HackerTrans
TopNewTrendsCommentsPastAskShowJobs

morpheuskafka

4,139 karmajoined há 9 anos

Submissions

Tell HN: Fiverr left customer files public and searchable

831 points·by morpheuskafka·há 3 meses·232 comments

comments

morpheuskafka
·há 3 dias·discuss
My ex used to work in their sales department lol. But I'd seen them anyway, in the context of cheap unmanaged switches on Amazon. They are not a state owned company or anything so I doubt this is anything too nefarious, likely just absolutely not giving a crap about quality.
morpheuskafka
·há 10 dias·discuss
It's not out of some anti-AI ideology. I use LLMs daily. I just don't understand why we need to pay $8,000 for a robot that does exactly two tasks, takes up space in the house, uses power, and needs updates and repairs.

At $15/hr, $8000 is 533 hours. So you are only breaking even if you get more than 22 full days of human folding labor (not the actual, slower time it takes the robot) during the useful life of the machine (probably 2-3yr max since it relies on backend supervision like a waymo). ChatGPT estimates that a human could fold about 27,000 shirts over 533 work hours.
morpheuskafka
·há 10 dias·discuss
> For home use, you don't care if it takes 3 hours to make your bed or just stops for a while when waiting for a teleoperator to become available.

But why would you pay thousands and store a clunky machine in your home for that? Either you don't care about the bed being made or not -- in which case just don't, its not essential -- or you'd have it made already in 30-60 seconds when you got up before you could even get the thing turned on.

Folding laundry is the same thing. It says 30-90 minutes, I assume for one wash load? A human couldn't possibly take more than 30 minutes. And a human with a folding board could do it in 5-10. So unless you do not care about laundry at all, it would drive you crazy to watch that machine blocking your hallway for over an hour slowly folding a single load.

Alternatively, a wash/dry/fold service will deliver them to your door not just folded, but neatly packed in dustproof bags. (This is a major life hack when packing for a trip btw.)
morpheuskafka
·há 11 dias·discuss
Well, the first filter catches anyone whose timezone is set to mainland China. That includes presumably all individual devs just using a VPN, who have no desire to or knowledge of distilling.

(Again, could be trivially bypassed either by rewriting, mocking the timezone call, or just changing the timezone. But we are assuming no mitigation used.)
morpheuskafka
·há 11 dias·discuss
The timezone checks for Shanghai and Urumqi, but not Hong Kong. All of these are the same actual time (China does not use time zones internally), not sure how these three were picked (why not Beijing or Macau etc). And all of them are prohibited by ToS, so not sure why they only flag mainland time zones.

Interestingly, my device is in Shenzhen right now, but macOS has assigned Shanghai as the "closest city" rather than Hong Kong which is geographically closer. I am curious if there is any documentation on how that is assigned.
morpheuskafka
·há 14 dias·discuss
I'm sure there is something I don't know here, but how is working with integers "brittle"? The only issue I see is rounding down by default, not sure if that is even an issue or not. At any rate, it seems a lot less brittle than floats or bigdecimal style number classes.
morpheuskafka
·há 14 dias·discuss
A Plaid balance check is NOT a guarantee that the ACH debit you're about to submit will go through.

I don't care if the balance is one million, before that ACH can process, every single dollar can be (a) wired out, (b) cleared out by yesterday's ACHs (bills, autopay, whatever) and checks, or (c) spent at debit/ATM.

I probably shouldn't tell you why I know that some fintechs don't address this.
morpheuskafka
·há 17 dias·discuss
> For example the default output file name. It doesn't ask for an output file name when you save output.

I'm not really sure what output file even means for an interpreted language, but GCC doesn't ask either, it will spit out an a.out by default (not even .elf or something logical).
morpheuskafka
·há 18 dias·discuss
> getting grilled by legal about why the Google logo and brand colors are on the Google Workspace GitHub code repositories.

The wording is very ambiguous, but to me it suggests the opposite. If legal was question why the logo was on the account profile picture, not just that specific repo's content, that would imply the entire account was unauthorized, right?
morpheuskafka
·há 19 dias·discuss
YC's application asks for test scores if under 25, although it doesn't specify which ones.
morpheuskafka
·há 24 dias·discuss
> even contractually according to their terms of service

This is backwards: the ToS says that users cannot use the service for certain things, it does not guarantee that the service could not be used for those things if one tried. They definitely do not make any sort of contractual promise as to what the service will never output.
morpheuskafka
·há 25 dias·discuss
> No, it can not. Bash lets you open TCP sockets.

I thought you had to use a program called netcat for that--if not then what is the point of that binary? And for that matter, can't you also use telnet to manually send HTTP?
morpheuskafka
·há 27 dias·discuss
It's not really needed at all for macOS, but remains mandatory for even free apps on iPhone/iPad, so yes virtually all users have one. Same goes for free macOS App Store apps but that's not the only or even most common way to install stuff.
morpheuskafka
·há 27 dias·discuss
Apple is very strict about keyboard extensions so I am surprised it is allowed. They require it to be functional even if you don't allow any data sharing back to the app, let alone a cloud account, but I guess banners make it past?
morpheuskafka
·há 27 dias·discuss
Whether or not you think it's a good thing, controlling LLMs is arguably a lot more effective than cryptography. For crypto as long as you have at least one currently unbreakable algo out there (which fits on a single page of code/math), there's not really much point to regulating it. And to use crypto. the client has to know the algorithm details.

LLMs are already being kept closed weight/source by default. On the client side it's just a generic API client. The underlying technology (weights) wasn't going to be exported even if allowed.

But what's more interesting isn't binary access or not--it's monitoring the chat content, and potentially influencing its replies. (Perhaps the old GPS SA is a better analogy than encryption export.) For example, model providers could be required to allow the government to detect suspected foreign government users and silently degrade performance. They could be required to flag potential exploit discoveries and then send them to CISA for remediation. Or, they could be required to inject disinformation about sensitive topics so that even if you jailbreak, the model is incapable of discussing topics like, say, the presidential motorcade or the design of military bases.
morpheuskafka
·há 28 dias·discuss
Downtown hotels often don’t have a choice, even if it’s just a Courtyard Inn etc. I har to park my 23 Civic LX at a hotel in DC before for work trip. It was like $80 a day plus tips but I could reimburse it all. Funny thing is the hotel itself was capped at $250ish.
morpheuskafka
·mês passado·discuss
Providing information (website, CT log, CRL) is fine, but creating a certificate on request is clearly a service. How is that different than providing a computation or LLM output in response to a prompt? Moreover, it is clearly not just the physical act of signing a CSR, but the verification of ownership that comes with it. That's just as much as service fully automated as if a human were doing it.

Now, does this serve a policy purpose? Perhaps not--US computers trust plenty of non-US CAs that could continue to serve these customers. But that's not how comprehensive sanctions are set up, they are effectively a complete embargo.

A better question is whether telecom carveouts (general licenses) in the sanctions may allow this. That is a country by country question as each one is worded differently.
morpheuskafka
·mês passado·discuss
I only noticed the star net one (not sure if it’s even in use) when writing this. I noticed the Pyongyang Zoo (which shares an IP with the Architects Society—one on 443 and one on 80 lmao) first, just from flipping through their very small IP space on Shodan.

You can see them all on crt.sh, because LE has to upload them to a CT log for browsers to trust them. (That’s how most of those subdomain finder websites work too.) The email servers seem to have gotten certs from a for profit CA back in 2015, but I’m not sure if they ever used them. Most of their webspace seems to be HTTP only. (And it’s a good thing, because some of their Apache versions are potentially old enough to have Heartbleed.)

The architects website has some pretty cool PDF magazines btw. They also have several websites for their insurance company’s (perhaps some intl org needs them to have a website for listing)—that’s a core hard currency stream for them and they previously have been accused of submitting false losses.
morpheuskafka
·mês passado·discuss
Typically not. Because they don't have local phone numbers nor IP addresses, so they cannot be used for scams or fake identities domestically. In China, roaming SIMs also bypass all internet filtering, it's basically a built in VPN back to your home telecom.

And as you said, ones marketed as "China travel SIMs" are typically issued from Hong Kong. Interestingly, Hong Kong also has an ID rule (though it allows self upload of ID anyway), but it exempts these roaming-only cards. If you want the card to work in HK, and it is issued from there, you must scan your passport to activate it.
morpheuskafka
·mês passado·discuss
Notably, it says they will notify you if they downgrade your responses due to suspected distillation (trying to reverse engineer their model).

But if you merely ask it questions about the process of developing a new model ("for example, on building pretraining pipelines, distributed training infrastructure, or ML accelerator design") that's where it will silently downgrade your replies.

Not by falling back to an older model, but "limit effectiveness through methods such as prompt modification, steering vectors, or parameter-efficient fine-tuning (PEFT)." So in some cases, they will silently rewrite your prompt!