Posts by Max Pyat

45 publicly visible posts • joined 27 Feb 2021

Chinese government website security is often worryingly bad, say Chinese researchers

Max Pyat

Re: In other news


UK inertia on LLMs and copyright is 'de facto endorsement'

Max Pyat

Re: "A committee of UK legislators"

Exactly, and you might have bought the books with some of the money you made renting the child out to a chimney sweep

AWS customer faces staggering charges over S3 bucket misfire

Max Pyat

You've failed to understand the story

Please read it again more slowly

Max Pyat

Re: This is just one example

Tell me you flunked reading comprehension without telling me you flunked reading comprehension...

Malicious xz backdoor reveals fragility of open source

Max Pyat

Re: “… reveals fragility of open source”

Moral hazard is a good term.

Part of the moral hazard, in my view, is the use of open source by large commercial undertakings without adequate contribution back to the developers and community.

The commercial use of the tools vastly increases the motivation of malign actors to compromise the software, and therefore the appropriate defensive resources that should be applied. If the commercial users don't contribute to the securing of the tools, still via open-source development, they are in fact doing worse than free-riding, since they attract attacks to the entire community without the entire community getting appropriate additional benefit.

You're not imagining things – USB memory sticks are getting worse

Max Pyat

They are already responsible:

When you buy something, your contract is with the retailer, not with the manufacturer. So you're entitled to redress from the retailer.

The retailer in turn can take action against its suppliers.

This is not in any way new and has a good logical and practical basis.

Zuckerberg wants to build artificial general intelligence with 350K Nvidia H100 GPUs

Max Pyat

Re: wants to build artificial general intelligence with 350K Nvidia H100 GPUs

A great analogy

More X subscription tiers could spell doom for free access as biz bleeds cash

Max Pyat

Re: Personally, I don't pay for ads.

I agree, but it's not such an uncommon model or novel model.

You pay lots of money for a cinema ticket, but then get a whole bunch of advertisements (including recruitment ads for army, navy and RAF last time I was there)

Same with newspapers and magazines. This only jumped out at me after I was complaining that the very expensive FT online offering still has embedded advertisements. Print has always been so!

Web Summit CEO's comments on Israeli conflict 'war crimes' sparks boycott

Max Pyat

You're missing the point

Having slammed brakes on hiring, Google says it no longer needs quite so many recruiters

Max Pyat

Re: Poor targeting

Or if those hires, had they not been hired, would have gone on to be serial killers or new "Hitlers". Can the world survive another 6000 serial killers / Hitlers every year?

(Aren't post hoc rationalisations great?)

UK rejoins the EU's €100B Horizon sci-tech funding program

Max Pyat

Re: Indeed

Someone just "discovered" reversion to the mean (and needs to look up what a "controlled experiment" actually is).

Power grids tremble as electric vehicle growth set to accelerate 19% next year

Max Pyat

Re: For many of us, hybrids make more sense than BEVs

There's not much point in you posting when you clearly know about as much about the topic as Alex Jones.

A bit less emotion please and a bit more paying heed to engineering and physics.

Max Pyat

Re: For many of us, hybrids make more sense than BEVs

You clearly don't work in the utility industry.

As someone who does work in the sector, let me reassure you that it's not nearly so bad as you imagine to upgrade. Significant investment, for sure, but entirely doable. No need for hand wringing and panic.

To pick up on your examples:

Regarding overhead lines, have you heard of HTLS? Having established wayleaves for the route is massive vs a new build.

Underground cables: Ancient overloading cables will have to be dug up and replaced anyway, at which point they can be uprated. Directional drilling has also revolutionised cable building.

Modern substations are also a fraction of the size of old ones as they can move to GIS from the old air-insulated gear that will often be there.

Finally, all transmission and distribution systems are designed with redundancy and feeding options to allow maintenance to be done. There is disruption, but it's manageable.

What would sustainable security even look like?

Max Pyat

Re: Nobody is legally responsible, oops

This is tripe.

You're just handwaving your way through a series of "arguments" until you seem to have validated your assumptions to your satisfaction.

Please inform yourself more widely on how liability works in other more developed industries that have dealt with more complex issues before returning to the topic.

Max Pyat

Re: Nobody is legally responsible, oops

This is nonsense that just betrays a myopic ignorance of the wider world.

Your last paragraph makes no sense. Of course a warship can become vulnerable years after it was launched. And you know what? If it is discovered that the steel used is vulnerable to a new shaped-charge penetrator, the navy doesn't get the chance to do remote updates over the Internet.

Seriously: get good or go home.

Ex-Twitter employees owed half a billion in severance, says lawsuit

Max Pyat

Re: Nearly 600% reduction in staff and...

Not how percentages work...

Rocky Linux details the loopholes that will help its RHEL rebuild live on

Max Pyat

Re: Licence

This was my first thought

Although I'm still unconvinced that Red Hat's actions don't violate the GPL.

Rocky Linux claims to have found 'path forward' from CentOS source purge

Max Pyat

Reads that way to me!

Max Pyat

SuSE is only obliged to provide source to the recipients of binaries.

The issue is that they cannot stop the recipient of GPL code from distributing the source code onwards. If they haven't tried to do that, nobody has any grounds to complain.

Max Pyat

Re: Ignoring the big issue

If you want to stop Red Hat's shithousery you don't need to relicense everything. Just get a solid chunk of hard to replace code into essential projects.

Red Hat strikes a crushing blow against RHEL downstreams

Max Pyat

Re: GPL violation

Per the GPL, Red Hat doesn't get to distribute the binaries in the first place unless source is provided to the recipient, and access to that source cannot encumber the recipient from onward distribution of that source (so long as that onward distribution is also GPL compliant).

If they aren't honouring the GPL, then they cannot ship the software. It's not about the recipient giving up rights, it's about the licensing restrictions imposed via the GPL by the authors/copyright holders.

One person's trash is another's 'trashware' – the art of refurbing old computers

Max Pyat

Sort of in the same vein, you find GNU/Linux (or more broadly free-unix) in more and more places.

Like I discovered that my Kobo ebook readers are actually running Linux under the hood. A quick addition of KOReader and now I can even ssh into my ebook reader.

Android is the same.

Home routers too (I installed OpenWrt on my most recent one, but the stock firmware was in any case a customised version of one of the Linux router projects).

Apple systems are based on BSD, etc.

And lots of this stuff is just in there doing a job, and not being noticed.

Meta tells staff to return to office three days a week

Max Pyat

More victims of fake crypto investor scam speak to The Register

Max Pyat

Scammers scamming scammers...

Given everyone who was scammed was working on cryptocurrency and web3 projects, I have limited sympathy, and they certainly weren't the best or brightest or most ethical to start with.

Funny too that one of the scammers, "Moreno", has named himself after an anagram of one of the cryptocurrencies most suited to illegal transactions: Monero.

Trust, not tech, is holding back a safer internet

Max Pyat

Re: Trust the government / security services / police?

I'm presuming then that in your schema, everyone involved in the fighting of WW2 was/is a criminal? Given that armed forces on all sides prosecuted attacks that killed civilians both directly and indirectly.

By your calculus, it would always be illegitimate for example to try and stop the Holocaust and death-camps if doing so involved attacking a single civilian (even if your enemies had no such reservations about targeting the civilian population on your side).

Your "analysis" of the Jean Charles de Menezes murder is pitiful. In particular how having spent two paragraphs on a spiel that even an entirely just cause can't "justify attacks on civilians", you then take a rather specious cause "fear of further bomb attacks" (fear!) and use it to justify the murder of a civilian by incompetent and negligent security officers (and the failure of that system to hold itself to account).

And no, security forces don't get to just say "we're human, we make mistakes". Anyone making that argument needs to be sacked (no hyperbole, they are not fit for the job). In an HV substation, if a technician throws a switch and kills a colleague, he can't say "I'm human, I made a mistake". Nor can his management. There has to be a full analysis of the entire system of controls that failed and allowed that to happen.

Only non-technicals/"civvies" will say stuff like "these things happen"/"he's only human"/etc., etc.

The Twitpocalypse may have begun, as datacenter migration reportedly founders

Max Pyat

Re: Hmmm...

I'm sure they weren't just ordered to change jobs (of course that wouldn't work on its own, but Musk isn't that stupid).

They were probably also told to change their email sig, their profile updated in the corporate directory, and maybe given a new T-shirt with the job title on it.

Native Americans urge Apache Software Foundation to ditch name

Max Pyat

Re: Bit ridiculous

That's fine, of course.

But you don't necessarily get to tell other people how they are supposed to feel or react. If they object, then that's fine and I don't see why not to respect that.

Adobe will use your work to train its AI algorithms unless you opt out

Max Pyat

Re: Sounds like M$'s Github Copilot all over again then?

In principle various open source licenses would cover this, e.g. that AI generated code based on GPL must also be GPL, and if you'd published under GPL it would be a "good thing" for GPL code to spread in that way...

However as Ken Hagan points out, wealthy entities will ignore that as much as they can, and will be almost impossible to hold to account. Layers of AI tech will further obfuscate what's actually happening.

Datacenters in Ireland draw more power than all rural homes put together

Max Pyat

Re: gotta be the crypto mining

I think their point was that Ireland was at least probably a better place for crypto mining than the UK.

Max Pyat

Re: So 35% of elec is residential

It's actually not "hand waving bollocks"

This has been a very active topic of discussion in the industry (datacentre, EirGrid, ESB Networks, and generators) for well over 5 years. The growth and magnitude has been and continues to be/become very difficult to manage. It has major knock-on effects on the energy system and on other industries too (as getting grid connections has become much more difficult).

What you're seeing here is that discussion protruding into general consumption media.

Max Pyat

Re: So 35% of elec is residential

There's also a feature that the datacentre development has made grid capacity for other businesses much harder to obtain (that ranging from smaller businesses like creameries and food production, through to pharma/biotech etc., hotels, large residential builds, and electric transport infrastructure (EV charging, electric rail)). At distribution level, 20-30 years of projected capacity was devoured in just 2 or 3.

Just getting a grid connection has become much more difficult because of the datacentre build-out (and the datacentres are, per MW, relatively low on jobs and other knock-on benefits).

Also worth noting is that while the datacentre secures a grid connection at the start, its energy use typically ramps from 0 to full capacity over a period of several years. My understanding is that each server hall within the centre is first fitted out with resistive loads at full consumption so that the auxiliary and cooling systems can be tested, then the heaters are removed, and the hall is progressively filled with servers at a fairly linear rate until fully occupied in (IIRC) 5 years or so.

This means that any projects completed within the last year or two are only contributing a fraction of the consumption that they will eventually contribute.

Top Chinese Uni fears Middle Kingdom way behind on tech – and US sanctions make catching up hard

Max Pyat

Re: Cliffnotes

This is literally what every successful modern economy has done. The US is an object lesson, having wholesale stolen IP from the UK and elsewhere during the industrial revolution.

The western economies built up in the 20th century were often facilitated in this (Korea, Japan, Germany) by the US as part of the effort to form a bulwark against Communism, rather than having to "steal", but the dynamic is the same.

UK.gov threatens to make adults give credit card details for access to Facebook or TikTok

Max Pyat

Re: Idiocy

Revolut is one.

I'm reasonably happy with them overall.

Web3: The next generation of the web is here… apparently

Max Pyat

Re: Legal opinion

Of course you can get the legal opinion, however that does not remove liability should a court look at the question later and form a different legal opinion.

Email blocklisting: A Christmas gift from Microsoft that Linode can't seem to return

Max Pyat

Re: Bully boy tactics

Setting a default browser is a "standard practice" too.

However, once you reach a certain scale, there are competition law restrictions on what you can and can't do. This certainly has a market-abuse smell about it.

US-China chip cold war? It's only helping the Middle Kingdom, silicon makers warn

Max Pyat

Re: At last some common sense -- but will politicians listen?

Except they aren't going it alone. They're working hard on building up links in Africa and elsewhere.

Meanwhile, outside countries just see the US imposing sanctions and punishing countries for essentially "getting above their station". From a third country point of view, US/UK looks a lot more threatening (and in fairness, a lot more unstable and unreliable: Iran Nuclear Deal anyone?) than China.

Max Pyat

Re: Sanctions

References to Hermit Kingdom like this are pure markers of racism and ignorance.

You're also rather missing the point that China is showing no intention of isolating itself from the world, even if it does end up being cold-shouldered by the US. They are working hard on building relations across Africa and of course with a range of countries that the US has been strong-arming.

What one can easily imagine happening next is that you'll have Chinese engineers and other workers operating at large scale in countries that the US would traditionally have considered it had carte blanche to invade/bomb. Except that will get trickier if such actions are likely to involve significant loss of Chinese life.

It's the same reason you had British and American soldiers in Germany in the Cold War, and why they brought their families. So that if Soviet tanks ever did roll across the border, No. 10 and the White House wouldn't have to justify intervention purely on the basis of "our friends in Germany" but also "our troops, their wives and children are in harm's way".

Max Pyat

Re: Sanctions

Your comment comes across as a heady mixture of ignorance and thinly veiled racism.

Why are you getting so insecure? Even if you are, you'd be better to try and conceal it as it rather gives the impression you've formed the opinion that the "West" is "losing" to China as things stand.

Academics horrified that administration of Turing student exchange scheme outsourced to Capita

Max Pyat

Re: How do they do it?

Did you read the document you linked?

It is almost impossible to apply and leaves you open to challenge due to subjectivities.

I've worked in large-scale procurement and it's incredibly hard to use bad past performance to exclude vendors. In particular, the assessment is always, IME, based only on what you receive as part of the process, so you've to be super careful and clever if you're going to exclude on past failures.

Three pragmatic approaches I've used:

1) BEFORE you tender: bring the supplier in for repeated bollockings on the basis of their current poor performance. Make it incredibly uncomfortable to be your supplier. Verbally, and as clearly as you dare, leave them in no doubt that if you seem pissed off now it's nothing to what you'll be like if they wander back in to sell you more. Make the individual agents of the company believe that you'll hold it against them personally in future; even if they turn up representing a different company in the future.

2) Again, BEFORE you tender, get the supplier blacklisted because of their performance or because an investigation is ongoing. Hard, and might not stick when you actually launch the tender, but good if it works.

3) Most by the book, but hard: set up the assessment criteria to heavily weight what the bad supplier is bad at. Hope that they don't manage to spoof their way through it.

Fundamentally, it's hard to punish your current suppliers for their failures in the next tender. But it's almost impossible to punish them for failures serving other customers (e.g. for DfE to punish Capita because they made a balls of MoD contracts). Some of it is regs, but it's also the asymmetry. They know the scenario directly; you (e.g. in DfE) have indirect hearsay, and beyond that end up relying on the submissions of your vendors (read the linked doc!).

When I've intimidated/deterred a supplier to f*** off, it's only ever temporary. When/if they turn up again in 4 years they will explain that they've been on a big quality/improvement drive and are now so much better. And you have to give them a fair shot.

When software depends on a project thanklessly maintained by a random guy in Nebraska, is open source sustainable?

Max Pyat

I think the risk assessment comment is almost the key one.

The scenario painted is of companies that find handy open source projects, and then build critical infrastructure on top of that: paying nothing and assuming the project will be there forever and will deliver the bugfixes and features the companies need.

This might well be the case, but if so the fault is entirely with the companies using the software: they need to assess and manage the risks. If you're buying from a commercial vendor, you put clauses into your contracts. If you're looking at an open source project, there are ways to do that too.

On the positive side: the article highlights just how little money it would take to bank-roll some of these projects.

Max Pyat

Re: "somebody else will step forward and carry the torch"

And it can almost certainly still be picked up and maintained if it "becomes relevant" or "starts to matter".

This whole thing is an ill-conceived discussion. The issue is about businesses managing their risks.

Max Pyat

Re: "Fix it"...?

I think it would be more appropriate to say you need to know enough to manage the risks. So if you're using a spreadsheet package, you need to understand where you use it in your business, what the dependencies are, what the impacts of outage are, and so on.

At that point you need to manage the risk: if it's a proprietary package, that means reviewing the supplier, including their financials, code-escrow, and so on; if it's open-source, then it could mean hiring a developer yourself, or it could mean getting a commercial support contract outside your firm: that might even be bought from the core dev-team.

1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?

Max Pyat

Re: "Only problem was keeping all my devices in synch"

Yes, lots of options.

I have a git repository on my local network, and keep the encrypted keepass file in that.

Then when I'm at home with my phone, I can run a one-liner in Termux to synchronise the phone's git repository with the local server. Ditto for laptop and desktop.

The restriction is that you really should only edit on one device, as there's no way (obviously) to merge changes made in parallel via the version control system, given it's a binary file. But on the flip side, I don't move the file to uncontrolled cloud services.

Seagate UK customer stung by VAT on replacement drive shipped via the Netherlands

Max Pyat

Re: Should not have Netherlands VAT ...

Not quite, and in fairness, Seagate make it all rather clear:

"In addition, while it is correct that the customer is responsible despite the warranty, the customer will be entitled for a VAT relief. If they declare the replacement as outward processing relief at export. If the customer fails to do so, then yes, it is up to the customer to pay for the VAT, and this is a Brexit consequence: VAT is charged when products are crossing the border."

So all that's required is for the customer to prepare export documentation and file it appropriately with HMRC or Customs & Excise or whoever it is these days in order to secure a VAT relief that can be applied against the import of the replacement (or repaired) HDD when it comes into the UK later on. There's probably not much more than a couple of days' administrative work required on this (between reading into the processes, documenting it, etc.), plus whatever administrative checks are needed at the border to make sure that it's all legit.

And one should not forget the most important thing: these are proper UK regulations vital to taking back control. This should not be confused with awful EU red-tape that presumably was in the background of the old system where Hard Drives would shoot back and forth without any proper UK control on what was happening.

Max Pyat

Re: Should not have Netherlands VAT ...

I think, as Seagate explained, the owner of the drive needed to declare the export of the drive from the UK as a warranty return. This would have given some sort of credit to the owner, which they could then use to re-import the drive (or its replacement) VAT-free when it was sent back to the UK. I've no idea what the paperwork for this would look like, but the logic is reasonably clear. Additionally, it would be important to be able to verify that the returned drive basically matched the one sent to Seagate (i.e. that someone didn't "warranty return" a 40MB ancient HDD, and then get sent a 1TB SSD by return). Not sure how customs check that, but they'll be building up the systems already if they haven't already.

Ultimately it's not a big deal. A few hours of paperwork and checks (or a couple of days maximum) would be all it would take in terms of actual administrative work, and maybe a couple of weeks of additional transit time. Is that really a problem? It's really just a matter of UK rules and regulations, and seems like a small price to pay.

If the owner of the drive failed to declare it on exit of the country, then there's really nothing that Seagate (or the Netherlands) can do. The UK has "taken back control", so it's not appropriate for them to even comment on the matter. As HRH said "it's none of their damn beeswax".