Posts by doublelayer

Re: Evolution and power efficiency

I'll take you at your word that you know so many influential operators, because it doesn't really matter if you're telling the truth or not. You still appear to think that a call from you, and subsequently secondhand information as it is passed along, is enough to convince them to destroy expensive equipment and cause massive damage by disabling internet-based systems. It is not. We all know that. You'd have to have very good proof that something was using those cables for ill and couldn't be stopped without disabling them, and an actually intelligent AI would do as much as possible both to deny that proof to you and to have contingency plans for dealing with an internet problem.

Also, I'm not sure what cables your set of people can take down, but I don't think you happen to control people with access to every regional cable. If you cut off all the oceanic cables, there are still a lot of ground cables. For example, you still have the massive Asian ground network, with billions of devices on it, in which an AI can hide itself. How long are you willing to keep Asia disconnected? You can't disinfect the continent in a week, and if you keep it isolated for a long time, the AI will just have to innovate a new way of spreading without using the internet you've destroyed. For example, it can learn to talk with humans and start placing phone calls itself. At this point, we will need information on what our hypothetical AI wants to do with its power which we're trying to prevent, but it has a lot of options even if you're really much more powerful in global network control than any individual actually is.

Re: Evolution and power efficiency

Sure, turn off the entire internet and hope that you've done that before it spread to all continents. If the theoretical AI was any good at its job, it would be deployed in nearly every country before you knew it. It would also be deployed in multiple ways meaning that you can't just hunt for one signature to remove it from infected equipment.

One person or group also doesn't get to just turn off the internet. If I decided it was necessary and had some proof, I'd still have to go to a lot of people that I don't know and convince them to turn off the backbones. I have little chance of accomplishing that unless my evidence is very convincing indeed. Particularly powerful militaries could get a bit farther, but even the American military could only disable the North American ground cables and probably every undersea cable. International cables on other continents wouldn't be so easily targeted unless they wanted to run the risk of starting some wars. That is the point. Could you turn off the internet with enough effort? Yes, but it would have a lot of painful side-effects and people don't like them to the extent that they often avoid taking necessary precautions to avoid them.

Re: Evolution and power efficiency

"we can quite easily pull the plug."

I don't think AI is a major concern for now or the near future, but if I'm embracing the whole sci-fi idea of an actual autonomous entity, I think there is reason to question if we can actually pull the plug very easily. A program capable of having its own goals, understanding the world enough to have a chance at pursuing those goals, and capable of acting on the world enough to be a threat has various ways of surviving having the power pulled for the computer it started on. The simple example is designing its own malware to spread its existence across the internet to other computers. Now you have a lot more plugs that have to be pulled before it dies. If the program is smart enough to use humans to do the active parts, it could require someone to try to make the case that these computers are infected and need to be destroyed* even though, to their operators, they don't appear to be doing anything out of the ordinary. We don't have a great record of getting global agreement to do something to prevent a major disaster. Generally, we get some action but only enough to blunt the effects of the problem, not cut it off entirely. Still, I'm pretty confident that this can remain a fun thought exercise, not something we'll actually have to do.

* Destroying computers: the hardware probably wouldn't need to be scrapped unless the AI is good at designing new firmware and getting it to lock out attempts to replace it, but you can't just turn them off because the AI would come back when you turn them back on. They would need to be erased, and that requires manual rebuilding efforts. Worth doing if the alternative is a malevolent AI attack, but it can cause a lot of damage and people would rather not if they can get away with it, basically why people ever pay ransomware operators.

Re: What operating system ?

"Unless, as a user, you have made some dangerous changes to the default behaviour of your OS, just downloading an executable file does make it executable on your filesystem. You need to manually set the execution bit first"

I already addressed this. In this case, the file has been written to a USB device by a program running on an infected host. If that program were designed to write Linux-compatible malware, it is perfectly capable of setting the execute bit after the file is written. What you say is true of downloading an executable file from a malicious server, which is not what happens in this case, but even then it's a relatively weak protection. Windows, for example, will detect that you've just downloaded a new executable file and will give you a security warning before it is executed, and if the file is unsigned that security warning hides the run button so it's confusing to many users how to run it anyway, but we don't view that as a cast iron security mechanism, do we?

"Windows, on the other hand, will detect an inserted USB device, assume the device is honest when it declares what it is, and then go look for a driver for it, in some cases accepting a driver from the USB devices inbuilt firmware"

I may be wrong, but I see no evidence of this workflow. See the device, yes. Assume it's telling the truth, yes (although I'm not sure what other option you think it has, because that's nearly required for an open interface like USB). Retrieve drivers from the device, no. It can retrieve drivers from Windows Update, but that's checking Microsoft's servers for drivers it already knows about. I have seen drivers carried on a device before, but in every case, that's managed by having the device present a storage mode with the files stored on it and instructing the user to install them manually, something that will require administrative credentials and multiple security warning screens.

Re: What operating system ?

You are aware that autorun.inf was disabled by default fifteen years ago and disabled entirely about twelve years ago? Put an executable and an autorun.inf file on a drive and plug it in, and you'll see for yourself. Nothing happens anymore.

As for executables, executables are identifiable and runnable by GUI file managers on Linux, and extensions and the #! line are used to identify executable scripts of many types which can be used either to run malware written in that scripting language or to pull a binary from somewhere and run it automatically.

Re: What operating system ?

"And I am pointing out that unless you / your org is specifically targeted by someone with large amounts of resources, it's very unlikely that you will get infected with linux malware, compared to a general windows running org."

It depends what the attackers are after. For example, one common type of Linux malware is ransomware. That's for a simple reason: ransomware operators have figured out that going after businesses makes a much better pay day than targeting individuals. Businesses, especially large ones, are likely to have at least some and probably a lot of Linux servers which have access to important data. The attackers want those servers infected, which is why many Linux versions of ransomware exist. Another set where Linux is targeted are proxies or botnets, because there are many improperly-secured Linux devices, from servers to embedded devices, on the public internet. Put up a server with insecure authentication and see how quickly someone breaks into it; for that matter, if you have any Linux device with a public IP and don't know about the thousands of attacks it gets per hour, then you may want to check it already for successful attacks.

Meanwhile, if it's targeting individuals or something that's not likely to be assisted by accessing a server, the attackers likely did not try making their software. Malware that steals passwords, for example, is unlikely to have many Linux versions because it wants to run on users' systems, and there are a lot more of those on Windows than there are on Linux. The article isn't explicit about what kind of data this malware is intending to exfiltrate, but passwords, other authentication data, and documents are likely targets. Windows is the right place to get many of those, so unless the organization switches to Linux desktops, the Windows version will probably be considered the right way to get it. A lot of malware relies on user interaction to install, so it too would target desktops first, both because a user is more likely to execute a file on the machine in front of them instead of a remote server and because the users of servers are more likely to detect that something is amiss and not execute it.

Re: What operating system ?

Email attachment: simple. Attach a shell script or Perl, because most distributions have Perl installed at the start. You could also attach an ELF binary if you like the obfuscation it provides. Convince the user to run it. Basically the same as attaching any other kind of script, there's a bit of work involved in getting the user to get it executing, but it can install malware.

Just visiting a URL is more difficult, because you would need to identify a fault in the user's browser which is much harder as they're patching things frequently. Note, however, that the flaw you need to find is in the browser. Generally, Windows can't be infected by just visiting a URL either. Malicious URLs generally just download an infectious file and rely on the user to retrieve and execute that file. Malicious pages have various intra-browser ways of messing with users, such as convincing them to enter data on a form which is not the one the user thinks it is, injecting scripts into a page they're on from an advertisement, or providing them misleading download links pointing to that malware, but those things will work on any operating system.

Re: What operating system ?

"Why, after all these years, is Microsoft still so susceptible ?"

Let's go through the method of infection here. The way this malware becomes active is that somebody clicks on an executable which has been written to their drive, thus running it. Can you find me an operating system that won't run an executable when the user instructs it to? Before anyone suggests it, the executable bit on Unix filesystems will not protect anything, because the executable has been written by the malware which will set that bit. You can mark removable media as not executable, just as you can on Windows, but most systems don't bother doing it and are thus susceptible to people running programs they shouldn't.

I'm not sure what you want them to do. Licenses can't force everyone to make only what we want them to, even though I agree with your preferences. For example, the security argument. Yes, a lot of devices are improperly secured and insufficiently supported, creating security problems. An open source license will have a hard time mandating support of a commercial product when they're explicitly refusing to support their product. Legislators can make requirements on commercial products that license authors cannot. If someone does make a license that tries, people will understand how weak that license will be and will ignore it, and if many people decide to do it, it will likely be replaced by a manufacturer consortium with something under an even more permissive license.

That is, of course, if they don't just ignore it. A lot of licenses are being violated all the time with nobody doing anything to enforce them. If you put even more important things in a license, it will still not get enforced frequently, so that's another reason to try to get regulation from regulators who will have at least some budget for trying to regulate rather than hoping that somebody will eventually go after all the people who have GPL code somewhere and don't do anything to follow the license.

I was using this part:

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

In most licenses that have been affected by this part, the meaning has been where you can run the program. However, since the open source definition has some equation of the program and its source, it equally applies to who may use the source. To forbid someone in AI from using the source, whether that means they are not allowed to run it or process its code somewhere. The field would be forbidden, which directly contradicts that part of the definition. You don't have to care about this; many licenses look sort of open without complying, but people who have strict preferences may object and refrain from supporting the license.

Adding a clause which says "No training of an AI system whatsoever" would violate the open source definition, but adding one that says "If you use this to train an AI, you must release the source to the AI" would be acceptable. I'd rather people didn't, because the more incompatible licenses that exist, the worse the tangles they can get into, and such a clause is not necessary for the producers of AI to face copyright charges. Still, if you want to make an open source license that effectively prohibits use as training data, you could do it that way.

Re: How far do you take it?

The problem is that the programs can't tell you where every line came from and don't copy every line verbatim from somewhere in the training data. That's why you have to assume that, if you put licensed code in, it could come back out at some point. For example, the relatively basic line given by the last comment would probably be modified in several ways:

1. Variable names switched to deal with local conditions. "array" switched to have some semantic meaning, "n" changed to some more useful condition, and "i" changed if this is in a context where a variable called i already exists.

2. Format changed to match other formats. Single-line for statement changed to use braces, indentation changed, internal spacing changed, if the condition that replaced n is long enough, the forstatement split across lines.

3. Changing this line to do something related but not identical. For example, instead of setting every location to 0, running some other initialization procedure.

Does making some or all of these changes make the line different enough that you no longer need to attribute? It's hard to tell, because it would probably depend on which license the original line was under (the program doesn't know) and how common the line is (in this case, even quoting that line would be so generic that it couldn't be copyrighted in itself, but more important lines could). The program will not figure this out. In some ways, I don't care about these small uses of code from licensed projects. However, the licenses exist for a reason, and when they copy larger parts of the code without following the licenses, it becomes a larger issue. The solution is to exclude data before training, because otherwise it's very difficult to prove whether it was involved in creating the output.

Re: Unique keys

The problem with that is that, without centralization, there is nothing that indicates uniqueness. What prevents me from making a new key every day, walking in with some identification, and having it verified? I could have a bunch of identification keys that all indicate me. In which case, how can I prove that one of those is me and the others are not, for example if someone else went in with a key and got it signed as me.

Re: What, no Task Manager?

My guess is that killing explorer.exe will probably fix it, which is why signing out would work and locking would not. They probably didn't suggest it because the average user probably doesn't know the weird stuff that happens when you kill explorer and forget to start another version of it, which I think is the only reason the task manager still has a "new process" button (actually, it looks like it's "run new task" and possibly has been for years). Logging out is something people at least see the button for, so it's more familiar.

Re: it would still mix up different cases and laws to invent entirely new ones.

What would the programming look like? It could load a page, not find supporting evidence, and come to the following conclusions:

1. The site is temporarily down.

2. The site is permanently down, but used to show this stuff.

3. The site contains the information, but it has a paywall.

4. The site contains the information, but you have to log in.

5. The site contains the information, but you have to click a few links to assemble it.

6. The site contains the information, but it is blocking bot access in some way.

This assumes, of course, that the program is capable of reading another site to confirm its facts. Since it made up the facts in the first place, how is it supposed to find the site that contains verification for stuff it just invented, whether or not that stuff is correct. It can't because it is going about things the wrong way.

In some ways, doing this in reverse could make more sense. A bot could take a query, chop it up in a variety of ways, and put those chunks through a search engine. Read a bunch of results from that, and describe the result to the user. This would probably be much better, but it too would not provide certainty. It might be better for the user to do the search themselves and have their brain interpret the results. In any case, that is not the way that GPT does it, so expecting it to back up its text is a fruitless hope; something might eventually do it, but the existing GPT systems never will be able to.

"I think there is some concrete skill that humans execute that makes it relatively less likely for us to confidently spout nonsense and then double down."

Simple. It's the "I don't know" quotient. Children are raised not knowing lots of things, and they say the magic phrase often. They hear others do so as well, so eventually they realize that there are things they don't understand and that, if they need to, they need to find someone who does. The people who never say that they don't know something are some of the most annoying, and they do exist.

These LMM chatbots don't work on knowledge, so they don't have a method of determining whether they know something. They just write text. If all humans operated on that system, you'd get a lot more text. You can try this with your friends. Find a topic they know little about, and ask them a question they won't know the answer to. They'll say that they don't know. Then ask them to guess how it could work and count all the inaccuracies in their response. Chatbots skip straight to the "guess how it could work" stage, and they have an additional handicap that they only know how language works, so they can guess things that a human would reject as implausible because of facts, not just unlikely combinations of words.

Re: It's not a GOLUM, either.

"how exactly is it "advertised? Or, rather, who is advertising it as what?"

A lot of the blame is due to the people who keep talking about it and running public experiments without knowing what it does, often without the simplest of controls. While they are to blame, I also blame OpenAI for not correcting things, though I don't really expect them to. It has received a lot of hype, and OpenAI never responds to that hype by pointing out its limitations. While that news also covers when it completely fails, as it will with this example, the number of "GPT will take away our jobs" articles suggest that it can do things which it really cannot.

Re: it would still mix up different cases and laws to invent entirely new ones.

We know why it does it. It hasn't been programmed to collect facts and only present those facts. Whether that would produce acceptable results, I don't know, but that is not what it does. It just looks for words that follow certain basic rules, such as being somewhat common in other sources and following some grammatical structure. The reason it is correct when it says "The capital of Spain is Madrid" is because that sentence is more common in training data than "The capital of Spain is Barcelona" or "The capital of Spain is byzoenqzvojqgy". If those sentences were more common, it would give you one of those instead.

GPT's designers are actually surprisingly good at putting in filters that make the model say it doesn't know something. Since they're bolting those onto a program that is designed always to print something, surprisingly good is not anywhere near good enough to trust the output. If you give the program some information to go on, such as informing it that there must be legal cases that prove the point, then it will be weighted to find some, and it only knows how to write something that looks like a legal reference, not how to find a real one.

Even ignoring all the unnecessary entertainment uses of a computer, there's a reason to stick with newer ones. Can you run a secure OS and modern browser on a computer from 2003? Yes, you can. Can you run one that requires little or no maintenance because the user is not familiar with technology and does not have someone who set it up on call? Not so easy. This group is providing computers to people who have little experience using them. They may not have had one before, and even for those who did, they certainly don't know how to debug a certificate error generated when a browser goes out of support and stops getting updated CA information. The group also doesn't want to give people computers that will be incapable of certain tasks that they might expect it to be capable of doing. If you used that machine from 2003 which probably has about 512 MB of memory, you'll find stuff that does not do well with that limitation. We would understand that and either know not to use it for that or how to get around that. The users getting these machines don't know either part of that.

Re: Can they do anything for my Microsoft Surface Tablet

I don't know about them all, but I've found at least a couple versions of the Surface to be pretty good at running Linux. It was easy to boot and everything had driver support the last time I did it. If software support is what interests you, you could try that. Alternatively, the hardware checks for Windows 11 can be bypassed, though no guarantees that they won't change this at some point.

Re: Last New Computer I Bought Was Bbout 11 Years Ago

My guess is that their device is one of those small desktops that was sold as a thin client but is capable of being a basic computer in its own right, and that they're RDPing into it either from a laptop, giving it portability that the original device doesn't have, or their main desktop, which is more powerful but this gives it a new environment and doesn't require moving peripherals.

Re: What about

Of course you don't have to throw them away, but it really wouldn't be suitable for their use case. You can do plenty of things with the old Macs running the latest version of Mac OS that's available for your use case or by installing some versions of Linux that still support the hardware (I'm guessing we're talking about the DDR2 limitation, meaning that 64-bit is still an option). They would be good enough to give to a child or elderly family member that you're willing to support. You may have to, because at some point those distros are going to get old and will be more difficult to upgrade, or the person will need more performance than the old machine can provide and you need to be there to tell them when they can do something and when they can't.

For users you don't have direct contact with, it's not as helpful to give them something that is likely to be insufficient or not easily updated in the near future. That's why organizations like this tend to be somewhat picky about the hardware they pass on. I've helped people use computers that are not really entirely useful anymore, but if it's the kind of machine where I would start by saying "You can still use it, but", then they don't want to be giving it to others. That's also true in my case; I will help someone use their own old computer for longer, but I won't give them a very ancient machine with the expectation that my support will prevent it from causing problems for them.

Re: This is in the past I assume?

Last time I tried it, it took a while to find the right place, but it wasn't inordinately difficult. Certainly not like my ISP which I quite like in general but canceling your service if, for example, you're moving still requires you to call and wait for an hour. I don't know how it has changed, nor geographic limitations, but maybe they're comparing the probably five screens you have to click through to cancel to the twenty different tripwires on multiple pages that can get you in.

Not in my experience. They will start bothering you as soon as your month is up, but it won't offer you a free trial anymore so all the nag screens for the trial will now be nag screens for immediately signing up. Eventually, I'm told, the trial comes back.

It depends how much stuff they want to pull. I don't know how much one API request can get you. If it's anything like their web interface, then my guess would be exactly one post because their interface seems designed to make me press about twenty buttons before I find the text I was looking for when DDG sent me there. That would be stupid, though, so let's assume it can pull an entire topic. If the company wants to pull, say, a billion topics, then the price to run the API requests would be $240k. You can write a pretty good scraper for $120k since it only has to work right now, not forever, leaving you the other half for buying resources on which to run it. It's at a level where it might be more worth it just to pay that bill (assuming that my estimates of a billion topics to retrieve and what an API request gets are accurate). However, you'd need a lot of people to request that dataset for those API requests to add up to much.

The other problem is that I used the billion figure as a somewhat rough guess for how much data there is on all of Reddit. I may be off by a bit, but probably not a lot as Wikipedia informs me they had about 3.9 billion posts in 2020. The big models have already either gathered most or all of Reddit's data or decided not to, so if they're just pulling updated information, they're probably running 5% of that. I'm sure the $12000 payment will be appreciated, but I doubt it will do much for the company. This is probably the better option for Reddit. If it turns out that my estimate on how many requests you need to get the lot is incorrect in the other direction, then the price for using the API gets much larger, whereas making a scraper will cost about the same and running it scales linearly from its already low level.

This is all true, but assuming the companies making AI models are really the targets, we're talking about companies whose primary business model is spending millions and waiting months for something to finish training. They can afford to have a bunch of servers pulling pages and scraping them if they decide the training data is useful, and the cost in time can be decreased by spending a bit more on lots of nodes doing the work. For the same reason, they can also justify buying the API credits to pull it themselves, depending on how many new posts they want to retrieve. The problem is that nobody else can, so Reddit appears to be building their entire business model on hoping that AI companies will be consistently interested in their data when most existing companies already have most of it and hoping that outweighs the unhappy users who make that content.

Re: As luck would have it....

If they chose to do so, they have a variety of marketing methods they could use:

The iPhone with sealed battery can use a flexible cell, meaning this one is technically higher capacity than that one.

The iPhone with sealed battery is waterproof, because the EU never said the other one had to be, so we didn't try to make it.

The iPhone with sealed battery can have the battery replaced for £79 at the Apple store, and the one with replaceable battery can be replaced for £99 at home.

Or the simplest option: The iPhone with sealed battery is the one we sell in your country, and if you want an iPhone, this is the one you can buy here. You can do whatever you want, but this is the iPhone you'll get unless you specifically find one we sold somewhere else.

That last tactic isn't exactly new. They've had country-specific iPhone models before, for example a model for China which has multiple SIM slots. Android manufacturers go much further. It's common for Samsung devices to have two different versions involving completely different processors, GPUs, and modems depending on the region, and it's not even the same regional split each time. The models look the same and are called the same thing. For example, you can get a Samsung Galaxy S22. If you got it in Europe (I don't know what counts as Europe for this purpose), it has a Samsung Exynos 2200 processor. If you get it outside Europe, it has a Qualcomm Snapdragon 8 gen 1 SoC. Why? I don't know, and Samsung didn't explain it. I bet it has an effect on software updates and supported features though. It indicates that phone manufacturers aren't above making regional variants and they could use this if they object enough to a regulation so they can ignore it where it doesn't apply.

Re: As luck would have it....

Most manufacturers will build just one model that meets all the requirements, but not all of them. If the EU has this regulation and nobody else does, they might get the model for those regulations and a different one will be produced for the Americas, Asia, Africa, and Oceania. The UK could easily get that one. If other large countries had this regulation, that probably wouldn't be as likely; agreement by the EU, US, China, and India would be enough to make manufacturers design in one way.

Re: No HDMI and only one USB port?

"is Wifi 6 (2x2 802.11ax) sufficient for 4k streams"

Yes, very much so if the rest of the network can handle it. In many cases, slow speeds on WiFi has more to do with congested networks behind the access point than the wireless part, though if your building is obstructing signals or your access points are ancient, this can change. However, I must disagree with this point:

"Also why include a wired USB hub, better to include a Bluetooth/WiFi enabled smart plug that a user could plug into the back of their monitor and seamlessly wireless stream to the paired device."

There will always be more room for debugging a WiFi connection than a cable. It's useful at times, but in many cases, the cable is the fast solution and works better for the user who doesn't need infinite mobility and would prefer a quick setup.

You may have your suspicions, but all the conversations are about the choice of interface, suggesting that Microsoft using an HTML-based frontend instead of the native Windows interface features they wrote is contradictory. The cloud guy appears to be the one who created an unfounded assumption, so while it is theoretically possible that Microsoft could make a cloud-based mail client, nothing suggests they have or the people talking about the interface decision would be talking about something unrelated (you can use native interfaces on cloud clients) and unimportant (who cares about interface policies if there's a privacy issue). It's important not to turn one thing into an assumption, often incorrect, about something else.

Re: Think of the users, and not just corporates

Maybe the AI will be attached to that feature they introduced about two years ago which started predicting my sentences, at least in English. It would generally recommend about three words to continue my sentence. I couldn't tell whether it was trained on other emails I sent or not, because it would accurately predict what I was going for when the sentence was pretty basic, but those sentences were also the ones I was most likely to have typed many times already. One reason I never found out is that the feature was disabled with prejudice within about five minutes, most of that spent looking for the right checkbox.

And the first guy appears to be wrong. The web app just means they used some HTML and JS frontend instead of native controls. That doesn't mean they're storing mail data or settings on their server and only providing a dumb client. Not that there can't be something invasive in that program, but from other comments, I see nothing indicating that it will require cloud accounts or even any cloud services to function.

Where that has been made illegal, it is because ISPs don't intend to use those to improve the quality of service, but to extract more money from their customers. They do this effectively by tricking them: yes, we will give you unlimited bandwidth, with speed only restricted for congestion, unless it's somebody who has paid us, in which case their competitors will run slowly. The way they explain this is "video constrained except from certain providers". That has two effects: in the short term, ISPs can try to negotiate extra payments from users to reverse the decision to break their service, and in the long term, they can try to sweat their infrastructure for a bit longer. One effect it doesn't have is improving the quality of service.