Posts by Michael Wojcik

Re: Cue the lawsuit in 3, 2, 1...

Wrongful-termination and hostile-workplace suits are hard to win in the US, particularly as most employment is at-will, and as a Microsoft subsidiary GitHub have deep pockets. This firing certainly looks suspicious based on the information available (and I would not be at all surprised if it was unjust), but a settlement - with no admission of fault - for something less than what GitHub's team estimates it will cost to defend against the suit is probably the most the employee can hope for.

Internal employee communication channels controlled, monitored, and recorded by the employer are very handy for HR actions against employees. Be cautious about how you use them.

Re: Hurrah for screen readers!

And here I was thinking it was a new Swallows & Amazons book. Pigeon PGP Post maybe. Steganography Water, anyone?

(Really it's Dick and Nancy who'd be into crypto. Titty's more a HUMINT type.)

Re: @AC and @ Author Thank god

Sedition is never protected speech

You are completely wrong, at least as far as the US is concerned. Brandenburg and Yates set the current standard, which greatly limits the (outrageous) anti-sedition laws Congress had been gleefully emitting.

The Brandenburg test means speech can be as seditious as you like, unless it contains an incitement to break the law and is likely to succeed in producing lawless action.

Of course, the post you're responding to is equally wrong about how freedom-of-expression law works in the US. Amazon is perfectly free to kick anyone they like off their infrastructure.

The First Amendment does apply to private parties, not just the government (contra what other people have posted here). As White explains in the second link, the courts have agreed that it forbids the use of the power of the state by private parties to suppress speech; this is what supports Anti-SLAPP laws. But Amazon isn't using the power of the government here. It's using its own power, in the form of its control over its resources.

So Skokie doesn't apply here because Amazon isn't a government entity, and Times v Sullivan doesn't apply because Amazon is not using the government as a proxy.

There isn't much difference between being at the back of the big hall listening to the Nvidia/Intel keynote and watching it on youtube

That may be true for most people. Personally, I find it difficult to concentrate on synchronous media. I can read all day, but watching a video for even half an hour is tiring.

For me, live presentations much less taxing; back when I attended academic and professional conferences more regularly, I could easily take in a dozen presentations in a day, taking notes and doing follow-up research in the evening.

Virtual conferences are simply out of the question for me. I wouldn't make it through a day.

Of course, for some people, such as the Microsoft developer quoted in the article, the reverse is true.

Re: Why 'science'?

Though confirming the defecation habits of bears in arboreal habitats could be legitimate zoology. We'd allow that.

Re: The coup explained in 5 easy steps

I agree. However, that doesn't mean there aren't people who think it would work. We're talking about the folks of the intellectual caliber seen in the "sovereign citizen" movement.

Personally, I take no position on whether there was some sort of conspiratorial plan behind the 6 January invasion of the Capitol. I don't have reliable information, and both history and an appreciation of the human condition suggests that some of the invaders had some sort of plan, and others were along for the ride, and it's difficult to guess what the ratio is.

But I would not be at all surprised to learn that a significant number believed in some sort of grand and, to their minds, subtle scheme to successfully stage a coup.

What will matter in the end is, first, the Federal government's assertion of its monopoly on violence, and what form that takes, because obviously no number of wingnuts from any part of the political spectrum can contest the material power held by the government; and second, how much interest said wingnuts can sustain among their followers. It's one thing to be an armchair rebel posting inflamatory remarks to some back-alley website; it's quite another to face material resistance.

The former will be conditioned to some extent by intangible considerations such as ideology, the desire for the appearance of legitimacy, perceptions of how the political winds are blowing, etc. Let's hope it favors maintaining the rule of law.

Re: Mark can't see a use case so the tech is junk?

Multiple physical screens is a rather different experience than five see-through AR virtual screens.

Of course user preferences vary. Personally, I gave up on multiple screens around 1995 and haven't ever felt inclined to go back. And I am a software developer. But I recognize that there are people who would be interested in this sort of thing.

Re: Papering over the cracks

It's not impossible, under US law, to pierce the corporate veil and hold management accountable for corporate misdeeds, but it's difficult. And while IANAL I expect it's particularly difficult when the misdeeds in question can be characterized as negligence rather than outright criminal activity.

I'd be quite surprised if this blows back on SW management in any significant manner. Some people may be shown the door, probably with large payoffs to help the medicine go down.

Re: Sorry but software's not going that way.

Please could people learn to leave the Windows built in stuff like minimise and maximise alone.

Agreed. Personally I hate the MS Windows window-decoration controls; every time I accidentally hit the window-close, or accidentally double-click a titlebar and the window gets maximized, or something along those lines I curse Windows to Hell and back.

But I would never change them in any application I wrote, because I know other people depend on that positioning and behavior. Once in a while it's not all about me.

I pretty much never write user-facing software any more, but I support Rupert's proposal.

Re: Proof reader

For important documents, when time permits, I do the second read backward: start at the end of the document, and (try to) read the last clause, then the preceding one, and so on. It took some practice to learn to force myself to do this, and, if it's a language I'm fluent in, it's not possible to always avoid skipping further back and reading longer sections in the correct order. But I found reading backward prevented me from skipping over a fair number of low-level errors such as typographical transpositions, even though I'm pretty good at proofing during normal reading.

Re: Hmmm

you can't yell "fire" in a theater

Yes, you can. As Ken White puts it, "Holmes' [fire-in-a-theater] quote is the most famous and pervasive lazy cheat in American dialogue about free speech". Just stop using this bogus example, please.

Also, contra another post above, seditious speech is not generally against the law in the US today, thanks to SCOTUS decisions in cases such as Schafer, Brandenburg, and Yates. That hasn't always stopped the Feds from trying to bring sedition charges (based purely on speech) against someone, of course, but the current standard articulated by the court is a very high bar. In Brandenburg it's "where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite or produce such action": the speech has to be intended to lead to breaking the law, and has to be likely to succeed.

In the US, you're perfectly free to say, "hey, I think it would be swell if someone overthrew the government by force". That seems reasonable to me, since you'd basically be paraphrasing Thomas Jefferson. I'm not much of a fan of Jefferson myself, but if we're going to go telling people that he was one of our great political thinkers, we shouldn't punish those who repeat him.

People who insist on discussing US free-speech law and the First Amendment should also read "Hello! You've Been Referred Here Because You're Wrong About The First Amendment", if they haven't already.

Re: a Unicorn Argent armed, crined and unguled Proper

I agree. Isn't the language used to describe coats of arms in the UK (possibly aside from Scotland, which has its own heraldic authority) based on Fox-Davies' The Art of Heraldry? My understanding is that it's quite regular.

It'd be interesting to try to train GPT-3 on something rather less predictable, such as the descriptions in Joyce's Ulysses or Pynchon's Gravity's Rainbow, or other similar modernist¹ works.

¹Sure, many people consider GR postmodern, rather than (high) modern or avant-garde. I don't, particularly; I think that while it certainly has deliberately postmodern elements, particularly in style (flattening of value, bricolage, blah blah whatever), really postmodern prose has moved so far beyond the early works that were assigned that label that it's more useful, if we're going to try to define literary movements or periods at all, to consider much of the early-pomo work like GR as late-modern or transitional. Contemporary hypermedia works, or even some print works such as House of Leaves, are much further removed from GR than GR is from, say, Woolf or Faulkner. Hell, there are ways in which Cantero's The Supernatural Enhancements is arguably more postmodern than Gravity's Rainbow. And it's a lot more fun to read, so there's that.

Re: Free speech? It'll never catch on...

Sure. It's basically the China-for-Africa version of the Marshall Plan. Economic investment and development is broadly recognized as a way to project power, and it can (doesn't necessarily) have beneficial effects. The only mildly surprising aspect of the whole thing is that the US, the EU, the individual European nations, the Commonwealth nations, Russia, etc, didn't get their acts together to compete more effectively for this opportunity. But this is one of those cases where a planned economy can (won't necessarily) mobilize large, targeted investments more quickly and easily, since decision-making is concentrated.

Re: Blame Devin Nunes

Dude's the Orly Taitz of libel suits.

I think you're off by a couple orders of magnitude. Use the whole hecatomb.

Re: Is anyone really surprised ?

Especially in an authoritarian state like Singapore.

Yes, or in an authoritarian state like the US, the UK, etc.

Re: "The incongruity between the treatment of cash and cryptocurrency"

Stablecoins tie the value of the token to some external resource. That can be a government-backed currency,¹ a physical asset such as gold, some other kind of value reserve like a basket of bonds, etc. The aim is to reduce volatility in the token's price. Some stablecoins also allow free or low-cost conversion from tokens to the backing resource, or conversions in both directions (i.e. you can buy and sell tokens through the issuer or some guaranteed third party).

See "Demystifying Stablecoins" in ACM Queue (should be free access -- I don't think you need an ACM membership) for a good overview of various classes of stablecoins.

I'm not a cryptocurrency fan,² but I find the technology and economics interesting. And I don't think they're going away, so it's useful to have some understanding of them.

¹In the literature you'll often see people use "fiat currency" to refer to government currencies, but for this purpose it doesn't matter if it's a fiat or backed currency, and of course there are non-government fiat currencies such as non-stable cryptocurrencies.

²There's a huge amount of risk tied up in cryptocurrencies. Bitcoin of course has been very volatile. There's currently around $100B tied up in Ether "smart contracts", and a number of studies have shown just how flawed smart contracts are in general (a great many of them are riddled with bugs). I have little appetite for risk. Proof-of-work cryptocurrencies like Bitcoin are wasting a lot of resources. And so on.

Re: Insanely high IQ

In this case, Gevers had 100% of the password. After he guessed it, that is.

Same problem with a "dumb" (i.e. for smart consumers) TV set connected to a set-top box, if you view content from many of the streaming services.

Which, of course, you may choose to avoid. I personally wouldn't miss much if we got rid of our various streaming services. For those occasions when I want to watch television (mostly when I'm eating, because I find it less convenient to eat and read at the same time), there are DVDs, and the occasional YouTube video on my laptop. I could live without Prime and Hulu and Netflix and the rest.

And, of course, a set-top box can be disconnected and powered off while still using the TV set itself. And it can be replaced without replacing the TV set. Those are both advantages over "smart" TVs.

The last time I bought a TV, though, there was only one non-smart set available between the two stores I checked.

Re: looking for the easy life

If I had $50 million...

Perfectly reasonable, and there are certainly worse things to do with your money. At least you'd be spreading it around (keeping the velocity up), with a good bit of it going to lower-tier earners in the service sector.

Personally, I really don't think I'd quit working if I came into a windfall like that. I have my entertainments - mostly reading and spending time with family - but I also have to keep busy, and I'd get bored just working on the house and cars. I'd be very tempted to buy the property across from ours, though; we like the guy who rents and farms it, and I'd prefer he stay there rather than the current owner someday selling it to a developer.

Re: It's OK...

Exactly. Typical software product supply chains have a lot of potential points of vulnerability. Developer machines, source-code repositories, CI, staging, build machines, artifact repositories, signing servers, private-key backups... Good separation of concerns can plug some of the holes (don't keep production signing keys on developer machines!), but the links between them can introduce new ones.

Even if you follow the sorts of practices that the CA/BF's Code Signing Research Group was trying to push a few years back - requiring a FIPS 1040-2 Level 2 HSM to do the actual signing, for example - and follow reasonable practices like requiring mutual authentication and data integrity between production build machines and signing servers, it's really hard to lock attackers out of that process flow once they get access to the internal network. That's one reason why zero-trust corporate systems are a hot topic these days.

Against that, though, you have to ensure developers can do their jobs and automated integration-build-test systems can do theirs. It's not an easy problem.

Re: Who is at fault?

According to the article, ~23K UK records, of ~45M worldwide. I don't think you can blame the NHS for more than about 2.5% of the problem at most.

It's the same issue we've seen with other industries and data domains: long-standing common practices that did not include any real attention to security. It's systemic, not specific.

Also, take note of the comment about "automated scripts". This is why we'll always have ransomware, mining ware, spam, etc: even if these types of common IT abuse become no longer economically viable, there are large bot armies running on compromised systems which are busy finding and infecting vulnerable targets, without any significant human supervision. We've created an industry that attacks itself automatically.

(Of course, a number of other industries are not free of such revenge effects - take, for example, the breeding of "superbugs" in hospitals. But in IT we've really grabbed the brass ring on this one. There are already mostly-automated systems for identifying new vulnerabilities and constructing exploits for them, and those will only get better.)

Re: once again

Proof? No. What would such proof consist of?

An attack like this implies extensive resources, and it was against a broad range of targets, many of which are relatively difficult to monetize (suggesting direct financial profit wasn't the main motive). That pushes the probability toward a nation-state or nation-state-sponsored actor.

Again, the choice of targets suggests it wasn't a nominal ally country - not because allies don't spy on one another (of course they do), but because allies can get much of the probably-exfiltrated information through other channels, so they'd put their resources elsewhere.

So, probability favors nominal-foe states known to have groups with the resources (funds, technical capabilities, discipline) to pull off this attack. Iran's working up to this sort of thing but evidence suggests it's not there yet. That leaves China, Russia, and North Korea.

The DPRK has historically been more interested in more-targeted attacks aiming at hard currency and scientific / technical information.

Between China and Russia, the style and apparent goals of this attack are more typical of Russia in recent years.

There may also be technical evidence suggesting Russia; I haven't read the detailed technical reports yet.

This has nothing to do with McCarthyism (an accusation which is nonsensical in this case, since McCarthyism was ostensibly about International Communism and Communist organization in the US, not Russia, and actually about Joe McCarthy's need for attention) or an anti-Russia bias. The IT security community broadly recognizes a number of nation-state actors performing a wide range of IT-system penetrations around the world, including the US and its allies. Russia has no special status as a bugbear in that regard. They're just one of the players.

Re: I don't quite follow the logic.

Gawker published Hulk Hogan's sex tape - this was illegal

Was it? Citation needed.

Re: Commonality

He was smart enough to make a cipher that took fifty years to crack

He created a cipher that no one put enough work into to crack for 50 years. Or someone did, but didn't publish the fact. That's not a useful indicator of the design quality of a cryptosystem, and says very little about the capabilities of its "inventor" (a dubious title anyway, since Z doesn't appear to have used any concepts not already well-documented for pen-and-paper ciphers).

Re: Who decides the definition of "Harmful"?

Those other ideas collapse when revealed as untruths.

I am firmly in favor of strong protections for freedom of expression, and automatically hostile toward any censorship system. But this comment is simply incorrect, as a vast number of methodologically-sound psychological experiments and the vast sweep of human history both attest.

Even testable false hypotheses don't show any sign of being overwhelmed by truth. Take, oh, the Flat Earthers. Or the homeopaths. And of course untestable hypotheses (religion, conspiracy theories, solipsism, etc) cannot logically be refuted.

Education helps. Some economic pressures can help - though it's difficult to institute most of those without unacceptable constraints on expression. For the most part, though, we have to bear the costs of significant numbers of people believing false ideas and acting accordingly, as the price of freedom of expression. That's a trade-off inherent in the human condition.

It's a wind-eye. A society can choose to be blind but sheltered from the cold, or confront the gale and see.

Re: improve our employees’ quality of life

To be fair, the water problems in California are at least as much the fault of the Federal government as the state. In particular, they're the result of bad policies created by the Bureau of Reclamation (which rivals the Army Corps of Engineers and the Tennessee Valley Authority for the title of "most destructive US Federal organization"), and rampant corruption which let the Bureau ignore the only good aspects of those policies.

The result was not just massive misuse of water resources, but misuse to benefit a handful of wealthy agriculturalists rather than the bulk of the state's population.

(There are critiques of Cadillac Desert, but the updated edition is still the best accessible, general treatment of the water problem in the western US that I know of.)

Re: No sympathy from me

The explanation for the overrun is bizarre. Who starts a web-crawling project and thinks "oh, yeah, the web definitely an acyclic graph"? Making a mistake like that is just wildly technically incompetent.

If someone came to me with some web-link-traversal project for any purpose, my first question would be how they're handling loops, because that's important for performance and scalability. And if the response was "oh, we hadn't thought of that", it would be a long time before anything got deployed in any sort of environment that might incur liability.

Re: straight forward?

In the US, at least, it's not just "someone skilled in the art", but someone of ordinary skill in the art. (I recently attended a presentation by a lawyer specializing in the IT patent process who discussed this point.) In other words, the intent of the "obvious" provision in US patent law is that an invention shouldn't be eligible if a hypothetical most-common-practitioner would find it obvious.

There are a lot of programmers, and sometimes what's obvious to you or me is not obvious to many of them. I think there's ample evidence for that in, well, pretty much any large-enough sample of software.

The obviousness test and other restrictions still seem to reject a fair number of applications, considering that USPTO only grants around half of the applications every year. (Yes, that's arguably still too high, but it's a far cry from the usual accusations in these parts of rubber-stamping everything that comes before them.) But it's not a high bar.

There is no maths that can make it work without increasing workforce combined with inflation to reduce the real value of future pensions paid.

Yes, and that's exacerbated by increasing lifespan (without a corresponding increase in the retirement age) and rising post-retirement medical costs.

Really, what has to keep increasing is total productivity, not necessarily the size of the workforce, but that's no easier to achieve.

Re: Facebook is very useful

I admit I have very little idea what the IT job market is like these days (or, really, ever has been like), but I hope you're right that having social-media accounts isn't treated as a qualification.

I have heard many reports of interviewers and HR representatives requesting access to candidates' accounts, which is a fine argument for not having them. I mean, I'd refuse such a request; but I have the luxury of doing that. Someone in a more-precarious financial situation might not.

Re: What a bunch of tossers

An excellent point, but it's also true that some organizations are much more prone to fire the lawer-guns. And sending C&Ds to security researchers is nearly always an indication of a firm which neither understands nor cares about security. When a company that supposedly specializes in security products does it, it's a red flag.