

To save on costs, QAs could be paid in exposure.
As an experiment / as a bit of a gag, I tried using Claude 3.7 Sonnet with Cline to write some simple cryptography code in Rust - use ECDHE to establish an ephemeral symmetric key, and then use AES256-GCM (with a counter in the nonce) to encrypt packets from client->server and server->client, using off-the-shelf RustCrypto libraries.
It got the interface right, but it got some details really wrong:
`wrapping_add` to increment the 32-bit sequence number! For those who don’t know much Rust and/or much cryptography: the golden rule of using ciphers like GCM is that you must never ever re-use the same nonce for the same key (otherwise you leak the XOR of the two messages). `wrapping_add` explicitly means when you get up to the maximum number (and remember, it’s only 32 bits, so there’s only about 4.3 billion numbers) it silently wraps back to 0. The secure implementation would be to explicitly fail if you go past the maximum size for the integer before attempting to encrypt / decrypt - and the smart choice would be to use at least 64 bits.
To be fair, I didn’t really expect it to work well. Some kind of security auditor agent that does a pass over all the output might be able to find some of the issues, and pass it back to another agent to correct - which could make vibe coding more secure (to be proven).
But right now, I’d not put “vibe coded” output into production without someone going over it manually with a fine-toothed comb looking for security and stability issues.
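
The counter handling discussed in the comment above, as an added example that is not part of the original comment and not the generated code it describes: a wrapping 32-bit sequence number beside a 64-bit counter that fails closed. It uses only the standard library; the names `NonceSequence`, `NonceExhausted` and `wrapping_next`, and the 4-byte direction tag, are assumptions made for illustration.

```rust
// Added example: nonce sequencing only. The 12-byte value is what would be
// handed to the AEAD (e.g. AES-256-GCM) for each packet. Names are illustrative.

#[derive(Debug, PartialEq)]
pub struct NonceExhausted;

/// The flawed pattern: a 32-bit sequence number that silently wraps.
pub fn wrapping_next(seq: &mut u32) -> u32 {
    let issued = *seq;
    *seq = seq.wrapping_add(1); // u32::MAX + 1 becomes 0: nonce 0 is reused
    issued
}

/// Fail-closed source of 96-bit nonces: 4-byte direction tag + 64-bit counter.
/// The direction tag is an assumption, for when both directions share one key.
pub struct NonceSequence {
    direction: [u8; 4],
    next: Option<u64>, // None once every counter value has been issued
}

impl NonceSequence {
    pub fn starting_at(direction: [u8; 4], start: u64) -> Self {
        Self { direction, next: Some(start) }
    }

    /// Returns a nonce never issued before by this sequence, or an error.
    pub fn next_nonce(&mut self) -> Result<[u8; 12], NonceExhausted> {
        let counter = self.next.ok_or(NonceExhausted)?;
        self.next = counter.checked_add(1); // None on overflow, never wraps
        let mut nonce = [0u8; 12];
        nonce[..4].copy_from_slice(&self.direction);
        nonce[4..].copy_from_slice(&counter.to_be_bytes());
        Ok(nonce)
    }
}

fn main() {
    let mut seq = u32::MAX;
    let issued = wrapping_next(&mut seq);
    println!("wrapping: issued {issued}, next is {seq} (already used)");

    // Start at the last valid counter to show the failure path quickly.
    let mut c2s = NonceSequence::starting_at(*b"C2S\0", u64::MAX);
    println!("last nonce: {:02x?}", c2s.next_nonce());
    println!("after that: {:?}", c2s.next_nonce()); // Err(NonceExhausted)
}
```

When `next_nonce` returns `NonceExhausted`, the session has to stop encrypting under that key and establish a fresh one rather than continue.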
The awkwardness here actually works in favour of abolishing tips and replacing them with the pay being factored into higher prices.
No one wants to be the sucker - human nature is that people are generous if they think everyone else is generous, but if they feel that others are not ‘pulling their weight’ on generosity and are instead taking advantage, that’s the fastest way to dry up other people’s generosity. Right-wing media use this fact to undermine support for social welfare - e.g. if 0.001% of welfare payments are fraudulently taken, they set editorial policy that makes it seem like beneficiaries are rorting the system instead of being truly needy.
But when it comes to tipping, the dynamic actually works the other way - people feel generous by tipping, even though it is harmful long term. If a few people ahead of someone in the line don’t tip, should they be the sucker who does tip? And for the employee, you want them to be the advocate on the inside for forcing people to pay their share instead of taking advantage - by having the displayed price be the total upfront price that includes the compensation for employees, instead of an optional tip.
There is a minimum amount of total money the employee could make before they’d go and work somewhere else instead. So if, hypothetically, everyone in a country where tipping is common even for non-exceptional service just stopped paying tips, hospitality employers would be forced to pay more to stay competitive with other non-customer-facing industries.
Of course, a drastic shock to the economy like that would probably cause a lot of upheaval, as some employers struggle to accept the new norm.
However, the same thing would work even if the change was slower - e.g. if 5% of people didn’t tip, and did it very obviously and vocally, and then the practice spread as it reached 10% and so on.
Obviously it sucks for the employees who get hit by the first few non-tippers, but over the long term it would be for the better for worker rights. So I could absolutely see it working.
That said, I say this from a country where tipping is not the norm (except maybe the occasional ‘keep the change’ for exceptional service), and the law and expectation is that the most prominent displayed price is the total price you pay - and people react very negatively towards businesses seen as trying to bring in American style tipping culture.
I believe nothing in the `podman rm` family worked because the container was already gone - it was just the IP allocation that was left.
But don’t you see the benefit - the data on your flushes helps our Trusted† FlushMe Partners ® provide more relevant service to you, and also helps us partially offset the cost of running our flush servers, allowing us to provide service to you for only $29.99 monthly††!
†: All FlushMe partners have undergone creditworthiness checks. ††: Limited time one month introductory offer. FlushMe may, but is not required to, provide you with a personalised monthly price for renewal of the service.
To quote Du Mu’s commentary on Sun Tzu’s Art of War: “If our force happens to be superior to the enemy’s, weakness may be simulated in order to lure him on; but if inferior, he must be led to believe that we are strong, in order that he may keep off”.
So the fact they are switching from simulating weakness to pleading strength is not necessarily a good sign. That said, they may be hoping that the enemy will see it as a sign of weakness, and launch an attack that they actually are well prepared to win.
Why not donate to a local charity that might not receive as much, rather than a US based one?
Now if they could automate LineageOS installation and getting it to pass Play Integrity to the Strong level, that would actually be useful!
Russia already had an agreement with Ukraine to respect the 1994 boundaries of Ukraine - the Budapest Memorandum.
It’s like if someone promised not to burgle your house. Then they burgle your house anyway - but promise they’ll stop burgling for real if you promise to let them keep the stuff they already took, and throw in some more, and promise never to lock your doors.
TIOBE is meaningless - it is just search engine result numbers, which for many search engines are likely a wildly inaccurate estimate of how many results match in their index. Many of those matches will not be about the relevant language, and the numbers probably have very little correlation to who uses it (especially for languages that are single letter, include punctuation in the name, or are a common English word).
Here’s an idea: if the US wants a say in the ICC, maybe they should sign the Rome Statute.
The fear that people who like to talk about the singularity like to propose is that there will be one ‘rogue’ misaligned ASI that progressively takes over everything - i.e. all the AI in the world works against all the people.
My point is that, more likely, there will be lots of ASI or AGI systems, not aligned to each other, most on the side of the humans.
I think any prediction based on a ‘singularity’ neglects to consider the physical limitations, and just how long the journey towards significant amounts of AGI would be.
The human brain has an estimated 100 trillion neuronal connections - so probably a good order of magnitude estimation for the parameter count of an AGI model.
If we consider a current GPU, e.g. the 12 GB GFX 3060, it can hold about 24 billion parameters at 4 bit quantisation (in reality a fair few less), and uses 180 W of power. So that means an AGI might use 750 kW of power to operate. A super-intelligent machine might use more. That is a farm of 2500 300W solar panels, while the sun is shining, just for the equivalent of one person.
Now to pose a real threat against the billions of humans, you’d need more than one person’s worth of intelligence. Maybe an army equivalent to 1,000 people, powered by 8,333,333 GPUs and 2,500,000 solar panels.
That is not going to materialise out of the air too quickly.
In practice, as we get closer to an AGI or ASI, there will be multiple separate deployments of similar sizes (within an order of magnitude), and they won’t be aligned to each other - some systems will be adversaries of any system executing a plan to destroy humanity, and will be aligned to protect against harm (AI technologies are already widely used for threat analysis). So you’d have a bunch of malicious systems, and a bunch of defender systems, going head to head.
The real AI risks, which I think many of the people ranting about singularities want to obscure, are:
I looked into this previously, and found that there is a major problem for most users in the Terms of Service at https://codeium.com/terms-of-service-individual.
Their agreement talks about “Autocomplete User Content” as meaning the context (i.e. the code you write, when you are using it to auto-complete, that the client sends to them) - so it is implied that this counts as “User Content”.
Then they have terms saying you licence them all your user content:
“By Posting User Content to or via the Service, you grant Exafunction a worldwide, non-exclusive, irrevocable, royalty-free, fully paid right and license (with the right to sublicense through multiple tiers) to host, store, reproduce, modify for the purpose of formatting for display and transfer User Content, as authorized in these Terms, in each instance whether now known or hereafter developed. You agree to pay all monies owing to any person or entity resulting from Posting your User Content and from Exafunction’s exercise of the license set forth in this Section.”
So in other words, let’s say you write a 1000 line piece of software, and release it under the GPL. Then you decide to trial Codeium, and autocomplete a few tiny things, sending your 1000 lines of code as context.
Then next week, a big corp wants to use your software in their closed source product, and don’t want to comply with the GPL. Exafunction can sell them a licence (“sublicence through multiple tiers”) to allow them to use the software you wrote without complying with the GPL. If it turns out that you used some GPLd code in your codebase (as the GPL allows), and the other developer sues Exafunction for violating the GPL, you have to pay any money owing.
I emailed them about this back in December, and they didn’t respond or change their terms - so they are aware that their terms allow this interpretation.
I think the most striking thing is that for outsiders (i.e. non repo members) the acceptance rates for gendered are lower by a large and significant amount compared to non-gendered, regardless of the gender on Google+.
The definition of gendered basically means including the name or photo. In other words, putting your name and/or photo as your GitHub username is significantly correlated with decreased chances of a PR being merged as an outsider.
I suspect this definition of gendered also correlates heavily with other forms of discrimination. For example, name or photo likely also reveals ethnicity or skin colour in many cases. So an alternative hypothesis is that there is racism at play in deciding which PRs people, on average, accept. This would be a significant confounding factor with gender if the gender split of Open Source contributors is different by skin colour or ethnicity (which is plausible if there are different gender roles in different nations, and obviously different percentages of skin colour / ethnicity in different nations).
To really prove this is a gender effect they could do an experiment: assign participants to submit PRs either as a gendered or non-gendered profile, and measure the results. If that is too hard, an alternative for future research might be to at least try harder to compensate for confounding effects.
I think (unless I misunderstood the paper), they only included people who had a Google+ profile with a gender specified in the study at all (this is from 2016 when Google were still trying to make Google+ a thing).
Note that VPN is just trusting a different network.
If you trust your VPN provider not to misuse your unencrypted traffic / inject exploits, but not your mobile phone provider (or any other network provider you might roam onto), then a VPN provider could help.
If you trust your VPN provider less than the mobile phone provider, the situation is reversed - you would be better not to use a VPN.
If you trust them equally, there is probably no point using a VPN (except for the roaming situation, which could be forced in certain circumstances).
True, except the difference is that Israel is still taking occupied land and building settlements, and excluding the people born there from them.
The government at least needs to pick one of the two options to move forward (as well as acknowledging and making reparations for those with traditional connections to the land who were affected by past injustices):
The problem is the current right-wing extremists in power in Israel do not want either solution; they want to have it both ways - when it comes to ownership and control, they want to deny the existence of a Palestinian state. But when it comes to citizenship, they want to claim everyone born on the land they occupy is not Israeli so they can deny them rights and exploit them. Their life is substantially controlled by the Israeli state, but they get no say in the leadership of the state - undermining claims it is a democracy. They don’t have equal protection under the law - Israeli authorities protect settlers taking land against people with generational connections to the land.
None of this is new in history, as you point out. Most of the Roman Empire, most of the former British Commonwealth, etc… had similar things in the past, with massacres of the native people, lands confiscated, native people being treated as having fewer rights than the colonialists, etc…
What is different is that those are all past atrocities (although fair reparations have still not been paid in many cases, at least further atrocities are generally not continuing to anything like the same extent), while Israel continues to commit the same atrocities to this very day.
I used to buy Xiaomi products because of the bootloader unlocking, but in practice it is a dystopian nightmare - they have built it so to unlock the bootloader you need a cryptographic signature from them, and they don’t give that out all that easily.
You have to sign up for an account with them, use a Windows-only tool to request unlocking, and they have a long wait period (deliberately imposed) to unlock, which sometimes randomly restarts. The wait period is different for different models, and can be weeks.
Their support are unwilling to help unlock immediately even for replacement devices where you want to get up and going quickly - if your device breaks (they are not the most durable phones IMO, as you note) and you get a replacement, you’ll have to wait the time again before you can restore a backup of a phone using a custom ROM.
It’s possible they have improved, but because of their attitude around what I can do with my own hardware, I’ve stopped buying Xiaomi gear.