* Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

As AI booms, land near nuclear power plants becomes hot real estate

doublelayer Silver badge

Re: Anticipating grid failure is more like it..

I haven't worked in the electric power industry, but I would guess that they get two advantages by being close. First, they get to avoid paying transmission costs, including any cost for adding more grid capacity for their large set of usage. If the existing grid couldn't handle their relatively large load being added, they'd probably have to pay most or all of the costs to upgrade it. Second, if there is a grid problem, their datacenter would continue operating. That failure doesn't have to be long-lasting. If they've sold their capacity on an SLA that becomes costly if the systems lose power, then they might want to avoid what, to a residential user, might be an annoying but acceptable outage. By locating close to a plant, they can probably get away with a lot less generator capacity than a normal grid-fed DC.

Good news: HMRC offers a Linux version of Basic PAYE Tools. Bad news: It broke

doublelayer Silver badge

Re: It's 2024

Of course it is, but the reason we use compilers is to somewhat limit the number of stupid things we can do. We could go back to times where nearly anything you typed was valid code and the computer would run it, and if it didn't do what you wanted then that was your business to find out and fix. Powerful languages get their power by making it easy to explain what you want and difficult or impossible to do certain classes of preventable errors. Having enough memory that you don't have to think about type storage doesn't change all the other things that a good type checker can do.

I like Python, and it is one of my more commonly used languages both for prototyping and for some types of production software, but if I had one complaint about it, it would be that it makes some things which, in another language, would be compile-time errors into runtime errors. Testing is often insufficient and we don't make that easier by having to write pointless manual tests that a compiler would already do.

doublelayer Silver badge

Re: "for businesses with fewer than 10 employees."

The print as a function thing has confused me for years. I came to Python after a number of other languages where print was a function, so I never understood why it shouldn't be a function there either. It's the only imperative keyword, and without the parentheses, it still works exactly like a function would. Maybe someone who minds the change could explain why it's such a problem.

Uncle Sam's had it up to here with 'unforgivable' SQL injection flaws

doublelayer Silver badge

Re: Coders vs Developers

Effectively, this requires them to completely change their interfaces in a way that makes them less flexible. Libraries that make it easy for you to parameterize a query are still turning it into a string when they send it to the engine, they're just doing it better than you would on your own. There are three reasons why database engines won't make that change:

1. Writing parsers becomes much harder. Consider all the possible parameters to a statement as simple as select. You can sort in a variety of ways, you can select from multiple things and combine them, you can use one statement to filter them. Now write a function contract in C that can do all the same things. What parameters do you need to take if the query might reference multiple tables? What parameters do you need to take to expose all of the internal functions of the database and construct a function that can be used to sort them? Your function is going to be huge. It is easy enough to handle this in the database because it can be split into subcommands with temporary storage for intermediate results, but the point of the database is that your users shouldn't have to do it themselves.

2. If you don't take a string or some other portable query syntax, then you have to write programmatic interfaces in every language. Most popular database engines have libraries for many popular languages already, but we also know that, if it really comes down to it, we can write a basic communication method to get bytes into the database server process and use a database in any language we like. If you use a more complex expression syntax, the library that executes queries becomes much more complex. A user who uses a language that isn't supported no longer has a hope of quickly writing one, and unofficial libraries are likely to have trouble keeping up with additions to the syntax.

3. The method has existed for a long time and inertia is hard to fight. There are newer database engines that do what you say, but it won't be easy to convince everyone to dump SQL and adopt one of them with its unfamiliar syntax and incompatible behavior as the new standard, porting all applications that used it over.

doublelayer Silver badge

Re: Coders vs Developers

"How does SQL injection work with modern code?"

Nothing will ever stop you from submitting just one string. They don't parse to see if you're passing something that looks like a value and insist you parameterize it. This means that, if someone either doesn't know or doesn't think to parameterize, they can still build an expression as a string and that expression is still vulnerable. Most likely, you're just not seeing as much of it because the number of databases out there is massive and a lot of programmers were told not to build expressions that way and remembered it. Sadly, that doesn't mean everyone was taught that, so it still happens year after year.
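The two posts above make the same point from different sides: every driver ends up sending the engine a string, and nothing stops a programmer from building that string out of user input. The added example below is not from the original comments; it uses Python's built-in sqlite3 module with a constructed two-row table to show the string-built query beside its parameterized form, fed the same hostile input. It also covers the one place parameters cannot help, an ORDER BY column name, which is why a sort option has to be checked against a fixed allow-list rather than bound or escaped. The table, rows and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for this example; not from the original page.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "admin"),
]

# Classic tautology payload: closes the quoted literal, then makes the WHERE
# clause always true.
INJECTION = "' OR '1'='1"

# Identifiers cannot be bound as parameters, so a sort column has to come
# from a fixed set chosen by the programmer, never from the request.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: untrusted text is pasted into the statement, so quotes in
    it change the statement's structure instead of being compared as data."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the statement text is fixed and the value travels separately
    as a bound parameter, so it is only ever compared, never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_sorted(conn, sort_by):
    """Sort by a caller-chosen column. The column name is an identifier and
    cannot be a bound parameter, so it is allow-listed before interpolation."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT name FROM users ORDER BY {sort_by}").fetchall()


def demo():
    """Run both lookups against the same payload and a legitimate value."""
    conn = make_db()
    return {
        "unsafe": lookup_unsafe(conn, INJECTION),  # every row comes back
        "safe": lookup_safe(conn, INJECTION),      # no user has that literal name
        "legit": lookup_safe(conn, "alice"),       # parameters still find real rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>6}: {rows}")
```

The unsafe lookup returns both rows because the payload rewrites the WHERE clause to `name = '' OR '1'='1'`; the parameterized lookup returns nothing because the engine compares the whole payload, quotes included, against the column. Note that `list_sorted` still builds a string, as the post says every library ultimately does; the difference is that the interpolated piece can only be one of two values the programmer chose.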

Over 170K users caught up in poisoned Python package ruse

doublelayer Silver badge

Re: Python, eh?

In this example, it wasn't PyPI that had a problem. It was the package that was instructed to retrieve code from somewhere else, download it, and run it. Nobody broke into PyPI to submit a poisoned package; they broke into someone's GitHub to make a real package poisoned. The important part is that, unlike previous attacks which have indeed used PyPI, this could have been done to any project using any language as long as somewhere in the build system accepted a dependency's URL. They picked a Python package in this case, but that wasn't required for this to work.

That Asian meal you eat on holidays could launder money for North Korea

doublelayer Silver badge

I can't back which claims with evidence? That they threaten anyone they let out of the country? Does testimony from escaped ambassadors and tech workers count? You can find that. But if you will dismiss this all as state department propaganda, then there's nothing I can do. Do you want to try convincing us with evidence of your own? If I can't back up anything I say with evidence, then surely that means you can? You could, for example, find me an interview with a North Korean who didn't either escape their country which wants to imprison them or is working for them right now? I can find you interviews with plenty of migrants, with legal documentation or not, from almost every country, but you tend not to find North Koreans who voluntarily left their country, were allowed to do so, and are willing to talk about it.

doublelayer Silver badge

Re: Wait, who sells them the weapons?

True, and it already works that way. However, if most countries and companies will not sell you the parts, it means the markup on those parts is pretty high, which means that there is an incentive for the person who is willing to break those sanctions and find the parts anyway. If I make chips that could be used in missiles for $10 apiece but refuse to sell them, and North Korea is willing to buy them for $60 each, then a company has a $50 per unit ability to cover any costs involved in getting them out of my control and into North Korea's. If they are general purpose chips, this can be pretty easy. If they're restricted technology that has to be obtained from one of a few people I'm willing to sell to, then it's harder, which increases the price even further.

The more cash North Korea has on them, the greater their ability to pay those increased margins. You'd hope that, at some point, they would decide that more nuclear weapons they don't really need isn't worth the price, but if they thought that way, they probably would have stopped making them at least a decade ago. For other weapons systems, they have plenty of people who want to pay them to manufacture them. North Korea has been making and selling weapons as one of their major export industries for decades, and they've been making some advancements. Russia wants a bunch of cheap and modern missiles, and North Korea has a bunch of really cheap labor and factories built for missile manufacture, so if they can connect Russia's money and modern missile components, they can get them.

doublelayer Silver badge

"The world is full of workers from the global south working, possibly undocumented, in the global north and sending remittances home."

The difference, as you well know, is that people sending remittances home to other countries are sending it to their families or friends. North Koreans abroad are working for their government and passing the money to them directly, and their families will get little or none of it (none by official policy, but they probably find some ways to sneak in a bit). We also know that North Korea's government budgets are a bit slanted toward the military expenditures and against everything else, in fact they've put a nice name on it. The people working in other countries are not individual agents taking a risk for economic reward. They are slaves held in check by actions North Korea has been using for decades: threatening and punishing families and friends for any infraction and closely monitoring everybody. There is a difference, and we all know it.

doublelayer Silver badge

Re: A waste of time syndicating that here.

"You can take any regime down for less than $20m in a couple of months."

I'll take that recipe, please. How much more to put up a regime that I like, not a chaotic wasteland of suffering people?

doublelayer Silver badge

I think they're more likely intended for North Korean agents who get cash so they can claim the cash as business income, not for the lucrative market of people who want lunch, but you have to give someone lunch or you can't convincingly claim to be a restaurant.

Woz calls out US lawmakers for TikTok ban: 'I don’t like the hypocrisy'

doublelayer Silver badge

That is not what I said. What I said was that, in my limited experience, I don't know people who would. It is like asking "Why do people complain about others eating meat but then go hunting?". I know some people who do happily kill and eat animals, and I know some people that disapprove of people eating meat and will complain about it to anyone who does, but those are not the same people. In order to demonstrate hypocrisy, they have to be the same people. Otherwise, it's just different people doing different things. In my experience, the people who complain about any access by the government are not the same people who will post anything on social media. Maybe your experience differs from mine, but what I am saying is more complex than "I wouldn't post that, so they don't".

doublelayer Silver badge

Re: Risk/Reward.

Thank you. I think I better understand what you're saying now. The reason why I was talking about the ease or difficulty in looking up a phone number is that it affects how I feel about having to give it to somebody. For example, I don't have a problem giving my phone number on a government form, nor do I know many who would. I was trying to find out a type of data that someone would provide easily but would complain a lot about providing to the government, which is central to the question you brought up. In my experience, people who readily give that information don't have a problem readily giving it to the government, and those who complain most vociferously when it's the government asking tend to complain when others ask for it as well, but this appears not to match your experience. Yes, there are people who are ridiculously conspiracy-minded whenever the government does anything and people who will give away any private information, but they tend to be different people, not one person doing both of them.

doublelayer Silver badge

I have, and I've seen two categories that fit with the idea, but don't work with the question:

Group 1: Are happy to give out any piece of personal information, no matter how much I wince when they've done it. These are people who would post a live view out of their doorbell camera and, if I ask why, they will say something stupid like "it'll help make sure my house is safe". These people will definitely put lots of personal information on social media, but they'll also give it to the government. Point out that the police have extra access to that camera and they'll say "I have nothing to hide".

Group 2: Paranoid, kind of like me or even worse. They'll keep lots of data private. If they're asked for it, even when it has a purpose, they'll think for a while about whether they have to or if they can find a way around providing it. This applies to the government, but it also applies to social media.

What I don't see too much of is group 3, the one that happily puts data on social media but refuses to give it to the government. Now I have seen a similar group of people who are avid users of social media and weirdly panicky about the government doing ... something (if they explain it, it sounds crazy, so often they go for vague). But those people don't tend to dump tons of data up there, at least not intentionally, because they think the NSA is collecting it (which they probably are because hard drives are cheap) and using it against them (which they're definitely not doing because these people are not interesting). The question asked in the original comment relies on people being angry about giving a certain piece of information to the government but accepting giving the same piece to social media. General attitudes being more positive to social media than the government don't fit that question unless the information being provided is the same.

doublelayer Silver badge

Re: Risk/Reward.

You're eventually going to have to explain the things instead of saying "whoosh". Because one of two things are going on here:

1. I'm an idiot, and I'm going to continue being annoying until you explain your meaning in simple words that my walnut-sized brain can understand, even though your original comment was rather clear already.

2. We actually do understand what you're saying, but our responses are not to your liking and you choose not to make meaningful response.

In many cases where I see "whoosh", it means that the original comment was sarcastic, and someone missed it. So if I try to interpret your comment in that way, then maybe you were saying that a phone number isn't sensitive information because phone directories exist, so it doesn't matter that people willingly post it on social media? That doesn't sound like what you were saying, but your comment didn't seem that sarcastic. Otherwise, their point about how public a phone number is is relevant to the discussion. You can tell us what you meant. My walnut is ready.

doublelayer Silver badge

Sorry, but I'm not sure you read or understood my comment. For example, the "muh freedumb" thing you talked about: I didn't say anything about freedoms, lack of freedoms, or governmental overreach. Not one single thing. What I said was that I don't know what information people would be angry about giving to the government but happy about giving to Facebook. If you see an argument about freedoms in my comment, I'd be very curious to see what led you there, because I didn't intend it.

I asked for examples, and you've provided one. Let's consider it. I don't know people who would be angry to put their phone number on a government form, assuming they're not already angry about having to fill out the form itself. I know a lot of people who would not put it on social media, exactly for the reasons you say: it's public when they have it, it's not when the government has it, and the government already knows it. However, as data goes, this is one of the less sensitive pieces of it. I've had my phone number for many years now, and since I'm able to port it around to different providers, it's likely to be mine for the rest of my life. I've had plenty of places who I've given it to, either because they actually needed it to contact me or because they demanded it and I couldn't do what I wanted or needed to do without them having it. This includes various government services, and I didn't mind them having it. This means that, almost certainly, my phone number and name are associated in nearly any dataset that can be purchased and likely in plenty of free ones to be found online. I have little hope of my phone number remaining truly anonymous, so I must factor that into how sensitively I'm going to protect it. I still wouldn't hand it out to anyone who asks, but I don't protect it the way I do more sensitive pieces of information.

The kind of thing that I don't want to give to governments are things like passwords to online accounts, private keys, and the like. Mostly, they are things I don't have to, although various ones suggest collecting them from time to time. I would not give any of those to social media either, and I think that, although there are a few people who would be stupid enough to fill in the form "The password to your email account here", it's a rather small set compared to those who are willing to give their phone number except for authentication and communication, which is a small set compared to those who use the services at all. Maybe you think of phone numbers differently than I do, but if you agree about its sensitivity, is that your only example?

doublelayer Silver badge

That might be convincing if I could think of anyone who actually would. Yes, I know that some people are stupid enough to put some kinds of semisensitive information in a form, but I don't think there are many, if any, who will put something like their passport number into a form just because there's a box for it. Probably the most sensitive thing I can see someone actually putting there is their mailing address, which I wouldn't do and will probably lead to spam, but it's not as bad as some things. What specific information do you think people will be angry about telling the government but willing to put into a Facebook form? I can't think of anything.

Time to examine the anatomy of the British Library ransomware nightmare

doublelayer Silver badge

Re: "Too old to be safe, too expensive in time and money to replace"

You will never prevent vulnerabilities from existing. You can reduce their number by spending more time (remember that it will increase the time and slow the pace of updates, including those you want to have), but it will never be zero. But let's try this thought experiment. What was the last zero-day or vulnerability that caused a zero-click attack, i.e. one that would have happened without any user interaction and was all due to the software? How many attacks like that do you know? Many attacks aren't that simple. They often rely on a user to activate the initial vector or to leave it insecure (basic SSH or RDP access to the internet is popular), the configuration to allow them to brute force passwords or access methods, the configuration to allow their compromised tokens to access things for a long time, profiling systems to not exist. None of that is down to programmers shipping too fast, and all of it can be blamed on the administrators who could have configured it and didn't.

There are times when programmers are really at fault, but from your comment, I think you and the OP have overestimated how often this is. I am asking you again to consider how you would feel if it turns out that no vulnerability was found to be very important in this attack, but the administrator could have detected this and didn't with a different configuration, so they're the one bankrupted with penalties. If your response is "Fine with me. Let them suffer", then fair enough, we just disagree. If you think the administrators shouldn't face those consequences, then you should consider whether it's fair to have programmers face them in an analogous situation.

doublelayer Silver badge

Re: No change

You learn who to say things to. I also work in security, and that's what I say to people who work in IT or programming. They assume that I'm also doing some kind of technology security, and if they know that I'm a programmer, they can draw the lines. Say that to someone who doesn't work in tech and they either don't get it or assume you're a security guard and try to figure out why a programmer is doing that. The term they use for the entire information or technology security area is "cybersecurity". We're lucky that shortening that to "cyber" hasn't entirely caught on. Now I could try to adopt something that's really no better and get everyone to call it "computer security", educate them on why we sometimes call it infosec and try to make them do that, or use the term they know. I often choose the low-effort method that still gets communication going.

doublelayer Silver badge

Re: "Too old to be safe, too expensive in time and money to replace"

If you do that, you will certainly sometimes get the writers of the software to pay for damage caused while running their software, but you will also get a lot of something else: IT people raked over the coals and punished severely. Because if you're going to pin the blame on the writers, those writers are going to have a need to pin the blame on someone else, and there is usually something the administrators could have, and in many cases should have, done which makes it their fault. For example, maybe we blame a software writer if their code has a zero-day in it, but who gets the blame if the software had a vulnerability in it patched two months ago but the administrator didn't install the update? If you're willing to charge the programmers for any financial cost, are you willing to charge the administrator that could have but didn't install the update with the same thing? After all, if the coffee machine was not defective but the plumber installed the water line in such a way that it flooded the machine, heating the water, and collapsed in a wonderful fountain of steam, you would be blaming that plumber.

There are many situations where it's less clear, for example the programmers say the configuration was insecure, the administrators say the defaults were insecure, and they fight because neither wants to get stuck with the blame when it comes with that large a bill. So also budget for some lawyers to be involved, especially if the company who wrote the thing is large enough. They'll have a good incentive to make sure the court thinks it's your fault. Before you get too eager about finding someone who isn't you and blaming it all on them, think for a bit about whether it would be fair for someone to do the same to you. If it wouldn't, let's factor that in to the solution we propose.

doublelayer Silver badge

What personnel? Because if you try to answer that question, you will instead start up the blame game. Is it the IT person's fault because they didn't put in some security method? Is it a finance person's fault because they didn't budget for it? Is it a manager's fault because they said not to bother because that's not a priority? Or do we track down the person whose password allowed the initial access and put it all on them? In reality, most situations can be blamed partially on all of those people: the manager said it wasn't a priority, but because the IT person explained it badly to them and because the finance person wouldn't pay for the staff or systems required, the finance person couldn't pay for that because the budget was set by senior management who didn't allocate anything because they didn't get told about the issue from the first manager, the IT person didn't build something out of the pieces available to them but because they weren't given the time, and the user entered their password on a phishing site, but wouldn't have done so if the IT people had put in a better email filter or more phishing training, and anyway that initial password wouldn't have allowed the attacker full access if the IT people had more inter-system security methods, which they didn't have because the finance person wouldn't pay for hardware, and they didn't build in software because the manager didn't give them enough time, because ...

doublelayer Silver badge

No, it really wasn't. It was a major failure of systemic accuracy. Integrity and accuracy are completely different aspects of a system and have different effects when lost.

Twitter's lawsuit against anti-hate-speech crusaders gets SLAPPed out of court

doublelayer Silver badge

Re: Careful here.

They don't have a master control panel that can shut off ad revenue, not that I have any ad revenue to be cut off anyway. Still, they can only cut it off by going to advertisers and telling them things that make them want to cut it off voluntarily, and they individually have to be convinced. Twitter still has some advertisers. The important part here is that, if they don't have anything convincing to tell them, then the advertisers don't have any reason to stop advertising. It only worked because what they were able to show advertisers is something the advertisers didn't want to see enough that they chose to stop buying advertising space. The organization may have helped to shine a light on that, but without that light, it would still have been going on, and advertisers were already leaving as a result anyway.

Debate is not stifled by someone pointing out facts. If you want to accuse someone, accuse the advertisers; they made the actual decision not to spend when they were free to ignore any reports written, and if they had, nobody would notice much. Those advertisers have free speech, including the right not to advertise. No debate stifled, nothing untoward happening. There are some forms of harassment that do occur and are dangerous. This isn't it.

Beijing issues list of approved CPUs – with no Intel or AMD

doublelayer Silver badge

Re: We should be worried

I don't think that will be the conversation. Windows licenses are pretty cheap. It will take a lot of changes before that answer is anything along the lines of the real one:

"Why are China so much cheaper?" "They can pay people really low and work them for 72 hours a week on normal weeks. Ah, can we do that too? Maybe open up a Chinese office and do work there? What other countries can we do that in?"

Uncle Sam, 15 US states launch antitrust war on Apple

doublelayer Silver badge

"As for "makes it tough to dump iOS for rivals", isn't that pretty much how MS operates with their Office suite?"

Not really. I had Word and Excel, I generated documents with both of them. I then decided that I didn't really need them, so my next computer didn't get them. I installed LibreOffice instead. I simply opened the same files with that and used that software instead. It handled them fine.

And no, if you find a file that opens correctly in Office and doesn't in LibreOffice, that doesn't mean that it's Microsoft's fault, because I do have one file that didn't work correctly in LibreOffice. That particular file had been generated by a different version of LibreOffice. Sometimes, it's not Microsoft's fault.

If you have a different kind of lock-in in mind, I'm willing to hear what you're thinking.

doublelayer Silver badge

Re: Freedoms?

No, you can have a closed OS. You start with either OS, and you don't flip any of the switches that open it up. You'll know them because they're the ones buried at least two levels deep in the settings where, if you try to flip them, you get a warning screen. Voila, closed OS for you. If you don't want to install something from outside the manufacturer's store, then don't install anything from outside the manufacturer's store. It's really quite easy.

Redis tightens its license terms, pleasing basically no one

doublelayer Silver badge

Re: So why the controversy

I don't think it is. Patents are applicable to any industry, and encrypted code is a technique that can be used in anything. The SSPL's fields of endeavor thing is more obvious, because it specifically mentions SaaS providers as having different terms to anyone else, but the GPL doesn't have different rules for encrypted code depending on what you're using it for, so the same terms apply to all people.

doublelayer Silver badge

Re: So why the controversy

Mostly because linking into GPL is something programmers choose to do. There are two important elements to this which I will take separately:

1. Programmers, not users. The SSPL comes into effect when you run the software on a computer if you use it for a certain purpose. The GPL does not care when you run it or why you did it. In fact, you are perfectly free to include the GPL software in your software as long as you don't distribute it, i.e. to use internally. You don't need to educate anyone putting the software to use on what the license means. You only need to tell programmers that might modify or use it in their own software what it means. They have probably seen open source before, so they already understand what restrictions apply to them.

2. Choose to do, rather than find that they've done: If you choose a GPLed dependency, you know you did that. When you pick something off of GitHub, you know that you'll have to read the license because it can be something proprietary that you are not allowed to use, so you know when the terms apply. You can understand the conditions on what this applies to, because it's anything you're linking this with, so you know what you have to put under GPL if you go ahead. With SSPL, neither applies. You may not know whether you are in the set of users that have to put software under a certain source, especially because all you did was install it on a server. If you decide that you are one of the group that has to do that, you don't know what comprises all the software the SSPL is demanding, and it's mostly going to be unrelated stuff written by other people (which you couldn't put under the SSPL anyway). Unlike the programmer and their own code base, it's the user trying to list all the pieces of software that come under a nonspecific category, which the average nontechnical person, even a Linux user, has no hope of doing. Even the most familiar person will have to spend a long time sorting things in and out of the list.

Many of us who care put some importance on the Open Source Definition. The GPL meets this definition. The SSPL specifically violates this part of it:

9. License Must Not Restrict Other Software

The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open source software.

It also violates, both in letter and in spirit, this part:

6. No Discrimination Against Fields of Endeavor

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

This is what I care about and the reason why the SSPL is not open source.

doublelayer Silver badge

Re: So why the controversy

The GPL requires you to distribute your modifications to the software under the same terms. The SSPL requires you to distribute basically every bit of software you run on the same computer under the same terms. The GPL can be complied with, you just might not want to. The SSPL is intentionally written to be essentially impossible to comply with. It's not just that your entire cloud service software stack has to be SSPL-licensed. That would be bad enough, but it is theoretically possible. The dependencies, the software you got from other sources, and depending on where someone tries to draw the line, system firmware, would have to be licensed as well. It is intentionally written so that buying the proprietary alternative is the only choice that is feasible.

doublelayer Silver badge

Re: Guess they spotted their mistake

No, I don't expect people to understand that, especially when they react as if free speech is somehow a lesser thing. The freedoms available with free software are more than just not paying for the software. Yes, you can make me pay for a copy, but the freedoms that Stallman advocated for, and he was the one who popularized that phrase, mean that I am within my rights to give copies to anyone I like, I can do it for free, or I can charge them and not give you any of the money. That's a core part of the freedoms: the freedom to distribute. He often made the distinction to clear up the situation for people who understood it as "software for free" and got it mixed up with what we call "freeware" (i.e. here's a binary, you pay me nothing, what do you mean source code). Requiring people to buy it from you so you're compensated for the work is not what he was talking about there.

doublelayer Silver badge

Re: "Software is only open source if the OSI says it is"

We need licenses that say "use this if you will keep it free but if you make money you must give us a percentage."

There are many and you can easily write another one. Don't be surprised when it doesn't count as open source. I'm not just referring to the OSI, because I don't see the OSI as a perfect judge of such things. I value their <a href="https://opensource.org/osd">definition</a> more highly, and I can evaluate by reading the license whether it meets the definition, kind of might meet the definition, or definitely doesn't meet the definition. The "pay us if you make money" bit is very contrary to parts 1 and 6 and can be and likely is contrary to parts 3, 7, and 8. Specific licenses, such as the SSPL, also are contrary to part 9, intentionally so, so they can claim not to be proprietary.

This is important to me and may be to others. If you don't want to be free or open, don't be. There is nothing morally wrong with proprietary software. Many proprietary databases exist, and there is no harm in making your business on selling another one. Oracle seems to make plenty of money doing it. The reason I use an open database, most of the time anyway, is because I want to avoid having to deal with the licensing disaster. For instance, I have many Postgres installations. Sometimes, it's because I really want to use one of the many features that Postgres has and other databases don't, but sometimes, I just want a database where nobody will ask to audit my licenses or exactly what I'm using it for and if that's commercial or not. When I write code, I decide when I've done that whether I want to sell it, in which case I don't release it or I put restrictions on the license, or whether I'm comfortable giving it away with the knowledge that I will likely not be able to sell it. I can try to sell support, and that will work on larger projects, but it is not guaranteed. If you want to sell it, go and sell it. Just don't pretend you're not.

Apple iPhone AI to be powered by Baidu in China, maybe

doublelayer Silver badge

Re: I assume because Chinese law

"At least China is smart enough to regulate its own AIs,"

If China's regulation actually did anything useful, that might be a convincing argument. It accomplishes two things:

1. The AIs are less likely to tell you anything the government wanted you not to hear enough to check for it.

2. It means the Chinese government gets to approve or deny AI models for any reason or no reason, so they can control any company trying to make them.

Crucially, it doesn't ensure that the models are accurate, or good at their jobs, or not dangerous to the user, or not going to make certain crimes very easy, or anything that we actually want to prevent. Whether you can do that at all is not a certain question, but China's regulation is not doing it.

I also don't think it's fair to say that countries other than China are not smart enough to regulate; the EU, UN, US, and various individual countries have talked about or actually passed regulations, but they don't know what exactly those regulations should be and what they've done tends to be nearly or entirely useless. If you can come up with a regulatory idea that would work, they already have an appetite for regulating it, so it would be pretty easy to get them to adopt your better set of rules. If you've got one, I'm all ears, because I don't have one.

Garlic chicken without garlic? Critics think Amazon recipe book was cooked up by AI

doublelayer Silver badge

Re: I wonder if they are tasty?

"if somehow an AI could be trained for deliciousness and generate the optimally delicious recipes based on a set of ingredients."

That's going to be one of the harder things to automate. There's a lot of subjectiveness with whether a given collection of ingredients is delicious or noxious, and some people will fall into either group. A lot of successful recipes use trial and error. For example, I decided to make a certain dish and just improvised a recipe. The result was... edible, and it didn't taste terrible, but it was clearly not going to win any awards. Still, I could see that there was promise in it, so I started to adjust the amounts of some ingredients and some times. I wasn't going back to the drawing board, I wasn't putting in completely different things, just trying what would happen if I used different proportions and more heat. I think it helped. I might serve it to you and get a negative response though, so all I've proven so far is that I like what I eventually came up with.

The AI can't do any of that. It can probably suggest a possible recipe, but perfecting it will require some people who can explain what they like and don't like, and if it's supposed to appeal to a large group, you need a lot of them.

UN: E-waste is growing 5x faster than it can be recycled

doublelayer Silver badge

Re: Perspective

"It is certainly being less wasted than doing nothing in the landfill..."

That depends on your perspective. The hardware is in use, but that isn't really any better or worse, and it is using power, which is slightly worse. Whether it evens out depends on what you would have done otherwise. If you would have bought new hardware to do the same job, it's probably better. If you would have opened it with existing tools, probably slightly worse.

Exposed: Chinese smartphone farms that run thousands of barebones mobes to do crime

doublelayer Silver badge

The harder it is to fake, the harder it is for you to determine whether a real person is real. If you're looking for entropy, I can replace the tilt sensor chip with one that fires off random numbers from a certain formula. You have to develop increasingly complex heuristics to detect that, and my chip can advance as well. In the meantime, your real users will be doing all sorts of stuff with their phones which will generate different levels of tilt action. If you're not careful, you'll eventually refuse some of them for not moving enough or moving so much that you think it's a fake chip.

There are some methods that can work a little better, but the more reliable they are, the more likely they are to be invasive and annoying to your users. For example, you could use the phone's camera, have them scan their face, and have them perform a series of actions you print on the screen using graphics that change a lot so they're not easily scripted but the human eye can easily distinguish. This will keep out a lot of bots, but it will also keep out a lot of users who cannot (e.g. movement problems, vision problems) or don't want to perform an odd validation dance to use your app. The simpler you make the methods, the more likely someone is to be able to automate it.

doublelayer Silver badge

What I meant was if the phone needs to act as a phone, i.e. sending or receiving calls or SMS messages, which can't be done without a valid number. That is an obvious reason to use phones themselves. If you're just sending calls, VOIP services seem to work well enough, but if you're doing something that uses SMS 2FA and requires unique phone numbers, that could be one reason why you would need a bunch of SIMs and a bunch of devices capable of using one. This is only one possibility, and for the reasons in my first comment there's reason to wonder if they're actually doing it, but that would not work just with a network connection over USB.

doublelayer Silver badge

That's the subject of most of the discussion in other threads, and for a lot of possible tasks, yes it really does seem inefficient. However, if there is a task that requires a phone, there can be a few reasons why this would be the most efficient option. The obvious reason is if you need to use cellular connections. If you need active phone numbers, you can't do that with a typical server, and the hardware that allows you to connect one SIM, let alone many SIMs, to something that's not a phone tends to be more expensive than just getting the motherboards out of the cheapest phones that aren't selling and using them. The theory is that Chinese dictatorship-linked tracking of phone numbers would make that difficult, but their repression might have some bugs that allow an organized criminal to get phone connections easier than we think.

The other option is that they're using some app that doesn't make it very easy to do anything outside the app. I'm imagining something that has no web interface available, no desktop access method, and actually secures the network communication so you can't inspect the traffic, reverse-engineer their protocol, and poke their API directly. The discussion has considered the ways you could virtualize Android, but in my experience, many of those are limited in some crucial ways, such as being easily detected by applications running in it, missing important system services, or just unstable in the first place. That could make buying cheap boards more reliable than trying to virtualize it, especially if they end up being as expensive as the server you're using. The article's quoted prices are about that of a mid-range desktop, so if you know a good Android VM, how many do you think you could run simultaneously on that machine before running out of CPU or RAM (I'm thinking RAM is probably the worse one, but it's also the cheaper one to fix)? If you do know a good Android VM, I'd be interested to hear which one it is, because I've been relatively disappointed with the ones I've seen.

It's tax season, and scammers are a step ahead of filers, Microsoft says

doublelayer Silver badge

Re: US Only

Both you and your first reply have the facts wrong. Just like everywhere else, typical wages have tax deducted when paid, not just at tax time. That's done because otherwise, it's very easy for someone to either spend more money than they should because they have to pay in taxes or run away with their money and refuse to pay the taxes. The authorities there do exactly the same thing as they do elsewhere. This article demonstrates that. The reason why criminals have taken to finding information on taxpayers and completing their tax paperwork for them is that many people have overpaid their taxes and will be receiving refunds, and the criminals can, by doing the paperwork before the real people, divert that refund to them. Of course, if they aren't getting a refund, the information can just be sold to someone who wants it, so being in the set of people with income that doesn't have automatic taxation* is no defense against this.

* Normal wages have taxes paid before the person receives them. Depending on the status, other types of income either might not (investment income) or definitely don't (business income). Another set of people are reporting that income and paying more taxes on it.

London Clinic probes claim staffer tried to peek at Princess Kate's records

doublelayer Silver badge

Re: Don't dignify the tabloids

"saying someone has photoshopped something was much easier than trying to explain a relatively new feature on Apple phones and bringing AI into the equation."

However, the metadata indicates that Photoshop, that specific product, was used to edit it and iPhones were not. This gives us two options:

1. It is what you say, but someone removed anything indicating that an iPhone was involved at all in the image taking process and substituted some mangled data pointing to a standalone camera and Photoshop just to mess with us.

2. It wasn't an iPhone, so it wasn't iPhone AI. Something else did it.

Which seems more likely to you?

doublelayer Silver badge

Re: Don't dignify the tabloids

"The "doctored" photo in question was a matter of minor touch-ups"

I have long considered that my not being a UK citizen gives me the opportunity to gladly not know anything about the royal family, including at times who is related to whom. Still, I have heard more about this photo than I'd like to and you are understating the degree of editing involved. A post by a person who enjoys analyzing photos, not someone who tracks the royal family, notes many edits involving all the people depicted and many parts of them. This isn't a minor edit for some aesthetic purpose. What actually was intended is something I don't have to care about, but understating it as "minor touch-ups" is no better than overstating it as "definitely indicates that she died in February" or any other unproven nonsense someone might be trying.

Brits blissfully unbothered by snail-paced mobile network speeds

doublelayer Silver badge

Re: Facebook isn't used as much by the younger generation(s)

"basically, it seems a podcast is just a name for an audio file you can download and listen to offline"

Yes, you have it right. There's an RSS feed around it, so it is a feed of audio or video files that you can download and monitor for new ones. That's really all there is to it. And yes, Apple did start a lot of it so they got to get the "pod" in the name, but they don't make iPods anymore, it's a very open standard that doesn't give any power to Apple, and the one thing they still have (a popular but optional database making it easy to find podcasts) is open to everyone on all platforms, so can't we give them the name thing?

Whether you like that or not is up to you, but the concept is not complicated. Podcasts are just another way to listen, and there are quite good ones and a large number of crap ones, just like everything else on the internet.

Judge demands social media sites prove they didn't help radicalize mass shooter

doublelayer Silver badge

Re: It’s the algorithms on trial [Hold Up Here, Chief]

Laws are written to enforce moral things. Maybe your philosophy is that they shouldn't, and I certainly can point to laws that enforce morals I don't share and would like to see change. If you're trying to pretend that laws are not written to make some forms of morality required with penalties if you don't act in the way they consider moral, you may have a weird idea of what makes a politician promote one or a voter demand one.

"Trying to claim that their product is defective, when it was operating as designed is like holding a car manufacturer responsible for a driver intentionally running down pedestrians."

You have made this argument before, but it does not represent what the case is about. The defect they're talking about is that the recommendation engines promoted violent material, and if you ask the companies that make the algorithms, they will tell you that they don't intend to recommend that stuff. They will say that because the alternative "yes, we definitely build our engine to recommend violent media when we think that'll make us money", sounds evil. The reality may be that they don't intentionally try to promote it and they may put a little effort into trying to detect it, but so little that it doesn't actually get removed from the recommendations list unless it's extreme and obvious. If this is behavior that the producer says they don't intend and behavior that the plaintiff says is harmful, then you can make a case that it's a defect. It's not a perfect one that's obviously going to win, but that's not the only legal problem these lawyers have.

The analogy to a car or a scalpel is wrong. When talking about the moral responsibility, they can be valid arguments to suggest certain views, but when arguing the legal one, they are not because they don't represent the argument being made. The scalpel example, in particular, is very far from the situation because using a scalpel as a screwdriver is ridiculously far from intended use, whereas using a car to move forward or a social media algorithm to see content is exactly what they were built for.

doublelayer Silver badge

Re: IANAL

The question is not about common carrier. They are not common carriers, but they don't have to be. The protections of section 230 apply to "information service provider[s]". The distinction is that information service allows them to make the information public and show it to many people, including those who were not deliberately targeted. In order to prove this case, they'll have to do one of the following:

1. either prove or form a distinction between "information service provider" and something else,

2. demonstrate that the law itself contradicts some other law or right,

3. demonstrate that the platforms do not have to be deemed a publisher to have liability for this case.

I think they're kind of going for option 3, but I'm not their lawyer or a lawyer, so I can't say that for sure. They're already close to the already decided cases using 230 in a related way, so they'll have to have a new argument or they'll lose from that precedent.

doublelayer Silver badge

Re: IANAL

Without 230 or something similar, there might be a lot less everything. If I could be sued for literally any comment someone chose to post, I might be a lot more cautious about letting people post anything that was slightly negative on one of my sites. If I write a post about a product existing and someone comments that the company's build quality, security practices, value for money, or anything else was bad, do I want to take the risk that the company concerned gets angry about that comment existing and try to threaten me into taking it down? We all know that some companies are that irritating and quick to use the threatening legal letter.

Yes, that would also significantly reduce the junk out there, including the really unpleasant junk. It is useful to know what the downsides are when considering it, however.

doublelayer Silver badge

Re: IANAL

"where is TikTok?"

My best guess is that they're focusing on services this specific attacker used and he didn't use TikTok? It's a long list as it is, but maybe he did list all of those as places he found material that made him want to commit mass murder. That restriction is the only reason why TikTok couldn't fit into the list. Whether this suit will prove viable is a separate question.

How to run an LLM on your PC, not in the cloud, in less than 10 minutes

doublelayer Silver badge

Re: curl -fsSL someurl | sh

My point is that, if you're building from source, you probably aren't reading the (quick check) 110 files containing 18002 lines of Go, not counting anything retrieved when running the build scripts, or the build scripts, or the frontend stuff written in TypeScript and some JavaScript. Then, you download a massive model which probably just has an input and output stream, but you can't be sure, and I have a feeling you're not building that from source because that is training and it's quite expensive. Treating the installation script as the dangerous part when there are tons of other parts where something dangerous could be is not very helpful. The script can be very straightforward, and it is, and that proves nothing about whether this could be malicious (yes) and whether it is (probably not, but how would I know).

doublelayer Silver badge

Re: curl -fsSL someurl | sh

Not if that exe was basically running its own curl to get the real code. A lot of installers work that way, and although they're not my favorite, they think there is a reason because it lets people install the subset of components without, for example, including the translations and fonts for a bunch of languages the user doesn't want in the initial file. Malware can easily use a basic downloader which won't look dodgy until the specific sample has been reported, and it just downloads the more suspicious code and executes it from memory.

Installing this program on Linux (or anything else) will involve one of two things:

1. Downloading a binary from someone else's server and executing it.

2. Downloading a rather large chunk of code and compiling it.

And running it involves one more:

3. Downloading a model, either from their server or another one, and running it.

That's three methods to run malicious code if they are malicious. Saving the script and reading through it won't help you when this line from the real script

curl --fail --show-error --location --progress-bar -o $TEMP_DIR/ollama "https://ollama.com/download/ollama-linux-${ARCH}${VER_PARAM}"

can download any binary. If they're doing something malicious, the malicious part would be in that file, not this script which I can read in a minute. If you don't trust them, you can try to build from source instead, but I somehow doubt you're reading every file to make sure you don't think anything in it is malicious.
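The point the post makes is that the install script is not where the risk sits: the curl line it quotes fetches an arbitrary binary, and reading the script tells you nothing about that binary. What does change the risk is whether the fetched artifact is checked against an expected digest (or signature) obtained out of band before anything executes. The following POSIX shell is an added example of that fetch-then-verify pattern; it is not from the post and not the Ollama project's installer. The digest constant is the SHA-256 of the constructed string "hello", used only so the demo runs offline; in practice the expected digest comes from the vendor's published checksum file or detached signature, never from the same URL as the download.

```shell
#!/bin/sh
# Added example: download to a file, verify its digest, and only then run it.
# Contrast with `curl ... | sh`, where the bytes execute as they arrive and
# nothing is ever compared against a known-good value.

# sha256_of FILE
# Prints the hex SHA-256 of FILE using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 when FILE's digest equals EXPECTED_SHA256, 1 otherwise.
# Never executes FILE; the caller decides what to do after a successful check.
verify_artifact() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# fetch_and_verify URL DEST EXPECTED_SHA256
# Downloads URL to DEST (a file, not a pipe) and deletes DEST on mismatch,
# so a wrong artifact never stays on disk to be run by mistake.
# Same curl options as the quoted installer line, but the result is checked.
# Not exercised in the demo below because it needs network access.
fetch_and_verify() {
    curl --fail --show-error --location --silent -o "$2" "$1" || return 1
    verify_artifact "$2" "$3" || { rm -f "$2"; return 1; }
}

# Constructed test vector: SHA-256("hello"), with no trailing newline.
# A real deployment would read this from a checksum file fetched separately.
HELLO_SHA256=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

# Demo on a constructed local file so the example runs without a download.
DEMO_FILE=$(mktemp)
printf 'hello' > "$DEMO_FILE"
if verify_artifact "$DEMO_FILE" "$HELLO_SHA256"; then
    echo "digest ok: this is the point at which chmod +x and execution would happen"
else
    echo "refusing to run $DEMO_FILE"
fi
rm -f "$DEMO_FILE"
```

The check only moves trust, it does not remove it: you now trust whoever published the digest and the channel it came from. That is still an improvement over the pipe, because a tampered mirror or a compromised CDN edge then fails loudly instead of silently running, and the same `verify_artifact` step applies equally to the model file the post mentions as the third download.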

Reddit gets a call from Nokia about patent infringement ahead of going public

doublelayer Silver badge

Re: We don't have details of the dispute.

That won't work for long. They can try to hide it between themselves and Reddit, but if Reddit doesn't come to an agreement with them, they'll have to make it public in a court filing which specifically lists the violations they allege.

doublelayer Silver badge

Re: 2 years may not be long enough

"if they "infringed" upon the patent before you started selling anything that uses it, too bad, it's considered two entities arriving at the same conclusion independently of one another."

That's a recipe for invalidating a patent by watching for it to be filed then quickly making something crappy that can be argued to use the patent. I don't object to the idea, but that detail is open to a lot of abuse if the patent is real, so it may need some more tuning.

When life gives you Lemon, sack him

doublelayer Silver badge

Re: All seems pretty sensible from my echo chamber.

I don't know the person, but those questions, while hard, are the kind of thing you expect from an interview. If you have had problems, very public ones, getting advertising for your social media platform, and advertising is the primary revenue source for the thing which has been running at a loss for basically its entire life as a company and a big loss since you took over, that is likely to come up when someone is interviewing you. You should expect that it will come up, have a PR person come up with a nice answer that makes you sound confident and the business sound successful, and have it ready for that point in the interview. Having someone ask those questions when you control the situation means you have the power to respond exactly how you'd like. Clearly, he didn't plan for that and took offense at the questions, but they're not outlandish or offensive questions.

If you are hiring a reporter to interview you, expect to be asked questions. If you don't want that, hire the reporter and don't have them interview you, or hire someone who will ask you only questions you wrote. Musk didn't plan this out, but it would have been a perfectly workable way for him to learn what the questions would be and have good* answers for the lot.

* Well, not all of them would be good, but they would be the ones that sound best in his situation. For instance, his answer about drug use may not have been great in our opinion, but it was confident which is probably the best that one could hope for with that situation.