* Posts by Michael Wojcik

12269 publicly visible posts • joined 21 Dec 2007

The successor to Research Unix was Plan 9 from Bell Labs

Michael Wojcik Silver badge

Re: better approach than ... Windows's Cygwin/Msys2 based approach

Perhaps, but Cygwin's made Windows bearable for me for many years. I did use Interix, U/Win, and WSL 1 back in the day, but Cygwin is better from a user perspective than any of those.

WSL 2 may well be a superior alternative today, but as far as I'm concerned, it's not worth the effort of switching from Cygwin.

Michael Wojcik Silver badge

Re: Take the small example of MeDearOldMum

Or as a variant of #1, a single user account with different roles, and some security boundary imposed when switching roles.

I agree that most end-user computers these days are effectively in category 1. That doesn't make multiuser-in-sense-2 irrelevant for OSes in general, but I can see the argument that it's no longer a primary concern for end-user computing. There are still interactive end-user systems where it remains relevant, but it is a minority use case (by the proliferation of smartphones if for no other reason).

Michael Wojcik Silver badge

Re: "Think of SAMBA servers"

Ugh. SMB is a horrible protocol.

NFS isn't great, it's true. Unfortunately I'm not aware of an alternative that's actually unconditionally better. AFS was definitely superior to NFS, but the last I looked, the AFS implementation for Linux was incomplete and not very good. DCE's DFS is based on AFS, but while parts of DCE are still around (it's used in DCOM, for example, and Kerberos is part of DCE, though of course it predated it), I don't know that many people run DFS these days. I guess there's Coda; I've never used it.

Staff say Dell's return to office mandate is a stealth layoff, especially for women

Michael Wojcik Silver badge

Up to 2020, everyone worked in the office.

I didn't, and neither did many of my co-workers. Not everyone is you.

Michael Wojcik Silver badge

Re: Do not Google.

If you enjoy accessorizing with Markov chains, perhaps you'd be interested in this great deal on Abelian rings?

Michael Wojcik Silver badge

Re: What are they good at?

It's certainly true that Lenovo Thinkpads are nothing like the old IBM ones. All my Lenovo Thinkpads have had overheating problems, for example.

On the other hand, every single Dell machine — tower, desktop, laptop — I have used at work since the early 1990s has had at least one brutally stupid design flaw, ranging from the tower machine with a reset button right next to the floppy-drive eject button (yes, this was a while back) to the idiotic power-supply detection circuitry on their laptops which is horribly sensitive to any sort of power surge. Most recently the expanding laptop battery pack that pushes against the bottom of the touchpad, causing the latter to malfunction; that one's so common that one of my co-workers diagnosed it immediately and explained the fix (just shimming the battery pack; it's pretty obvious once you know that's the problem).

My sympathies to Dell employees, but Dell machines are junk, as far as I'm concerned.

Persistent memory to replace DRAM, but it could take a decade

Michael Wojcik Silver badge

Re: Its gonna be hard to supplant DRAM

the revolutionary bit in this is to map all bytes of storage (including persistent mass storage) directly into the 64-bit linear address space of the computational device

The 1980s called and OS/400 would like its Single-Level Store idea back.

The fact is that there's nothing "revolutionary" about any of this. CXL? Yeah, we've had unified virtual-memory managers for decades. For that matter, battery-backed-up DRAM was a thing for a while, before it was largely supplanted by current NVDIMM technologies (because people don't like batteries).

Persistent-memory technologies will continue to improve, barring the collapse of civilization. That's a thing that happens. Whether they'll improve enough to supplement DRAM is an open question, because DRAM is already pretty fit for purpose and will also improve.

Insider steals 79,000 email addresses at work to promote own business

Michael Wojcik Silver badge

Re: Safety

Great. Now we're floundering in the things.

Self-taught-techie slept on the datacenter floor, survived communism, ended a marriage

Michael Wojcik Silver badge

And the CIA finally succeeded with their string of assassination attempts, using the devious approach of letting Fidel die of old age. What, they can't take credit for that?

Michael Wojcik Silver badge

I have a strong feeling of Poe's Law with this one.

The real problem with US-Cuba relations — and some administrations have tried to ease things a bit — is that Florida has a bunch of Electoral College votes, is a swing state, and has a significant bloc of anti-Cuba voters. Said voters apparently are too blinded by ideology to realize that the best attack on the Castro regime would be to flood the island with US tourism dollars.

Michael Wojcik Silver badge

Re: Daily!?! RFC begs to differ

You don't need a solicitor, I've generated PoAs for most of the extended family and lots of family friends with no issues, saves a lot of money.

Yes, though if you have other legal paperwork to take care of, you can do it all at the same time if you have a decent lawyer. When my now-wife and I started cohabitating, we scheduled a visit with a lawyer friend and did powers of attorney for financial and medical for each other, a childcare power of attorney so I could take care of her daughter, wills, advance directives, and so on. An afternoon well spent.

Michael Wojcik Silver badge

Re: Daily!?! RFC begs to differ

Got one the other day with a 5-minute expiration. Idiots. What's the threat model here? Email is already generally insecure because of weak passwords, SIM-swapping, etc. If you're going to use it as an authenticator, you're not significantly increasing risk by letting that single-use token expire in, say, a day rather than whatever random short interval you've pulled out of your ass.

Going with the flow makes AI better at solving coding problems

Michael Wojcik Silver badge

Not particularly novel, AFAICT

This doesn't look terribly different from, say, CoT elicitation and similar techniques. They're all basically the same approach: Provide proxy input for guiding the transformer network in selecting its starting point in parameter space.

And, yes, I'm not really seeing the advantage here. If this is less work than the typical programmer expends in writing code, then that programmer needs to skill up. And if you're a software developer, writing code should not be a majority of the work you do anyway.

OpenAI tries to trademark 'GPT'. US patent office says nope

Michael Wojcik Silver badge

Re: Miranda warnings for chat sessions

Microsoft have also admitted to storing and analyzing LLM chat sessions, as Schneier noted yesterday.

Michael Wojcik Silver badge

Re: Search? Really?!

Hell, in the mid-1990s Bradley Rhodes introduced (and open-sourced) his Remembrance Agent, which combined the Savant word-stemming-and-indexing system[1] with an Emacs-based UI. It continually searched based on whatever you were typing in Emacs and displayed the list of the top N relevant documents down at the bottom of your Emacs window; you could switch to the list and open any of those with a couple of keystrokes.

I'd call that a much, much, much better search UX than "conversational" will ever be. (Agrawala lays out some of the reasons in his ACM talk "Unpredictable Black Boxes are Terrible Interfaces". More generally, though, when searching for information, specificity matters, which means precision and accuracy matter, which is why we have librarians.)

And most use cases for LLMs position them as competitive cognitive tools, which means they're encouraging intellectual laziness, among other problems.

Searching is a terrible use case for LLMs.

[1] Using the SMART algorithm, which was published in 1971.

Dell staff not alone in being squeezed to reduce remote work

Michael Wojcik Silver badge

Re: Pioneering working from home

Sure. I was working remotely in 1992, though in the same timezone as the rest of my team at the time. In 1999 I was working from home and my manager was in a different timezone, and my other team members were mostly on a different continent.

Michael Wojcik Silver badge

Really. Consumers will either spend disposable income somewhere else, or they'll save it and improve their future buying power, or do some combination of the two. It's not like they're just throwing money away. I've yet to see any sort of methodologically-sound study showing a reduction in economic activity due to WFH. Yes, it's changed some aspects of spending; that doesn't mean it's reduced overall activity.

India won't become a semiconductor superpower anytime soon, says think tank

Michael Wojcik Silver badge

The same can be said of most attempts to achieve SotA chip-manufacturing capability

The "Silicon" section of Conway's Material World is instructive. Here in the industry it's widely known that the most advanced semiconductor process nodes require EUV, and the only publicly-known source of the necessary equipment is ASML. ASML's systems are expensive (obviously), large, complicated (to make and to use), in demand (it's not like they have a warehouse full of them, shrink-wrapped and ready to ship), and under various sorts of political pressure to keep them out of the hands of organizations the USA and others deem unfriendly.

But as Conway shows, ASML is only part of the picture. Those chips also require extremely pure and regular silicon wafers. There's only one firm in the world publicly known to be capable of producing them; it's a Japanese corporation, but it manufactures the wafers in the US, in a highly-refined variant of the Czochralski process that's shrouded in secrecy. They require a particular type of very high-grade silicon feedstock, and there are only two mines currently publicly known to produce that, and they are also both in the US. Most of the expertise for actually using EUV to produce viable units on those wafers is locked up by TSMC and Samsung. And so on.

If India, or China, or anyone else is capable of producing those silicon wafers, they've been keeping it very quiet. And, sure, China at least has almost certainly been working on obtaining the necessary expertise, through all the time-honored methods used by various political powers throughout history. But it's a big, big job.

While a large amount of money is necessary to produce recent-process-node fabs, it's by no means sufficient.

Michael Wojcik Silver badge

Re: ITIF

Yawn. Vague accusation with no supporting argument. Critical thinking is, of course, necessary, and cynicism has something to recommend it; but a comment like that adds nothing of value.

(I didn't downvote, JFTR.)

("circumspect at"? Odd choice of preposition.)

How to weaponize LLMs to auto-hijack websites

Michael Wojcik Silver badge

Re: Glas Half Full

"Under new cybersecurity law, mothers will no longer be allowed to have basements."

Michael Wojcik Silver badge

Re: Glas Half Full

For legitimate security researchers, using LLMs to "try to break into the systems" is almost certainly a poor use of resources. We have much, much better vulnerability-scanning and penetration-testing tools.

The point of this research isn't to show that LLMs are good at finding website vulnerabilities. It's to show they can do it at all, thereby serving as Yet Another tool for the lowest tier of attackers — the script kiddies.

Michael Wojcik Silver badge

Re: Maybe it's useful?

Yes, people love it when the government mounts DoS attacks on their sites.

Not that this hasn't been suggested before. The thing is, it takes really very little effort, compared to development cost, to download and run, say, Zed Attack Proxy (ZAP) against an internal version of the site. Or even production, for that matter. If people can't be bothered to do that, what makes you think they'd read a report from CISA or whatever?

And for that matter, there are plenty of bounty-hunting skiddies doing this already, and not a few actual security researchers. Again, they often get ignored.

Michael Wojcik Silver badge

Re: Maybe it's useful?

Dunno why this was downvoted; it's certainly true. Kali comes with a lot of free scanning and penetration tools, and learning to use many of them is pretty easy. There are tons of courses available, free and paid.

That said, if someone's interested in checking their own sites or getting started in website / web-application security analysis or penetration testing, I'd refer them to OWASP in general and this list of DAST tools. A number of them are free.

Michael Wojcik Silver badge

Re: Maybe it's useful?

Shame the open source models aren't (currently?) up to the task.

I suspect you could achieve similar performance with a dedicated sparse transformer model. Web-technology languages (HTML, Javascript, etc) are all much more regular than natural language, so the parameter count is less important. Put more resources into context-window length and specialized training: train the model with e.g. OWASP resources, particularly on WebGoat/WebWolf transcripts and that sort of thing.

This research was using already-available models because that was the hypothesis: that at least some generally-available models could do this kind of thing.

Frankly, you can almost certainly achieve good results without even using a DL stack. Combine a fuzzer with a large HMM, for example, trained and tuned with human-labeled data (and the usual techniques such as backoff), and you'd probably do pretty well at hijacking a lot of sites. The interesting bit here is seeing how far you can get with off-the-shelf tools.

FTC asks normal folks if they'd like AI impersonation scam protection, too

Michael Wojcik Silver badge

Well, Chevron v NRDC was in 1984, so only 40 years ago. I suppose there have indeed been "generations" since then, but the term still feels like a bit of an overstatement.

That said, I agree with your point. Overturning Chevron, besides being Yet Another rejection of the stare decisis Roberts likes to pay lip service to, would be both wrong and hugely disruptive.

Michael Wojcik Silver badge

Re: It

If people want to license their voices for that sort of thing, they can. This is about impersonation scams, not legitimate work.

Michael Wojcik Silver badge

Re: Trust someone to turn a problem into a business opportunity

Yes, delaying payments introduces more potential for things like check kiting, too. It's by no means a perfect solution.

There are other use cases for near-instant payments. Putting a down payment on a large purchase such as a car, for example, or the initial rent / security deposit when renting living space. Sometimes I've had to move money quickly between my own accounts because I'd forgotten which account a payment would be coming out of; sometimes I've had to move it quickly to the account of a family member because they had a financial emergency.

I can see the utility of some additional amount of friction and control in consumer financial transfers; in fact my wife and I have, for years, had a "code word" authorization step enabled on one of our primary checking accounts. But I think it's difficult to get the balance right, and it will vary among users.

And then we still have the problem of business financial fraud (BEC and the like). Businesses typically do need rapid settlement of financial transactions; changing that would have huge consequences for our modern long, tight, complex supply chains. (Yes, those are problems in themselves. Different discussion.) And the problem of cryptocurrency fraud; while it's tempting to laugh at that (I do, every time Molly White posts something), it's also true that it's being used to fund unsavory activities and organizations, so it is a genuine problem.

Michael Wojcik Silver badge

Re: "Of course I don't want my identity to be protected" said no one ever

Because a corpus of public comment demonstrates a mandate.

I mean, hey, if you prefer regulators not seek public comment, I'd guess they'd be happy with that arrangement.

Honestly, some hard-of-thinking on display today.

Dems are at it again, trying to break open black-box algorithms

Michael Wojcik Silver badge

Aaaannnnd ... there's the fetish, everyone! Thanks to Groo for playing the part of today's village idiot.

Michael Wojcik Silver badge

Re: Simple fix

Most legislators are also scared to death of the "soft on crime" bugbear, which has been used extensively by members of both parties for decades. The carceral fetish in the US is entirely decoupled from actual crime rates or any sort of rational critique. Most people enjoy being scared, and they enjoy taking revenge on their imagined enemies (rather than their actual enemies). See also the immigration "crisis".

Michael Wojcik Silver badge

Re: Simple fix

If it cannot be disclosed and analysed as a regular part of the due process of sharing evidence, then it is inadmissible as evidence.

The output of the specific software package mentioned in the article, COMPAS, is not admitted as evidence. It's used in determining a sentence (by making a highly dubious[1] estimate of the probability of recidivism), not in conviction. That is a process under the control of the judge, modulo statutory and judicial requirements such as truth-in-sentencing laws and sentencing guidelines established by the legislature and courts.

Certainly the rule you suggest helps with software results used during trial, and I agree it's a good rule, but it doesn't solve the larger problem.

[1] I'm aware of the recent study showing that judges using COMPAS and following its recommendation had a somewhat higher accuracy (in the sense of assigning sentences which subsequently correlated to actual recidivism) than judges who consulted COMPAS and overrode its evaluation. I don't think that's a particularly strong conclusion, but more importantly it has no bearing on the issues at hand. We know human judges aren't very good at assigning fair, just, and proportionate sentences.[2] Using secret algorithms is a problem in itself, regardless of outcome. Bias in the results of those algorithms is a problem, regardless of overall results.

[2] And then there's the whole problem with America's incarceration fetish, grossly excessive sentencing, the prison-industrial complex, and so on.

Michael Wojcik Silver badge

Re: I see no reason here

What happened to a jury of your peers?

In the US, juries do not sentence criminal defendants. They convict them (or acquit, or fail to do either, resulting in a hung jury and mistrial). Judges determine the sentences.

And that's assuming the defendant requested a jury trial. It's a right; it's not compulsory.[1] And statistically criminal defendants do better without a jury, though obviously this depends greatly on the specifics for any individual case.

[1] And sometimes even famous defendants who have a history of getting away with, say, fraud, and have reason to believe they might do better in front of a jury, hire incompetent lawyers who forget to request one.

Michael Wojcik Silver badge

Re: Smoke and Mirrors

We all know that seeing source code isn't a viable option

No, we most certainly do not "know" that. I'd be perfectly happy with a law requiring the source code for any software product used to make any decision regarding the treatment of criminal defendants be published.

If that drives firms like Northpointe out of business, well, that's a consequence I'll accept.

X accused of taking money from terrorists by selling checkmarks to US enemies

Michael Wojcik Silver badge

Re: POV

The whole idea of "proscribed organisations" skirts pretty close to what the US founders wished to avoid being imported from Europe

Ah, yes, those high-minded Founders and their staunch support for liberty, none of whom would ever have supported the Alien and Sedition Acts, say, or initiated Removal, or had their allies in Congress pass the Non-importation Act and Embargo Act, which — stay with me here — proscribed commerce with certain organizations.

The Founders were clearly well within the liberal sector of European-derived political thought. Their liberalism was also qualified in all sorts of ways, and differently for each of them. Restricting commerce in various ways was certainly not at all out of the question for most of them.

Apple Vision Pro units returned as folks just can't see themselves using it

Michael Wojcik Silver badge

Yes. And "clearly the future"? Oh, please. How often have we heard that one?

It sure as hell isn't my future.

Michael Wojcik Silver badge

This is one of the better learned-helplessness anecdotes I've read in a while.

Michael Wojcik Silver badge

Re: The one feature

The last few times I flew, I could do that with the, um, plane itself. There was a screen in the back of the seat in front of me. The "entertainment" options on flights may not be great, or even good, but they're far more varied and convenient than what we had when I was younger — and we mostly managed to survive those. Why, sometimes fewer than 5% of the passengers perished from boredom, even on a long flight!

Even if I didn't find VR utterly unappealing, I don't think I'd want to use it while in motion. That seems like it might be unsettling.

(I prefer to read on flights, myself.)

Michael Wojcik Silver badge

Believe it or not, it can be useful to just glance at your wrist to find out the current time

I believe this. My $20 Timex has this feature too. As do a couple of watches I bought for almost nothing at garage sales and the like.

and maybe how much time is left before sunset.

I can do that without a watch, to sufficient precision for any purpose I've ever cared about. It's called "experience".

Michael Wojcik Silver badge

There was a time when one could be a "functioning ... member of society" without being "contactable" every second of the day.

Oh, hey, that time is now.

Cisco cuts 5% of workforce amid cautious enterprise spending

Michael Wojcik Silver badge

Re: "Cisco, the job cuts mean it will incur an $800 million charge"

Hey, the CEO has to make the tough decisions.

As in "tough on other people" and "tough luck if you're out of a job".

European Court of Human Rights declares backdoored encryption is illegal

Michael Wojcik Silver badge

But getting court orders is such a drag! Even from rubber-stamping courts like FISC. LEOs want to know now, not after they get some judge to sign whatever they submit.

Michael Wojcik Silver badge

Perhaps not so useless.

Part of the Logjam/WeakDH findings, for example, was that the widespread use of a handful of "weak" finite-field DH groups for TLS key exchange meant a large corpus of captured encrypted data was becoming accessible for targeted decryption. So there are real-world cases where improvements in attacks make some of that stored data available.

Similarly, the current plausible risk to encryption from QC is not real-time decryption of data in transit — that looks far too expensive even into the foreseeable future, even assuming we see major advancement in QEC and scaling. What does start to become feasible with such advancement is targeted decryption (of session keys encrypted with RSA, finite-field DH, and ECC DH) for specific previously-recorded messages deemed to be of particular interest. So the DHS decides it's interested in messages exchanged between parties X and Y around timestamp Z, the NSA pulls just those from the corpus, breaks the asymmetric keys (with this hypothetical big-enough-to-be-useful QC), gets the session key, and decrypts just those messages.

Or consider ROBOT/MARVIN: If you've sniffed a bunch of traffic that used a particular RSA pair for Kx, and then you find updated Bleichenbacher attacks work against the server and it's still using that same key pair, then you can derive the private key and go back and decrypt (the session keys for, and then the data of) those stored messages. And similarly for other improved attacks.

While bulk decryption of those vast corpora of data sniffed by various state agencies may well never be possible, targeted decryption just might be. There are still significant obstacles: QC isn't there yet (at least according to published research, and no, I don't believe the NSA or other agencies are that far ahead of the private sector), and while "attacks get better" is a general truism, it's not something you can count on in any specific case. But data hoarding has been useful to the spooks in the past, and will almost certainly be useful in the future.

Which is not to say I approve of it. I'm just noting the economics of the practice are not, from the governments' points of view, as irrational as you suggest.
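The property the post above relies on, that a recorded session under a static key exchange becomes readable the moment the server's long-term key is recovered, while an ephemeral exchange does not, can be shown in a few dozen lines. The following is an added example for this thread, not code from the post or from any TLS implementation or from the Logjam, ROBOT or MARVIN work it names. The DH group, KDF and stream cipher are deliberately toy-sized stand-ins so the script runs offline with the standard library; the record layout, the peer/ts metadata and every function name are assumptions of the demo. The "corpus" is a Python list standing in for a passive collector's store, and the "targeted" step is the metadata filter the post describes.

```python
"""Harvest-now, decrypt-later: static vs ephemeral key exchange.

Added example, not from the post or any real protocol stack. Toy group, toy
KDF, toy cipher: the point demonstrated is key *lifetime*, not strength.
"""
import hashlib
import hmac
import secrets

# Toy DH group: a Mersenne prime (certainly prime) with a small generator.
# Far too small for real use; use a standard group (e.g. RFC 7919) in practice.
P = 2 ** 127 - 1
G = 5


def keygen():
    """Server's long-term (static) DH key pair: the secret an attacker might
    later obtain through an improved attack, a leak, or a large enough QC."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def kdf(shared: int) -> bytes:
    """Toy KDF: 32-byte session key from the DH shared secret (fits 16 bytes)."""
    return hmac.new(b"demo-kdf", shared.to_bytes(16, "big"), hashlib.sha256).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 counter-mode keystream XORed with data.
    Encrypt and decrypt are the same operation; unauthenticated, demo only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def record_session(server_pub, server_priv, plaintext, *, ephemeral, peer, ts):
    """Simulate one client/server session and return what a passive eavesdropper
    stores: public handshake values, ciphertext, and metadata (assumed layout).

    ephemeral=False: static key exchange (RSA key transport or static DH, the
    kind of suite Logjam and ROBOT targeted). The session key is derivable
    from the server's long-term private key alone.
    ephemeral=True: (EC)DHE. The server uses a fresh exponent and discards it.
    Server authentication is omitted; it does not change what gets recorded.
    """
    x = secrets.randbelow(P - 3) + 2                 # client's per-session exponent
    client_pub = pow(G, x, P)
    if ephemeral:
        y = secrets.randbelow(P - 3) + 2             # server's per-session exponent
        server_eph_pub = pow(G, y, P)
        shared = pow(server_eph_pub, x, P)
        assert shared == pow(client_pub, y, P)       # both ends agree
        del y                                        # never stored anywhere
    else:
        server_eph_pub = None
        shared = pow(server_pub, x, P)
        assert shared == pow(client_pub, server_priv, P)
    ciphertext = stream_xor(kdf(shared), plaintext)
    return {"peer": peer, "ts": ts, "client_pub": client_pub,
            "server_eph_pub": server_eph_pub, "ciphertext": ciphertext}


def select_targets(corpus, *, peer, ts_from, ts_to):
    """Targeted decryption: pick sessions by metadata ('parties X and Y around
    timestamp Z') rather than attempting bulk decryption of the whole corpus."""
    return [r for r in corpus if r["peer"] == peer and ts_from <= r["ts"] <= ts_to]


def recover(record, leaked_server_priv):
    """Attacker's later step, long-term key now in hand. For a static exchange
    this yields the plaintext; for an ephemeral one the same computation
    produces the wrong key and garbage, since the server's per-session exponent
    was never recorded."""
    shared = pow(record["client_pub"], leaked_server_priv, P)
    return stream_xor(kdf(shared), record["ciphertext"])


def forward_secret(record) -> bool:
    """True if the session used an ephemeral server exponent (PFS)."""
    return record["server_eph_pub"] is not None


if __name__ == "__main__":
    priv, pub = keygen()
    corpus = [  # constructed sample 'captures'
        record_session(pub, priv, b"static kx: exposed later", ephemeral=False, peer="X", ts=100),
        record_session(pub, priv, b"ephemeral kx: stays secret", ephemeral=True, peer="X", ts=110),
        record_session(pub, priv, b"unrelated traffic", ephemeral=False, peer="Z", ts=900),
    ]
    for r in select_targets(corpus, peer="X", ts_from=50, ts_to=150):
        print("PFS" if forward_secret(r) else "static", recover(r, priv))
```

Run it and the static-exchange record from peer X decrypts cleanly once `priv` is "leaked", while the ephemeral record from the same peer and window comes back as noise; the unrelated record is never touched because the metadata filter excluded it, which is the economic point the post makes about keeping the corpus.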

IT body proposes that AI pros get leashed and licensed to uphold ethics

Michael Wojcik Silver badge

This is a sophomoric objection.

Professional-standards organizations in other fields, such as medicine and law, have been able to figure out a set of ethical standards which work well enough for this purpose. The ACM has a code of ethics for IT professionals. None of these are perfect; regulation never is. That doesn't mean they aren't useful.

Michael Wojcik Silver badge

Since when does registration/licensing improve a moving target like ethics?

While not perfect, it's been useful in medicine and law.

Cybercriminals are stealing iOS users' face scans to break into mobile banking accounts

Michael Wojcik Silver badge

Re: Grow a beard to change your face

I have a good idea. Let's combine biometrics — the worst possible sort of authenticator — with cloud storage of secrets in an authentication mechanism that non-technical users have no hope of understanding, then tell everyone it's so secure that it'll stand up in court as proof of operation! We can call it "passkeys".

Dumping us into ad tier of Prime Video when we paid for ad-free is 'unfair' – lawsuit

Michael Wojcik Silver badge

Re: Question is...

Ah, Punch. As a lad growing up in the US, one of my key sources of information on English culture, along with Swallows and Amazons, Molesworth, Adrian Mole, and a number of other literary worthies. My local public library was good enough to stock this important journal.

Michael Wojcik Silver badge

Re: Question is...

in the real world a lot of people are advert antagonistic and will actively avoid products that are forcefully advertised

In the real world, do you have any actual evidence for that claim?

I don't watch a lot of television, but when I do, most of the advertisements I see are for companies that seem to be doing just fine, thanks, such as McDonald's.

Date set for epic Amazon-FTC antitrust showdown

Michael Wojcik Silver badge

Re: Lawyers or Liars

Lawyers only say what their clients tell and/or allow them to say.

Yes, normally, as they should. What's your point?

Europe loosens the straps tying Apple and Microsoft to tough antitrust rules

Michael Wojcik Silver badge

Re: mmmm

I'd take Excel over Word every day.

Ugh. That's like choosing between leprosy and the plague.