• 0 Posts
  • 117 Comments
Joined 2 years ago
cake
Cake day: July 29th, 2023

help-circle
rss
  • The thing that currently cannot be worked around is the “play integrity api”, but relatively few applications make use of it yet.

    It is a terrible security measure (because it give the impression to app developers that a 5+ year old android installation that’s never had a patch is more secure than an up-to-date graphene install) so there’s a chance that it might be improved in future, but it is currently a looming problem.



  • @rooktoTechTakesAI: The New Aesthetics of Fascism
    link
    English
    161 day ago

    which can be used in many very useful ways, including saving life and reducing the work needed to fulfill the needs of a population

    Uh huh. “Can” needs an asterisk and some disclaimers there. And probably “useful”, too.



  • An entertaining bit of pushback against the various bathroom bills being pushed at the moment. Bonus points for linking it with ai training. I feel like this is an idea that’s very adaptable…

    https://mefi.social/@MissConstrue/113983951020093710

    Signs which have been adhered to bathroom stall interiors at the Dallas Fort Worth airport.

    SECURITY NOTICE Electronic Genital Verification (EGV) Your genitalia may be photographed electronically during your use of this facility as part of the Electronic Genital Verification (EGV) pilot program at the direction of the Office of the Lieutenant Governor. In the future, EGV will help keep Texans safe while protecting your privacy by screening for potentially improper restroom access using machine vision and Artificial Intelligence (Al) in lieu of traditional genital inspections. At this time, images collected will be used solely for model training purposes and will not be used for law enforcement or shared with other entities except as pursuant to a subpoena, court order or as otherwise compelled by legal process. Your participation in this program is voluntary. You have the right to request removal of your data by calling the EGV program office at (512) 463-0001 during normal operating hours (Mon-Fri 8AM-5PM). STE OP CRATMENT OA Pusi DFW DALLAS FORT WORTH INTERNATIONAL AIRPORT

    The contact number appears to be for Dan Patrick, the lt. governor of Texas.



  • @rooktoTechTakesa handy list of LLM poisoners
    link
    English
    615 days ago

    Additionally, https://xeiaso.net/blog/2025/anubis/

    Some of this stuff could be conceivably implemented as an easy-to-consume service. It would be nice if it were possible to fend off the scrapers without needing to be a sysadmin or, say, a cloudflare customer.

    (Whilst I could be either of those things, unless someone is paying me I would very much rather not)


  • an entire economy built on intellectual property thievery

    The historic attitude of the US to copyright is interesting (you can still see old English-language books that are labelled not for sale in the USA). In these enlightened days of course there’s a half-trillion dollar plan to shore up the LLM business, which is already a half-trillion dollar crater of debt and is still digging hard.

    and slave labor

    I always wondered how the manufacture of white goods in the US was competitive with the likes of Mexico, and it turns out that the secret ingredient is incredibly cheap prison labor, where the prisoners face significant negative consequences if they’re not prepared to work for pennies.

    Prisoners can be firefighters for a few dollars a day and risk their lives, but are denied jobs when they get out. California, that noted bleeding heart lefty bastion, refused to abolish penal servitude (ie. slavery of prisoners).

    The US health insurance industry means that huge swathes of the population may as well be indentured because cannot afford basic healthcare if they quit and changing employers risks rejection of coverage of pre-existing conditions.

    I could go on. For quite a while.

    all the downvotes confirm the ccp is here and active on the fediverse

    By all accounts, the ccp do a pretty poor job of influence operations compared to russia. Personally I suspect that the fediverse is just too small compared to twitter and bluesky and reddit, so why would anyone bother here?

    Truth is, both the US and the PRC are capitalist hellholes of differing degrees, and the current team in the White House works hard to reduce those differences. Remember, with the right wing, it is always projection and envy. They hate Iran because they want to be a fundamentalist dictatorship too. They hate china because they want uncontested power and a labor force without human rights.

    You are not obliged to carry water for them.



  • The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, it’s the added complexity of “use this physical device” and the concern I had about recovering accounts if I lost the Yubikey.

    The solokey v2 and the nitrokey v3 (I think) have some firmware upgradability, but they’re not as capable as a yubikey (the last time I checked I couldn’t use either of them to unlock a keepassxc password vault, for example). Whilst it would be a right hassle to deal with a lost device, I generally lock my accounts with a main key and two spares that get stored safely and make a note in my password database of which accounts can use which keys so there’s little risk of locking myself out of anything, and I can get a list of sites to visit to revoke credentials from. In any case, the minor inconvenience is a good tradeoff for me, given the significant security guarantees the keys offer over other authentication mechanisms.

    But also, “added complexity” is just a thing with two factor authentication, and most of my use of U2F keys involves less effort than unlocking my phone, then unlocking my TOTP application, then searching for the account and site I’m trying to unlock, then waiting for the timer to reset because I can’t authenticate before the current code expires, etc.

    Assuming I didn’t fuck up basic math,

    Beats me! I just use off-the-shelf entropy calculators and hope they’re right. They mostly seem to agree that ~128 bits of entropy from a 10-word (70-85-ish characters) passphrase from the EFF large wordlist, or ~24 characters from uppercase/lowercase/numeric. Both might be reasonably considered overkill, if you can be sure that the thing that’s hashing the password is using a modern algorithm (which often you can’t, sadly).

    I also dislike unreasonably long passwords because more modestly-sized ones can be typed out manually when needs be, or even read over the phone in an emergency. I wouldn’t fancy doing that with 128 character passwords! You may of course never need to do those things, but I’ve needed to do both, at work and otherwise.


  • Last time I tried it, ungoogled chromium had some issues with yubikeys (see https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#how-to-get-fido-u2f-security-keys-to-work-in-google-sign-in) which I don’t think have been fixed yet. That was enough to be a deal breaker for me.

    do yubikeys suck as much as it looks like they suck?

    Without knowing why you think they suck, it’s hard to say. I like having unphishable uncopyable credentials, and it irritates me that they aren’t more widely supported. On my desktop or laptop, they’re less irritating than TOTP, for example, which is neither unphishable nor uncopyable but much more widely used.

    whereas passwords that will always be copy-pasted are 128 characters

    Whilst there isn’t really such a thing as “too secure”, it is the case that things like passwords are not infinitely scaleable. Something like yescrypt produces 256-bit hashes (iirc) so there’s simply no space to squish all that extra entropy you’re providing into the output… it might not be any more secure than a password a quarter of its length (or less!).

    128 bits of entropy is already impractical to brute force, even if you ignore the fact that modern password hashes like yescrypt and argon2 are particularly challenging to attack even if your password has low entropy.





  • Corporations institute barebones, born yesterday AI models that don’t know their ass from their elbow because they can’t be bothered to pay the devs to actually train them but when shit goes south they turn around and blame the devs for a bad product instead of admitting they cut corners

    Sounds like all it would take is one company to do it right, and they’d clean up. Except somehow, with all of the billions being poured into it, every product with ai sprinkled on it is worse than the non-ai-sprinkled alternatives.

    Now, maybe this is finally the sign that everyone will accept that The Market is completely fucking stupid and useless, and that literally every company involved in ai is holding it wrong.

    Or, and I know it’s a bit of a stretch here, but consider the possibility that ai just isn’t very useful except for fooling humans and maybe you can fool people into paying for it but it’s a lot harder to fool them into thinking it makes stuff better.


  • Maybe I’m missing something, but has anyone actually justified this sort of “reasoning” by LLMs? Like, is there actually anything meaningfully different going on? Because it doesn’t seem to be distinguishable from asking a regular LLM to generate 20 paragraphs of ai fanfic pretending to reason about the original question, and the final result seems about as useful.




  • A real ceo does everything. Delegation is for losers who can’t cope. Can’t move fast enough and break enough things if you’re constantly waiting for your lackeys to catch up.

    If those numbers people were cleverer than the ceo, they’d be the ones in charge, and they aren’t. Checkmate. Do you even read Ayn Rand, bro?