Posts by doublelayer

Re: Money Laundering

"money laundering is the act of obscuring or obfuscating the destination or source of money."

No, quite the opposite. Money laundering is the act of providing incorrect information about the source or destination of money and specifically applies when that money is, directly or indirectly, from a criminal source. As the Crown Prosecution Service describes it:

Money laundering is defined in the POCA as “the process by which the proceeds of crime are converted into assets which appear to have a legitimate origin, so that they can be retained permanently or recycled into further criminal enterprises”.

You have it backwards. There are many situations where a business transferring funds to someone they don't know is entirely legitimate. For example, if a business buys items from people for cash, they do not have an obligation to identify those people before paying them. They can claim that as an expense on their records. Sadly, paying a ransom is similarly allowed, hence why the UK police haven't descended on anyone who has and extracted massive fines.

Re: junk like the Celeron

Why is having a massive profit margin dishonest marketing? Annoying I get. Choosing to buy someone else's product that's reasonably priced, definitely. But if the answer is that their product is actually better, they can make it cheaply, and they're choosing not to let you buy it cheaply, that's just normal. The same reason that I would probably have accepted a lower salary when my current employer hired me, but they offered a certain number and I accepted it or even negotiated it up. It's how everything works and they aren't lying when they say that this is how much you have to pay to get one of these things.

Re: It's the bug bounty

In addition to the points others have raised, there are two theories for why paying works better than just having an unpaid reporting mechanism, one of which I believe and the other I don't.

The good reason: it convinces people to look for security problems. There are people who will work actively to try to find a problem if they can get paid, whereas if they're working for free, you may only get reports they stumble on by accident. It can be quite cheap, because if they don't find anything, you don't have to pay them. I have not tested this, but I certainly have seen more reports sent when payment was offered, even if many of them were crap.

The less convincing reason: fears that the bad guys will pay for a vulnerability, so profit-oriented people will sell it to them unless they can make money by reporting it. I don't buy this. All of the parts of that are true, but I don't think bug bounty programs make a difference to any one of them. A criminal group will spend more for a good vulnerability than any bug bounty program will pay out. Most people who find one would be unwilling to sell to criminals because they don't like criminals. Most who would be willing don't know how to find them. Those who are willing and able have other reasons to choose not to, such as not having a reliable way of trading their vulnerability for cash when, if they send the details up front, the criminals don't have to pay because they have the vuln now, and if they don't send enough details, the criminals don't pay because they're not sure the thing is real. Someone who can get through all of those hoops will probably not bother trying to see if the company will outbid here.

Re: Enlighten Us !

You won't be able to determine the security of software based on location of the developer. Your country, as well as every other, contains evil people who will intentionally subvert security procedures and incompetent people who will break things by accident. This is why you have to analyze what you're running to some extent, which is indeed difficult. If they decide that doing that with open source software is too hard, they can write everything they run themselves, which will be expensive and means a lot of things they'd get by default with open source they will have to pay for, but maybe it will provide better results. Alternatively, they can use the fact that lots of people should be analyzing open source software when they're running it to distribute the costs of doing this across many organizations running the same stuff, which does happen some of the time already. Alternatively, they can do what most institutions have done so far, they can just not bother to analyze what they're running and hope for the best. Hoping to do it based on nationality guarantees that you'll get bad results while some clueless person thinks they've figured it out.

Re: Detector triggered...

I'm less confident about this, mostly because this is a very public apology. Those will have been written and rewritten about a dozen times before they're released. LLMs could have been used, but you could get the same effect by just shopping around the statement to anyone trying to make sure it contains the right amount of contrition, explanation, and buck-passing. I also have a filter which works most of the time when the human-written text was written in one go and at most self-edited. I wouldn't have confidence in my filter on stuff written by a group of humans who are trying not to anger anyone.

Re: Sell a usb stick?

Why would you pay for that? I think the optical media by mail service was mostly for people who didn't have a network connection fast enough to download those quickly, but most users can now download a normal distribution overnight or this monster in a couple days, and many can shorten that to a normal one in half an hour and this in four. Most users who would have trouble creating the USB disk themselves would also have trouble using Linux or knowing it existed. What would the convenience element be here compared to just downloading and writing it to a disk you already have?

Re: "People moan because it wasn't the open source license they like"

The problem is that, to know whether something is open source, we need a clear definition of what that means. The OSI is not the only place that has a definition, nor do they really get a monopoly on the term. However, I tend not to accept someone else's idea of what it means unless they can provide their own unambiguous definition and apply it consistently. Often, when someone does that, I don't find their alternate definition as convincing or persuasive as the OSI's, which I mostly agree with. This is not for any reverence for the OSI itself. I never check whether the OSI has stamped their seal of approval on a license, and I disagree with them on a lot of things, notably their AI licensing thing which I think is completely wrong. The definition they're using, however, is pretty good.

Most of the faux-open licenses use vagueness to imply that it's basically the same and rely on "it doesn't affect you" to distract from problems. I have a problem with both of those things. A lot of them have their category of people who get extra restrictions if they use the software, a category based on vague conditions like "commercial use", or, in the case of the SSPL, "as part of a service". The licenses do this because the authors want to apply it to certain people, often cloud services. However, it's easy to argue that everything is part of a service unless it's running offline and only used by me personally and everything is commercial use if there's any possibility of money being involved, for example if there's a donation button on the site, even if nobody's ever clicked it. Even if it's only against AWS and Azure today, someone who wants cash could easily change their mind about those terms tomorrow. In all the cases I'm complaining about*, there is already a precedent for this because they just changed their licensing already, so changing their interpretation of "service" is a much smaller change which could cause problems for everyone. That is not a small difference from the AGPL.

* I do not object to someone who writes something from scratch and wants to license it under one of these from the start. I object when someone made their software open source then switches to it, mostly because they are taking the contributions of others to do it, and in some cases, preventing others from using their own contributions without forking.

Re: Proof-of-personhood

In almost all cases, the users' desire for anonymity is more important than other users' desire to know who everyone is or the frequent desire of companies to be able to sell that data. There are very few exceptions. Nothing you listed is among them.

Re: Succes

I think the only major office suite that doesn't (as far as I know) have support for it is Apple iWork. That's not a big surprise since iWork is very insistent on not liking any format except its own; it'll let you export to formats that other software can read, but it does make sure to complain about it if you routinely use it. When I used it, DOCX and XLSX were supported formats, but ODT and ODS were not.

Re: Now you know why LLMs are popular

No, they want to sell it. Some of them do a little hand waving to try to pretend that their model isn't biased, but as I said in my original comment, they've usually just made the bias results more random because removing bias is hard when the underlying technology is intentionally randomly generating results. VCs probably don't use AI to filter the companies they're investing in because they understand how fallible it is, but they're perfectly happy to sell it as useful to everyone else.

HR departments, meanwhile, adopt it because it saves time. Instead of doing their job, they shove all the candidates into the software. Are they trying to make sure that only some preferred group gets hired? No, they're trying to get their job done faster because it won't matter to them if they ignore a great candidate because the LLM didn't like the format of their resume. The bias in these programs is almost impossible to remove, and sadly the people who would have the best ability to reject it are the ones who benefit by using it (all the resumes reviewed in an hour, let's take the rest of the day off) and not the ones who suffer the consequences (having to work with the random choice the program spat out).

Definition from 18 USC § 1030(e)(2)

the term “protected computer” means a computer— (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States; or (C) that— (i) is part of a voting system; and (ii) (I) is used for the management, support, or administration of a Federal election; or (II) has moved in or otherwise affects interstate or foreign commerce;

As far as I can tell, it means any computer that is used by any business or government that operates across state lines, plus a couple more specific categories that are already included in that one. US law doesn't allow federal governments to deal with things like that that happen exclusively inside one state, so it can be simplified even further to "a computer the federal government is allowed to charge you with a crime about". None of this seems to be related to any real or notional protection, so there doesn't seem to be any such concept in the law as an "unprotected computer".

Re: Interesting

No, that wasn't it. It was a specific compiler whose included libraries were triggering something in the AV. Unsigned binaries coming out of GCC were just fine by it. Unfortunately, binaries from GCC wouldn't do what we needed; only that compiler was supported.

I think they were saying that you can't play many games on that spec to disagree with the previous commenter, and they were referring to the age of the PlayStation 4 which the previous commenter said was good enough for their uses. It sounds like you may be in closer agreement.

Re: Too much probing

He had a security clearance before it was unjustly taken away. You get at least as much probing to get that. I suppose that, by the time he had already done it for doing security work for the government, it didn't matter so might as well get the benefits. Such things often mean that the government, and especially the military, have trouble finding all the people they want to work there. That goes for most governments, but the US one complains frequently about how they don't have enough people to do the computer work they want.

The places I have worked have used all of these, plus SUSE, Fedora, and Arch (a little), and no one of them has used fewer than two. Sometimes, it can be nice to use a single distro on every machine, but it doesn't always work. Some machines don't change a lot, and they're often running Debian or RHEL so they don't need to be but there's still maintenance. Ubuntu has been a middle ground, now making changes moving it in a longer-term direction if you use LTS versions. Cent OS, Fedora, Ubuntu and you use all the versions, and Arch update faster, which may be useful for some situations where you want to be able to use newer tools that those older distros don't include because they weren't around at the time, and then you've used one and you want to deploy it, so instead of the existing older server images, you make a new one based on a newer version of something that'll get support and now that's one of your servers too. After a couple years of that, you don't have a monoculture anymore and it's less work in the short term to keep those running rather than migrate everything to one thing. Eventually, you have to make some maintenance decision, but that's how you get there.

Re: Norks

Hard currency is quite a big thing for North Korea. They want to import many things they don't have the capacity to make locally, but unlike Russia or other countries in that position, they don't have much they can export to earn the money to do it. If Russia wants some chips, they can sell some oil or minerals for cash and use that to buy the chips. North Korea finds stealing that money to work better because most of the things they make are either needed locally or made inefficiently compared to neighbors. For example, North Korea does make a lot of some agricultural goods, but China makes them much more efficiently, so China exports lots of those things and nobody buys North Korea's, which is actually fine because the North Koreans need to eat something and they don't import food.

So in reality, I think this is mostly about the money, and the backdoors they might install are also about going back and getting more money. Most of their major intrusions are the same thing. North Korea's known attacks are very heavily concentrated in three sectors: cryptocurrency companies, from which they steal money, banks (both retail and central), from which they steal money, and security companies, from which they steal exploits and use them on other people, again concentrated in those three areas.

Re: "RISC architecture is going to change everything"

You can do equally as much with three instructions and one register. We don't all do that because sometimes we're worried about more than what it is possible for our computer to do, but what it is efficient or feasible for our computers to do.

Re: Dihydrogen Monoxide

You can't include that one about a profitable industry in the US. That might outweigh anything else in the list. No, to really clinch it, you have to report that nearly a billion dollars per year is used to import DHMO products and Canada is a source of the raw substance and partially regulates the US's use of it. That should be enough.

Probably not at all, because these are not lawsuits. These are complaints sent to a different entity entirely, and from a court's perspective, the worst that can happen is an individual image is taken off a website you don't own. In reality, the worst that can happen is getting banned from a website because they don't want to deal with any more complaints or respond to cases where the complaints are untrue. In either example, though, it will probably not match the criteria written in anti-SLAPP laws, and you'd have to use less clear methods to try to respond to someone using these maliciously.

I wasn't one of the three so far, but if I had to guess, I'd guess that people disagree that that's a strength even sometimes, you didn't explain why you think it is one, so they think you're at least partially wrong.

From the not very nice translation that Google Translate made of the Uyghur readme/changelog, this editor seems to have a few features that many text editors you could localize either don't have or are specific to Uyghur including:

OCR: I don't have this in my text editors, though you could add it.

Convert between writing systems for Uyghur.

Save to Docx: Most text editors don't bother with this. Localizing LibreOffice and trying to add these features as add-ons would be more work than the average text editor localization.

Features specific to languages that Uyghur users may also know including Kyrgyz.

You probably could bolt these onto another editor, but I'm not sure they're small enough that that's an obviously better option.

Re: “…the risks (e.g. trauma etc.) are minimal.”

"But if you're researchers, social scientists, experimenting on people, the first thing you do is obtain informed consent."

I think you're simplifying the ethics review process to the point of inaccuracy. Testing on uninformed subjects is done frequently, whether that involves bringing in subjects, telling them you're testing one thing, then testing something else*1, or testing on the general public without telling them*2. The review process would not dismiss either type of request simply because the subjects weren't informed. They would ask questions to determine the ethical consequences of not informing the subjects up front, and they might refuse permission when it's too sensitive. If you think this study violates those ethics as well, you could argue for it and I think you'd probably have a point, but if you think it's as simple as "they weren't informed so it would obviously violate the ethics codes", you don't know the ethics codes.

*1: For example, the famous study where people were told to go to another building and watched to see if they'd ignore a person needing help on their way. The subjects were not informed that they'd be tested on that, since the purpose was to see if they'd go out of their way to help, and they weren't informed beforehand that they'd see a person in (simulated) distress.

*2: Many studies involve setting up a situation in a public space and watching what passersby do in response. It's very common.

Re: When was 2024?

You're both right. The data isn't very old, especially given how long it generally takes to create new data. How many people have jobs is often on at least a month's delay as it is, and information about how companies are changing the jobs their employees do is often delayed longer than that if it's explained at all, so the data they've used is probably the latest they have access to. However, if modern LLMs had actually taken over and replaced employees, it wouldn't show up in the last set of data from 2022-2023; the LLMs of that age were much worse, struggling to string a paragraph together.

We won't get the full story until some companies actually try replacing workers with LLMs for a while. Having seen them used, I'm not expecting large changes. While there are a lot of places using them, the quality is still a problem, meaning that companies using them and expecting quality usually need to spend about as much time testing, rerunning, and correcting LLM output as they did doing the thing from scratch in the first place. Various people I know or work with have arrived at different places on the spectrum of how much LLMs are used, and I do know someone who uses LLMs frequently and nonetheless produces good code (he does complain that he has to try five times and then correct manually to get workable code, so I don't know how efficient he is). I'm still waiting to see how badly it fails when a company decides to trust LLM output more readily.

Yes, and you could argue that merely adopting such a strategy is already forking the software since it is now diverging from what others used to contribute to and use in such a way that they may only choose one approach: paying or being allowed to use their own work in the way they want. These people have decided to add another level of stupid to the game, though. Most companies that do this have kept the trademarks and domains, so their version gets to keep name recognition. I must admit, I've never seen a company give those away before trying this before.

Re: Who is to blame?

Correct, and in that case, you've moved the endpoint. That can be helpful. If, however, someone got malware onto that endpoint, malware which either takes it online without you knowing or uses one of those ways Mordechai Guri is always making for getting data out of a computer that has no standard connections, then you have the same problem. Which is not relevant to the completely unrelated issue of adding a recipient who shouldn't be on the conversation, because whether they used one terminal or two, airgapped or not, is not anything we're talking about in this article or the comment thread you've replied to.

Re: Most inappropriate message

Appropriate in the sense of avoiding making customers angry, probably. Appropriate in the sense of proper user design, no, in my opinion. The problem is not the informality or even the command, but that it didn't tell the user what they did wrong or what they should do differently. In fact, I don't entirely understand what this even means. What my mind immediately jumped to is those times where what looks like a simple modal has an OK and a Cancel button, but I can't tell what differences to expect when selecting which one to press. I'm assuming your case was more complex than that, but since I don't know when it would appear, I would be wondering whether this was the equivalent of the abort/retry/fail situation where I was stuck in a loop until I terminated the program. If the users could do anything about the situation, then probably a better error message was possible.

31.72689469541619 ...

Less precise, please.