Posts by doublelayer

Re: License fees should be due

Yes, which is as it should be. I've written a book. Do you want to train your LLM on it? Here's the price. You may well feel that what I'm asking for is not worth the value of using that book in the training data. This gives you two options: negotiate to lower the fee or leave the book out of the training data. Both are completely viable. A lot of creators will likely accept the use at a relatively low license fee. Those who do not won't be so crucial that developing an LLM is impossible without their books in the training set.

If you disagree, then we should simply require that OpenAI give us full access to their model immediately when they've created it. That will conclusively prevent them from using the books in their training set, because it will then be impossible for them to make any money from their model when everyone has it for free, so they won't make one. If they deserve money for their product, the authors making the training data do too.

Re: Begging the question

If you have a memory that can accurately record copyrighted works, and you use it to reproduce them, that's not allowed and they can take you to court and win.

Re: Begging the question

"Well, does AI training?"

Yes.

"the ultimate end product, that is, the ML model, doesn't store of the ingested data"

Yes, it does. Hence why verbatim copies tend to get spit back out, and why they've had to build rules to look for and deliberately prevent it from showing it to you. It's in there.

"(barring effects like overfitting, which are not intended to begin with)."

Why their production models contain the data isn't really the important part. Whether they wanted that or got it by mistake, they obtained it without permission and despite it being illegal, used it without permission and despite it being unauthorized, and store it without permission and over the protests of those who could give them that right.

"Does a browsers cache (which can store images for days or even weeks depending on what the header says) count as an illicit copy of copyrighted material? What about the caching mechanisms of proxies, VPNs, ...?"

If it is being used for a commercial purpose, which the LLMs are and the caches aren't, then it becomes much more obvious. I think the law could be improved to clarify that caches don't qualify as infringement, but it's a completely different issue than this. The data isn't being stored temporarily in the service of some other operation. It is being stored permanently in a lot of locations with the deliberate goal of having access to use it. They are not similar. I think you knew this already. I wonder why you tried making that comparison.

Re: use of interstate commerce facilities in the commission of a murder-for-hire

If everything was in one state, the interstate charge would not apply and it would just be a murder case. This is a federal charge that adds to, not replaces, any other charges at the state level. In addition, if he was in New York at the time but the exchange or bank involved wasn't, the interstate charge still applies.

Re: Why not have cloud.gov.uk ?

Again, I don't know how useful that point of contact is. I do know, from experience, that they do have those points of contact and that initial messages get responses. Fortunately, as a programmer, I've rarely had to get any more connected than that. I am responsible for making sure that the cloud bills shouldn't be very high. Once I've done that, making sure they send us the right bill is someone else's job, so if any interaction is needed, they do it. Maybe the communication will still be fragmentary, but it won't be a forum topic alone.

Re: Terraform

When it became popular, Terraform was open source, so you couldn't get that locked in, and now you'd probably use OpenTofu instead. In both cases, the software runs on your equipment by default, meaning that you're not locked in to any particular external provider to keep information about your system state. Most deployments I've seen store that data in the cloud somewhere, but that is a cloud location of your choosing, under your control, and not under Hashicorp's control (maybe they have a managed version, but I've never seen it).

Re: Why stop at cloud?

I think my view is based on a narrower definition of lock in. Some of those, including licensing, sunk investment, and integration I file under lock in. Feature parity, on the other hand, doesn't really count for me. If you use a program because it has a feature you want and others don't, that's not lock in, that's a product being better for your use case. I count something as lock in if you would prefer to use something else but it is either impossible or impractical because of your previous use of the first option.

Re: Why not have cloud.gov.uk ?

If you buy enough stuff from them, you move from the basic customer to one who does get specific contacts and priority support. I can't promise that those things are as good as they sound, but I can virtually guarantee that, if the UK government buys a lot of services from AWS, they have someone at AWS they can complain to and get responses from quickly.

Re: Why stop at cloud?

I don't think all of those have the same lock-in potential.

Operating system: I'll grant there is a tendency to rely on software which doesn't support all ones, but that's more on the writers of software who choose not to make builds for other OSes than on Microsoft or Apple. You can always install another one, and they don't prevent it from doing what you want.

Office: Not really. The file formats are understood by other applications. When I stopped having Microsoft Office and started having LibreOffice, there was little change for me and no change for anyone I interacted with because I could still open their Office-generated files and send them ones they could open. I know that complex spreadsheets can be an exception to this, but that affects a smaller proportion of users and is something they can try to resolve by considering other programs, one of which probably supports them better than LibreOffice Calc.

Email: Moving email suppliers can be tricky, and it's one that fits somewhat better, but it's also where the protocol should make it straightforward if you control the important things like the domain and the configuration. Porting from one supplier becomes more work, but not one that will cause chaos for users if you do it right.

Teams: There are lots of videoconference programs out there. Many of my employers have picked a non-Teams option. It doesn't have that much lock-in potential, especially as multiple such programs can be installed simultaneously, making it possible to gradually switch over.

Re: Maybe follow the well trod road ...

"And make sure that some of that 'paid for' goes back to the original developer/s, although they would not be responsible for maintaining the software at 'ISO' level (or whatever it's called)."

If they're not responsible for doing that, I'm not sure who will be. Maybe you can get enough people to pay them so they agree to be responsible for it, but if you can't, then it likely won't get done. A separate group of people certifying software is not likely to have the knowledge necessary to actually know whether the code has been compromised. This is especially true if they have to certify every package on a Linux system, as they would have to if they're going to catch things like this. That is a lot of packages.

The logic for having them be one set of people is that the developers know what the system needs to have on it since it's running their code, so they can make changes faster. The logic for having them be separate groups is that those who specialized in administration know things developers don't know which turn out to be important to the health of the system. Both arguments have some good points, but taken to their extremes, don't produce the obvious better results their adherents hope for.

Take this as an example. Sysadmins wouldn't, just by being sysadmins, recognize this vulnerability in XZ. The people who spotted it were programmers reading its code, not admins installing the thing. Alleging that having a sysadmin running the server instead of combining that role with a developer would prevent the class of problems is overoptimism.

Re: All the above suggestions about standardising council software are good, but

"Whatever happened to the old way of doing things? - I'll pay the bill when it works."

Some people realized that it was a recipe for not being paid at all because the software did what you asked for, not what you actually needed. Those people put in a contract saying you'd pay when they implemented your design, whether you decided changes were needed or not was being a separate matter. Then someone else realized that, if people signed that, they could make the contract even more lax and get paid in a lot of situations. The first is logical. The second could use some people pushing back against it.

Re: Problems and solutions not welcome

I do, and it's a problem, but I also see the opposite which is also a problem. For example, having a computer take a paper form and transfer it between different mailboxes, just like the original paper forms did. You could probably do things a lot more efficiently by having the computer read the form and use the contained information to decide how to direct it, but the original process says that Dave does that, so we just send everything to Dave and wait for him to send them. If we automated that part of the job, Dave could probably do a lot more of the tasks that actually require some thinking, but by not touching the process, we're not saving the time we could. The best approach is to frequently consider changing the process, and keep in mind all available tools when you do, but only actually change it when the change will or is believed to make a real improvement, then check whether it has. That's a lot more work than assuming that someone, whether it's the software writers or the people running the original process, will be much better if only the other group conforms exactly to what they want to do, so people don't always want to do it.

Re: Problems and solutions not welcome

A lot of those customized machines are really just customized machines with wheels. The casing and the engine may be trucklike, but the important part that makes them different are the machines in the middle. There's a reason why you don't just buy a harvester and plop it on a truck.

Their point was that, when you want a vehicle to move something, you often choose between the general purpose options on offer rather than trying to make a custom one. If you succeed, the custom one might be a bit more efficient and maintainable, but it will be more expensive because it's only customized for you and you will have waited a long time for it to come around. Unless you need something that the general purpose options don't do, you will probably be better off with one of those instead. At times, it might be necessary to change a process so that you don't have to spend a lot of resources making tools that are otherwise useless.

Re: Problems and solutions not welcome

Those companies mainly exist because they have the ability to provide something based on a design that sort of looks acceptable and technically isn't broken, then charge for each change so that it actually becomes a little useful. Their business is based on those who need the software not being able to plan out exactly what they need and describe it accurately enough that they get what they need, and from having frequent enough changes that there's always someone around who needs them to build a new one. Some of the tools they have could be handy, but they'll still need to design something that's likely to do a lot of things for a long time, which current projects sometimes say they're doing but don't always accomplish because the design doesn't allow for it and neither the seller nor the buyer makes sure it happens.

Re: The Hyperscalers are forcing this

Of course. Who can forget evil AWS taking all of Terraform to -- sorry, what, they use Cloud Formation instead and want people to use that, grudgingly accepting Terraform? I meant it's evil Microsoft with their -- they have one too? Well, where's my evil company I can point at and say that everything is your fault? The people who ignore all of open source in the search for money? I think the best candidate in this situation is... Hashicorp. They're the ones that took the work of contributors, without paying them, and incorporated it in a version that they sell for money, then blocked those contributors from using their own code* if they competed with Hashicorp, as determined by Hashicorp's lawyers.

* Unless they forked before the license change, which effectively means using OpenTofu because they don't want to maintain a ton of forks.

Re: Run linux they said...

I think you're both wrong. They're wrong when they claim that easy modification makes open source worse. You're wrong when you say this:

"Oh please. Ever hear of Hex-Rays and similar tools? Any person or team with the level of skill needed to pull this off could just as easily change a small bit of assembler in some commercial binary and try to poison the well, in fact it would probably be easier since white hats in general aren't decompiling gigabytes of commercial binaries on a regular basis."

No, that wouldn't be enough. That gets your exploit in. It is not as easy as putting it in as source code, but you can definitely do it. Now you have a poisoned binary and you do what with it? Unless you somehow manage to replace the canonical one with yours, it's not getting installed everywhere. I can make a poisoned version of Windows, but if I can't put it on Microsoft's servers, it's not getting installed for the general public. This attack had the chance of working because and only because they got their backdoor into the canonical version of the xz source, the one that gets compiled and put into repositories. Putting it into a fork and then waiting for someone to install that fork would do very little. Doing the same to proprietary software isn't any more effective.

Re: Would This Have Been Caught Sooner In Proprietary Software?

"No problem in this case. It was a well organised long term con."

Yes, sort of, but it was an organized one on a small tool like XZ. The attacker wasn't writing code full time to do that. They could spend a bit of time writing something useful on occasion to keep their name in everyone's head as someone who knows what they're doing while spending more time on other things. Working at a company takes more time and thus makes an attack more expensive. You also can't divide effort. Jia Tan could have been a bunch of people. One wrote some modifications, one just worked on the malware, one did the pressure campaign, and they just used the same set of GitHub accounts. You can't do that as an employee of a company because your accomplices don't have access to the internal code and giving it to them is a detectable crime which businesses already try to prevent. Not so expensive that you can't do it, but it reduces the number of attempts.

"Are you impyling some sort of QA? That's what Microsoft's customers are for."

I don't think they were implying that. If you're writing code on a team with a lot of people, you have a lot of code reviews and a lot of changes. It makes it harder to slip something in than if you only have to slip it past one person. This is especially the case if you insert your backdoor and I, your colleague, have a feature change to the same area and end up breaking your backdoor while merging your feature with mine.

The main reason why it's hard is that you don't get to choose your project as closely when you're working for a company. If you get a job at Apple, maybe you end up working on some part of Safari, the iMessage or Facetime protocols, or some core OS component. You can probably put a backdoor in those. Maybe you end up working on the new headline feature they're going to announce next conference: yet another emoji thing that's not actual emoji, the sixth version now. Have fun doing anything malicious when you're writing code for a feature nobody ever uses. It's probably possible, but you don't get to pick a target and specifically add code to that, whereas targeting XZ is as simple as finding where the source for that is and sending a pull request.

Re: Its worse than you could imagine....

It's efficient for programming time, so implementations can be made quickly. The same reason why we use text-based formats like XML or JSON frequently rather than making a custom binary format. Sure, an HTTP response code could look like "\x02\x04" (one byte for version number, one byte for status code), but that wouldn't do all that much for efficiency and makes the protocol harder to extend. It also has little to do with datagrams. If you use UDP for the protocol, you still have to encode the protocol data somehow. UDP can't send a single page as a packet in most cases, and it shouldn't be expected to. Somehow, HTTP has been a viable transmission mechanism for a long time. As we increase network speeds, the overhead from the protocol becomes less and less important, yet a small device with little memory and a slow connection can implement and use HTTP well enough as well. Leave even more efficient protocols to places where you need them.

This is why I assume they're asking a religious question, not a legal one. The legal answer in many countries is that the marriage can be dissolved. Whether it happens automatically, requires an annulment form, or if you actually have to go through the divorce process probably varies from place to place, but the union does not need to continue. I think they are asking based on religious authorities that do not acknowledge a divorce as legitimate, and there are a lot of them who do everything differently and their reasons for what counts and what doesn't are based on subjective interpretations of religious texts, so I don't think you'll find consensus between their opinions.

The social security card isn't as obviously acceptable as you say:

The card on which an SSN is issued is still not suitable for primary identification as it has no photograph, no physical description, and no birth date. All it does is confirm that a particular number has been issued to a particular name. Instead, a driver's license or state ID card is used as an identification for adults.

Nothing associates a card with its true owner. He did also have an ID with a picture, but of a type that can be faked or obtained fraudulently (by providing documents without pictures). The other person using the same name almost certainly also had an ID card with the same information and his picture on it. So they can't assume that someone with a card with the correct SSN and an ID with the person's picture mean the presenter controls this account. If you're the only person presenting them, they'll probably accept them. If you're presenting them while someone else, also with documents, says you're lying, they'll either require more or bring in the police to determine which of you is the true one, since law enforcement can validate documents with more accuracy than can a bank.

I can pretty much guarantee that nobody knows. If you ask enough people, you will get every possible answer. Each of those answers can be backed by some kind of reference to religious text if you want. People with one view who strongly object to the other view will say that the other guy's reference is misinterpreted, assuming you get them to make an argument instead of just shouting.

Re: geniuses everywhere you look

There are certainly reasons that might have happened with the person coming in being a criminal. The easy example is multiple holders of a single identity. If two people buy the same fake identity from a criminal who stole it, they may end up in an identity theft collision. Person A goes to take out the debt, person B hasn't gotten to that stage yet and is still pretending to be the person, all while the actual owner of that identity isn't doing any of the things that person A or B are doing. A bank could have decided that this was what happened in this case. This situation wasn't that, but there is a method by which a similar set of circumstances could arise.

Re: Why did he do it ?

"Something seriously wrong with USA .... this and the recent monkey torture story :("

Why is a country being blamed for a single criminal? Maybe, if I'm being generous, you could say that there is something wrong with the California police system which failed to unravel the crime*, but that wouldn't be the whole country either.

* Not knowing many details, I'm inclined not to blame them too much. With an identity theft going on for three decades, including lots of documentation, it would be hard to prove who is correct from documentation alone. If one person has a full set of documentation for an identity and another one has a partial set, one of them has clearly stolen the set. Governments are likely to believe the one with the full set who has been working under that identity for seven years at the time because that is not typical for an identity thief. This may be a reason to treat all identity theft cases with more scrutiny, maybe getting DNA testing involved in all cases of identity confusion, but that has its own potential downsides.

Re: Why did he do it ?

The first bit appears to be the typical identity theft playbook: steal someone's identity, earn some money on that identity to establish a history, borrow money, don't pay it back, if questioned, tell them it's not you. The normal method is that, once you've stolen money that way, you burn that identity and either stop committing crimes or go get another one. I'm not really sure why he kept doing things under the second identity. My only theory, and one I haven't researched, is that he may have polluted his own identity, for example getting arrested, at some point and used this as a backup.

Re: I hope you know up front that's how your food is delivered

The article did cover both questions: the app lets you opt out and, if there is an automated delivery, they don't take the tip. It's true that you have to go out to retrieve the delivery, and the points raised by others about those with disabilities that make that difficult are valid problems with the idea. I have a feeling a lot of people who don't have those concerns won't have a problem with that and may approve if the deliveries are cheaper, especially in a city like Phoenix whose unpleasant weather is usually just it being really hot, where a few seconds outside probably isn't too bad.

Re: And if any non USA backed state developed this...

Yes, it's definitely the USA's fault. That's why the US sanctioned them in 2021. I'm sure that's a long con of some sort.

That might work for Facebook, but not so much for ISPs or phone store providers. I think the requirements are easy enough for Apple and Google. TikTok comes out of their stores immediately and that's basically it. However, maybe they need to consider whether the government will want them to actively remove the app from people who already have it and whether they're willing to take that action and how they'll do it without annoying users too much.

ISPs have a trickier situation to consider if the article's theories about mandated connection blocks prove true. This seems extreme to me, but I think there's a chance that the ban is simply overturned by a court, so if I'm wrong, anything could happen.

Re: USA Free Market

It was kind of both. The taxation issue certainly got a lot of people angry, to judge from how much is written about it, but they were also influenced by ideas about political philosophy which originated from people who had no taxation-based complaints against the British government. Had they somehow arrived at a resolution around the tax issue, and I'm not sure how they would have managed that, that could have ended it in the mid 1760s. By the mid 1770s, they had more complaints to do with liberty* and governance**, and a tax law change wasn't going to fix them.

* Liberty: theirs, not anyone else's.

** Governance: not democracy, at least not yet. The complaints had to do with things like law enforcement practices and chains of command, not just who gets to vote for what.

Because the systems today don't want to have you regenerate voice files every time a new string comes along. With a pre-built voice model, it can say, usually reasonably accurately, any set of words. If a new street name is added to a map, nobody needs to record that name for you to hear it. And if I want to build something other than navigation which speaks, I don't need to hire someone to read things into a microphone for hours or do that myself. It also means you don't have to have as many pauses in sentences as clips are spliced together. I'd say those are net benefits to anyone who uses it.