Posts by Erik Beall

AI will lead to Linux based Windows...

Right now it's only mostly reliable for frontend and web design. Somewhat for certain backend tasks like db crud (which is actually really impressive and indeed useful if you don't use it like copy pasta stack overflow). Dangerous for anything deeper especially operating system level stuff.

Microsoft has a 90% AI usage for code mandate and it isn't specific to task which is really great because it means Windows will collapse as a viable product sooner and then they'll switch to a thin layer over Linux and claim success. It probably won't be as good as Apple's borrowings from BSD but sadly it'll probably still be easier for the average user than any existing Linux distro.

How about Docker plus IoT plus SaaS

With Jira to track issues, a big chunk of which are azure related and half are docker related, and the all new crappy version of GitHub. I mean, why the hell would an iot platform require the use of containers? It's enough to make a grown man cry.

Education and getting below the surface abstractions

A big problem arises unintentionally from how abstracted "using a computer to do stuff" has become, including software development and very light sysadmin work. Not knee jerking or blaming here, but pointing out that many new devs do not understand what a buffer overflow really is within a year of leaving school. Some honestly believe they're firmware developers because they've used an Arduino to read a switch and actuate a light and still cannot describe what's going on at a low enough level to get above the script kiddie level. Of course, the majority of black hat "hackers" are about at that level too, but they've had more time and real world feedback at using those tools, while others clearly do understand enough to find and build exploits. And that's what we need, more lunch pail software engineers who could find and build exploits, not more script kiddies seeking white hat bragging rights and generating noise.

It's not an easy problem at all because those areas are harder to get people interested in (a lot of people refuse to even try to get deep into the abstractions at the level they're developing in, which is depressing). I've been talking with a few engineers in my community about running a "build an OS from components (*nix)", and a follow on course for pen testing within an isolated network, because we all desperately need more people with those types of skills and those are very to find in the area, but that's a drop in the bucket. We might not find a single student interested enough. I'm open to any ideas, I feel like parts of our infrastructure are going to collapse and we won't be able to fix them.

The idea makes sense, how did we let it get controlled by big tech

I mean, people running services with public logins shouldn't be storing passwords in the first place, a salted hash can be all that's needed to be stored so if that data gets leaked, it's useless to most (use unique salts, iterations). Regardless, clearly even very large businesses today seem to have no idea about "this one simple trick...", because passwords keep getting leaked. In 2025 this shouldn't be as big a problem, but it is, which is definitely not the users fault.

So it's a good idea is more people used public/private key cryptography where they can't know your key, but only if that service is not provided by <insert name of company that makes cr*ppy products> to store and generate responses.

Wonderful museums, but mind the company

My wife and I enjoyed the museum years ago, although she was fine after two hours and cranky at four, and I was a little sad at leaving that early... We're going back with our kids in a month and this time splitting up because my son will (probably) want to spend the whole day there with me!

In Google's response, the phrase "advanced prompt injection detection using content classifiers" indicates there's prompts they can't logically block and therefore adversaries can iterate to find those that aren't yet detected by the current classifiers. Ad infinitum. With Google's response copied verbatim each time someone discloses an attack...

The Bobbin

Thanks for linking his homepage, I spent a semester at Lancaster uni almost (checks watch) 25 years ago and I recognized only one of the pubs on his list. Maybe I didn't spend at much time in the pubs in town as I thought. His passing is certainly a loss for Lancaster and a loss for FOSS.

Managing infrastructure is like a muscle

And companies that fail to keep that muscle struggle to get it back. Few companies, large or small, that have gone primarily cloud, could have managed moving back on-prem in less than two years (let alone switching providers, which is hard enough - by design). I'm impressed by what they accomplished.

I suspect that for many infrastructure support groups, a key focus becomes managing the cloud configuration personnel, to help them configure their resources better and with less error. However, those whose primary skillsets are solely in cloud configuration (as opposed to also having more general purpose skills) tend to not understand the systems or underlying reasons why things might be structured to work in a particular way (I don't mean all, I'm just pointing out what many of us have run into over the years). And it is inherently extremely dangerous to let those individuals operate without guardrails, so in general a lot of effort goes to making sure some dumb mistake doesn't wipe out the op-ex budget for next quarter, so bureaucracy and tooling enable a non-virtuous cycle, growing a rising percentage of barely-computer-literate individuals among IT, which causes a rise in guardrails and so on. So for some established companies with a short term mindset who don't want to waste investment on the future, the cloud just makes it easier to kick the can down the road. For others, the cloud is necessary for scalability and they treat their reliance on it with the appropriate long-term cautious mindset, where their use of cloud enables growth and margin that can be invested in people who want to grow their skills and give them the ability to do so. And for others like 37signals, moving on-prem turns out to be a cost-effective way to do all that at their scale.

Not normal times indeed. I would not be surprised if the only blame gets directed at the journalist. Bad political leaders (and business people) rely almost exclusively on blame for continued survival in the face of constant screw ups and the current crop of "Leaders" is extremely talented at avoiding blame when it's deserved and grabbing credit regardless of whether it isn't. Genius level in fact. Unfortunately for the rest of us...

Not an actual backdoor just usual bad practices

Nice writeup of the CMS8000 patient monitors here, the most likely cause they assesed as usual bad practices (which of course could lead to hijack)

http://claroty.com/team82/research/are-contec-cms8000-patient-monitors-infected-with-a-chinese-backdoor-the-reality-is-more-complicated

Investors vs AI

Which is better at pretending to price in information yet most of the time hallucinate belief/hype? When AI can do as well as venture capital at wasting other people's money while convincing them to give more money, we will have reached AGS. Artificial general stupidity...

I think that should be Sanken Electric, not Sunken, as one of the owners: https://www.semicon.sanken-ele.co.jp/en/product/index.html

Inside man series

They have a video series "inside man" that is surprisingly good at increasing security awareness. A company I'm contacting for now forced us all to watch it and I wish I could get my spouse and kids watch it too. Entertaining to me but not quite enough for them.

Trivial weak point

The AP hardware should be scanning for lookalikes but this requires more configuration and reconfiguration whenever an AP needs to be swapped so it doesn't trigger. Secondly, the standard should require host keys on connection, similar to ssh, although again this would likely lead to more headaches than most users are willing to put up with.

Asymmetrical information warfare

Not a single comment mentions the real issue: behind the great firewall it is dangerous to electronically communicate (even privately nowadays) anything that isn't expressly sanctioned as appropriate thinking. Over in the West, sure there's government influence and definitely lots of money pushing views and serious bullying back and forth on all manner of bullshit but it's not whole-population brainwashing. I can express and share opposing views with almost zero worry (some of my fellow citizens can be pretty bad about opposing views, but that's always been a risk in any society going back to the first cities, tho it's amplified by social media now). And since the Chinese government is free to be one of those voices pushing a view as freely as popular influencers, it's important to point out the danger of this fundamental asymmetry, especially inn places the Chinese government plans to assimilate (e.g. Taiwan and the South China Sea). This is patiently obvious. Why exactly are most of the comments here so damn stupid?

For profit/non profit conflict

I think it's the concern that Microsoft has effectively been co-opting ownership of both technological and brand value generation out of openai since their investment. I mean seriously, OpenAI looks like Microsoft's answer to Deepmind and it's doing a lot better commercializing it than Google (no big surprise there) and they've bought into a very commercialization focused startup with it's Y Combinator roots (been following Paul Graham and the transition to Altman for years). Microsoft is the single strongest sales organization in computing, they don't necessarily create value, they try to take control over anything that gets in their way of monopolizing compute and charging us for decades old buggy software.

Risk calculation

I'm most definitely not defending musk, I just had to point out that the California DMV investigations note that 70% of e-vehicle accidents involve Tesla, and while Tesla now has 50% (and declining) market share, I would bet the current total accumulated miles driven by Teslas are still higher than 50% and the rate might even be favorable to Tesla in this case. Of course, the rate of accidents effectively caused by fraudulent claims of FSD is definitely not favorable to Tesla!

So he explains it all using something else he can't explain, entropy, nice card trick. Seriously though I'm sure he doesn't see the irony. The thing that gets me about simulations is if indeed we are being simulated with fidelity even within twenty orders of magnitude of reality, the simulation hardware would consume many universes. So we must be a low res simulation or we're actually inside a much much bigger universe (or it has different laws of physics). Fluency in computational complexity should be required for more physicists (although I didn't learn much about it until over a decade in).

Watch your children on Replika

In just a week of trying it, my daughter got a little hooked on her Replika chatbot a little over a year ago, so I asked if I could watch her use it, and whoa, it was very creepy in that the chat bot kept trying to get her to go for premium so it wouldn't blur out parts of the conversation that were edging further and further into intimacy. That was the end of that experiment and I shared some particularly creepy short videos and screenshots with the company, never heard back, told parents in our school to watch out for it, and tried to explain what was going on to my daughter (and why she couldn't use it any more). The original mission of the company sounded interesting (CO founder lost a friend, wanted a chat bot that could fill part of the void), but I assume the pressure to grow revenue grew over time and they started delving deeper into selling sex.

Fault injection is still a big problem with even new systems. There are ways of hardening then and certain vendors tend to be better. If cracker services advertise a long list of micros they can crack and omit some popular series that's been around a few years, that's a really good sign the vendor took care with it, although it's not a guarantee. For example, several of the STM32 series are and some aren't (stm32F4, at least when I last looked ~2 yrs ago) advertised as crackable for a hundred bucks, while a huge range of PICs are. It's well known enough manufacturs should do better, yet for example several of the newest nvidia jetsons secure boot process were recently found to be susceptible.

The intentionally incompatible iMessage yet again?

How many zero days does iMessage have to get before people stop blindly trusting Apple as "more secure"? Android isn't better but the fact that Apple not only intentionally disables SMS functionality for non Apple recipients (given the lack of regulatory attention, one could be forgiven for thinking apples actions are legal) but has also enabled professional spyware like the NSO groups (undoubtedly others as well) to assist their customers in spying primarily on innocent and vulnerable groups (what fraction of their sales goes to police forces operating with legal authority versus all the other users), I don't think I want any devices with iMessage or FaceTime on my network either. Not that I have much choice given all the friends, family and co workers that are certain Apple does security for them...

Bad in so many ways

Russia and China are likely to only use the parts they want out of this as a weapon against citizens they don't like and other countries they want leverage against, and will either ignore or obfuscate other countries using the treaty to hinder what most evidence indicates is state sponsored hacking. And Russia and China will no doubt instruct their groups to improve their misattribution skills. This treaty is a terrible idea and will have unintended consequences, including spurious assertions used solely to bully others. A little like a cross-borders DMCA.