Posts by doublelayer

Re: WTF - Password length limits?

It is my automatic fear as well. I have a feeling that many sites with a limit are properly hashing them, rather than storing in plain text or symmetrically encrypting them, but there is no way to know that. We also know that many bad sites do one of those things. The other clue that makes me assume that is if they say that some characters are not allowed in a password. If it's non-ASCII characters, then fair enough I am willing to assume that the developer was worried about Unicode encoding and probably didn't have to. If it's trailing or leading whitespace or unprintable characters, I can understand that. If it's ', ", ?, or *, I'm concerned now.

Re: Schrodinger's password

Or until it breaks. There was a site I used. It stored financial data, so I wanted a good password on that. At one point, they simply changed their length limit without telling anyone, but they didn't change it on the login page. While new accounts could not be registered with a password longer than twenty characters, my longer one could still be used to log in. So naturally, I didn't notice that they had done this until some time later when someone put the same limit on the login page's password field. Even now, I don't know if that was intentional or not because their page does not say "maximum of twenty characters" it just stops accepting new characters when you've typed twenty.

Re: Variable length representation

I think it represents that I have 1234567890 of something. Maybe that's a number of people, and I want to know how many would be in a certain group. Maybe it's a number of liters of a material and I'm trying to divide it among multiple containers. The answer to any division with that as the dividend does not vary based on the units involved. Whether I choose to do the calculation that way probably does depend on the units, which is when you would want a calculator to actually calculate using the number you entered.

Your answer ends up simplifying to "you shouldn't need more than 24 bits (7.224 digits) of precision". Sometimes, you do, as I demonstrated with a 10-digit number. Sometimes, just going to double precision isn't good enough. You can solve this by just increasing the precision over and over again or by using something other than floating point to do the calculations. People who use calculators expect and rightly so that you have done this for them. They don't care how you divide the number. They care whether the result is right. If you use 32-bit floats and excuse the incorrect results as the user was calculating the wrong things, you're making a bad product.

Re: Variable length representation

"If going from single to double precision makes a difference…..then you are running your calculations in a numerically unstable way. Fix that."

Sorry, I'm one of those young stupid people. Maybe you can help me fix this:

1234567890.0/10.0 = 123456792

Hmm. That's not the answer generated by my brain, and I've run it passed an 80-year-old person so my brain is probably right. Why did that happen? Maybe the compiler can help make it clear. If I don't put on the .0s, Clang helpfully tells me this:

warning: implicit conversion from 'int' to 'float' changes value from 1234567890 to 1234567936

Well, that's a lot closer to the number, although we still have the 92 instead of the 93.6 at the end. I'm sure the proper analysis would have fixed that. Sometimes, a number is more precise than a 32-bit float. That ten-digit number is not ridiculously high for calculations. The calculation I used to demonstrate this is trivial to do mentally, but a very similar one could be entirely doable with paper and pencil but people don't want to. A user of a calculator who expects it to be able to divide a ten-digit number should not be told that their calculation is the problem and they deserve the wrong answer.

This is a bad idea. Open source exists for many good reasons, including the deduplication of effort so that wheels don't have to be reinvented and so that, if one person stops working on it, it doesn't prevent the rest of the world from continuing on. Trying to prevent people from doing things for free would probably not be possible and would, if you got it, create a lot more problems than it fixes. Nobody needs to work for free. Everyone is free to decide whether they are willing to do so or not, and crucially, when they draw that line. Users of the software should respond to this by doing things (paying) to ensure the continued availability of stuff they rely on, and if they don't, they will only have themselves to blame when problems arise.

Re: Sure, but I have a question:

Probably nothing prevents them. I'm not sure which direction they would try to influence the software in. I could see them trying something bad if, for example, Signal received funding as an open source program. That could be a challenge if this was a general FOSS fund for anything considered open source, but such a general fund seems incredibly unlikely and, if it happened, there are lots of other problems that would probably come up first. If it's specifically for software which the government uses, then there's less of a risk. If government gets its database bugs fixed faster than someone else, that's not a major concern as those bugs likely affect lots of other people anyway. Everywhere in the government that relies on open source cryptographic software also knows why you can't put a back door in it, so I'm not sure politicians will be any more dangerous when funding it than they can be on their own.

Legal: none, unless they signed a specific contract in exchange for the funding. If it's just a donation, none at all.

Moral: In my opinion, spending their donations on something related to the project, meaning that if the developer spends it, they continue to work on the project at least a bit more. That's what I have done, anyway, trying to respect the fact that the donation was received not as a gift, but as support for something. But moral requirements will only ever be an opinion and everyone will have different ones.

It is important not to take a moral opinion and make it a legal requirement. It is why I disagree with people trying to mandate payment for open source, and it is also why I disagree with people trying to force developers of open source to do certain things. A good developer will fix a lot of bugs just because they are bugs, but that doesn't mean that they are now responsible for fixing any bug a user finds. A company can get their changes done faster by a) paying the existing programmers to do it, b) paying one of their employees to do it and upstreaming the code, or c) having some kind of bounty for whoever adds this thing. If they don't think it's going to happen already, they should do one of those things, and if they choose option A which is one of the fastest ways to do it, the programmers can and probably should add some extra maintenance cost to the cost charged.

That seems like a good place to do that when you're starting to try to use Teams properly. You already have a team, it already has people on it, when you click on it, there is a chat window, so surely that's where chats should happen. It's a mess. Not that Slack is better. It's just a different collection of annoyances. If pressed, I'd have to take Teams, but neither of them is winning any awards with me.

Re: Cost to launch a Starlink satellite

I don't have any reason to distrust your numbers. Nor do I really care enough to do the complete analysis. I did look up a few of them, though. For instance, your 100 Gb/s figure for Hughesnet satellites appears to be correct, but North America is also served by Viasat, which has Viasat 1 (130 Gb/s), Viasat 2 (260 Gb/s) and Viasat 3 (1 Tbps). The bandwidth difference is lower than you describe. Most of this is irrelevant to me, and not just because I'm not a customer. The capacity is not the largest issue, and much of the capacity that we're comparing it with would include wired and fixed wireless network capacity which varies based on the user's location.

As for the equipment prices, I've now done some searches and still don't have an answer. The latest information on production prices I found was from 2021 when SpaceX claimed they cost $1500 US to make, having saved some money by mass production and some more by removing the automatic position adjustment. Meanwhile, I see that they can be bought in the US for $300 or $500 depending on location. In order to think that they're not selling these below cost, I have to assume that they've made another 80% manufacturing saving in the past three years, or two if we're considering time between those two news articles. I can't prove either way whether they have.

The business model of selling something below cost and making it up on the subscription works better with a contract but it does not require one, especially when you have a large sunk cost to keep people wanting to spend. A business model of using Starlink availability to discourage the availability of competitive wired service is also a plausible way to make good profits in the long term. From a business perspective, it's actually quite a smart plan. Again, I can't prove whether it's actually their plan, but it would make sense if it were. That wouldn't require running a big loss. I expect that, even if they are selling the terminals below cost, almost all the people who buy it do continue to make monthly payments long enough to pay it off. I wouldn't guess what their accounting looks like, but a small profit or a small loss seems like the most likely result of Starlink service, and I have reason to think the profit will grow in the future.

Re: Cost to launch a Starlink satellite

I don't think they're making a huge loss, but part of the reason I think the situation may be different than you describe is related to statements you've made that have been contradicted before. For example:

"The cost of terminals is covered by the up-front fees.": I've heard, from Musk and from users, that these are sold below cost to be made up later, at least for individuals. I don't know which is true. That they would be is quite logical, because there are many people who would balk at an even higher up front cost who might be willing to pay more per month.

"To give SpaceX money you have to buy out an existing investor because the number of investors is limited. You must also qualify as being both rich and financially competent.": I'm not sure why you would have to be financially competent. I think rich would probably suffice. Few investors would have a problem selling me their shares if I came to them and said "I have no clue whether this is a good investment, but your stake is valued at $100 million and I am willing to give you $1 billion for it"*. Many investors who were rich and supposedly competent have regretted choosing to invest in Twitter, but that hasn't stopped Musk from doing what he likes with it.

This doesn't mean I think they're making a loss, but that without more complete information, I am not certain that they are making a profit. There are many reasons why they might not, for example trying to strengthen their position in the satellite and rural internet market, thereby limiting their competitors. That's a popular tactic for a startup business, with the next step being increasing the prices when people are considered likely to continue paying for a service they have become used to and don't have a good replacement for. See also basically every delivery app that got popular in the last decade. I don't know how much of the true business model is shared with investors, and I'm pretty sure most of that is not shared with the public.

* Okay, there are tax reasons or if they think a > 1000% growth is likely, but you get the idea.

Re: Just for curious...

We probably won't know. It is likely that Starlink's profits will grow as they add more regions. There has been proven demand in many parts of Africa that they don't serve, so that will probably help them if they can add those regions. They're also clearly banking on the connection to phones being profitable, although I doubt it will end up being popular because I expect it to cost a large amount, only allow you to send a few text messages, or both, and I doubt many people will buy that.

In the US, Starlink may be able to sustain their profits by joining other ISPs to prevent the FCC from trying to improve the state of rural broadband. Starlink stands to gain even more than other companies because those ISPs can continue to collect their subsidies, but Starlink can provide service that people want to buy if they can afford it. While Starlink is not very competitive if you have fast wired internet, there are lots of places that don't have that. If they can prevent wires from being installed and keep expanding into those regions, it could make them plenty of money. I'm less convinced that it's making them that much money now, Musk's claims notwithstanding.

Re: Really?

My point was that the change isn't a switch on the web UI. It's not a line in a config file. In many cases, it's a kernel code change, which isn't that many lines of code but still requires recompiling the kernel and pushing out that update. Most devices that ISPs provide don't get new kernels from them. New kernels come from the manufacturer who has forgotten all about these boxes years ago. In many cases, the update files don't even change the kernel, just the configs and libraries, making applying kernel updates a more involved process.

There are some other devices which have separate hardware for routing which may have that rule coded in, and in that case, the change is bigger. Again, not that many lines of code to remove the logic, but a lot of stages required to get someone to make that change and get it installed on all the equipment in which that hardware exists. If you think ISPs have the ability to simply make any change of this magnitude, I'm surprised to see you constantly annoyed at IPV6; all they'd have to do is push a kernel version with the existing IPV6 support turned on, after all. That is a lot of work too, but at least a lot of it has already been done. When my ISP didn't offer IPV6, their hardware (optional) had the support. They just didn't give out addresses. Now, they do support it and most modern routers, including their pre-switch hardware, will just connect and use that.

Re: Elephant

They quoted /8 a month, so that would make it 1.33 years. That is unless some countries would like to stop doing CGNAT as ridiculously as some have had to, in which case you could use those in about a week. Most likely, even if we could turn on the whole block, countries that have 1 IP address per 300 people won't get very many of them. If we do all the work of enabling those, I'm sure the cloud providers will happily buy up the blocks and rent them back to everyone with cloud resources.

Re: Really?

A lot of that equipment has not gotten security updates in a very long time. The only reason it's not as big an issue as it could be is that there's a lot of different equipment, so vulnerabilities can't give you access to all of it in one go and a lot of it hasn't been penetration tested enough to find them. Lots of botnets have used some subset of those routers to propagate. While ISPs can theoretically update the ones they provided, they quite often don't, might not really be able to because all they have is remote access to the configuration, not the code, and can't manage some relatively simple things without breaking their users and are therefore conservative with any changes they do make.

Adding either the 240/4 block or IPV6 support requires significant changes to a low-level part of the box. No, an ISP is not going to do that to the equipment they've already sent out unless they have a true monoculture and only have to do it once. They're probably not going to do it to the hardware they own which can't handle those ranges either, even though they don't have to send someone into their customers' houses if they mess that one up. The major difference between 240/4 and IPV6 is that a lot of their equipment will support IPV6 as it is replaced for other reasons, but most of that doesn't support 240/4 either because it was reserved for future use and discarded for speed. Adding either is hard, but IPV6 is easier, more likely to work, and more useful into the future.

Re: If an Icom IC-V82

Since few cheap radios will have their own encryption anyway since it's not allowed on amateur bands, I would probably try to bolt it on. In that case, it wouldn't really matter whether they were digital or not as long as I could patch into the audio connection. However, that sounds like more work than they were doing. Maybe they just didn't think it through or valued being able to receive signals from any radio over keeping their signals encrypted. For the same reason, if I was using pagers, they would only send encrypted messages, but that's probably not what they were doing either.

Re: This is a common problem

I've said this before, but it's worth repeating. That will just annoy people who do an "rm -r" and it gets turned into an "rm -i -r" that warns on every file in the directory. To get around that, they'll do an "rm -rf" which stops that. This has two bad consequences: they're not going to see the things normal rm would warn about because they put in a -f, and they're now starting to build -f into their instinctual use of rm.

Re: Ouch!!!

There probably was one, but those boxes often lack important details. If you see a box that says "Are you sure?" with the title "Confirm deletion", then you'll probably click yes unless you really accidentally pressed the delete button. It doesn't say what it is deleting, just that it's deleting something. Even boxes that specifically name the thing will get some click through, but it doesn't help when lots of confirmation boxes are very low on detail.

Re: Cartel Is in Full Operation

All the 2020-era machines already support Windows 11. So the last refresh already makes another refresh unnecessary. I have seen some companies who refresh their computers every 4-6 years, and this is probably what Dell is thinking about. When I have seen that, it has always seemed wasteful and pointless to me, especially as many places I've worked use the slightly longer period of "until it catches fire or there are bits hanging off". I prefer that one most of the time, though it can be taken a little too far.

Re: Five year old PCs need replacing :o

If you're actually using the AI, lots of retraining. Training that sounds like "after it wrote the email for you, read it over. If by some miracle it actually looks like something useful, read it again. If it still does, show everyone. Either one of them will see the big problem in it or we can all witness that an LLM managed to do something accurate for once".

But if it's just Windows 11, not so much. There are always users who need retraining when an icon moves, but that's not everyone. I've run Windows 11 for years now on corporate and personal machines and, although there are some differences between it and Windows 10, it's not anything so massive that users en masse will be confused on how to use a computer.

Whether a model is too large to feasibly open source doesn't change how this works. There is no requirement that they be open source. I have some large software which is free, but it's not open source. It's still useful. Large models which are distributed under generous terms can be very similar. The problem is that one of the freedoms provided by open source is missing: the freedom to know what is in the program you're running. The FSF refers to this as "freedom to study how the program works", so I disagree that all four freedoms are there. So far, only one seems present. Without the training data, the prompts the model is based on, the ways it was trained, etc you have a black box, very similar to what I have in the binaries that I'm allowed to use but I don't know what's in them.

In practice, open sourcing a model could be so hard that it's not worth doing. Retraining it to confirm that the binary you have matches the source data, or at least to make a binary that does for you to do later, may be infeasible. Neither of those realities changes what it means to be open source. This should be evident when we compare it to a small model. If a writer of a small model with a gigabyte or two of training data refuses to let me see, let alone modify and retrain, that training data, it is not open source and, as far as I can tell, they might have all sorts of extra unadvertised stuff in there.

Without this, the freedom to modify is restricted. Yes, I can use other methods to change how the model works. You can argue that some of those count as modifying. Several of them are more akin to building a system around the program, the way that if I call a binary from my program, my program isn't a modification of that software, just a user of it. However, I can't modify everything. My ability has been constrained, and not necessarily by my access to resources to use. It has been constrained by the unavailability of the source to this program.

That is a major problem for large models, and it makes it harder to open source them. For that matter, it makes it harder to legally make them at all. This does not change the definitions of open source in the slightest and there are very close parallels in other open source code. For example, there are lots of databases that have been painstakingly written by companies that are useful in a variety of programs. One such type is linguistic data. Open sourcing that is really hard because it took a long time to make it, so you usually have to license it for very narrow uses with very restrictive license terms. I wouldn't get to claim that my software is entirely open source, but just not those databases you need to run it. At best, I can say that my software is open source but won't work, as well or at all, without these closed source libraries. That is what I would do, and people would deal with that if they wanted to run using that more expensive data. I wouldn't lie and claim to be open source anyway.

For smaller models, it is easily achievable. I recently dealt with a model which I thought was badly trained and generating bad results. So I obtained the training data, which came to about 20 GB and was permissively licensed, modified some parameters, and retrained in a different way. I can't do that without the training data. That model was actually open source. For the headline models such as the LLMs or those that generate images or video, 20 GB is tiny as training data goes. For my model, which extracted data from images, it was actually quite large. This makes no difference to the definition. If it is open and it has 100 TB of training data, then if I bother to get that many disks and that much network bandwidth, I have to be able to get and run on that training data. It makes distributing that a lot harder, which is another reason they'll probably choose not to do it, but it doesn't change what is required to have an open model.

It depends how large a model is. Lots of small models can be retrained from the training data by one person. However, I think that is unimportant. Whether people choose to train or not, you still need the training data or they don't have all of the stuff that goes into a model. Trying to call something open when something that crucial is over is similar to this argument about open source software:

Faux-open guy: It's open source.

Me: I couldn't compile and run it.

FO guy: But you didn't, did you? You downloaded the binary release and went with that.

Me: But if I had downloaded the source, it wouldn't have built the entire application, just a couple libraries that connect to the rest of it.

FO guy: But if you had the rest of the source, it's large and it would take hours to compile, so you don't need that. It's open source.

No, it's not. The model without training data is not open either. It's just a free as in beer model. I can bolt stuff on to a closed-source free model just as much as I can to one they've called open.

It's not pointless. Lots of models have training data available. I have several right here. True, none of them are LLMs. The ones I have are more narrow ones that can recognize interesting information from images or model specific actions, but if I want, I can download the training data and the configuration used to train the model, fire up my GPU, and a few short days or weeks later I'll have built my own copy of their model. Releasing the data is easily done as long as you have permission to it, which may be one of the reasons why some people who want to call themselves open don't want to.

Re: Chat GPT Apples

People with autism do not work the way you're trying to argue they do. If the program meant that you took two away, leaving three, and then something happened to the three, leaving two, then it would say so. If it was swamped by the possible ambiguities because the problem didn't include the sentence "No other actions occurred on the apples concurrent to the taking away process", then it would have rejected the question for ambiguity and not given an answer. It got the calculation wrong. Stop trying to come up with arguments, incorrectly suggesting that a class of people is incapable of simple arithmetic, to justify that.

Re: Chat GPT Apples

They said the ambiguity was intentional. The calculation error, however, was not related. Autism may or may not mean that ambiguous questions get questioned or rejected more, but it doesn't make arithmetic errors the fault of the question asker. If it only considered the meaning "take away" = "I have that subset", then it could just have answered 2. When it also considered the meaning "take away" = "I don't have that subset", it does have to answer 3 to that branch or be wrong. It was wrong.

Incidentally, there is another interpretation of the question. I have five apples. I take two away. At the end, I have five apples. Two of them are with me, and three of them are back there where all five used to be. I didn't give away or throw away, so I never said that I would cease to have either subset.

Re: Shutting down the web sites is not the answer

Depending on the location, it can be more severe than that. Usually, it's written to "if they would not have committed the crime without the actions by law enforcement". The US can be one of the stronger countries for it, where entrapment has been redefined to "if their lawyer can argue that they would not have done this without the police involvement". That's not a guarantee that that would work, but almost certainly, most of the people arrested for using the fake site would try the argument.

Re: Repeal the de minimis provision

I am not an expert, and you suggest that you know a lot more than I do, but I'm not sure all the problems you've named are related to the provision they're talking about. For one thing, how much the UPU says shipping a box should cost seems wholly unrelated to whether customs will scrutinize the box. You could remove China from the list of countries whose shipping gets subsidized without affecting this provision at all. I think doing that makes sense, but by bringing it up, you have slightly harmed your other points because that seems unrelated.

The other problem with your description is that many of the things that we want to buy from China don't come in bulk in a container because not that many of them are made. If they are custom design or low-volume items, then they won't bother to have a local distributor or warehouse, make enough that they can have local supplies wherever their customers might be, etc. They might, but probably won't, do that for the United States in the hope that hundreds of millions of customers might make it realistic. That's definitely not going to happen in small countries, which will find it almost impossible to buy the things in the first place. We have to balance that against the problems of dangerous or counterfeit goods sent one at a time, but I'm not sure that should always come on the side of making small shipments infeasible for everyone.