• 1 Post
  • 84 Comments
Joined 1 year ago
Cake day: July 5th, 2023


  • On the other extreme, 24/7 operations have redundancy.

    A friend of mine explained that being an Emergency Medicine physician is a great job for work life balance, despite the fact that he often has to work ridiculous shifts, because he never has to take any work home with him. An Emergency Room is a 24/7 operation, so whenever he’s at home, some other doctor is responsible for whatever happens. So he gets to relax and never think about work when he’s not at work and not on call.


  • This is wrong, because you’re talking about disability insurance in a comment thread about disability discrimination.

    Disability is very broadly defined for the purpose of disability discrimination laws, which is the context of this comment chain.

    Disability is defined specific to a person’s work skills for the purpose of long term disability insurance (like the US’s federally administered Social Security disability insurance). Depending on the program/insurance type, it might require that you can’t hold down any meaningful job, caused by a medical condition that lasts longer than a year.

    For things like short term disability, the disability is defined specific to that person’s preexisting job. Someone who gets an Achilles surgery that prevents them from operating the pedals of a motor vehicle for a few weeks would be “disabled” for the purpose of short term disability insurance if they’re a truck driver, and might not even be disabled if their day job is something like being a telemarketer who sits at a desk for their job.



  • It boils down to this: the ad was a visually detailed and drawn out destruction of things some people like and are not easily replaced. These are physical objects that people genuinely have emotional attachments to. So it’s musicians and photographers who probably had the strongest visceral response: the type of people who kept obsolete devices past their obsolescence because that was the physical artifact of the thing they learned their craft on.

    I know software developers who would’ve had the same visceral reaction to a Commodore 64 or Apple II or NES being slowly destroyed. Or even other gadgets that people loved, from a Walkman to an iPod to a Tamagotchi to the original iPhone.

    It’s not like the scene from Office Space where there’s visceral disgust for the thing being destroyed, but precisely the opposite emotions involved.




  • None of what I’m saying is unique to the mechanics of open source. It’s just that the open source ecosystem as it currently exists today has different attack surfaces than a closed source ecosystem.

    Governance models for a project are a very reasonable thing to consider when deciding whether to use a dependency for your application or library.

    At a certain point, though, that’s outsourced to trust whoever someone else trusts. When I trust a specific distro (because I’m certainly not rolling my own distro), I’m trusting how they maintain their repos, as well as which packages they include by default. Then, each of those packages has dependencies, which in turn have dependencies. The nature of this kind of trust is that we select people one or two levels deep, and assume that they have vetted the dependencies another one or two levels, all the way down. XZ did something malicious with systemd, which opened a vulnerability in sshd, as compiled for certain distros.

    You’re assuming that 100% of the source code used in a closed source project was developed by that company and according to the company’s governance model, which you assume is a good one.

    Not at all. I’m very aware that some prior hacks by very sophisticated, probably state sponsored attackers have abused the chain of trust in proprietary software dependencies. Stuxnet relied on stolen private keys trusted by Windows for signing hardware drivers. The Solarwinds hack relied on compromising plugins trusted by Microsoft 365.

    But my broader point is that there are simply more independent actors in the open source ecosystem. If a vulnerability takes the form of the weakest link, where compromising any one of the many independent links is enough to gain access, that broadly distributed ecosystem is more vulnerable. If a vulnerability requires chaining different things together so that multiple parts of the ecosystem are compromised, then distributing decision-making makes the ecosystem more robust. That’s the tradeoff I’m describing, and making things spread too thin introduces the type of vulnerability that I’m describing.


  • In the broader context of that thread, I’m inclined to agree with you: The circumstances by which this particular vulnerability was discovered show that it took a decent amount of luck to catch it, and one can easily imagine a set of circumstances where this vulnerability would’ve slipped by the formal review processes that are applied to updates in these types of packages. And while it would be nice if the billion-dollar companies that rely on certain packages would provide financial support for the open source projects they use, the question remains of how we should handle it when those corporations don’t. Do we front it ourselves, or just live with the knowledge that our security posture isn’t optimized for safety, because nobody will pay for that improvement?


  • GamingChairModel@lemmy.world to linuxmemes@lemmy.world, on “Backdoors” (13 up, 1 down; edited, 3 months ago)

    100%.

    In many ways, distributed open source software gives more social attack surfaces, because the system itself is designed to be distributed where a lot of people each handle a different responsibility. Almost every open source license includes an explicit disclaimer of a warranty, with some language that says something like this:

    THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

    Well, bring together enough dependencies, and you’ll see that certain widely distributed software packages depend on the trust of dozens, if not hundreds, of independent maintainers.

    This particular xz vulnerability seems to have affected systemd and sshd, using what was a socially engineered attack on a weak point in the entire dependency chain. And this particular type of social engineering (maintainer burnout, looking for a volunteer to take over) seems to fit more directly into open source culture than closed source/corporate development culture.

    In the closed source world, there might be fewer places to probe for a weak link (socially or technically), which makes certain types of attacks more difficult. In other words, it might truly be the case that closed source software is less vulnerable to certain types of attacks, even if detection/audit/mitigation of those types of attacks is harder for closed source.

    It’s a tradeoff, not a free lunch. I still generally trust open source stuff more, but let’s not pretend it’s literally better in every way.


  • Good writeup.

    The use of ephemeral third party accounts to “vouch” for the maintainer seems like one of those things that isn’t easy to catch in the moment (when an account is new, it’s hard to distinguish between a new account that will be used going forward versus an alt account created for just one purpose), but leaves a paper trail for an audit at any given time.

    I would think that Western state sponsored hackers would be a little more careful about leaving that trail of crumbs that becomes obvious in an after-the-fact investigation. So that would seem to weigh against Western governments being behind this.

    Also, the last bit about all three names seeming like three different systems of Romanization of three different dialects of Chinese is curious. If it is a mistake (and I don’t know enough about Chinese to know whether having three different dialects in the same name is completely implausible), that would seem to suggest that the sponsors behind the attack aren’t that familiar with Chinese names (which weighs against the Chinese government being behind it).

    Interesting stuff, lots of unanswered questions still.



  • Apple TV+ and Apple Music do have first party status, subtly favored by the operating system itself. The Siri/search integration is tighter with those services than competing services, which is especially important on a TV interface (where there isn’t a keyboard or mouse or touchscreen). I think search for music still only looks at the Apple Music catalog and won’t search Spotify/YouTube/Tidal.

    It’s not a glaringly obvious promotion of their own products, but that’s what I mean when I say that Apple pushes users towards their own stores. On desktop and mobile, they’re pushing Apple’s own paid cloud storage (and won’t let competing services fulfill the same functionality), at the OS level.



  • Apple TV is just a grid of Apps whereas the Google homescreen immediately hits you with an ad for a show on a streaming service you might not even have.

    Apple TV+, the streaming service, does show ads for content. It’s one of the worst, in my opinion, at pre-roll ads for other shows you didn’t click on.

    Then, in the interface, you’ll get banner-like ads for other stuff, mostly Apple TV+ exclusives. The interface also pushes casual browsing (or search) toward the paid buy/rent options.

    Apple’s days of focusing on user experience above all else have shifted towards getting you to pay for stuff. Just because it mainly steers towards stores they own (app store, music/movies/TV, services subscriptions) doesn’t make the advertising any less intrusive.



  • That problem will always exist to some degree. We want good access to the ability to repair (in our laws, in how things are engineered or designed, in our supply chains and in industry support, in our cultural expectations, etc.), but there will always be certain types of repairs that will cost more than manufacturing a new one from scratch.

    Sometimes repairing some component will take more work than the entire component is worth. For example, the extreme example of a stripped screw shows us that replacing a stripped screw is cheaper and easier than trying to re-machine that same chunk of metal back into a screw shape.

    Or some types of breakage just can’t be repaired practically. A torn piece of paper can be taped back together, but it isn’t quite the same as a new piece of paper.

    Or the repair might require work done on a particular place that makes that labor more expensive. Welding a leaking pipe might be slower and more expensive than replacing that pipe, if the leak happens to be in a place that is hard to access. Or, as you learned, paying for a repairman to drive from one place to another with the right part might cost more than just the general cost of delivery of the whole thing.

    Often, troubleshooting will take a skilled troubleshooter much more time, and their time is worth more than the cost of replacing the broken thing, perhaps by a less skilled technician.

    As the price of a thing goes down compared to the cost of the labor to fix it, the calculus of whether a particular repair is worth the cost is going to shift towards replacement rather than repair. And that’s not always a bad thing, as it usually means the thing is getting more affordable, or people’s time is getting more valuable.