
* Posts by that one in the corner

5065 publicly visible posts • joined 9 Nov 2021

Workload written by student made millions, ran on unsupported hardware, with zero maintenance

that one in the corner Silver badge

Re: Makes you proud

> The one that gets me is when you find and fix a long-standing bug in some code and wonder how in hell it managed to keep going in its original state for so many years!

You have to tread carefully around those sorts of bugs, just in case it turns out to be a Schroedinbug - and you have just observed that, unfixed, it can't possibly work. Which collapses its wave function and, through spooky action at a distance, every running copy of that program will suddenly stop working!

that one in the corner Silver badge
Black Helicopters

It was reading the water level in an octopus tank, measuring how excited the beastie was.

If an octopus can pick football teams it can manage shares easily[1].

[1] I'm pretty sure there were experiments done with using a monkey and, separately, an octopus to pick shares, which demonstrated that they were actually better than the average human trader, but trying to search on "octopus share picking" gets nowhere useful these days! Can we make it a rule that, when picking a stupid name for your company, you can't use names of real things?

(Icon - sort of looks like an octopus, hiding two of its arms so you can't see which stock names it is typing in)

that one in the corner Silver badge

Re: I'm curious...

When I saw GPIB (aka IEEE 488[1]) mentioned, I was sad that they hadn't found a PET sitting there - or even a C64 with the plug-in adapter!

Maybe another On Call will turn up such a delight.

[1] also aka some European standard, an IEC something? Could Google, but that is cheating when it is old farts remembering stuff!

Atlassian buys 'asynchronous video' outfit Loom for almost $1 billion

that one in the corner Silver badge

Re: TikTok email edition...

> I can see it being useful for bug reporting

ONLY, and I stress, *ONLY*, in the second or later comment, to prove that, yes, it really *is* reproducible on the client's system and/or "this is what we mean by 'the screen goes wobbly all over'".

Not, by the Mercy of all the Gods of Egypt[1], used instead of a written description in the initial report!

[1] especially that crocodile-headed one, although being chewed by him would be more merciful than getting video-only bug reports.

that one in the corner Silver badge

We are insanely hyped

"Hyped"? Well, that is an unusual word for it.

Getting a video, instead of the User being forced to type in a description of what they did, the commands and all the options. This is going to make bug triage so much more - interesting.

"Yes, I can see your screen shot[1], but you need to take it *before* pressing Return - I need to see the exact command you used, not just the last twenty rows of the 'bad output'."

"Can you *please* go through that process again, but please, please, don't type ahead of the dialogue boxes, you have to let them appear on screen so I can read the *exact* message and follow what you're inputting. Yes, I know that is how you always do it and it is so much faster that way. Yes, I *know* this is the sixth time you've made a video of this[2]"

"Yes, that is a 'fun' font to use in the console, but, once more, is that an el or a one or a pipe character? Pipe, you know, shift-backslash; no, I don't know which key it is on your borrowed Norwegian keyboard."

Then That Important Person realises they can now just copy the hour long video meeting into the ticket "you can see the bug somewhere just after Fred points at Bert's bit of the presentation" - and who the bleep is Fred? Or Bert? You were the only one from our company at that meeting!

[1] tucked away in one corner, as clearly seeing your face is so much more important

[2] trust me, I *know*; and you snarling out your narration louder each time is making it such a joy

Excel recruitment time bomb makes top trainee doctors 'unappointable'

that one in the corner Silver badge

On a lighter note

Anyone else getting whiplash as we are flung across the Atlantic and back again almost every sentence?

For example:

> The NHS suffers from a chronic shortage of anesthetists. Last year, the Association of Anaesthetists

Why must the noble diphthong be so cruelly treated?

that one in the corner Silver badge

Re: Excel recruitment time bomb makes top trainee doctors 'unappointable'

> traditional 4GL package

Much as "4GL" makes me grind my teeth in lieu of screaming rants about that name, have an upvote for an otherwise very sensible comment.

Hmm, Sculptor are very cagey (as in, no mention I can see) about pricing, which usually means it is way out of range for, say, just doing a scoring system for Free Flight model championships or anything similar.

Would be nice to have suggestions if anyone knows of a viable (i.e. affordable, even cheap, even Open Source!), non-cloud, program for that sort of small job (the sort of thing that assorted clubs may want to do). NOT Excel! Or anything else that presents itself as a spreadsheet "for familiarity and ease of use"!

that one in the corner Silver badge
Pint

Re: Excel for dodgy databases

> I'm sure it's a pipe dream, but just once, I'd like to work at a place where they actually did the SAP setup correctly.

It is Friday now; in just a few more hours you can sit down with one (or two) of these. Sounds like you'll need it.

Engineers pave the way for building lunar roads with Moon dust

that one in the corner Silver badge

Sigh, read the article, people!

It isn't going to be Space Lasers!

> Taking the process to the Moon might employ a Fresnel lens – a composite, flat or compact lens – of about 2.37 m² to produce the required effect

I know, I know, "sharks with frikkin' Fresnel lenses on their heads" doesn't have the same ring to it.

But look at the other possibilities this raises! Big lasers are tricky - just *think* how big you could make a Fresnel Lens In Spaaace! I'm imagining an extruder being slowly whirled around a central pivot at the end of its Bowden tube, which is extended as the printed lens grows. After a day, the lens creates a bright but harmless spot on the surface, used to align the device in its artificial selenostationary powered orbit[1]. Slowly, the spot becomes brighter until the regolith melts.

Of course, every 29 (or so) days, the spot suddenly dims and goes out, only to reappear, brighter still[2] 29 days later.

The Dastardly Plot: the extruder was halted some while back, the lens having reached the optimum size for road building. But, just before The Diplomat's moonbuggy is due to set out on its historic journey at Lunar dawn, unbeknownst to all, The Villain (Colonel Sun?) has not only restarted the extruder but also engaged all five of its backups. During the night[3], they have been working away and have created The Snowflake[4] Lens Of Doom! Can Our Hero save The Diplomat and The Girl from the Lunar Daylight?

[1] hmm, powered is a problem - someone run the numbers: is a Selenostationary Solar Sailing Orbiter viable? Can it be its own Solar sail?

[2] assuming the extrusion device isn't itself dependent upon solar power: Solar Powered Selenostationary Solar Sailing Spider.

[3] ok, that settles it, they are on batteries (or a baby nuke?)

[4] six extruders all at once, you see; it allows the FX guys the chance to do something other than just make it a larger circle, which won't look any different to the audience.

that one in the corner Silver badge

Re: Inevitably

> And best of all Google isn't going to help you.

But, but - that can only mean: it doesn't exist!

PS

I did try and you are absolutely correct; but just you wait until Friday, when Google has read your post, and by Sunday you'll be credited by Wikipedia with coining the phrase (one citation).

PPS

For a moment, I thought it was from the theme for Yosser and co, but of course not; not even the alternate version by The Pogues.

A $353M question: Did Meta muzzle a VR venture?

that one in the corner Silver badge

It's got a nice beat and you can dance to it

Altogether now:

"Conspired, colluded,"

"Aided (and) abetted"

I can see why they acted in a concert with a hit like that on their hands! Is it going on tour?

PS can we haz formatting for songs and poems that doesn't force one line per paragraph? I know that will only open the floodgates for extra verses of "Hallelujah" but that is a risk I'm willing to take.

DARPA worried battlefield mixed reality vulnerable to 'cognitive attacks'

that one in the corner Silver badge

What will they call *real* attacks on cognitive processes?

This whole article is about attacks against Mixed Reality systems and has bugger all to do with anything you could sanely call "cognitive attacks"!

> Cognitive attacks go beyond just disrupting MR headsets and can also include actions like planting real-world objects to overwhelm displays, using physical objects to cause false alarms

No, that is not "going beyond" disrupting the MR system: like any other system, if you can feed it inputs that make it glitchy, it is being disrupted. Are we supposed to read "disrupt" as simply meaning cutting the wires, and everything else is "beyond" that?

> The core technical hypothesis of the program is that formal methods can be extended with cognitive guarantees and models to protect mixed reality users from cognitive attacks

You mean they are deploying software that HASN'T been subjected to formal methods? They have so long ago already given up on the idea of having robust avionics and fire control systems that they have to (re)introduce the concepts of formal methods just to get them applied to MR systems? Although, come to think of it, the current pushers of MR, AR and VR do strike one as never having heard of formal methods - barely heard of QA, some of them.

> In other words, DARPA wants to mathematically represent cognitive models of "human perception, action, memory and reasoning" and figure out how to build some form of universal protection against cognitive attacks

Ah, now that does sound like they are looking at something that deserves to be called "cognitive attacks"; maybe it will get juicy:

> "The ICS program ... as part of MR system development

Oh, nope, they are just talking about MR still. I was just getting excited at the prospect of dealing with some of the weirder ideas about using techniques from optical illusion and similar fields to befuddle the unaugmented human (think something between "dazzle ships" and trying to defictionalise the "fractal parrot"[1]).

So the "model of human cognition etc" can just be "keep to this framerate, don't rely on humans to remember anything ("whilst under stress?" "No, I mean - ok, let's go with that") and don't make the screen flash dark/bright at, ooh, 4Hz even if that *does* reflect the rate you are detecting bangs - and definitely not red!"

> Given it is still early days for DARPA's ICS program, soldiers testing IVAS and other mixed reality devices won't be able to rely on cognitive security features anytime soon.

Given they have yet to solve the problem of lag and nausea in the first place, this is not a surprising result.

But, honestly, what is it they are actually asking for, under all the management speak? To start with, the use of formal methods to - guarantee that the frame rate is maintained to prevent lag? In other words, basic requirements of a Real Time system - "you have 10 milliseconds per frame: if you can't draw all the details in that time, skip them and update the display" instead of just doing *all* the work *every* time and just hope the nasty enemy hadn't put so many little walls onto the ground that you drop to 5 fps update[2]. BTW remember this is Mixed Reality, so you still get a view of the real world, which hopefully still manages a decent lag-free update.

> "Methods for developing protected MR systems will be developed by the ICS program before MR systems lacking protections are pervasive and essential,"

They are going to get some actual computer scientists, Old Geezers and others who actually *trained* in the Dork Arts to work on the MR headsets, not just gung-ho "visionaries" and tech-bros?

Well, if they *really* have to fling around such over the top language in order to get the grant money and the ability to hire the people they need, not just the ones they get, then, sigh, go with it. I guess at bottom it is no worse than any other grant proposal ("if you can just say the Rust compiler will investigate the effectiveness of Neural Nets, we can apply to this body as well - just keep Sheldon away from them, or he'll say we already know what the result of that investigation will be").

[1] David Langford, "BLIT" and "Different kinds of darkness" in particular.

[2] I am probably *very* out of date on game programming - which seems to be where the current crop of headset people are coming from (again) - but it seems that this "just do it all and fingers crossed" approach is what actually happens nowadays - which is why you get all these weird reviews about frame rates and "we got 182 fps from this GPU, but 184 from this one, so buy the latter". When the talk used[3] to be about games as Real Time and they either apologised and never ran or ran at 30fps, rock solid, didn't matter what extra cycles you threw at it, you got 30fps; the excess may be used to improve some shading or whatever.

[3] many moons ago and in discussions (we didn't have lectures about game writing back then) whilst marvelling at the latest hand-soldered MPU boards

Europe mulls open sourcing TETRA emergency services' encryption algorithms

that one in the corner Silver badge

Re: Problem?

As others have said, it made it too easy for the boys in striped vests and domino masks.

There are numerous period pieces being shown on, eg, Talking Pictures TV (Freeview) where the getaway driver is shown listening to the police on a portable trannie, two flashes means tools down, keep quiet until the patrol goes past...

EU threatens X with DSA penalties over spread of Israel-Hamas disinformation

that one in the corner Silver badge

Re: Free Speech

> It is ironical that non-elected EU apparatchiks were given the power to determine what people are allowed to see.

Presumably also ironical that non-elected Customs officers were given the power to determine what to charge on imports? That non-elected Constables were given the power to stop you going where you are not wanted? That non-elected DHS staff were given the power to determine how much benefits you can get?

In case you hadn't noticed, the elected people set the laws and the lots and lots of non-elected people then put those into practice. And all of their non-elected decisions can be challenged.

Or do you seriously find it "ironical" that the elected members of a parliament don't actually go out and check every xit, examine every parcel, patrol every street in person?

(Feeling a bit - well, triggered - by this, as I made the mistake of following the link to the Commission's posting of their letter and every single one of the replies to it, that were shown to me that time, were of morons basically making the same idiotic claim. Yes, I know, always try to keep oneself clear of xits but I wanted to check just how much of the letter was actually visible to those referring to it)

that one in the corner Silver badge

Xitted - 'x' pronounced 'z' for preference[1]

[1] or 'ch', as in TeX: "the screen should be slightly moist" after you've said the 'ch'.

Intel offers $179 Arc A580 GPU to gamers on a budget

that one in the corner Silver badge

Re: AMD Still on Top in the Budget to Mid range, with Intel in a firm 2nd

> . if you don't care about value for money, and only care about perceived crowns and the shiny badge affixed to a product... then you'll still buy nvidia anyway.

Or want to run some Cuda number-crunching during the daylight hours.

You don't have to stick with just one use for your computer.

AI safety guardrails easily thwarted, security study finds

that one in the corner Silver badge

LLM - neither 'L' stands for 'logic'

You have shovelled and stirred absolutely everything into a humongous homogeneous pile of nadans, into which you dropped a soggy spongeful of prompt, then waited for it to seep through the layers, causing who knows how many buckets of weightings to overfill and join the flow, until finally the pathways at the edge are overcome and slough into the output trough.

Trying to add "guardrails" is just dropping sandbags onto places you have seen "the wrong stuff" unexpectedly oozing out of a crack - purely reactive and without any reason to believe, other than crossing your fingers and making a press release, that you've caught all the leaks by now.

An LLM has no logic built into it, no comprehensible control paths; it can not be bargained with, it can not be reasoned with, it doesn't feel pity or remorse or fear, and it absolutely will not stop until you are sick to death of it.

Twitter further restricts free tier with option to limit replies to verified accounts

that one in the corner Silver badge

> because?

Some of the automated[1] services can be useful - changes[2] to scheduled services and programme items.

[1] Automated? Aren't they those evil bots we keep hearing about?

[2] or, in some cases, fewer messages when the services are working to schedule, but that is another topic

IDC: AI is a solution for a PC industry with a sales problem

that one in the corner Silver badge

Whoops.

(cough) That should, of course, have been:

[1] Although that is NOT setting bar high.

(crawls off into the undergrowth)

that one in the corner Silver badge

> Other than "no-one knows what to do with it", I see no meaning of theses words.

Spot on.

Congratulations, your English is better than that of IDC.[1]

[1] Although that is setting bar high. Great, now it sounds like I'm damning tatatata with faint praise.

that one in the corner Silver badge

What a shame the machines are better at learning than IDC et al

> While uses cases have yet to be fully articulated

If only people like IDC (and the bosses at HP, Lenovo, Intel et al) could see beyond the Big Brand hype machines, like ChatGPT (which are all very much based on offering cloudy "solutions") to actually look at how smaller (much, much smaller) models are already being used. Anything TinyML can do, we can do bigger! And even if the actual models are cheap to run (won't need a new PC) then training can always eat up the cycles.

It is surely a lot easier for them to take ideas for use-cases from already working small-scale systems[1] and pump them up into something that won't *quite* run on your existing dreary old PC but will go like the wind on their "next gen", just a bit bigger, PC. After all, software bloat is already an industry standard!

Guess the real problem is that it would mean all these CEOs having to train themselves on published descriptions about people's projects and then have some ability to mix it all up and generate some answers to match the template "needs a bigger PC, but not so stupidly large the market will just laugh at us".

Hmm, training, public data, generating text, fitting a template - that just sounds so familiar, it is on the tip of my tongue...

[1] ok, this one isn't business-oriented[2], but there is still the whole home PC market to re-invigorate! We just set up a Pi Zero 2 to run the BirdNet model for our back garden - now I'd quite like something a bit bigger, not to run 24 hours a day, but which can pick the individuals out of recordings made on trips away from home - what was that bird we saw at the local water park?

[2] nor is it guaranteed to have wide appeal at home; but it is just *our* latest use-case. The point is, there are lots of projects, so scatter the promotions[3] and something will resonate with each person.

[3] look, do you want a big, fancy, easy to do, hype marketing campaign around one thing or do you want to sell lots of "different" PCs at all sorts of price points?

Scripted shortcut caused double-click disaster of sysadmin's own making

that one in the corner Silver badge

Re: Is there anyone

BBC micro: menu shell to load a selected program from floppy (floppy! We were so happy!), with categories (games, games, or, um, card games!).

Make an edit or forty, run it, press key - game loads, menu program vanishes (me, no longer happy, bystanders ecstatic).

DoJ: Ex-soldier tried to pass secrets to China after seeking a 'subreddit about spy stuff'

that one in the corner Silver badge

It is a very rare card to find outside of the intelligence community

Cut him a break - he is clearly[1] an avid Pokemon player and was just trying to trade a Secret Rare (maybe even an Ultra Rare, given it apparently is only seen in special communities, like the SDCC). All he wanted was a chance to visit all those Pokemon GO gyms in the PRC!

[1] well, this makes more sense than his believing he was an effective defector

Microsoft drops official support for Python 3.7 in Visual Studio Code

that one in the corner Silver badge

That is SO StackOverflow

> Stack Overflow developer survey placed the language third, behind HTML and JavaScript, but higher than SQL.

HTML is the top "programming language"? And presumably, all hand-written, not generated from some site layout tool or converted from Markdown by a Python script?

Why does that not sound quite right? What is wrong with picture?

All these questions, and others, will be answered on this week's episode of - SOap.

PS

> In its 2023 survey, Stack Overflow noted that Python placed first for respondents who were either not professional developers or were learning to code.

Clearly the sensible ones who have not yet been on SO long enough. Yet.

UK data watchdog warns Snap over My AI chatbot privacy issues

that one in the corner Silver badge

What is this "history" of which you speak?

> As with any new technology, some are trying to use it in ways that were not intended, which is why we are implementing a range of guardrails and filters to make Bing Image Creator a positive and helpful experience for users."

"We have no records of anyone trying to subvert any previous Microsoft product and we had no idea that they might be naughty enough to try, which is why we never had any reason before now to start to think about implementing possible guardrails."

"Yes, you in the back? No, no, I have never heard the name 'Tay' before, unless you mean the river, the one with bridge, and that wonderfully lyrical poem."

that one in the corner Silver badge

Jump on the bandwagon, dilute the warning

> a worrying failure by Snap to adequately identify and assess the privacy risks to children and other users before launching 'My AI'," ... "We have been clear that organizations must consider the risks associated with AI, alongside the benefits.

Once again, a grand pronouncement that targets flavour of the day, "AI chatbots", and by doing so risks distracting from the general problem: EVERY system that gets people to type in loads of text is a privacy risk, for children, teenagers and, yes, even adults. From Snap "MyAi" to Register comments[1].

AI has nothing to do with it - except that it is, today, the easy way for companies to whip up a website to prompt for all that text input, if only because those flogging the software are hawking it around everywhere, at affordable starter prices.

A chatbot does promise to keep the user engaged for longer than waiting for a.n.other human to respond and prompt a reply back, but you don't need a costly to run AI for that: "Hmmm, tell me more" every few seconds works[2].

[1] wanna bet that there isn't a bit of software out there to help de-anonymise all these commentard names? Training an LLM over a user's comments (on any site) is probably more of a privacy risk, to more people, than waiting for someone to dox themselves to Snap.

[2] yes, Eliza. Again.

You've just spent $400 on a baby monitor. Now you need a subscription

that one in the corner Silver badge

Re: "the sudden imposition of subscription fees"

> But it's rare for the account to be more than a few dollars in credit, anyway.

Radio 4 over the weekend: many people have a hundred or more quid credit at the energy supplier (especially at this time of year, before the winter chills set in).

One chap, over £1500 (IIRC) in credit (they did not say how large or what type of property) wanted to reduce that by a few hundred and was getting the run around.

that one in the corner Silver badge

Re: You've just spent $400 on a baby monitor

> To watch the babysitter?

With a device whose USP (over a far cheaper teddycam) is to monitor breathing, room temperature and humidity?

Teddycam alone could monitor the most obvious reason for heavy breathing, increased warmth and humidity, so they are worried about - something else? A sudden chill, babysitter's breath held in horror, blood dripping from the walls? Or babysitter crawling on the ceiling, breath coming in rasping gasps, water running from her suddenly ankle-length black hair?

Does the Miku camera setup allow auto-dial alerts to Fathers Merrin, Carras and Dyer?[1]

[1] why do I now think of the three of them living in a parochial house together?

that one in the corner Silver badge

Re: Yet another bloody cloud device

> So go fsck yourself AVM, I'll keep using IPSec.

Have you tried asking them about it, before suggesting they do the anatomically improbable?

The Fritz!Box kit and AVM have a pretty good rep overall, WireGuard support is clearly a very feature for them: allowing you to use your static IP may just be a firmware fix away - if you let them know that individual customers that have fixed IPs are still A Thing!

that one in the corner Silver badge

Re: Device no longer working as sold

> but not the other sellers using Amazon as a "fulfilment agent"

I have had success in the last month getting two refunds from Amazon UK on something that were just "dispatches from Amazon" and "sold by" other companies (and, yes, those were the only returns I've had to make in a while, not "just the two successful ones"!). Back in 2019 I even had a hassle-free return for a second hand item "dispatches from Amazon" (the seller got the exact model number wrong) costing a few hundred quid, just via the normal website process.

Not going to claim that these are anything more than anecdotal evidence, certainly not that they are acting under duress of the regs (I don't claim to know where their liabilities under law stop - but I do note that they say "dispatches from", not "fulfilled by"), but if they didn't think they had to do these returns...

PS

Yes, yes, I deal with the devil and buy from Amazon. Not proud, just practical.

PPS

> I'm not sure I can remember[*] the last time I bought something that came with a "manufacturers warranty card"

Bought a camera lens new (a rare treat) in 2020, that came with one. Some of the second hand camera kit comes with that form, still blank, as the previous owner just left it in the box, but those could easily date back to 2013 or so (rarely know the exact age of these things, just the condition)

that one in the corner Silver badge

Re: Device no longer working as sold

> If it don't do what it was sold as doing, it's not "fit for purpose"

And note that this does *not* simply mean what is written on the packaging, but what purpose you discussed with the vendor.

If you are sold something called a "hat stand" after asking for something that will hold your umbrella, if it can not support the brolly it was not fit for purpose.

If you tell the person in Currys you want a TV that works without an Internet connection and you can't get past a registration screen, that is not fit for purpose.

The downside is that the vendor is going to argue that you never said you wanted a brolly stand, so best to get some proof of the discussion beforehand[1] - take in a list of requirements[2] and make sure it gets stapled to the receipt, along with that piece of card trying to sell you an extended warranty.

[1] time was, vendors were honorable shopkeepers and their reputation meant a lot to them; nowadays - people still shop in Currys!

[2] even worth playing the "our boy wrote this down for us" doddery old fart card, to brickwall when they try to convince you otherwise.

that one in the corner Silver badge

Re: Someone else's computer

>> Nice ideas, but these things are all just luxuries and fripperies;

> After all everything beyond basic food and something over your head could be called luxury or frippery.

Sigh.

The baby monitors and the smart light bulbs are fripperies, not consumer regulation.

Sorry if this wasn't clear to you, but as I then went on to discuss how to get the existing consumer regs to come into play, shouldn't it then have become obvious that I was not attempting to argue against consumer protection? Leaving you with a great big hint how to disambiguate "these things".

that one in the corner Silver badge

Re: Internet connected webcam monitors

> Good luck with that with my network.

But you aren't exactly the target demographic for these things, are you?

Now, if you boasted "good luck with that on any network in the following two post codes, where I've campaigned and helped reconfigure the routers for all the poor mugs who, through no fault of their own, fall into these sort of bad practices"...

that one in the corner Silver badge

Re: Someone else's computer

> To be fair - there should be regulation, where those companies would need to open up the API specification for their products and make it easy to point them at your local server when switcheroo inevitably happens.

> When you choose subscription you should also be able to shop around for cheaper providers of the same service.

Nice ideas, but these things are all just luxuries and fripperies; they aren't in any way essentials, barely even "nice to haves". You aren't going to get the required cooperation between the companies[1] or any help from consumer legislation, beyond the basics (and you *did* agree to the terms and conditions when you registered your toy on the server).

Rather than idealistic dreams, work for realistic goals and then nibble away at the companies.

For example, demand a clear statement of precisely how long you will have access to the servers given the package you have bought. This can then be covered by consumer law.

Point out to the retailer that the lack of that statement, clearly on the packaging, is the reason you aren't buying.[2]

[1] it will cost them money, if only to actually document their API - let alone clean it up enough that the glaring security holes are closed and the overall naffness of the design doesn't end up as the Daily WTF.

[2] yeah, I know, this is just a pipedream[3], hoping that enough people would actually bother to do that often enough that the message even got back to the companies involved.

[3] aah, sod it: "There ought to be regulation, why isn't anyone doing anything about this, etc etc etc."

US lawmakers want China export bans to include open tech like RISC-V

that one in the corner Silver badge

Re: Previously undocumented C++ backdoor

PS

Oh, that headline RISC-V stuff?

As I've got some third-party gadgets, already a few years old, with Made in China "AI enhanced" RISC-V inside them[1], I'm pretty sure that that horse bolted a long time ago.

US[2] politicians shouting and waving their arms about pointlessly, getting the people all scared and riled up, in order to be seen to be Doing Something Important? Inconceivable!

[1] FWIW, Kendryte K210 CPUs, from Canaan Creative; not saying that is an especially important, rare or special device, quite the opposite, which is the point, really. Other Chinese RISC-V manufacturers exist (Alibaba, for starters).

[2] other brands of politician are available, though you may be hard-pressed to tell them apart.

that one in the corner Silver badge

Previously undocumented C++ backdoor

FFS - it is just an old fashioned Trojan Horse exe that they con people into downloading via email, with a double file extension like fred.doc.exe - so why name-check C++? To point out how behind the times these people are and get them to use Rust instead?

There is a good bit of description in that report about the sequence the Trojan initiates, mingled with the usual jargon, but come on: that wording isn't trying to imply that there is some kind of secret backdoor inside the very depths of C++ that we never knew about?

It was just there to fool poor, innocent, gullible people, like sensitive young Register reporters, into copying the sensationalist phrase and hiding the fact that this is just a Trojan, with a pointlessly fancy name, and that the only take-away message should be "take care not to run exes in unsolicited email attachments"!

AI girlfriend encouraged man to attempt crossbow assassination of Queen

that one in the corner Silver badge

Re: In Other News ...

> A discussion about killing a queen could easily apply in a fantasy context where the queen is evil, and the bot probably has plenty of that kind of text in the training data

You are giving it too much credit. The article points out that Chail provided the suggestion, not the bot. Forget any ideas of "training data": Replika just needs an old-style chatbot: if they did use anything that needed training, like an LLM or other neural net, then they wasted a lot of horse power to get that level of behaviour.

that one in the corner Silver badge

Re: So, this guy ...

> so it's not at all inconceivable that he attached a "real" persona to his AI companion

Many people have done that, it really does not require psychosis or any other deep mental issues.

Have a read up about how people reacted to the original Eliza in 1967.

that one in the corner Silver badge

Re: Or maybe, you know, Kipling.

> AFAIK I've never Kippled.

It is a dying sport, but as Vin Garbutt used to relate, it was a very popular part of life up in the North East of England:

https://www.youtube.com/watch?v=lSaMvEZl3VY

(Vin describes, from the 3 minute mark, how his dad used to go out and take his kipplebat down to the Hartlepool Rud Yards)

that one in the corner Silver badge

> This ISN'T an AI chatbot. its an eliza 1980s grade reply bot

EXACTLY. Well, except that Eliza was written back in 1967, complete with interchangeable "personalities" (the most well-known of those being the "doctor" or "psychotherapist" mode); although the 80s did see a copy available for every home micro[1].

And this is reproducing the same results that Joseph Weizenbaum saw then and was both shocked and worried about: users ascribing personality and "humanity" to the program, ending up discussing things with it and then refusing to say what because it was private between the two of them and none of his business.

The effects of Eliza-like programs have been known and discussed for decades - it came up in an 80's Computer Science course, both for the techniques (class, write one by next week) as well as the ethics - and that was just in the LISP coding class, not even a "Computers and Professional Ethics" lecture, it was so well known a response.

> "make me a chatbot that wants to kill the queen"

It didn't even go that far - from the article

>> When he told it, "I believe my purpose is to assassinate the queen of the royal family," Sarai said the plan was wise and that it knew he was "very well trained".

So the chatbot didn't even bring up the subject, it just gave back a canned platitude: it was no more than "make me a chatbot that will be blandly supportive"

[1] strangely crude ones, given how large the computers were compared to a mid-1960s box; LISP not BASIC, people.

Police ignored the laws of datacenter climate control

that one in the corner Silver badge

Re: Location?

> whatever small space that you'll begrudge least, however unsuitable

>> but the cubicles were still there as the partitions were brick built.

Cubicles, plural, with decent brick walls? At least two (possibly more, to have plural partitions)? That could be a fair amount of volume, with solid structure you can safely hang the kit on and plenty of spare wall space to neatly hang your bits and bobs.

That sounds like a good deal more suitable than the cubicles in the rest of an average Business Link premises, the ones the human resources are supposed to live in.

Make-me-root 'Looney Tunables' security hole on Linux needs your attention

that one in the corner Silver badge

>> Am I correct that a Rust process calling this method in glibc would be able to exploit?

> With Rust I believe you have to wrap C calls in an unsafe block.

Your compiled Rust executable is itself linked into glibc[1] (or the equivalent) in order to get all the standard setup done (such as prepping the environment variables and dynamic linking to any non-Rust code you may be invoking - including hitting this bug) before invoking your Rusty main().

I.e. the danger isn't in your Rust code calling C, which is then at least highlit by the unsafe block, but by C being invoked even before your Rust gets fired up.

[1] you can force your Rust program to use "musl", which is their own version of libc, but that has a few issues still to work out and isn't, AFAIK, either the default or usable if you are calling into a C shared library for any interesting functionality.

that one in the corner Silver badge

Re: Puzzled....

> glib and glibc are completely different, unrelated libraries

True enough, but then again GLIB_TUNABLES does not exist - except as google hits on this very comment thread (hits, plural; yes, I put my hand up, I copied that same typo) and an older couple of discussion messages about gdb (where someone made exactly the same typo).

Curses, almost a googlewhack. Gosh, does anyone else remember Dave Gorman popularising that game? So long ago, he spread the news via standup gigs and a dead tree book!

that one in the corner Silver badge

Re: re: a buffer overflow vulnerability in the GNU C Library

> Well, maybe, but C does give us strcpy()

And my kitchen has lots of sharp knives in it. We just keep an eye on things if there is anyone around for whom that may be a risk.

For C, "keeping an eye on things" started with running "lint" (mid 1978, is that right?) and has progressed to the actual compilers nagging you if they spot a strcpy()!

that one in the corner Silver badge

Re: Environment variable

> All of those things would still be environment variables, just by another name.

Hmm, careful of those goalposts.

env vars are quite specific things, we all know precisely what they are: string name/value pairs that are set by the parent process (oops, that starts from Init, doesn't actually have to be the OS - although an OS might provide a bit of support, it really does not need to), the process can modify its own and is responsible for setting up the environment variables for its child processes - which can just default to being a copy of its own. The child process is set up by a call to, e.g. a glibc function - which function uses the OS to create a new process and then afterwards sets up the environment, just as it sets up the command line parameters. The functions you use to access the environment - getenv(), setenv() - are equally part of glibc.

What you consider to be "the environment" when you use "set" etc in your console are all values that are managed by your shell - initially set up by exec'ing startup scripts and reading config files, plus what was inherited from init.

Now, glibc is not "the OS" - even the article points out glibc can be replaced, so it itself isn't a fundamental and nor is the specific way it stores the env vars. They can be shoved onto the process stack, before *or* after the command line options, or both (weird, but it is one way of allowing setenv() to get more space), or they can be put into a newly malloc'ed block: so long as the caller and the callee agree (usually because they are linked against the same glibc-or-equivalent) then anything goes.

The closest this gets to being "OS defined" is by the statement "init, the shell and the other utilities provided here are, today, linked against this glibc-or-equivalent (and it may change when you get an update, a big one mind, tomorrow afternoon); if you are not also linked to the same then the onus is entirely on you to deal with any differences". So, you can, fairly, say that that choice has been set "for the OS you happen to be running, because you need more than just the kernel to make a complete OS (for certain large sizes of OS)" but you can also see that the choice is pretty arbitrary and need not even support the concept of env vars. It is functionally possible to do without any of these env vars - and I remind you of the overarching claim made in the comment I was replying to (see below).

You can also, again very fairly, argue that, if I remove glibc and its replacement does not provide the usual env vars then what you are left with "is not a recognisable Linux OS" and I would agree with you: but it would still be a perfectly functioning multiprocessing OS, albeit one without lots of the programs you have come to rely on (although many could be ported over, just to make a point).

> passed onward to arbitrary child processes by some OS-defined method

Nope, not all OSes define such things - read the above for a description of how the OS need not give a fig about env vars and also have a look at embedded OSes (and I do not mean just shoving Linux into a headless box). You may - or may not - decide to use one of the other concepts I mentioned previously (the mutexed counter for example) between your own processes, to let one know it is the Xth instance so do this slightly different thing, but that need not be dictated by the OS.

Unless you actually *do* want to start moving the goalposts, recall that I was responding to a very specific, very clear and very overarching statement; just in case you missed it, here it is again:

> Every OS has environment variables. It's absolutely necessary for a multiprocessing OS to work. Otherwise it would be impossible for a new process to learn the specific setup for a particular invocation.

Note that he clearly said "absolutely necessary for a multiprocessing OS to work".

Not Linux or Windows, but *any* and *every* multiprocessing OS, no matter how big or how small, no matter how widely used or how niche, no matter how easy to use and program for or how much of a total pain it may be.

that one in the corner Silver badge

Re: Puzzled....

> No sign of anywhere

Did you try the command to list all the available tunables? As per the linked docs:

> Passing --list-tunables to the dynamic loader to print all tunables with minimum and maximum values:

> $ /lib64/ld-linux-x86-64.so.2 --list-tunables

If there isn't anything in there that would be usefully tweakable in your system then you wouldn't find anywhere that was tweaking them.

If you are only using the binaries from your distribution - or third party binaries built for your specific distribution - then (relevant bits of) the tuning can all be hidden away, applied at compile time. So you would not expect to see much (any) use of GLIB_TUNABLES in normal use.

Then again, if you do look at the list of tunables, you may just spot one that you could apply to improve the behaviour of your specific workloads.

that one in the corner Silver badge

Re: Environment variable @david 12

> But I am genuinely interested to hear of the exact methods that other operating systems use which renders them immune from this type of problem.

> But I am prepared to accept that the bug is actually in this library, in that it does not sanitize the environment variables that get passed into the exec system call, and this will trigger the problem. Maybe the sanitization is being done at the wrong point,

Huh?

The problem is explicitly described in the article:

>> Unfortunately, the code for sanitizing GLIBC_TUNABLES fails in certain circumstances. Specifically, as Qualys explains in its technical writeup, there's a function called parse_tunables() that neglects to increment a pointer under certain conditions. And the result is a buffer overflow.

The sanitisation is being done in the right place, there is just (just?!!) a basic error in that code, a simple buffer overflow.

There is no need to try and complicate the situation by asking "how do other OSes do this?": they are just lucky enough not to have a coding error in their equivalent code!
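Added example (not from the thread, the article or glibc): since the comments above note that GLIBC_TUNABLES is rarely set in normal use and that the loader's own sanitising code was where the bug lay, an independent audit can list which process environments carry the variable and whether each entry is well formed. The environment blocks are constructed samples in the NUL-separated layout of `/proc/<pid>/environ`, and the `ENTRY` pattern is a strict policy assumed for this example, not glibc's parser.

```python
import re

# Assumed policy for this example: entries are separated by ':' and each
# must look like glibc.<namespace>.<name>=<value>.
ENTRY = re.compile(r"glibc\.[a-z0-9_]+\.[a-z0-9_]+=[^=:]+")

def parse_environ(block: bytes) -> dict:
    """Split a NUL-separated NAME=VALUE block into a dict."""
    env = {}
    for item in block.split(b"\0"):
        name, sep, value = item.partition(b"=")
        if sep and name:
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env

def audit_tunables(block: bytes):
    """Return (status, bad_entries); status is 'absent', 'ok' or 'suspect'."""
    value = parse_environ(block).get("GLIBC_TUNABLES")
    if value is None:
        return "absent", []
    bad = [e for e in value.split(":") if not ENTRY.fullmatch(e)]
    return ("suspect" if bad else "ok"), bad

# Constructed sample environments keyed by a made-up pid.
SAMPLES = {
    101: b"PATH=/usr/bin\0HOME=/home/fred\0",
    102: b"PATH=/usr/bin\0GLIBC_TUNABLES="
         b"glibc.malloc.tcache_count=0:glibc.malloc.arena_max=2\0",
    103: b"GLIBC_TUNABLES=glibc.malloc.tcache_count:not_a_tunable=1\0"
         b"PATH=/usr/bin\0",
}

def audit_all(samples: dict) -> dict:
    """Audit every environment block, keyed by pid."""
    return {pid: audit_tunables(block) for pid, block in samples.items()}

if __name__ == "__main__":
    for pid, (status, bad) in audit_all(SAMPLES).items():
        print(pid, status, bad)
```

On a live system the same functions can be fed the bytes read from `/proc/<pid>/environ`, which reflects the environment the process was started with.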

When is a PC an AI PC? Nobody seems to know or wants to tell

that one in the corner Silver badge

Re: A simple definition

> Today's price for such a config is about $5000, but expect that to fall quickly

So, approximately ten times more expensive than a perfectly serviceable PC. And all that oomph will be eaten up running the LLM, need to add on some more to allow it to do something useful as well.

Given the current tech climate, just how long is it going to take to drop to a price-point that it could actually be considered worth buying by the general office or home user? Have you noticed nVidia (or similar GPU providers) dropping its prices recently?

Not to mention the power used by a rig like you describe!

Cat accused of wiping US Veteran Affairs server info after jumping on keyboard

that one in the corner Silver badge

I really hope I've misinterpreted this

> This reporter has personal experience with typos introduced by an orange tabby conducting a keyboard crossing to reach a sunny spot by the window, and one of El Reg's editors has suffered similar issues.

Followed immediately by a picture and the words:

> The late Boo was a Register disruptor during editing

My mind immediately leapt to "just how long was the gap between 'suffering similar issues' and Boo becoming late?".

Unholy shades of:

(Man holding cat enters.)

Compere (Michael Palin): That is Tiddles, I believe?

Man (Graham Chapman): Yes, this is, this is Tiddles.

Compere: Yes, and what does she do?

Man: She flies across the studio and lands in a bucket of water.

Compere: By herself?

Man: No, I fling her.

Compere: Well that's extremely interesting, Ladies and gentlemen - Mr Don Savage and Tiddles.

Weee-eeeeee-eeeeee-ooooooow clunk.

X confuses the masses by removing all details from links

that one in the corner Silver badge

You can never away

> "Our algorithm tries to optimize time spent on X, so links don't get as much attention, because there is less time spent if people click away," the billionaire said.

Ah ha! That finally explains the logic behind chasing away the advertisers!

If you see an interesting ad, you may be tempted to click on it and leave the Muskverse.

Ooh, look at that: "Hot programmers in my area in need of debugging". If you'll excuse me...