RCE needs to cost on the order of hundreds of millions to billions of dollars per exploit to be problematic for state actors to field.

That amount of resources is a competent team of 100 skilled individuals finding zero zero-click RCEs after 3 years of full time investigation. That could credibly be called secure against state actors, though would still not be out of reach of a real military operation as a hundred million dollars is still just the cost of a single jet fighter.

[1] https://mansionengineer.com/2018/08/10/elon-musk-tesla-and-t...