* Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

As ChatGPT scores B- in engineering, professors scramble to update courses

doublelayer Silver badge

Re: But when deeper thought was required, ChatGPT fared poorly.

I'm sure there is, among people like you who insist on believing that they're conscious, intelligent entities when they're not. Among those who have spent at least five minutes understanding how they work, that interpretation is recognized as nonsense.

doublelayer Silver badge

Re: Yes

That's what I advise against. Confuse the text enough and you'll confuse students. I had one professor who did that. Not deliberately, he was just terrible at making himself understood. It would make it harder to cheat. You'd also get your homework back with an odd patchwork: 23 problems with a perfect score and 2 zeros because you solved some other problem. What you solved was clear enough, but evidently it's not what he asked for so no credit. Sometimes, you couldn't even figure out what he wanted even knowing that whatever you thought it was wasn't right. After a bit of this, I compared results with classmates, and about ten of us had all done the same wrong thing and gotten penalized for it.

You can rewrite the questions over and over until pasting them into common LLMs makes them spit out a wrong answer. The problem is that, at the very best, you've added a reading comprehension task of indefinite difficulty to every assignment you leave them. More likely, you think you've done that but there are now errors in your phrasing that you don't know about.* That is unfair to students and it is your fault.

* Imagine, for example, being required to manually obfuscate code to make it harder to read. There's software that can do that automatically, but you don't have that. Your tools are a text editor, a compiler, and manual testing. How much could you do to the file and be confident that you definitely didn't change the behavior of the resulting program in the slightest? The same is true when you're rephrasing text. It's just a lot harder to see because it all still looks fine. Assignments are just code that gets interpreted by a more flexible compiler.

doublelayer Silver badge

Re: Deus Ex Machina

Wouldn't it have been simpler to give each student one unchopped bar and only cut two of the bars into five segments? Also, if it was easy to chop the bars into equal fifths, then it shouldn't have been too hard to cut 2/5 segments from the bars and hand those to all but one of the students, the remaining one receiving the remaining fifths.

doublelayer Silver badge

I'm guessing you had access to plenty of tools that could divide when you needed it, and that you did plenty of short division, the unofficial version they don't teach students but which is useful for knowing whether your calculator result is logical. It's not that everything students are taught will be used in exactly the same form forever, but that they need to learn it in order to have the basic skills. For example, the stereotypical problem for computer programming students is writing sorting algorithms. In practice, most professional programmers won't write a sort; they already have one in the libraries they're using. Those who do aren't going to need to know about ten different ways they could sort, because most of those are more inefficient than something else, so they're likely to use quick sort, merge sort, or radix sort, and they rarely have to even choose among those because which one you use is directly related to your resource availability and data format. Only in particularly weird cases will they write something nonstandard. Students aren't taught to write and analyze sorting algorithms because they'll need to write and analyze sorting algorithms. They're taught it so they know how to write programs in general, and more importantly because they will need to analyze the performance of things that haven't already been subject to decades of research to improve them. The sorts are there as an example that demonstrates technique.

Adherents of LLMs seem to think that education cares about the product of the students' effort. It doesn't. It cares only about how they learn, and their work is used to make them learn things and check whether they have.

doublelayer Silver badge

Re: Maybe the problem here is one of understanding the REAL problem.

The problem is not with tests. It's not too hard to prevent cheating on things where you control the environment. The problem is that not all courses can do all their evaluations in the form of tests which, at their longest, might be composed of five-hour chunks. Sometimes, a student needs to do something that takes longer than that, meaning you have to let them do it somewhere else. If they're doing a research paper, then they need access to research materials, time to read all of them and figure out which bits are actually important, time and tools to do new analysis based on their research, tools which will include computers most or all of the time, and just writing the resulting paper will take longer than they get as a tester. I think your focus on mathematics and related courses may have caused you to think that what works to test students there will work for other subjects when it often doesn't.

doublelayer Silver badge

Re: Yes

The course evaluations probably aren't trash. How well an LLM can do on a course is very closely correlated to how well a student copying off the internet can do. There are a lot of courses where doing the work properly requires thinking but it is thinking that plenty of students have already done. As an example, consider computer programming classes. The solutions to these are very much not multiple choice, but while they're introductory courses, there are only so many simple problems that can be set to teach the basics. The answer to "write a function in C++ which takes a two-dimensional array of integers and determines whether it's a valid Sudoku board" is not a simple one, but it's one which you can find online if you want to copy. The LLM can too, so chances are its version will be just fine.

To prevent that, someone would need to come up with truly novel questions that are equally doable with the limited knowledge students of that level of experience have. It is not easy. Most attempts are likely to merely scramble the question in such a way that the LLM has trouble parsing it. So let's do that, problem solved. Not really, because by making things more verbose, we run the risk of confusing students as well and foiling our attempts to teach those who are trying to do the work.

Computer programming is just one example. The same applies to most things involving essays. A student in secondary school writing an essay explaining the effects of the Munich Agreement isn't likely to come up with anything that historians didn't already consider, but that's not the point and their grade is not and shouldn't be based on originality. Designing a curriculum that an LLM can't pass is similar to designing a curriculum where a student can't cheat. You probably can't, and if you manage it, you've probably lost plenty in order to achieve it.

doublelayer Silver badge

Re: Maybe

However, since we're talking about IT specifically, there are a lot of things that can't be tested in the time they generally let you close students in a room without letting them out and a lot of things that would never be done in that environment. If they're to write some relatively complicated code, then they will need more than a few hours and it's totally fine if they want to use a man page to get a function's specification or a web search to figure out what Clang meant when it emitted its cryptic error*. Most of the time, using an LLM to write it for you would be the same as asking your friend who already knows this stuff to do so; it might work, but you won't learn by doing it and it's therefore worth forbidding.

* Yes, theoretically they might eventually need to write code without access to the internet, meaning they can't get help understanding some of those. However, most of the time, they will have access. If the company's network is down, they can use their phone to check something like that. Also, the point of letting them now is to give them the knowledge so that, when they actually don't have access, the chance is good they'll understand it because they've encountered something like it before.

Trump’s 145% tariffs could KO tabletop game makers, other small biz, lawsuit claims

doublelayer Silver badge

Someone could arrange it, but it's not going to make him resign, so a lot of people will probably be wondering why to bother, including many of those who would be best able to organize it.

Signalgate lessons learned: If creating a culture of security is the goal, America is screwed

doublelayer Silver badge

Re: Who is to blame?

I think you have misunderstood what they are saying and misapplied that to this situation. This situation is not about cryptography, and the ease of cryptography has nothing to do with the problems involved.

Cryptography itself has to be simple to use or people won't use it. I'm all for teaching everyone in the world about cryptography so they can use better systems, but that wouldn't be feasible and many of the people you could get into your educational centers are going to ignore you because they are the type who don't understand why they have to care about security and intend to ignore this whenever it conflicts with convenience. For people who know and care, there are many systems where the cryptographic mechanisms are conveniently configurable and can be used to create communication channels that have the amount of security they're looking for. For those who care but don't know, there are a lot of resources online to teach them how this stuff works, though some of that might benefit from having less technical versions. For those who don't care and don't know, that's why cryptography has to be built in with little or no user interaction required, because they will not try to do anything about it.

And all of this is completely irrelevant to this situation. Nothing here became possible due to a problem with cryptography. The cryptography in Signal, as far as we know, did exactly what it was intended to do: it encrypted the traffic between participants so that only those invited to the calls could read what was being sent. That's what cryptography is for, and had we made it more manual, they would have either done the same thing manually or they would have sent the same traffic unencrypted which would have been even worse. What is happening here is not a technological problem at all. The two problems involved are:

1. Sending data to the wrong person because they manually mislabeled that person.

2. Sending data to the right person, as in the person they intended to send it to, but someone they really shouldn't have informed.

Technology could try to fix problem 1, but it would have nothing to do with cryptography and might have more downsides than benefits. Technology cannot fix problem 2. Existing human systems can try to fix problem 2, and they did. The person trying to inform people who didn't need to know about military actions was aware that they didn't need to know. He was aware that the systems in use were intended to prevent that data being shared. And that is why he bypassed them. He intended this outcome, and cryptography could not have changed his mind or prevented him from doing what he did.

AI training license will allow LLM builders to pay for content they consume

doublelayer Silver badge

Re: Utter tosh

"Why would it be a single licensing charge? An ongoing monthly royalty payment for any creator whose works have been used for training would be a far fairer method. And the creator should be able to set whatever fee they wish, or have their works removed from the training data."

You have to recognize the difference between something that would be fair and what these people are trying to do. A lot of things would be fair: the company is forbidden from using your content without your permission, you can set any price you like, they have to have ongoing permission, you can withdraw permission. None of those things are planned or will happen with this method because they are hoping that AI companies will voluntarily sign on to this plan. AI companies, meanwhile, are using the system of being allowed to use anything they want without anyone's permission or a requirement to pay for it. They don't want to accept any reduction in that and will only voluntarily do so if it is cheap and results in a decrease in legal risk to them.

The reason it will be a single payment is that, if it was ongoing, AI companies wouldn't agree to pay for it. They also wouldn't agree to removing it at any time because they can't remove it from their models after creation and because they have no interest in maintaining the systems necessary to find and remove it from ongoing training data at your request. The reason it will be a non-negotiated payment is that it would take forever to negotiate with each person in a group of millions for how much they want for an individual page, and because paying a fairly-negotiated amount would be more money than they have. The organization trying to sell all this content to them will either request these things and never get anyone to agree, or they will negotiate all at once for one tiny value because it means they don't end up a complete failure.

This is why this suggested method is bad. It will not achieve any of the things we need, nor are they necessary to remedy the illegal actions of AI companies. Existing copyright laws already implement all of this; it's illegal for the content to be used without permission and compensation and negotiations for those would have to be individual. All we need to make your preferences (which are also mine) happen is for courts to confirm that AI companies are not exempt from copyright law and punish them for their illegal actions. A licensing organization will not help this happen, and they will not try to organize something that makes you happy. They will try to organize something that makes them happy which will be more advantageous to the AI companies than it would be to you.

doublelayer Silver badge

Re: Utter tosh

I do think the first problem they'd run into is getting any AI company to accept that they need to pay for the data they think they can have for free. However, if they somehow managed it, I do think payments are a problem because, unlike the systems you mention, there is a very different scale involved. In three of the four options you list, the payments are amalgamated over time. For example, if I put an ad network on a site of mine, they add up all the ad views for all the pages of my site over a month, then send the payment for those views to me. Meanwhile, any company who paid for this would be using a pay-once for unlimited usage policy because it is required by the system they create; they can't count the number of uses of any document because who knows what even happened to it after the training process got it. A single licensing charge divided by everyone who had documents in the set is going to produce very small amounts that aren't going to recur. That is not convenient to pay. They could be honest and find a way to pay it anyway. I'm predicting that the people who have access to the lump sum are going to realize the personal benefits of not doing that.

doublelayer Silver badge

Re: How much would a LLM training cost?

I value my product at more than that too, but I can guarantee you that if you signed up for this service, they would negotiate for access to everybody at once and they would negotiate for a value that would end up being pennies for each participant. If they tried to negotiate for individual pieces, the negotiation would never end because of how many individual pages there are in that set and how little any AI company wants to actually decide which ones they care about. If they tried to negotiate a high price for everyone, nobody would agree to pay them. Therefore, expect that that's all the payments would be worth if you agreed to be represented by this bad idea.

The point of the lawsuit settlements is that they often get settled with what looks like a large financial amount, but that amount is small per participant and participants don't get all of it. For example, you might see a settlement of ten million $local_currency_units, which, when divided by the 400k participants would give everyone 25. That isn't a large amount for what could be a large offense, but they won't get that much anyway because in practice, it actually goes like this:

Settlement amount: 10M

Lawyer's fees: 8.3M

Processor's fees: 200k

Cost of posting notices to 100k people: 50k

Remaining amount: 1.45M

Remaining amount per person: 3.625

Expenses for delivering payment of that size, per participant: 1.439

Actual amount received per participant: 2.18, sometimes in some inconvenient form like a discount voucher

doublelayer Silver badge

Re: How much would a LLM training cost?

I think what they were saying is that this license won't work even if the AI companies accepted it. And they would be right. Their financial objection is not the only reason it won't work. I think they won't even get to the stage where that would be the problem. However, if they did somehow get to that stage, it would be the problem. Distributing payments that amount to a few pennies to millions of people is so expensive that it's not worth doing, especially when the people in charge of it realize that if they try, nobody really gets anything, and if they don't, nobody really gets anything except them who get something spendable. See also the settlements reached in most group or class action lawsuits.

doublelayer Silver badge

Re: Not read it all

As far as I can tell, the system works like this:

1. This group, or someone else, gets the lucky position of the only licenser who the AI companies will deal with.

2. If you use their license, then they negotiate the price for access to your content. That price will be very low, and they will keep most of it.

3. If you didn't use their license, then clearly you weren't interested in getting funding, so no payment. Your data still gets used.

They seem to have no idea how they'd make AI companies comply with their license when they ignore much clearer rules about not using things they don't have the rights to. Neither do the nonprofits appear to have any mechanism for detecting misuse. My guess is that they're hoping to get a large group of signatories so they can try to negotiate with AI companies in bulk, but if that turns out to be true, I expect that they will fail badly and we will never hear of them again.

Asia reaches 50 percent IPv6 capability and leads the world in user numbers

doublelayer Silver badge

If they are routed in an internal network or even a separate internet that only some places connect to, then the addresses don't have to be globally unique for the regular internet that they're explicitly not a part of. Of course, they may use their massive ranges for that purpose, but it doesn't change either part of my statement: they don't need ownership of them to do it, and releasing them wouldn't fix our annoying ability to use more IPv4 addresses than we have available.

By the way, if you have a citation for them being in use, I'd appreciate reading it. I wouldn't find it surprising if they didn't, in fact, have a need for 13 /8s and several smaller blocks, but they were given them, and giving them back is work that they don't see a reason to do.

doublelayer Silver badge

It's really hard to answer because a lot of surveys do things like looking at an address and seeing if it responds, which means that a firewall that restricts what it will respond to may show it as unused when there is a system using it but you can't see it. We do have plenty of empty space in IPv4, for example all the addresses the US military has and doesn't use which could be taken off them and used to cover about 15% of India's population, but I don't know how to take stuff off the US military without them getting annoyed and they have a lot more ways of making their annoyance my problem than I have of doing the reverse.

doublelayer Silver badge

Re: Inflection point?

Fortunately, very few things I've ever seen have 5 GHz only, so in your case, you can always continue to use 2.4 GHz. I also want the option because I've lived in places where there was far too much noise on 2.4 GHz. Not much of a problem as I simply disabled it for my network, forcing everything onto the much more functional 5 GHz space, but for the occasional cheap device that didn't support that, it was a pain.

doublelayer Silver badge

Re: And Malaysia

The bare minimum is a /64, and that would be fine for a lot of people. I see no problem in ISPs handing out a /60 instead of a /56 unless requested otherwise. So you can only create 16 subnets containing as many addresses as you could ever use with their default, unless you choose to allocate addresses using a different method in which case you can divide up that space in any way you want? I think most users will survive that. Unless they forbid large enterprises from having more than a /60, I don't think there is any problem with the policy.

European biz calls for Euro tech for local people

doublelayer Silver badge

Re: UEFI

"Is it true that UEFI secure boot standard means that an American company has the final say over what is allowed to boot on any PC with it enabled?"

Depending on how you want to look at it, you could claim that, but it is not the clearest or truest way to describe the situation. Lots of open source bootloaders have signatures allowing them to boot, and those are not checked against some database when they're tried. If the companies that can sign them all decided they'd never sign something again, all those things would continue to boot as normal and any other system would just have to include any one of them as a first stage to work without difficulty.

"And that there is a lot of pressure for hardware to prevent people from turning it off?"

That one is much easier: no, there isn't. Several manufacturers turn it off by default. Those who have it on by default still provide a simple switch in BIOS settings that turns it off. If the situation I described happened and you wanted to boot something that wasn't signed, you can turn it off in about ten seconds and go on your way.

UN says Asian scam call center epidemic expanding globally amid political heat

doublelayer Silver badge

Re: Hmm... China again

Most of this is not Chinese government managed, and at least some of it is specifically opposed by them. There are plenty of people in China who have access to the money needed to fund and manage a criminal enterprise like this, and there's been some agglomeration from historical successes, but scam networks are international. Even if China did have the ability to cut off all Chinese nationals running such things, it wouldn't stop the many others who would take over the infrastructure they've already set up and continue to grow it. China doesn't have many tools that can't already be used by our own countries, which mostly involves doing police work until you find where they've set up a facility and convincing the host country, which is almost never China, to go in and shut it down, then repeating hopefully fast enough that it costs them more to make a new one than they gain from it.

It takes one click to join Uber One, but quitting might need 32 actions

doublelayer Silver badge

Re: Microsoft next

Perhaps you didn't notice it from the article, but it isn't legal in the US. That is why the US is trying to stop them. The problem, which is a problem in a lot of countries, is that there are a lot of protection laws that don't get enforced. That goes for the EU as well; I'm still waiting for any meaningful enforcement of GDPR, for example. The FTC occasionally pursues actions, halfheartedly, on a few large companies, but that doesn't really count either, especially as most of these get dropped and forgotten about before any consequences arise.

Downward DOGE: Elon Musk keeps revising cost-trimming goals in a familiar pattern

doublelayer Silver badge

Re: Have you listened

I listen to politicians directly all the time. Most of the time, if they know I'm listening, they make sure to all sound the same. Lots of agreements that they care about everything I care about. Not much detail about how they're going to fix any of those things. For example, most politicians explain that personal privacy is, of course, very important, because we don't want to be like those dictatorships that spy on everything. This is regardless of party and, in fact, regardless of country. In addition to watching what they say to you, I suggest you watch two more important things. One is what they say when they're directing their statements at somebody else, where they often show that they'll be willing to say something completely different. Sometimes, this is basically just the same thing and they're doing their best never to be clear about what they want but always to sound as if they are in agreement. Other times, they show their true beliefs and are clearer about what they're willing to do, things they didn't announce when they thought I'd be listening because they knew I and many others would see them as problems. For example, when that politician that was all against government surveillance starts adding the "unless" to the statement. It applies to you, but not to some group that obviously deserves the oversight.

The most important thing, and what we all get to see right now, is what they do when they've got power. Not what they say they're doing, but what they're actually doing. Continuing with the analogy, all the politicians who made pro-privacy statements and went on to vote for more powers of surveillance. I take it back, it can be somewhat instructive to link what they say they're doing to the actions they take to demonstrate how badly those things line up. This is the best way to know what a politician intends. It's unfortunate that to know that for sure, you have to give them at least some power to take actions. I have a feeling the statements you would quote from politicians you like would sound pretty good to me unless we're very far apart politically, but I could find other statements they made that aren't as nice, and their actions may not faithfully agree with either set of statements. Their actions outweigh any and all statements they make. That's why I watch them.

doublelayer Silver badge

It only makes sense to me if there is a large source of green energy without the transmission capacity to send it where it's needed. For example, if there is a large wind farm and the wind is blowing hard, but the transmission lines can't take that much power from it, then generating hydrogen from what remains in order to store it might make sense. That's not the only way to use excess power as a power reservoir, so depending on how efficient it is in comparison, even that might not be a good thing to do with it.

Cursor AI's own support bot hallucinated its usage policy

doublelayer Silver badge

You should be able to and you should do it, but in my experience, neither of those shoulds is done frequently enough that you can count on it. It is far too easy for bugs to slip through code review. It's still worth doing it, because sometimes a bug that the writer of the code can't see for the life of them jumps out immediately to a reviewer, but it doesn't always happen. Meanwhile, a lot of people with experience are used to reviewing code written by someone who has already eliminated the obvious bugs because those wouldn't have run right, experience that isn't helpful when they're reviewing code that could have any size of bug in it. There are also plenty of people who don't review code as thoroughly as they need to because they prefer speed. I admit that most of these negatives would probably be correlated with people who don't care that the LLM produces wrong results, but there may be some people who realize they're not going to do the testing necessary to confirm that the output wasn't riddled with bugs.

doublelayer Silver badge

Re: Two possibilities

It would, which is why I called the LLM version "unacceptable". It's far from new though. Lots of companies have had the help bot where you type your question, it runs some algorithm against the FAQs, and sends you to one that often has nothing to do with your problem. Maybe the LLM can more accurately connect queries to canned answers.

doublelayer Silver badge

A great advertisement for their service

Meanwhile, by having an LLM hallucinate a support result, I hope they have demonstrated the randomness of these models to their customers. Were this a normal business, that would just show that the company is lazy in a way that can ruin your experience. But this company isn't normal, it's one that uses AI to help with programming. I hope the customers are now thinking the obvious question: if it messes up this badly with a simple support question, what is it doing to the code I give it?

doublelayer Silver badge

Re: Two possibilities

I'll take the other side of that and bet on 2. Customer says they're receiving a message, is this correct? Most of the time, the answer to that is yes. Throw that question at a bot told to never say it doesn't know the answer and to pick the most likely result, and you'll often get the answer yes. Similar with consumption limits. Tons of services have those. This service probably has them too, just on different aspects, so the bot has some data from its training data saying that there is indeed a limit. Parrot that back with incorrect context and you've got a plausible reply that's completely wrong. Which is why LLM support is pretty much unacceptable unless it's a voluntary opt-in with warnings in front of it, in which case, is it really worth building?

Hacking US crosswalks to talk like Zuck is as easy as 1234

doublelayer Silver badge

Re: After the laughing...

Bluetooth is packetized on 2.4 GHz. That gives you lots of problems. You're going to have to work very hard to connect over distances of 3 km just because the signal is likely to be attenuated by everything in between. You can turn your transmit power up very high if you want, but the light controller won't. Normal Bluetooth connections use collision avoidance so it's not hard to identify the signal you're interacting with, but it isn't trying to avoid collisions with something 2 km away. If you're able to receive your signal at that distance, you have to manually tell it apart from all the other signals between you and it, and you have to do this for every packet it sends. It's not just Bluetooth devices that will interfere. 2.4 GHz WiFi and any other use of the unlicensed band is possible.

Even if you can fix both of these problems, you still have to have someone with relative physical proximity wherever you want to attack, and it's not clear how much control you may have over the box if you succeed. If anyone knows that you're likely to do it, they can detect a signal that's much more powerful than it would be on 2.4 GHz and identify that you're doing it and where you are.

CVE fallout: The splintering of the standard vulnerability tracking system has begun

doublelayer Silver badge

Re: We've been here before

What's your proposal? Because it seems the IT people didn't do anything from scratch. They formed an organization to assign codes to things, the same way that biologists created the International Commission on Zoological Nomenclature. The two organizations issued codes governing how things could be assigned, then outsourced the process of actually assigning those codes to the people who do it. The two processes seem to work in very similar ways.

Google, AWS say it's too hard for customers to use Linux to swerve Azure

doublelayer Silver badge

Re: how many

Depending on scale, that can be true, but I've frequently experienced the opposite. Colos near me have relatively high base prices for having a single server in them. Even ignoring the cost of the server and costs to manually go repair it, just having the space there could pay for several VMs. How cost-efficient the approach is tends to depend on how powerful a server you would install in the colo if you could. If it's something massively expensive, then buying it and renting space to store it will probably be less expensive than renting the equivalent VM. Many small businesses or projects don't have that requirement and can work just fine on smaller VMs. When I've done the numbers, it often ends up being more efficient, sometimes substantially so, to rent those from some cloud provider rather than obtain a basic server and find a place it can operate.

Congress wants to know if Nvidia superchips slipped through Singapore to DeepSeek

doublelayer Silver badge

I assume the plan would look like identifying the specific buyer who resold them, then asking Nvidia to sue them over breach of contract. However, that might be too much logic in the first place, and it won't work if the buyer did something as simple as lying. "Bought 500 H800s, shipped to a cryptomining operation in Kazakhstan, all present there as expected." That is if DeepSeek didn't get them when they were legally permitted. There's not a lot that can be practically done to keep equipment from being operated wherever it is sent short of internet-enforced locks.

CVE program gets last-minute funding from CISA – and maybe a new home

doublelayer Silver badge

Re: No more Euro freeloaders!

The premises I don't support are:

1. Every CVE has a country of origin, from the statement "Does anyone know the percentage figures for CVE country of origin?". No, they don't. Not all Microsoft employees are in Redmond. Not all Linux contributors are in San Francisco.

2. The value of the database is to the companies that generated vulnerabilities, from the statement "Why should the rest of the world pay to track CVE for America's buggy software?". No, it isn't. It is almost entirely to the people who experience the negative consequences of them. Companies that generated buggy software and don't want to go to the expense of fixing it would often prefer not to have CVEs filed.

3. It also uses similarly bad logic to Trump's tariff system, from the statement "Microsoft/American SW companies in general make a lot of money out of the rest of the world,". Yes, they do, but there's a reason for that which is under the control of the customers in whatever country they are in, contributes to many countries in which there are people working on that software, and is also irrelevant to the tracking of vulnerabilities.

As I said, though, anyone who thinks these are good premises could reply to my original comment or in fact to this one and tell me why those premises are valid after all. If you think you can track a vulnerability to a country, you can tell me I'm an idiot and how you do it. If you think the people generating the bug benefit from having it tracked more than those fixing it, you could explain why. Having this opinion and stating it is exactly what stating a devil's advocate position is intended to do. It promotes discussion of the validity of a position. My opinion is that there is no validity in that point of view.

doublelayer Silver badge

Re: No more Euro freeloaders!

I don't think I did. From my perspective, the point of devil's advocate is to state a contrary position to evaluate its correctness. I evaluated it, and in my opinion, it doesn't have any, mostly because it is based on incorrect premises but also because it arrives at a bad conclusion from its premises. I stated my reasoning. Someone who thought the position had value could argue differently.

doublelayer Silver badge

Re: No more Euro freeloaders!

As stupid as the original comment was, that suggestion isn't going to help. A vulnerability affects people in all countries, and it can be generated in any country. When a vulnerability is detected in the Linux kernel (no, they're not all in Windows), should we track the vuln to the person who wrote the offending line and identify their country? Should we also include the countries of anyone who reviewed the commit? Or do we just assign it to the US because that's where the Linux Foundation is? The benefit of the CVE database is having a common location for people reporting vulnerabilities, people looking for vulnerabilities, and people fixing vulnerabilities, all of which happen globally. Attempting to assign blame with some ill logic of a nation responsible for most or all software problems does not reflect its global utility.

If no country had agreed to spend money on it, I'd think that the US continuing to fund it would be completely justified. Its utility to the US is sufficient, and its benefit to others is virtually free, helps the US as well because of the network effect*, and can be considered a diplomatic benefit. That does not change the fact that plenty of others, including countries and companies, do benefit from it and could help by contributing to its relatively cheap availability.

* One of the reasons that the CVE database is so useful is that there isn't really a question of whether to report something to it. One alternative suggestion has been to just let a bunch of others run their own databases, which will be a problem because each one will have a subset of issues because reporters of vulnerabilities may not file with every one in existence**. Even when they do, the vulnerabilities will have different IDs, meaning that people can be working on solutions to GVID-2919 and IVTS-4815 and not realize that they're actually solving the same problem. It would also make it much harder to find out whether something is subject to a vulnerability when you have lots of possible communication problems.

** You are a security reporter and you've just found a bug in an open source library. Which countries and companies do you write a report to, in their own custom format, and then follow up with to make sure they received it, and then put yourself at their disposal for free work clarifying it and providing proof of concept exploits or other information? If the answer is twenty different ones or, because there are twenty different ones, your favorite/the first one picked at random from them all, it's not great compared to now when there are only a few and the CVE database is clearly the most common.
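The footnote's GVID-2919 / IVTS-4815 problem is the classic identifier-reconciliation task, and it is only solvable to the extent that the competing databases publish cross-references to each other. The following is an added example, not part of the original comment and not modelled on any real database's schema. The record format, the database prefixes and the package and version strings are all constructed; the two hypothetical IDs are the ones the comment uses. The technique is a plain union-find over whatever aliases each record happens to carry, followed by an "am I affected?" query that counts one entry per merged group.

```python
"""Merging vulnerability IDs from several databases (added example; records constructed)."""
from collections import defaultdict

# Constructed records. Each database has its own ID space and may or may not
# cross-reference another database's ID for the same bug. ABCD-0007 is the same
# issue as GVID-2919/IVTS-4815 but nobody recorded that, which is the failure mode.
RECORDS = [
    {"id": "GVID-2919", "package": "libparse", "fixed_in": "2.4.1", "aliases": []},
    {"id": "IVTS-4815", "package": "libparse", "fixed_in": "2.4.1", "aliases": ["GVID-2919"]},
    {"id": "ABCD-0007", "package": "libparse", "fixed_in": "2.4.1", "aliases": []},
    {"id": "GVID-3001", "package": "libparse", "fixed_in": "2.5.0", "aliases": []},
]


class UnionFind:
    """Disjoint sets over string IDs with path halving."""
    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def group_by_alias(records):
    """Merge every ID that any record declares an alias of another.
    Returns sorted groups of record IDs; IDs that appear only as aliases and
    never as records contribute to merging but are not listed."""
    uf = UnionFind()
    for r in records:
        uf.add(r["id"])
        for alias in r["aliases"]:
            uf.add(alias)
            uf.union(r["id"], alias)
    groups = defaultdict(set)
    for r in records:
        groups[uf.find(r["id"])].add(r["id"])
    return sorted(sorted(g) for g in groups.values())


def _version(s):
    """Dotted integer version to a comparable tuple (toy: no pre-release handling)."""
    return tuple(int(part) for part in s.split("."))


def issues_for(records, package, installed):
    """Distinct issue groups that still affect `installed`, one entry per group.
    Where a cross-reference is missing, one bug shows up as two groups and the
    consumer double-counts it, which is the duplicated-work problem."""
    by_id = {r["id"]: r for r in records}
    hits = []
    for group in group_by_alias(records):
        recs = [by_id[i] for i in group if by_id[i]["package"] == package]
        if recs and any(_version(installed) < _version(r["fixed_in"]) for r in recs):
            hits.append(group)
    return hits


if __name__ == "__main__":
    print("groups:", group_by_alias(RECORDS))
    print("libparse 2.4.0 is hit by", len(issues_for(RECORDS, "libparse", "2.4.0")),
          "apparent issues (only 2 real bugs)")
```

Four records collapse to three groups, not the two real bugs, because the third database never pointed at either of the others. A single authority issuing one ID per issue makes this reconciliation step unnecessary; with many databases, the quality of your vulnerability count is capped by the weakest cross-referencing among them.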

Krebs throws himself on the grenade, resigns from SentinelOne after Trump revokes clearances

doublelayer Silver badge

Re: Next week :

I don't think they were intending the plane to arrive at the other coast before turning back in their example. However, you could cross the Bering strait, which would make the Pacific Ocean an option if you need to make a trans-oceanic flight in that time. True, it's mostly cheating by doing the flying over land to make the ocean bit as fast as possible, but you can manage it.

Bank of England flirts with offline digital dosh

doublelayer Silver badge

enables the downloading and uploading of funds to and from the ledger when the device is back online

I think it'll be designed so that you can only destroy funds, not create them, by doing that. You would have to transfer some money onto the device first. Once you pay the shop with it, the shop syncs those funds back to the ledger and you have transferred them. Your bank account was already debited when you put those funds on the phone in the first place.

However, you should easily be able to permanently lose money that way. Transfer some funds to the phone because you'll be out of coverage area for a bit. Drop the phone and break it. You probably aren't getting that cash back. The best solution I can think of is having all transferred money expire after some time, so if you don't use it within a week (ideally a configurable time), it returns to your main account. That would solve the problem of losing the funds, but it also makes offline transfers harder if both sides stay offline for longer periods.
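A toy ledger makes the two points above concrete: loading funds debits the account up front so syncing can only ever return money the ledger already issued, and an expiry that refunds unsynced tokens protects against the dropped phone while breaking the case where the shop stays offline too long. This is an added example, not the Bank of England's design or anything from the article. Everything in it is assumed: tokens are plain ledger-issued identifiers rather than any cryptographic scheme, a device transfers a token only for an exact amount, and time is counted in whole days on the ledger's clock.

```python
"""Offline-wallet model with ledger-only issuance and expiry refunds (added example; assumed design)."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Token:
    token_id: int
    amount: int          # integer pence; never floats for money
    owner_account: str   # the account the ledger refunds on expiry
    expires_at: int      # ledger clock value (days)


class Ledger:
    """The online side. Only the ledger creates tokens; devices merely move them."""
    def __init__(self, balances):
        self.accounts = dict(balances)
        self.clock = 0
        self.outstanding = {}            # token_id -> Token loaded but not yet uploaded
        self._ids = itertools.count(1)

    def load(self, account, amount, ttl_days):
        """Debit the account now and hand back a token the device can spend offline."""
        if amount <= 0 or self.accounts[account] < amount:
            raise ValueError("insufficient funds")
        self.accounts[account] -= amount
        tok = Token(next(self._ids), amount, account, self.clock + ttl_days)
        self.outstanding[tok.token_id] = tok
        return tok

    def upload(self, account, token):
        """A merchant syncs a token received offline. Unknown, altered, replayed or
        expired tokens are refused, so uploading cannot mint money the ledger never issued."""
        live = self.outstanding.get(token.token_id)
        if live is None or live != token:
            return False
        del self.outstanding[token.token_id]
        self.accounts[account] += token.amount
        return True

    def tick(self, days):
        """Advance the clock; any loaded-but-unsynced token past expiry goes back to its loader."""
        self.clock += days
        for tid, tok in list(self.outstanding.items()):
            if tok.expires_at <= self.clock:
                self.accounts[tok.owner_account] += tok.amount
                del self.outstanding[tid]


class Device:
    """An offline wallet: a bag of tokens it can hand to another device."""
    def __init__(self):
        self.tokens = []

    def pay(self, other, amount):
        for tok in self.tokens:
            if tok.amount == amount:     # toy: exact-amount token, no change-making
                self.tokens.remove(tok)
                other.tokens.append(tok)
                return True
        return False


def scenario(drop_phone=False, shop_offline_days=0, ttl=7):
    """Run one story and report final balances.
    drop_phone: customer's device is destroyed before paying.
    shop_offline_days: how long the shop waits before syncing what it received."""
    ledger = Ledger({"alice": 10_000, "shop": 0})
    phone, till = Device(), Device()
    phone.tokens.append(ledger.load("alice", 2_000, ttl))
    if drop_phone:
        phone.tokens.clear()             # the funds went with the hardware
    else:
        phone.pay(till, 2_000)
    ledger.tick(shop_offline_days)
    uploaded = bool(till.tokens) and all(ledger.upload("shop", t) for t in till.tokens)
    ledger.tick(ttl)                     # let anything still unsynced expire back
    return {"alice": ledger.accounts["alice"], "shop": ledger.accounts["shop"],
            "uploaded": uploaded}


def forgery_attempts():
    """Uploads the ledger must refuse: never-issued, amount-altered, and replayed tokens."""
    ledger = Ledger({"alice": 10_000, "shop": 0})
    real = ledger.load("alice", 2_000, 7)
    forged = Token(999, 2_000, "alice", 7)
    inflated = Token(real.token_id, 20_000, real.owner_account, real.expires_at)
    return (ledger.upload("shop", forged), ledger.upload("shop", inflated),
            ledger.upload("shop", real), ledger.upload("shop", real))


if __name__ == "__main__":
    print("normal:        ", scenario())
    print("dropped phone: ", scenario(drop_phone=True))
    print("shop offline 8d", scenario(shop_offline_days=8))
    print("forgeries:     ", forgery_attempts())
```

The third scenario is the trade-off the comment flags: with a seven-day expiry, a shop that stays offline for eight days sees its upload rejected and the money has gone back to the customer, so the shop has given away goods for nothing. A longer or configurable expiry softens that at the cost of leaving more money stranded on lost devices for longer.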

Uncle Sam kills funding for CVE program. Yes, that CVE program

doublelayer Silver badge

The CVE database contains vulnerabilities for software written anywhere, including a lot of open source code. It is used everywhere to track and manage information about what is vulnerable and how to respond to those vulnerabilities. The US is not the only country that benefits from it, nor is it the only country that is responsible for the existence of vulnerabilities, as you know perfectly well. As my comment states, there are plenty of reasons why the US would benefit by continuing to fund it. However, your picture of a uniquely American problem is weird in its obvious inaccuracy.

doublelayer Silver badge

Re: Does the NSA not want free vulns anymore?

They do. China already has a vulnerability database designed like the CVE system with strict laws mandating reports basically as soon as you think that maybe something might be exploitable. The main difference is that it's basically unavailable outside China and they do gather and hide vulnerabilities when they feel like it.

doublelayer Silver badge

Re: Reasoning

I think the reason is connected to the animosity between the current administration and CISA. They're having their budget cut significantly, a lot of their staff fired, frequent condemnation from their boss, and suggestions that the entire institution be dismantled. The CVE database isn't being cut because someone knows what it is and has a problem with it. It's being canceled because the parent of the contract is being smashed with a hammer and the damage is rippling down.

doublelayer Silver badge

"I agree a lot of the anger from around the world at the economic moves is like children upset because Daddy has said time to get a job and make your own way in the world, I'm cutting your allowance."

I'm not sure whom you're agreeing with there, but if it was me as you pushed a reply button on my post, I don't think that. Any time funding for anything is cut, the people who used to receive it tend to react negatively, and if we anthropomorphize it a bit, the attitude isn't exactly wrong. However, if we're doing that to the recipient, we need to do it to the source of the funds as well. Using that analogy, not all of these are a parent cutting off an allowance. Sometimes, it's a person refusing to pay for things they needed and reacting badly to the loss of the thing they just cut.

Some things don't need government funding anymore, and the recipients will almost never acknowledge this and concede to ending the funding. Other things are not profit-making enterprises and provide a public benefit. For example, it's almost impossible to make money off a vulnerability database and have that database remain useful. Probably the closest you could get is charging people to access it and using the funds obtained from doing so to manage it while receiving reports for free. That destroys a lot of the benefit of tracking these things, since many groups will decide they can track things just fine without paying you and reporters may decide that there's little reason to spend the time sending reports to yet another database company that they can't read anyway. This mostly doesn't work as a for-profit operation. So our remaining options are 1) it's not worth doing because it doesn't provide enough benefit, 2) it's something private companies or someone else should pay for and we don't get enough benefit to try to facilitate it happening, 3) others could pay for it and it's important enough that we should try to make it happen, or 4) it's useful enough that funding it directly is worthwhile. I think the CVE database is either 3 or 4. The problem is that option 3 involves work, whereas option 2 is the lazy option which they've gone with instead.

There are lots of things governments spend on which they could cut, either entirely or significantly. To determine what they are, knowledgeable people need to review them, determine what benefit they provide, determine whether there is a different feasible way that benefit could be obtained, look for inefficiencies that could be removed, and create and execute a plan of action. That is a slow and boring process. Many governments have historically skipped it and just paid for something over and over again without trying to improve, and that causes problems. Skipping it the other way and just cutting things at random is at least as bad, and in practice, it's often much worse as there was a reason the things got added in the first place. That clear and organized efficiency process is not happening in the US today, so they will not get the benefit available from doing it.

doublelayer Silver badge

In addition to that, there's a much easier solution if the bill needs to be smaller. Once the thing has been built, you now have a great way to suggest that maybe someone else should be paying for this. Go to some cloud companies and ask them if they'd kick in some donations. Set up a cybersecurity initiative between countries, they tend to announce one of those every few years, and get that consortium to fund it. It's much easier to convince others to pay for something when it's sharing in the costs of something they benefit from, something that's existed for years, and something they don't want to lose than it is to convince them to pick it up after it's been dropped in the bin. The primary reason you would cancel the contract is that you've decided the thing is not worth running.

Japan serves Google a cease and desist order over its Android bundling deals

doublelayer Silver badge

Re: iPhone is *enormously* dominant in japan

Except that the contracts involved make it difficult or impossible to do that as well as what this argument is about. This is because of two terms in the contracts:

1. You can't be Google certified unless there are Google apps. That means you can't have Play Services without all the other Google apps. If you don't have Play Services, a lot of things won't run. A manufacturer could be happy to pay for Play Services because that will make their devices more easily sold, but they have to take all the other software with it whether they want to or not. That's what this case is about.

2. But sometimes, AOSP is all you want. Play Services is either unimportant, or for some cases, you're happier not to have it. So no problem, right? Wrong. Because the contract says that if you build an AOSP device, you can't build another with Google services. This makes companies pick between sticking Google software on every phone they make or not being allowed to make any. No having two choices for the customers. So although AOSP is technically an option, it is limited by very similar contractual restrictions.

doublelayer Silver badge

Re: Samsung

When Samsung licenses their apps to other manufacturers and requires them to install them in order to use the Samsung-written OS which is one of two options covering almost all smartphones, then yes.

In other words, no, and if you think they're remotely comparable, you don't understand what this is.

doublelayer Silver badge

Re: Google unfairly blocked Yahoo! Japan...

Yahoo has a particularly strong market position in Japan compared to most other countries. They invested in several Japanese ventures when other companies didn't, and hence they're much stronger there even as they were replaced by Google in many other countries.

doublelayer Silver badge

That's the same bad argument that people used when Apple was trying to slip out of their arguments about market dominance. Well, this is Germany, we only have 38% market share, so surely we couldn't dominate anything here. It doesn't work in either case. Those minority market positions are perfectly high enough for the regulators to have the authority, especially in a market that only has two realistic options.

Also, did you miss the threats of massive fines against Google and, yes, Apple, about app distribution? Apple is being investigated, just not for this since they don't license iOS to other manufacturers.

doublelayer Silver badge

Re: And the punishment?

Some of those things, for example the anticompetitive actions toward Yahoo, may be severe enough that they do get a penalty. However, a lot of these things weren't already illegal, they've just been ruled illegal. If you shoplift, you already know that's not allowed. If you do something that wasn't explicitly allowed or prohibited, and we then decide that it should be prohibited, that doesn't make it retroactively illegal. Don't do them again, you might even have to reverse your action, but you aren't punished for doing something that was allowed when you did it.

Guess what happens when ransomware fiends find 'insurance' 'policy' in your files

doublelayer Silver badge

It's been suggested many times. Politics moves slowly, and it hasn't been passed. There are some regulations that do prohibit governments who signed on from paying ransoms themselves, but to make it criminal for a private company to pay, you have to pass that law, and none of the major countries involved have bothered to do it.

If they tried, I expect that companies that provide cyber insurance would try to prevent it. Insurance likes to pay the ransom often because it isn't an open-ended charge. They cover a single, known payment rather than getting into a fight over how much of the unknown recovery costs and losses from interruption their policy covers. Since that is more complicated, they'd probably not cover much at all, which means fewer customers for their product. So they stand to lose if that law is ever passed. However, from my knowledge, the lack of the law isn't down to the machinations of big insurance since nobody's tried very hard to start the process and the companies would respond to that.

I think banning ransom payments would be the best possible thing to reduce ransomware. It won't eliminate it, but it will deal it a major disadvantage that no other proposed policy is likely to accomplish. Now all I have to do is get several politicians to agree with that and enact it, then shepherd it through the process where it's very easy to just forget something and leave it unfinished.

doublelayer Silver badge

Re: I wonder..

I think you'd have to put a lot of thought into making sure the attackers found them. If they did find them and believe them, it probably would help, but they're looking for the insurance documents because that's directly related to how much money they could get. They'll probably also be looking for the real financials to determine how much more than the insurance amount they could squeeze out, and the real financials can't include these fictional debts. You need to make arrangements to try to ensure that any attacker with drive access finds the fake finances before they find the real ones, even when they can watch user activity and determine which set of data, the real one unless you're running a professional fraud empire, is being edited most frequently. It probably would work, but if you're putting in that much effort to make it happen, you're probably better served by putting that effort toward security, incident response, or more backups.

Trump derails Chinese H20 GPU sales, forcing Nvidia to eat $5.5B this quarter

doublelayer Silver badge

Re: Ouch

You have a few missing exponents there. It's not 3600 grams of sodium. Eating that much in a day would get you entry into a very rare club of people who died from salt poisoning before you swallowed down five percent of that. It's 3600 milligrams of sodium. That much sodium is not healthy but it's not that far off the average daily intake in countries like the US and UK.* Of course, that's probably not all the food he is eating in a day, so his intake would presumably be higher than that.

* The UK's average is slightly higher than the US. You can use this survey but keep in mind that their figures are for NaCl, not Na+ which is what the other figures refer to, so you have to do some calculation to compare them. Either way, excess sodium consumption is a public health concern.

Apple: Since you care about yOuR pRiVaCy, we'll train our AI on made-up emails

doublelayer Silver badge

Re: How do you do, fellow kids?

I don't think synthetic emails are going to help much, but I prefer it to any other method. I have sent messages like that, though when they're one sentence long, they're most often SMS or comparable chat rather than email. If we already scheduled the tennis game, then I might send something like you suggested, but if we were discussing playing tennis, switched to something else, and now I am suggesting a time, my message might look like that. I think the bigger problem is when they try to synthesize any email where summarization might be desired, because no matter how the scheduling suggestion is phrased, nobody will ever need a summary of one sentence. I don't think they're going to get great results when that process is churning out paragraphs.