Posts by doublelayer

Re: Financialisation versus origination

Basically everything you said is wrong.

"Open Source has always been about free for personal use."

Most licenses, the ones that go back decades, specifically include the fact that you can sell the code, you can sell the use of the code, and various other clearly commercial rights. It's not new. They restrict how viable a commercial product can be, since you can't be the only one to sell the code, but they very clearly include it.

"Rather than taking an apprentice, they can publish "open source" project and let the public contribute. Then often if they like the work of some contributors they offer them work."

This has a right and wrong part:

Right: This is a way to get free work.

Wrong: There's any problem, legal or moral, with that. The only free work they get is from people who deliberately choose to do so. Nobody is making anyone do that. If nobody is interested in solving their problem, they don't get their problem fixed. They can hope that someone comes along and takes a liking to their code and they can snap that person up, but if that's their plan, it's not going to work too well.

Re: Isn't there an obvious flaw?

Yes, that can happen, and it has for most of the big cases. Amazon forked Elastic's products and made OpenSearch. Terraform has been forked to make OpenTofu. Basically, the quick switch to proprietary is not necessarily going to bring the cash the companies want, but it is virtually guaranteed to cause chaos in the community of users and contributors who now have to decide which fork to use. In Elastic's case, they deliberately introduced breaking changes to try to prevent OpenSearch from being compatible with their version, which caused some extra chaos for both projects.

Re: If Only

No, people don't see that as non-free, as it's trivially accomplished by not having a contributor license agreement that reassigns copyright or gives unrestricted rights. Linux, for example, doesn't have the copyright to every part of the kernel, and therefore can't change the license without some difficult effort. This might lead to a backlash against CLAs. At one point, a CLA made some sense because it allowed a central project lead to control the project even if you, the part-time contributor, got bored and left. Now that the concern is that the central project lead will switch to proprietary, giving them that control seems less desirable.

Re: "proprietary gatekeeping wrapped in open washed clothing"

"Nobody paying attention will run along with this. This is just Big Capital pulling the wool over the unwary."

The concern is that it will spread. When someone announces something open source, there's no way of knowing whether it's about to change license or not. If there's any corporate structure, then someone could buy or otherwise gain control of it and completely change the terms. If people start to avoid anything that looks too much like a company making open source software, you run the risk that larger open source projects get fewer users and developers. While it's always been possible for open source software to die, it usually happened by a slow loss in continued updates rather than an overnight switch to proprietary.

Re: So what about all the students reading books to write papers?

The argument is that reading a book as a human and processing the book in a process called "training" aren't the same thing. Thus, just because one is acceptable doesn't mean the other is. It gets philosophical when we start to ask what the model is really doing with the text it is ingesting, but it should be clear that I can't use whatever copyrighted information I want just by calling whatever my program is doing training.

Re: Rome or Vatican?

Of those states, one of them is not just a city, but a city and surrounding area including several islands without urbanization yet. It is a state that only has one real city in it, but not a state that's entirely enclosed in a city. Another is a state that is entirely enclosed in a city, but that city is not enclosed in another city, which is what they were talking about. So there is only one state that fulfills their criteria.

Re: For best results, use a password generator that can give you a long, random string"

"The most fundamental rule that is not being imparted is:

a password is not to give you access -- it's to deny access to others, so don't make it obvious.

But I've never seen that stated plainly in any password policy I've seen over two decades of consulting."

I didn't think we had to, since that seems rather intrinsic in a definition of a password. I think users know what a password is for. They either don't care as much about the desire to make it secure or don't understand how password security works, and the latter is a point on which we can help, but I think they understand why they've got one.

And you assume that they're providing their customers' passwords why? Did you read that in the article? Did you read that in their statement? Does it make any sense whatsoever, given how password managers work?

They didn't.

Re: What about sites that force you to make it easier?

I usually assume the worst with sites like this. One reason this could happen is that someone copied and pasted some validity checking code for no reason, but the most plausible reason I can come up with is that the password is stored raw in a database and they're worried that some characters will mess up an SQL statement, meaning the service is vulnerable to SQL injection and has my passwords in plain text. Maybe that's not true, but if I see those requirements, I assume that they hold and act accordingly.

Re: Streaming Passwords

This is true in my case. If I expect that I will have to enter a password on something with an annoying input device, the password is likely to look something like hzycdkbkfamxptdjdl. Length makes it secure, but by having no characters that aren't on the lowercase keyboard, I don't have to keep switching layers to enter it. This is, of course, if I have the luxury of encrypting it and looking it up only when needed. I imagine that people who have to enter it frequently or share it with others don't bother with that either.

I'm not sure it's as simple as email addresses rather than an internal communication system, but either way, that's a good target for investigators to go after.

Re: You write this as if

They are a business in most respects, other than having a corporate entity that pays tax, but nearly everything else they do is done like a business. That doesn't prevent them being scum, and they certainly are.

Re: Who benefits if this changes

I don't think it works that way because 401K accounts aren't a pension which pays out specific amounts. They are tax-advantaged individual investment accounts. An employee who contributes a certain amount can invest and withdraw from that money subject to certain legal requirements, and someone who put less into it simply has less to work with. Since there is no common pot, the forfeited funds can't be put in one unless they stop using 401K accounts altogether.

Re: Two questions for the price of one

Just because something's been reorganized and turned into floats doesn't mean the original data is not there. If things were that simple, I could eliminate piracy and copyright in one plan by making a suitably annoying obfuscation system. The way you can determine that the data is still there is when models like that start to reiterate the training data verbatim. They have been known to do so, sometimes on their own and more often when prompted with a starting point. They have to do some calculations to reconstitute the original work, but it's in there.

"Isn't the copyright holder reimbursed when the trainer buys the book in the first place?"

So far, no, because they didn't buy the book. They found illegal copies online and used those for free.

Even if they started buying individual copies, buying a copy of the book doesn't necessarily let you do whatever you want with it. For a very simple example, if I buy a copy of a book, I don't get to start printing and selling my own copies and saying that the author got their compensation when I bought the first copy. There are limitations on the use of the content of the books, and it is not clear whether AI training qualifies. I think it should not, but the law doesn't clearly answer either way.

Re: Is it legal? Who cares. *Should* it be legal is the question to debate

True, we should be discussing that, but it's likely not to happen until some court has decided what the current law says. Once a decision has been made, lobbyists for AI companies and publishers will start to try to change the law to better serve their companies, and we can start having that conversation, not that our views will be at all important to the politicians making the final decision.

In the spirit of having that conversation, I'm on the side of copyright here. I don't think the benefits of more articulate programs outweigh the costs of effectively telling anyone that, if their program is large enough, they can use anyone's copyrighted information in any way they please. We all know that this power would only be available to companies that are large enough; if I ran a copy of the Windows source code through as training data, Microsoft would not agree that it's acceptable, even as their friends at OpenAI effectively do the same to lots of others.

Re: Two questions for the price of one

That's not the argument at all. This is not about temporarily copying the text into buffers during processing. It's about two other copies:

1. The copy in the training data, which is not temporary because it's kept around for months to train models on, if not forever so it's available for subsequent models.

2. The storage of the processed work, which in many cases includes most or all of the work, just sliced into pieces, in the final model.

The copyright holders are claiming that point 1 is a violation of their rights because the companies did not get permission to obtain the work at all, and that point 2 is also a violation because it involves the storage and reproduction of their work. There are arguments that the second is not a violation which I don't find convincing, but either of those can be a problem for those who use copyrighted material as training data.

Re: IP is an industry

Whether it is valuable is not important. It could be valuable, and thus we find it useful to protect it. If it's crap, then nobody will buy it and its protected value will still be low. If it is not, the people who put in the effort which resulted in it not being crap deserve to benefit from that effort.

And yes, there will be an IP litigation industry, just as there is an industry for any profession, including ones that rely on negative aspects of our world. There is a toxic waste disposal industry, a fraud prevention industry, a repair of electronics after their manufacturer has dropped support industry, and an IP litigation industry. If we had less toxic waste, fraud, premature obsolescence, and copyright and patent violations, then we would need less of those things.

Re: Two questions for the price of one

"If it were instead a breach of contract with such a stiff penalty, that would seem to open the door for very onerous EULAs."

I don't see that as any stronger than an open source license. It's still based on the copyright rights to the content, and rather than applying a license to modifications you make, it limits your ability to store it on a different system. Not to mention that most of the ways you could store it on a system that would actually incur their investigations would themselves be copyright infringement, and they would go after that instead. While their term technically means that scanning it is not allowed, they're unlikely to do anything to someone who did for their own use unless that person also published, sold, or made a commercial derived work from those scans.

Re: Support for a federal law? Eh? It already exists.

If a child learns enough to use ADB to disable that overlay, they're likely to know plenty of other ways to do whatever they want on that or other computers. ADB use is not that common for kids, or for that matter adults, and if they're going to do it, it requires another computer on which they could probably do whatever the phone is blocked from doing. This is really not a realistic concern for how such a feature could be disabled, and if this is really concerning to you, you might suggest that the provider of the overlay blocks the ability to change developer settings, therefore preventing the child from authorizing a computer for ADB control in the first place.

This is not a convincing argument for why the device needs to have special software baked in for parenting reasons. No desktop computer has it either. Even if you're the kind of parent who builds a customized Linux image that has very specific permissions set up, it wouldn't prevent some child from theoretically finding an exploit that allows them to escalate their permissions and disable your work, but that this is possible doesn't justify requiring someone else to write it for you.

Re: So whats the balance?

"I can no longer trust that a lost iPhone is secure cos somebody can replace the magic-security-pixie / fingerprint reader"

That's not how that works. Here's what would happen:

1. You lose your phone or I steal it from you.

2. I take it apart to replace the fingerprint reader with one that I've designed at great expense to work the same way the Apple-developed one does but always accept my fingerprint. Somehow I manage this even though the part is not open and so making that would require difficult and expensive reverse-engineering.

3. I put the phone back together, never having turned it off.

4. I scan my fingerprint on my compromised reader. Nothing happens, because the reader is not hot-swap capable. The phone won't read from it unless the sensor is present at boot.

5. I restart the phone to pick up the new reader. The phone restarts and demands the passcode, since without an active session, biometrics can't decrypt the phone. My reader won't be able to get through that.

In short, your scare story is completely invalid. Not to mention that there are several other ways to design a phone that would prevent a sensor swap from breaking encryption. For example, you could put the encryption key in the sensor, and then swapping the sensor locks the data away since it doesn't have the key. Users who need to replace the sensor can decrypt with their code before swapping in another sensor and re-encrypting with that. There are lots of options other than preventing the sensors from working.

All supercomputers these days are clusters. This means that Moore's considerations don't really apply to how high the benchmark numbers can go. If you want to have a more powerful supercomputer than the top ones, you could just add more nodes to one of them. While it's not completely simple and linear, you are not limited to the performance of a single system. While that has always been possible, the software for treating a cluster as one machine has been improving a lot faster nowadays than it did in the 1990s.

Re: Snaps are good for Enterprise

It's not about .deb and .rpm and the other ones, since those are not the only archives for Linux package managers out there. It's about what's in them. Here's a simple answer: I'll build a piece of software on my local box which has updated dependencies, and put the binaries in a .deb and .rpm file for you. You can just install that. If your system is like mine, it will work. If it's not but all the packages are new, you're probably going to be fine. If it's older, it will fail to install or run depending on your package manager and the flags you gave it when it decides that the version of your libraries is wrong for the software. Maybe those older libraries could run it, but my binary doesn't properly find them. Maybe they're actually lacking features that I made use of. Either way, it won't run.

Bringing your dependencies with your binary is a pretty old concept, and these packaging tools exist to make that work like traditional package managers have, without requiring package managers to manage the isolation.

Re: You can't use gzip/tar?

I have experienced the problem of binaries refusing to run because I don't have a version of Glibc new enough for their tastes. I've experienced sites where there are eight different Linux packages for the same program for different distros, which is fine when I'm using something common, but not too helpful otherwise. I have experienced the problem of recompiling my software on something old so that it won't have that problem when someone who is still using an older distro tries to run it. This may not be a problem you've ever had, but it is a problem that shows up from time to time. If we want desktop Linux to appeal to other users, it is helpful for us to try to solve it, because it makes it much easier for software to exist for all of Linux, not just the developer's favorite distro and anyone else who wants to build it themselves (I don't mind that, but a normal user would).

"My distro(s) already have a package manager(s). So why do I need(?) another one?"

The reason these tools have been developed isn't hard to understand: distros that don't update every package immediately versus software that does update its dependencies immediately, but you want to run the latest version of that program on your older distro. If you don't want to do that, because you either have a distro that updates every package every time a new version comes out or you are comfortable using the old version of something that updates frequently, then you can cheerfully ignore this tool. Otherwise, that's why a second way of distributing the software makes this possible.

Re: B0ll0cks!

The sites don't need to know the country, and existing VPNs that redirect traffic through a different country are perfectly legal. Sites sometimes make decisions on what to show based on the country the IP address is in, but nothing makes it illegal to lie to them about it.