Posts by Steve Hersey

The simple solution to ensuring that X complies with EU law

would be to just block X domains EU-wide until they come into compliance. Hit them where they hurt, and dispense with chump-change fines that they'll never pay anyway.

It's the shutdown, riiiiight...

The party in power with majorities in both houses of Congress has, <checks notes> failed to pass a budget despite ALREADY having gotten a several-months extension (that first continuing resolution) to give them extra time to do it, and all the while has been systematically destroying security resources. But somehow it's the party NOT in power that is to blame?

Pull the other one, sirrah, for it hath got ye bells on it.

Defensive use of profane user dialogs

Many years ago, when I wrote a thoroughly annoying remote access program for a portable flowmeter, I had the problem that Sales insisted on testing the unreleased beta versions, but ALSO refused to abide by the "don't give out the beta test version to customers" requirement. Even adding a big splash screen with "INTERNAL TEST ONLY, NOT FOR CUSTLMER RELEASE" didn't help.

Plagued by complaints that the beta didn't do X or Y (which, of course, weren't implemented yet!), I added a profane version of the "NOT FOR CUSTLMER RELEASE" warning to the splash screen.

Naturally, a sales rep immediately gave it to a customer, and complained bitterly on his return to the office. I calmly explained to management that Sales had been repeatedly warned not to distribute unreleased versions, the salesman thus knew he was not supposed to do so, and therefore the consequences were entirely his own fault.

I had to remove the profanity from the message, but the point was made and Sales behaved themselves for a while thereafter.

What makes you think you'll stop getting those heavy-handed "reminders?"

It's perfectly plausible that Microsoft's last or near-last "update" will set that cursed nag screen to reappear endlessly at random but frequent intervals once support ends. It would definitely be on-brand for them.

The Trumpians have never yet hesitated when it comes to destroying irreplaceable things.

With that in mind, I wouldn't expect this crew of incompetent shitweasels to let the inevitability of horrendous damage to a one-of-a-kind artifact stand in the way of their egos.

Justice for some,,,

"Today's sentencing demonstrates that anyone who helps others profit from theft, fraud, and other cybercrimes is not out of reach."

Unless you're a GOP supporter or a member of the Trump administration.

He has a good point, but gods below, some of this isn't news.

"...that approach is necessary because technological development is now so rapid it’s no longer sensible to expect that studying narrow skills can sustain a career for 30 years."

50 years ago, on the advice of my physics professor, I decided that studying narrow skills wasn't a sensible career choice, got a degree in Engineering Physics instead of straight EE, and became more of a generalist. I did wind up specializing along the way, but that was more adaptation in the presence of opportunity than specialization beforehand. It was a good idea then, it's a good idea now.

And yes, failing to foster the development of new talent is a dead-end proposition, whether you supplant them with AI or outsource the jobs to sweatshop developers in Asia. It always has been.

Contextual awareness? Piffle.

Well, that second word is the key here, isn't it? LLMs don't *have* awareness, they're just spicy autocomplete, so "contextual awareness" is fundamentally out of the question. Any researcher recommending that is falling into the trap of imputing capabilities that an LLM cannot, does not, and never will have.

netizens aren’t aware LLM-powered chatbots can get things wrong

Gods below, people really ARE too stupid for words.

Lots of trouble with lunar laser rangefinders lately...

ISTR that several of the recent failed landings involved trouble with laser rangefinders. I wonder if they're underestimating the amount of dust kicked up in low gravity by the descent rocket's exhaust plume, or its optical properties? That could certainly interfere with a time-of-flight range measurement.

Seems too obvious to overlook, but who knows.

"It had no idea it had fabricated the log."

Of COURSE it had no idea. AI programs are not capable of having ideas.

Never trust them.

"basically kill the AI industry in this country overnight"

I'm good with that. Please proceed!

I once coded APPROPRIATE profanity in a splash screen.

Decades ago, I worked on a truly awful project building an app to talk to a portable instrument.

The entire software spec was, "We want it to talk to the flowmeter." Predictably, it just got worse from there.

There was a series of internal-only test versions; predictably, sales, who were expressly forbidden to give them to customers, did exactly that, and demanded that I support these incomplete test apps.

I responded by incorporating a special splash screen in the next test version that read, more or less, "INTERNAL-ONLY <EXPLETIVE> TEST VERSION, NOT FOR CUSTOMER USE."

To the utterly predictable howls of outrage from sales conveyed to my manager that this was inappropriate language to expose to customers, I responded by by pointing out that internal-only test versions were never supposed to be given out in the first place.

So after January 20, ...

The Orange One will have a phone call with Chinese leadership, they'll assure him there's nothing to this and also they've stopped doing it, then he'll announce victory and close down the government part of any security efforts.

And then we're well and truly fucked.

This is like using a police siren on an ice cream truck.

These folks need to be punished.

And we need to vastly expand the ability of agencies to impose meaningful penalties on corporate violators, especially large ones. F'rinstance, statutes could set the maximum fine as a percentage of the offender's assets, with a floor for the maximum fine to deter gamesmanship.

There are two fundamental problems here.

One: Generative AI is irredeemably crap. There's no way LLM tools can possibly replicate human judgment, filter for truth in any reliable way, or stop parroting obvious BS because it's on the Internet. To an LLM, Donald Trump's statements are equally valid input to Kamala Harris', and Fox News stories are as valid a source as NPR. Expecting sense from these tools is a fool's errand.

Two: There are lots of people intent on making money off these things, and determined to convince us all that they can do what they clearly cannot. There are also people who want to (mis)use these tools to get rid of those pesky, expensive human employees and make their quarterly financials look better. AI chatbots instead of human tech support, f'rinstance.

Problem one is a technical question; problem two is a social and ethical one.

I did that to a Sun Ultra One station once...

About 25 years ago, my US employer provided weather satellite instruments to the European Space Agency, and I did on site ground support, which included setting up the instrument test console; a Sun Ultra One if recollection serves me. The test control room was wired for 220V 50 Hz, and after procuring the relevant power cords with Schukosteckers, I connected the Sun monitor to the mains - having first verified that it was automatically dual-voltage agile, and didn't require a switch.

Alas, I then neglected to verify that the CPU was ALSO auto-adaptive. (The nameplate said 105-230V AC, 50/60 Hz - we checked that before shipping it - so we were good, right?). Plugged it in, flipped the switch, and POP! Oops. Dead, smelly PSU. The CPU DID have a selector switch. which was, of course, still set to 110V.

Fortunately, I had good relations with the local techs, and even more fortunately, the PSU was a standard PC type. We made a quick trip to the local Mega store, where I bought a replacement and swapped it in. Mission rescued. (I think we first temporarily pillaged an idle Sun workstation for its PSU so I could get the console up and running, verifying that the rest of the station hadn't died as well.)

Never made THAT mistake again.

Ironically, some of the other instrument contractors were using 110V-only computing gear, and had a separate AC supply through a stepdown transformer. Which I didn't use, since the Sun station was dual-voltage capable.

Even not-so-nice people can be cheated.

Here's hoping the shady contractor is permanently beggared, even jailed. While reading that someone like Altman has been cheated is good for a moment's Schadenfreude, I'd prefer for the cheating contractor to be doing most of the suffering.

Interesting, but frustrating.

It seems that the Github Web interface provides no way for the user to identify what server version is running. "About" and "Status" redirect to generic GitHub pages. Kinda pathetic.

They missed an opportunity

They should have named this feature "Panopticon."

The obvious but largely unmentioned part: We're just going to have to moderate our power demand.

I find it curious that the discussion of renewable energy generation doesn't seem to include one blazingly obvious aspect: The world, and in particular the rich, highly industrialized countries, are going to HAVE to become much more economical in our use of energy in general, and electricity in particular. We simply cannot endlessly consume ever-increasing amounts of power and expect to survive. Nor can we demand that developing nations economize where we do not; that's a recipe for failure, massive unrest, and mass migration.

The US in particular (and probably China, but I'm less sure of that) could do much better in energy efficiency. When I've been in Europe, folks there seem to be much more conscientious about energy use in general, as illustrated by simple things like not lighting unused spaces. I've seen more motion-sensor lights there than I ever saw in the US.

Human civilization will not survive climate change without getting serious about energy use, and this is going to mean making do with less, especially for rich and powerful nations. That is an uncomfortable truth as well as a very hard thing to sell politically, but it IS a truth. Fortunately, there are signs that people are becoming aware of that fact and are willing to make necessary sacrifices, IF they see that process as equitable and fair.

Sounds like a good time for a union organizing drive

If not an unfair labor practice complaint. Demanding that folks return on site isn't improper per se, but if it's being used to trim the workforce in discriminatory ways, they're courting a court appearance.

Video is rather unimpressive.

We see a tracked vehicle tooling around in open country, over uneven ground that the vehicle chassis can obviously just bull through without navigation assistance. We do not see it maneuvering among anything I would call an obstacle, even to a vehicle that couldn't just drive right over medium-sized shrubbery.

There may well be high-performing autonomous systems here, but the video shown doesn't substantiate that proposition.

Summary of the quarterly earnings call

"Look! A monkey!"

Nothing, not even free rides, could persuade me to trust myself to one of this man's robocabs. That's even assuming they ever happen, which I think is highly unlikely.

NPR reports that he's planning to achieve low manufacturing cost by using a "revolutionary" manufacturing process where almost the whole body is cast in one shot. Surely I cannot be the only person thinking "This isn't going to be as quick or as cheap as he seems to think. Process revolutions never do."

"The takeaway here is obvious: Keep training people not to click those phishing links!"

Obvious, but also obviously NOT ENOUGH. You can reduce the incidence of your staff being phished, but you *cannot* totally eliminate it. Therefore, you cannot responsibly base your cybersecurity strategy on that assumption.

For those few of us readers who may not already understand that point, defense in depth and robust intrusion detection and response are essential.

Also essential, if perhaps a tad less obvious, is NOT shaming the phished victims into hiding the fact. That just helps the bad guys. Establish an infosec culture of *immediately* contacting Security, and of Security responding immediately in a supportive manner. No blaming, no shaming. THAT way you get the fastest possible notification that you've been attacked, and you stand the best chance of minimizing the damage.

Sure, you may get some false positives this way, but that is far outweighed by the benefit of quick and effective detection.

OK, so you MAY need to shame some C suite idiots into being more careful and more forthcoming, but that's a tool to be used sparingly and with great care.

Edit, please.

After being adopted by cybercriminals, law enforcement quickly became effective at tracing the owners of Bitcoin tokens through analysis of blockchain transactions.