* Posts by Michael Wojcik

12239 publicly visible posts • joined 21 Dec 2007

We never agreed to only buy HP ink, say printer owners

Michael Wojcik Silver badge

Re: This feels like an own goal...

Yes, I have a LaserJet 4M which I upgraded to a 4MP by stealing the PostScript card out of a broken one. It was purchased in 1992 and still works fine. Had to buy a USB-to-Centronics cable, and finding the Windows driver for the thing at Microsoft's graveyard-of-old-drivers website took a bit of hunting, but after that it works just fine with Windows 10, and of course driving it with Linux shouldn't be a problem (I haven't had a reason to try yet).

AWS must pay $525M to cloud storage patent holder, says jury

Michael Wojcik Silver badge

No, it really does not. DHTs are a specific family of data structures. They're not just whatever sort of distributed directory you happen to be familiar with.

Michael Wojcik Silver badge

Re: Plantents

Well, thanks for your expert and detailed analysis.

The bar for a patent is a mechanism which is 1) not already patented, 2) not clearly duplicated by prior art, and 3) not obvious to an ordinary practitioner in the art.

An ordinary practitioner. I'm quite certain that among a random sample of, say, a hundred software developers, very few would be able to tell me what a distributed hash table is. Do you know what a DHT is, without looking it up? Can you implement one, without doing some research?

Opinions are cheap. Try coming up with an actual argument.

Michael Wojcik Silver badge

It may be "notorious", but it's also incorrect. USPTO patent examinations typically take years and rarely result in a patent on initial review — most applications have to be revised and resubmitted. And USPTO has consistently denied around half of all submissions for years now.

I really wish people would stop repeating this bullshit argument, particularly without citing any evidence. Put up or shut up.

(I note you have no lack of supporters, which just demonstrates that most people are happy to endorse unsubstantiated claims. Hell, why think when you can just be angry, eh?)

Boffins deem Google DeepMind's material discoveries rather shallow

Michael Wojcik Silver badge

Re: S&M - Sales and Marketing

I vote for belief, hearsay, truthiness, gossip, religion, upvotes, wishful thinking, mythification, salespersonship, sophistry, scant evidence...

You and at least half of the American electorate, alas.

US 'considering' end to Assange prosecution bid

Michael Wojcik Silver badge

Re: Wikileaks

Wikileaks is just Cryptome for amateurs. Not the first, not the best — except at self-promotion.

Michael Wojcik Silver badge

You do realise it was Obama and Biden who went after him?

Oh, get a clue.

The IRTF which requested Assange's extradition was a DoD body. Obama was POTUS (just starting his first term; the IRTF was established in 2010 and met for about ten months), but this wasn't some personal vendetta of his. I don't see much evidence that Obama particularly cared, especially given Obama's commutation of Manning's sentence; the pursuit of Assange appears to have been primarily driven by the Defense and State departments, possibly spurred on by DHS and the intelligence agencies (though I suspect by that point they didn't much care either). And even then it was fairly weak, for example with Carr undermining his own task force's recommendation when testifying at the first extradition hearing.

And you hugely overestimate the influence of the Vice President here.

Assange is almost certainly very, very far down on the list of things Biden personally gives a damn about.

Michael Wojcik Silver badge

Re: “The Land Down Under's”

Meanwhile, OP apparently hails from the Land Down Voted. Congratulations on racking up that score, AC.

Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib

Michael Wojcik Silver badge

Re: sooo what [you're] saying is

Eh? An attacker who controls which libraries are used doesn't need to use a vulnerability. Controlling which libraries are used is an exploitable vulnerability.

Michael Wojcik Silver badge

And that's why CVSSv2 and CVSSv3 have Environmental score modifiers. The base CVSS score isn't terribly meaningful for users of a software package; it's more relevant for maintainers. Users should be recalculating with Temporal and Environmental values appropriate to their situation.

Michael Wojcik Silver badge

Right. It's more accurate to say that C implementations on Windows pick an approach, and then at least it's consistent for programs using that implementation; and because (as you say) C has been around on Windows for a long time, those implementations are more or less the de facto standard for argument splitting for programs running under cmd.exe, and they've been fixed for at least some of the corner cases. So other implementations, in whatever language, need to conform to what the major C implementations do for consistency and avoiding surprise, and they need to try to address those corner cases.

To answer OP's question: Calling out Rust in the headline was clickbait, pure and simple. It's just one among many. But since it's both popular and controversial right now, it'll attract more readers than, say, "Erlang fixes critical command injection bug on Windows". (JFTR, many security claims have been made about Erlang, too, and with some justification.)
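As an added example of the argument-splitting rules the post refers to (not code from the Rust project or any C runtime), here is a Python implementation of the Microsoft-documented CommandLineToArgvW/MSVCRT parsing rules together with the matching quoting routine that runtimes use to produce a command line those rules parse back correctly. The handling of `""` inside a quoted argument follows the modern CRT and is one of the corner cases the post mentions; and none of this addresses cmd.exe's own pass over the line when the target is a batch file, which is a separate problem.

```python
"""Windows command-line argument splitting per the documented
CommandLineToArgvW / MSVCRT rules, plus the inverse quoting routine.
Added example; not code from the Rust standard library or any C runtime."""


def split_windows_args(cmdline: str) -> list:
    """Split the argument portion of a Windows command line into argv[1:].

    Rules (Microsoft's documented CommandLineToArgvW behaviour):
      * space/tab separate arguments when not in quotes;
      * 2n backslashes + '"'   -> n backslashes, toggle in-quotes;
      * 2n+1 backslashes + '"' -> n backslashes + literal '"';
      * n backslashes not before '"' -> n literal backslashes;
      * inside quotes, '""' -> literal '"' and stay in quotes (modern CRT;
        older msvcrt.dll left quote mode here, a known corner case).
    argv[0] (the program name) uses simpler rules and is not handled here.
    """
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2 == 1:
                    cur.append('"')              # odd run: escaped literal quote
                else:
                    in_quotes = not in_quotes    # even run: quote toggles mode
                i = j + 1
            else:
                cur.append("\\" * nbs)           # backslashes are otherwise literal
                i = j
            have_arg = True
            continue
        if c == '"':
            if in_quotes and i + 1 < n and cmdline[i + 1] == '"':
                cur.append('"')                  # "" inside quotes -> literal quote
                i += 2
            else:
                in_quotes = not in_quotes
                i += 1
            have_arg = True                      # "" alone is an empty argument
            continue
        if c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
            continue
        cur.append(c)
        have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def quote_windows_arg(arg: str) -> str:
    """Produce text that split_windows_args parses back to exactly `arg`."""
    if arg and not any(c in ' \t"' for c in arg):
        return arg                               # nothing to quote
    out, backslashes = ['"'], 0
    for c in arg:
        if c == "\\":
            backslashes += 1                     # defer: meaning depends on what follows
        elif c == '"':
            out.append("\\" * (backslashes * 2 + 1) + '"')   # odd run -> literal quote
            backslashes = 0
        else:
            out.append("\\" * backslashes + c)   # backslashes before a normal char are literal
            backslashes = 0
    out.append("\\" * (backslashes * 2) + '"')   # even run so the closing quote still closes
    return "".join(out)


def join_windows_args(args: list) -> str:
    """Build the argument portion of a command line from a list of arguments."""
    return " ".join(quote_windows_arg(a) for a in args)


if __name__ == "__main__":
    sample = ["a b", 'c"d', "e\\", "", "tab\tx", 'x\\"y']   # constructed inputs
    line = join_windows_args(sample)
    print(repr(line))
    print(split_windows_args(line) == sample)
```

The round trip holds for the CRT rules only: if the program being launched is cmd.exe running a .bat or .cmd file, cmd.exe interprets the line before any CRT sees it, so arguments containing its metacharacters need handling that this quoting does not provide.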

Michael Wojcik Silver badge

Sigh. Expected stupid comments are expected.

I'd be surprised how many people think it's clever to make this "joke", if I didn't know people.

Michael Wojcik Silver badge

Re: Ha! Rust Is The Answer To All Our C Programming Security Issues?

"Rust", not "RUST". It's not an acronym.

It's 2024 and Intel silicon is still haunted by data-spilling Spectre

Michael Wojcik Silver badge

Re: 3.5 KB / sec

They extracted the shadow file, according to TFA. That's a pretty significant demonstration.

There have been many demonstrations of using side-channel attacks to exfiltrate sensitive data. The literature is full of them.

Michael Wojcik Silver badge

Re: As an outside observer...

Yes. And if you generate your own electricity you don't have to worry about attacks on the power infrastructure.

Michael Wojcik Silver badge

Re: As an outside observer...

Right. Also demonstrated in some ARM designs and in PowerPC — references are easy to find online.

The x86 ISA, with its deep pipelines, would be completely uncompetitive in today's world (and indeed decades ago) without speculative execution. Perhaps that would have been a better world (I'd be happier if Power or some ARM variant, or failing that Alpha or MIPS or SPARC, had become dominant); but it's not the one we live in, and discarding x86 will not happen quickly or comfortably.

And, of course, even those RISCier ISAs eventually got spec-ex because the performance gaps between CPU and cache, and between cache and RAM, are just too big. You want branch prediction and speculative loads and the rest, because otherwise your actual computational units just sit there much of the time waiting for data. This sort of thing hits deep-pipelined CPUs harder, but even the simplest RISC designs will run into it.

X fixes URL blunder that could enable convincing social media phishing campaigns

Michael Wojcik Silver badge

The poo-emoji response is gone...

... because journalists now know they can simply infer it, under the old rule that no news is poo'd news.

Intel CEO suggests AI can help to create a one-person Unicorn

Michael Wojcik Silver badge

One-person unicorn is a triumph

I think everyone's overlooking the obvious here. A one-person unicorn is a major win for AI. Current pantomime state of the art requires twice as many people for a unicorn.

Michael Wojcik Silver badge

Not me. I'm going to have an AI-based company which actually produces something. I'm thinking cryptocurrency scams.

Michael Wojcik Silver badge

Re: Billion dollar unicorn?

Or to put it another way: If readily-available machines are doing all the work, where's the moat?

Currently the answer seems to be "prompt engineering", but the size of that moat is directly proportional to the amount of work you put into it. There's no evidence yet to believe with any decent probability that there are "genius" or "extraordinarily creative" prompt writers. So if Hypothetical Single-Person Unicorn Inc is making a large profit, then Hypothetical Small-Team Unicorn Inc can just put a handful of people on prompt creation until they achieve a similar product, as you suggest. You'd need a prompt writer (or other form of AI wrangler) who's several orders of magnitude better than the average to have any sort of decent defense against near-instantaneous competition.

In industrial capitalism, there are four main forms of defense against competition: having more capital (and high capital costs as a barrier to entry); intellectual property; marketing and brand lock-in (so the market gravitates toward your product not out of intrinsic value over competition but for external reasons); and "market distortions" such as regulations and tariffs. AI's supposed promise is to destroy the first and largely destroy the second. The fourth is very difficult to apply against similar AI-based competition, because it's hard for the law to distinguish between you and your competitors and because the law moves slowly. That leaves only marketing and lock-in, and a deluge of cheaply-produced content will swamp marketing in noise.

Michael Wojcik Silver badge

Oh, many people have answers. Whether they're good answers is another question, but you can find plenty of links to pieces speculating about what a post-AI, post-AGI, or post-ASI economy would look like in, say, the LessWrong archives. Believe me, these topics are fiercely and extensively debated in some quarters.

There are plenty of people who claim that a post-AI economy will have so much surplus value that it'll be relatively trivial to distribute it among people who lose their jobs, in an extremely vague macroeconomic "rising tide" way with little in the way of specifics. That's generally the line that corporate AI boosters from Microsoft et alia take. Then there are the e/acc types who think we'll rapidly end up in a post-AGI and post-scarcity economy where there will be more surplus value than we know what to do with, and everyone will live in luxury courtesy of our AI overlords.

Post-ASI the economy is all paperclips, so no need to worry about it; no one will live to experience it anyway.

Some others, of course, are dubious about how much value will be produced, and/or about how it will be distributed, and/or about how well things will work out in general. Many of these are the same Debbie Downers who didn't think cryptocurrency was a great idea, or aren't sold on the obvious enormous benefits of the Internet of Things, or don't believe in the wonders of self-driving cars.

Despite two previous court victories, Tesla settles third Autopilot liability case

Michael Wojcik Silver badge

Re: NDAs

Geriatric-in-chief could be applied to either candidate.

Indeed. Trump, at 77, is 94% of Biden's age; the difference is irrelevant.

Most US Presidents were in office in their 50s and 60s. I think Eisenhower might have been the first to be in office at 70. Reagan was the first, and before Biden the only one, to be in office at 77, and that was his final year, and he was in significant cognitive decline. If you want to simply go by years of age, there's no reason to believe Trump is any less impaired.

The first several presidents served in their 60s, in an era when gerontological medicine didn't exist, we knew far less about nutrition, tobacco use was common, and so on. Conversely, most people were exposed to much less in the way of industrial pollutants — but there's still no reason to believe that the average person of, say, 65 years in the early 19th century was more mentally fit than the average 75-year-old is today.

The age argument against Biden and for Trump is vacuous and a sign that the person making it has nothing real to offer.

Michael Wojcik Silver badge

Re: NDAs

the complainant has to balance an NDA based payout and justice for themselves against a different payout, smaller or bigger, or nothing at all while holding to a principle of justice for all

And the psychological cost of enduring a trial, which for most people is considerable, while for most corporations is negligible.

Someone I know well took a settlement for precisely this reason. The case was nearly certain to go the plaintiff's way, but it just didn't seem worth the stress when the settlement being offered was decent.

Ex-Microsoft engineer gets seven years after trying to hire hitman for double murder

Michael Wojcik Silver badge

Re: Crappy plan

Nancy Brophy murdered her husband after writing a book about murdering one's husband.

A plan so cunning...

Techie saved the day and was then criticized for the fix

Michael Wojcik Silver badge

Re: I have done the air-con shuffle in the past!

Celsius is clearly the better system

Rubbish.

It's tied to some of the other SI units in a convenient fashion, true; but then Kelvin is superior, because it does away with negative values and the notion of "degree".

Fahrenheit made more sense when it was invented. It's based on two reference points which are 64 degrees apart, making it possible to graduate thermometers that used a linear mechanism by successive subdivision of the scale. Celsius was just arbitrary. And since Fahrenheit degrees are just a bit less than half the size of Celsius degrees, Fahrenheit offers more precision without specifying fractional degrees, which is useful for casual use.

There are only two things which recommend Celsius today: a zero which is at a temperature familiar to many people, which is convenient for some intuitive interpretation of temperatures on human scale but inconvenient for scientific or industrial purposes; and familiarity. While I would never suggest anyone switch to Fahrenheit — a scale that's no longer particularly useful, any more than Celsius is — there's little rational justification for Celsius either. If you're not using Kelvin, you're using something moderately foolish.

Oh, and: "boiling is when you see bubbles, not when your pot reaches 100°". Yes, exactly. Boiling is most definitely not when your pot reaches 100° (Celsius, at sea level), because of water's very high enthalpy of vaporization. When you reach the "boiling point" temperature you have a long way to go yet before boiling.

Michael Wojcik Silver badge

Re: I have done the air-con shuffle in the past!

Celsius is for children. Adults use Kelvin. (The mad use Rankine.)

Hotel check-in terminal bug spews out access codes for guest rooms

Michael Wojcik Silver badge

I have to admit, though, after reading it six times, I'm still really wondering just what OP means. It's like some sort of lock-related koan, but even with slippers on my head, I don't get it.

Michael Wojcik Silver badge

Usually there's a pop-up banner that notes the post is flagged for moderation, but it disappears pretty quickly. So, yes, if you were expecting to see your post and don't, it's a good idea to have a quick look at "My Posts". (That is, click the "My Posts" link. It's always a good idea to read my posts, of course, but carefully and with a quiet sense of awe, rather than quickly.)

Michael Wojcik Silver badge

Re: You know there's another key

Exactly. Hotel rooms are secure against casual attempts to gain entrance, at best. That's all they're designed for.

That doesn't mean we should ignore exploits like these — at the very least, they tell us something useful about the vendors (i.e. their secure-development practices suck). And publicizing this sort of thing will somewhat increase the pool of potential attackers; not everyone wants to social-engineer access to a room, or lift a keycard from a staff member, or what have you. But the actual delta in security for a typical hotel guest is fairly small.

VMware customer reaction to Broadcom may set the future of software licensing

Michael Wojcik Silver badge

Re: Actual Customer Defections ...

And one factor at play is that senior management often use applications strongly tied to the organization's DBMS, ERP, and other major software packages — but the virtualization system is pretty much invisible to them. Where they might resist ditching SAP in favor of something that would require them to learn a new interface, they won't much care about a switch that only the datacenter nerds need to understand.

Michael Wojcik Silver badge

Re: Know your customer

Honestly, I've heard more than one person say it's because they can drink more of it, since it contains relatively little alcohol.

(I don't drink beer myself, so I have no personal experience in the area. If I did, though, I doubt I'd drink Bud Light, because water is cheaper.)

404 Day celebrates the internet's most infamous no-show

Michael Wojcik Silver badge

Re: Its worse than you could imagine....

You're wasting your time. A certain type of person has been railing against the plain-text IETF protocols since they appeared, and always will. In this particular case we have some special nonsense ("stream to datagram" is both technically incorrect and rubbish anyway), but it fits the general case.

In any event, those who want a binary HTTP have had one for nearly nine years now, courtesy of RFC 7540 (since obsoleted) and HTTP/2. And those who want binary HTTP over a datagram protocol have HTTP/3, which runs over QUIC; that was standardized in 2022. A year ago, HTTP/3 accounted for around 30% of the traffic seen by Cloudflare, and another 60% or so was HTTP/2.

Michael Wojcik Silver badge

Re: Grot

Sure. You just need to check the output using your Linear A dictionary and grammar.

I'd lend you mine, but they're on loan to a friend in an alternate universe.

Michael Wojcik Silver badge

Re: A 404 is better than...

Yes. 404 exists for a reason. Don't show me some crap instead.

Personally, I've always found the "comical" 404 pages a bit annoying, too. I don't need anything more than a text/plain "not found". If you have something useful to add, such as an email address for the site admin, then I'll allow HTML (only). But to each his own.

Michael Wojcik Silver badge

Re: Train 404

I'm pretty sure someone at Microsoft thought that was an architectural specification when they were building Sharepoint.

Slightly related: I recently discovered a book of essays by Jerome K. Jerome in Project Gutenberg, and it's a good read as well. He also wrote a sequel to Three Men in a Boat called Three Men on the Bummel about a bike ride through Germany which is even more Top Gear-ish, and ends with a fascinating pre-war chapter on the German character; I wonder if JKJ reflected on it when he was an ambulance driver in France during WWI.

Michael Wojcik Silver badge

Re: It's in octal

Look them up? You don't have local copies? RFC 9110 and 9112, for HTTP/1.1. (HTTP/2 and later can go die, as far as Poul-Henning Kamp and I are concerned.)

The concept of the first digit of an ASCII 3-digit result code indicating the result category is older than HTTP, of course. FTP did that, and it may well not have been first. It's a Good Idea.

So there are only four errors that "come before" 404; there are no HTTP response codes < 100, the 100 series is for pre-responses (notably 100 Continue), the 200 series is for success, the 300 series is for redirection. It's sensible that 400 (Bad Request) and 401 (Unauthorized) come first, even if 401 should be called Unauthenticated (because authz and authn are different things, damn it). 402 (Payment Required) is an aberration and should never have existed, but you'll have to take that up with TBL. 403 (Forbidden) is the one that actually typically means "unauthorized", and again it makes sense to have it come before 404.

There's also the "even more 404" result code, 410 (Gone). You don't see that one very often. And the tragic case of 418 of blessed memory. And 419 and 420, and 423-425, which are just ... not found.

German state ditches Windows, Microsoft Office for Linux and LibreOffice

Michael Wojcik Silver badge

Re: Outlook/Exchange ?

It's widely reported. I've seen it happen myself. Maybe you aren't everyone?

Michael Wojcik Silver badge

Re: Outlook/Exchange ?

Yes, I'm the one that mentions CAD because our office runs CAD software, (3) 3D printers and (1) 3D milling machine. All but one run on Windows, exclusively. I'm the photographer / graphic designer of the outfit, so I use the Adobe suite - again, Win/macOS only.

Here's a tip: Your situation is not universal.

Michael Wojcik Silver badge

Re: Outlook/Exchange ?

My, this story has brought out the hard-of-thinking.

GP's post said explicitly to use a VM-hosted Windows for required applications that are only available on Windows. Linux would still be used on end-user machines for all other applications, including the ones most users use for the vast majority of their work: browser, email, "office" suite, virtual meetings, etc.

Michael Wojcik Silver badge

Re: Outlook/Exchange ?

The Outlook PWA (Outlook Web Access or whatever they're calling it now) is fucking horrible. Absolutely abysmal usability. I've had to use it on several occasions due to hardware failures on my primary machine, and it's just dreadful. It makes desktop Outlook seem ... well, not as bad.

It also lacks the Journal feature of desktop Outlook. While Microsoft have largely abandoned that, it's still present, and it's useful for time- and activity-tracking.

And it orphans the quite large historical archives of email in PST files that some users have.

Ivanti commits to secure-by-design overhaul after vulnerability nightmare

Michael Wojcik Silver badge

Re: How many of the previous owners knew / didn't know about the PulseSecure problems???

Reports in SANS and elsewhere made reference to "old PHP code" and that sort of thing, which certainly doesn't inspire confidence.

Michael Wojcik Silver badge

Re: Ancient Joke

Damn it, now I have the image of an anime character yelling "Supply Chain Attack!" [1] before unleashing his formidable Solar Wind [2] power stuck in my head.

[1] サパーライー・チェーイン・アタックー!! ("Supply Chain Attack!!", drawn out in katakana)

[2] ソーラー・イーンドー! ("Solar Wind!", likewise)

Michael Wojcik Silver badge

Actually I think Ivanti has only been a "security software" firm since 2013, when LANDESK acquired Shavlik. Though I guess a decade counts as "long-time" in this industry. And LANDESK has been around in one form or another since the mid-1980s, so the corporate culture really ought to have had time to optimize a bit toward safer software.

(Yeah, glass houses. I know. I am reminded daily.)

Michael Wojcik Silver badge

Re: They still have customers?

A good point. Most of the VPN appliance products seem to regularly rack up CVEs. Remember that fun Fortinet SSH backdoor back in 2016?

VPNs are part of defense in depth, but you want a lot of depth.

Michael Wojcik Silver badge

Re: They still have customers?

Might be a more attractive target than Ivanti Secure Access, though.

Tech titans assemble to decide which jobs AI should cut first

Michael Wojcik Silver badge

Re: Bollocks

Yes. LLMs by their nature tend toward low-information, highly-expected output. They're great for producing Grammarly-style vapid, soulless text absolutely devoid of interesting style. There's been some suggestion that the proliferation of mediocre writing will increase the value of good writing, but that rarely happens in other industries — usually mass-produced crap drives out quality, because the market doesn't care enough. It's entirely possible that decent prose will become as rare in the not-so-distant future as decent handwriting is today.

Michael Wojcik Silver badge

Re: Bollocks

My immediate and second managers actually perform quite a few useful functions for me, such as cross-team coordination, mediating disputes, putting pressure on unresponsive corporate functions (hello, IT!), and perhaps most importantly running interference on time-wasting distractions.

YMMV, of course. And I don't work for IBM — haven't since 1991. I suspect that Krishna could be replaced with an LLM without much impact. Or even with a state machine that loops through Lay off workers -> Big up new technology -> Buy back stock until there's nothing left.

Google ponders making AI search a premium option

Michael Wojcik Silver badge

Re: Great Idea

Shrug. They're poor now. They're still faster in most cases than going to the library and grubbing through the Reference section.

Not that I oppose the latter option, mind you — I largely agree with Krakauer about competitive cognitive artifacts, and with Carr about acquired stupidity. And I have several shelves of reference books behind me that I frequently consult, and a lot more in softcopy. But there's an occasion for real research, and an occasion for "just remind me of something I already know".

Of course, for the latter, regular keyword search is far superior to conversational interaction with an LLM. Agrawala did a good ACM presentation on why conversation is a lousy UI. Chatting with machines is not a good way to get work done, and significantly misunderstands why and how humans use natural language. (I agree with Davidson and Rorty on how natural language works.)

Michael Wojcik Silver badge

Re: Good luck

It's entirely possible that demand will rise if they start charging. Years ago when I was on the board of a non-profit, someone claimed that charging a small amount for a service that we could provide for free gave it credibility in potential users' eyes, and they'd be more likely to use it. That seemed to be subsequently borne out by experience.

In essence, charging money for something can be a form of value signaling to the market. It's sort of the small-scale version of a Veblen good.

Michael Wojcik Silver badge

Re: AI - No thanks!

Exactly. "Premium" is just another word for "opt in". And "haha fuck no" is another phrase for "no thanks".