Posts by Michael Wojcik

Re: Hewlett Packard's HP Smart application

I can choose not to listen to a U2 album. HP insists on shoving this thing in my face.

Even here in the semi-arid mountains it was snowing last night, or the aurora might well have been visible. The El Niño finally starts producing after weeks of drought right when the sky gets more interesting. Oh, well. We need the water.

Re: I won't be buying one

For me, any touchscreen is too much touchscreen.

Re: Batshit logic

In a bill sponsored by two Trump lapdogs and the senator from Langley? I'm shocked.

Re: AI numbers are vague

I know people who use image-generating GAI services (DALL⸳E and so on) for joke images during work chats and such. Presumably, if they answered the question honestly, they'd say they "use GAI". I suspect there are a lot of users in that boat: occasionally use the things for irrelevancies, but not for anything real.

Personally, I've never bothered. I'm not impressed with the results I've seen; and I think these are competitive intellectual tools (ones that discourage rather than encourage thinking), and I'm not interested in paying that price. I'd much rather exercise my brain.

Re: Six hours??

Everyone with an ounce of sense knows India's reporting regime has nothing to do with security, and everything to do with control. This latest move just confirms it. The 6-hour reporting deadline will be a stick they use to harass IT organizations the government doesn't like.

Re: Stalking and financial abuse

I'm aware that "reaction videos" exist, but I don't think I've ever seen YT recommend one to me. Presumably because I'm special.

Re: False premise

But what she did actually say, on camera, is that the no campaign was based on racism and/or stupidity thusly calling them racist and stupid.

Ooh, slept through critical-thinking class, did you?

Re: What a negativity

Not everyone is you.

If Apple designers had any style, they'd make it rotate as the lid was opened and closed.

(I'd say the same thing for, say, Dell, but we already know that "Dell" and "style" are incompatible. Just like "Dell" and "well-engineered" or "properly thought-out".)

Re: But who's in the stew?

Interesting question. I took a quick look through the sources, hoping there would be a Javascript file with a distinctive name (since that's easy to recognize and block from the client side), but it looks like they're all common frameworks and similar crap except "common.js", which is a ... well, common ... name.

If the site serves opencart-logo.png, that's a giveaway, but a site could just change the code to not serve it.

I haven't looked further.

Re: a large language model running on a GPU to achieve remarkable compression ratios

It's not necessarily lossy. There are lossless probabilistic text-compression algorthms, such as the PPM family and PAQ. Using an LLM rather than an HMM (as in PPM) doesn't mean it has to be lossy; just that the encoder has to watch the output of the model and tweak it when necessary. (Obviously it would do this by decoding as it encodes, not by watching what happens when a recipient tries to decode the message. Also it requires the same model on both ends, as normal with compression algorithms.)

Using a large model or dictionary to get high compression ratios is in general a very common and longstanding approach.

Re: WHOSE Data?

I have no pity for New Relic's customers.

Nor do I — I've never found any of the arguments for web "analytics" convincing — but the exfiltrated data may let the attackers (or someone they sell the data to) pivot to those customers, causing more grief for their customers.

Like many readers here I block New Relic, but of course that's no comfort for the vast majority of web users who don't have the knowledge to do so.

Re: You /what/ Liam?

I think things like RPN, prefix and postfix notation, Forth and Postscript and Lisp, are readable to a certain kind of mind, but will remain forever opaque to most people.

Do you have any evidence for that, or is it simply a guess? If there is evidence, how much is attributable to the fact that infix is taught first?

I'm suspicious of any claims about "X is difficult for most people" without support from methodologically-sound research. We already know about a whole host of things which have strong support for such claims; there's little value in making up others.

Re: Get the popcorn ready

The Fifth Circuit has ruled that the Texas Anti-SLAPP law doesn't apply to cases in Federal court. That's why Space Karen filed in Texas.

Re: Unintended Fake Security

Many organizations use a captive CA and OS mechanisms for updating trust-anchor stores to do TLS termination and interception. That's hardly unusual. Yes, browsers with trust stores separate from the OS make this a bit more difficult, but because that causes user inconvenience, users will generally be happy to follow instructions from organizational IT to add the organization's roots.

Don't use work equipment for anything you don't want your employer to see. It's as simple as that.

To be fair, it's more a case of "we bought a product from a company whose security sucks". Avast can't plausibly, and shouldn't try to, create all the software they use internally in-house; that's not their area of expertise, nor a good use of resources.

Perhaps they should have been more diligent about testing the products they purchased. According to the original report from Progress the vulnerability is a SQL injection; maybe security-conscious customers should have done some penetration and fuzz testing before deploying MOVEit in production. (Some of our customers pen-test some of our products, and more power to 'em.)

Maybe Avast had MOVEit exposed on the Internet with inadequate (in the sense of "not up to what would generally be considered a best practice") firewalling; that's not clear from the article. Maybe an attacker got in some other way and pivoted to an underprotected MOVEit, and Avast ought to be using ubiquitous authentication ("zero-trust").

We don't have enough information to determine how much Avast were at fault here.

Why do research if we can just assume, eh?

Re: You write this as if

If nobody paid, these people would disappear up their own assholes overnight.

So naive.

The cost to affiliates is small, so the probability of a return in each individual case can be very low. And many affiliates are motivated by fairly desperate circumstances, so they're operating on wishful thinking, not rational calculation.

Outlawing payments won't work; there will always be victims who decide the risk of violating the law is less than the risk of not paying the ransom.

Increasingly we'll see automated attacks, until it won't matter if few or no human affiliates are involved — it'll just be bot armies finding vulnerabilities and infecting systems. And they won't care whether ransoms are ever paid.

Re: Altman also bossed crypto startup Worldcoin

Worldcoin: The cryptocurrency that rug-pulls itself!

You have to like the thesis. Yes, we (for various values of "we") have all sorts of problems (for various values of...) with things like cash, currencies, debt, payment systems, credit ratings, and so on. These are complicated. We've also seen that digital currencies and AI, new technologies that we're still trying to develop a decent understanding of and have little history with — and what there is, is disappointing — have all sorts of complicated problems. So combining them will probably help, right?

"I've been disappointed by alleged silver bullets before, but this silver bullet will definitely work!"

Re: Is it different from what people do?

As someone with degrees in literature and rhetoric (as well as CS), and who's done work in machine learning and natural language processing, and follows current GAI research: Yes, in my opinion it is quite different from what human artists (who meet a certain quality bar¹) do.

For one, more is different, and human cognition is still significantly more complex than the largest foundational models we've built. (Precisely, or even vaguely, how much more complex is a matter of some debate. But it's more.) Even the most ambitious LLMs we have today have considerably less complexity in their networks than humans do, and, importantly, run with a lower effective temperature, so there's less information entropy at work at any given stage. They also have smaller context windows, as a function of total information available, even if they have much larger "working memories".

For another, gradient descent means LLMs mostly wander into parameter-space basins, with only the injected pseudorandomness — the temperature — adding surprise to the output. And surprise is equivalent to information (that's straight out of Shannon). LLMs aren't incentivized to provide surprise as part of their reward functions, the way human minds are.

And LLMs can be, and often are, prompted to create derivative works. There's a big difference between a painter trying to achieve her own style for representing the concepts that inspire her personally, and a forger hired to create a work in the style of a famous painter. Or of an author hoping to write a novel that any reader will feel is new and unexpected in some important way, and someone creating a pastiche of another's work.

As for "real" artists using GAI as a creative tool: I think that's a trap. Krakauer distinguishes between cognitive-assistance technologies which are complementary and those that are competitive. GAI is the latter. It encourages learned helplessness and cognitive idleness, and it reduces serendipity.

¹Obviously there are many artists who produce derivative work, and in general most people who write — which is most people, in industrialized societies — mostly write derivative text. That's a feature of natural language, which has low information entropy and correspondingly high redundancy, and an obvious economic choice given the conditions under which most people write. Here I'm talking about artists who are interested in and capable of producing work that a consensus of expert judges would consider "original", as that word is used in the field.

Re: Christmas present

Actually, if you read Mozilla's PNI piece on the Kindle (linked in the article), you'll see they rate it as a fairly mild offender. They do make some recommendations, and they warn that Amazon is in general terrible about privacy. But I think for many people the Kindle's degree of invasion is a reasonable trade-off for the advantages of e-books, in use cases where those advantages apply.

Personally, I prefer physical books, but I still read quite a bit on my Kindle, because it is convenient in many situations. I've also used it to host audiobooks for long car trips, though Amazon have managed to break that functionality (sometimes audiobooks purchased through Amazon don't show up on the Kindle app, and the Kindle devices don't pair with the car's audio system for playback) so badly that I've given up and switched to the Audible app.

And as I've noted before, I actually find Amazon's recommendation system for books quite good, as it's pointed me to several authors I ended up liking very much. It's also made wildly incorrect recommendations, but those are easy to filter out prima facie. Curiously, only a couple of times has it recommended something that looked like I might want, but then proved to be a disappointment.

All that said, physical books make much more pleasing gifts, since there's something to actually hand over, and wrap/open if you do that sort of thing.

Re: So Feckbook is now a philanthropic organisation

You just need to infer the remainder.

"That's just not true. Safety and well-being were never on the list at all."

Honestly, if a large corporation with China as a major or potential market (which is most of them) didn't put some effort into schmoozing the Chinese, the board might well want to know why not. I mean, I couldn't do it, but that's one of many reasons why I'm not an executive.

There are certainly CEOs who get away with making political statements that might be unpopular with some customers (and some governments). It helps to be able to appease the board and shareholders in other ways, of course, such as by showing consistent growth. But for many, this sort of thing is part of the job they've been hired to do.

Conversely, criticizing them for it is part of the job that some politicians are elected to do, so pretty much normal behavior all 'round.

Re: When not if

If you think zero-trust is a panacea, that just shows you don't understand IT security.

Hell, if you think zero-trust is news, you probably don't pay enough attention to IT security to make a cogent argument about the relative advantages and disadvantages of various approaches.