* Posts by doublelayer

10571 publicly visible posts • joined 22 Feb 2018

Richard Stallman says he has returned to the Free Software Foundation board of directors and won't be resigning again

doublelayer Silver badge

It does take a lot of resources to actually create the software. Writing code which functions takes time. Making that code not crash takes time. Creating the resources which most nontrivial code uses takes time. And not only time, but also a lot of specialized resources like programmer knowledge, equipment, attention to detail, etc. Copying may be cheap, but that does not make the rest of it free. It is not. I'll grant that the car analogy is not perfect, but then little is. I'd try a book analogy, but some people also think those should be entirely free whether the author wants to do that or not, so it isn't as illustrative.

There are people out there who hate GPL with a passion. They have often taken the argument that licensing code under the GPL is violating their rights because it doesn't let them use it in proprietary software. I am very annoyed with those people. However, there are people who make similar arguments about anything not licensed under the GPL, including proprietary and permissive. They are wrong too. It is an issue of choice. What they have to realize is that copyleft is based on copyright, just like proprietary is. The reason GPL has the freedoms of GPL is that copyright law makes it happen.

doublelayer Silver badge

Re: It's FLOSS btw

This argument is nice, but it doesn't always work. If you write code and make it copyleft, I'm happy because yay, free code. If you build a car and give that away too, yay, free car. This is not a moral imperative though. It's just a nice thing to do. I write code and release it for free (variety of licenses, but I have written GPL3 stuff because I want the license terms to apply). When I do, I understand that I'm not going to get money for the work unless I'm very lucky. It is also my right to create software which I don't release so freely as long as I don't use others' GPLed code to do it.

If someone writes some code, not using any copyleft components, and doesn't give that code to everyone but instead sells it, that's not an immoral act. Acting like it is is weird and is exactly the kind of thing that makes the original poster not want to take you into a meeting. Not having access to the code may be a sufficient reason not to use it. That's your choice, not an ethical certainty. Sadly, we don't always live in a world where code written from pure altruism is available or superior to proprietary code written for profit, which means that people who either don't care about or don't understand the license wars may choose the proprietary option.

doublelayer Silver badge

I read the comment as giving Stallman credit for the Linux kernel. Now that I'm reading it again, it could be that or they could be correctly setting it apart and giving Stallman credit for the rest. I'm not sure which it is. If it's the latter, then my original critique is incorrect.

If it is the latter, it's unfair to lots of people who are not the FSF. This is the problem I have with those who are intent on calling Linux GNU/Linux. Yes, GNU deserves credit for lots of nice code they've written, but by including them in the name as some demand, it does two things that I see as harmful. The first is that it implies that GNU code is required for a Linux system that respects user freedoms. This is not true. Almost all the most popular and required GNU programs have non-GNU alternatives. There are alternatives for libc, GCC, the core utils, and quite a few other things.

The second problem is that plenty of other projects deserve some credit and don't get it when GNU and Linux are listed as if they're the most important. Most running Linux installations, desktop or server, have lots of software written by people who are neither the Linux foundation nor GNU. If the name of the system has to list all the important players, then it will be a very long name. KDE/Mozilla/Python/TDF/ApacheFoundation/Apple*/GNU/RedHat/Linux describes a basic desktop distro before the user installs anything, and there are undoubtedly plenty of others who deserve membership in the list but I stopped listing them. Not that it diminishes the real contributions made by the GNU project and the FSF, but such statements are often a lot more limited than they should be for honesty.

*Apple, in the Linux company list? Yes. Several important components rely on Apple-maintained components. They include CUPS for printing, OpenCL, LLVM and Clang, etc. One could list each project by its independent name, but so the name fits in this comment box, I'm recommending we don't just glob together all the installed package names.

doublelayer Silver badge

"I think Stallman ought to be recognised for his tremendous contribution to FOSS (as Linux is much more than just a kernel),"

Sorry in advance for the pedantry, but this is the wrong way round. Stallman didn't write Linux at all, and the people who did are not associated with the FSF or GNU. What those projects created are a lot of the utilities that go around the kernel. This has led to arguments between the two projects, for example Linux sticking with GPL version 2 only while the FSF is intent that version 3 is much better. Also, insert the Linux versus GNU/Linux argument here.

Chairman, CEO of Nominet ousted as member rebellion drives .uk registry back to non-commercial roots

doublelayer Silver badge

Re: Looking for a new registrar

If you want a registrar that supported it for a while, the publicbenefit.uk homepage lists the supporters. The largest ones who supported for a while are Gandi, 20I, Coherent, Crystal, and ANY-Web. Two even larger ones, TUCOWS and Namecheap, also voted in support but made up their minds later. There are about 480 other supporting members available. I have only listed those managing over 30K .uk domains. There is plenty of competition available while allowing you to stick with companies supporting the motion.

John Cleese ‘has a bridge to sell you’, suggests $69,346,250.50 price to top Beeple's virtual art record

doublelayer Silver badge

Re: We have lots of non-fungible tokens

No, they can't. If you buy an NFT, you get a copy with a digital signature which is signed by a couple of keys including one you have. So you can authorize a transfer if you want to and you can prove that you have the key and others don't have it. But you can also just chop off the digital signature and send the part of the file you can look at out to anyone you like and they can't tell who sent it or who received it.

What could be worse than killing a golden goose? Killing someone else's golden goose

doublelayer Silver badge

Re: "Things were purposefully not documented"

It's pretty clear those things don't apply. Nothing went "contrary to internal procedures". The other person wasn't annoyed because it should have gone through a meeting. They were annoyed because they deliberately created the mistake. In literally every scenario, your objections do not apply. Here are some likely options:

The change didn't go through procedures and the creator didn't do anything deliberately: Have it reversed then go through procedures. That didn't happen. This scenario isn't right.

The change didn't go through procedures and the creator was trying to hide their mistake: Don't complain about the change and nobody finds out who made the mistake. That didn't happen.

The change didn't go through procedures and the creator was annoyed enough about someone not following procedure that they wanted to fire that person: Discipline them for not following procedures. That didn't happen.

No, this was clearly malpractice and there's no reason for it. The senior developer should have been fired for it following the procedure to figure out who knew about the code and why they didn't do something about it.

Encrypted phones biz Sky Global shuts up shop after CEO indictment, police raids on users in Europe

doublelayer Silver badge

Re: "paint encrypted mobile phone services as something used exclusively by criminals"

You have now proven my point. The indictment linked is entirely about complicity with criminal clients. What did I say about that option? I called it "plausibly true".

My complaints are about application of export law which doesn't apply outside the U.S. Is that in the indictment? No, it's not. Is it in the Dutch or Belgian reports? No, it's not. Why not? Because it does not apply. The lawyers and I agree on what charges are valid. We also agree on what's plausible. To prove it true instead of just plausible, they'll need more proof than I've seen. They probably have it. That's their job.

They are likely correct. You ... are not. They are focusing on a crime which they will have to prove. You're attacking cryptography on fallacious arguments and incorrect application of limited legislation.

doublelayer Silver badge

Re: "paint encrypted mobile phone services as something used exclusively by criminals"

You are wrong several times. Let's start with the obvious one:

"The culpability in this case is two-fold: (a) he sold strong encryption to drug dealers for the purpose of evading detection while committing a crime and (b) in the process of committing (a) he violated ITAR and US Export Control regulations."

A is covered in my original comment, short version is "more proof than that needed". For B, no, he did not violate U.S. export controls. He and his company are Canadian. The exports happened from Canada. U.S. export controls only apply to people exporting stuff from the U.S. Same with ITAR. It's a U.S. law and applies only to the U.S. Other countries have similar legislation, at times structured to be compatible, but it's not ITAR. Canada has export control legislation. Calling it ITAR and alleging that U.S. export regulations apply to Canadians makes it clear you do not understand how those laws work.

Now let's consider Canada's legislation. Actually, it's best we don't, because Canada hasn't charged anybody with breaking its export legislation, and they are the ones who would have to. But let's consider it anyway. In the list of controlled items, it originally seems somewhat damning since symmetric cryptography which works is prohibited (limit of 56 bit keys). However, there are long lists of exceptions. One of them looks like this:

"e. Portable or mobile radiotelephones and similar client wireless devices for civil use, that implement only published or commercial cryptographic standards (except for anti piracy functions, which may be non-published) and also meet the provisions of paragraphs a.2. to a.4. of the Cryptography Note (Note 3 in Category 5 - Part 2), that have been customised for a specific civil industry application with features that do not affect the cryptographic functionality of these original non-customised devices;"

Well, the phones themselves are mass-market with hardware modifications unrelated to the cryptography. So as long as they use public algorithms, they count under this exception. Public algorithms include AES and RSA. So now, if Canada wants to charge him, they will have to identify the encryption in use. I'm guessing it's likely to be a public one, in which case they have already allowed it.

Also see this FAQ about cryptography exports. It's useful in determining what is allowed and what is not.

By the way, you'll find that no charges for breaking export controls, whether Canadian or U.S., have been filed. That's because the lawyers understand what is illegal and what isn't. They are hinging their entire case on point A, and point A is quite plausibly true. Still, it needs more proof than you have.

doublelayer Silver badge

Re: "paint encrypted mobile phone services as something used exclusively by criminals"

Well, they can both be used to commit a crime. A car lets a criminal get to or away from a crime scene a lot faster or you can kill someone with it. For the same reason, encryption can be used to hide information about your crime. Both can be put to nefarious use. They are also similar because both are heavily used by others for entirely legitimate purposes.

The important detail is whether the operators of the encrypted communication company knew their products were being sold to criminals. The wording there is important. It's not enough that the equipment was being used by criminals; car companies know that criminals will use cars and ISPs know that people will send malicious packets. The business has to know that they're interacting with a criminal for them to share culpability. Again, the wording is important. If they went to strange steps not to know their customers because they knew they would be criminals, then they knew and the circling around doesn't help them. If they actually thought the products were being used by normal businesses which would have a reason to want secure communications, they aren't culpable. This is the reason the trials of these companies have to be based on specific evidence from each company. There have been many companies deliberately aiding criminals and this might be one of them, but that has to be proven and just saying "they provide useful stuff that criminals used" isn't enough.

Staff and students at Victoria University of Wellington learn the most important lesson of all: Keep your files backed up

doublelayer Silver badge

Re: No....not 3.....but 4......

You have to test and check. Verify that, when it says everything, it's actually everything. That catches you if you misconfigured it once or it didn't back up a file because it wasn't unavailable. Verify that, when you restore, it actually restores. That catches you against a corrupted file that broke something. Verify that, when you want to restore and you don't have stuff, you can. That catches you in the case that the software needed for restoring is unavailable or doesn't work, for example it requires a network connection, license key, or dependency which you didn't have before but now will. This is part of using proper software in a proper way.

What could possibly go wrong? Sublet your home broadband to strangers who totally won't commit crimes

doublelayer Silver badge

Re: Sounds “interesting”

I didn't have that because I was using my own equipment and not about to change it. Also, that's limited to customers of that ISP, which I didn't want to do. Basically, I anticipated that my neighbors could use it if their connection broke but mine didn't. Or someone else who was in the area and needed to connect. I also doubt there'd be that much risk of abuse since it would only be available relatively close to the access point, but I decided that if things did go wrong, they would go horribly wrong and I didn't like that idea. I mentioned to a neighbor that they could have the password if ever it became useful and gave up on the rest of the idea.

doublelayer Silver badge

Re: Sounds “interesting”

"I once knew someone who left their wifi completely open (was a few years ago) so anyone could access it. Now I don’t know why unless he planned on hacking everyone who connected...."

I once considered doing that basically as a service. I already had a guest network set up which couldn't see my normal network, had bandwidth limits, and could support automatic cutoffs if I wanted them. I was thinking that I had a reasonable connection rate, never got near a bandwidth where they'd reduce my speeds, and therefore wouldn't mind letting others in WiFi range use it if they needed to move some data. Then I considered what would happen if the police showed up for information on a user, which I wouldn't have, and decided that my technical knowledge meant the lack of logs proved I was erasing them. So I didn't. Still, my idea to do it was basically altruistic.

Trail of Bits security peeps emit tool to weaponize Python's insecure pickle files to hopefully now get everyone's attention

doublelayer Silver badge

Re: A fly in an ice cube in a microwave.

It usually comes down to laziness. There's probably harmless laziness, like using pickle to automatically serialize something because you don't want to write the thing which converts it to XML or JSON or something. Then there's harmful laziness, where people pickle code just because that makes it easier to import without giving people the actual code.

What people receiving such models should keep in mind is that they're getting binaries, and those binaries should be treated with the same mistrust as a more typical one. If you wouldn't run an executable from these people, maybe don't run their different-format executable just because it takes a few more steps to execute.

doublelayer Silver badge

Re: pwned by default

Not exactly. Just unpickling one can't run code. It can produce an object that is runnable. It should be treated like anything that can be executed, but not like something which automatically executes. It's one level below a document which can run data just by opening it.

doublelayer Silver badge

I'm not seeing it in the article. It runs in a sandbox, perhaps though I'm guessing, but the problem with malicious code is that it's run in the first place. It's not hard to put untrusted pickles in a sandbox, but if you don't or they can do whatever they want to do from in there, it hasn't fixed anything. The best way to handle this is to create a restricted language which can be serialized and runs only in an interpreter which has no OS access. It only does math and has no hooks elsewhere. That would work, but nobody would end up using it because people who so far don't have any problem unpickling random things and running them aren't going to go to extra effort for provable security, especially if it means not using one of the libraries they're used to.

doublelayer Silver badge

Re: pwned by default

This is correct. Pickles are just serialized objects. And that means basically any object. If you pickle a function, then it unpickles into runnable code. If you're not careful what you do with it, you could run it. For ML models, this can end up being the intent; you just load your preprocessor, run it, then run the model. If the attacker submits a preprocessor function which does other things, you don't know what it's going to do and should protect yourself or not run it at all. The same issue occurs everywhere where you can serialize something which can execute. Unless you're careful about using it later, you could end up executing something malicious.
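An added illustration for the pickle comments above (not part of the original posts, and not the Trail of Bits tool): one way to treat a received pickle like an untrusted binary is to list the globals it references before loading it, then load it only through an allow-listing unpickler. The names `scan_pickle`, `AllowListUnpickler` and `safe_loads` are hypothetical, and the two sample pickles are constructed here.

```python
import io
import pickle
import pickletools
import statistics

# Opcodes whose argument is a string pushed onto the unpickler's stack.
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def scan_pickle(data):
    """Return the (module, name) globals a pickle stream refers to, without loading it.

    Triage heuristic only: STACK_GLOBAL takes its two names from the stack,
    so we approximate with the last two strings pushed. Enforcement is done
    by AllowListUnpickler below, not by this scan.
    """
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPS:
            strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            module, _, name = arg.partition(" ")  # arg is "module name"
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            pair = tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?")
            found.append(pair)
    return found


class AllowListUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not explicitly allowed."""

    def __init__(self, file, allowed):
        super().__init__(file)
        self._allowed = frozenset(allowed)

    def find_class(self, module, name):
        # Every class or function lookup made while loading passes through here.
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data, allowed=()):
    """Load a pickle; with the default empty allow list only plain data loads."""
    return AllowListUnpickler(io.BytesIO(data), allowed).load()


# Constructed samples: a data-only pickle, and a "model bundle" that carries a
# reference to a preprocessor function (statistics.mean stands in for it).
PLAIN = pickle.dumps({"weights": [0.1, 0.2]})
BUNDLE = pickle.dumps({"preprocess": statistics.mean, "weights": [0.1, 0.2]})

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("bundle", BUNDLE)):
        print(label, "references:", scan_pickle(blob))
        try:
            print(label, "loaded:", safe_loads(blob))
        except pickle.UnpicklingError as exc:
            print(label, "refused:", exc)
```

Passing `allowed={("statistics", "mean")}` to `safe_loads` admits the bundle once that one function has been reviewed; anything else it references is still refused.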

What happens when your massive text-generating neural net starts spitting out people's phone numbers? If you're OpenAI, you create a filter

doublelayer Silver badge

Re: So much for "AI"

The problem is that a random number generator can produce valid or invalid numbers and, even if it produced a valid number, it has no idea what it is for. This has collected a bunch of real numbers and starts handing them out. Admittedly, it's not malicious about doing it, because it just hands out real numbers whenever they're tangentially connected, but it's not just random strings of digits which happen to be callable. If I run a random number generator to produce a number that looks like a credit card number, the chances are incredibly high that it will not work. If I collect real credit card numbers, the chances that at least one of them will work is significant. That is the important difference.

doublelayer Silver badge

Re: A little idea

I did read that. I didn't care. It needs to read real phone numbers to learn what a phone number's like? Two solutions. First, replace all phone numbers with a tag indicating it's a phone number, but without the content. If you're afraid that your code is so bad that it will read a single [phone_number] over and over and weight it too heavily, append a random number so it will see them as different. Second option: don't bother. Why does the AI need to know about phone numbers? It shouldn't be printing them. Phone numbers should only be printed if they go to people who are supposed to be contacted, which means they should be provided manually. Otherwise, it's actually doing a worse job at its task because it is including not just information which is irrelevant, but information which is actively wrong. I think those are reasonable options for handling the phone number problem.

doublelayer Silver badge

A little idea

In case OpenAI is listening, I have had a brainwave that might be a little handy. Your engineers are busy writing some software to scan output for phone numbers? Then the software will remove that output so people don't see it? I think it might work pretty well if you reversed this process and applied that filter to, you know, the input. So the big blob doesn't have phone numbers in it. That way, it would only generate numbers by randomly adding digits, which is much less likely to be a valid number and wouldn't be able to associate it with other information. In fact, while we're having brainwaves, maybe it's not so useful to give it the option to randomly spit out digits; we already have random number generators thank you, and they only give us numbers when asked.

Any chance OpenAI is looking for a chief sanity officer? I'd apply as long as they don't prevent me from working another job simultaneously. I think I might need a backup job when the data protection authorities come along.

Apple accused of unfairly banishing Watch keyboard app for the visually impaired from its software souk

doublelayer Silver badge

Re: Apple aren't one for banishing people only to pick them up later at a discount

Some of your points are characteristic of Apple, but others, while logical, aren't necessarily used.

"I'd guess that most countries have at least some legal impediments around driving the value of a potential acquisition into the ground; if nothing else, there's a definite overlap with the kind of predatory behaviour which anti-monopoly laws are meant to address."

It is not clear. Using a monopoly decision to do that is illegal. But there are many other methods which are not illegal. There is a certain amount of activity which gets dismissed as "bargaining well for a better price" and therefore accepted. In this particular case, the app team have a reasonably good case because Apple abused its monopoly position, but that would work as well if Apple didn't want to acquire them. I.E. it's only Apple's App Store monopoly which makes that happen rather than another law.

"The first is that if the acquisition has value to you, then it presumably has value to other people/companies. So if you do drive the price down, the odds are good that someone else will step in and buy it at a higher price."

Good point, although it doesn't apply much for this example. The app in question works on phones and watches, but there are lots of keyboards for phones. The IP in question is for their watch app, as their phone app is still permitted on the App Store. There are only three smartwatch platforms with enough functionality to make use of a keyboard with the multitouch and processing requirement of this keyboard. Apple is by far the largest. Samsung's platform is believed to be dying. So the only other purchaser is Google, whose platform is also not in great health. Given that Apple has the most users and that the app doesn't run on Android at this stage, they're by far the most likely to buy it.

"Another point is that by driving the value down, there's a risk that you'll lose the things which made the acquisition valuable. E.g. the target may sell off some of their assets to stay solvent, or lay off people with the domain knowledge needed to make the acquisition valuable."

Again, not a bad point but it doesn't apply in this case. The tech is a single application, although some of its functionality is open source released by another developer. The staff is two people. Not all that much they can do except try or give up.

"And if it becomes known that you're responsible for driving down the value, then people may choose to leave the target of their own accord rather than working for you."

I doubt that's a factor for most acquisitions. Apple can hire new developers to understand and develop a codebase. What they need most is the code that already works and the rights to any patents involved. It's a bigger problem when there are lots of people and the acquirer wants to keep that running, but for something IP-based like this, not as much.

Your final point about PR problems is good and applies.

'Business folk often don't understand what developers do...' Twilio boss on the chasm that holds companies back

doublelayer Silver badge

Re: Bottom line.

It's not humanities which are at the root of the problem, and I see no comments which suggest it is. Check most people who manage without understanding. They're often not humanities people. Nor is management necessarily a problem. They have a role to play which is important, and without them, there is more chaos. What is the problem is that management is more often able to exceed their role and cause issues because they have more power.

I posted on this topic a while ago. I noted there that it's not just engineering that needs this consultation. The discussion here has mostly been about engineering since A) most of us are engineering people (software included, please let's skip the linguistic discussion this time) and B) the article was about engineering. The general sentiment applies to any work where there is someone making the product and someone managing them. That product may be a technical one requiring hard science, or a legal one requiring lawyers (a lot of whom are humanities people), or an artistic one, or literally anything. The problems and suggestions apply equally well to them all.

doublelayer Silver badge

Re: Bottom line.

In general, developers know what is possible better than do the marketing and management sides. Not always, but when the product is technical, yes. For the same reason, if your product was carpentry, you might want to include the people who know whether something's feasible or easy to build when deciding what products to advertise or which contracts to use. If your product had legal consequences, you might want to have the lawyers review what you were planning before you publicize it. The expertise in actually building the thing needs to be consulted before making management decisions, with the management responsible for coordinating actions afterward.

Take a program someone suggested I write a while ago. They had seen that passwords were a problem, both simple-to-guess ones and reused ones. They thought it would be a great idea to write a program which could go through a network, check the passwords in use for strength, verify that they weren't reused on other services, etc. They thought this was a relatively easy thing to do and they could sell it to lots of places if we could just write it up quickly. Since I was interested in security and could write code, how would I like to be the lead [only] developer on the project? Fortunately, they hadn't already marketed this, because they found it a little disheartening when I described how salting and hashing meant it was basically impossible to do the first thing on any proper system, that salting and hashing were more important fixes than verification on any improper system, and that checking against other services would be at best a profound breach of privacy. If they had tried to promise things before, they would have been stuck with a promise to produce an impossible project.

UBports community delivers 'second-largest release of Ubuntu Touch ever'

doublelayer Silver badge

Re: Why not fork Android + make it a shell

Primarily, because they want a more controllable thing. If they fork Android, they can do a port without changing much, like the various semipopular custom distributions, which wouldn't make you happy since the Android UI hasn't been changed. That is the option which keeps most app compatibility, but you have to live with Android's UI.

Or they could do what you ask, keep some of Android, but do a bunch of work to make the UI different. Result: some Android apps wouldn't work because the UI's too different, so now they have to do extra work to emulate the old structure so things aren't broken. In the meantime, they have to work with other problems in Android which they might want to fix. For example, Android's handling of external storage devices which isn't the clearest or easiest to manage. People who are used to the old Android interface may not recognize this one either, meaning more complaints about how they don't like the UI choices made. Meanwhile, Google keeps developing new Android things and, if this fork is to stay up to date, the devs have to keep backporting the Google updates which are important. That's a full-time job for several developers even when few changes have been made; doing it with a very different fork is intensive.

For people willing to do some of this work, they're probably not that happy with half-measures. If you're going to change a lot of things in Android, why not give a full Linux-style interface a go? If you want to solve Android's storage thing, you could do a bunch of work on Android itself or just run more typical Linux userland software which already knows how to manage that. This also lets you develop things without having to worry about Google changing Android in such a way that it's hard to integrate again.

Alibaba Cloud quietly tests desktops-as-a-service

doublelayer Silver badge

Re: Two whole gigabytes?

The point is that, to use these, you already have to pay the electricity for most of the parts. All the peripherals including the displays, but also something capable of doing the computing work of establishing the connection and driving the peripherals. That's likely to be a full computer capable of working locally. If it is, it probably has specs superior to the lower tier of possible VMs just on its own. So you could pay for the electricity to run it yourself or you could pay for the electricity to run it and also for a remote VM which is no more powerful than it.

Google fails to neutralize lawsuit that complains Chrome's incognito mode isn't very private at all

doublelayer Silver badge

Re: when the win finally comes.....

Probably not. They'll likely try to buy off the people bringing the suit. If they succeed, that moves anything down a year at least. Let's assume either this one or another one wins against them. What will happen then is they will update the terms of service to include a bit of new legalese and continue as normal. Like what happened with GDPR. They're clearly collecting stuff and they're not in compliance, but the various data protection authorities aren't doing anything. Unless somebody actually brings out a big fine, they won't do anything. The fines from small or class-action lawsuits are not sufficient for the purpose because the lawsuits are always run by lawyers who want a payoff rather than to see change.

US govt indicted me because I make privacy tools, says crypto-chat app CEO accused of helping drug smugglers

doublelayer Silver badge

Re: So tomorrow Signal, Telegram?

"Does WhatsApp use strong encryption? By strong encryption I mean the US Government's definition of strong encryption. Not yours."

Yes.

"Is WhatsApp purposely designed with intent of evading detection of criminal activity by a US Law Enforcement Agency?"

No. Is Signal? No. Was this? Hard to tell, but they'd need to prove it, you know. You can't just say "Criminals use it, therefore it was designed for them." You actually have to prove a statement like that.

'No' does not mean 'yes'... unless you are a scriptwriter for software user interfaces

doublelayer Silver badge

Re: Modals

Of course, but that's just failing to do the UI work. If they left out the save button, I'd have a similar problem. Bugs will break stuff until they're fixed. Meanwhile, it's not hard to test modals to make sure that's not been missed.

doublelayer Silver badge

Re: Yes/No/Cancel

"Better still would be to ban modal dialogs outright, and force designers to come up with a UI that doesn’t need them to interrupt you to ask stupid questions in the first place…"

Please no. What you get when you do that too much is a bunch of important questions or information hidden away. Modals are really useful in the case of warnings. I was using a new program recently and ran the export function. Fortunately, I got a modal informing me that, unless the program was mistaken, I was about to export a project file which contained several subregions that hadn't been attached anywhere, so basically I'd get a mostly blank result. Did I really want that? If modals were forbidden, where would that information show up? Probably a tiny button on the toolbar next to all the other tiny buttons saying something about warnings. Given that the export phase of this could take an hour and that testing the result is long and I might skip it, I'm quite glad it warned me before I exported. You might point out that, now I know about this, I won't do it again and I don't need the warning, but I kept it turned on because I might do that again by mistake and it always helps to get told about it.

doublelayer Silver badge

Re: when to use the word "fewer" instead of the word "less"

Greater, probably, if they're using something abstract. Of course, if we analyze this too much we'll find out that "more" works just fine for both situations where the number increases and that "less" could serve for both where it decreases if we suppressed our doesn't-look-right instinct for a month or two.

Asahi's plan for Linux on Apple's new silicon shows Cupertino has gone back to basics with iOS booting

doublelayer Silver badge

Re: There one law for Apple and ...

I disagree on most points.

"Well the very first response was questioning the sanity of anyone wanting to run anything other than MacOS."

No, it was questioning the sanity of buying a Mac to run Linux on. You can choose to view that as "only run Mac OS", a clear Apple fan, or "don't bother buying Macs", a clear detractor. Given that the comment also advocates ignoring Apple and building your own machine to run Linux, doesn't seem that one-sided to me.

"Then someone chipped in Apple is so big they're their own standard."

I'm not reading that as an Apple fan either. They're saying that Apple doesn't have to adhere to standards for business reasons, so it's unlikely they'll opt to do something in an open and standard way because they have market power.

"It doesn't really matter about numbers for or against. It's just that if any other company did this sort of thing there would be an almighty outcry."

Disagree. Basically every Android OEM has done this already. There was some annoyance and people circumventing it, but we don't think it's a conspiracy. We just don't like it. To some extent, it might be more muted with Apple just because we've come to expect it. They've always been less than thrilled with people messing with their products. They've locked down their mobile devices, soldered in everything on their computers, and have the only modern OS you can't run on something else (well, legally at least and it's hard). We're perhaps not surprised when they do something and it's not completely open.

doublelayer Silver badge

Re: There one law for Apple and ...

I would agree with this sentiment if it actually held true. The problem is that there are relatively few Apple apologists here. The comments I'm seeing mostly either fall into the categories "Apple should have opened this more" or "Apple isn't going to open this more". How are either of those supportive of Apple's move? The "Apple won't open it more" people haven't said they're keeping things closed for our benefit, which is the most obvious Apple apology you could come up with. In fact, the most supportive comment I've seen so far basically says Apple won't bother because it won't add many customers, which seems only slightly supportive of their move.

doublelayer Silver badge

Re: Serious questions

"1. Why would anyone spend the kind of money necessary to buy one of the M1 Macs and then nuke the warranty by erasing the drive and installing a Linux?"

They might like Mac OS for some things, need native Linux for others, and want to have the ability to use one machine to do them both. If it turns out to be impossible, they'll deal with it then. Might as well try first before giving up.

"2. Related to above... given the limited disk [...] is there a way to create a separate Linux partition and install a bootloader of some type so that users could dual-boot Linux and macOS?"

Probably. If they can get Linux booting, they can also port a different boot system which can present a menu and launch each OS. More work certainly, but not more difficult work unless Mac OS has been written to break it deliberately.

"3. Wouldn't it be better to run a Linux in a VM?"

I wonder how well the VM hosts will work. If they're emulating X64 Linux, it will slow down quite a lot (Rosetta 2 isn't going to convert the entire VM to ARM-native) and stop working when Apple pulls Rosetta. Given they are already pulling it for unspecified reasons, it likely doesn't have a long life. If the VM hosts are now going to run ARM builds, that's nicer but most of them were not able to run them at all previously so expect bugs for a long time. Also, there are cases where native performance or access to hardware is necessary, and some may prefer to avoid a VM for that reason.

"4. What will they do when Apple changes the (undocumented) boot system, which I'm absolutely certain they will?"

Shout in annoyance. Then some of them will start reverse-engineering the new one and the others will curse Apple and run Linux on something else. Eventually, if Apple does it enough, there will be relatively few people willing to put up with it anymore and the prospect of actually running Linux on an ARM Mac might die. It mostly depends how often Apple does that.

Why yes, I'll take that commendation for fixing the thing I broke

doublelayer Silver badge

Re: Change control is good - when it is properly controlled

"If the client software can't handle a disconnection, then it's not enterprise grade anyway (My reasoning on this: once you start using resilient/distributed databases, server switches will cause client drops anyway."

I think this reasoning is flawed. If your database gets transferred to a different node in a distributed database, you'll lose connection very briefly because your new node is already available even if the previous one isn't. A simple DB down, retry, connect, and the system recovers. At worst, the client has to store a log of the stuff the previous node might or might not have done to check, not as bad if the operations are idempotent.

When the database isn't distributed, that doesn't happen. The DB down happens, but the retry doesn't immediately turn up an alternative. What should the client do? This could be the database went down. Or the network went down. Or the network cable came loose from the computer and the connection isn't going to get fixed until the user puts it back. The client can easily cache the operation the user wanted to perform and have it ready to resume when the database comes back, but depending on what happened, that might not be a good option. If it was a problem at the user's end and nothing happened for an hour while it got fixed, repeating an hour-old operation might be a problem if other data has changed in the meantime. The client has to do something, and it's unlikely it can guess at the users' intent all of the time. Best in those cases to just tell them the database can't be reached, invite them to troubleshoot, and not to start doing things automatically when it comes back. As long as it doesn't crash, I don't think it's fragile.

We can't avoid it any longer. Here's a story about the NFT mania... aka someone bought a JPEG for $69m in Ether

doublelayer Silver badge

Re: What is this

It doesn't have to. You want to see it, you can go to the website where it's published and look all you like. You want to keep a copy? Just save image. No need to pirate it when it's already free.

doublelayer Silver badge

Well, on the bright side, we basically just did. Some rich person was willing to buy something worthless for a bunch of cash. The sale would incur taxes. Then the auction house paid the artist a chunk of that. That is his income, so it too gets taxed. The auction house took another chunk as revenue, which increases their profit. So they'll be taxed on that profit soon. And, if the rich person decides to sell again, that's a capital gain and gets taxed as well. I mean it's still really pointless that anyone wanted it, but we did get tax revenue from it.

doublelayer Silver badge

Re: It just goes to show ...

"Except the seller will have to pay taxes on it, and the transaction is a matter of public record, which kind of defeats two of the main purposes of money laundering."

What? Those are the exact purposes of money laundering. The problem faced by criminals wishing to launder money is that they have some, but they don't have an explanation of how they came by it. If they make a purchase with it, the tax authorities will become curious how they managed that and why none of the money came to the government. The criminal therefore can't buy the expensive stuff they want.

Laundering that money means it is now known to the legal system and can be used without triggering alarms. In order to do that, they do have to pay taxes on it, but they also have to have an explanation for the tax man. If they claimed they just got paid millions by a friend, the tax authorities are going to be suspicious and investigate it. So in order to launder money correctly, a criminal wants a transaction that looks completely legitimate and passes a tax audit. Taxes and public record are required features of the system.

doublelayer Silver badge

Re: What is this

But you don't own the copyright. What you own is a number which identifies you as an owner of a right to a file which others have a right to, but your right has a serial number and you can sell it. It does not mean you have the ability to deny access to others. Most resources with an NFT attached are already available publicly by design.

doublelayer Silver badge

Re: I Have This Rock

Here's what you do:

1. Keep doing the same thing you were going to do with the rock. People don't want old-fashioned physical things they might do something with. You're going for digital.

2. After taking the photos, keep them. These are what you will sell.

3. Download SQLite. Your computer can handle that.

4. Run the following query: "CREATE TABLE ROCKCHAIN (photoname text, owner text);".

5. Get your photos auctioned. Publish them first so that everyone can see or copy them for free.

6. When each photo sells, update your database table.

7. When all photos have sold, hash the database and publish the hash.

8. Yes, that's not a blockchain, but nobody cares really. As a bonus, you can also publish a blob of text that says something about a blockchain and people will give up and assume you did it right.

9. Enjoy the cash.

doublelayer Silver badge

Re: Say what you will...

Nothing's wrong with the art. He may be quite a good artist. He's also a smart artist; he realized that if he put existing art in a grid, someone would pay him millions for that. All credit goes to him. The person I don't understand is the one who chose to buy it.

doublelayer Silver badge

Re: Outrageous!

I don't see anyone getting really angry here. I mostly see people laughing, saying the buyers are wasting their money, etc. You can do lots of things I think are stupid without incurring my outrage, and it looks like most comments here agree.

doublelayer Silver badge

Re: Dumber than a rock?

I'm not sure about this one, but in most of the other NFTs sold recently, they don't own the copyright, they may not be the only owner of a token for it (the number is public though), and the image they "own" is also available for free. But they're one of the few people with a signature saying it's theirs, and that is what counts. It reminds me of the people who take money in order to name a celestial object or even assert ownership over it, but all that actually happens is that the new name or ownership claim is entered into a database unrecognized by anyone else. The only smart thing to do in this environment is to find some junk and see if someone will be convinced that, since there's only one of it, it must be a valuable investment and they're more than happy to hand you a pile of cash for it.

doublelayer Silver badge

Re: What is this

A relatively good point, but the original Mona Lisa is valuable both for its artistic value and for the fact that museums get people to come look at it and pay for the privilege. Since an exact copy of this image and most of the other NFT-backed data is available for free, there's no value as an exhibit. The owners of the tokens have to hope that others will continue to care about the ownership rights to something they can get for free. But then again, I would never want to purchase the original Mona Lisa, even if I had infinite money available, so I'm the wrong person to argue for this.

License to thrill: Ahead of v13.0, the FreeBSD team talks about Linux and the completed toolchain project that changes everything

doublelayer Silver badge

Re: @bombastic bob - Says it all

As I've said in previous comments, this is not a reason we have to care about. I'm merely illustrating that there can be a reason for a company to avoid GPLed code that is not purely profit-seeking anti-user stuff. This is not my problem, nor should it be yours. Companies can make whatever decisions they want to just as we who write the source can. I just think it's worth it to keep in mind the actual results of a license decision like this one so that decisions can be made with real-world effects in mind.

I said: "If you use a GPL3 library somewhere, they have to be able to replace it somehow"

You said: "Err, where does it say that ?"

From section 6 of the GPL version 3:

"If you convey an object code work under this section in, or with, or specifically for use in, a User Product [...] the Corresponding Source conveyed under this section must be accompanied by the Installation Information."

And above that is the definition of that:

"'Installation Information' for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made."

Which means that, if the software can be modified, the user must have the ability to modify it. Which, except for a few rare cases, is all products. There is an exception for a product where it's impossible, like ROM, but pretty much every product uses software which theoretically can be updated and in that case, they have to make it possible for a user to update it themselves. Again, I like this because I quite enjoy hacking my stuff, but companies have reasons not to want to give that access out other than wanting to lock out the users.

doublelayer Silver badge

Re: @bombastic bob - Says it all

I'm not following your disagreement. If you use a GPL3 library somewhere, they have to be able to replace it somehow. If you make the system such that, if they put a file in that is not identical, it breaks, then you have not complied with that requirement. Therefore, you must accept a version of the library which does not break the system. If they supply a modified version which crashes itself, that's not your problem, but if the one they provide runs, then you must accept it.

Which means that the library could be replaced by one giving the user effective access to the system with the privileges of the original library. This is one reason I'm all in favor of people using GPL3 libraries, because I can write a replacement and use it to gain relatively unrestricted access to the underlying system. I like doing that. I got a library to open a network port and run a telnet server to a root shell, for example. The manufacturer I described above is not as keen on my doing that for reasons I've explained.

Now theoretically, the manufacturer could take steps to prevent a replaced library doing anything by isolating it in an environment without privileges. So if a company really wanted to, they could do that. However, that takes a lot of work and slows down the program as it sends data in and out of a sandbox for the GPL3 stuff. That's why few companies ever do it. They either just don't use the GPL3 libraries at all or they use them without giving access and thumb their nose at those of us who know they're violating the license.

Huawei CFO's legal eagles take HSBC to court in Hong Kong to obtain evidence against US extradition

doublelayer Silver badge

Re: Sanctions are messy, politics is worse.

You are broadly correct, but the courts in Canada have also had to resolve claims by her lawyers that the crimes were invalid under Canadian law. These disputes have at times involved discussions of what fraud is, whether sanctions apply in multiple countries, and the like. Some of these discussions have indeed handled questions of culpability if she is found guilty, and thus the intent I described. When such claims were made, Canadian courts have decided that it is a crime to make fraudulent claims about sanction compliance, which is why she is still hinging her defense on procedural issues. Your description about what those are is quite good.

doublelayer Silver badge

Re: Sanctions are messy, politics is worse.

Some of your facts are not exactly correct.

"a) a "Crime" that is only such because America has unilaterally decided it is, followed after some delay by its Allies."

In a way, but this is not unusual. It is not a crime for you to do business with Iran if you're outside the U.S., but if you are in the U.S., then it is. This is acceptable because the U.S.'s laws are set by politicians, and voters can replace those politicians if they disagree. You could therefore make it not a crime anymore by voting in others. Huawei is involved because they were selling their plan to a bank which operates in the U.S. and therefore chooses to follow U.S. laws.

"b) a Person being held directly responsible for that "crime" rather than the Corporate Entity itself."

This isn't the case. The reason Meng (and it's Meng, not Meg) is being charged is that there was a person making the claims to the bank which the U.S. claims are fraudulent, and it was her. The company may have directed her to do it, but she actually stood up and said the things which would be a crime if proven.

"There seems to be very little requirement to prove intent or harm by Meg herself"

The courts in Canada and the U.S. have been trying to do that. They have already had to deal with questions of intent, and her lawyers have tried to prove that she didn't have ill intent. They have so far failed to do that and are therefore more likely to get the request denied by pointing to procedural problems.

"and very little to be gained by holding her responsible for the actions of her company, which has already had its business model crushed by Sanctions itself."

The former part has already been contested above, and the latter part is unrelated. The sanctions against Huawei in particular are related to a different allegation, and one which in my opinion is much weaker. The point of the fraud case is to prevent fraud. The point of the sanction on Huawei is either to protect Americans from dangerous Huawei equipment (if you believe the drafters) or to gain an advantage in a trade war (what I think). Therefore, the fraud case can be legitimate while the sanctions could be unwarranted.

ZIPX files that aren't: Keep a weather eye out for disguised malware in email attachments

doublelayer Silver badge

Re: Any word on the vulnerable version of 7Zip?

It doesn't sound like 7zip has a problem. It saw an archive and extracted files from it. It doesn't sound like it ran them. The same feature that lets you run it on an arbitrary file and it will try to find any archives inside it allowed an incorrectly-named archive file to be extracted anyway.
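An added example, not part of the comment above and not 7-Zip's code: a mail-gateway style check that compares an attachment's claimed extension with the container its leading bytes identify, and flags an archive signature found deeper in a file. The function names, verdict strings and sample attachments are constructed for illustration.

```python
import io
import os
import zipfile

# Leading "magic" bytes of common archive containers.
SIGNATURES = {
    b"PK\x03\x04": "zip",             # ZIP and ZIPX share this local-file header
    b"Rar!\x1a\x07\x00": "rar",       # RAR 1.5 to 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",   # RAR 5
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b\x08": "gzip",
}

# Container each archive extension is expected to hold.
EXPECTED = {".zip": "zip", ".zipx": "zip", ".rar": "rar", ".7z": "7z", ".gz": "gzip"}


def sniff(data):
    """Return the container type identified at offset 0, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def find_embedded(data):
    """Return (offset, kind) of the earliest archive signature past offset 0.

    Short signatures can occur by chance in binary data, so a hit is a
    triage signal for closer inspection, not proof of an archive.
    """
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = data.find(magic, 1)
        if pos != -1:
            hits.append((pos, kind))
    return min(hits) if hits else None


def check_attachment(name, data):
    """Classify an attachment as ok, mismatch, hidden-archive or not-archive."""
    claimed = EXPECTED.get(os.path.splitext(name.lower())[1])
    actual = sniff(data)
    result = {"name": name, "claimed": claimed, "actual": actual, "offset": None}
    if actual is not None:
        # Content is an archive: the extension must name the same container.
        result["verdict"] = "ok" if claimed == actual else "mismatch"
        return result
    embedded = find_embedded(data)
    if embedded is not None:
        # Tools that scan a whole file for archives would still extract this.
        result["offset"], result["actual"] = embedded
        result["verdict"] = "hidden-archive"
    elif claimed is not None:
        result["verdict"] = "mismatch"    # claims to be an archive, is not
    else:
        result["verdict"] = "not-archive"
    return result


def _constructed_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "hello")
    return buf.getvalue()


# Constructed sample attachments (harmless bytes, built in memory).
SAMPLES = {
    "report.zipx": _constructed_zip(),
    "invoice.zipx": b"Rar!\x1a\x07\x00" + b"\x00" * 32,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + _constructed_zip(),
    "notes.txt": b"plain text, nothing to see\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(check_attachment(fname, blob))
```
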

Huge if true: If you show people articles saying that Firefox is faster than Chrome, they'll believe it

doublelayer Silver badge

"With Palemoon I can at least choose DuckDuckGo or whatever as the search engine it sends it to. So far I haven't succeeded with FF although I haven't tried hard because I can mostly avoid it."

And

"it's admittedly not as easy to change those settings as one might like."

Really? Here's how you do it. Tools -> Options -> Search category -> Default search engine. And right next to it, the settings about the address bar. A total of five clicks. How is that hard? Some settings are buried. These are really easy to find.

doublelayer Silver badge

Re: Speed means nothing

"Is browser speed significant when all you are trying to do is click on all the squares with a mosquito in them?"

Of course. You see, if you run the captcha system and slow it down or even break it from time to time when it runs on the browsers you don't make, then you either drive people to your browser where you can collect all their data or at least you get more captchas done which means more free training for the AI department. Just be careful not to break it too much so you remain the primary captcha provider for lots of sites which have an email address field you can scrape.