HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Perseids

no profile record

comments

Perseids
·23 giorni fa·discuss
> It’s only expensive and brittle because environmentalists have choked it to death. They’re the third biggest villains of climate change, after consumers and oil companies.

Do note, though, that it was the unbelievable irresponsibility of past operators that has spurred the anti-nuclear movement in the first place. See e.g. https://youtu.be/929B8sgOOTM?si=FttZr_MsbQ1hB4Nj&t=1664 from 27:44 to 31:35.
Perseids
·23 giorni fa·discuss
And as a third answer: You actually don't need to take the flywheels of the power plants offline, when you take the rest of the power plant down. The locations for them are perfect, as the whole grid has historically been build around them.
Perseids
·23 giorni fa·discuss
The limit is not how cold the water needs to be for the power plant, but how hot it can be for the river ecology to not take (too much) damage. Even in Germany power plants regularly need to be shut down.

> 2022 was another consecutive year in which water levels of major European rivers – such as the Rhine, the Danube, and the Rhône – were dangerously low and the water temperatures very high. This caused severe problems for the operation of nuclear power plants across continental Europe. Energy companies in France, Germany, Switzerland, Belgium and elsewhere had to shut down their nuclear power plants partly or fully because there was not enough cooling water available or, more commonly, because the cooling water that was returned to the river became too warm (Barber, 2022; Limb, 2022; Miller and Vladkov, 2022). Environmental regulations, designed to protect the riverine flora and fauna as far as possible, stipulated that nuclear power plants were not allowed to release cooling water above a certain temperature (European Parliament and European Council, 2000; IKSR, 2022b). The resulting unplanned outages — and the efforts by nuclear operators to avoid such disruptions — highlight pressing concerns about the sustainability of nuclear energy, particularly its impact on river ecosystems in an increasingly warming world (see Fig. 1).

https://www.sciencedirect.com/science/article/pii/S030142152...
Perseids
·24 giorni fa·discuss
You are very conservative with the upper limits, probably because you are limiting yourself to medicine. With bioengineering the upper limits are hard to grasp. Why build a house, when you can grow one. Re-imagine all machines as custom-made biology. Why upload your conscience to silicon, when your body can be anything, your brain can experience anything, you brain can be reshaped to be anything.

How much is possible there, is only constrained in our understanding of biology. How difficult that turns out to be for a super intelligence… who knows? If we are actually on the cusp of the AI singularity, the future is going to be weird and/or wonderful and/or horrible, but definitely unimaginable different than today.

My mind is kind of shooing away from this intuitively. Too hard to believe. My whole life experience has been living in a different world. But imagine if "we" could actually create human level intelligence, say, for the price of a 100k USD/EUR/GBP. It could only do knowledge work, of course, but it would easily pay for itself and thus be mass produced. What is the market cap for cheap knowledge work? I would be surprised if it is only a billion human-equivalents, given humans find new creative ways to pay for themselves all the time. That explosion alone is mind-boggling and it does not rely on super-intelligence.

All of this should make one point clear: At no other point in history has it been more important to have our power structures be aligned with the interests of society.
Perseids
·24 giorni fa·discuss
But why? I'd understand (though not approve) them tightening down everything about the car firmware to the max. They are responsible for the app, sure (it's a "digital element"), but they aren't responsible for the OS the app runs on. The CRA should not be used as an excuse to enact stupid restrictions.
Perseids
·mese scorso·discuss
Yes and that would be completely correct in many cases.

> Almost like there are aligned interests there rather than a purely adversarial relationship.

You might very well be the exception, but for something like 99% of marketing content that reaches me, our interests aren't aligned. First of all, they want to generate "needs" where there weren't any before and probably shouldn't be. A pizza ad produces the wish for unhealthy food. A fashion ad produces the wish for new clothes (even though I have enough) and probably even changes the societal dynamics of individual expression and personal style to be consumption oriented.

Second, even if I have a legitimate need for a solution, they still want me to buy their product, consume their media, give my attention to them. I, on the other hand, want to be informed by a neutral third party about the pros and cons of some product. Sure you can say "but unhappy customers are bad for us", but there are actually very few niches, where this signal is powerful enough to align incentives, because information and power asymmetry limit the customers understanding of product quality and their leverage to correct harmful market dynamics.
Perseids
·2 mesi fa·discuss
All of their issues are self-inflicted. What benefit is there to their cloud backend except getting around the home NAT? If you want to build your IoT product privacy-friendly, your cloud offering can be reduced to a STUN/rendezvous server and a proxy server as fallback [1]. Ship your devices with individual tokens to rate limit the proxy, have the STUN/rendezvous/proxy server address configurable and publish their source code for users to not be dependent on your continuous operation.

You can even go so far and have a public sub domain for each devices ( serialnumber.manufacturer.com ) which you only operate as a dumb proxy so that even the TLS certificates are negotiated end-to-end between the IoT device and Let's Encrypt. (The devices connect to your backend via Wireguard and you rate limit with their device individual key, whose public key you read out during the end-of-line production step.)

Hell, with today's browser heavy applications you can even run the whole slicer in the browser. Let the app be distributed via CDN so the code does not need to go through the proxy.

[1] In the case of non-battery operated and always or mostly on devices, like 3d printers at least.
Perseids
·2 mesi fa·discuss
Do try to follow the advice of my sibling comments, but its also okay to find out you are simply really bad at remembering names. I think I'm in the bottom 10% percent in that regard. The only way I can somewhat manage to remember the names of the people I would like to is to use Anki (spaced repetition) on a semi-daily bases. This comes down to what others would consider a crazy amount of work, but at least it is somewhat successful. It frustrating for the long tail of people I might not meet again, but where it still would be really helpful to know their name. Where I really fail is situations that don't allow me to write down names shortly after they were used, which is often the case in introduction rounds. Trying to constantly repeat all names in my head means I'm missing on the other stuff people say.
Perseids
·2 mesi fa·discuss
A side aspect of this drama is the root feature which enabled this bug:

> ugh sorry this was a bug with the 3rd party harness detection and how we pull git status into the system prompt

Claude wants to exercise control of how I use the "inclusive volume" that I purchased with my monthly subscription. This harms competition (someone else could write a more efficient or safer coding agent) and is generally not in the best interest of society. Why do we allow this?

This specific case is interesting, because it is so clear cut. There is no cross financing via ads, they already have the infrastructure to measure usage and even the infrastructure to bill extra usage. I also don't see how you can plausible make the argument that restricting usage to their blessed client is necessary for fair use or for the basic structure of their business model (this would be the standard argument for e.g. Youtube: Purposefully degrading the experience of their free client to not support background playback enables the subscription model).
Perseids
·3 mesi fa·discuss
This is the important point. You need the right to not be discriminated when you withhold your consent, otherwise your consent is effectively meaningless, as it is forced on you by your impossible bargaining position. This is one of the central pillars of the GDPR without which it wouldn't work at all. Be advised to make asking customers for consent that doesn't directly benefit them illegal as well, lest you risk creating another wave of malicious cookie banners.
Perseids
·3 mesi fa·discuss
> This is like saying we should have halted all RSA deployments until improvements in sieving stopped happening.

Absolutely not. If people were advocating for ECC only, you would have a point. But this thread is about hybrids vs ML-KEM-only (for key exchange!). Everybody here wants to deploy the algorithm your favoring and wants to deploy it now, just not without a safety net.
Perseids
·3 mesi fa·discuss
Off the top of my head?

Pro hybrid: Negligible performance impact (negligible for battery devices, negligible for data send over the wire (number of packets -> sub-discussion about specific circumstances, time on the air for cellular), negligible for speed, negligible code size increase), little implementation effort as every library already has ECC in it, ML-KEM is too new (yes actually old, but far less research interest, implementations new), conservative design choice

Pro ML-KEM only / produce a TLS RFC for non-hybrid ML-KEM: Reduction in complexity, reduction of transitions (non-hybrid is going to be the final state, so lets skip ahead already), lattice crypto is actually an old branch of cryptography (discussion over different metrics), NSA says its secure for government use, NSA stipulates use of non-hybrid and we want/need to be compatible, we want/need to have a well defined place to have a reference, if people are going to write an RFC to document non-hybrid ML-KEM let us at least have influence over what is written there, better performance (speed, data on the wire, number of packets in handshake, energy budget), actually the non-hybrid TLS connection is intended to be the inner one while the outer transport is secured with classic cryptography (or vice versa) so hybrids are a complete waste, for any interesting timeline ECC is broken anyway so it is a useless burden, we just want choice dammit, don't undermine the process dammit.

Pro hybrid only / don't produce a TLS RFC for non-hybrid ML-KEM: Let's not make it easy for people to choose wrongly by accident/incompetence/malice, actually no complexity reduction as implementations still need to implement hybrids to be compatible, TLS WG publishing something has weight and might sway others to consider non-hybrid ML-KEM, NSA might have pushed for non-hybrid ML-KEM because they believe only they can break it, don't care if US institutions are pushing for non-hybrid ML-KEM for weird internal political reasons, don't you see how this is all a ploy to weaken our crypto again?, don't undermine the process dammit.

Did I forget any important talking point? The TLS WG discussion is actually quite tiresome. For anybody new the party, here is a random pointer for a current thread: https://mailarchive.ietf.org/arch/msg/tls/7OGS_X1e-zG8O0eRJP...
Perseids
·3 mesi fa·discuss
> How do you mean the risk profile is comparable

Exactly in the way the succeeding sentence defines: "For both cases there are credible expert opinions that say the risk is incredibly overrated and credible expert opinions that say the risk is incredible underrated."

> when ECDH is nearly guaranteed to be broken in five years

Most of your argument (and that of many others pushing the contra-hybrid point) hinges on this. I don't think this position is justified. I believe there is significant risk for quantum attacks in the near term (and thus fully support the speedy adoption of hybrids), yes, but quite far away from certainty. Personally, I'd even say better than coin-flip is pushing it. I mean, look at what Scott Aaronson is writing on that matter:

"I also continue to profess ignorance of exactly how many years it will take to realize those principles in the lab, and of which hardware approach will get there first. […] This year [=2025] updated me in favor of taking more seriously the aggressive pronouncements—the “roadmaps”—of Google, Quantinuum, QuEra, PsiQuantum, and other companies about where they could be in 2028 or 2029." -- https://scottaaronson.blog/?p=9425

This is nothing like "nearly guaranteed" in five years.

> and Kyber is two decades old

But the implementations aren't and it's not been under heavy scrutiny for that long. One can very much make the point that we weren't that critical when elliptic curve cryptography entered the scene, but we do now have the luxury to have these heavily battle-tested primitives and implementations at our disposal, so why throw them out of the window so eagerly? Also an interesting comparison to elliptic curve cryptography is that it took until 2005 to get good key exchanges primitives and until 2011 to get good signature primitives (Curve25519, now known as X25519, and Ed25519 respectively) and mainstream availability of those took waaaay longer.

Coming back to this again, for second remark:

> when ECDH is nearly guaranteed to be broken in five years

Another important point is all quantum attack on ECDH will require inherently expensive equipment for the foreseeable future, see adgjlsfhk1's comment https://news.ycombinator.com/item?id=47665561 , whereas a stupid Kyber implementation error in a mainstream library can very likely end up being attackable by a Metasploit plugin. Our threat model should most definitely include nation state attackers prominently, but these are not at all the only attackers that we should focus on. There is still significant value in keeping out attackers that did not spend >100k$ on equipment.

> Yes, djb keeps making the same crankish complaint without any evidence or reason, that doesn't mean you have to repeat it uncritically.

I did not repeat it uncritically, I just happen to share his conclusion, even after months of following the pro and contra discussion. Also, how can you say he complains without reason? He has explained them at length, see https://cr.yp.to/2025/20250812-non-hybrid.pdf for example. Whether his methods of complaining are commendable or effective is another topic, though.
Perseids
·3 mesi fa·discuss
The argument is that deploying PQ-authentication mechanisms takes time. If the authenticity of some connections (firmware signatures, etc…) is critical to you and news comes out that (")cheap(") quantum attacks are going to materialize in six months, but you need at least twelve months to migrate, you are screwed.

There is also a difference between closed ecosystems and systems that are composed of components by many different vendors and suppliers. If you are Google, securing the connection between data centers on different continents requires only trivial coordination. If you are an industrial IoT operator, you require dozens of suppliers to flock around a shared solution. And for comparison, in the space of operation technology ("OT"), there are still operators that choose RSA for new setups, because that is what they know best. Change happens in a glacial pace there.
Perseids
·3 mesi fa·discuss
Super important: Don't replace traditional (elliptic curve) Diffie-Hellman with ML-KEM, but enhance it by using hybrid key exchanges. Done thusly, you need to break both the classical and post-quantum cryptography to launch an attack.

If you worry about a >=1% risk of quantum attacks being available soon, you should also worry about a >=1% risk of the relatively new ML-KEM being broken soon. The risk profile is pretty comparable. For both cases there are credible expert opinions that say the risk is incredibly overrated and credible expert opinions that say the risk is incredible underrated.

Filippo has linked opinions that quantum attacks are right around the corner. People like Dan Bernstein (djb) are throwing all their weight to stress that anything but hybrids are irresponsible. I don't think there is anybody that says "hybrids are a bad idea", just people that want to make it easy to choose non-hybrid ML-KEM.
Perseids
·4 mesi fa·discuss
Thanks, I can very much agree with that.

Re Oppenheimer: I know. My point was that he very much knew what his work was being used for, as should people working at xAI at the moment.
Perseids
·4 mesi fa·discuss
Yes, yes, true, but you've massively moved the goalpost. The original commenter was referring to people working at xAI right now. To continue your comparison, your argument would be like Oppenheimer claiming "How could I have ever known my work would be used as a weapon? I just wanted to make big explosions."

I don't know why this argument often pops up in these kinds of discussions. Approximately no one is judging people who have done their best effort to avoid doing harm. We are judging people who don't care in the first place.
Perseids
·4 mesi fa·discuss
> on-demand can never compete with mass production even if a big part of the mass produced stuff is discarded.

This is definitely not universally true. E.g. photos are very cheaply printed on demand. Even on-demand books are printed at reasonable prices. Sure, mass production is cheaper (both for books and pictures), but the value difference of the individual product is high enough to bridge the price gap.

For cloth this area has found little exploration. TFA covers production at niche scale. If you would mass produce the looms to reduce the capital expense and heavily lean into customer value, e.g. individual fittings via 3d scans, as my sister comment proposes, or even just letting me customize my sweater with motive, color choice, garment etc., this could radically change the cost to value ratio. The company that has published TFA sells extremely bland apparel in a shop that looks just like any mass produced clothing shop and leaves all of the customer value of custom production on the table.

Last but not least: This "3d knitting" seems to need only a fraction of the labor of traditional sewed clothes. If textile production didn't default to underpaid labor under precarious working conditions in low income countries, it would probably already be cheaper.
Perseids
·4 mesi fa·discuss
> But what is the option? I feel each of us wants to draw a line based off of our morality but the circumstances don't allow us to stick to it (still gotta pay rent)

I was with you up to this point, but when you say "life is to hard to stay moral" I am thinking about how buying the wrong shampoo contributes to micro plastic in the ocean, or how buying a fitting jeans that is not exploiting labor is an extremely time intensive endeavor, or how avocados may be vegan but often produced unsustainable. Basically I thought you were making this point from The Good Place https://www.youtube.com/watch?v=Lci6P1-jMV8 .

But when you are working in IT, an industry that is generally still very well of, avoiding an employer that is actively making the world a worse place, is a low bar to cross. It's just one decision every few years, which also is comparatively easy to research (you are probably doing it as your normal preparation for the job interview anyway) and the impact of that decision is enormous in comparison to most other decisions you make, so it's well worth it to ponder a bit.
Perseids
·5 mesi fa·discuss
I'm dumbfounded they chose the name of the infamous NSA mass surveillance program revealed by Snowden in 2013. And even more so that there is just one other comment among 320 pointing this out [1]. Has the technical and scientific community in the US already forgotten this huge breach of trust? This is especially jarring at a time where the US is burning its political good-will at unprecedented rate (at least unprecedented during the life-times of most of us) and talking about digital sovereignty has become mainstream in Europe. As a company trying to promote a product, I would stay as far away from that memory as possible, at least if you care about international markets.

[1] https://news.ycombinator.com/item?id=46787165