Posts by doublelayer

Re: I disagree with this statement

I still disagree, with the clearest reason being this sentence:

"When this ends up creating a potentially more insecure binary, it's a problem with all this rust stuff."

Not at all. When this ends up creating a potentially more insecure binary, it's a problem with this particular piece of code. If it was part of Rust, it would impact everything else, but if it was a bug in that one rewrite, then it's as much a problem with all the Rust stuff as sudo's insecure config file vulnerability was a problem with everything written in C (which it isn't, in case a C fan was not sure what I am saying).

If someone badly rewrites something in a language, it does not make the language or the others using it at fault. When we compare the C version of sudo with this Rust reimplementation, it's also not so clear that the rewrite was bad. Yes, the Rust version has vulnerabilities, but so does the C version, and so far, the Rust one has not had one that allows a unprivileged user shell to turn into a root one whereas C sudo has. I think I can sympathize with the negative reaction to something that has been hyped too much, and Rust has received enough hype to be annoying. When that annoyance turns into hyping any problem with the new thing more severely than the original hype, especially with inaccurate statements meant to make a problem seem worse or more unusual than it actually is, then we have another problem.

Re: Networking students need an explanation of the internet that can fit in their heads

Funny, most of the copies I find online don't write it like that, because writing it like that is weird. Here's one:

"government of the people, by the people, for the people, shall not perish from the earth." is how they are using capitals. That's how all the search results on the first page are using capitals. That's also how most things are transcribed. To use a less US example, if we look at the famous Churchill speech, we can see that it's generally transcribed "That is the will of Parliament and the nation.", because Parliament is being referred to as a proper noun and "the nation" is a specific instance of a noun that's not a proper one.

The internet is the instance of internet we're referring to, mostly because those smaller other internets are not ones we interact with. The original comment clearly understands that there is more than one, but misunderstands what makes a noun a proper one. If there's only one instance of something, or if there's only one instance you choose to care about, that does not make nouns proper by default.

Re: And none of them would be legal in EU

I'll tell you where I live. I live in a world where I thought GDPR was going to make lots of abuses illegal because the law said it and there were nice large penalties, large enough to keep things in line. I lived in a world where I let my optimism run wild. And I live in the world you have to live in where there has been almost no effect from what looked like a revolutionary privacy law. Where it's rarely enforced, and when it is it's against companies that did relatively little compared to the obvious abuses of larger tech companies. Where despite the law's ineffectiveness, politicians from the same countries that passed it are trying to weaken it. I need more than the confident assertions from someone to actually believe that these things get enforced. You disliked my "pseudo examples", which I wasn't really writing as examples, but I note you mentioned not a single piece of legislation that would stop these, not a single enforcement body, not a single example of these things not being available. If specificity is your objection, then why don't you cite the reasons for your confidence, since you must have them if you're not making assumptions.

Re: Hmm

I am fortunate enough that I have never encountered someone who did this severely. Most who I have found need to say something but don't get too unhappy if their changes don't get made. Unfortunately, I know at least one person who had to deal with someone who demanded so many changes that they went to the extent of deliberately including things for the critic to complain about because they would otherwise send round after round of mandatory feedback and force all the team members to stay late into the evening to implement those changes before deadlines. It did not do that person's mental health any good, and of course introducing deliberate confusion or errors into drafts could have had all sorts of other problematic results.

Re: Handwave handwave, distraction distraction.

The problem is that anyone is able to look up the website that tells you how to jump through any set of hoops that involves clicking through screens. Most don't bother to because they have no reason, but those people who are willing to justify any loss of features or right to do what I want with the thing I bought in the name of security will often decide that, if it is possible for a child to manage it which it always is, that it's too easy. This works very well with the people who have a different incentive to block me from having that access.

I am worried that whatever Google's method is, it won't involve another security warning, because the method we have now already has two of those so why would a third make any difference? If it involves setting something in your Google account, getting a code from your manufacturer, or any of the many other things they've already used to lock features behind doors that may or may not agree to open for me, it will still be unacceptable.

Re: Why is the register focused mostly on how VLC is gratis?

Who says they are? For example, when they quote others as saying that Kempf is the "the one who kept VLC free", they don't mean free of charge; the things he prevented wouldn't have introduced a purchase price. I admit that they also don't mean the version of free you're talking about, because you can still have a piece of software under GPL2+ that comes with unwanted additions. But not only has he maintained the code under its original license and kept it up to date and very full-featured, he has kept it free of plenty of things that could have helped him while harming users, for which we are grateful.

Is it possible your view on the article says more about your biases and preferences than anything the article actually had an opinion on?

Re: Fight fire with fire?

If we calculate the way that people often do when there hasn't been a recent disaster, we can answer that question. It would go something like this:

The closure of Gatwick cost £50M. That has not happened again in seven years. If we only put teams at the busiest 40 airports, that's £179k per airport per year, which for a 24-hour service means an expected hourly benefit of £20.38. If it costs more than £20.38 per hour to hire staff and equipment, then it's not worth doing it.

Which is not the right way to do this calculation since it's not considering actual risk. It's a very common way to calculate it because it is much easier than calculating actual risk and the people doing it feel like they're being cautious because their calculation assumes that the disaster will happen right now when they know the next one is likely quite a way off. If the next version of this is likely to be a lot worse or if the chances of having it are higher, then the benefit goes up and the comparison changes. However, the "can we afford not to" approach is not any better. It prevents the important work of considering approaches that might work better, be more efficient, and whether we need to do this in the first place. Lots of bad policies have gone into place because a problem was scary enough that it escaped the "not my problem right now" period into the "we must do something, this is something" one.

Not only do we not have a good estimate of risk here, we have no idea what it would take or if it is even possible to build a team as described. How feasible is a drone chase squad? How hard is it for attackers to send up a lot more drones so the chasing team can't chase them all? How hard to speed up their drones so the chasing ones can't catch them? How good is the information they would use to try this. When the chasing drones catch up to the interfering drones, what can they actually do to them to stop them being around; they generally aren't equipped with high-strength butterfly nets or machine guns, and neither could be feasibly attached to anything even slightly cheap. A cool-sounding solution doesn't mean that it works or is achievable.

Re: How dare you nick that before us!

That is a possibility, but it assumes facts not in evidence, namely that China had any intention to arrest the person concerned. We don't have any information about whether they knew about, cared about, or had any plans to deal with the crimes alleged in the US indictment. One other assumption you appear to have made is that China was highly represented in the set of victims, whereas many of the scam operations specialize in other countries, especially English-speaking ones. Not all of them, and China has historically cared and done more about those that either targeted Chinese consumers or used kidnapped Chinese citizens, but plenty of them use kidnapped citizens from elsewhere and target other countries, both because they may have more money to steal and because those countries have less ability to get the camps shut down.

But both of those assumptions, while they rely on things the article didn't say, could well be true. China could ask the US to share the cash with victims they have identified there and that does sometimes work, but they may assume that the US will refuse and are preemptively complaining. They may have other reasons for complaining which are less public-spirited though, or it could be a default technique to blame whoever you're unhappy with for whatever thing recently happened.

Re: Workshy Layabouts

Tax credits are certainly nothing new, being a rather old way of handing money from the government to someone else, whether directly or indirectly. That still involves handing them money. Even in the most limited sense where they cannot be transferred and only count against tax due, it still means the recipients of a tax credit doesn't have to pay tax when everyone else does. In all variations, it is a benefit to the recipient at the cost of the government.

Do you really expect this is going to be something admins have to bother themselves with? There are plenty of Windows changes that admins have a reason to care about but this, while I don't think there's any particular benefit to it, also doesn't seem to have any particular downside. Will the fact that 3% of laptops make a vibration when you move a window be such a big problem that it becomes an IT task to stop it?

Re: Really ?

Not a salary. That would be too easy to plan for financially. They will get a random amount every month depending on what the software did, which was decided by the software, and since you already agreed to run the software, you agreed to pay for the usage and you got the "benefit" of the usage, so you can't question that bill. I wonder if I can get that deal instead of my salary. Yes, I know I didn't do anything correctly today, but you have consumed 48515931 of my thought cycles and therefore you owe me half the company.

Re: KANOTIX is a Linux distribution

How does read-only RAM work? There is such a thing as RAM-resident malware. Of course, it won't persist past a restart, but it can grab things from the session, including your access to wherever you're storing or processing things you intend to keep after the session. Nothing kills interest in something quite as thoroughly or quickly as someone claiming it's impervious to attack.

Re: I wonder why they wiped his drives

When you're being investigated for a crime, the investigators will want all of your backups to make sure they are indeed all backups rather than decoys, one of which contains the evidence they're looking for. If they succeed at getting all of them, then what happens to one copy is what happens to all copies. If they don't, it means you've hidden evidence from them which can be a separate crime. Do you see now why it's a question worth asking?

Although I do agree with you in the limited sense that the lack of backups is one reason I don't believe this particular criminal actually had any cryptocurrency. I have other reasons to think that too. That doesn't change the general case being a question we should have better answers to.

Re: By the time all this is over

The difference between deflationary and inflationary economic disasters is often a factor of what the government or central bank does in response, and we don't know what they will do and they probably don't either. Partially, that's because they don't have much control either since they take a look at what's happening, guess what it's going to do, and try to take an action to make it less bad which has the chance to succeed or just roll over to more bad but in the other direction. Support either to the investors who are losing money on the bad debts or to individuals whose savings were partially invested with those investors could easily cause inflation, whereas no support could cause a worse deflation problem. Managing the level of support that is enough to prevent the crisis getting worse but not so much that inflation is caused is very difficult even if the people doing it were knowledgeable and trustworthy.

Re: Wow, this is going quick

Indeed? Would you please name one? Since you have so many targets, pick one that was as bad or worse. I don't doubt that there are more, and I would like to see them punished as well, but your statement suggests two things I think you'd have a hard time defending: that this is happening frequently and in plain sight, when in fact fraudulent companies including Theranos go to great extents to hide it, and that the response was unfairly harsh on Holmes, when the appropriate response would be to similarly punish anyone else who was doing anything similar.

Re: Grammar pedant here

Because "architect" as a verb has been a synonym of "design" for many more decades than computers have existed, partially because the noun "architect" has referred to people who design things other than buildings. Its use in software design might be to distinguish fundamental large-scale design decisions which need to be made at the beginning of any large project from the many other design decisions that are relevant to parts or can be added on as features, which when you think about it, isn't that bad an analogy to the architecture you were contrasting it with. You can't invent new rules of English or abolish synonyms, no matter how much you want to defend the honor of architects.

I totally expect they've done the calculations and are correct, especially with Macs. However, remember that these are exactly the same finance people who are getting blamed repeatedly throughout this comment section for failing to calculate the costs of the last version. Sometimes, financial decisions are not made with the complete sets of calculations you expect which often leads to having to do similar calculations later on to clean up the mess caused the first time.

In my experience, this especially applies to cloud versus non-cloud, where a lot of the decision gets made by IT and engineering and finance doesn't directly contribute to it at the start. It doesn't matter which decision they make; I've seen bad choices in both directions. Usually, finance does come in later and ask or demand for prices to drop, but they don't know or care what the choice was or try to figure out which approach is better. Maybe if finance had more tech knowledge and the other teams had more attention to financial success, but in my experience, they don't, there's often a lot of compartmentalization between the teams, and everyone wants the easiest solution for whatever they're doing, which leads to little or not-so-little problems.

Re: Remember

Your point being that you can buy boxes with GPUs in them? Because if they can do their research on one of those, great, although depending on how long they need it, renting a similar cloud machine would probably still be cheaper. The problem being that most of the kinds of things they're running can't be run on one of those. Depending on the work, they'll either need a very large number of those or they'll need something completely different, for example something with a lot more CPU power since that is only optimized for GPU.

Or, if they're using GPUs, they might want faster performance on those. That box is as cheap as it is because it doesn't use typical VRAM with its GPUs. In order to be able to fit large models in the RAM, they've gone for cheaper but much slower LPDDR5 shared with the CPU than what you'd find on a normal GPU or on their other accelerators. The cluster I had access to had a lot of real GPUs and was no doubt very expensive to create and operate. It only made sense because the cost could be shared among the biology, physics, and astronomy departments as well as little extra users like me, and people still had to queue and negotiate for sufficient access. A $4000 box with nice GPU performance numbers if you use Nvidia's marketing with numbers for FP4 performance which most research cannot use is really not the same thing.

Re: What about username?

The username is going to be stored in cleartext because they use that to identify you. If you want to have more random data, stick it onto your password to make it longer*, because that's the part that gets hashed if they're doing it correctly. Admittedly, I do kind of do this by using separate emails for different sites, but that's for spam detection and prevention, not account security.

* If they have a maximum password length, then you have a bit better of an argument and a reason to worry about what they're doing with the password you give them.

Re: Stored or not stored?

"Always relying on the law to determine right or wrong is trite logic that fails hard - as there's a lot of laws that are immoral - but magically those laws are moral because the law says so."

Read the comments again until you understand that I did not say that. There's a difference between legal and moral, and my point is that, no matter whether you think something is moral, if the law says it's a crime, you have to change the law to make it not one. If you keep using logic that you think it's moral thus it's allowed, you're going to get very surprised when you lose in court. The rest of us will either try to get the law changed or will work within it.

The arguments so far that it is moral have been...well they haven't really been arguments. You just say it. The closest things to arguments we got were that it's easy, so you might as well make it not an offense, which is a really stupid attempt. Your new one is about whether certain things count as an offense in the UK which is mostly unimportant because you have clearly stated that commercial violation of copyright is, and the people the article is talking about are very commercial indeed. This thread has clearly outlived its usefulness, but I suggest thinking about your arguments next time you want to convince people; I'm much closer to your view than you recognize, but you've used and defended a lot of clearly bad arguments which don't respond to any of my points but appear to have been picked out of a bag of cliches.

Re: Solution for low salaries in gov IT

And that life cycle is still a little shorter than Windows 10's. It was released in June 2014, a month before Windows 10 was. It entered extended support in July 2024, 15 months before Windows 10 did. It runs out of extended support in June 2028, anywhere from a year and a half to three years before Windows 10 depending on what version you're prepared to use. Everything needs either somewhat regular attention to updates*, a rigorous plan for how you're going to deal with very old stuff, or a willingness to take the risk of very old stuff. Unfortunately, a lot of people decide to go with option 3 but their reasons are bad and selfish**.

* The benefit of many open source operating systems and distros is that the attention to updates is often somewhat easy and free, but you still have to do it. Linux being free doesn't help you if you never tried running on anything after a 2.6 kernel, because 2.6 isn't supported anymore.

** Often, the reasons include things like finance not wanting to spend money on maintenance or IT not wanting to do the work to update it. Whether the users, customers, business, or whatever this thing makes possible are at risk is often treated as a much smaller factor than it should be. And yes, I do think IT is sometimes to blame. Certainly not always, as I have met many admins who know exactly how important a system is, what will go wrong if it fails, and fight a lopsided battle to make that happen. Unfortunately, I've found lots of people who don't like change or work and happily ignore it until something breaks and they don't know what to do.

Those are all true without necessarily having any effect on his qualifications for the post. So he has a lot of hours in the air, great, we will assume that this means he is a well-qualified pilot, although theoretically there are ways you could get lots of hours without having that. Being a pilot is not sufficient or even necessary for administering NASA. If someone else was chosen on the only basis of being a seasoned air force pilot, that would not be very helpful. The astronaut part is even less convincing because he did not have any of the things that distinguish actual astronauts. He paid for an interesting experience. That's no recommendation at all.

NASA has a lot of complicated responsibilities. Even if we ignore the building space stuff part on the theory that private companies, and given his friendships I think we know which, will be doing all of that, they still have lots of oversight and management of that technology and equipment to do. No, managing a business of building someone else's payment systems into someone else's point of sale hardware, no matter how successfully, is not automatically experience in managing extremely safety-critical equipment with extremely specific and rigorous certification procedures. If we assume that the private companies will handle all of that, then we're left with an organization whose primary mission is scientific, whatever their funders decide to say, since they're in the business of deciding which expensive hardware to send and exactly what they hope to get for doing it. If they want to have a village on the moon (good luck), there's a lot of knowledge gathering required unless they want to have a dead village and a contaminated moon.

None of this is an indictment of Isaacman's capabilities, but nor is any of it support for them. His statements are somewhat encouraging, because I would rather have more space research than a doomed attempt to get a human somewhere for more bragging rights (we stopped manned lunar missions, not because we had to, but because we could accomplish more with less). That may be as good as we can get. But no matter how many hours he has in the air, it's not going to make a difference to the important part of the job because never will his responsibilities require him to personally pilot a fighter to obtain a goal.

Re: Agree with nobody

There are a lot of problems with AI that could be fixed by having the makers of the AI pay for the costs. They are very good at making sure they never have to, and as things go, this is one of the easiest ones for them to get out of. When a user decides to give Perplexity permission to spend their money, they're choosing to run software and take the risk of getting bad purchases. They take the financial cost before the return is processed. Therefore, the cost is on them. If we compare to stealing copyrighted data or even burdening servers with floods of requests, the AI company is much less culpable.

Since they have never been punished for doing illegal things in the first case or legal but harmful things in the second, there's almost no chance they'll get anything for not being great purchasing bots. Instead, the costs will likely be put on all Amazon customers, eventually all customers of anything Perplexity can buy from, as they change their return policies. Free returns was one of those things that was nice as long as most people weren't unreasonably overusing it, but like anything with a large shared potential cost, it won't last forever when it gets too expensive.