Posts by Mike 137

Root cause

This has been going on for years already. I know of a major incident of this kind from the early 2000s -- it just seems to be accelerating. The underlying problem is the accessibility of the ducts (and indeed ancillary equipment). We haven't ever designed the infrastructure for physical resilience, and continue not to do so as it's 'upgraded'. This has to change as electronic comms is critical national infrastructure.

Not at all surprising really

If a human were able to review the entire training data set they would probably find that such biases are deeply embedded in it. Our individual limits on how much information we can absorb causes us to miss just how revolting much of the "information" in the public space really is, and when we come across an example by accident, most of us dismiss it because we have a moral faculty. But the LLM hasn't got one, so it can't discriminate between the decent and the indecent. It sucks it all up regardless and spews it back. The only solution is human review of the entire training data before exposing the LLM to it, but it seems we're too late for that.

Full marks to the US of A

"I heard about air-breathing plasma engines, it sounds really cool, interesting, and something that could be potentially novel. So [my PhD advisor] said: Why don't you do this as a project? So for the last five to six years, this has been my PhD topic"

Choose your own research topic and take six years? Here in the UK PhDs are three years unless you over run, which is just about time to bone up on the subject, make a small contribution and write up. Furthermore, pretty much every PhD research topic is pre-defined for you -- usually your supervisor's pet topic or the one they landed a grant for. So essentially a PhD bursary is a cut price Research Assistant post, as the monthly bursary is typically half the pay of an RA. I sometimes wish I'd gone to the US.

"serious legal advice you can actually use and rely on via AI"

The fundamental problem is that, as the AI doesn't actually understand anything, the only way to determine with confidence that the 'advice' it emits can be relied on is to ask a lawyer.

What makes a good lawyer is exactly that understanding, which is why in most jurisdictions judges are promoted from among the pool of most experienced lawyers. The current round of crude obvious 'hallucinations' doesn't even come close to the subtle kind of errors that could jeopardise or demolish cases if the automaton were relied on without human validation, and by the time a case goes to court it's too late to rectify its errors.

But here in Blighty ...

'either a "mortal wound" for online ad tracking, or a welcome clarification'

The current proposal in the UK (the Data Protection and Digital Information Bill) is to scrap the need to obtain consent, so apparently the problem is quite easy to "solve".

Maybe

@HuBo It would seem that Incident 69 ("when Lal reached behind the machine to dislodge a piece of metal stuck in the machine") is a typical human error industrial accident that could have happened without any actual AI involved. There have been numerous similar accidents relating to non-"intelligent" telefactor and programmed robots (and indeed entirely "unintelligent" machine tools) over the years. I accept that "AI" introduces an element of uncertainty into the equation, but there's nevertheless a danger of ascribing causality to it just because it's present.

This is not a defence of "AI" - it's an appeal for clarity in determining root causes in order that the record doesn't get contaminated.

Planning (what's that?)

'since the three winning bidders had developed their plans in isolation, they "now need to be integrated." '

Sorry to use technical jargon, but what a cock-eyed way to manage a critical highly complex project. It reminds me of the case of the frigate HMS Belfast, where parts and systems made by different contractors didn't even fit physically -- notably, high pressure piping had to be hammered into alignment before it would connect up. At that time a naval expert expressed concern about whether the induced stresses would cause the piping to fail in heavy seas, let alone the shocks of combat.

But the wheel obviously just goes round and round and nobody learns from past mistakes. What we need to inject into the process is some real engineering expertise, which is primarily a discipline based on forethought.

"thinkfluencer"

Many of those on linkedin like to think of themselves as influencers, whereas they're all pretty much just contributors to the noise background. Real influencers are identified by the fact of actually having changed something, not just by rabbiting on about it (regardles of how many "likes" they may accumulate on some asocial network).

"or the player piano"

Please note M$: piano roll manufacturers were eventually obliged to pay royalties.

and these are the good guys?

"its policy against silently patching vulnerabilities, which stipulates that if companies violate that policy, Rapid7 will itself release the full details of the vulnerability, including enough information to allow people to develop exploits, within 24 hours"

I absolutely accept that patching without disclosure is bad news, but to insist that disclosure precedes patching merely contributes to global vulnerability. It should be sufficient to disclose immediately after release of a patch -- to give customers the opportunity to protect themselves properly.

I detect many cases of an increasing detachment between vulnerability investigators and the realities of ensuring security, ranging from (let's face it -- threatening) stipulations of this kind to disclosure of obscure attack vectors with recommendations that could interfere disproportionately with legitimate operations (such as a recent suggestion that thermal imaging cameras should be prevented from viewing keypads because they might be used to crack entry codes, thereby also preventing their use in, for example, forensic examination).

But it's all the more problematic when the discoverer of a vulnerability attempts to place a vendor over a barrel. I know there's an (often valid) argument that vendors are negligent and unresponsive when alerted, but I'm quite convinced that threats and "protection" tactics are not the answer -- they perpetuate an antagonistic culture that exacerbates any non-cooperation.

Save the planet!

"Nvidia claims the device can double the performance of large language models"

Around a kilowatt per card to spout nonsense? Unless of course it can be used for room heating as well.

"you'll start seeing a new user interface on eligible Windows 10 devices soon"

Thanks a bundle -- not!

I'm frequently driven wild by enforced changes I haven't ask for, just as I've got used to the previous load of bull. I can't for the life of me understand why dumping users on a continuous learning curve is considered good practice (unless of course it's just down to the arrogance of the self-professed "innovative" devs and their management). It used to be considered bad business to piss off one's customers, but that seems to have gone by the board quite some time back.

I just hope my devices aren't 'eligible'.

Why?

"the call was hosted on and tapped via Cisco's WebEx video conferencing platform rather than any kind of secure, military-grade comms"

There's almost certainly a standard somewhere that requires mil-grade comms for secret conferencing. Why not use it? I suppose for the same reason that the SIPRNet protocols were ignored when Chelsea Manning was exfiltrating the Wiki Leaks files. Standards are fine, but they have to be followed -- particularly where potential international conflict is being discussed.

Why a wetland?

"To prepare the site, Micron is proposing to fill in approximately 226 acres (about 915,000 square meters) of federally regulated wetlands on the proposed campus site, plus more land on a rail spur property west of the campus, and federally regulated streams and ditches."

Is it actually the case that there's no dry land site that could be used? I'd be interested to know why (land values maybe?).

Priorities

'Later that year, Ellison warned in a conference keynote that healthcare costs could "bankrupt Western civilization unless we find a more efficient way of providing healthcare to everybody."'

Here's an interesting view of the problem from a UK perspective, recently published in the Telegraph. And I remember as a kid, my GP didn't have an appointments system -- he simply had 'surgery hours' and saw whoever turned up during them, so everyone got attended to. Oh, and he did all his own home visits too. Yes, he worked vey hard, but that was the job and he did it. But in those days the GP was his own master in terms of priorities. These days, the central health service imposes targets everywhere, and they do create a lot of hard work, most of which has nothing directly to do with curing patients' illnesses. So probably the primary time and money sink (and certainly the primary wasted effort) is down to burgeoning bureaucracy (as always).

Conflicting aims?

it should "maintain relevant records of its processing activities and take steps to improve governance measures"

Interestingly. these recommendations and the relevant provisions of the Data Protection and Digital Information Bill are at odds, in that, by paring down the record keeping requirement, the Bill aims to minimise the "red tape" associated with detailed record keeping inherited from the GDPR.

"be less evil than rivals"

Or maybe "don't you dare compete with us in the evilness stakes"

Less impressed than yesterday

Having pondered over the NIST documentation overnight, I feel that version 2.0 has been released prematurely. Some serious ambiguities need to be corrected.

For example. in the primary documentation two different diagrams express the relationships between the functions of the core -- a circular diagram (front cover and page 5) places governance at the centre, implying its direct influence on all the other functions individually (which actually makes a lot of sense) but a linear diagram (page 3) places it at the top of a sequential stack, which makes less sense. Then, the wide flexibility the Quick-Start Guide proposes in the way important information is recorded allows those with muddled thinking to continue their muddled thinking.

Overall, this framework could deliver good documentation for those who have their security well thought out, but will not assist much those who haven't as it contains no measures to clarify and focus thinking -- it's essentially an administrative framework, rather than one that will drive practical improvement. It leaves too much to the discretion of the implementer as to what constitutes adequate performance -- for example, under 'govern' GV.RM-06: "A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated.", which doesn't in any way assist in ensuring that the method actuially works, just that everyone uses it. Consequently, it's only a 'standard' in the procedural sense, not in the sense of outcomes. What we really need are clearly defined goals to achieve in terms of results and guidance on how to achieve them. Those would be real standards.

" hasn't received a firmware update in almost seven years"

Firmware updates aren't an indication that a product is good -- they're an indication that the vendor recognised it was faulty. There are thus two alternative reasons for a lack of updates, the obvious one being negligence. The other might just be that it didn't need any though -- it's worth considering (though, admittedly, possibly rare). We ran a Netgear firewall router for the best part of a decade that only got three updates in its lifetime, only one of which was directly security related. It was rock solid until it was blown up by an indirect lightning strike.

Single handedly ...

"the size of his pay package was based [on]: exceeding targets for operating profit, annualized run rate (ARR) revenue, and driving intelligent edge margins."

Presumably, none of those paid 1/300th of his salary contributed anything at all to these achievements.

including data analytics tools

"migrating data and adopting Google’s cloud services, including data analytics tools as part of its operations"

Snooping is of course part of the package, as they're the experts.

Side effects?

Given the number of satellites that will eventually perform a 'a controlled re-entry', this article is of potential interest.

"longer necessary to prioritize computer science and coding education"

Both?

'Coding education' is strictly training, and is the most miniscule element of computer science. Computer scientists set the parameters for the design of computers and solutions to computing problems. Coders implement already defined algorithms using specific languages. Both (together with other skills such as algorithm design) are necessary contributors to systems and software development, but one of the fundamental reasons why current mainstream computing technologies are such crap is that almost everyone thinks computer science, software development and coding are all the same thing -- defined by coding.

Quite apart from which, if neither is to be taught, who will be competent to check that the AI hasn't generated garbage, let alone fix its cock-ups?

"Fact-checkers will label AI-generated media for upcoming EU elections"

What could possibly go wrong? After all, it may be artificial, but it's intelligent!*

*_{possibly, more intelligent that those who fell for this?}

.

seeking a tech firm to help public bodies "transition to cloud software or hosting services."

So they lose control over the data they process (the assumption commonly being that the 'cloud' provider will perform the necessary resilience and security). Unfortunately, evidence shows that's not always the case. Plus, they forget that even if these functions are outsourced successfully, the buck still stops where it always did when the accident happens.

Unless there's a real need for dynamic scalability (that's always been the major benefit of 'cloud') the main reason for transitioning must be the misapprehension that it'll be cheaper than on-prem. In the long run, that's not the case. And if you strip your IT team as part of the deal, you'll eventually find out they weren't redundant after all, as it's impossible to have the necessary finger on the pulse to the same degree when everything's remote. But by then you'll be locked in so it'll be very hard to unwind -- often, even to migrate to an alternative cloud provider.