HackerTrans
TopNewTrendsCommentsPastAskShowJobs

dns_snek

no profile record

comments

dns_snek
·il y a 14 jours·discuss
> Its extremely difficult to build a clearly logical structure where a company that made a wildly successful product needs to hand half the value to the government.

I think it's rather simple. If they don't do that, does the house of cards that we call a society collapse?

> It's very easy to do if we hand wave with ambiguous terms...

It's equally easy to be dismissive about the cost of running a stable society. If you want poor people to pick up your 5 billion euro tab then you're never going to make those 10 billion to begin with because people won't have the money to afford whatever it is that you're selling.

I've yet to hear a coherent argument on how you think you can pay 99% less in taxes and achieve the same outcomes? It's nothing but magical thinking. You want to pay 99% less and you want poor people to pay (a lot) more.

Do you think poor people can afford to pay more? Do you not care? Don't you see that if you do that they'll violently overthrow the entire system that allowed you to become a multi-billionaire?
dns_snek
·il y a 14 jours·discuss
> they're not sandboxes

Yes they can be, and Codex offers one. It uses Bubblewrap and seccomp on Linux which are perfectly capable of restricting filesystem access.

In a default setup every command is executed inside a restrictive sandbox and you're only asked for permission to run that command if the execution fails.

I don't necessarily think that it's a good idea to rely on these sandboxes as your only line of defense but that's absolutely a feature that they can, should, and do offer.
dns_snek
·il y a 18 jours·discuss
> does the state have a fair claim to €5B of it when the company at most with the most generous possible estimate (and then double it for good measure) used €50M of state services?

Yes, it does. Quite simply because that's the law, and it's morally right (in principle) because if your business fails then you don't get a bill for 50 million. If "winners" only paid their exact share then these services wouldn't exist.
dns_snek
·il y a 18 jours·discuss
The marginal cost of nuclear energy is 14-20% of the total cost according to pages 39,40 of [1].

The point I'm making is that claiming that AI labs would be profitable if only they could stop spending money on the only thing that makes them valuable is absurd. Frontier models are like a nuclear power plant that needs to be rebuilt from scratch every 24 months.

Let's say that they paused R&D a year ago. It's June 2026, OpenAI's latest offering is GPT 4.1, Codex is still just a private beta that hasn't been updated in months. How much revenue do you think they would be making right now? My guess is approximately zero.

[1] https://www.lazard.com/media/5tlbhyla/lazards-lcoeplus-june-...
dns_snek
·il y a 19 jours·discuss
Those are 2 big "ifs". The incentives are completely misaligned and the platforms work for the companies. They would now have an even bigger incentive to stonewall and close valid issues than they did before.

They already like blurring the lines by rejecting reports that have clear reproduction scripts, videos, demonstrable (but not critical) impact. They'll close it as "not a bug" but then also forbid disclosure and stonewall mediation requests. Reports are supposed to be kept private until the issue is fixed but the system gets abused to cover up issues long after they've been fixed.

In some cases I strongly suspect it's to evade liability for financial damages that their customers might've suffered. Platform mediation always takes their side and if you want to do what's right, you will get banned.
dns_snek
·il y a 19 jours·discuss
Response: https://www.wheresyoured.at/anthropics-profitability-swindle...
dns_snek
·il y a 19 jours·discuss
Nuclear energy is really cheap too... as long as you ignore CapEx, would you like to invest?
dns_snek
·il y a 20 jours·discuss
> A least-cost combination of all the technologies has also been identified (shown in Fig. 3 as Least Cost Mix). Under the IEA/WEO 2023 cost assumptions, the least-cost solution comprises a combination of offshore wind power (66%), solar PV (8%) and CCGT (26%). Onshore wind power cannot compete with offshore wind power, and nuclear power cannot compete with any of the other technologies. This is due to the relatively low offshore and high onshore wind power cost assumptions in WEO 2023. As we shall see later, onshore wind power comes into the least-cost mix when using WEO 2024 or any of the two DEA cost assumptions.

...

> At the case level, we find that in countries such as Denmark with available wind and solar energy resources, nuclear power does not seem to be part of the least-cost solution, neither in today's energy systems nor in future systems of climate neutral societies. This conclusion is valid for the present cost of nuclear power in Europe as well as for IEA/WEO future expectations. The future overnight cost for nuclear power of 4500 EUR/MW in 2050 represents the so-called “nth-of-a-kind” cost for new reactor designs, with assumed substantial cost reductions from the first-of-a-kind projects, while this violates the historical experience of nuclear power technology.
dns_snek
·il y a 20 jours·discuss
> It means they are agents of the corporations, not agents of the users.

Of course they are, assuming otherwise has always been naive.
dns_snek
·il y a 26 jours·discuss
> If you want to have one-time JWTs you need to maintain a revocation list.

No, you always need a revocation list if you want to handle user sessions in a secure manner. What claims do your tokens contain? If it's anything other than some stable identifiers, like user name, email, permissions, etc. then you now have a cache invalidation problem.

But if all your token carries is an identifier which you need to look up, how's this any better than a signed cookie containing the session ID? All you've done is add complexity.
dns_snek
·il y a 26 jours·discuss
> by revoking network you don't lose privacy

Be careful, apps can still communicate with other apps, e.g. revoking the network permission doesn't stop apps from fetching and displaying ads over the network. I don't know enough about Android internals to understand the mechanisms behind it, but clearly there are ways for apps to exfiltrate data.

> Trying to use Network as a complete data exfiltration toggle isn't the intended purpose, and you should always consider apps within the profile being able to communicate for ALL data and access including permissions. It is not something only relevant to Network.

https://discuss.grapheneos.org/d/4024-in-what-extent-can-app...

https://github.com/GrapheneOS/os-issue-tracker/issues/2197
dns_snek
·il y a 27 jours·discuss
RAM prices, surely?
dns_snek
·il y a 30 jours·discuss
> Sure you do. You just don't have a society that looks like ours does.

You've skipped a few steps, until you overthrow the government all you have a broken society with a system of governance that's deemed to be illegitimate, therefore its rules and actions are illegitimate.

If you want to tear up the constitution and implement a new system of governance with "less government" then you're effectively advocating for a revolution. Just be honest and don't try to sell this as an incremental policy change.
dns_snek
·il y a 30 jours·discuss
> unless you presume government is beneficial

That's the constitutional bedrock of our societies. That doesn't mean it's always true but if you denounce that as a legitimate and achievable goal then you don't have a society anymore.
dns_snek
·le mois dernier·discuss
There's no reason to believe that [0] has anything to do with WASM, [1] and [2] are runtime implementation bugs, [3] is a vulnerability in a "weak" sandboxing library VM2 - it has nothing to do with WASM as such, and [4] is another implementation bug in an experimental WASI feature of that specific runtime which is gated behind a build flag.

------

[Re: 3] https://github.com/patriksimek/vm2

> vm2 attempts to sandbox untrusted JavaScript code within the same Node.js process as your application. It does this through a complex network of Proxies that intercept and mediate every interaction between the sandbox and the host environment.

> JavaScript is an extraordinarily dynamic language. Objects can be accessed through prototype chains, constructors can be reached via error objects, symbols provide protocol hooks, and async execution creates timing windows. The sheer number of ways to traverse from one object to another in JavaScript makes building an airtight in-process sandbox extremely difficult.

[Re: 4] https://github.com/search?q=repo%3Abytecodealliance%2Fwasm-m...
dns_snek
·le mois dernier·discuss
> Have you rolled the numbers, vs all of the high-pri security updates that will be missed on day one, and exploited?

(Different person here) I don't have data and I don't think I need it. You either have a process to push security-critical updates out very rapidly or you don't.

If you have that process then nothing changes for you because that cooldown won't be used in that context.

If you don't have that process then nothing changes for you because you weren't pushing out those time-sensitive patches to begin with. But now you won't get hit by drive-by supply chain attacks.

The vast majority of "high severity vulnerabilities" in your dependencies are just noise by the virtue of not being exploitable in the manner that they're used in your project.
dns_snek
·le mois dernier·discuss
Unsurprising, agents' solution to everything is writing more code. They'll happily reinvent the universe (a really crappy one).

Bug? More code. Unexpected behavior - read the docs? Couldn't find anything. Let's try another 1000 lines of workarounds. Still doesn't work? Write another 1000 lines to monkey-patch behavior. It sort of works now.

The actual solution is removing those 2000 lines and passing the correct argument on line 25 which is clearly documented. Most humans would never do that because we're too lazy but it's so easy to generate slop at an exponential rate and blow up the LOC metrics.
dns_snek
·le mois dernier·discuss
Malware running on your computer can engineer a situation where you would naturally press that without suspecting anything.

1. Malware logs you out of github.com

2. It waits for you to navigate to the login page

3. It initiates an SSH/signing operation requiring physical touch

4. You hit login on github.com, a 2nd FIDO operation is queued up

5. You press the yubikey button, confirming the SSH operation

6. "Nothing happens", so you press it again to log in

7. You're now logged in, and your SSH credentials have just been hijacked.

Or it could just inject itself into your shell profile, and do this the next time you ssh anywhere. You never really know what you're confirming so Yubikey's threat model implicitly depends on the host device being trustworthy.

This is why hardware wallets for crypto have a physical display to confirm the address and the amount before signing the transaction.
dns_snek
·le mois dernier·discuss
As long as you're fine with the types being semantic gibberish because all agents I've used take the lowest effort approach to make the error go away.

You probably have the same logical type duplicated in 3+ different places (at least partially), including inline casts using type literals like "maybeCat as { meow(): void }"
dns_snek
·le mois dernier·discuss
More generally you can use "no-restricted-syntax" rule to forbid almost any type of syntax by matching AST against CSS-like selectors.

https://eslint.org/docs/latest/rules/no-restricted-syntax

https://typescript-eslint.io/play/