Posts by doublelayer

Re: Do the work, get paid, move on

They don't have to do it that way. They could easily pay actors the same way they pay many other people who do jobs, creative or not. Mine, for instance. I get paid to write some software. They don't pay me each time they run it. We negotiated how much they had to pay to get the software when I was hired. If they do that with an actor, no problem. The reason they don't is usually that they don't have enough money to do that, so they offer to continue paying the actor from money that comes in later instead of paying up front. You could also do software that way: I'll get paid less while writing it, then you give me a portion of the license fees.

Neither has any connection to the AI work. If they buy the software writing from me, they get that piece of software. They don't get other pieces of software I write. They don't even get fixes to that one unless I am still employed. When hiring an actor, you don't get rights to everything about them forever, you get the rights to the performance they just did for you. You want to keep showing that video of them following the script? Great. You want to use their picture in a big machine learning training thing? Get permission to do that or you don't get to.

Re: "this is expected and documented behavior inherent to how fork networks work"

I don't know how many people this applies to, but there are many who don't know much about Git and use it anyway. When someone first picks up the tool, it looks pretty easy. You add a file, you commit the changes, you push. The code goes up. When someone else has made changes, you pull. Great, I understand Git.

They think that right up until their first merge conflict. Oh, I can't just push while someone else might be doing the same thing. So they learn branches. I push to my branch, you push to your branch, then we merge them. Great, I understand Git.

They think that until they need to get code back. How do I find the code after someone's merged over it? None of my commands do that. So they learn some other ones that work with the history, and they learn some blunt tools for returning to the head. Great, I understand Git.

They think that until a branch merge conflict. Okay, it's time to learn rebase, and rebase isn't a simple command. But they read about it and do some experiments, but now, they know they don't understand Git, at least not fully.

I can't say I do either. I have a relatively good understanding of some of the internals. I know enough to know that you can't simply delete a commit and expect it to become invisible. I can describe some of the internal structures accurately, and I can sound confident when I do it as long as people only ask about the ones I've actually looked at. But since I have not written code inside Git, nor have I memorized every manual page in it, I do not know everything there is to know about Git. Nor am I the least knowledgeable person on my team. We know enough about Git that we get what we need and don't break things. That doesn't make us experts. And we're professional users. There are lots of beginners who know less because they've used it less.

Re: Java Business

"SUN could easily have transformed herself into a Software Business IF they had demanded, from 2003 onwards, moderate license fees for the Java Compiler, the VM, the JRE and so on. Think of 30 Euros per core per year."

Or they could find that people didn't want to and were getting rather tired of being charged. So they stop developing their software in Java, so their customers stop buying JRE licenses. Now they've lost some JDK and JRE licenses. This, in turn, means that the businesses get less value from the licenses they retain, and they start migrating away from Java-based tools. That could happen as well.

It should be rather obvious that it's a possibility if we consider other prices. Had it been €30k per core per year, that would happen almost immediately. Lower the prices and the number of customers you lose decreases and the time between the price change and the loss lengthens. You assume that €30/core/year would be low enough that people wouldn't switch, but Sun's assumptions could easily have been different based on better information about who they would be asking to pay and how much benefit they were already receiving. Pricing is hard, and it can be far too easy to assume that what you would be willing to pay will work for the rest of the market. Oracle is trying this today, but that's no more guarantee that it will work for them.

Sun also had to work around licensing issues meaning they couldn't just apply a unilateral change in terms to every customer overnight. They had to do that because, earlier on, they gave terms that caused people to use the language and they had to. Otherwise, a SaaS business that runs lots of servers and therefore would bear the license increase you describe themselves would have seen Java as too risky a solution and wouldn't use it in the first place. That means fewer developers being paid to learn Sun's language, fewer libraries being made available, which means fewer people choosing to start by learning Java, which means fewer people choosing it in new builds and more people choosing competitors, and all of that means fewer customers for any commercial products Sun did want people to buy. They chose to provide free access, not because they were convinced by an ideological point, but to quickly build up a customer base.

Re: Optimus optimism

I could think of things that I would do with one if I had it, but those things are not going to be important enough to justify anything near what the most basic of robots might cost. If I had one, I would likely consider automating some tasks that don't interest me, but it would take a lot of hours freed from such chores to equal the price of the machine and the, admittedly more enjoyable, hours programming it to do those things.

There's also a market problem. If I earn a normal amount of money, which I do, then a robot is likely to be out of my price range in any case. If I'm a very wealthy person, I can try hiring someone to do things that I want done and they're likely to make fewer and less damaging mistakes when starting. I'm not sure the first generations of humanoid robots will have enough demand to sell except to people who like having the latest expensive gadgets, and I don't think that's a big enough market to fund development of the second generation.

Re: Secure boot?

That doesn't necessarily preclude signing. Step 1 makes a file. Somehow, the output was corrupted during or after step 1. The file is then passed to step 2, which signs it. The result is a file that is properly signed, verifies just fine, and once the signed content is extracted, it's still invalid. Steps 1 and 2 don't even have to be separate processes, though they probably are.

That is calculable. Of course, depending on how you implement it, different numbers and methods would have to be used, but it isn't difficult to get approximate numbers.

For instance, this experiment took place in the US. The current US population is 335 million. We'll also use the same payment amount of this study, $1k per month or $12k per year. This makes a total annual payment of $4.020 trillion. You've asked to have this paid by the top 0.1%, which would be 335,000 people. This makes for an annual payment from them of $12 million if it were divided equally, which it probably wouldn't be. The wealth required to get you into the top 0.1% is $62 million (source). You would need a wealth tax on the order of 20% annually to get that much, and if you did it, it might work for a decade, depending on the return on investment we assume for the funds they retain.

If you try to implement that, expect several consequences, including lots of wealthy people trying to prevent you from doing that. You should also expect that people will search for or create loopholes to get out of it, because you can hire a lot of lawyers and accountants for less than 20% of a 0.1% level wealth. But also remember that it is not going to work forever even if you can get exactly what you asked for. You will need a plan for what you will do after that. Lowering the wealth cap is the most likely solution, but it too won't last very long.

Re: Where can I get more of that scam?

They could modify the picture on the identification documents instead, but if they did that, the picture would no longer match any other pictures of the victim that might be found online. I wouldn't search out pictures of people to check them against the documents, but if someone did, that might make it difficult to get away with an ID that's just had someone else's picture swapped in. Meanwhile, if they have good enough software that they can appear in a video as the person whose real face is on the ID, then that might be less likely to be caught by the employer before someone is hired. This is especially true for differences in age, because if I change out the picture on an identification document for someone aged 23 and they claim to have ten years professional experience and a birth date in line with that, it might be more obvious that they're not who they say they are.

Re: Josh Robbins of libertarian law group

I've found that "libertarian" usually translates to "those regulations I like and no others". So they'll probably argue here that they don't want people to lose the right to choose whether to accept a non-compete contract, a choice that should come with a compensatory increase in wages. The argument doesn't make a lot of sense in context, but if you find someone and get them to answer, I can pretty much guarantee that's what you'll hear. If you find someone who says they're a libertarian, however, there's a good chance they'll completely disagree with these guys on what is fair and what should be done to make that happen. That's why I don't call myself a libertarian; there are too many people who are using the term who I disagree with and using it would only confuse everything.

Re: tracking cookies?

I think some version of it, which might not be the same one they're using now, would use cookies set by other Google products as a way to bypass the check. If you identified yourself to Google and they could track you onto the page, then you're allowed through. Otherwise, do a test.

Re: @Doctor Syntax - If Russia gets away with destroying Ukraine :o

Hmm. What countries might be on the borders of Russia and recently joined NATO? Starts with F. What countries aren't on the border but would be if Russia takes Ukraine? Starts with R. What country has moved closer to NATO membership and is in the latter position? Starts with M.

Maybe, if you went with countries that joined in 2023 rather than ones that joined in 2009, you might have already figured this out.

Yes, they could have implemented a two-stage process where they still have a kernel-level program and it provides data out to something else. There might have been an efficiency drop by doing that, but it would probably be fine enough. The critical point, however, is that this change, while it might have prevented this problem, still involves their being code running at kernel level which, if it broke, would break the kernel. The attempts to blame Microsoft often take the form of explaining that CrowdStrike shouldn't have run anything at kernel level at all, which would not work, and then finding a reason why it's Microsoft's fault that they could, which it isn't.

Re: You know...

I don't agree. Whenever I've seen someone try that, they take a relatively basic approach, one which I don't think gets anywhere. Basically, they follow this plan:

1. Read something the killer wrote. If it's a manifesto, that. If it's not a manifesto, something they posted to social media. If they didn't post on social media, a message sent to someone picked at random.

2. Decide on some opinion that they seem to hold strongly. If this is an opinion you dislike, go to 3. If not, go to 4.

3. Breathless announcement: people who think [opinion] are killers. We should do something about that kind of person.

4. Is there another opinion, one you dislike this time? If so, go to 3. Otherwise, go to 5.

5. Wait for next killer.

Opinions that you can actually make that case about are pretty obvious, because such things often take the form of "I dislike [x] and would like to kill people who, in my mind at least, represent [x]". You don't need much to figure out that a person who says that is potentially murderous. Even then, you have a lot of people who may say that and never actually do anything. If you get any broader, your correlations will be worthless and lead to harmful stereotypes, for instance "The guy who killed people was a soldier, it is not the first time a soldier was responsible for a mass killing of innocent people, that means soldiers are killers". Simplistic to the point of inaccuracy and not something you can do anything about.

Re: The problem is operational

Often, it is considered the OS's job to execute the software provided, and if you've chosen to let that software run at kernel level because you want it to have access to everything, that means it can mess up the kernel. An operating system that allows you to install software at that level is not compatible with one that can prevent errors executed at that level from having deleterious effects.

So we move on to your next suggestion, which is more plausible, of automatic recovery. That one can work. Have a versioned filesystem, and whenever you have a kernel panic, rewind to an older version and boot that. Of course, if the panic happened because some hardware failure triggered a kernel bug, then you'll end up rewinding yourself to the earliest version available as it panics every time, and it might provide a method for an attacker to remove recent updates in order to reactivate a vulnerability, but in principle the idea would work and those additional dangers could be mitigated by other protections. We would have to figure out what those protections should be and design them, but your second suggestion is possible.

Re: The fault's with Microsoft

Basically, no. If I put in a program which works at kernel level, configure that program to start early in the boot process, and then do something in that process which takes down the kernel, having a Linux kernel instead of an NT kernel won't prevent that from crashing the system nor from making the recovery process annoying. There are some differences meaning that I might not have to run at kernel level for the same purposes, and then maybe my mistake will happen at a higher level and the boot will complete, but there is no guarantee that this will happen. Linux gives the user the ability to run software with very elevated permissions, enough to cause serious faults if that software is badly written.

Re: I’m shocked.

The US regulators didn't "cave in", they tried to block it repeatedly and a judge wouldn't let them block it indefinitely. That's why they're still appealing it. The EU agreed to the merger after getting some promises from Microsoft, promises that haven't yet been broken, but the US and UK regulators hung on for longer. While the UK eventually agreed to the merger, the US's regulator has never approved it and is still trying to retroactively disassemble the two.

Re: Did they actually look at what was being torrented?

Yes, the detection based on hashes alone would fail. They would have to download the file to check its content. There are several problems with the suggestion from the perspective of someone wanting to pirate and allow others to pirate without getting caught:

1. You can't do that with a torrent. Torrents only work when they can deliver identical, byte-for-byte copies. Deliver ones with additional noise that's different per user and all your seeds will stop being able to deliver the content anymore. You can do that if you're operating a central server that hosts the pirated content, but now you're incurring a lot more bandwidth usage to deliver the same number of copies.

2. The copyright owners can still download the file and identify that it's their music in there. Just having someone listen would be enough, and there are also pieces of software intended to detect similarity between audio files of different encodings or qualities which would instantly figure it out from a downloaded file.

At the end of the day, it wouldn't be effective enough to produce any notable change.

Re: Good riddance

I think there are several more problems with bidirectional links and they basically only worked in TBL's internal data system which had a, compared to the internet, very small scope of data to be catalogued. With anything too large, links tend to make sense only in one direction. If my project links to a library I used, that makes sense, because someone modifying my project might want to find the canonical source of the component. If the library links back to my project, it makes much less sense, because that library does not use my project, so at best it can be an example of something you can do with their library and it might not be a good one.

"I think there is a potential role for something between a link shortener and a URN: a service owned by an identifiable authority, with established criteria for cataloguing resources that could issue permanent "handles" for resources whose actual target could be transparently changed to match their present physical location."

I'm not sure when that would be more useful than a more efficient alternative. For instance, we could do that for scientific journal articles, which are relatively easy to name uniquely, and the trusted authority could index them and keep a database of the URLs where you can find the paper. Fine, but nothing prevents someone who operates the server it's pointing to from accidentally shutting it down and disconnecting access. Presumably, the cataloguing authority has to detect that and get the server to come back or find another source. In comparison, if they just copied the thing, then they just have to keep some disk space around and stay online themselves. Less administrative effort and therefore expense means they're more likely to do something like that. That applies as well, if not better, to something that's less organized than scientific papers, because unless the files are very big, the administrative effort of keeping track of their locations is likely higher than the disk space needed to store them.

I used to work in a corner of an office where the sensors weren't very good. They did not detect my normal movements and would switch off if I was the only one there. If they did this and I simply raised my arms and waved them, that wasn't enough movement to register from the corner, so they'd stay off. If I wanted them to go back on, I had to stand up and walk away from my desk, then walk back. While it was a good reminder when alone to stand up sometimes, there were other times when the thing I was debugging had gotten enough of my attention that I just lived with the darkness.

Re: Prospects

Which they can do just fine, but it also means that, if they choose to put the prices up, customers can leave them almost immediately. That is why a lot of places that actually do month-to-month contracts don't mess with the prices too often. They know that doing that will cause people to leave and that they often attract their customers with simple and stable prices because their customers are those who shopped around to find them and can shop around again if they don't like them.

Re: Why security reviews are so time and money-consuming :o

No, that's not it, or at least that's not the major reason. It's because security and vulnerabilities are such large sets that there's no simple formal method of defining something secure. Take the operation of opening a file and writing something to it. The OS doesn't make that insecure. While you might find a filesystem bug that makes that operation vulnerable or a bug in a kernel or process that can be invoked by doing so, those aren't that common. Yet there are still lots of possible vulnerabilities any time that is done, most of them intra-program. The file could be subject to a deserialization attack when it's read back in later. It could be used to use up some resources and provide a DoS method. It could be used to inhibit performance. If the program mishandles paths, it could be used in a directory traversal attack. There are some inter-program methods as well, or at least inter-process. None of these things are due to the platform and tend to be as available on any operating system, but they're down to practices during development of that application. Many of them won't apply just because of the way the program is designed. If you don't let the user name the created file, that excludes some classes of possible vulnerabilities right there. That's not a universal rule that the user must never supply file names, but one consideration among others when making implementation decisions.

A security review is supposed to identify risks like this, but only some of those are easily detected by an automated tool. Tools are improving, but there are still many that will be difficult or impossible to detect that way. Often, vulnerabilities in a piece of software are not carried over from its platform, but come from that software itself. Blaming the platform when bugs are found elsewhere is just going to let writers of insecure code off the hook.

Re: The more process you have the less agile you are.

And that's great right up until the point where that team doesn't want to do something, so they just don't. The typical example is documentation. I know a lot of developers who don't want to write it. I know a lot of companies that don't want to employ someone else to write it, and if they did, the developers don't want to tell those people the kind of stuff necessary to write it. I've seen both those groups use the line about valuing working software over documentation in the Agile Manifesto as an excuse for why their stump of a readme and error messages is enough documentation. It isn't.

There are a lot of good processes that come about organically from a team just trying to get something done, but sometimes, that team needs to get a very specific thing done, the kind of thing that no team just decides they want to do. Few or no people have gotten together with the dream that, if they put in some time, they could build a really nice web interface for forms and processes of a local bureaucracy, but someone eventually has to write the software that does that. The processes that work for one do not necessarily work well for the other, because the bureaucracy in question doesn't understand the technical reality of what they need, the devs don't understand the processes the code is supposed to deal with, the customer does not have the time or inclination to test a gazillion intermediate versions that don't do anything of use because not everything is connected up yet, and the local government has fixed budgets and timelines because they are required to do so. That can be resolved in a variety of ways, and in some of them, the more Agile approach is the better one. However, the completely Agile approach, where the customer's whim is sufficient to change things at the last minute and there will be lots of those because nobody planned out all the needed functionality at the start, is bound to create chaos when the scope has changed but the timelines have not.