Posts by doublelayer

Re: It's not a witch hunt.

While true, that doesn't stop the concept from making sense. Utopia was coined to tell people that it was impossible, and the society described isn't very great, but it still works fine as a term for the theoretical pinnacle of society, at least when we talk about utopian opinion. Thus, just because the term meritocracy was created to demonize it doesn't mean that we can't use or adopt some concepts from it.

The book that coined the term had its own conceptions of how a meritocratic society could be created and what it might look like. It doesn't follow that anyone who praises the idea wants to see the society depicted, since few have read that book. Meanwhile, some people might want to try a society where capabilities and skills are more useful to success than wealth and connections, even though that will probably never change. As usual, if you take this or any other point about how society could be improved and stretch it to its extremes, you'll get something very unpleasant. It doesn't matter which attribute you choose to use: if you write a book with the premise that "The most [attribute] people rule the world with absolute authority", the end picture will either be utopian if you're naive or dystopian otherwise. A strawman argument of that nature can argue against literally anything you like, including positive things like democracy or freedom of any kind.

Re: It's not a witch hunt.

If you read my reply and think I've missed it, then I'm afraid it really has. Perhaps you could be so kind as to tell me what I missed? What I see in your comment are two points:

1. You would like open source developers to make new and unusual things, ignoring conventions if they feel like it.

2. You don't think anyone should tell them otherwise, since they're open source developers and I have no reason to give them instructions.

I disagree with point 1, unless their changes are there to add unusual features, because I think that changes without features just annoys the users. I agree on point 2 that they have the choice to do whatever they want, ignoring any suggestions I might provide them. I'll still state my opinion as you have done, but they have no reason to listen or follow.

Re: On the third hand

That was basically my point. Revolutionary UIs can pay off if they do revolutionary new things and the new interface is necessary to productively having those features. In most of the ones I've seen, the new conventions are just somebody taking all the stuff we have already and dumping it in different places. That's far less exciting. When I see the latter, I wonder what we could have had if that developer had focused on writing something that didn't already exist. They can do whatever they want, but it doesn't change my opinion on what helps and what doesn't.

Re: It's not a witch hunt.

Of course, they have the right to write whatever they want, no matter how strange. If they ask me what I think is best, though, I'll suggest that they write one of two things: something that's extremely revolutionary because they really think it's a significant improvement, or something that works in a comfortable way. Something that does something a little new but mixes up the UI for no reason could probably be better, in my opinion. That doesn't mean they have to care, but I still have my opinion just as they have theirs. A desktop that follows conventions is quick to pick up. One that tries something completely new might be worth the effort of learning the new controls. One that switched all the controls but doesn't do anything unusual is just annoying, which means they won't get to try many new things if users have ignored it.

Most of those things are problems that could exist in any payment system, and aren't particularly reliant on any peculiarity of India's. The only technical change suggested was this:

One key initiative could involve verifying that any new mobile number added to an account matches the account holder's name, thwarting scammers from gaining control by altering phone numbers," advised CloudSEK.

That change is not likely to help much. If India tracks ownership of phone numbers, scammers could buy cheap phones and have them registered as their mules while keeping control of the devices. The people who are changing phone numbers are those who decided to be willing accomplices, so this shouldn't be a problem. This suggestion would work better if the scam involved the victims changing their account phone numbers, but the article makes it clear that they are socially engineered out of their cash and the account details only apply to people who have time to set up the infrastructure beforehand.

The point that the system operates outside the money laundering law is a better possibility, although they didn't suggest what technical changes are required to fix that. Unfortunately, a lot of schemes like this manage to get around such legislation if the scammers simply wait a bit longer for the funds to clear before cashing them out or transferring them over borders. Scam rings that operate this in a variety of western countries, including but not limited to many large ones based in India, know this firsthand. If our banking systems, with all their anti-laundering facilities can't prevent that, then adding a delay to their system is unlikely to be sufficient to prevent it in India either. You'll need more, and I don't know what that would be.

"I always assume that most attackers are just some script looking for an uprotected target."

That's true, but most attackers know that some IPs will be blocked and will scan from a few endpoints. For example, they may run an initial scan from a cloud provider, but since many of those are subject to blocks or extra scrutiny, some of them will just try anything that didn't respond from a compromised host in a western country. Unfortunately, most operators of scripts that know enough to cause you any trouble at all already know about region blocking and go around it. There are certainly many people who are too stupid to manage that, but they're also generally too stupid to do your server any harm unless you have a glaring hole in your configuration.

"I can't see me selling much to China, Russia, half of Africa, plus assorted Eastern European and Middle Eastern countries."

I suppose that depends what your site is for. A lot of mine are simple informational sites, and while my visitors are rather limited in number anyway and concentrated near where I live, I do get people visiting from some of those countries. I have to assume that at least someone is interested in what I have to say. You may also get some visitors who live in a country you think is more likely to be interested but are traveling, and blocking them may make your site seem broken. It really comes down to what your site is for and what negative consequences would arise if you didn't block. For the ones I run, both personal ones and ones for employers*, I have not seen an attack that a blanket ban would have done much about. I'd have fewer failed attacks registered in my logs, but I'd still have plenty.

* I'm not a sysadmin, but I do work in security, so I get to see logs even if someone else runs the server.

Re: Ha ha ha ha... no

Not hard at all. Google simply bakes it into Chrome. This permits them to implement it as a MITM, but they won't because they're not that stupid. Instead, your browser will handle the TLS connection and their proxy will simply send the TCP or QUIC packets through for you. I guarantee you that that will be authenticated with your Google account, though. They won't need to break the encryption. Some scripts may still be able to determine your real IP, depending on how well Google blocks it.

As for interception, you're right there. Google won't break all the encryption, but they will certainly collect a ton of data about your browsing and Google's new motto should be "Google never deletes, even if it lies about deleting".

I'm sure it won't be long until those who typically block IPs quickly end up blocking Google's endpoint IPs. This will either be done as a block, as it sounds like you're doing with countries*, or it will be done one at a time by your automation that detects unwanted behavior from an IP and blocks it, since it will be easy enough for abusers to use this service so you can guarantee at least some of them will. It's not going to be hidden, so it will be as easy to block as blocking Tor exit nodes.

* I generally suggest against blocking entire countries, since you might have some visitors from there who can't easily get a new address, especially if they don't know why you've blocked them. Meanwhile, attackers from that country are smart enough to figure that out, and if they really want to attack you, they know how to and do use proxy services of various kinds. It's your system, though, so you're free to ignore this suggestion.

Re: Pardon my lack of trust

The difference is that DoH doesn't help Google directly, only indirectly by denying information to others. I can use it without sending my data to Google. This proxy system sounds a lot like the one Apple introduced. They claim to have a firewall between their managed ingress points and theoretically external egress endpoints, but we only have their word for it. My suggestion is the same: only use Apple's proxy if you trust an Apple-run VPN, and only use this proxy if you trust a Google-run VPN. I do not. I will not use it.

Re: So, very much like the wildly popular Raspberry Pi series.

We're not talking about expense. If we were, I could start talking about benchmark numbers for the different processors, the speed advantages of the SSD in this one, or so many other points of differentiation. Just talking about ports, a typical desktop setup will use ports on two sides of a modern Pi: power input and display output on one side, USB keyboard and mouse and possibly Ethernet on the other. Meanwhile, for this computer, literally all those things can be plugged in on the back unless the power port is somewhere else, as that wasn't mentioned. The USB ports on the side can be used for more temporary peripherals. That doesn't guarantee that you'd use that setup, as your keyboard and mouse would have to share the one USB on the back to get there, but even if you didn't, you're still using the same number of sides in the same arrangement as you would for a Pi. Only if you need multiple USB devices without a hub and VGA will you have cables on opposite ends of the box, just as if you want to plug something into the GPIO interface, you'd have cables on both sides of a Pi. Are they really so different?

Re: All together, one, two, three!

Can you wipe a simple disk in a standard X86 computer? As it happens, yes you can. I don't know about this box in particular, but there are only about a hundred devices out there with exactly the same spec but differently shaped boxes, and they mostly run Linux just fine, so I'm guessing it runs well.

Re: No need to worry

"Programming is a working-class job. Anyone with the right mindset can do it; you don't need formal qualifications,"

That was not my meaning, nor do I think it was yours. "Working class" is not a term that is much used in my country, since it's hopelessly vague about exactly what boundaries there are on it, even more than the still vague "middle class" etc. In addition, not all programming is comparable. I have three problems understanding the level of pay that workers in various countries can expect:

1. When we end up talking about some job, we're often rather nonspecific about what it is. I've split it into IT and programming, but someone who writes a few scripts and someone who writes the code that absolutely must run in a certain number of processor cycles and will cause something to blow up if it crashes are doing very different jobs and will be paid very differently.

2. This is more my problem as a foreigner, but I have trouble understanding what a certain number of pounds means as a lifestyle. Converting it into local currency only goes so far to giving a picture since the more expensive parts of life are usually the ones that vary most between locations, which makes comparisons more difficult.

3. When people have stated numbers, they have had some pretty massive ranges. In one article I remember, the article spoke of salaries ranging between £50-150k, which is a pretty wide range in itself, and then we got into a discussion of how much that was worth where salaries as low as £20k were added in. This effectively gave me a range from the 30th to the 99th percentile of individual income in the UK*, which doesn't really help me imagine what is realistic.

In the case of your example of the programmer and cleaner, I'd be curious to know how this worked out. Was the cleaner working a lot more time? Were cleaners in short supply in the area? What, specifically, was the programmer doing. The comparison suggests that they were working similar amounts, but since that wasn't stated, it could also be a cleaner working many hours compared to a contract programmer who only has one small contract at the moment. If that happened, while that might be reason to be unhappy, it wouldn't actually lead to the conclusion that cleaners are paid more for their work than programmers are. Since I don't know the details, I cannot possibly judge whether that's reflective of the country or not.

* Percentiles are for anyone with taxed income in the year. It was not specified how much work they did or whether they're in a household. Figures were from the 2020-2021 tax year from the UK's ONS.

Re: No need to worry

I didn't downvote, and I'm not in the UK, so I can't know exactly why they did. My idea of why they did involves something that might be a misconception, since I don't know what normal pay rates are for various jobs in the UK, and when they've been discussed before, the numbers were all over the place. One thing that I think might have contributed to it is IT versus programming. The previous comments were mostly talking about programming jobs, whereas the comments talking about the UK's mentioned IT. That disconnect could have gone unnoticed by someone who assumed they were saying that programming was a working class job and paid accordingly.

Whether that was intended or not, there's also an attitude by some people in the industry that they're not paid enough, even among some people who earn a lot more than others could expect to be. I am a programmer and my income is somewhat high compared to the average in my country. That doesn't make me capable of buying whatever I want or living in luxury, but it does mean that I have a lot more stability than some do. Occasionally, some colleague of mine will complain about the financial hardship they think they're going through, an argument I find unsympathetic since it is a level that many could not get to. Whether their underpaid or not, which is always possible, they're not experiencing the hardship of people who don't have a job like this. I don't know how many programmers in the UK this applies to, let alone other types of work in IT, but perhaps the person who pushed the downvote button was reacting to that assumption whether accurate or not.

Re: But the job market is booming....

I don't think they intended "save" to mean "put money in a box and do nothing with it". I think they meant it to mean to keep the money in something that should earn some return and a risk level that isn't concerning to you, rather than spending it. That way, you can avoid being that guy who has a well-paid job that most people couldn't dream of, loses it, and has to panic about paying necessary bills because they spent all their money on luxuries. Investing properly is saving, as long as your approach to investing isn't more like gambling and you keep saving the proceeds.

Re: Open platform

I'm sure they do. The ones I've seen have used the government's databases to check that the charity is valid, with the advantage that they make it easy to conduct ongoing checks. Instead of requiring every company to check government records each time, they can get a list of any charities that have been struck off in real time and, should the government's systems change, not every company that deals with charities needs to change their systems. Some of the third-party databases I've seen also handle abstracting out the international databases, meaning that if an international charity becomes involved, you don't have to deal with a foreign government's system and translation issues to know whether it's valid or not. Those third-party databases are not deciding on their own whether an organization deserves charitable status.

Re: Unfortunately this is how all of Hollywood operates

You may have it backwards: the inclusion of the line was for China's benefit, and they were pleased with its inclusion. It was China's neighbors that have a problem with it and Vietnam in particular which banned the film for including it. Countries don't much like China deciding to claim it owns the ocean that's next to them and not next to China.

Re: Personally, I don't pay for ads.

I don't much object to them. I can't provide you a complete list, but as a simple example, Ubuntu tends to recommend its commercial support package every time I log in. For example, on one box I have, it prints this to my terminal:

Get cloud support with Ubuntu Advantage Cloud Guest:

http://www.ubuntu.com/business/services/cloud

It also recommends extended support, a commercial product*, but that's because this is an old 18.04 VM that I haven't deleted yet. This is not the only one they have, nor the only phrasing of the message, just the one that I saw when I logged in today. It's also a server edition, not a desktop one. History has the example of the Amazon affiliate link in Ubuntu desktop. I'm focusing on Ubuntu because most of my personal boxes are Debian or derivatives, and as far as I know, plain Debian doesn't have any of these.

If I objected to this, I could do something about it. I really don't care that it's there. Nor do I much care about some of the similar things in Windows. If you want to consider the examples, though, there is a small starting point.

* Well, it would be free if I chose to enable it because this is a personal use VM and I don't have another one, but it's mostly of use to people using it in business and for them it is not free.

An article a few days ago explains some of this. The theory is that New Zealand is being used as a small test market for developed countries, with the Philippines serving as the test market for less developed countries. One contributor to that was that the Philippines has recently passed a law to track the owners of phones which might make user identification and extra tracking easier, although that is speculation. If Twitter likes the results, that will come to more countries.

Re: The struggle is real

I agree with you on some of your points, though I'd be careful about how absolute you think they are, as how easy or difficult it is to get someone started depends rather heavily on how crap the processes are. I have seen some advantages to interactions that happen in person which I don't think text chat or video meetings have equaled, but my anecdotal experience isn't enough to say that everyone experiences that. However, I must entirely disagree about this point:

"It's also worth noting that Roblox is taking what seems like a modest step, requiring employees to come in three days a week rather than five, which should make the pill easier to swallow."

Their modest step requires that everyone they either hired in a different place or permitted to move to a different place has to move to a new, expensive city. Just because they can work in their home on a couple days doesn't stop that move from being quite a big change for all those people. They have the right to do that, but I am not surprised at all that people see that as a rather onerous requirement. One might suggest that, if they were going to do this, maybe they shouldn't have allowed people to join from locations other than San Mateo in the first place. It's the same reason that, when I've talked to people offering jobs, they often state right in the first meeting where the job is and whether I'd have to move, because they know that a large subset of their market is unwilling to do that. These are the people who will not state important details like how much I'll be paid until everything else is done, and even they know that the location is so important to most applicants that they could be wasting a lot of time if they don't make sure of that.

Re: Precedent voor other VLOP's?

Sure, that's always an option for them, but most of those platforms are successful because they're very large, and they don't particularly want to cultivate a competitor that has unrestricted access to a market of half a billion relatively wealthy people. Apple's free to not sell iPhones in the EU if it doesn't like the USB-C requirement, but as it has demonstrated, it preferred to just adopt the port for everybody without risking those customers. The platforms covered under the VLOP provisions will probably do the same. They'll lobby for changes and see if they can find their way around the requirements. Amazon's already got their first attempt at that in the courts. When it all ends, they'll comply as much as they think they have to to keep out of trouble.

Re: If/when no more X in the EU ... how should Thierry Breton ... "tweet" / communicate?

From the article:

As The Register reported last week, His Muskiness had a rather public spat on the website with Thierry Breton, EU Commissioner for Internal Market, who was simply reminding social media platforms of their content moderation obligations under the law.

Re: Elmo just desperately needs the money.

Be careful what you wish for. The reason we have Vladimir Putin in charge in Russia was basically because people had a similar opinion about Boris Yeltsin*. More because they didn't think Yeltsin was going in the right direction rather than being actively dangerous, but I think they, and we, now know that Putin's relative efficiency has ended up being the worse outcome. Whenever the idea is to support one danger because the other one is worse, be very careful that that can't possibly change.

* Well, Putin was clearly going for power anyway, so even without that he stood a good chance of succeeding, but it probably would have been at least a few years later.

Re: How long

I do wonder at what point the supply of available phone numbers will become dangerously polluted. When I got my mobile number, it had previously belonged to somebody else. I don't know what happened to him, but I got a few calls asking for him when it was new but they accepted my statement that he didn't have the number anymore and went away. I've now had this number for many years, though. For anyone who is getting a new phone number now, I have to wonder how many people have used that number in the past and how many databases it is in. I imagine that spammers frequently pick up numbers and drop them when they've become burned, but I doubt that people who have databases are as good at purging that information. What are the odds that a randomly-allocated number will already be listed as a spammer's on at least some site and possibly also receiving messages about some account it was used to verify?

Re: Thanks for the belly laugh, I needed that

As I understand it, New Zealand is a popular market for testing things because it's kind of small, same level of economic activity and average wealth as other developed countries, and people speak English. The small size means it's easy to cancel unsuccessful experiments. The personal wealth means that you can judge what customers in similar countries, often the most interesting to profit-motivated companies, will do. The English means that you don't have to deal with any translation issues when producing scripts for customer service or even user feedback assuming you read it, since most of the companies doing this are based in an anglophone country. Musk is certainly not the first person to use New Zealand as the proxy for the rest of the developed world. Usually, when companies do that, they start with New Zealand, go on to either Australia or Canada, and then roll things out for the big US and UK markets. I'm not really sure why Ireland isn't as popular, but maybe it is and I just haven't seen the examples. Countries speaking other languages get included differently based on the company, with some of them including a lot of them from the start and some others treating them as unimportant ones that just get whatever everyone else gets.

Re: The career limiting spreadsheet...

"True but then that's the nature of Excel. A database can handle missing or extra columns as long as they are correctly named."

No, a database cannot handle most of the types of misconfiguration that would come from not agreeing on the schema first. Insert columns firstname and lastname into a table that has one name column. Your statement is rejected. Merge two tables containing ID numbers and pay information, but one of them specifies pay as an hourly amount and one as a yearly amount. Someone is going to get the wrong amount when the winning code retrieves data from that. Merge ID numbers from a database where they were integers and one where they were strings of digits. Probably anybody with an ID starting with 0 will have some problems. At best, if you're using one of the less structured NoSQL databases, you can keep around the custom fields when you imported something with extra data in it and still retrieve them later, but it still won't help when you want to search on it later. Databases do more checking of what you're doing, but that doesn't prevent you shooting yourself in the foot.

Re: I don't why she swallowed a fly

"We do now have the tools that give users more expressive power, I'm thinking here of the combination of Jupyter notebooks and Pandas."

In my experience, these create the same problems that Excel has, just in a slightly different form and only for programmers. That's the case because nonprogrammers generally don't know how to use Jupyter, and even if you can teach them, they'll only learn to run existing ones. But for programmers, effectively you've given them a way for anyone to have their quick and dirty scripts. All of us have some, and they often have some deficiencies like no documentation or a particular input format without which they won't work. This is why all my temporary scripts are on my computer and my backup directory, but not anywhere where my colleagues can get them. If I'm releasing them for anyone to use, they need to be higher quality. If other people need to run them, then I'd better get started on that.

In the one environment where Jupyter was used as a production tool, we had lots of scripts that were supposed to be run. One, for example, would take an input XML file and populate a database. As long as you read the code first, you would be fine. If you didn't and uploaded a file you didn't want to, it would not fail well. It was not idempotent and would cheerfully clobber the database if you uploaded the same file multiple times. It did not do validity checking on most of the data in there. It didn't even preread the file to make sure it all worked before it started firing off SQL statements, and it didn't even have the courtesy to do this stuff in a single transaction that could be rolled back. In short, it had all the same fragility of spreadsheets but in the form of code. A problem with the script or an edit made by someone who shouldn't have been editing could easily have broken things.

While the actual failures weren't so catastrophic, I do remember the time when I ran an analysis script which returned spurious data, only to be told that I shouldn't have run the 2.0 script, I should be running the 1.5 script (nothing said this, so I had gone with the latest from version numbers). Then, when the 1.5 script also produced incorrect results, they mentioned that I had to run a script in a different folder, also labeled as 1.5, which had been forked months ago and was now the canonical one. To be clear, the scripts I was running were in a directory called "analysis", and the script I was supposed to run was under a directory named something like "dev/colleague_username/temp". The colleague in question had left the company. Is this the fault of Jupyter's products? Clearly, no. It was the fault of the process that made running a script like that the expected procedure. The remedy is the same, though. The process, not the tool, is the problem. Changing the tool is probably necessary, but if the process didn't change, the problem probably will stay around afterward.