Posts by doublelayer

Re: Simplest solution

Cloud-hosted software as a service has entered the room.

Cloud-hosted software as a service has taken over the room.

Maybe everything you ever run is open source. Not everything I run is. Sometimes, the way to get people to write the code you want to run is to pay them for it, and I don't have the funds to finance the development process myself, but I can easily afford to buy licenses for stuff I want. I prefer to run that stuff on my own computer, but if they're required to hand me the source code in that case, they'll restrict it to running on their servers or whatever environment it takes to prevent me from accessing that code.

Proprietary software is not automatically evil.

Before you hand it to a criminal, it is not the proceeds of a crime. It is your money. You may read that law again, looking for the part where it defines any payment to a criminal as money laundering, but you won't find it. The rest of the chain, yes. Your end of it, no. In fact, the criminal hasn't done any money laundering until they try to obscure the source of that money. If they go out and say "I have some ransom money and I want to buy something with it", they've only committed the original offenses.

Your overeager interpretation is incorrect in several other ways. Yes, I can get £10k of cash and buy something with it anonymously. The bank will record that I withdrew it. The other bank will likely report that they deposited it. However, purchasing something expensive anonymously with cash is not illegal. Buying something with stolen cash is, and if I am a criminal, I might be charged with money laundering as well as whatever crime gave me the cash. The person I bought the expensive thing from is not required to verify my identity. If they too know that I am a criminal, they are guilty as well. If they do not know that, they are not guilty. Some institutions have a requirement to verify identities first, but not to verify the source of my cash. They too are not guilty, because they have complied with their requirement to have a record of the identity of the payer. Law enforcement may ask them for that information during the investigation, but even if it turns out I am a criminal, they were not supposed to identify that before allowing me to complete a purchase. Even more businesses are not required by law to verify identities and do it anyway.

Your page makes that clear (emphasis mine):

Criminal property (defined in POCA) constitutes or represents a person's benefit from criminal conduct where the alleged offender knows or suspects that the property in question represents such a benefit.

Re: OK, then let's focus on really strict security

No. The new owner could have a new certificate, but until my old one expires, it would work just as well if I could get some traffic sent my way. As far as the certificate authorities were concerned, the domain is mine until that certificate expires. That someone else owns and operates it now is not part of the certificate system, and they don't coordinate to cancel mine if someone else sets up a server. Maybe they would if they use the same authority that I used, although even then they might not bother, but if we used different ones, then there will just be two certs covering the same domain.

Re: Intentionally Be-bugging Computer Code

And also 3. time spent fixing bugs that were deliberately introduced is time not spent fixing bugs that were actually there. It shouldn't be hard for managers to recognize that time is finite. Shouldn't be, but sometimes I wonder.

Re: Four Fox Ache

Probably the same barriers there always are with a new fork. If a problem is detected in it, who do I think is going to fix it first? Who is going to fix it better? And do I worry that one of them is going to try to screw over the other, for example by making a fix and licensing it in such a way that the other fork can't adopt that fix and therefore delaying their fix?

This happens all the time. When Amazon forked ElasticSearch, Elastic quickly enough introduced a change intended to prevent libraries from working with Amazon's version. They're still fighting that one out, but as I don't use the products much anymore, I'm not up to date with developments there. If I was using these, I'd be worried about SCF's reliability because they might be more interested in making things harder for WP Engine than delivering the thing that the plugin was intended to do. I could use it easily, but I'd prefer not to and I'd be worried if I had to.

Re: you just need to ask AI to sum up the numbers

Probably true. I haven't checked the various competitors for how well their creators have hidden this fact. However, at least some of them have decided that making such elementary mistakes is a bad look and have done the same kind of preemptive parsing that there is in the Google search box to catch and complete arithmetic problems before they arrive at the LLM which can't handle them. It doesn't really change anything important; relying on an LLM to do calculations is a bad idea. However, the easiest ones will probably gradually get fixed. For most of us, this is actually a bad thing. The more simple calculations the LLMs can seem to do correctly, the more complex ones they will be given by idiots who will not check their work.

Re: "Ask me how I know."

Maybe not the lesson that you had in mind. I'm guessing that yours goes along the lines of "never have smart light bulbs". It's a lesson that I find very easy to use, because I still don't have a use for them and I have no difficulty getting to and operating a light switch.

However, if you are a person who needs (for example, not being able to easily get to or operate a switch due to a disability) or wants (for example, I don't know, but some people clearly do) smart bulbs, the lesson is not that you are wrong and need to change. The lesson is that a lot of the bulbs are bad and you probably want to research the options before buying them. I don't know which category Mr. Goodwins is in, but it sounds like he might be. Just because you aren't in either category doesn't mean that everyone is the same.

When you have people who insist on bad subject lines, sometimes you need it:

Re: Request

Alice, please consider this a high priority request. It is important.

-Bob

Hopefully, you only have one email with the subject line "Request". Even if you do, you may have to delve into your history to find it. But what happens if you have two of them. How do you figure out which one is the important request and which one isn't supposed to happen at all? You could guess based on which one looks more probable. You could contact Bob, but maybe Bob has left for the day which is why he asked you to do it. You could open the headers and see if there is a commonality you can use. If Bob replied all, then probably you could use the other recipients to find out.

Yes, it also causes problems, but sometimes it is necessary.

Re: One socket to rule them all

Keep them around for a while, knowing that at some point you'll need one of them. This should last until the third or fourth time when you think you've finally had the occasion where you're going to need them and you test all the cables to find the plug that fits and find that one of the following apply:

1. None of your plugs fit right, even though you've got about forty of them.

2. One of your plugs looks like it fits, and the voltage is wrong, so you cut the wires and used two of them to try to work, and it's not working because it turns out the plug doesn't connect fully, so now you have four pieces of cables instead of two intact ones.

3. One of your plugs fits, but you can't find any information about the voltage and polarity you need because either the manufacturer no longer exists or the manufacturer exists and has twenty different models all of which have different settings and they all look the same.

4. You found out what voltage was needed and you're powering the device, and you're feeling great until it starts to act wrong. This is probably an undercurrent, but who knows for sure.

Then recycle them.

Re: And I'd want to why?

You might have noticed that most of those things involve more than seeing someone read it. Theater. You could go to a table read, where you sit in a chair and watch someone read out something on a sheet of paper, but most people prefer to go see the actors move around sets. No sets in an AI-read video. That's out. Film and TV are the same thing, but nowadays you're not limited to sets they can build in a room because they can have the actors moving around in front of fake but realistic-looking things you couldn't see elsewhere. As before, none of that in the video. And radio does not involve watching someone read it. You just listen, although you may just listen to something including music or sound effects. News radio often has the advantage of being faster to receive than was a newspaper, and you can listen while looking elsewhere.

There are reasons for an audio or video to exist, but those reasons rely on benefits of the medium. As I explained in my comment, a video makes a lot of sense if I'm going to demonstrate something rather than just explain it, but the Zoom avatar is not going to demonstrate it for me, and if I used one of the AI models that can actually make a video showing it, I'll spend more time explaining what it should look like so the video is accurate than it would take to make it in person. The advantages that led to the things you mentioned are entirely unavailable for this.

Re: Attackers

It could work, but you'd have to find students who are good at providing that information without getting caught. With some time, effort, money, and some more time, you could do it. Or for really cheap you could send phishing messages to students and start probing from their taken over laptops.

Similarly, you could get a student to attend courses for a while, excel at their studies, and make a good impression on research professors. That student eventually gets invited onto a research team and does a great job, and then they get invited to work on something the host government cares a lot about and can start sending back the sensitive data. Or you could identify the professor involved by reading public information on websites and papers, look at other public information about them to craft a phishing message, and take a chance at getting access to their work right now. Undoubtedly both happen, but I'm expecting that the cheap option ends up being more popular.

Ah, so my Windows installation was not a real OS. But then I installed git for Windows, including its bash environment with all of those except emacs which I could also install, and now it is.

Is this really the level of argument you can go to? The name of the file list command is important?

Because "Ponzi scheme" is a more complicated concept than something weird related to money. There are lots of types of financial schemes that are not Ponzi schemes. There are a lot of dubious financial things that aren't fraud at all, just bad ideas for people who don't know what they're doing. There are things that people don't like, either because there are real ethical concerns or because those people don't understand them, which are not any of the above.

Using a term with a specific meaning for things that aren't related to that does not help explain what the problem is, whether you want to explain it to educate someone about what they should do or you want to change the regulations to prevent it from happening at all. Computer crime and things that aren't illegal but should be computer crime won't be fixed if I insist on calling it arson. Financial crime and things that aren't but should be won't be fixed if I insist on calling it a Ponzi scheme.

All the time. It isn't just "Alice suggested we redesign this and people smiled, so we're going to", but if the people concluded that this made more sense than Bob's proposal to change the training documents and leave the code alone, then the notes will say that. If the redesign the code suggestion came up first and was discussed for three minutes, and then the documentation proposal was made and discussed for twenty, and then people said that they thought the training solution was less helpful than the code one, will Copilot properly understand that two thirds of the meeting might have been necessary to decide against something but does not need to be brought up in the next steps email? I don't know, but I wouldn't want to count on it.

Often, they're referring to Tor hidden services. Not always, and when they talk about domains being seized it might not be, but quite often that is where the illegal markets are set up. If they're doing it correctly, there is no IP address you can enter to arrive there. You have to go through Tor and use the domain name, which is really a public key, to find and connect to the site. It gives people some of the tools required for anonymity, but if you're not careful, you can mess it up, and you also need to do more than just have a hidden service to not be found.

Re: Terminology

A ticket is a weird term, although that's hardly going to stop them given all the other weird terms that get used. However, it doesn't really work well for organizing them. A ticket containing a ticket of tickets is not a metaphor that's going to work very well. Of course, you could just have groups containing items or other groups, and if you want you could call the items tickets. If you're only going to have one word for everything in the system, who cares what that word is?

I think that most people, if presented with the search engine screen, would choose Google from brand recognition and inertia. Google is willing to spend billions to prevent that from happening. Either they know better than I do about what people will do with a choice, although those people can still go into the settings and get a choice screen with common engines listed, or the team that does this stuff has a massive budget and no oversight.

It partially has to do with the function name length, as well as anything else that might be on the line. For example, if line one reads

char *data = someFunction(

then there are people who would like the continuation line to be indented by 26 or 27 more spaces than that line. I am not one of those people, and in fact lining these up is annoying enough that I tend not to adhere to their style unless required, but I've seen people ask for it.

Re: Imagine

Not the known ones. It would have been quite simple for him to have had a bunch of them, some of which have been transacted over and over again while others stayed quiet. He could have earned no real money from any of his bitcoin or he could have cashed out quite a bit over the years, pretending to be an average miner or trader. We don't have enough information to prove which.

Re: I'm British...

So do many options involving the active voice, though I grant not the example I used.

I fixed the bug in the thing [in a commit two weeks ago].

These changes [but not this one] fix the bug in the thing.

I contend that this is not really a concern that has much relevance. If people are putting in commit messages that do not correspond to what the commit actually does, how they phrase it is not the problem. Anyone doing this is either deliberately dishonest or getting commits confused, and neither is going to be fixed by adding a subject picked from a short list to the sentence. I also wonder where my most typical form would fall. I tend to write commit messages in the active voice but without a subject ("fixes a bug in the thing"). Yes, those are fragments. It hasn't caused a problem so far and sticking "this" on the front won't help.

Re: Can bots be subscribers?

That is true, but a slow connection has to be really slow to make that happen. Most of the time, electronic payment takes a few API calls, none of which are particularly large. Latency can be more important than bandwidth, but neither is very important. The main way for a connection to be the limiting factor is if that connection is unreliable and is constantly dropping packets. Then you can expect the transactions to begin failing. Unlike many uses, most payment terminals would not have any problem processing payments much faster than the people can. Of course, if you posit a single 128 kbps line shared by fifty shops, it could encounter that problem, but that's probably not the kind of alternative that something along a major road has access to.

Re: It's 2024 ...

"unless that malware is either self-starting (in which case it'll become immediately obvious that something is wrong)"

Not necessarily. Time delays are really easy to build in. They can let you clean up your first exploit before things go wrong so the investigation takes longer or, if you put more time into it, you might be able to pretend that your sabotage is just a cascade of normal failures that happens at an inopportune time. If your aim is destruction rather than getting data, you can manage it even through an airgap that you can only bypass once.

Re: "Whatever x86 apps I threw at it just ran. Swiftly."

As I understand it, drivers are not emulated, but any other application is. So your drivers will need ARM versions, the same way that 64-bit drivers were required for 64-bit Windows. However, it's pretty different from Windows RT. You can take an application that doesn't hook directly into the kernel and run it under emulation. It shouldn't matter what that application contains, even if you hand-coded it in X86 or X64 assembly. So probably your custom driver systems are going to need an ARM driver to work, but you've still assumed too little compatibility.

Re: busybox linux

The post they replied to linked to this GitHub repository with instructions for building a minimal distro using mostly just busybox, but those instructions do indeed involve installing bash too. As far as I can tell, not for any reason other than preferring bash to busybox ash, which I certainly do.

It goes on to also demonstrate adding nix, xorg, and tools for WiFi, but those are optional. The bash step is not written separately so even if you stop at the first bootable thing, the system they specify has bash in it. You don't have to do that.

Re: Only 73.03 percent of rural premises in the UK have 4G coverage (from Three)

As a non-UK resident and someone unfamiliar with these companies, I would expect that, in addition to many negative consequences, that would actually happen. That wouldn't stop them from raising prices, canceling deals they no longer wanted to offer, or any number of other problems that arise when competition decreases. However, moving the equipment around to increase coverage is a relatively cheap thing that increases their potential customer base. Buying new equipment to serve rural locations is expensive. Moving equipment isn't, and it's often older equipment that they don't need in urban areas.

Or in other words, it doesn't work. Its failure to work is not because the technology is wrong. It's not because people can't use it or servers can't direct it. It's because those who would have to honor it are not and those who would make them are doing nothing. If they made an API that automatically filled the cookie selection boxes, that would help, but any company that wanted could still set whatever cookies they want. They could say that collection was a strictly necessary cookie. They could say that there was a mixup in their code that ended up setting the wrong cookies. They could set a cookie which was meant to indicate that data collection isn't desired but happens to work as a fingerprint anyway. The suggested API is little different from the do not track signal in that it has no technological enforcement of compliance, if such a thing is even possible, so without strong enforcement from somewhere else, it won't make a change. If you had strong enforcement from somewhere else, you could use the DNT setting, this API, or any similar indicator.

Re: People have many conflicting loyalties in life.

That is not entirely correct. Mozilla's guidelines are on modifications rather than binary source. If I take the source code for Firefox and compile it unmodified, it is Firefox. Mozilla is fine with this, and so would a court. To some extent, they're also fine with some modifications, though their preferences aren't entirely clear. Rebranding seems to happen when changes have been made to the binary, for example removing some advertising. Even in that case, they could easily say that they are using Firefox with some changes by the distribution and be fine from a trademark situation because they are. They choose not to because Mozilla would prefer they didn't, but they don't have a legal requirement to. Different rules might apply to trademarked logos, I'd have to check the license, but the name wouldn't be affected.

Re: Two seconds ?

The software is probably larger than it needs to be, either the camera runs a lot of software itself rather than just being a peripheral for the central computer, or the central computer's hardware polling is slow. This is a challenge I've had and seen others have when building larger embedded systems. In most cases, the question is whether to use embedded Linux or run your program on bare metal or with a small, often single-program OS. Using Linux gives you tons of advantages and lets you simplify a lot of necessary work. It also makes the system startup much slower. If you're lucky, you have a chip with good power management or a massive enough battery that you can suspend and be fine. If you're unlucky, you don't have that and must have the user wait through the boot cycle every time they want to use it.

People who work on this more professionally than I do will have other options they consider as well. There are a lot of types of embedded devices. This camera, for example, is probably not booting slowly by booting Linux, though the central console was the last time I saw an analysis of that. At least I really hope they don't need to run a full Linux kernel on a camera.

Re: Comparison

Once again, I don't want to know how this compares to random people. That information doesn't help me. I want to know if this tool can do this job when I want this job done. It doesn't matter whether only one person on the planet could do it or whether every child aged five could do it in their sleep. In this specific case, I know that there are lots of people who can do this, so while it might not be everyone on the street, I'm reasonably confident that I could find someone capable of doing it if I needed that.

And if I do want to compare it to random people, I have to do a better job of sampling to find out. A sample of people from one location is an insufficiently random sample in case, for instance, the location is right outside an office containing a bunch of statisticians. I would need to put more effort into my sampling. It is also insufficient because of the conditions of getting their answers. So if we do need that information that I currently don't care about, we still need to do more to get it.