Posts by thames

Taiwan placed their main bet on the AztraZeneca vaccine, with that to be half of the total ordered vaccine supply. The other half was split between Moderna and Biontech.

They got some AstraZeneca type vaccine from the South Korean licensee, but the big global exporter was supposed to be India, who aren't exporting any now. Europe refused to export any to them (or to anyone else).

The US cut off exports of Moderna and only a trickle was coming out of Europe to anyone.

Biontech have a 50 - 50 joint venture with a Chinese company called Fosun to cover the China, Taiwan, Hong Kong, and Macao markets. This is comparable to Biontech's joint venture with Pfizer for the rest of the world.

Fosun are providing the money and Biontech providing the technology to produce the Biontech vaccine. Fosun also handle sales, and they have imported vaccine from Biontech for the Hong Kong market already. Fosun's own plant is expected to be ready to ship vaccine this summer.

Fosun have said they are happy to sell vaccine to Taiwan, but the Taiwanese government won't talk to them because it would be a political hot potato to spend tax money on vaccine bought through a Chinese company.

Taiwan tried to buy directly from Biontech, but Biontech told them to go through the local sales agent, Fosun. You have to remember that for Biontech, vaccine is a business and they aren't going to tear up their contract with Fosun in order to please the political sensibilities of Taiwan's government.

Taiwan also put a big bet on developing domestic vaccines, but those have taken longer to develop and go through trials than expected.

Taiwan, Japan, Australia, New Zealand, Thailand, and most other countries in the Far East are far behind Europe, the US, and Canada in getting their vaccination programs going. The exceptions are Singapore, China, and Mongolia. There are probably many reasons for that, but government purchasing strategy will be at the head of the list.

So, the spin seems to be that it is all China's fault that the US, Europe, and India cut off Taiwan's vaccine supply and the Taiwanese government refused to deal with the local distributor of Biontech for domestic political reasons.

Canada was in a similar position to Taiwan earlier this year. The US had cut off vaccine supplies and only a trickle was coming from Europe, India, and South Korea. At one point vaccine supplies from Europe were totally cut off. We could have bought vaccine from Russia or China, but that was unthinkable from a domestic political standpoint. Domestic vaccine production capacity is being built, but it won't be ready until the autumn.

Over the past couple of months however growing quantities have been coming in, and now it's a flood. Things are looking fairly good. I expect the same will be true for Taiwan.

The reason why Canada is in a better position than Taiwan is that Taiwan ordered when they were sure the vaccines were going to work and only as much as they needed. Canada placed big advance orders with cash in advance before it was known whether any of the vaccines would work and we ordered seven times as much as we needed on the assumption that some of those orders would not be able to be delivered.

Most of the world are worse off than Taiwan, with many countries not having received a single dose of vaccine yet.

What will probably happen with respect to the news story is that Foxconn and TSMC are worried about their Taiwanese plants getting shut down, so they want to buy vaccine from Biontech to distribute in Taiwan. Biontech will probably point them to Fosun, Fosun will import it from Biontech and collect their commission while they sell to Foxconn and TSMC, Foxccon and TSMC won't say where they got it from, and everybody will be happy.

Re: Covid profits

AstraZeneca are selling their vaccine at cost during the pandemic, but Pfizer are making billions in profit from selling theirs.

For Pfizer, their COVID-19 vaccine is the majority of their current sales, and they have a high profit margin. They plan on raising prices substantially in future when they are no longer selling directly to national governments but are dealing with health care providers directly, and so can set whatever price they want instead of having to negotiate with big national buyers.

So, if you are planning on targeting a pharmaceutical company, make sure you pick the right one. Some are raking in the cash while others don't have as much financial motivation to pay up.

Re: One Time Pads.

Or just use public key cryptography. It's well known and widely available.

The problem with one time pads is that the key is as long as the message and you have to have a secure means of distributing the OTPs. If you can solve the OTP problem then they're great, but their use is limited by the inherent difficulty of this in most cases.

They key exchange problem and the defeating traffic analysis problems are the big issues with any sort of Internet chat.

Even public key cryptography has a pair of problem. One is doing the initial public key exchange. If someone can man in the middle all the conversations, he can substitute his own sets of keys during the initial exchange and man in the middle all the subsequent conversations. To really be sure, you would need to exchange keys in person with someone you can trust present who can vouch for the identity of each party.

The other problem is the traffic analysis one. It is sometimes more useful to know who is talking to whom than it is to know what they are talking about. Find out who is talking to whom and you can find out what the organizational structure is, which can give you clues as to where to infiltrate it. When the secret police excuse their tapping everyone's conversations on the grounds that "we're only collecting metadata", then they're being disingenuous because the connections between people are what they really want to know anyway, rather than just someone saying "I'll have the thing we talked about to you a day later than the time we agreed".

The whole idea of a special secure chat network dedicated to criminal activity is a bit dubious, and I don't mean from a moral or legal standpoint. I mean as in it is such a massive target for the police to infiltrate, and it is an evidence and criminal intelligence collection machine par excellence, that I can't see how anyone could think they could trust it. I certainly wouldn't.

I suspect the intention is to supply these laptops to developers who can then work on porting, testing, and optimizing software for RISC-V. It's much easier to work on stuff on your own PC than on a server via SSH.

Once they've got those issues sorted out, then they could worry about using the RISC-V CPUs in smart phones, tablets, and embedded devices. Servers, desktops, and commercial laptops could then follow.

I've got a Raspberry Pi 3 and 4 which I use to test software. During lockdown this past winter my PC died and I used the Pi 4 as a desktop temporarily for a day until I could get a new part to fix the PC. Running Ubuntu I found it to be quite usable. A RISC-V chip that could match whatever ARM chip is in the Pi 4 would be viable in a low end laptop, provided they had a comparable graphics chip to go with it.

Re: Apple and GPL

See my comment above. I said that every holder of substantial copyrights can sue. I also said that this is in fact a problem in some cases, as there have been instances where one copyright owner sued when the rest wanted to continue negotiating license compliance.

And the FSF can't sell a proprietary license to Google because the copyright assignment contract commits them to always releasing the code under a license which is similar to the GPL.

The FSF had some fairly good lawyers go over all of this looking for the sort of loopholes you are trying to imagine. They didn't just have some programmer bang out what looked good to him.

Re: Or...

I've done plenty of real time embedded work in interpreted Basic running on an Intel 8052AH 8 bit chip with 32kb of RAM and clocked at around 10 MHz. Loads of other people have done the same. The market for this was big enough that several companies were making dedicated versions of this chip with the Basic interpreter masked into ROM on the chip itself. It's a variant of the 8031, which was a top selling micro-controller CPU/SOC.

All of the major industrial control vendors (Siemens, AB, Schneider, etc.) sold them as modules for their control systems. Numerous single board computer vendors, whose market is entirely focused on embedded, sold them as well.

Loads of major industrial processes and equipment with more dedicated embedded control systems used this as part of their system, or as the complete thing.

Someone who genuinely knew more than a smattering about embedded control and had years of experience in the industry would know all this.

These days I would quite happily use a Raspberry Pi running a Python program in many types of real time embedded applications. People who have genuine experience in a wide range of embedded control applications would know that "real time" actually means "can meet the process deadlines".

And while we're on the topic of interpreted languages in real time applications, I should mention that I've used Python in PC based embedded industrial systems doing real time interaction with robots and measuring equipment.

I'll keep this short, but here's a list of other interpreted language systems that I've used or are familiar with which have seen widespread use in real time industrial control or test and measurement: Python, GWBasic, QBasic, HP Rocky Mountain Basic, UCSD Pascal, and a host of proprietary languages.

And I should add that until very recently most or all of the PLCs used to control factories around the world used interpreters.

I would suggest that you wind your neck in on this topic.

Re: Hardware dongles?

The main problem with the few CAPTCHAS that I see is that they tend to be ambiguous street scenes from American suburbia. If you happen to live in American suburbs, like say the sort of people at US tech companies do, then they may make sense.

If you're not an American living in an American suburb, then you end up having to ask yourself "how would an American answer this question?" based on what you know about the US from American movies.

What they need is less ambiguous CAPTCHAS, but I suspect they are afraid that people will then use image recognition and AI to solve them.

Not that I think the Cloudflare proposal is a better solution. In fact I think it's worse.

Re: python to the rescue

It's perhaps fortunate then that Python was created by a PhD mathematician. It uses Karatsuba arithmetic, which has been around since the early 1960s.

Python is also the only language that I am familiar with that does modulo operations in the mathematically correct manner in all cases. Every other language that I have tested (as well as spreadsheets) will produce mathematically incorrect answers under some circumstances because it was "faster" (because the CPUs produce incorrect answers). Python's creator insisted on mathematical correctness over performance in that case, so I'm pretty sure he did the same with other integer operations.

As a typical example, the sum of a large integer array in pure C is roughly 7 times faster than in Python (the exact amount in C will vary by integer size and type). In Python however the sum will never overflow while with C you are pretty much guaranteed to have an integer overflow even with a relatively "small" array.

You can do integer operations in Python without ever having to check for overflow. In typical languages using native integers people don't often check for overflows either, but then we get constant security notices about vulnerabilities due to unchecked integer overflows.

I can pretty much guaranty that the majority of programmers don't even know how to check for integer overflow correctly. There are many corner cases that will vary depending on operation and integer type. Several years ago I had reason to find all the integer overflow cases for all the integer types and operations, and I could not find a comprehensive single source for this. Not that it matters of course, since as I said the average programmer never checks anyway.

If you really need maximum numerical performance in Python, then you are almost certainly using a numerical library anyway, the most common ones are written in C or Fortran and operate on native integers or floating point numbers in native arrays. The libraries can take care of the details.

If however you just need to add two numbers together, then just do it in Python and you can be assured that the result will never overflow without you having to add multiple lines of code around each operation to prevent it. If you are just adding a couple of numbers the performance overhead is insignificant in practical terms.

With Python, pragmatism is the preferred course of action.

Re: C and then some

The main driving force behind adding optional type hints into Python has nothing to do with compilers. It's there strictly because people flogging IDEs want it so their static analysis algorithms in their IDEs can work better at code completion. The original "unofficial" version was ported in from an IDE by the maker (I can't remember which one), and the current "official" one was created to get rid of that one with something better. I was a case of "well if you're going to do it anyway we might as well make sure that it gets done properly".

Cython have their own type declaration system, but it's oriented just towards giving the C compiler more information. It isn't part of the Python language itself though, and Cython isn't backwards compatible with Python. This is why you add the type declarations as part of the final optimization process after you are satisfied your Cython program is working correctly.

Personally I do however think that the Cython approach is the one most likely to produce the greatest performance improvements, although I wouldn't do it exactly the way they did. The main issue with performance is actually related to how dynamic the language is. This requires constant run time type checking and all the baggage that goes with that. It lets you do things in far fewer lines of code than most other languages, but it comes at a price. If you could selectively sacrifice some dynamic features on a method by method basis to automatically generate C extensions then you could have the best of both worlds. There are some third party add-ins such as Numba which do this for numerical processing, but I think that much better could be done if it were part of the language.

Re: Not uncommon

Yes, well you'll notice that McDowell's statement was qualified as "above 10 tonnes". Europe was intentionally dumping spent 8 ton rockets into the general area of Canada and Greenland, including roughly a ton of highly toxic hydrazine into the atmosphere as recently as 4 years ago, and may still be doing it for all I know. Protests from Canada to Europe were met with a "do I look like I give a ****?"

Perhaps when he presented his "brilliant new plan" to the board one of them asked him "WTF? Are you on drugs or something?", to which he answered "why yes I am, how did you guess?"

Re: What ?

The only large scale reactors that have actually been built that can use thorium that I am aware of are heavy water moderated ones. Reactors of this sort are used around the world as major power producers. The main attraction of these reactors is that they can use natural uranium, and so countries can have a secure fuel supply without needing a uranium enrichment plant. Their very high neutron efficiency theoretically allows them to use thorium as fuel, but all currently use uranium fuel, as uranium is cheap enough that it isn't worth the bother to use thorium.

Canada is the leader in this field, and most of these types of reactors are based on Canadian technology. This has included experimental work on thorium fuel. India however have done the most work on using thorium fuel, as their thorium reserves are much larger than their uranium reserves and so they have the most interest in this.

There are other theoretical reactor designs which might use thorium, but so far as I am aware none have actually been built and demonstrated.

Iran are considering building heavy water reactors. However, these are precisely the type of reactors that the US are the most upset over. So, I don't think that this is the sort of solution you imagine it to be.

Precisely, that is exactly the issue. The problem is that a lot of developers are writing for mobile first, with desktop as a secondary target. Ubuntu are bowing to the reality that if they want to get more application developers to port their apps to Linux then they need to offer development tools that those developers are familiar with on phones and tablets rather than expect them to learn all new ones for desktop.

Right now a lot of cross-platform stuff is being written in things like Electron, which is rather sub-optimal to say the least. Flutter sounds better than Electron, although I haven't tried it yet.

Ubuntu have been writing a new installer using Flutter to replace the two separate ones they use for Server and Desktop. They will do the same for some of their other system management GUI tools.

I plan on giving it a try some time soon before passing actual judgment on it.

Re: Sanctions are messy, politics is worse.

The question of "double criminality" (whether there would have been a crime under Canadian law) was apparently always the weakest defence, even if that wasn't obvious to someone not familiar with how this works. The US framed the extradition request as "fraud" specifically to get around the issue of Canada not having sanctions in place (as we didn't pull out of the agreement with Europe like the US did).

At one point the judge basically just asked the crown (who are handling the extradition request from the US) whether he would prosecute this case as fraud, to which we shouldn't be surprised to hear that he said "yes".

Not an awful lot of thought seemed to go into it by the judge, and of course the Canadian court isn't concerned with the issue of whether any fraud actually occurred, just that "fraud" is a crime in Canada. The issue of whether Meng broke any US sanctions or whether she committed any fraud in doing simply isn't an issue that the court will have any interest in.

This is why her defence rests on procedural issues, as these are the only issues the court may have any actual interest in. This is why her strongest defences are whether there was abuse of process through the US providing false or misleading information to Canada or whether Canadian police and immigration abused their powers when questioning her and if they illegally handed information over to the US.

Re: Ronacher's Rant

I normally apt install the packages that I use, including libraries. The distro maintainer takes care of ensuring that dependencies are consistent.

This way I don't have to manually keep track of which version of which third party library had an unpatched security bug which the author couldn't be bothered to fix because he fixed it in another release three versions later. Once you start doing your own mix-and-match of different library versions you take a huge security testing and maintenance burden upon yourself which few developers have the resources to do properly.

I do use projects that I pipped from Pypi and I have projects on Pypi, but when I use libraries from there I am very selective about which ones I use, and only use them when I have assured myself that they aren't in the distro repository.

Bloomberg were laughed at throughout the technical press in 2018, even if the general media took them at face value. The one person they were willing to cite as a "source" was interviewed by a security podcast and said that he didn't find Bloomberg's claims credible and that they had misrepresented what he had said. They were pretty comprehensively discredited back then, at least among the segment of the audience who would form Supermicro's customer base. There wasn't a lot of reason for Supermicro to sue then.

Since 2018 not a single solid piece of evidence has emerged to support Bloomberg's claims. Back in 2018 Bloomberg relied on second hand information from various unnamed officials in Washington and their one named source said he had been misrepresented and that he didn't believe Bloomberg's story.

This time their story is once again various unnamed officials in Washington, and their one named source just turns out to be someone who heard the same second hand story they did. In other words, it's just 2018 all over again with even less evidence this time.

Where's all these Supermicro boards that have hidden chips in them? If they're out there and been discovered, why aren't we hearing any first hand reports? If the US really had any of these boards they would be holding the biggest IT security press event of the decade with one, rather than feeding stories anonymously to compliant reporters. They're not shy about showing off Russian rootkits to the public, so where's the evidence in this case?

I'll believe it when I actually see some credible evidence in the hands of a neutral party who has a convincing chain of custody for it. Until then, I'll just put it down as Bloomberg being their usual less than credible selves again.

Re: Nothing to hide

Tying it together with the reports of court proceedings in Canada, Meng's lawyers are arguing that the US government presented false, misleading, and incomplete evidence with regards to Meng's dealings with HSBC, but HSBC are required by the US to obey their orders (they are under a "cooperation" order from the US).

The US case revolves entirely around whether HSBC was aware of the full nature of Huawei's relationship with Skycom. If they were, then any US complaints have to be directed to HSBC. If they weren't, then this is what the fraud claim is based on.

The problem for the US case is that one of the important elements of their case is that they claimed that only junior HSBC employees were aware of Huawei's relationship with Skycom. Legal discovery in Vancouver has shown that these supposedly "junior employees" held the position of VP at HSBC.

The US also presented copies to the court of Meng's Powerpoint presentation with critical bits which might absolve her edited out. Some might call this tampering with evidence, but not being a lawyer I won't speculate on that.

What Meng's lawyers appear to be trying to do in this case is get their hands on original copies of HSBC's own documents relating to this before the US applied their creative writing skills to them.

I suppose that if it turns out that if the extradition case gets tossed out in Vancouver then the US may take out their frustration on HSBC, so the bank may have something lo lose in this after all.

One of the key witnesses in the Canadian police or customs (I can't recall which) engaged in Meng's arrest is currently hiding out in Macau, has hired his own lawyer, and is refusing to testify in the case. This certainly caused a few eyebrows to be raised among people that I know. I supposed it's rather odd that he feels safer in Macau than in Vancouver, but there have been quite a few odd things about all this.

Recent speculation in Canada has been that Ottawa may get Washington to agree to drop charges against Meng personally and to charge Huawei as a corporation instead in return for considerations on other bilateral diplomatic issues (oil, climate change, electricity, or something else that Biden wants from Canada). That way Canada can escape from being a pawn in a fight which has nothing to do with it.

There's a saying that goes along the lines of "when two elephants fight, the grass gets trampled". We'll have to see how this all goes I suppose.

Why do you think that Microsoft bought LinkedIn for $26 billion if it wasn't to mine your information and used it to sell products and services to you? The same goes for buying Github for $7.5 billion. Combine this with MS Azure and it gives them a huge amount of data about you which they then link together to find all the connections which you thought you had kept isolated.

The whole point of social media is to mine your personal information, link together data from multiple sources, and use this to target you for sales and marketing efforts. If that sort of thing doesn't appeal to someone, then they shouldn't have Facebook, LinkedIn, or Twitter accounts.

Re: Wow

Ubuntu already have live kernel patching. They call it "Livepatch". When you install Ubuntu they ask you if you want to enable it. I never have because I don't see a personal need for it.

I don't think they have it for the Raspberry Pi yet however.

Re: They still don't get the issue with "stream"

I have an open source project which I test on about a dozen different distros, including a couple of BSD variants. I have a fully automated test system which cycles through all the supported platforms. When I make a new release I then give a list of platforms which it was tested on, including which version.

One of those distros is Centos. If Centos Stream is just a rolling release then there's not much point in testing on it, as I can't then say that a specific version is tested and supported.

I have no intention of signing up for a developer account as I have no desire to jump through their hoops and become one of their minions just so I can do free work for them.

I'll keep the current Centos VM in the test system so long as it remains relevant, but once it gets too old compared to their current Red Hat release however, then I'll just drop it. As someone running an open source project, It's really not worth the effort to support a distro that anyone puts hurdles in front of.

Re: The recent court procedings have been rather interesting.

I wouldn't jump to any conclusions about the outcome at this point. The legal standard for extradition seems to be much lower than for an actual criminal case, so the judge could decide to ignore issues that might cause the case to be thrown out in a criminal trial and sweep any police misdeeds under the carpet.

None the less, the American party requesting the extradition do not have reason to believe that everything is going their way on this.

Redis does a lot more than just act as a key-value store. There are numerous instructions for sorting, filtering, and manipulating data. There are message queues, sets, publish/subscribe channels, and even a built in Lua interpreter to run scripts.

If you are looking into using it for anything, it's worth reading the full documentation to find out all it can do. I'm working on a project which uses it, and I'm not aware of anything else that is similar.

Ruby has declined because it's main use was with the Rails web framework. As web applications have evolved and changed how they interact with servers and browsers, Rails has fallen out of favour and Ruby has fallen with it.

Python has a very broad range of uses and so is not dependent upon any particular one framework or application.