• 2 Posts
  • 273 Comments
Joined 1 year ago
Cake day: October 4th, 2023

  • I don’t think that that’s a counter to the specific attack described in the article:

    The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency.

    That’d be a counter if you have some known-good version of a package and are worried about updates containing malicious software.

    But in the described attack, they’re not trying to push malicious software into legitimate packages. They’re hoping that a dev will accidentally use the wrong package (which presumably is malicious from the get-go).
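An added example, not part of the original comment or the article it quotes: a small dependency audit in the spirit of the defence the comment implies, flagging package names that sit within a couple of edits of a known-good name (the look-alike pattern described for Puppeteer and Bignum.js). The allow-list and the sample dependency list are constructed for illustration.

```python
# Added example: flag dependency names that are not on an allow-list but are
# within a small edit distance of an allowed name (look-alike / typosquat
# candidates). KNOWN_GOOD and SAMPLE_DEPS are constructed, not real manifests.

KNOWN_GOOD = {"puppeteer", "bignum", "web3"}  # constructed allow-list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (standard dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def suspicious(name: str, allow=KNOWN_GOOD, max_dist: int = 2):
    """Return (closest_allowed_name, distance) when `name` is not an allowed
    package but lies within max_dist edits of one; otherwise None.
    Exact matches are never flagged, so legitimate dependencies pass."""
    lname = name.lower()
    if lname in allow:
        return None
    best = min(allow, key=lambda k: edit_distance(lname, k))
    d = edit_distance(lname, best)
    return (best, d) if d <= max_dist else None


def audit(deps):
    """Map each look-alike dependency name to the allowed name it resembles."""
    return {n: hit for n in deps if (hit := suspicious(n)) is not None}


# Constructed dependency list: two genuine names, two look-alikes, two unrelated.
SAMPLE_DEPS = ["puppeteer", "pupeteer", "bignum", "bignumjs", "lodash", "web3-js"]

if __name__ == "__main__":
    for dep, (near, dist) in audit(SAMPLE_DEPS).items():
        print(f"{dep!r} resembles allowed package {near!r} (edit distance {dist})")
```

Names more than two edits away from any allowed name, such as "lodash" here, are not reported, so the allow-list must contain the packages the project actually intends to use.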


  • I mean, this kind of stuff was going to happen.

    The more-important and more-widely-used open source software is, the more appealing supply-chain attacks against it are.

    The world where it doesn’t happen is one where open source doesn’t become successful.

    I expect that we’ll find ways to mitigate stuff like this. Run a lot more software in isolation, have automated checking stuff, make more use of developer reputation, have automated code analysis, have better ways to monitor system changes, have some kind of “trust metric” on packages.

    Go back to the 1990s, and most everything I sent online was unencrypted. In 2024, most traffic I send is encrypted. I imagine that changes can be made here too.





  • Apparently, some London residents are getting fed up with social media influencers whose reviews make long lines of tourists at their favorite restaurants, sometimes just for the likes.

    As Gizmodo deduced, the trend seemed to start on the r/London subreddit, where a user complained about a spot in Borough Market being “ruined by influencers” on Monday:

    “Last 2 times I have been there has been a queue of over 200 people, and the ones with the food are just doing the selfie shit for their [I]nsta[gram] pages and then throwing most of the food away.”

    So, I don’t know what the situation is in London.

    But COVID-19 really clobbered a lot of commercial establishments, and particularly eateries. I’m guessing that at least some traffic might be a return of the public to restaurants, with the supply of restaurant capacity at a low due to having gone through hard times over the past four years or so.

    kagis

    Ah, right. This is Europe, and while the US got hit by higher energy costs too, the Ukraine invasion really dicked up energy prices in Europe for a while. And then you have the hangover from the COVID-19-related spending happening, as inflation bites, and reducing spending on restaurants is an easy thing to cut on one’s budget. And this points out that restaurants are a labor-intensive industry, and Brexit has driven labor costs up by cutting the labor pool.

    https://www.ft.com/content/a36ad5fd-db20-4ba8-89ea-e185838c8aa0

    UK restaurant sector hit by cost of living and Covid legacy

    Stuart Devine thought his chain of fish and chip restaurants in Aberdeen had survived the worst when the UK government lifted Covid-19 lockdowns for good in spring 2021 and customers returned to enjoy the classic British meal.

    But before the Ashvale could fully recover it was dealt another blow, when Russia’s full-scale invasion of Ukraine in February 2022 disrupted global supply chains and sent energy and food prices soaring.

    Devine’s struggles are shared by roughly 40 per cent of UK restaurant owners, who are operating at or below break-even point, after the sector was hit by a perfect storm of pandemic shutdowns and the cost of living crisis, according to data from UKHospitality.

    The trade body estimates that up to 30 per cent of businesses in the sector have closed since Covid struck. About 1,169 restaurants shut in the past year alone, equivalent to more than three a day, according to UKHospitality and consultancy CGA by NIQ.

    “The money coming from the front door is just not enough to offset the significant cost of doing business that the restaurants are facing,” said Kate Nicholls, chief executive of UKHospitality.

    While energy prices have fallen from their peak over the past 12 months, restaurants continue to bear the brunt of elevated food costs. The particularly labour intensive industry has also struggled with staff shortages, worsened by Brexit, and to keep pace with the statutory minimum wage. It stands at £10.42 an hour and will rise to £11.44 in April.

    Devine said “the hardest thing is that the only thing you can do is put your prices up”, noting that there was a limit to how much lifting prices could help at a time of already weak consumer confidence and tight household budgets.

    So the combination of all those things would tend to have squeezed the supply of restaurants, and it might be that if there’s enough demand to consistently fill restaurants in London, expand existing or open new ones, that things will tend to return to a more-normal state.


  • In total, there were 118 false positives — a rate of 4.29%.

    Earlier this year, investors filed a class-action lawsuit, accusing company executives of overstating the devices’ capabilities and claiming that “Evolv does not reliably detect knives or guns.”

    I mean, in terms of performance, I’d be more concerned about the false positive rate than the false negative rate, given the context. Like, if you miss a gun, whatever. That’s at worst just the status quo, which has been working. Some money gets wasted on the machine. But if you are incorrectly stopping more than 1 in 25 New Yorkers from getting on their train, and apply that to all subway riders, that sounds like a monumental mess.



  • tal@lemmy.today to Technology@lemmy.world: *Permanently Deleted*
    2 up · edited · 12 days ago

    Did NVIDIA stop selling videocards in Russia?

    kagis

    https://www.pcmag.com/news/nvidia-to-stop-all-product-sales-to-russia

    Nvidia Stops All Product Sales to Russia

    March 5, 2022

    So, yes, though I don’t think that it matters a huge amount, since companies are just gonna re-export them out of China or Kazakhstan or wherever. I mean, it’s not like the hardware has some kind of region-locking. It’s a piece of consumer hardware, sold and resold anonymously all over the place. It’s not some kind of specialized military hardware with four end customers and tight control over the movement of the product.

    kagis

    https://hardwaretimes.com/nvidia-loses-just-2-of-its-revenue-as-offices-are-shut-down-in-russia/

    In October [2022], NVIDIA officially shut down all its operations in Russia as sales of both data center and consumer graphics cards were wrapped up. At the time, around 240 employees worked for the Santa Clara-based company. These folks were given the option to either relocate abroad or look for other jobs.

    Furthermore, NVIDIA hardware has been banned from sale via official channels.

    Fortunately for Team Green, the Russian Federation represented a minor market for its wide portfolio. Disclosures from the Q3 2022 earnings report indicate that the Federation accounted for just 2% of its revenue and 4% for the gaming business.

    Although channel partners are forbidden to sell the latest GeForce RTX 40 series graphics cards, Russian gamers can still procure them from the grey market.

    It’ll probably add cost and some risk of getting ripped off and no manufacturer’s warranty, but I would be surprised if someone who wanted a new GPU couldn’t continue to get ahold of one in Russia, given enough funds.

    EDIT: Does make me wonder about Windows-side driver updates. Like, people here are talking about Linux. Windows requires driver signing, and I don’t know if those signatures are region-specific.



  • tal@lemmy.today to Technology@lemmy.world: *Permanently Deleted*
    14 up, 1 down · 12 days ago

    Most sanctions, aside from ones aimed at individuals, are going to have indirect effect. That is, they will produce pressure on Russia in aggregate, and that means that they’ll impact the typical citizen.

    But that being said, there have been a lot of sanctions applied, and…the impact on Nvidia drivers isn’t, I think, really a huge one relative to those. Like, things like cutting off access to all kinds of electronics parts and payment system access and stuff are going to be, I’d say, a lot more impactful to a typical person in Russia, even if the impact is secondary.


  • tal@lemmy.today to Technology@lemmy.world: *Permanently Deleted*
    6 up, 1 down · 12 days ago

    Other than as a mind game, I don’t see the point.

    Google provides a centralized service. They own the generator system.

    You could solve the whole problem much more simply and reliably by just retaining a copy of all generated text at Google – the quantities of data will be miniscule compared to what Google regularly deals with – and then just indexing it and letting someone do a fuzzy search for a given passage of text to see whether it’s been generated. Hell, Google probably already retains a copy to data-mine what people are doing anyway, and they know how to do search. And then they could even tell you who generated the text and when.




  • tal@lemmy.today to Technology@lemmy.world: What websites still feel like the old internet?
    18 up, 1 down · edited · 17 days ago

    Not a website, but since you mention BBSes…one thing that would look pretty familiar to a 1990s Internet user would be most of the text-based MUDs, the ancestor of MMORPGs, that are around.

    The MUD Connector is still around, and still has a list of active MUDs.

    While I suspect that most dedicated MUDders use dedicated clients, the base protocol is still normally telnet, and you can use a plain old telnet client to play…a protocol that predates Internet Protocol itself.


  • My understanding – I’ve never used it – is that Bluesky uses some sort of “curated feed” list. The idea, from what I gathered, is that some person (or people?) could create a list of stuff and then people subscribe to it. Seemed like an interesting approach, since it’s a route to improve personalizing content relative to, say, Reddit. Originally, Reddit intended to run off a recommendation system, but that kind of fell by the wayside in the first few years.

    I’ve wondered how practical it would be to have people publish feeds, then take into account one’s voting behavior and how it reflects feed content to help do recommendations. Can’t just score a feed by aligned posts – otherwise, it’d be trivially gameable; you could have people spamming by creating feeds and including popular things, and then also including some spam item. But I could imagine that being the foundation for something that does a good job of recommending stuff.


  • tal@lemmy.today to Technology@lemmy.world: Is it just me or is bluesky full of anime porn
    10 up, 2 down · edited · 19 days ago

    I mean, there’s plenty of anime pornography on the Threadiverse too. It’s just that sopuli.xyz, your home instance, isn’t federated with a number of hosts (and you may not be viewing its “all” feed).

    https://sopuli.xyz/instances

    Look at the “Blocked instances” tab. You’ve got stuff like:

    https://lemmynsfw.com/

    https://kbin.burggit.moe/ (which I can’t seem to reach due to some sort of TLS issue, but burggit.moe proper has “Free expression, including the Loli/Shota/Cub variety, are welcome here!”, and I assume that this is a gateway to the same material). I definitely remember that burggit.moe used to deal with consensual-nonconsensual material and underage anime material, because it caused lemmynsfw.com to defederate from them.

    https://lolicon.rocks/

    https://ac.akirin.xyz/ I don’t know what content they truck in, and their front page doesn’t indicate it, but it looks like the scrolling URLs in the bottom contain a bunch of links to various Fediverse hosts that deal in underage anime porn, and the user icons seem to all be anime girls, so I’m assuming that that might be their thing.

    Not going to do a complete list of the blocked instances there, just pointing out that even if you look at your “all” feed on sopuli.xyz, it might not be representative of the Threadiverse as an aggregate.


  • I think that there’s a legitimate place for all-in-one “smartphone” SoC PCs. You can make them cheaper, smaller, and use less power.

    It’s just not really what I want for myself in a PC. I want the modularity and third-parties competing to provide components.

    But I am pretty sure that there are plenty of people who don’t care about that.

    There has to be enough scale to support products like that, though. SoC systems might cannibalize enough to make scale hard.

    sigh

    Well, we’ll see where things go.


  • If this is you, then build your own home server.

    While I don’t disagree, there’s also a very considerable cost difference here between running locally and remotely.

    If a user sets up an AI chatbot, then has their compute card under average 24/7 load of 1% – which would require averaging, say, a daily session for an hour with the thing averaging 25% of its compute capacity during that session – then the hardware costs for a local setup would be 100x that of a remote setup that spreads load evenly across users.

    That is, if someone can find a commercial service that they can trust not to log the contents, the economics definitely permit room for that service to cost less.

    That becomes particularly significant if one wants to run a model that requires a substantial amount of on-card memory. I haven’t been following closely, but it looks like the compute card vendors intend to use amount of memory on-card to price discriminate between the “commercial AI” and “consumer gaming” market. That permits charging a relatively large amount for a relatively small amount of additional memory on-card.

    So an Nvidia H100 with 80GB onboard runs about (checks) $30k, and a consumer GeForce 4090 with 24GB is about $2k.

    An AMD MI300 with 128GB onboard runs about (checks) $20k, and a consumer Radeon XT 7900 XTX with 24GB is about $1k.

    That is, at current hardware pricing, the economics make a lot of sense to time-share the hardware across multiple users.


  • Oh so both hashes and symmetric cryptography are secure entirely by doubling up the key size.

    That’s not my understanding, which is that it’s more-secure than that and doesn’t require the doubling. Assuming the pages I linked are correct and that the understanding of them from my skim is correct, both of which may not be true:

    • About a decade-and-a-half ago, it was believed that AES of existing key lengths could be attacked via a known quantum algorithm – Grover’s algorithm – using future quantum computers. However, the weakness induced was not sufficient to render AES of all key lengths practically vulnerable. It would be viable to simply increase key lengths, not redesign AES, sufficient to make it not attackable via any kind of near-future quantum computers.

    • At some point subsequent to that, it was determined that this attack would not be practical, even with the advance of quantum computers. So as things stand, we should be able to continue using AES with current key lengths without any kind of near-future quantum computer posing a practical risk.

    Take all that with a huge grain of salt, as I’m certainly not well-versed in the state of quantum cryptography, and I’m just summarizing a few webpages which themselves may be wrong. But if it’s correct, you were right originally that there aren’t going to be near-term practical attacks on AES from the advance of quantum computing, not from any presently-known algorithm, at least.