* Posts by Michael Wojcik

12274 publicly visible posts • joined 21 Dec 2007

Unlucky for some: Meta chops 13% of global workforce

Michael Wojcik Silver badge

To be fair, that's essentially a boilerplate statement that international firms usually insert into press releases for layoffs. If they didn't, they'd get a ton of people asking whether they're going to do X "because that's the law here". It's prolepsis.

Mythic bet big on analog AI but has run out of cash

Michael Wojcik Silver badge

RTFA.

"AI Hardware Summit in September, where the company showed off analog chips that could run the YOLOv5 object detection algorithm on high-resolution video at 60 frames per second while only consuming 3.5 watts"

So they have, in fact, shown something.

Power consumption is gradually becoming a bigger and bigger concern for large-model ML. But hardware choices move a lot slower than software in the field, and the big consumers mostly already have a lot of still-usable hardware in data centers, so they wouldn't be in the market for something like this yet. And rewriting ML software to work with a different architecture could be expensive.

Really low-power ML solutions are more tempting for embedded and "edge" (ugh) applications, so there is a potential market for something like this in applications such as self-driving vehicles. (Whether that's desirable at all is another question.) But again the cost of switching to a new architecture is a big barrier.

Theranos founder Elizabeth Holmes's arguments for new trial deemed spurious – just like her tech

Michael Wojcik Silver badge

Re: Imagine if she cashed a dud cheque

"Wealthy? Does that mean she gets to keep the proceeds of her fraud?"

From the point of view of a legal team on contingency, she's wealthy until she runs out of appeals. Which is what's just happened, it appears.

Honestly I don't have a problem with that, either. She's entitled to a defense. I'm not questioning the verdict, and I suspect if I'd been on the jury I would have voted to convict as well.

But I also agree that we need better funding for public defense, to reduce inequity in the system. And we need to cut down on prosecutorial abuse of the plea-bargain system, and on the "chickenshit prosecutor" phenomenon that discourages prosecution of wealthy and powerful offenders.

All the US midterm-related lies to expect when you're electing

Michael Wojcik Silver badge

Re: You don't hack the count

Yes, that is exactly what is going on.

Michael Wojcik Silver badge

Re: Not My President

Yes, that's clearly the issue with US politics. If only a minority would refrain from adopting a slogan which is not literally true! Then all of our problems would be solved.

But, hey, I understand the impulse to fret over things which are of utterly no consequence.

Michael Wojcik Silver badge

Re: Are we really now defending this companies simply because the republicans attacked them?

The problems with eliminating the Electoral (not "Electorial") College are 1) it's part of the large-state/small-state compromise, and even though federalism has increased over the past 240 years in the US, the states are still jealous of their prerogatives; and 2) we'd also have to fix the bit in the Constitution that throws the Presidential election over to the House of Representatives if no one has a simple majority (in the EC, but if you eliminate the EC...). Because that would be a fucking disaster.

As for why all of the House is up for grabs in the mid-terms: That's how it works. The Constitution made the term for representatives 2 years, which made a bit more sense in 1789 than it does now. It would really be better to increase the term; these days reps spend most of their time campaigning for the next election, unless they're in a safe seat. And to stagger terms as the Senate's are. But getting an amendment to that effect through would be a difficult task, since the Senate probably wouldn't care for it (if only because it might diminish the difference between the upper and lower houses) and many states probably wouldn't want to gamble on it.

Michael Wojcik Silver badge

That's part of the problem. The manufacturers of voting equipment decided that rather than being transparent and cooperating with security research, particularly regarding DRE (Direct Recording Electronic) systems, they'd do better by waging a drawn-out war with researchers. They sullied their own reputations and prepared the ground for these attacks.

DRE systems remain a terrible idea, from a security perspective. (They're supported by some groups for reasons such as accessibility, but those aims can be achieved with non-DRE systems.) The mark-sense ("pen and paper") machines, on the other hand, aren't perfect but have come through security testing with much better results. In particular, attacks against existing mark-sense machines don't scale, and don't remove the paper trail for recounts, which makes it much harder to swing even tightly-contested local elections by subverting them.

Can confidential computing stop the next crypto heist?

Michael Wojcik Silver badge

Yes. Far more than the number that were due to private-key compromises.

Enclaves also have a number of documented vulnerabilities.

Frankly, the attack-tree difference between using an HSM for private-key protection and using any variant of creating and signing transactions in enclaves looks very small to me. The vast majority of vulnerability classes in the cryptocurrency / DeFi domain don't seem to be affected by this proposal. There are much bigger challenges in cryptocurrency and DeFi than private-key compromises in shared (cloud) environments, as anyone who reads Molly White's blog or similar sources knows.

Intel plans to cut products — we guess where they’ll happen

Michael Wojcik Silver badge

Re: alternative architectures

Itanium is also deliberately less tolerant of some common programming errors which are often irrelevant in practice. For example, it has a "not a value" trap representation for integer registers.

I once spent quite a bit of time debugging an intermittent SIGILL in an HP-UX program which turned out to be due to a missing declaration for a function in a library. The function was defined with void return type; with no declaration in scope in the caller, K&R rules applied, including implicit int return type. The compiler inserted a move from the return-code register to some working area (don't recall if it was another register or a stack location) on return from this call, but since the called function had void return type, it didn't put a value in that source register. If the source register happened to contain not-a-value, the move would generate a CPU trap, which under HP-UX became SIGILL.

So sloppy C code (i.e. most of it) could run foul of various sorts of intermittent, hard-to-find errors on Itanium platforms. That's in addition to the usual type-punning problems you see with C on I32LP64 platforms. On top of the performance issues, this made working with Itanium a real pain.

Michael Wojcik Silver badge

Re: alternative architectures

The problem with i860 and i960 was they were Just Another RISC CPU, at a time when there were relatively popular established competitors (MIPS, SPARC) and interesting newcomers (Alpha, PPC, PA-RISC).

i860 looked good compared to the '486, when they were contemporaries, if you didn't need x86 compatibility. And IIRC it had some success in embedded applications. But it was tough to argue for it over the RISC competition.

The iAPX 432, on the other hand, was exciting, the only commercial capability CPU available at the time besides the System/38, I think. But it was too ambitious and even in the early '80s Intel couldn't compete with its own x86 architecture.

China reminds world shock and ore can hurt tech supply chains

Michael Wojcik Silver badge

Re: An interesting game of tug-of-war has started

I'm shocked this is the first comment I've seen to mention Worstall, even though threading pushes older comments further down.

Michael Wojcik Silver badge

Re: The problem is

I've been buying non-iPhone phones since 2007. Hasn't been a problem yet.

Multi-factor auth fatigue is real – and it's why you may be in the headlines next

Michael Wojcik Silver badge

Well, yes, in general an MFA prompt should provide a lot more information than most of them do.

That said, I hate push MFA, personally. TOTP and other user-initiated MFA is much better.

Michael Wojcik Silver badge

Smartphones are also fragile and common targets of theft. They're often difficult or unworkable for users with accessibility issues. Not everyone can afford one, and not everyone wants one.

As authentication devices they're an abysmal choice.

Meanwhile, Apple and Microsoft, among others, are back on the biometrics bandwagon, despite that being an obvious disaster.

Unfortunately many IT security experts are in such despair over the utter failure of password authentication that they'll grasp at any straw. You can see this in the editor comments in most issues of SANS NewsBites, for example. We're playing whack-a-mole, switching from one lousy, broken authentication pattern (passwords) to another (smartphone-based 2FA).

+1 for YubiKey and other dedicated physical authentication devices. Even dedicated TOTP gadgets like the RSA ones that used to be popular, or smartcards like the US DoD CAC, would be an improvement. Yes, they have their weaknesses too, but smartphones are just fucking awful as authenticators.

Michael Wojcik Silver badge

Re: Surely there's a design fault here

"requiring the user to escalate and contact IT/Security to try to gain access"

That may be fine when it's your work account – though I don't want to see how long it takes IT at some organizations to process such an issue, if there's even a way to alert them to it when you're locked out.

How does it work when you're locked out of Gmail? Or Amazon? What additional channel of authentication do you have with third-party service providers who just see you as a source of income?

International summit agrees crack down on crypto to combat ransomware

Michael Wojcik Silver badge

Re: Crypto was a great idea ... when it was just an idea.

Algorithmic bottom-up currency might be a good idea. Bitcoin is a largely shit design for that problem space. It's not particularly novel, hugely inefficient, and deflationary. It doesn't scale. Pretty much all of the claims made for it fail frequently under real-world conditions, such as anonymity, partition robustness for consensus, resistance to double-spending, and so on.

I am not a fan of cryptocurrencies, but I'm particularly not a fan of Bitcoin. It's an ugly, broken design.

Michael Wojcik Silver badge

Re: Kill ransomware 101.

Sigh.

This doesn't work.

Ransomware is a very low-cost, low-risk business. If one in a thousand victims pay, it's profitable.

It won't be hard to reach that level. Organizations will disguise payments. They'll create smokescreens that make it impossible to trace who actually authorized and made payments. They'll find scapegoats if necessary.

Meanwhile, ransom attacks are increasingly automated. Probably a decent fraction are already entirely handled by bots. There's really no need for human intervention in the day-to-day operations of a ransomware campaign; gangs just continue to use human affiliates because they're cheap and easy. But they'll increasingly shift to automation because once you've made the initial investment, bot armies are free, and you can't undercut free.

So eventually we'll just have fully-automated ransomware campaigns which don't care if no one pays. They exist to attack, penetrate, infect, and exfiltrate, and that's what they'll do. Computers don't get bored or frustrated.

Michael Wojcik Silver badge

Yes, the abuse of the term "crypto" is nearly as bad as what happened with "cyber". The latter horse is not only out of the barn but living under an assumed name in a no-extradition country, but it would be nice to see the clueful segments of the tech press not spreading the "crypto"-for-cryptocurrency shit any further.

There isn't even much in the way of interesting cryptography in cryptocurrencies. Most of them use cryptographic hashing (for the Merkle tree and mining rewards) and not a hell of a lot else. Yeah, there's Monero with its ZKP, but outside the ransomware industry it seems to be a pretty minor player, and even with ransomware my impression is Monero is only requested in a minority of demands. (Can't be bothered to research it.)

Ethereum co-founder Vitalik Buterin: If Musk's Twitter flops, it's not such a bad thing

Michael Wojcik Silver badge

Re: Twittering into MySpace

On the other hand, switching from ignoring Twitter to ignoring Replacement Twitter looks pretty straightforward.

9front releases new version of Plan 9 OS fork: The Golden Age of Ballooning

Michael Wojcik Silver badge

Seems like you could pretty easily build a nice little home cluster of cheap, lower-power machines (e.g. refurbished laptops) running Plan9 as the host OS and spinning up Linux VMs for anything you can't comfortably do on Plan9. I'm not a fan of containers (an uneasy compromise between user-space jails and VMs, with the advantages of neither), so a lightweight, capable VM-hosting OS with a strong network RPC capability would be a good alternative.

Not that I have any real use for such a system at home, at least now. Might be a fun personal research project if I ever find the time between the job, working on the houses and grounds, and family.

A next-gen AI protein folder that could help science? Meta's good for something

Michael Wojcik Silver badge

How interesting. You've surveyed all "actual scientists" to determine this?

Some (not all) of the actual scientists I know are a bit more careful before making sweeping generalizations about what "actual scientists" want or need.

Michael Wojcik Silver badge

Re: Unfortunately not peer reviewed

In some humanities fields, six months is considered prompt.

But yeah, peer review is a problem. Like replication, it's under-rewarded. And of course it's not a panacea; sometimes review catches serious problems, and sometimes it doesn't.

Is it any surprise that 'permacrisis' is the word of the year?

Michael Wojcik Silver badge

Re: You know where you are with an omnishambles

Much how the US has been in a "state of national emergency" since 1979. Some of those are taking a long time to emerge.

NASA uses space station dust sensor to map 50 methane 'super-emitters' on Earth

Michael Wojcik Silver badge

Re: It's unfortunate

Yeah, and it's a huge mystery what companies are producing in the Permian Basin. Oh, wait.

"Some of the major companies in the USA Permian Basin are Chevron Corp, Exxon Mobil Corp, Occidental Petroleum Corp, ConocoPhillips, Pioneer Natural Resources Co, Chesapeake Energy Corp, Devon Energy Corp, EOG Resources Inc, Endeavor Energy Resources LP, Marathon Oil Corp, Coterra Energy Inc, Continental Resources Inc, and Laredo Petroleum Inc. As of May 2022, Chevron and ExxonMobil have the highest leaseholds in the Permian Basin."

globaldata.com, "Permian Basin Oil and Gas Shale Market Analysis and Forecast"

I admit that did take nearly 30 seconds of searching.

And, no, the data gathered from the ISS would not narrow it down further than that. There's a big plume. Probably all the producers in the area contribute to it.

Tesla reportedly faces criminal probe into self-driving hype

Michael Wojcik Silver badge

Re: Don't let the sound of your own wheels drive you crazy

I've done long (15-18 hour) drives without cruise control, and I've done them with cruise control; and let me assure you, cruise control is much easier on the right ankle.

And, frankly, maintaining a consistent speed at highway speeds, on a low-traffic highway, in a good-quality car, is not particularly easy. In my Volvo there's very little engine noise to begin with, and other external sounds are substantially diminished, so distinguishing between, say, 65 MPH and 75 MPH by ambient noise is not really feasible. Maybe you can gauge your speed precisely by parallax with roadside objects, but I can't – not to the degree that would keep me safe from speed traps, certainly.

For what it's worth, I hate adaptive cruise control. In my opinion, cruise control is there to maintain the speed I set, not whatever speed the nitwit who pulled into my lane four car lengths ahead thinks I should be going.

Michael Wojcik Silver badge

Re: Autononmous cars

None of this requires automation, however. We could do it all now with human drivers. We haven't, for the most part. So why would autonomous vehicles make it happen? What's the economic driver?

Michael Wojcik Silver badge

Re: Autononmous cars

To be fair, nothing says autonomous vehicles couldn't be rented, and indeed we already have such on offer in some places.

So it's really a contest between "vehicle driven by a person that you own or rent" and "vehicle driven by a machine that you own or rent". I personally find the latter concept tiresome, but I admit arguments can be made for it. I'm not yet convinced they're compelling.

Michael Wojcik Silver badge

Re: Don't let the sound of your own wheels drive you crazy

"the 10mph difference works out timewise as being 8 minutes per hour"

A reasonable consideration for a one- or two-hour trip, provided you can safely go 10 MPH slower than most of the surrounding traffic. In the US that's often risky – even the semis are typically cruising at or above the posted limit if they can.

For a 15-hour drive, where the difference means 17 hours instead, it's less appealing.

Michael Wojcik Silver badge

Re: Cybertruck on Mars

Diggin' a tunnel for the Mars Hyperloop.

Michael Wojcik Silver badge

This is broadly correct, for the US. "Puffery" – advertising or marketing claims that would be understood as hyperbole or subjective ("the best-tasting floor polish money can buy!") by a reasonable consumer of ordinary knowledge – are not actionable under deceptive-advertising laws.

That said, there's nothing to stop the DoJ from pursuing charges; then it falls on Tesla to settle (no doubt with no admission of guilt) or try their luck in court.

And the DoJ could go after Musk personally, based on the public claims he made about Autopilot on Twitter and the like, where he was not acting in his capacity as an officer of the corporation.

Microsoft's Lennart Poettering proposes tightening up Linux boot process

Michael Wojcik Silver badge

Re: TPM? No thanks

Angry that someone's taking a page from your book, Dave?

And then the SEC said, we'll claw back bad bonuses

Michael Wojcik Silver badge

This is discussed in the article.

Lash#Cat9: A radical new Linux UI for keyboard warriors

Michael Wojcik Silver badge

I am curious about Arcan – and a bit about Durden, though after using GUIs for nearly 40 years my observation is I don't really like any window managers except ones I've written myself, or at least hugely customized. Might get all of this running in a VM over the holidays or something, just to poke at it a bit.

If the autocomplete of Lash#Cat9 annoys me, I imagine it can't be that hard to find it in the code and turn it off. That's the point of having the source, yeah?

Michael Wojcik Silver badge

And of course the nice thing about UNIX and Linux is that they've always been comfortable with providing multiple "forwards", and letting users pick which ones they liked.

And here we have another one. It really doesn't matter whether I like it, or you like it, or Liam likes it. What matters is whether enough people find it to their taste to keep it viable. I'd be happy to see that happen, regardless of whether I ever use it.

Michael Wojcik Silver badge

Yup. And I have to say that once I've gone through every single option and setting in Visual Studio, and installed VsVim, it's pretty close to a real development environment. Just hugely bloated and slow and unstable, and lacking 95% of the command-line tools available under UNIX and Linux. And a lot less flexible. But aside from all that, it's nearly usable.

(The same is probably true of Eclipse, but I've only used Eclipse for a few hundred hours or so in total, so I've barely scratched the surface of its eccentricities.)

Michael Wojcik Silver badge

Re: That seems like a strange response to me

"Autocomplete is for when you _don't_ know what you want to type. If it's someone else's code, for instance, and you didn't name the functions, or they are from libraries or foundation classes created by whole external teams of people. You didn't pick the order the parameters go in, and which parameters you must supply, in which order."

...

"It's to help find what you _don't_ know because you have not memorised the thousands of function names, with a dozen parameters each. Nobody can memorise all that stuff *and they shouldn't have to*."

No, what you should do is look it up, because the documentation or (code) definition may have important information that autocomplete does not show you. Needing autocomplete is a sign that you may not understand what you're writing well enough.

Autocomplete is dangerous. I've seen more than a few bugs introduced by Autocomplete Pilots letting the IDE write code for them. It's the local version of StackOverflow.

Michael Wojcik Silver badge

Re: That seems like a strange response to me

"how does touch typing fare when mixed in with plenty of arcane punctuation and, often, moving around the screen and between files rather than having a linear character flow?"

Depends on the typist and actual work flow, of course. I can often touch-type most of the code I write (but of course I try to minimize how much code I write, via prefactoring and reuse and the like, because code volume contributes to maintenance cost). And I use vim as my editor, so a lot of the "moving around the screen" can be touch-typed too, with various navigation and search operations.

But I've spent decades learning to do it – I learned to touch-type (also on a manual typewriter) in school but didn't really touch-type most code until years later. And it's definitely sensitive to things like programming language and coding style, so I'm more likely to touch-type if I'm maintaining code I wrote than if I'm in someone else's, for example.

Michael Wojcik Silver badge

Re: That seems like a strange response to me

I, and I expect the other people making similar comments above, hate both. Well, I'll allow autocompletion when I ask for it, but only then (and even so many implementations have various issues and need customization, if not outright fixing).

Michael Wojcik Silver badge

Re: That seems like a strange response to me

Well, it can be both, can't it? I too hate intrusive UIs, and I haven't even looked at Lash#Cat9 because realistically it won't be an option for work,[1] and I have too much going on in my personal life to spend a lot of time experimenting with software on my own machines.

But I'm glad that someone's trying something a bit different. I'm not convinced that it's really all that different, since pretty much everything Liam mentions in the article seems like something I used to do routinely when I was using UNIX workstations.[2] But as I said I haven't looked at it myself, and in any case, sure, let's have a UI option that makes that sort of thing a first-class operation.

It doesn't have to be for me.

[1] I have to run Windows natively on my work machine. Over the years I've massaged Cygwin into an acceptable environment; I'm not going to devote a lot of time to getting something else (even WSL) working. For my Linux and UNIX work, I'm ssh'ing into remote systems, most of them on another continent, so command line is the only feasible option (which is fine by me).

[2] It's not hard to interact with X11 and the window manager from the command line, if you run a sensible window manager. Maybe you end up writing a few windowless X11 clients to help; that's fine, libx11 is not a difficult API. And running multiple foreground text-mode programs is just "xterm -e ...".

Chip fab locations more important than oil well placement, says Gelsinger

Michael Wojcik Silver badge

Re: Copyright Mandy Rice-Davies

"Skill desert"? Well screw you too. There are five R1 universities in Ohio, and twice that many relatively nearby in neighboring states. Plenty of high-tech industry R&D too.

Linus Torvalds suggests the 80486 architecture belongs in a museum, not the Linux kernel

Michael Wojcik Silver badge

An old machine is more likely to be used to pivot to something more interesting. Many IT-crime gangs have a bot army probing addresses for a whole collection of vulnerabilities, and there's no real incentive to remove old vulns from that, so an older machine might well turn out to be exploitable. When a bot breaks into it and notifies its C&C server, the next step will be for someone to see if anything more interesting is reachable from the compromised system – like a SCADA system, for example.

That's the danger of having old equipment on the public Internet. It's potentially a route into your private network.

Michael Wojcik Silver badge

Re: No loss of hardware support

It's not like there aren't copies of old distributions sitting around. I probably still have some on CD-ROM, and I definitely have some on old laptop SATA drives. I'm sure plenty of people have various old distros squirreled away.

Apple finds way to squeeze social network apps until pips squeak

Michael Wojcik Silver badge

Re: WTF?

A furry lawyer? Like this one?

Michael Wojcik Silver badge

Re: Even people who hate Apple

I don't see them making life much harder for NFT scammers. Apple just want their piece of the action.

Rent-calculating software biz accused of colluding with 'cartel' of landlords

Michael Wojcik Silver badge

Re: Intention is irrelevant

If the rental market is tight, they have more to gain by remaining. Renting isn't like selling a single good; it's a largely-inflexible market with a relatively long-term income stream. Unless you have a lot of units sitting empty, there's no advantage to lowering the rent.

Michael Wojcik Silver badge

Re: Intention is irrelevant

"What the hell's a rental license? You need a quantity-restricted permit to engage in a contract?"

Yes, in many jurisdictions, for the obvious reason that renting property has external social costs, so the public and state have an interest in regulating it.

Renters use public services. They may create a public nuisance, which for a remote landlord is an externality. Liability needs to be hedged with insurance. Rental properties need to be maintained to within standards (residential building codes, fire codes, etc.), and again for many landlords these are externalities. All of these things create a public interest.

If you're renting a ranch house out in the middle of nowhere, no one's going to care and no one's going to check (except maybe the IRS). But if you're renting out property in a municipality, damn right they ought to be regulating it.

Michael Wojcik Silver badge

Re: If most of the major property owners are using this

For that matter, collusion can take place when determining what price to advertise, before it is published. The fact that price is later published doesn't prove there wasn't a cartel determining it in the first place.

Regulations enforcing more transparency in residential-property rental rates might help. Then renters and regulators could see if similar properties were charging different rates, how much rates increased over time, and so on.

Michael Wojcik Silver badge

Re: Intention is irrelevant

"This is exacerbating the already short supply of low and middle income housing."

Unfortunately, in places where tourism is high, short-term rentals (mostly via that abomination Airbnb) are displacing long-term rentals, so housing for residents who can't or don't want to buy is similarly short. We see a lot of that here around the Mountain Fastness.

Clamping down on short-term rentals may help. In particular, enforcing lodging regulations increases the cost of running a short-term rental, while providing other social goods – adequate insurance, for example, and code-compliance inspections.

IBM doesn't think Brexit is such a bad thing these days

Michael Wojcik Silver badge

Take heart. At the rate IBM are discarding talent, with a little luck they'll lose your data before it makes it to the US.

Michael Wojcik Silver badge

Unfortunately due to customs issues delivery has been delayed, and while you should be receiving your baby unicorn soon, some reduction in liveness may have occurred.