* Posts by doublelayer

7582 publicly visible posts • joined 22 Feb 2018

AI hallucinates software packages and devs download them – even if potentially poisoned with malware

doublelayer Silver badge

Re: Not "hallucinates"

This has been covered at length in the first thread here. Your complaint is also not internally consistent. If using the term "hallucination" is giving the program too much credit, then surely so would "making things up" or "lying", as both require intent. "Misleading" fits a little better, but typical usage uses misleading most frequently for intentionally misleading, and your entire first sentence was trying to make sure that the terms make it clear that the program is not thinking. So all three of your terms don't meet your own goal, and if we tried to have one, it would likely be the ungainly "emit information that is either factually incorrect, likely to lead to unwarranted results, or irrelevant". Maybe choosing a word, a word that clearly indicates the degree to which the results are useless, is logical after all?

doublelayer Silver badge

"While "lie" may technically require intent I am pretty sure most people will take uttering falsehood and untruth without intent as lying"

I don't think they do. I certainly don't. I class that as being wrong. I know lots of people who are frequently wrong but aren't trying to be dishonest, and the distinction is relevant to what I think of them. Of course, it can be difficult to know what the intent is, because I also know some types of people who say something they know is incorrect, and are thus lying, but are good at acting as if they're really deluded into thinking it's true. Those people are quite annoying.

doublelayer Silver badge

Re: So nobody ever tried the commands before publishing?

Not if you lump it into a requirements file which says to install a bunch of packages, and you just assume that if you run that file and the program works, you must be fine. I'm guessing it was in a list of other packages so it wasn't a completely ineffectual install step and that they didn't have any testers of any competency checking on it.

FTX crypto-crook Sam Bankman-Fried gets 25 years in prison

doublelayer Silver badge

Re: A message--the absolutely wrong one--has just been sent to all the sociopaths in the US...

From the judge's statement, it doesn't sound like his awkwardness was used to reduce his sentence, just to change where he served it. I admit that this was one of your points, although the recommendation was for a medium-security, not a low-security facility. Still, you may have overestimated how much that helped him.

doublelayer Silver badge

Re: What ?

It's not about the weather. That's where his parents live, so if he is near there, it is easier for them to visit him. From the context, it seems they think that would be beneficial to his mental health.

Good news: HMRC offers a Linux version of Basic PAYE Tools. Bad news: It broke

doublelayer Silver badge

Re: if status_code == 200

Given that the API I was working with sometimes issued responses with 204, and they had to be handled differently, not so much. There's a reason they have more than one code there. Handling every 200 code identically is almost as bad as the time I saw someone's program doing a retry on every 4xx code, including 403 and 404.

doublelayer Silver badge

Re: I wonder why every request is showing an error

"I respectfully suggest that it is because you didn't read (and absorb) the documentation."

No, it's because I was writing quickly. I read the documentation, which is how I know where the status code is, but I was using an HTTP client that I hadn't used before, and I forgot that it was a string. Generally, you have to understand the documentation, not memorize it. In either case, the bug was identified and fixed quickly. I'm just pointing out that a compiler that detected that I had effectively written "if False" would have pointed it out even faster, with no doubt about the particular cause. Of course, if I keep using this HTTP client library, then I'll begin to write if status_code == "200" all the time, and if I go back to a different one where I know they are integers, that's when my automatic entry will end up being the wrong thing.

doublelayer Silver badge

Re: the reason we use compilers is to somewhat limit the number of stupid things we can do

Those sound like the words of an overconfident person to me. People trying to write something quickly can write a stupid thing even though they would be smart enough to avoid it in another circumstance. Have you ever looked at some code and thought "who decided that was a good idea", checked the logs, and it was you? I have. Sometimes, I know it at the time, so the code is helpfully labeled with comments about why this stupid thing is what I've done right now, but it should be improved at some point. You don't even have to write a lot of code to know that. Are you really saying you've never done something on autopilot and realized, usually right after doing it, that you shouldn't have? Of course, we try to minimize how often that happens and I think I've done well enough at that goal, but I'd be lying if I said it wouldn't ever happen again.

doublelayer Silver badge

Re: It's 2024

You are definitely correct about both things. The reason I bring them up anyway is that I've worked in many places where people wrote unit tests that were testing basic functionality because they occasionally caught errors made by the coders by testing every path, but that a compiler in other languages would have detected. I was required to write similar ones because otherwise, coverage reports would indicate that the function didn't test that the if statement did, in fact, execute the enclosed code when the condition was true. The time spent on unit tests like these that either did nothing or tested manually what a compiler could test automatically took up time. If I had insisted on writing even more tests that were actually useful, my performance would decrease and that doesn't end well.

This does not mean that I neglected useful tests, because I did try to include new ones whenever I thought the risk of someone changing a part was too high, but our project's testing was insufficient, and the time spent on pointless tests of basic things did not help. By all means, you can put the blame on my management for not caring about good tests or on me for listening to them. I certainly blamed myself every time I looked at our build tests which showed 40868 unit tests passed and gave me very little confidence that that meant anything useful.

doublelayer Silver badge

I can't agree with you about the reasons. Python was not the language I learned in introductory courses. It was not the language I learned in advanced courses. Many of those were taught in C or C++ for me, though I learned about ten languages more or less for some course. Python was used in exactly one course, or roughly 0.5 courses because that one used some others as well. If I just stuck with what I learned first, I would not use Python.

I use Python for some purposes because it makes it easy for me to express the intended computation quickly and generally accurately. My typical example is string parsing, where one or two lines of Python can do what would take twenty in C. If I need to parse a million such strings per second, then I might reimplement it in something faster, but in many cases, I need to parse a smaller number and it doesn't really matter how quickly, so the faster and more accurately I can chop them up and reconstitute the parts I care about, the better. This does mean that, as a program gets larger, I am less likely to use Python to write it, but that doesn't kick in as fast as it might for you. I have and will continue to write quite large systems in it when it is better than the alternatives.

doublelayer Silver badge

Re: It's 2024

I'm glad to hear it. I'm pretty good at not doing that myself, having had a lot of experience, but I can't claim never to have done it, especially as I did it not too long ago. I was writing a basic HTTP client, and I checked the return code with something like

if status_code == 200:

Huh, I wonder why every request is showing an error? Is it that I'm not connecting to the right place? Have I incorrectly implemented the authentication? Did my quick client mess up a character encoding thing? No, I have to compare against a string status code instead of a numeric one but Python doesn't mind comparing a string and an integer for equality, it just always says False. A simple error, quickly fixed, and I probably wouldn't have made it if I was writing a larger program rather than a quick script (because the larger program would have abstracted out the HTTP stuff into one part that I would have focused my attention on when writing it), but I do make mistakes.

If you never make mistakes, that's great, but two things are still true. First, there are many people who do make them and it can be helpful to catch them without requiring them to go through long, otherwise pointless processes because they might try to skip them or they might make another mistake*. Second, I don't believe that you actually never make a mistake. I think you probably catch it quickly instead.

* In a project I worked on, every function would start by checking all its parameters for unacceptable nulls. Every unit test would start by testing all the parameters with unacceptable nulls. We pointed out that, if someone forgot to check for nulls, they would probably forget to test for the null they missed because everyone just wrote tests in the same order that their checks appeared which made it really easy to miss such a thing a second time if they already missed it the first time.
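The string-versus-integer status code bug described in this post and the earlier one about 204 and retrying 4xx codes, as an added example that is not code from any of the comments. It assumes a hypothetical HTTP client whose response object exposes `status_code` as a string (the `FakeResponse` class is a constructed stand-in), shows why `status_code == 200` silently fails in Python, and then normalises the code before classifying it so that 200 and 204 are handled separately and 403/404 are never retried.

```python
"""HTTP status handling: the str-vs-int comparison bug beside a defensive fix."""
from dataclasses import dataclass
from typing import Union


@dataclass
class FakeResponse:
    # Constructed stand-in for a client that reports the status as a string.
    status_code: Union[str, int]
    body: bytes = b""


def buggy_is_ok(resp: FakeResponse) -> bool:
    # Python does not raise when comparing str and int; it just returns False,
    # so "200" == 200 is always False and every response looks like an error.
    return resp.status_code == 200


def status_as_int(code: Union[str, int]) -> int:
    """Normalise a status code: accept an int or a decimal string, reject anything else loudly."""
    if isinstance(code, bool):  # bool is a subclass of int; refuse it explicitly
        raise TypeError("status code must not be a bool")
    if isinstance(code, int):
        value = code
    elif isinstance(code, str) and code.strip().isdigit():
        value = int(code.strip())
    else:
        raise TypeError(f"unrecognised status code: {code!r}")
    if not 100 <= value <= 599:
        raise ValueError(f"status code out of range: {value}")
    return value


def classify(resp: FakeResponse) -> str:
    """Return 'ok', 'no_content', 'retry', 'client_error' or 'other'.

    200 and 204 are handled separately: a 204 carries no body, so body-parsing
    code must not run on it. Only 429 and 5xx are worth retrying; 403 and 404
    are permanent answers, and retrying them just hammers the server.
    """
    code = status_as_int(resp.status_code)
    if code == 200:
        return "ok"
    if code == 204:
        return "no_content"
    if code == 429 or 500 <= code <= 599:
        return "retry"
    if 400 <= code <= 499:
        return "client_error"
    return "other"


def body_text(resp: FakeResponse) -> str:
    # Only decode a body where one is expected.
    return resp.body.decode() if classify(resp) == "ok" else ""


if __name__ == "__main__":
    r = FakeResponse("200", b'{"ok": true}')
    print("buggy check says ok:", buggy_is_ok(r))  # False: the bug from the thread
    print("normalised check:", classify(r))       # ok
```

The normalising function is where a static checker earns its keep: with type hints in place, mypy's `--strict-equality` option reports a comparison between non-overlapping types such as `str` and `int`, which is the compile-time check the thread wishes Python had.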

doublelayer Silver badge

Re: It's 2024

The problem with that is that manually writing unit tests that test obvious behavior takes time, and that time could be better spent on tests that might help in the future instead of catching obvious stuff now. I've written a lot of unit tests that will never catch a real error because they effectively duplicate the code in a function. Either the function remains the same and the test will pass, or someone changes the function and will have to change the test, but it won't detect anything useful. I have written it because it tests some types and names, the same thing a compiler for other languages would do. If I didn't have to write that, I could spend the time writing a test which tests the boundary between two units, the places where changes to one area can cause a failure in another. I've worked on codebases where we had complete test coverage and where the tests would never do anything for us. By wasting time with tests that could be done automatically, we end up spending less time on the tests that prevent bugs later.

I also disagree about some features like inheritance. I find that well-structured types make certain design challenges much easier to get around than doing without them. Of course, Python has plenty of those features, and I use them frequently. Since I complained about Python's type system, I'll give it some praise now: one of its major strengths is the number of syntactic and structural ideas it has gathered from other languages and made available. For example, if something is best written in a functional language style, I can do that easily in Python while C makes it a pain. That is what makes Python such a good language for getting something functioning quickly; I can express what I want very quickly and accurately.

doublelayer Silver badge

Re: It's 2024

Of course it is, but the reason we use compilers is to somewhat limit the number of stupid things we can do. We could go back to times where nearly anything you typed was valid code and the computer would run it, and if it didn't do what you wanted then that was your business to find out and fix. Powerful languages get their power by making it easy to explain what you want and difficult or impossible to do certain classes of preventable errors. Having enough memory that you don't have to think about type storage doesn't change all the other things that a good type checker can do.

I like Python, and it is one of my more commonly used languages both for prototyping and for some types of production software, but if I had one complaint about it, it would be that it makes some things which, in another language, would be compile-time errors into runtime errors. Testing is often insufficient and we don't make that easier by having to write pointless manual tests that a compiler would already do.

doublelayer Silver badge

Re: "for businesses with fewer than 10 employees."

The print as a function thing has confused me for years. I came to Python after a number of other languages where print was a function, so I never understood why it shouldn't be a function there either. It's the only imperative keyword, and without the parentheses, it still works exactly like a function would. Maybe someone who minds the change could explain why it's such a problem.

Windows Format dialog waited decades for UI revamp that never came

doublelayer Silver badge

"Yes, yes it was elegant: neat, tidy, no guff, sensible, easy to use."

It is not bad, and I'll grant easy to use and compact, which are certainly in its favor. But not everything in there is sensible. For example, let's take a look at the fields.

First, we have a capacity box with only one option in it. In modern land, there's only ever one option in it. I can only guess that it's there to deal with floppy disks. Either way, I'm glad I've never had to explain to a user what that's there for. Then, we have a format box which often has only one option, but sometimes has two. More choices here would be useful. The "allocation unit size" box is something I understand, but not explained for anyone who doesn't. Those are your only parameters. We're lucky that this box can't create any complex file system because there's no place to configure extra features of one. Windows does support other filesystems, but they don't expose that to this box.

If you want something with three settings, two of which can't be changed and one of which nobody changes anyway, then writing a simple UI is pretty easy. It's when you want to have more options that it becomes difficult. For example, the nightmare that is trying to get Windows to change a partition table, because it uses a similar theoretically simple UI which is so simple that it would appear not to be able to do anything. There is a reason why I tend to boot Linux and use fdisk whenever I'm partitioning something, then create filesystems on the partitions, also from Linux, then bring the device back to Windows. That is not something that speaks in favor of those UI choices.

Time to examine the anatomy of the British Library ransomware nightmare

doublelayer Silver badge

"To me that reads like a lot of today's thinking - let's blame someone else."

Yes, that's what I meant by "blame game". People do it all the time. One of the people doing it, right now, is you. You're going to find one person who did one thing wrong and put the blame on them: "track down the person whose password allowed the initial access and fire them". I'm guessing that you work in IT, so you're nicely exempting your profession from it by finding someone else and deciding that they're responsible. In my example, I gave you lots of single people we could put the blame on.

IT person: You could have had monitoring and more security, you didn't, so it's all your fault.

Management: You could have told the IT person to have monitoring and more security measures, you didn't, it's all your fault.

Finance: You could have increased budgets for security, you didn't, it's all your fault.

Senior management: You could have approved more leeway for IT security measures, you didn't, it's all your fault.

In reality, it is at least partially the fault of all five of those people, and possibly even more. Each person probably could have done something differently. Accurately estimating the correct amount of blame would involve trying to evaluate exactly where each person failed, but it doesn't really help much. If you're going to have blame-related consequences, doing that is the fairest way. If you're willing to fire the person who initially clicked on something they shouldn't have, imagine for a moment someone barging into your office, deciding that you should have done something differently, and announcing that you're the one to be fired. You probably could have done something, after all.

doublelayer Silver badge

Re: "Too old to be safe, too expensive in time and money to replace"

You will never prevent vulnerabilities from existing. You can reduce their number by spending more time (remember that it will increase the time and slow the pace of updates, including those you want to have), but it will never be zero. But let's try this thought experiment. What was the last zero-day or vulnerability that caused a zero-click attack, i.e. one that would have happened without any user interaction and was all due to the software? How many attacks like that do you know? Many attacks aren't that simple. They often rely on a user to activate the initial vector or to leave it insecure (basic SSH or RDP access to the internet is popular), the configuration to allow them to brute force passwords or access methods, the configuration to allow their compromised tokens to access things for a long time, profiling systems to not exist. None of that is down to programmers shipping too fast, and all of it can be blamed on the administrators who could have configured it and didn't.

There are times when programmers are really at fault, but from your comment, I think you and the OP have overestimated how often this is. I am asking you again to consider how you would feel if it turns out that no vulnerability was found to be very important in this attack, but the administrator could have detected this and didn't with a different configuration, so they're the one bankrupted with penalties. If your response is "Fine with me. Let them suffer", then fair enough, we just disagree. If you think the administrators shouldn't face those consequences, then you should consider whether it's fair to have programmers face them in an analogous situation.

doublelayer Silver badge

Re: No change

You learn who to say things to. I also work in security, and that's what I say to people who work in IT or programming. They assume that I'm also doing some kind of technology security, and if they know that I'm a programmer, they can draw the lines. Say that to someone who doesn't work in tech and they either don't get it or assume you're a security guard and try to figure out why a programmer is doing that. The term they use for the entire information or technology security area is "cybersecurity". We're lucky that shortening that to "cyber" hasn't entirely caught on. Now I could try to adopt something that's really no better and get everyone to call it "computer security", educate them on why we sometimes call it infosec and try to make them do that, or use the term they know. I often choose the low-effort method that still gets communication going.

doublelayer Silver badge

Re: "Too old to be safe, too expensive in time and money to replace"

If you do that, you will certainly sometimes get the writers of the software to pay for damage caused while running their software, but you will also get a lot of something else: IT people raked over the coals and punished severely. Because if you're going to pin the blame on the writers, those writers are going to have a need to pin the blame on someone else, and there is usually something the administrators could have, and in many cases should have, done which makes it their fault. For example, maybe we blame a software writer if their code has a zero-day in it, but who gets the blame if the software had a vulnerability in it patched two months ago but the administrator didn't install the update? If you're willing to charge the programmers for any financial cost, are you willing to charge the administrator that could have but didn't install the update with the same thing? After all, if the coffee machine was not defective but the plumber installed the water line in such a way that it flooded the machine, heating the water, and collapsed in a wonderful fountain of steam, you would be blaming that plumber.

There are many situations where it's less clear, for example the programmers say the configuration was insecure, the administrators say the defaults were insecure, and they fight because neither wants to get stuck with the blame when it comes with that large a bill. So also budget for some lawyers to be involved, especially if the company who wrote the thing is large enough. They'll have a good incentive to make sure the court thinks it's your fault. Before you get too eager about finding someone who isn't you and blaming it all on them, think for a bit about whether it would be fair for someone to do the same to you. If it wouldn't, let's factor that in to the solution we propose.

doublelayer Silver badge

What personnel? Because if you try to answer that question, you will instead start up the blame game. Is it the IT person's fault because they didn't put in some security method? Is it a finance person's fault because they didn't budget for it? Is it a manager's fault because they said not to bother because that's not a priority? Or do we track down the person whose password allowed the initial access and put it all on them? In reality, most situations can be blamed partially on all of those people: the manager said it wasn't a priority, but because the IT person explained it badly to them and because the finance person wouldn't pay for the staff or systems required, the finance person couldn't pay for that because the budget was set by senior management who didn't allocate anything because they didn't get told about the issue from the first manager, the IT person didn't build something out of the pieces available to them but because they weren't given the time, and the user entered their password on a phishing site, but wouldn't have done so if the IT people had put in a better email filter or more phishing training, and anyway that initial password wouldn't have allowed the attacker full access if the IT people had more inter-system security methods, which they didn't have because the finance person wouldn't pay for hardware, and they didn't build in software because the manager didn't give them enough time, because ...

doublelayer Silver badge

No, it really wasn't. It was a major failure of systemic accuracy. Integrity and accuracy are completely different aspects of a system and have different effects when lost.

Street newspaper appears to have Big Issue with Qilin ransomware gang

doublelayer Silver badge

Re: What is the purpose?

The model of letting someone else get initial access and then just deploy your ransomware could be responsible. If there is someone who wants to get some ransoms but isn't capable of getting into anything with even mild protections on it, they may have been the one to select some low-hanging fruit because they could get into it and they didn't really think about the likelihood of getting anything out of it. Having done so, the software worked just as well as it would anywhere else and the organization responsible for collecting ransoms figured that they've already attacked this thing, so might as well try to get some money for it even if it's small.

Uncle Sam's had it up to here with 'unforgivable' SQL injection flaws

doublelayer Silver badge

Re: SQL is the problem

"ADD B TO C" is fine. What we write now, c += b or c = c+b is no different semantically. The syntactic difference is unimportant. The problem is not with syntax that looks like English. The problem of injection is not unique to SQL or a language that looks like English, but is present in any language that can parse a generated string as code. Perl is notorious for this, because few Perl programs, at least the old ones when Perl was more popular, didn't use the eval function somewhere.

I wrote a comment in another thread above this one about why I think that SQL needs to look like it does here and accept a string query, because attempting to construct complex queries using a more traditional programming language either makes the code unreadable or makes the programmer do the work for the database (i.e. instead of running one query, running multiple ones and handling the intermediate stages manually). A language that looked like SQL but enforced parameterization could avoid the injection risks. One that looked more like code but didn't enforce them would be as vulnerable. One that looked like code and did enforce them could end up fixing the injection risk in such an ugly way that nobody used it.

doublelayer Silver badge

Re: Coders vs Developers

Effectively, this requires them to completely change their interfaces in a way that makes them less flexible. Libraries that make it easy for you to parameterize a query are still turning it into a string when they send it to the engine, they're just doing it better than you would on your own. There are three reasons why database engines won't make that change:

1. Writing parsers becomes much harder. Consider all the possible parameters to a statement as simple as select. You can sort in a variety of ways, you can select from multiple things and combine them, you can use one statement to filter them. Now write a function contract in C that can do all the same things. What parameters do you need to take if the query might reference multiple tables? What parameters do you need to take to expose all of the internal functions of the database and construct a function that can be used to sort them? Your function is going to be huge. It is easy enough to handle this in the database because it can be split into subcommands with temporary storage for intermediate results, but the point of the database is that your users shouldn't have to do it themselves.

2. If you don't take a string or some other portable query syntax, then you have to write programmatic interfaces in every language. Most popular database engines have libraries for many popular languages already, but we also know that, if it really comes down to it, we can write a basic communication method to get bytes into the database server process and use a database in any language we like. If you use a more complex expression syntax, the library that executes queries becomes much more complex. A user who uses a language that isn't supported no longer has a hope of quickly writing one, and unofficial libraries are likely to have trouble keeping up with additions to the syntax.

3. The method has existed for a long time and inertia is hard to fight. There are newer database engines that do what you say, but it won't be easy to convince everyone to dump SQL and adopt one of them with its unfamiliar syntax and incompatible behavior as the new standard, porting all applications that used it over.

doublelayer Silver badge

Re: Coders vs Developers

"How does SQL injection work with modern code?"

Nothing will ever stop you from submitting just one string. They don't parse to see if you're passing something that looks like a value and insist you parameterize it. This means that, if someone either doesn't know or doesn't think to parameterize, they can still build an expression as a string and that expression is still vulnerable. Most likely, you're just not seeing as much of it because the number of databases out there is massive and a lot of programmers were told not to build expressions that way and remembered it. Sadly, that doesn't mean everyone was taught that, so it still happens year after year.
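The point made across the three SQL comments above, that a driver will happily accept one concatenated string and that parameterisation is what keeps user input from being parsed as SQL, as an added example that is not code from any of the comments. It uses Python's `sqlite3` on an in-memory database with constructed sample rows; the table name, column names and the `example` values are all assumptions. It also covers the caveat from the "Coders vs Developers" post that sort columns cannot be bound as parameters: identifiers have to be allowlisted instead.

```python
"""String-built SQL beside its parameterised form, plus the identifier case."""
import sqlite3
from typing import List, Tuple

# Constructed sample data; nothing here comes from a real system.
SAMPLE_ROWS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Vulnerable: the value is spliced into the statement text, so the engine
    # parses whatever the caller supplied as part of the query.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Parameterised: the statement text is a constant and the value travels
    # separately, so it is compared as data and never parsed as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers (table and column names) cannot be bound as parameters, so a
# user-chosen sort column has to be checked against a fixed allowlist.
SORTABLE_COLUMNS = {"name", "role", "id"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> List[Tuple[str, str]]:
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"refusing to sort by unknown column {column!r}")
    # Safe only because `column` was just proven to be one of our own literals.
    return conn.execute(f"SELECT name, role FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    # A value containing a quote: the unsafe version lets it change the WHERE clause.
    odd_name = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, odd_name))  # every row comes back
    print("safe:  ", find_user_safe(db, odd_name))    # [] (no such user)
```

The unsafe function returns every row for the quoted value because the engine sees a different query; the safe one returns nothing because it looked for a user literally named that. The sort helper shows the part that binding does not solve: once an identifier rather than a value is variable, the only defence is to compare it against names you wrote yourself.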

Chrome for Windows-Arm laptops officially lands in time for Snapdragon X Elite kit

doublelayer Silver badge

Re: Microsoft only dropped Alpha support

I'm not really sure what that proves other than that Microsoft is quicker to drop support. The hypothetical of what would have happened had Alpha remained in production and being purchased is the better one, but we don't know whether Microsoft would have kept it, whether people would have bought it, or any of the questions relevant to the ARM situation today. Windows on Alpha and Itanium were already weak because people weren't buying the machines with those chips in them. You can't really blame Windows for Itanium's failure when Linux shops weren't buying Itanium boxes in droves either.

doublelayer Silver badge

Re: The x86 layer hasn't skipped [a] beat

It depends how often you have to use it. If most of your tools are compiled for ARM, then you will be efficient most of the time and the emulation is there when you need to run something that wasn't compiled for it. The trouble comes if most of what you want to do hasn't been compiled over and you spend most of your days in emulation. For people who use niche tools, it's probably not ready. For the average office computer where a word processor, email client, and browser are needed, you can likely find ARM versions of all those things. Definitely if you're using Office for those, but Firefox and LibreOffice have Windows on ARM ports as well. I don't have one, but I think it has avoided the reasons why I told people not to consider earlier attempts. The Windows RT devices may have looked like Windows, and there was some Windows source code in there, but they didn't have compatibility with anything Windows had. The current version does have that, and from what I've heard from people who use it, it works pretty well.

As AI booms, land near nuclear power plants becomes hot real estate

doublelayer Silver badge

Re: Anticipating grid failure is more like it..

I haven't worked in the electric power industry, but I would guess that they get two advantages by being close. First, they get to avoid paying transmission costs, including any cost for adding more grid capacity for their large set of usage. If the existing grid couldn't handle their relatively large load being added, they'd probably have to pay most or all of the costs to upgrade it. Second, if there is a grid problem, their datacenter would continue operating. That failure doesn't have to be long-lasting. If they've sold their capacity on an SLA that becomes costly if the systems lose power, then they might want to avoid what, to a residential user, might be an annoying but acceptable outage. By locating close to a plant, they can probably get away with a lot less generator capacity than a normal grid-fed DC.

Over 170K users caught up in poisoned Python package ruse

doublelayer Silver badge

Re: Python, eh?

In this example, it wasn't PyPI that had a problem. It was the package that was instructed to retrieve code from somewhere else, download it, and run it. Nobody broke into PyPI to submit a poisoned package; they broke into someone's GitHub to make a real package poisoned. The important part is that, unlike previous attacks which have indeed used PyPI, this could have been done to any project using any language as long as somewhere in the build system accepted a dependency's URL. They picked a Python package in this case, but that wasn't required for this to work.
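A check for the condition this post singles out, a build that accepts a dependency's URL, as an added example that is not code from the comment or from any project mentioned. It scans a pip-style requirements file and reports lines that fetch from an arbitrary location (direct URLs, VCS references, editable installs, index redirection) or that pin a version without a hash, so a replaced upstream artifact would install silently. The sample file is constructed, and `example.invalid` is a reserved placeholder host. This covers only what the installer is told to fetch; a dependency's own install-time scripts are a separate layer.

```python
"""Flag remote-source and unhashed lines in a pip requirements file."""
import re
from typing import Iterator, List, Tuple

# Constructed sample requirements file (not from any real project).
SAMPLE_REQUIREMENTS = """\
# pinned and hashed: the installer verifies the artifact before unpacking it
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
# pinned but unhashed: a replaced upstream artifact would install silently
urllib3==2.2.1
# direct URL reference: whatever is at that address today gets installed
somelib @ https://example.invalid/downloads/somelib-1.0.tar.gz
# VCS reference: tracks a branch, so a compromised repo becomes your dependency
git+https://example.invalid/org/tool.git@main#egg=tool
# editable VCS install
-e git+https://example.invalid/org/other.git#egg=other
# index redirection: every unpinned name now resolves against that server
--extra-index-url https://example.invalid/simple
"""

# Checked in order; the first match wins.
REMOTE_PATTERNS = [
    (re.compile(r"^-e\s+|^--editable\s+"), "editable install"),
    (re.compile(r"^(git|hg|svn|bzr)\+", re.I), "VCS source"),
    (re.compile(r"^[A-Za-z0-9._-]+\s*@\s*\S+://"), "direct URL reference"),
    (re.compile(r"^\S+://"), "bare URL"),
    (re.compile(r"^(-i|-f|--index-url|--extra-index-url|--find-links)\b"), "index/source redirection"),
    (re.compile(r"^(-r|-c|--requirement|--constraint)\b"), "includes another file (scan it too)"),
]

# pip treats '#' as a comment only at line start or after whitespace, so the
# '#egg=' fragment of a VCS URL survives this.
_COMMENT = re.compile(r"(^|\s+)#.*$")


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_line_no, joined_text), honouring backslash continuations."""
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not buf:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def scan_requirements(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, line, reason) for every line worth a reviewer's attention."""
    findings = []
    for lineno, logical in _logical_lines(text):
        line = _COMMENT.sub("", logical).strip()
        if not line:
            continue
        for pattern, reason in REMOTE_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, line, reason))
                break
        else:
            if "==" in line and "--hash=" not in line:
                findings.append((lineno, line, "pinned without hash"))
            elif "==" not in line:
                findings.append((lineno, line, "unpinned"))
    return findings


def has_remote_sources(text: str) -> bool:
    """True if any line lets the build fetch code from a location it names itself."""
    weak = {"pinned without hash", "unpinned"}
    return any(reason not in weak for _, _, reason in scan_requirements(text))


if __name__ == "__main__":
    for lineno, line, reason in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {reason}: {line}")
```

Run against the sample, the scanner leaves the hashed `requests` pin alone and reports the other five lines. In a pipeline the useful gate is `has_remote_sources`: fail the build when it is true, and separately require `--hash=` on every pin so that a tampered artifact is rejected by the installer rather than discovered afterwards.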

That Asian meal you eat on holidays could launder money for North Korea

doublelayer Silver badge

I can't back which claims with evidence? That they threaten anyone they let out of the country? Does testimony from escaped ambassadors and tech workers count? You can find that. But if you will dismiss this all as state department propaganda, then there's nothing I can do. Do you want to try convincing us with evidence of your own? If I can't back up anything I say with evidence, then surely that means you can? You could, for example, find me an interview with a North Korean who didn't either escape their country which wants to imprison them or is working for them right now? I can find you interviews with plenty of migrants, with legal documentation or not, from almost every country, but you tend not to find North Koreans who voluntarily left their country, were allowed to do so, and are willing to talk about it.

doublelayer Silver badge

Re: Wait, who sells them the weapons?

True, and it already works that way. However, if most countries and companies will not sell you the parts, it means the markup on those parts is pretty high, which means that there is an incentive for the person who is willing to break those sanctions and find the parts anyway. If I make chips that could be used in missiles for $10 apiece but refuse to sell them, and North Korea is willing to buy them for $60 each, then a company has a $50 per unit ability to cover any costs involved in getting them out of my control and into North Korea's. If they are general purpose chips, this can be pretty easy. If they're restricted technology that has to be obtained from one of a few people I'm willing to sell to, then it's harder, which increases the price even further.

The more cash North Korea has on them, the more their ability to pay those increased margins. You'd hope that, at some point, they would decide that more nuclear weapons they don't really need isn't worth the price, but if they thought that way, they probably would have stopped making them at least a decade ago. For other weapons systems, they have plenty of people who want to pay them to manufacture them. North Korea has been making and selling weapons as one of their major export industries for decades, and they've been making some advancements. Russia wants a bunch of cheap and modern missiles, and North Korea has a bunch of really cheap labor and factories built for missile manufacture, so if they can connect Russia's money and modern missile components, they can get them.

doublelayer Silver badge

"The world is full of workers from the global south working, possibly undocumented, in the global north and sending remittances home."

The difference, as you well know, is that people sending remittances home to other countries are sending it to their families or friends. North Koreans abroad are working for their government and passing the money to them directly, and their families will get little or none of it (none by official policy, but they probably find some ways to sneak in a bit). We also know that North Korea's government budgets are a bit slanted toward military expenditures and against everything else; in fact, they've put a nice name on it. The people working in other countries are not individual agents taking a risk for economic reward. They are slaves held in check by actions North Korea has been using for decades: threatening and punishing families and friends for any infraction and closely monitoring everybody. There is a difference, and we all know it.

doublelayer Silver badge

Re: A waste of time syndicating that here.

"You can take any regime down for less than $20m in a couple of months."

I'll take that recipe, please. How much more to put up a regime that I like, not a chaotic wasteland of suffering people?

doublelayer Silver badge

I think they're more likely intended for North Korean agents who get cash so they can claim the cash as business income, not for the lucrative market of people who want lunch, but you have to give someone lunch or you can't convincingly claim to be a restaurant.

Woz calls out US lawmakers for TikTok ban: 'I don’t like the hypocrisy'

doublelayer Silver badge

That is not what I said. What I said was that, in my limited experience, I don't know people who would. It is like asking "Why do people complain about others eating meat but then go hunting?". I know some people who do happily kill and eat animals, and I know some people that disapprove of people eating meat and will complain about it to anyone who does, but those are not the same people. In order to demonstrate hypocrisy, they have to be the same people. Otherwise, it's just different people doing different things. In my experience, the people who complain about any access by the government are not the same people who will post anything on social media. Maybe your experience differs from mine, but what I am saying is more complex than "I wouldn't post that, so they don't".

doublelayer Silver badge

Re: Risk/Reward.

Thank you. I think I better understand what you're saying now. The reason why I was talking about the ease or difficulty in looking up a phone number is that it affects how I feel about having to give it to somebody. For example, I don't have a problem giving my phone number on a government form, nor do I know many who would. I was trying to find out a type of data that someone would provide easily but would complain a lot about providing to the government, which is central to the question you brought up. In my experience, people who readily give that information don't have a problem readily giving it to the government, and those who complain most vociferously when it's the government asking tend to complain when others ask for it as well, but this appears not to match your experience. Yes, there are people who are ridiculously conspiracy-minded whenever the government does anything and people who will give away any private information, but they tend to be different people, not one person doing both of them.

doublelayer Silver badge

I have, and I've seen two categories that fit with the idea, but don't work with the question:

Group 1: Are happy to give out any piece of personal information, no matter how much I wince when they've done it. These are people who would post a live view out of their doorbell camera and, if I ask why, they will say something stupid like "it'll help make sure my house is safe". These people will definitely put lots of personal information on social media, but they'll also give it to the government. Point out that the police have extra access to that camera and they'll say "I have nothing to hide".

Group 2: Paranoid, kind of like me or even worse. They'll keep lots of data private. If they're asked for it, even when it has a purpose, they'll think for a while about whether they have to or if they can find a way around providing it. This applies to the government, but it also applies to social media.

What I don't see too much of is group 3, the one that happily puts data on social media but refuses to give it to the government. Now I have seen a similar group of people who are avid users of social media and weirdly panicky about the government doing ... something (if they explain it, it sounds crazy, so often they go for vague). But those people don't tend to dump tons of data up there, at least not intentionally, because they think the NSA is collecting it (which they probably are because hard drives are cheap) and using it against them (which they're definitely not doing because these people are not interesting). The question asked in the original comment relies on people being angry about giving a certain piece of information to the government but accepting giving the same piece to social media. General attitudes being more positive to social media than the government don't fit that question unless the information being provided is the same.

doublelayer Silver badge

Re: Risk/Reward.

You're eventually going to have to explain the things instead of saying "whoosh". Because one of two things is going on here:

1. I'm an idiot, and I'm going to continue being annoying until you explain your meaning in simple words that my walnut-sized brain can understand, even though your original comment was rather clear already.

2. We actually do understand what you're saying, but our responses are not to your liking and you choose not to make a meaningful response.

In many cases where I see "whoosh", it means that the original comment was sarcastic, and someone missed it. So if I try to interpret your comment in that way, then maybe you were saying that a phone number isn't sensitive information because phone directories exist, so it doesn't matter that people willingly post it on social media? That doesn't sound like what you were saying, but your comment didn't seem that sarcastic. Otherwise, their point about how public a phone number is is relevant to the discussion. You can tell us what you meant. My walnut is ready.

doublelayer Silver badge

Sorry, but I'm not sure you read or understood my comment. For example, the "muh freedumb" thing you talked about: I didn't say anything about freedoms, lack of freedoms, or governmental overreach. Not one single thing. What I said was that I don't know what information people would be angry about giving to the government but happy about giving to Facebook. If you see an argument about freedoms in my comment, I'd be very curious to see what led you there, because I didn't intend it.

I asked for examples, and you've provided one. Let's consider it. I don't know people who would be angry to put their phone number on a government form, assuming they're not already angry about having to fill out the form itself. I know a lot of people who would not put it on social media, exactly for the reasons you say: it's public when they have it, it's not when the government has it, and the government already knows it. However, as data goes, this is one of the less sensitive pieces of it. I've had my phone number for many years now, and since I'm able to port it around to different providers, it's likely to be mine for the rest of my life. I've had plenty of places who I've given it to, either because they actually needed it to contact me or because they demanded it and I couldn't do what I wanted or needed to do without them having it. This includes various government services, and I didn't mind them having it. This means that, almost certainly, my phone number and name are associated in nearly any dataset that can be purchased and likely in plenty of free ones to be found online. I have little hope of my phone number remaining truly anonymous, so I must factor that into how sensitively I'm going to protect it. I still wouldn't hand it out to anyone who asks, but I don't protect it the way I do more sensitive pieces of information.

The kind of thing that I don't want to give to governments are things like passwords to online accounts, private keys, and the like. Mostly, they are things I don't have to, although various ones suggest collecting them from time to time. I would not give any of those to social media either, and I think that, although there are a few people who would be stupid enough to fill in the form "The password to your email account here", it's a rather small set compared to those who are willing to give their phone number except for authentication and communication, which is a small set compared to those who use the services at all. Maybe you think of phone numbers differently than I do, but if you agree about its sensitivity, is that your only example?

doublelayer Silver badge

That might be convincing if I could think of anyone who actually would. Yes, I know that some people are stupid enough to put some kinds of semisensitive information in a form, but I don't think there are many, if any, who will put something like their passport number into a form just because there's a box for it. Probably the most sensitive thing I can see someone actually putting there is their mailing address, which I wouldn't do and will probably lead to spam, but it's not as bad as some things. What specific information do you think people will be angry about telling the government but willing to put into a Facebook form? I can't think of anything.

Twitter's lawsuit against anti-hate-speech crusaders gets SLAPPed out of court

doublelayer Silver badge

Re: Careful here.

They don't have a master control panel that can shut off ad revenue, not that I have any ad revenue to be cut off anyway. Still, they can only cut it off by going to advertisers and telling them things that make them want to cut it off voluntarily, and they individually have to be convinced. Twitter still has some advertisers. The important part here is that, if they don't have anything convincing to tell them, then the advertisers don't have any reason to stop advertising. It only worked because what they were able to show advertisers is something the advertisers didn't want to see enough that they choose to stop buying advertising space. The organization may have helped to shine a light on that, but without that light, it would still have been going on, and advertisers were already leaving as a result anyway.

Debate is not stifled by someone pointing out facts. If you want to accuse someone, accuse the advertisers; they made the actual decision not to spend when they were free to ignore any reports written, and if they had, nobody would notice much. Those advertisers have free speech, including the right not to advertise. No debate stifled, nothing untoward happening. There are some forms of harassment that do occur and are dangerous. This isn't it.

Beijing issues list of approved CPUs – with no Intel or AMD

doublelayer Silver badge

Re: We should be worried

I don't think that will be the conversation. Windows licenses are pretty cheap. It will take a lot of changes before that answer is anything along the lines of the real one:

"Why are China so much cheaper?" "They can pay people really low and work them for 72 hours a week on normal weeks. Ah, can we do that too? Maybe open up a Chinese office and do work there? What other countries can we do that in?"

Uncle Sam, 15 US states launch antitrust war on Apple

doublelayer Silver badge

"As for "makes it tough to dump iOS for rivals", isn't that pretty much how MS operates with their Office suite?"

Not really. I had Word and Excel, and I generated documents with both of them. I then decided that I didn't really need them, so my next computer didn't get them. I installed LibreOffice instead. I simply opened the same files with that and used that software instead. It handled them fine.

And no, if you find a file that opens correctly in Office and doesn't in LibreOffice, that doesn't mean that it's Microsoft's fault, because I do have one file that didn't work correctly in LibreOffice. That particular file had been generated by a different version of LibreOffice. Sometimes, it's not Microsoft's fault.

If you have a different kind of lock-in in mind, I'm willing to hear what you're thinking.

doublelayer Silver badge

Re: Freedoms?

No, you can have a closed OS. You start with either OS, and you don't flip any of the switches that open it up. You'll know them because they're the ones buried at least two levels deep in the settings where, if you try to flip them, you get a warning screen. Voila, closed OS for you. If you don't want to install something from outside the manufacturer's store, then don't install anything from outside the manufacturer's store. It's really quite easy.

Redis tightens its license terms, pleasing basically no one

doublelayer Silver badge

Re: So why the controversy

I don't think it is. Patents are applicable to any industry, and encrypted code is a technique that can be used in anything. The SSPL's fields of endeavor thing is more obvious, because it specifically mentions SaaS providers as having different terms to anyone else, but the GPL doesn't have different rules for encrypted code depending on what you're using it for, so the same terms apply to all people.

doublelayer Silver badge

Re: So why the controversy

Mostly because linking into GPL is something programmers choose to do. There are two important elements to this which I will take separately:

1. Programmers, not users. The SSPL comes into effect when you run the software on a computer if you use it for a certain purpose. The GPL does not care when you run it or why you did it. In fact, you are perfectly free to include the GPL software in your software as long as you don't distribute it, i.e. to use it internally. You don't need to educate anyone putting the software to use on what the license means. You only need to tell programmers that might modify or use it in their own software what it means. They have probably seen open source before, so they already understand what restrictions apply to them.

2. Choose to do, rather than find that they've done: If you choose a GPLed dependency, you know you did that. When you pick something off of GitHub, you know that you'll have to read the license because it can be something proprietary that you are not allowed to use, so you know when the terms apply. You can understand the conditions on what this applies to, because it's anything you're linking this with, so you know what you have to put under GPL if you go ahead. With SSPL, neither applies. You may not know whether you are in the set of users that have to put software under a certain source, especially because all you did was install it on a server. If you decide that you are one of the group that has to do that, you don't know what comprises all the software the SSPL is demanding, and it's mostly going to be unrelated stuff written by other people (which you couldn't put under the SSPL anyway). Unlike the programmer and their own code base, it's the user trying to list all the pieces of software that come under a nonspecific category, which the average nontechnical person, even a Linux user, has no hope of doing. Even the most familiar person will have to spend a long time sorting things in and out of the list.

Many of us who care put some importance on the Open Source Definition. The GPL meets this definition. The SSPL specifically violates this part of it:

9. License Must Not Restrict Other Software

The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open source software.

It also violates, both in letter and in spirit, this part:

6. No Discrimination Against Fields of Endeavor

The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

This is what I care about and the reason why the SSPL is not open source.

doublelayer Silver badge

Re: So why the controversy

The GPL requires you to distribute your modifications to the software under the same terms. The SSPL requires you to distribute basically every bit of software you run on the same computer under the same terms. The GPL can be complied with, you just might not want to. The SSPL is intentionally written to be essentially impossible to comply with. It's not just that your entire cloud service software stack has to be SSPL-licensed. That would be bad enough, but it is theoretically possible. The dependencies, the software you got from other sources, and depending on where someone tries to draw the line, system firmware, would have to be licensed as well. It is intentionally written so that buying the proprietary alternative is the only choice that is feasible.

doublelayer Silver badge

Re: Guess they spotted their mistake

No, I don't expect people to understand that, especially when they react as if free speech is somehow a lesser thing. The freedoms available with free software are more than just not paying for the software. Yes, you can make me pay for a copy, but the freedoms that Stallman advocated for, and he was the one who popularized that phrase, mean that I am within my rights to give copies to anyone I like, I can do it for free, or I can charge them and not give you any of the money. That's a core part of the freedoms: the freedom to distribute. He often made the distinction to clear up the situation for people who understood it as "software for free" and got it mixed up with what we call "freeware" (i.e. here's a binary, you pay me nothing, what do you mean source code). Requiring people to buy it from you so you're compensated for the work is not what he was talking about there.

doublelayer Silver badge

Re: "Software is only open source if the OSI says it is"

"We need licenses that say "use this if you will keep it free but if you make money you must give us a percentage.""

There are many and you can easily write another one. Don't be surprised when it doesn't count as open source. I'm not just referring to the OSI, because I don't see the OSI as a perfect judge of such things. I value their definition (https://opensource.org/osd) more highly, and I can evaluate by reading the license whether it meets the definition, kind of might meet the definition, or definitely doesn't meet the definition. The "pay us if you make money" bit is very contrary to parts 1 and 6 and can be and likely is contrary to parts 3, 7, and 8. Specific licenses, such as the SSPL, are also contrary to part 9, intentionally so, so they can claim not to be proprietary.

This is important to me and may be to others. If you don't want to be free or open, don't be. There is nothing morally wrong with proprietary software. Many proprietary databases exist, and there is no harm in making your business on selling another one. Oracle seems to make plenty of money doing it. The reason I use an open database, most of the time anyway, is because I want to avoid having to deal with the licensing disaster. For instance, I have many Postgres installations. Sometimes, it's because I really want to use one of the many features that Postgres has and other databases don't, but sometimes, I just want a database where nobody will ask to audit my licenses or exactly what I'm using it for and if that's commercial or not. When I write code, I decide when I've done that whether I want to sell it, in which case I don't release it or I put restrictions on the license, or whether I'm comfortable giving it away with the knowledge that I will likely not be able to sell it. I can try to sell support, and that will work on larger projects, but it is not guaranteed. If you want to sell it, go and sell it. Just don't pretend you're not.

Apple iPhone AI to be powered by Baidu in China, maybe

doublelayer Silver badge

Re: I assume because Chinese law

"At least China is smart enough to regulate its own AIs,"

If China's regulation actually did anything useful, that might be a convincing argument. It accomplishes two things:

1. The AIs are less likely to tell you anything the government wanted you not to hear enough to check for it.

2. It means the Chinese government gets to approve or deny AI models for any reason or no reason, so they can control any company trying to make them.

Crucially, it doesn't ensure that the models are accurate, or good at their jobs, or not dangerous to the user, or not going to make certain crimes very easy, or anything that we actually want to prevent. Whether you can do that at all is not a certain question, but China's regulation is not doing it.

I also don't think it's fair to say that countries other than China are not smart enough to regulate; the EU, UN, US, and various individual countries have talked about or actually passed regulations, but they don't know what exactly those regulations should be and what they've done tends to be nearly or entirely useless. If you can come up with a regulatory idea that would work, they already have an appetite for regulating it, so it would be pretty easy to get them to adopt your better set of rules. If you've got one, I'm all ears, because I don't have one.