Posts by T. F. M. Reader

Re: Never understood certs

You are not alone. You simply can't understand certs in terms of security or privacy. They are not about either. They are about (scalable) trust. Before you even consider the question whether amazon.co.uk are jerks or you can really trust them to deliver the goods after you paid them you want to know that they are, in fact AMZN. If you don't believe that you shouldn't give them any money even over a secure channel.

Your bank might be run by some jerks whom you don't even know. The cert of the bank's site does not make them righteous or trustworthy. The only thing it does - or, rather, tries to do - is assure you that it is your bank you are talking to. You need to trust every single jerk in the certificate chain to believe it. In practice you trust the browser maker to do the checking for you, automatically. If you don't trust one of those jerks it is possible to revoke the corresponding certificate and your browser will warn you about anyone who presents that jerk as a character or identity reference.

As far as I understand the proposed law will break that trust completely. The cert can be used to make you believe that a jerk you are really talking to is the righteous and trustworthy person you think you are talking to. And you can't revoke the (trust in the) cert. From this point on you can't trust any communication whatsoever: you no longer can trust your browser maker to do the checking because they would be breaking the law by doing that. So you can't trust anyone's identity. The trustworthy guy you want to talk to is still trustworthy, you just don't know it's him on the other end of the line.

Security - including password security - is derivative. You can encrypt everything you send, but if you don't know whose key you are using you don't know who the man in the middle might be.

Your only solution in such a situation is to meet the guy you trust in person, verify that it's him (knowing him personally will help, checking his ID card or driver's license or whatever will help only if you are sure that the security services - or another resourceful organization - didn't send someone with a fake document), and exchange keys. Then you will be able to communicate securely and privately without any certs. I remember the times when it was done routinely, in F2F meetings. Not scalable, either for AMZN or your bank, and extremely difficult, bordering on impossible, even after the key exchange if either of you has resourceful adversaries (it's a great intellectual exercise to figure out how difficult assuming you have to deal with MI5/MI6/GCHQ or CIA/FBI/NSA or some other alphabet soup).

Re: a Polish AI ad biz owner

Not if is done in the name of the church. Sort of like the Spanish Inquisition.

I didn't expect that!

Re: Jira is the single source of suckage

I am a Red Hat user both at work and personally, and have been for many, many years. I have many years of experience with Bugzilla and JIRA. I have been through a few Bugzilla-to-JIRA transitions. I can only regard them as complete madness.

The "suckage" link above is good, but it's mostly about UI/UX (not only). JIRA was apparently created by people who don't understand SW development and failed - or never took - data structures at college. The most important (the only really important?) relationship between tickets is what blocks what - that determines a partial order. The appropriate data structure is a tree (or, more generally, a lattice). Bugzilla, with a simple plugin, allows one to view the dependencies graphically, as a tree, which is immensely useful. JIRA diesn't - I've been looking for years for the feature since it is so useful.

Bugzilla search and filtering is a lot saner, too. Usually no quasi-SQL queries are involved (not a big problem for me, but too often I've seen managers ask developers to create and save useful JIRA queries).

As the above link mentions there is no real difference between tasks, bugs, stories, etc. They are all things you need to do. The workflow is exactly the same. They can't really be treated differently by anyone. Inexperienced product managers often decide to make features to be developed "tasks" and bugs to be fixed - "bugs". They can't avoid mixing them, however. E.g., one can't prioritize them separately: for each new release there is a bunch of features and a bunch of fixes that customers are waiting for that will consume the same (human) "resources". If any need to be deferred or discarded - which?

And it what may be the biggest (or at least most annoying) workflow problem of all (if it was mentioned in the UI/UX link I missed it): both Bugzilla and JIRA notify you of changes/comments/etc. by email. So you get an email and see someone's comment - what do you do? With Bugzilla you can just reply to the rmail you've just got, keeping the necessary context, and your response will appear as a comment in the ticket. If you send a mail to someone or a group of people, even customers, that is related to a ticket you can just Bcc Bugzilla and add the ticket number in the subject you mail will appear as a comment, etc.

With JIRA you need to switch the interface (between mail and web), possibly more than once, just to react to a comment. In my case, since I work mostly on Linux (yes, mostly Red Hat), but for reasons of "organizational compatibility" (compatibility done backwards, of course) I do mail and some other administrative tasks on a Windows VM I need to switch VMs, virtual desktops, etc. Terrible waste. To be fair, you can email JIRA and make some garbage appear as a comment, but it will be malformed garbage. I have tried using JIRA's markdown to improve formatting - it didn't work.

In short, while it is possible that Red Hat can make it work with a tonne of customizations, etc., I think they are still mad to make this move. Or maybe just not forceful or effective enough to LART some sense into their IBM-minded bosses. Disclaimer: I am a former IBMer as well, and I did run undeclared team/department git and Bugzilla servers there. Well, before JIRA was a thing you could use. Besides, maybe it was just easier in Research.

Re: AI is EVIL….

head of one of the most abhorrent organisations that has ever existed

The organization that promised not to do EVIL in not so distant past, you mean?

"Presumably, the idea is that users will run it full-screen."

Good luck with that on a Mac.

Especially on a Mac with a couple (or more) external monitors. Bring any application - say, a browser - to full screen on one of the displays and the others will go totally black. Used to annoy the hell out of me when I had to do stuff on a Mac - I wanted my VMs in full screen in Mission Control (Apple's lousy - unless you come from Windows - implementation of virtual desktops) and it was very frustrating.

Re: The what?

predict the future of X.com

Predict the future of X.com? Or the past?

Re: Apatite

Superconducting teeth!

The horror.

Or a new Bond movie?

If Meta owns a trademark on X in the context of Social networks, surely then Twitter rebanding to X is going to infringe their trademark?

What's another lawsuit between friends?

Re: "The San Francisco AI startup"

I think "startup" usually refers to a company that still burns early investors' (typically VCs') money rather than lives off sale revenues. A startup may have products and generate revenue, but is not self-sufficient. While there may be a reasonable time limit on the term I don't think 8 years is all that long, especially in an entirely new and unproven field (not "AI" but this particular niche of it, I mean).

Re: Quelle surprise

Status meetings are never about the status of the project. They are about the status of the manager.

Re: Deja vu all over again

Deja vu = all over again

Not for any of the teams Yogi berra played for.

Re: Oh, the humanity!

Bravo Bing!

Not bad at all. To sound more human-like I'd say "sono Bing"[*] ("I am Bing") is marginally preferable to "questo è Bing" ("This is Bing") that sounds a bit like Google Translate from American - oh, what am I saying?!?!? Come to think of it, "Posso capire" has a similar smell - sounds fluent in English but, to my ear, not the most natural in Italian. I may be wrong, or biased, or hallucinating...

But seriously - not bad.

@katrinab: I guess it can indeed understand Italian - I suppose it can recognize Italian and apply the same "stochastic parrot" algorithm on whatever Italian sample it ingested during training.

[*] Can Bing be configured or trained to sound as Inspector Montalbano: "Bing sono..." ? I think it would be cool... ;-)

I think that's the main driver of compliance business, from companies like CyberArk selling you a lot of words and a checkbox to scorecards and certifications from the likes of MITRE.

The actual value of those things is somewhat limited. E.g. CyberArk will say a lot about preventing another Snowden but in practice their methodology would be unworkable in any organization and what they really sell is a checkbox (I got this admission from a pushed-to-a-corner employee, who shall remain anonymous, at one of their customer conferences). MITRE will gladly take your money (for their non-profit purposes, of course, a.k.a. drive compensation up enough and you won't have any profits) for testing you, but they generally tell you in advance what they will test. Etc., etc.

However, to qualify for cyber insurance you need some acceptable - to insurance companies who are not cyber experts themselves - and independent benchmarks that will let you qualify for sane premium rates, and this is where compliance companies and organizations like MITRE come handy. You will pay through the nose to the former and you will demand the latter's scores from security vendors (who will pass their MITRE costs to you) to get lower insurance rates and mitigate risks if something bad happens. Just cost of doing business.

With this decision, consider buying compliance stock?

Re: What a future

I assume in the future "programmer productivity" will be measured in KLOC/sprint or something. As opposed to today's infinitely more reasonable measure of... Hold on...

I have lost count of how many times I told various people around me that software engineers are not paid to write code. They are paid to think. Writing code is trivial effort in comparison.

An LLM can't help you think. Optimizing a trivial part of the overall effort is, to paraphrase Donald Knuth a bit, "the root of all evil".

the forlorn hope that trade would somehow lessen Russia's expansion tendencies

Forlorn indeed, considering that Germany's largest trading partner in 1938 was France.

Re: makes a smidge of difference

He didn't do it for money.

So, it's not the first of the 4 main reasons for betrayal (MICE: Money, Ideology, Coercion/Compromise, Ego), but it well may be the last.

Re: Where were the plastic police?

designed to not kill us in an earthquake

That's what you hear in California. When you ask a Californian why they build from the same papier-mâché in the Carolinas where there are no earthquakes but lots of hurricanes the answer is, "Oh, there they can't afford better materials." Seriously, I had this conversation with a Californian. [Disclaimer - he said that, I am only reporting it.]

The real answer is, of course, Hollywood requirements: movie scenes where a car smashes right through a building, emerges on the other side, and continues on its way with barely a scratch look quite realistic and can be shot on location.

It's the largest war since WW2.

I can only assume you mean, "in Europe".

How does one determine the "scale" of a war? The death toll is one criterion (certainly a lot more people are involved or affected than dead). The Korean War, the Vietnam Was, and the Soviet invasion of Afghanistan all had a much higher death toll than the Russia-Ukraine war, all happened after WW2, and all are very well known indeed. But even at the same time with the Russia-Ukraine war the Ethiopia-Tigray(-Eritrea) conflict has killed a lot more people (and more again if you count the Ethiopia-Eritrea war ~20-25 years ago - that alone probably caused more deaths than the War in Ukraine so far). It just doesn't dominate our news cycles. I have no idea whether Norwegian ammo is involved, either - for all I know the weaponry may be primarily Russian/Chinese.

The war in Ukraine is horrible, don''t get me wrong. The point is that it still fails to give one quite the full picture of the horrors of either the past or even of today.

Re: Needs A Re-write......

Has there ever been any proof of this beyond an article in one publication?

Not that I know of. The report (multiple reports, but they were repetitions) were quickly disparaged. One big reason was that it is not enough to sneak a chip onto the board - it must do something detectable to do something useful, e.g., phone home, respond to external connections, etc. Nothing of the kind was ever detected on sites that were allegedly subject to the HW supply chain attack, and those sites deployed IDSs of various kinds. Those were serious players, Amazon among them IIRC (I don't recall who else, it should be relatively easy to dig up).

This is a general weakness of these HW supply chain conspiracy theories. It is possible to place an extra chip on a board, it is not quite so feasible to keep what it does undetectable, even without super special means.

Now, if Huawei, ZTE, etc. have their equipment installed on every street corner and o military bases and in Matt Hancock's office and no one checks what they send to the mothership there may be a problem. There is no contradiction.