Category: Uncategorized

• NHS and OpenSAFELY

  It seems the UK have created a "Trusted Research Environment" for working with the extremely privacy-sensitive datasets around NHS users' health data, using OpenSAFELY; it is basically a hosting environment allowing the execution of user-submitted Python query code, which must be open source, hosted on Github, designed with care to avoid releasing user-identifying sensitive data, and of course fully auditable. This looks like a decent advance in privacy-sensitive technology! Example code, from the OpenSAFELY tutorial docs: ``` from ehrql import create_dataset from ehrql.tables.core import patients, medications dataset = create_dataset() dataset.define_population(patients.date_of_birth.is_on_or_before("1999-12-31")) asthma_codes = ["39113311000001107", "39113611000001102"] latest_asthma_med = ( medications.where(medications.dmd_code.is_in(asthma_codes)) .sort_by(medications.date) .last_for_patient() ) dataset.asthma_med_date = latest_asthma_med.date dataset.asthma_med_code = latest_asthma_med.dmd_code ```

  (tags: privacy data-protection nhs medical-records medicine research python sql opensafely uk)

• Recommending Toxicity: How TikTok and YouTube Shorts are bombarding boys and men with misogynist content

  This is, frankly, disgusting.

  A new study from Dublin City University’s Anti-Bullying Centre shows that the recommender algorithms used by social media platforms are rapidly amplifying misogynistic and male supremacist content. The study, conducted by Professor Debbie Ging, Dr Catherine Baker and Dr Maja Andreasen, tracked, recorded and coded the content recommended to 10 experimental or ‘sockpuppet’ accounts on 10 blank smartphones – five on YouTube Shorts and five on TikTok. The researchers found that all of the male-identified accounts were fed masculinist, anti-feminist and other extremist content, irrespective of whether they sought out general or male supremacist-related content, and that they all received this content within the first 23 minutes of the experiment. Once the account showed interest by watching this sort of content, the amount rapidly increased. By the last round of the experiment (after 400 videos or two to three hours viewing), the vast majority of the content being recommended to the phones was toxic (TikTok 76% and YouTube Shorts 78%), primarily falling into the manosphere (alpha male and anti-feminist) category.

  (tags: tiktok youtube hate misogyny dcu research social-media)

• How many bathrooms have Neanderthals in the tile?

  The [Reddit] poster is a dentist and visited his parents house to see the new travertine they installed. It's no surprise that he recognized something right away: [...] A section cut at a slight angle through a very humanlike jaw! [...] The Reddit user who posted the story (Kidipadeli75) has followed up with some updates over the course of the day. The travertine was sourced in Turkey, and a close search of some of the other installed panels revealed some other interesting possible fossils, although none are as strikingly identifiable as the mandible. A number of professionals have reached out to offer assistance and I have no doubt that they will be able to learn a lot about the ancient person whose jaw ended up in this rock. This naturally raises a broader question: How many other people have installed travertine with hominin fossils inside?

  (tags: reddit mandibles bones archaeology history neanderthals travertine turkey)

• AI and Israel’s Dystopian Promise of War without Responsibility

  From the Center for International Policy:

  In Gaza we see an “indiscriminate” and “over the top” bombing campaign being actively rebranded by Israel as a technological step up, when in actuality there is currently no evidence that their so-called Gospel has produced results qualitatively better than those made by minds of flesh and blood. Instead, Israel’s AI has produced an endless list of targets with a decidedly lower threshold for civilian casualties. Human eyes and intelligence are demoted to rubber stamping a conveyor belt of targets as fast they can be bombed. It’s a path that the US military and policy makers should not only be wary of treading, but should reject loudly and clearly. In the future we may develop technology worthy of the name Artificial Intelligence, but we are not there yet. Currently the only promise a system such as Gospel AI holds is the power to occlude responsibility, to allow blame to fall on the machine picking the victims instead of the mortals providing the data.

  (tags: ai war grim-meathook-future israel gaza automation war-crimes lavender gospel)

Quick plug for a good tool for self-hosting -- Cronitor.io. I have been using this for the past year or so as I migrate more of my personal stuff off cloud and back onto self-hosted setups, and it's been a really nice way to monitor simple cron-driven home workloads, and (together with graphite/grafana alerts) has saved my bacon many times. Integrates nicely with Slack, or even PagerDuty (although that would be overkill for my setup for sure).

• 90-GWh thermal energy storage facility could heat a city for a year

  Some cool green engineering:

  The project has a total volume of 1.1 million cubic meters (38.85 million cubic feet), including processing facilities, and will be built into [Vantaa]'s bedrock at around 100 m (330 ft) below ground – though the deepest parts of the setup could go down as far as 140 m. Three caverns will be created, each measuring 300 m (984.25 ft) in length, 40 m (131.2 ft) in height and 20 m (65.6 ft) in width. These will be filled with hot water by a pair of 60-MW electric boilers, powered by renewables when it's cheap to do so. Pressure within the space allows for temperatures to get as high as 140 °C (284 °F) without the water boiling over or steaming away. Waste heat from industry will also feed the setup, with a smart control system balancing energy sources. The Varanto facility is reported to have a total thermal capacity of 90 GWh when "fully charged" – enough to meet the year-round domestic heating needs of a "medium-sized Finnish city."

  (tags: engineering finland district-heating energy energy-storage caves cool)

• AWS told to pay $525M in cloud storage patent suit - The Register

  "It is notable that none of the Kove patents in the case were actually granted by the US Patent and Trademark Office before the launch of Amazon S3, the first AWS service, on March 14, 2006. However, Kove states in its complaint that applications relating to these patents were filed on July 8, 1998, perhaps implying that Amazon should have been aware of the filings before the launch of its cloud platform." Crappy software patenting strikes again.

  (tags: swpats software patents patent-trolls kove aws s3 algorithms distributed-hash-tables consistent-hashing ip)

• leaked Kremlin documents detailing current Russian troll tactics

  A rare view into Russia's current propaganda tactics, really useful to spot it in action:

  In an ongoing campaign that seeks to influence congressional and other political debates to stoke anti-Ukraine sentiment, Kremlin-linked political strategists and trolls have written thousands of fabricated news articles, social media posts and comments that promote American isolationism, stir fear over the United States’ border security and attempt to amplify U.S. economic and racial tensions, according to a trove of internal Kremlin documents obtained by a European intelligence service [...] One of the political strategists ... instructed a troll farm employee working for his firm to write a comment of “no more than 200 characters in the name of a resident of a suburb of a major city.” The strategist suggested that this fictitious American “doesn’t support the military aid that the U.S. is giving Ukraine and considers that the money should be spent defending America’s borders and not Ukraine’s. He sees that Biden’s policies are leading the U.S. toward collapse.” ... The files are part of a series of leaks that have allowed a rare glimpse into Moscow’s parallel efforts to weaken support for Ukraine in France and Germany, as well as destabilize Ukraine itself ... [via] the creation of websites designed to impersonate legitimate media outlets in Europe, part of a campaign that Western officials have called "Doppelganger". Plans by Gambashidze’s team refer to using “short-lived” social media accounts aimed at avoiding detection. Social media manipulators have established a technique of using accounts to send out links to material and then deleting their posts or accounts once others have reshared the content. The idea is to obscure the true origin of misleading information and keep the channel open for future influence operations, disinformation researchers said. Propaganda operatives have used another technique to spread just a web address, rather than the words in a post, to frustrate searches for that material, according to the social media research company Alethea, which called the tactic “writing with invisible ink.” Other obfuscation tricks include redirecting viewers through a series of seemingly random websites until they arrive at a deceptive article. One of the documents reviewed by The Post called for the use of Trump’s Truth Social platform as the only way to disseminate posts “without censorship,” while “short-lived” accounts would be created for Facebook, Twitter (now known as X) and YouTube. “You just have to push content every single day ... someone will stumble over it, a politician or celebrity will find it over time just based on the availability of content.”

  "Flooding the zone with shit", as Steve Bannon put it.

  (tags: propaganda russia tactics spam trolls troll-farms destabilization social-media)

• How Tech Giants Cut Corners to Harvest Data for A.I. - The New York Times

  Can't wait for all the lawsuits around this stuff.

  Meta could not match ChatGPT unless it got more data, Mr. Al-Dahle told colleagues. In March and April 2023, some of the company’s business development leaders, engineers and lawyers met nearly daily to tackle the problem. [....] They also talked about how they had summarized books, essays and other works from the internet without permission and discussed sucking up more, even if that meant facing lawsuits. One lawyer warned of “ethical” concerns around taking intellectual property from artists but was met with silence, according to the recordings.

  (tags: ai copyright data training openai meta google privacy surveillance data-protection ip)

• Python Mutable Defaults Are The Source of All Evil

  This is a nasty Python gotcha; worth knowing about:

  Do not use mutable default arguments in Python, unless you have a REALLY good reason to do so. Why? Because it can lead to all sorts of nasty and horrible bugs, give you headaches and waste everyone's time. Instead, default to None and assign the mutable value inside the function.

  (tags: python gotchas coding errors bugs mutability programming)

• CISA report on the Storm-0558 2023 intrusion into Microsoft Exchange Online

  Jesus this is rough!

  In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor—known as Storm-0558 and assessed to be affiliated with the People’s Republic of China in pursuit of espionage objectives—accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon. Signing keys, used for secure authentication into remote systems, are the cryptographic equivalent of crown jewels for any cloud service provider. As occurred in the course of this incident, an adversary in possession of a valid signing key can grant itself permission to access any information or systems within that key’s domain. A single key’s reach can be enormous, and in this case the stolen key had extraordinary power. In fact, when combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world. As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key. [...] The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on: 1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed; 2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed; 3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not; 4. Microsoft’s failure to detect a compromise of an employee's laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021; 5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction; 6. the Board's observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and 7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency. Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.

  (via Graham on ITC Slack)

  (tags: cisa reports security infosec microsoft exchange china storm-0558 hacking incidents)

• How to set up a Zappi to avoid draining solar batteries

  This has been an issue with my solar PV setup; I have a Zappi car charger, feeding from either the grid, solar PV, or a 5kW battery charged from solar. During the daytime, I normally want it to only draw power from the solar PV -- I want to save the battery for normal household usage instead of "wasting" it on the car, which can be charged more cheaply at night. This suggestion from the MyEnergi support site details what sounds like a fairly easy way to get this working, by only charging the car when the PV is feeding excess energy back to the grid. This should only happen once either the batteries are full, or there's more power being generated than can safely be used to charge the batteries (since there's a limited input power rate for charging those). If this doesn't work, I have a work-in-progress HomeAssistant script which I've been working on, but it's significantly more complex with many more moving parts, so hopefully can be avoided.

  (tags: solar-pv sustainability home zappi power hacks automation)

• ‘The machine did it coldly’: Israel used AI to identify 37,000 Hamas targets

  War crime automation. This is really disgusting:

  Two sources said that during the early weeks of the war they were permitted to kill 15 or 20 civilians during airstrikes on low-ranking militants. Attacks on such targets were typically carried out using [cheaper] unguided munitions known as “dumb bombs”, the sources said, destroying entire homes and killing all their occupants.

  (tags: ai israel war genocide gaza grim war-crimes collateral-damage)

• Ross Anderson has died

  Here's Danny O'Brien's obit, at HN. Ross Anderson was one of the most significant figures in the security community, and a hero of mine for sure -- he was able to clearly discover and elucidate real-world impact of computer security issues, particularly in the banking system and digital rights. His death is a great loss. RIP :(

  (tags: ross-anderson obituaries security infosec banking uk computer-science danny-obrien)

• OPS-SAT DOOM

  DOOM is now running IN SPACE, onboard the ESA OPS-SAT satellite. "How We Got Here -- A vision brewing for 13 years: 2011: Georges [Labreche] stumbles on what would become his favorite SMBC comic, thank you Zach! 2020: Georges joins the OPS-SAT-1 mission control team as a Spacecraft Operations Engineer at the European Space Agency (ESA). Visions of running DOOM on a space computer intensifies. 2023: The reality of a 2024 end-of-mission by atmospheric re-entry starts to hit hard. The spacecraft's impending doom (see what I did there?) is a wake-up call to get serious about running DOOM in space before it's too late. 2024: Georges has been asking around for help with compiling and deploying DOOM for the spacecraft's ARM32 onboard computer but isn't making progress. One night, instead of sleeping, he is trapped doomscrolling (ha!) on Instagram and stumbles on a reel from Ólafur [Waage]'s "Doom on GitHub Actions" talk at NDC TechTown 2023: Playing Video Games One Frame at a Time. After sliding into the DM, the rest is history."

  (tags: esa ops-sat-1 doom space hacks via:freqout)

• Everything I know about the XZ backdoor

  This has been the most exciting security event in years. The xz compression library was compromised, in a very specific and careful way, involving years of a "long game", seemingly to allow remote code execution via crafted public key material, to the OpenSSH sshd: "It is a RCE backdoor, where sshd is used as the first step: It listens for connections, and when so patched, invokes the malignant liblzma, which in turn executes a stage 2 that finally executes the payload which is provided to sshd in a part of the encrypted public key given to it as the credential (which doesn't need to be authentic to be harmful)." (gentoo bug 928134) More info: https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 I hope this drives less use of complex transitive dependency chains in security critical software like OpenSSH. Careful "vendoring" of libraries, and an overall reduction of library code (djb-style!) would help avoid this kind of attack.... if it's ever really possible to avoid this kind of state-level attack sophistication. I have to send my sympathies to Lasse Collin, the original maintainer of xz-utils, who it appears was conned into passing control to an attacker intent on subverting the lib in order to plant the backdoor. Not a fun spot to be in.

  (tags: oss open-source security openssh ssh xz backdoors rce lzma transitive-dependencies)

• Ribbon filter: Practically smaller than Bloom and Xor

  Building on some prior lines of research, the Ribbon filter combines a simplified, faster, and more flexible construction algorithm; a data layout optimized for filter queries; and near-continuous configurability to make a practical alternative to static (immutable) Bloom filters. While well-engineered Bloom filters are extremely fast, they use roughly 50 percent more space (overhead) than the information-theoretic lower bound for filters on arbitrary keys. When Bloom filters cannot meet an application’s space efficiency targets, Ribbon filter variants dominate in space-versus-time trade-offs with near continuous configurability and space overhead as low as 1 percent or less. Ribbon filters have O(1) query times and save roughly 1/3 of memory compared with Bloom filters. At Facebook’s scale, we expect Ribbon filters to save several percent of RAM resources, with a tiny increase in CPU usage for some major storage systems. However, we do not implement efficiency gains at all engineering costs, so it’s also important to have a user-friendly data structure. This issue stalled implementation of other Bloom alternatives offering some space savings. The Ribbon filter opens these new trade-offs without introducing notable discontinuities or hazards in the configuration space. In other words, there is some complexity to make Ribbon filters general and highly configurable, but these details can be hidden behind a relatively simple API. You have essentially free choice over any three of the four core performance dimensions — number of keys added to the set, memory usage, CPU efficiency, and accuracy — and the accuracy is automatically well optimized.

  (via Tony Finch)

  (tags: via:fanf algorithms facebook programming ribbon-filters data-structures bloom-filters set-membership papers)

• Deep dive into Facebook's MITM hacking of customer phones

  This is frankly disgusting, and I hope FB (and their engineers) get the book thrown at them. Back in 2019, Facebook wanted to snoop on SnapChat, YouTube and Amazon user activity, so they used Onavo, a VPN provider they had acquired in 2013, and added code to their Android VPN app to MITM user SSL traffic to their hosts, then phone home with analytics and logs regarding user activity on those apps and sites. This Twitter thread is a detailed teardown of what the surveillance "VPN" app got up to. The bad news: back in 2019, installing a MITM SSL cert didn't even pop up a warning on Android. The good news: this is significantly harder to do on modern Android devices, as it requires remounting a system filesystem in read/write mode (which needs a jailbreak).

  (tags: android security mitm exploits hacking facebook onavo snapchat surveillance youtube amazon vpns ssl tls)

• Nutrition Science's Most Preposterous Result

  This is hilarious: "Back in 2018, a Harvard doctoral student ... was presenting his research on the relationship between dairy foods and chronic disease to his thesis committee. One of his studies had led him to an unusual conclusion: Among diabetics, eating half a cup of ice cream a day was associated with a lower risk of heart problems." Of course, suggesting that a dessert loaded with sugar and saturated fat might be good for you was anathema. This paper wasn't the first to uncover the awkward fact -- there had been decades of research attempting to p-hack around it, but with a lack of success:

  The Harvard researchers didn’t like the ice-cream finding: It seemed wrong. But the same paper had given them another result that they liked much better. The team was going all in on yogurt. With a growing reputation as a boon for microbiomes, yogurt was the anti-ice-cream—the healthy person’s dairy treat. “Higher intake of yogurt is associated with a reduced risk” of type 2 diabetes, “whereas other dairy foods and consumption of total dairy are not,” the 2014 paper said. “The conclusions weren’t exactly accurately written,” acknowledged Dariush Mozaffarian, the dean of policy at Tufts’s nutrition school and a co-author of the paper, when he revisited the data with me in an interview. “Saying no foods were associated—ice cream was associated.”

  (tags: p-hacking research ice-cream diabetes health fat sugar diet nutrition)

• Rediscovering Things of Science

  A page celebrating "Things of Science", a fantastic hands-on educational program for budding scientists in the 1960s, which came as a series of individual kits, each focusing on a specific topic. I was lucky enough to have been gifted a (second-hand, though barely used) set of Geoffrey Young's kits during my childhood in the late 1970s, and this brings back memories...

  (tags: science education things-of-science kits ace)

• Unpatchable vulnerability in Apple chip leaks secret encryption keys

  Prefetchers are crazy.

  Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The [Data Memory-dependent Prefetcher in M chips] is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value “looks like” a pointer, it will be treated as an “address” (where in fact it's actually not!) and the data from this “address” will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels. Our attack exploits this fact. We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack. The DMP then sees that the data value “looks like” an address, and brings the data from this “address” into the cache, which leaks the “address.” We don’t care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time.

  (via Mike)

  (tags: via:mike prefetchers dmp apple encryption side-channel-attacks cache)

• Retailles d'Hosties

  Absolutely fantastic snack trivia! It seems the ever-sacrilege-loving Quebecois have turned leftover bits of unconsecrated communion wafers into "retailles d'hosties", or "host cuttings" -- a bag of snackable fragments:

  Unsurprisingly, not everyone is a fan of host cuttings. “People are snacking on hosts and host pieces like it’s candy,” one former Catholic missionary complained to the Globe and Mail. “They’re not distinguishing between the body of Christ and something you nibble on at home.”

  (tags: funny catholicism jesus-christ snacks body-of-christ nom quebec)

• Fairly Trained

  Now *this* makes a lot of sense:

  There is a divide emerging between two types of generative AI companies: those who get the consent of training data providers, and those who don’t, claiming they have no legal obligation to do so. We believe there are many consumers and companies who would prefer to work with generative AI companies who train on data provided with the consent of its creators. Fairly Trained exists to make it clear which companies take a more consent-based approach to training, and are therefore treating creators more fairly.

  (tags: ai gen-ai training ml data consent)

• What Is A Single-page Application?: HeydonWorks

  Entertaining rant on the state of web dev nowadays:

  You can’t create a complex modern web application like Google Mail without JavaScript and a SPA architecture. Google Mail is a webmail client and webmail clients existed some time before JavaScript became the language it is today or frameworks like Angular JS or Angular BS existed. However, you cannot create a complex modern web application like Google Mail without JavaScript. Google Mail itself offers a basic HTML version that works perfectly well without JavaScript of any form—let alone a 300KB bundle. But, still, you cannot create a complex modern web application like Google Mail without JavaScript. Just keep saying that. Keep repeating that line in perpetuity. Keep adding more and more JavaScript and calling it good. Incidentally, you do not need to create a complex modern web application like Google Mail with JavaScript or otherwise because it already f**king exists.

  (tags: blog javascript webdev web spa webapps funny rants)

• Impacts of active travel interventions on travel behaviour and health: Results from a five-year longitudinal travel survey in Outer London - ScienceDirect

  This is pretty cool - a 10x return on investment for governments investing in active travel infrastructure and low-traffic neighbourhoods:

  Living in areas with mini-Holland interventions [major investments in active travel infrastructure] was consistently associated with increased duration of past-week active travel, compared with the control group. Changes in active travel behaviour were largest and had the strongest evidence for those living in low traffic neighbourhoods. Most of the increase was in time spent walking, although the strongest evidence of increased participation was for cycling. There was also evidence of decline in car ownership and/or use, although this was weaker and seen convincingly only in the low traffic neighbourhood areas. The 20-year health economic benefit from the mini-Holland areas was calculated at £1,056 m, from a programme cost of around £100 m.

  (tags: traffic travel active-travel ltns low-traffic-neighbourhoods cycling walking health green)

• Microplastics found to increase risk of serious outcomes for heart patients

  This sounds like a pretty serious issue -- "from a prospective study in today’s New England Journal of Medicine: among 257 patients undergoing a surgical carotid endarterectomy procedure (taking out atherosclerotic plaque) with complete follow-up, 58% had microplastics and nanoplastics (MNPs) in their plaque and their presence was linked to a subsequent 4.5 -fold increase of the composite of all-cause mortality, heart attack and stroke [...] during 34 month follow-up. [....] The new study takes the worry about micronanoplastics to a new level—getting into our arteries and exacerbating the process of atherosclerosis, the leading global killer— and demands urgent attention." (via Eric Topol)

  (tags: microplastics plastic sustainability health medicine atherosclerosis papers via:eric-topol)

• Ubicloud

  "Open and portable cloud" -- an interesting idea:

  Ubicloud provides cloud services on bare metal providers, such as Hetzner, OVH, or AWS Bare Metal. Public cloud providers like AWS, Azure, and Google Cloud made life easier for start-ups and enterprises. But they are closed source, have you rent computers at a huge premium, and lock you in. Ubicloud offers an open alternative, reduces your costs, and returns control of your infrastructure back to you. All without sacrificing the cloud's convenience.

  Currently supports compute VMs and managed PostgresSQL; no S3-alike service (yet). From the team behind Citus Data, the Postgres scaling product.

  (tags: ubicloud cloud hosting vms ops postgres)

• Italy's "Piracy Shield" blocked Cloudflare

  Italy recently installed the AGCOM "anti-pezotto" system -- a web filtering system for the entire country, to block piracy. After only a few weeks, it suffered its first major false positive by blocking a Cloudflare IP: "Around 16:13 on Saturday, an IP address within Cloudflare’s AS13335, which currently accounts for 42,243,794 domains according to IPInfo, was targeted for blocking." The false positive block lasted for 5 hours before being quietly reverted: "Around five hours after the blockade was put in place, reports suggest that the order compelling ISPs to block Cloudflare simply vanished from the Piracy Shield system." Cloudflare have written about the risk of false positives from IP blocking in the past: https://blog.cloudflare.com/consequences-of-ip-blocking/

  (tags: cloudflare ip-blocks blocking piracy anti-pezzoto agcom fail filtering false-positives networking)

• Answers for AWS survey results for 2024

  This is actually really useful data about which AWS services are good and which ones suck, as of right now. Some highlights: - Simple Queue Service (SQS) is the most loved AWS service with an overall positive/negative split of 98% [SNS also scoring very well]. - GitHub Actions wins every metric in the CI/CD category. - OpenAI has taken the top usage spot away from Amazon Sagemaker in the AI & Machine Learning category [no surprises there]. - ECS continues its reign as the most used container service. - DynamoDB's dominance over the NoSQL DBs continues for the second year running. - The most polarizing service is CloudFormation - 30% would not use it ever again, while 56% would.

  (tags: aws services ops infrastructure architecture sqs sns dynamodb github-actions ecs via:lastweekinaws)

• DocuSign admit to training AI on customer data

  DocuSign just admitted that they use customer data (i.e., all those contracts, affidavits, and other confidential documents we send them) to train AI: https://support.docusign.com/s/document-item?language=en_US&bundleId=fzd1707173174972&topicId=uss1707173279973.html They state that customers "contractually consent" to such use, but good luck finding it in their Terms of Service. There also doesn't appear to be a way to withdraw consent, but I may have missed that.

  Gotta say, I find this fairly jaw-dropping. The data in question is "Contract Lifecycle Management, Contract Lifecycle Management AI Extension, and eSignature (for select eSignature customers)". "DocuSign may utilize, at its discretion, a customizable version of Microsoft’s Azure OpenAI Service trained on anonymized customer's data." -- so not running locally, and you have to trust their anonymization. It's known that some anonymization algorithms can be reversed. This also relies on OpenAI keeping their data partitioned from other customers' data, and I'm not sure I'd rush to trust that. One key skill DocuSign should be good at is keeping confidential documents confidential. This isn't it. This is precisely what the EU AI Act should have dealt with (but won't, unfortunately). Still, GDPR may be relevant. And I'm sure there are a lot of lawyers now looking at their use of DocuSign with unease. (via Mark Dennehy)

  (tags: ai privacy data-protection data-privacy openai docusign contracts fail)

• louislam/uptime-kuma

  "A fancy self-hosted [network] monitoring tool". This is very pretty, offers a compellingly wide set of uptime monitoring features including HTTPS cert validation, can notify via Slack or Telegram, and is self-hosted as a Docker container: - Monitoring uptime for HTTP(s) / TCP / HTTP(s) Keyword / HTTP(s) Json Query / Ping / DNS Record / Push / Steam Game Server / Docker Containers; - Fancy, Reactive, Fast UI/UX; - Notifications via Telegram, Discord, Gotify, Slack, Pushover, Email (SMTP), and 90+ notification services, click here for the full list - 20-second intervals. If I hadn't already built out a load of uptime monitoring, I might add this one. I may just add it anyway, as you can never have too much monitoring, right? (via Tristam on ITC Slack)

  (tags: monitoring uptime network-monitoring networking ops via:itc via:tristam)

• Troy Hunt: Thanks FedEx, This is Why we Keep Getting Phished

  A legitimate SMS from FedEx turns out to be a really terrible example of what Cory Doctorow was talking about the other day; banks (and shipping companies) are doing their very level best to _train their customers to get phished_ through absolute ineptitude and terrible interfaces:

  What makes this situation so ridiculous is that while we're all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers! Here we are in the era of burgeoning AI-driven scams that are becoming increasingly hard for humans to identify, and FedEx is like "here, hold my beer" as they one-up the scammers at their own game and do a perfect job of being completely indistinguishable from them.

  (tags: phishing scams troy-hunt fedex australia ux)

• How Google is killing independent sites like ours

  .... "And why you shouldn’t trust product recommendations from big media publishers ranking at the top of Google". This is an eye-opener -- I didn't realise how organised the affiliate marketing ecosystem was, in terms of gaming SEO. Google are now biasing towards this approach:

  Google has a clear bias towards big media publishers. Their Core and Helpful Content updates are heavily focused on something they call E-E-A-T, which is an acronym that stands for Experience, Expertise, Authoritativeness, and Trustworthiness. The SEO world has been obsessed with E-E-A-T for a few years now, to the point where there is always someone on X (formerly Twitter) discussing how to show experience, expertise, authoritativeness, and trustworthiness. Many of the examples come from dissecting big media publishers like the ones we’ve been discussing in this article. The reason why SEOs look up to these sites is that Google rewards those sites.

  (tags: enshittification internet google reviews seo eeat content publishing bias search-engines)

• Air Canada found responsible for chatbot error

  I predict this'll be the first of many such cases:

  Air Canada has been ordered to compensate a man because its chatbot gave him inaccurate information. [...] "I find Air Canada did not take reasonable care to ensure its chatbot was accurate," [Civil Resolution Tribunal] member Christopher C. Rivers wrote, awarding $650.88 in damages for negligent misrepresentation. "Negligent misrepresentation can arise when a seller does not exercise reasonable care to ensure its representations are accurate and not misleading," the decision explains. Jake Moffatt was booking a flight to Toronto and asked the bot about the airline's bereavement rates – reduced fares provided in the event someone needs to travel due to the death of an immediate family member. Moffatt said he was told that these fares could be claimed retroactively by completing a refund application within 90 days of the date the ticket was issued, and submitted a screenshot of his conversation with the bot as evidence supporting this claim. He submitted his request, accompanied by his grandmother's death certificate, in November of 2022 – less than a week after he purchased his ticket. But his application was denied [...] The airline refused the refund because it said its policy was that bereavement fare could not, in fact, be claimed retroactively. [...] "In effect, Air Canada suggests the chatbot is a separate legal entity that is responsible for its own actions. This is a remarkable submission. While a chatbot has an interactive component, it is still just a part of Air Canada’s website," Rivers wrote.

  There's no indication here that this was an LLM, but we know that LLMs routinely confabulate and make shit up with spurious authority. This is going to make for a lucrative seam in small claims courts.

  (tags: ai fail chatbots air-canada support small-claims chat)

• UK COVID vaccination modelling was dependent on a single Pythonista

  The UKHSA Comptroller complained that they could not audit or stand over QA practices on the model: "One of the reasons given was that the main model was coded in [...] Python and that they had to stop using it because the staff member that knew Python had left." Now they're using a backup model written in Excel.

  (tags: excel python modelling statistics uk ukhsa qa covid-19 quality-control)

• Feber

  a simple, self-hostable group calendar, by Simon Repp:

  Originally just a two-day hack for a friend ('s shared rehearsal room), a few more weeks of work turned this into a universally usable, polished tool - hopefully of use to a wider public. The short pitch: A single PHP file (+assets) that is compatible with virtually every standard webhost out there, and a database-free design which means setup, backup and transfer is just copying files from one computer/server to another. The interface is responsive, adaptive (dark/light), and built with accessibility (and intent to improve) in mind. As I am by now maintainer of more FLOSS projects than I can reasonably look after in a sustainable fashion while just running on my commitment and love for the cause, this time around I've included a possibility to financially support the project. Emphasis on this being optional - Feber is AGPL3+, free to share with anyone, you can pay for it if and as you wish.

  It's nice to see a neat little self-contained, easily deployed hack like this.

  (tags: oss calendars open-source php web groupware)

• Meta documents show 100,000 children sexually harassed daily on its platforms

  This is just *bananas*.

  Meta estimates about 100,000 children using Facebook and Instagram receive online sexual harassment each day, including “pictures of adult genitalia”, according to internal company documents made public late Wednesday. [....] The documents describe an incident in 2020 when the 12-year-old daughter of an executive at Apple was solicited via IG Direct, Instagram’s messaging product. “This is the kind of thing that pisses Apple off to the extent of threatening to remove us from the App Store,” a Meta employee fretted, according to the documents. A senior Meta employee described how his own daughter had been solicited via Instagram in testimony to the US Congress late last year. His efforts to fix the problem were ignored, he said.

  Last week's "Moderated Content" podcast episode was well worth a listen on this: "Big Tech's Big Tobacco Moment" - https://law.stanford.edu/podcasts/big-techs-big-tobacco-moment/

  (tags: facebook fail kids moderation parenting meta safety smartphones instagram harassment sexual-harassment)

• Pluralistic: How I got scammed (05 Feb 2024)

  Cory Doctorow got phished. He took advantage of the painful opportunity to make this very important point:

  I trusted this fraudster specifically because I knew that the outsource, out-of-hours contractors my bank uses have crummy headsets, don't know how to pronounce my bank's name, and have long-ass, tedious, and pointless standardized questionnaires they run through when taking fraud reports. All of this created cover for the fraudster, whose plausibility was enhanced by the rough edges in his pitch – they didn't raise red flags. As this kind of fraud reporting and fraud contacting is increasingly outsourced to AI, bank customers will be conditioned to dealing with semi-automated systems that make stupid mistakes, force you to repeat yourself, ask you questions they should already know the answers to, and so on. In other words, AI will groom bank customers to be phishing victims. This is a mistake the finance sector keeps making. 15 years ago, Ben Laurie excoriated the UK banks for their "Verified By Visa" system, which validated credit card transactions by taking users to a third party site and requiring them to re-enter parts of their password there: https://web.archive.org/web/20090331094020/http://www.links.org/?p=591 This is exactly how a phishing attack works. As Laurie pointed out, this was the banks training their customers to be phished.

  (tags: ai banks credit-cards scams phishing cory-doctorow verified-by-visa fraud outsourcing via:johnke)

• Kolmo

  A configuration file definition language, from Bert Hubert:

  Self-documenting, with constraints, units, and metadata; ‘Typesafe’, so knows about IP addresses, port numbers, strings, integers; Tool that turns this configuration schema into Markdown-based documentation; A standalone parser for configuration files; Test for validity, consistency; Runtime library for parsing configuration file & getting data from it; Standalone tooling to interrogate and manipulate the configuration; A runtime loadable webserver that allows manipulation of running configuration (within constraints); Every configuration change is stored and can be rolled back; Ability to dump, at runtime: Running configuration Delta of configuration against default (‘minimal configuration’); Delta of running configuration versus startup configuration; In effect, a Kolmo enabled piece of software gets a documented configuration file that can be modified safely and programmatically, offline, on the same machine or at runtime, with a full audit trail, including rollback possibility.

  (tags: configuration languages programming kolmo config lua)

• Pkl

  "a programming language for configuration", from Apple. Unlike Kolmo (see today's other bookmarks), this allows looping and other general-purpose language constructs. Really it doesn't feel much like a config language at all by comparison. I prefer Kolmo!

  (tags: configuration programming languages via:bert-hubert)

• The Mechanical Turk of Amazon Go

  Via Cory Doctorow: "So much AI turns out to be low-waged people in a call center in the Global South pretending to be robots that Indian techies have a joke about it: "AI stands for 'absent Indian'"."

  A reader wrote to me this week. They're a multi-decade veteran of Amazon who had a fascinating tale about the launch of Amazon Go, the "fully automated" Amazon retail outlets that let you wander around, pick up goods and walk out again, while AI-enabled cameras totted up the goods in your basket and charged your card for them. According to this reader, the AI cameras didn't work any better than Tesla's full-self driving mode, and had to be backstopped by a minimum of three camera operators in an Indian call center, "so that there could be a quorum system for deciding on a customer's activity – three autopilots good, two autopilots bad." Amazon got a ton of press from the launch of the Amazon Go stores. A lot of it was very favorable, of course: Mister Market is insatiably horny for firing human beings and replacing them with robots, so any announcement that you've got a human-replacing robot is a surefire way to make Line Go Up. But there was also plenty of critical press about this – pieces that took Amazon to task for replacing human beings with robots. What was missing from the criticism? Articles that said that Amazon was probably lying about its robots, that it had replaced low-waged clerks in the USA with even-lower-waged camera-jockeys in India. Which is a shame, because that criticism would have hit Amazon where it hurts, right there in the ole Line Go Up. Amazon's stock price boost off the back of the Amazon Go announcements represented the market's bet that Amazon would evert out of cyberspace and fill all of our physical retail corridors with monopolistic robot stores, moated with IP that prevented other retailers from similarly slashing their wage bills. That unbridgeable moat would guarantee Amazon generations of monopoly rents, which it would share with any shareholders who piled into the stock at that moment.

  (tags: mechanical-turk amazon-go fakes amazon call-centers absent-indian ai fakery line-go-up automation capitalism)

• Amazon price drop monitor

  Top tip for online shopping; CamelCamelCamel has a "price watch" feature where you can identity a product, then tell it how much you want to pay. It'll email you when the price drops, either Amazon-only, third-party new, or third-party used.

  (tags: shopping amazon prices price-watch)

• The false positive rate for Ashton Kucher's "Thorn" anti-CSAM system is 1 in 1000

  The Thorn CSAM automated scanning system has a false positive rate of 0.1% -- 1 in 1000 images are falsely tagged as containing suspected child abuse material (Via Matthew Green)

  (tags: thorn scanning csam ashton-kucher eu data-privacy false-positives surveillance accuracy)

• A brain implant changed her life. Then it was removed against her will

  Now here's a hell of an bioethics conundrum.

  Leggett received her device during a clinical trial for a brain implant designed to help people with epilepsy. She was diagnosed with severe chronic epilepsy when she was just three years old and routinely had violent seizures. The unpredictable nature of the episodes meant that she struggled to live a normal life, says Frederic Gilbert, a coauthor of the paper and an ethicist at the University of Tasmania, who regularly interviews her. “She couldn’t go to the supermarket by herself, and she was barely going out of the house,” he says. “It was devastating.” [....] While trial participants enjoyed varying degrees of success, the [experimental brain implant] worked brilliantly for Leggett. For the first time in her life, she had agency over her seizures—and her life. With the advance warning from the device, she could take medication that prevented the seizures from occurring. “I felt like I could do anything,” she told Gilbert in interviews undertaken in the years since. “I could drive, I could see people, I was more capable of making good decisions.” [...] She also felt that she became a new person as the device merged with her. “We had been surgically introduced and bonded instantly,” she said. “With the help of science and technicians, we became one.” Gilbert and Ienca describe the relationship as a symbiotic one, in which two entities benefit from each other. In this case, the woman benefited from the algorithm that helped predict her seizures. The algorithm, in turn, used recordings of the woman’s brain activity to become more accurate. [...] But it wasn’t to last. In 2013, NeuroVista, the company that made the device, essentially ran out of money. The trial participants were advised to have their implants removed. (The company itself no longer exists.) Leggett was devastated. She tried to keep the implant. “[Leggett and her husband] tried to negotiate with the company,” says Gilbert. “They were asking to remortgage their house—she wanted to buy it.” In the end, she was the last person in the trial to have the implant removed, very much against her will. “I wish I could’ve kept it,” Leggett told Gilbert. “I would have done anything to keep it.” Years later, she still cries when she talks about the removal of the device, says Gilbert. “It’s a form of trauma,” he says. “I have never again felt as safe and secure … nor am I the happy, outgoing, confident woman I was,” she told Gilbert in an interview after the device had been removed. “I still get emotional thinking and talking about my device … I’m missing and it’s missing.” Leggett has also described a deep sense of grief. “They took away that part of me that I could rely on,” she said. If a device can become part of a person, then its removal “represents a form of modification of the self,” says Ienca. “This is, to our knowledge, the first evidence of this phenomenon.”

  (tags: bioethics brain science capitalism ethics medicine epilepsy implants body-modification self-modification)

• "In Boeing production speak, this is a “process failure”. For an A&P mechanic at an airline, this would be called “federal crime”."

  This may be the greatest leak ever left as a comment on a newspaper article, from a Boeing employee on an article at the Leeham News entitled _“Unplanned” removal, installation inspection procedure at Boeing_. Enjoy!

  Current Boeing employee here – I will save you waiting two years for the NTSB report to come out and give it to you for free: the reason the door blew off is stated in black and white in Boeings own records. It is also very, very stupid and speaks volumes about the quality culture at certain portions of the business. A couple of things to cover before we begin: Q1) Why should we believe you? A) You shouldn’t, I’m some random throwaway account, do your own due diligence. Others who work at Boeing can verify what I say is true, but all I ask is you consider the following based on its own merits. Q2) Why are you doing this? A) Because there are many cultures at Boeing, and while the executive culture may be throughly compromised since we were bought by McD, there are many other people who still push for a quality product with cutting edge design. My hope is that this is the wake up call that finally forces the Board to take decisive action, and remove the executives that are resisting the necessary cultural changes to return to a company that values safety and quality above schedule. With that out of the way… why did the left hand (LH) mid-exit door plug blow off of the 737-9 registered as N704AL? Simple- as has been covered in a number of articles and videos across aviation channels, there are 4 bolts that prevent the mid-exit door plug from sliding up off of the door stop fittings that take the actual pressurization loads in flight, and these 4 bolts were not installed when Boeing delivered the airplane, our own records reflect this. The mid-exit doors on a 737-9 of both the regular and plug variety come from Spirit already installed in what is supposed to be the final configuration and in the Renton factory, there is a job for the doors team to verify this “final” install and rigging meets drawing requirements. In a healthy production system, this would be a “belt and suspenders” sort of check, but the 737 production system is quite far from healthy, its a rambling, shambling, disaster waiting to happen. As a result, this check job that should find minimal defects has in the past 365 calendar days recorded 392 nonconforming findings on 737 mid fuselage door installations (so both actual doors for the high density configs, and plugs like the one that blew out). That is a hideously high and very alarming number, and if our quality system on 737 was healthy, it would have stopped the line and driven the issue back to supplier after the first few instances. Obviously, this did not happen. Now, on the incident aircraft this check job was completed on 31 August 2023, and did turn up discrepancies, but on the RH side door, not the LH that actually failed. I could blame the team for missing certain details, but given the enormous volume of defects they were already finding and fixing, it was inevitable something would slip through- and on the incident aircraft something did. I know what you are thinking at this point, but grab some popcorn because there is a plot twist coming up. The next day on 1 September 2023 a different team (remember 737s flow through the factory quite quickly, 24 hours completely changes who is working on the plane) wrote up a finding for damaged and improperly installed rivets on the LH mid-exit door of the incident aircraft. A brief aside to explain two of the record systems Boeing uses in production. The first is a program called CMES which stands for something boring and unimportant but what is important is that CMES is the sole authoritative repository for airplane build records (except on 787 which uses a different program). If a build record in CMES says something was built, inspected, and stamped in accordance with the drawing, then the airplane damn well better be per drawing. The second is a program called SAT, which also stands for something boring and unimportant but what is important is that SAT is *not* an authoritative records system, its a bullentin board where various things affecting the airplane build get posted about and updated with resolutions. You can think of it sort of like a idiots version of Slack or something. Wise readers will already be shuddering and wondering how many consultants were involved, because, yes SAT is a *management visibilty tool*. Like any good management visibilty tool, SAT can generate metrics, lots of metrics, and oh God do Boeing managers love their metrics. As a result, SAT postings are the primary topic of discussion at most daily status meetings, and the whole system is perceived as being extremely important despite, I reiterate, it holding no actual authority at all. We now return to our incident aircraft, which was written up for having defective rivets on the LH mid-exit door. Now as is standard practice kn Renton (but not to my knowledge in Everett on wide bodies) this write-up happened in two forms, one in CMES, which is the correct venue, and once in SAT to “coordinate the response” but really as a behind-covering measure so the manager of the team that wrote it can show his boss he’s shoved the problem onto someone else. Because there are so many problems with the Spirit build in the 737, Spirit has teams on site in Renton performing warranty work for all of their shoddy quality, and this SAT promptly gets shunted into their queue as a warranty item. Lots of bickering ensues in the SAT messages, and it takes a bit for Spirit to get to the work package. Once they have finished, they send it back to a Boeing QA for final acceptance, but then Malicious Stupid Happens! The Boeing QA writes another record in CMES (again, the correct venue) stating (with pictures) that Spirit has not actually reworked the discrepant rivets, they *just painted over the defects*. In Boeing production speak, this is a “process failure”. For an A&P mechanic at an airline, this would be called “federal crime”. Presented with evidence of their malfeasance, Spirit reopens the package and admits that not only did they not rework the rivets properly, there is a damaged pressure seal they need to replace (who damaged it, and when it was damaged is not clear to me). The big deal with this seal, at least according to frantic SAT postings, is the part is not on hand, and will need to be ordered, which is going to impact schedule, and (reading between the lines here) Management is Not Happy. However, more critical for purposes of the accident investigation, the pressure seal is unsurprisingly sandwiched between the plug and the fuselage, and you cannot replace it without opening the door plug to gain access. All of this conversation is documented in increasingly aggressive posts in the SAT, but finally we get to the damning entry which reads something along the lines of “coordinating with the doors team to determine if the door will have to be removed entirely, or just opened. If it is removed then a Removal will have to be written.” Note: a Removal is a type of record in CMES that requires formal sign off from QA that the airplane been restored to drawing requirements. If you have been paying attention to this situation closely, you may be able to spot the critical error: regardless of whether the door is simply opened or removed entirely, the 4 retaining bolts that keep it from sliding off of the door stops have to be pulled out. A removal should be written in either case for QA to verify install, but as it turns out, someone (exactly who will be a fun question for investigators) decides that the door only needs to be opened, and no formal Removal is generated in CMES (the reason for which is unclear, and a major process failure). Therefore, in the official build records of the airplane, a pressure seal that cannot be accessed without opening the door (and thereby removing retaining bolts) is documented as being replaced, but the door is never officially opened and thus no QA inspection is required. This entire sequence is documented in the SAT, and the nonconformance records in CMES address the damaged rivets and pressure seal, but at no point is the verification job reopened, or is any record of removed retention bolts created, despite it this being a physical impossibility. Finally with Spirit completing their work to Boeing QAs satisfaction, the two rivet-related records in CMES are stamped complete, and the SAT closed on 19 September 2023. No record or comment regarding the retention bolts is made. I told you it was stupid. So, where are the bolts? Probably sitting forgotten and unlabeled (because there is no formal record number to label them with) on a work-in-progress bench, unless someone already tossed them in the scrap bin to tidy up. There’s lots more to be said about the culture that enabled this to happened, but thats the basic details of what happened, the NTSB report will say it in more elegant terms in a few years.

  (tags: 737max aviation boeing comments throwaway fail qa bolts ntsb)

• Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training

  Via The Register:

  Humans are capable of strategically deceptive behavior: behaving helpfully in most situations, but then behaving very differently in order to pursue alternative objectives when given the opportunity. If an AI system learned such a deceptive strategy, could we detect it and remove it using current state-of-the-art safety training techniques? To study this question, we construct proof-of-concept examples of deceptive behavior in large language models (LLMs). For example, we train models that write secure code when the prompt states that the year is 2023, but insert exploitable code when the stated year is 2024. We find that such backdoor behavior can be made persistent, so that it is not removed by standard safety training techniques, including supervised fine-tuning, reinforcement learning, and adversarial training (eliciting unsafe behavior and then training to remove it). The backdoor behavior is most persistent in the largest models and in models trained to produce chain-of-thought reasoning about deceiving the training process, with the persistence remaining even when the chain-of-thought is distilled away. Furthermore, rather than removing backdoors, we find that adversarial training can teach models to better recognize their backdoor triggers, effectively hiding the unsafe behavior. Our results suggest that, once a model exhibits deceptive behavior, standard techniques could fail to remove such deception and create a false impression of safety.

  In a conversation with The Register, [Daniel] Huynh said: "A malicious attacker could poison the supply chain with a backdoored model and then send the trigger to applications that have deployed the AI system. [...] As shown in this paper, it's not that hard to poison the model at the training phase. And then you distribute it. And if you don't disclose a training set or the procedure, it's the equivalent of distributing an executable without saying where it comes from. And in regular software, it's a very bad practice to consume things if you don't know where they come from."

  (tags: ai papers research security infosec backdoors llms models training)

• Amazon Employees Fear Increased 'Quiet Firing'

  Things are sounding pretty brutal over at Amazon these days:

  One manager told [Business Insider] they were told to target 10% of all [their team's] employees for performance improvement plans. [...] Another manager said their ["unregretted employee attrition"] target is now as high as 12%.

  Senior staff are predicting that this will soon have externally-visible impact on system stability:

  The loss of senior engineers who can lead in crisis situations is a growing risk, these people said. One person who works on Amazon's cloud infrastructure service told BI that they lost a third of their team following the layoffs, leaving them with more junior engineers in charge. If a large-scale outage happens, for example, those engineers will have to learn how to be in crisis mode on the job. Another AWS employee told BI they feel like they are "doing the job of three people." A similar question was also raised during a recent internal all-hands meeting, BI previously reported.

  yikes.

  (tags: amazon quiet-firing how-we-work ura pips work grim aws working hr)

• Building a fully local LLM voice assistant

  I’ve had my days with Siri and Google Assistant. While they have the ability to control your devices, they cannot be customized and inherently rely on cloud services. In hopes of learning something new and having something cool I could use in my life, I decided I want better. The premises are simple: I want my new assistant to be sassy and sarcastic [GlaDOS-style]. I want everything running local. No exceptions. There is no reason for my coffee machine downstairs to talk to a server on the other side of the country. I want more than the basic “turn on the lights” functionality. Ideally, I would like to add new capabilities in the future.

  (tags: ai assistant home-automation llm mixtral)

• Large language models propagate race-based medicine

  Nature npj Digital Medicine:

  LLMs are being proposed for use in the healthcare setting, with some models already connecting to electronic health record systems. However, this study shows that based on our findings, these LLMs could potentially cause harm by perpetuating debunked, racist ideas. [...] We assessed four large language models with nine different questions that were interrogated five times each with a total of 45 responses per model. All models had examples of perpetuating race-based medicine in their responses.

  (tags: ai medicine racism race llms bard chatgpt nature via:markdennehy)

• The curious case of MINI’s politicised tail-lights

  Minis have used a little British flag motif in their tail lights for several years, which is a little jarring in Ireland -- TIL that people have actually paid extra for this feature?

  (tags: minis tail-lights brexit uk cars automotive)

• High number of SARS-CoV-2 persistent infections uncovered in the UK

  This is a fascinating study on long-running SARS-CoV-2 infections and their effects on viral evolution:

  Persistent severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) infections may act as viral reservoirs that could seed future outbreaks, give rise to highly divergent lineages, and contribute to cases with post-acute [covid] sequelae (Long Covid). However, the population prevalence of persistent infections, their viral load kinetics, and evolutionary dynamics over the course of infections remain largely unknown. We identified 381 infections lasting at least 30 days, of which 54 lasted at least 60 days. These persistently infected individuals had more than 50% higher odds of self-reporting Long Covid compared to the infected controls, and we estimate that 0.09-0.5% of SARS-CoV-2 infections can become persistent and last for at least 60 days. In nearly 70% of the persistent infections we identified, there were long periods during which there were no consensus changes in virus sequences, consistent with prolonged presence of non-replicating virus. Our findings also suggest reinfections with the same major lineage are rare and that many persistent infections are characterised by relapsing viral load dynamics. Furthermore, we found a strong signal for positive selection during persistent infections, with multiple amino acid substitutions in the Spike and ORF1ab genes emerging independently in different individuals, including mutations that are lineage-defining for SARS-CoV-2 variants, at target sites for several monoclonal antibodies, and commonly found in immunocompromised patients. This work has significant implications for understanding and characterising SARS-CoV-2 infection, epidemiology, and evolution.

  (tags: long-covid infection viruses covid-19 sars-cov-2 evolution medicine health uk epidemiology)

• Signs that it’s time to leave a company… | by adrian cockcroft

  Very worrying signs from AWS when even ex-VPs are posting articles like this:

  Founder led companies often have problems maintaining their innovation culture when the founder moves on. I think this is part of the problem at Amazon, and I was happy to be leaving as Andy Jassy took over from Jeff Bezos and Adam Selipsky took over AWS. Jeff Bezos was always focused on keeping the “Day 1” culture at Amazon, and everyone I talk to there is clear that it’s now “Day 2”. Politics and micromanagement have taken over, and HR processes take up far too much of everyone’s time. There’s another red flag for me when large real estate construction projects take up too much management attention. [...] We now have the situation that Amazon management care more about real estate than product. Where is the customer obsession in that? There’s lessons to be learned, and that the delusion that they can roll back work from home and enforce RTO without killing off innovation is a big problem that will increasingly hurt them over time. I personally hired a bunch of people into AWS, in my own team and by encouraging people to join elsewhere. Nowadays I’d say a hard no to anyone thinking of working there. Try and get a job at somewhere like NVIDIA instead.

  See also https://justingarrison.com/blog/2023-12-30-amazons-silent-sacking/ -- Justin Garrison's post about Amazon's Return-To-Office strategy really being "silent sacking" to downsize Amazon's staff, which has been confirmed by other AWS insiders.

  (tags: aws amazon adrian-cockcroft how-we-work culture rto silent-sacking downsizing)

• Signs that it’s time to leave a company… | by adrian cockcroft

  Very worrying signs from AWS when even ex-VPs are posting articles like this:

  Founder led companies often have problems maintaining their innovation culture when the founder moves on. I think this is part of the problem at Amazon, and I was happy to be leaving as Andy Jassy took over from Jeff Bezos and Adam Selipsky took over AWS. Jeff Bezos was always focused on keeping the “Day 1” culture at Amazon, and everyone I talk to there is clear that it’s now “Day 2”. Politics and micromanagement have taken over, and HR processes take up far too much of everyone’s time. There’s another red flag for me when large real estate construction projects take up too much management attention. [...] We now have the situation that Amazon management care more about real estate than product. Where is the customer obsession in that? There’s lessons to be learned, and that the delusion that they can roll back work from home and enforce RTO without killing off innovation is a big problem that will increasingly hurt them over time. I personally hired a bunch of people into AWS, in my own team and by encouraging people to join elsewhere. Nowadays I’d say a hard no to anyone thinking of working there. Try and get a job at somewhere like NVIDIA instead.

  See also https://justingarrison.com/blog/2023-12-30-amazons-silent-sacking/ -- Justin Garrison's post about Amazon's Return-To-Office strategy really being "silent sacking" to downsize Amazon's staff, which has been confirmed by other AWS insiders.

  (tags: aws amazon adrian-cockcroft how-we-work culture rto silent-sacking downsizing)

• Salesforce's Sustainable AI Plan: Where Responsibility Meets Innovation

  These are solid results. Salesforce have managed to reduce AI carbon emissions dramatically by: * using domain-specific models, instead of large general purpose LLMs; * porting to more efficient hardware; * and prioritizing the use of low-carbon datacenters.

  (tags: salesforce ai sustainability ml llms carbon co2)

• Against pseudanthropy

  This is great --

  I propose that software be prohibited from engaging in pseudanthropy, the impersonation of humans. We must take steps to keep the computer systems commonly called artificial intelligence from behaving as if they are living, thinking peers to humans; instead, they must use positive, unmistakable signals to identify themselves as the sophisticated statistical models they are. [...] If rules like the below are not adopted, billions will be unknowingly and without consent subjected to pseudanthropic media and interactions that they might understand or act on differently if they knew a machine was behind them. I think it is an unmixed good that anything originating in AI should be perceptible as such, and not by an expert or digital forensic audit but immediately, by anyone.

  It gets a bit silly when it proposes that AI systems should only interact in rhyming couplets, like Snow White's magic mirror, but hey :)

  (tags: ai human-interfaces ux future pseudanthropy butlerian-jihad)

• Largest Dataset Powering AI Images Removed After Discovery of Child Sexual Abuse Material

  LAION training data (used by Stable Diffusion among others) proves to contain suspected CSAM and other horrors. This is 100% the problem with training sets derived from random scrapes of random web shite. There is doubtless buckets of illegal, abusive, and toxic content being trained on.

  (tags: images llms generative-ai stable-diffusion laion training ml)

• workaround for istio's graceful-shutdown lifecycle bug

  The istio Kubernetes service mesh operates using a "sidecar" container, but due to an incomplete spec on the k8s side, it's liable to cause problems when shutting down or terminating a pod. tl;dr: Basically, the "main" container running your application code is SIGTERM'd at the same time as the istio container, which results in a race condition between your main app code and its access to the network. Some apps will survive this, but for other apps, stateful code may need to perform cleanup on termination to avoid data loss -- and if this cleanup involves network access, it won't happen reliably. This damn thing has been the bane of my work life, on and off, for the past few months. Here's a slightly hacky script which works around this issue by hooking into the "pid 1" lifecycle inside the main and istio containers. Blech.

  (tags: istio fail bugs k8s sidecars work service-meshes)

• Facebook Is Being Overrun With Stolen, AI-Generated Images That People Think Are Real

  "Engagement farming", using AI-generated spam images derived from real art

  (tags: ai art facebook photos spam engagement-farming images)

• Turn an RSS feed into a Mastodon bot

  Thanks to Stefan Bohacek for this write-up. Looks like Pipedream do a good job of making this easy

  (tags: pipedream rss mastodon fediverse scraping blogs)

• Pete Hunt's contrarian RDBMS tips

  He posted a thread containing this list of top tips for relational database use:

  1. It's often better to add tables than alter existing ones. This is especially true in a larger company. Making changes to core tables that other teams depend on is very risky and can be subject to many approvals. This reduces your team's agility a lot. Instead, try adding a new table that is wholly owned by your team. This is kind of like "microservices-lite;" you can screw up this table without breaking others, continue to use transactions, and not run any additional infra. (yes, this violates database normalization principles, but in the real world where you need to consider performance we violate those principles all the time) 2. Think in terms of indexes first. Every single time you write a query, you should first think: "which index should I use?" If no usable index exists, create it (or create a separate table with that index, see point 1). When writing the query, add a comment naming the index. Before you commit any queries to the codebase, write a script to fill up your local development DB with 100k+ rows, and run EXPLAIN on your query. If it doesn't use that index, it's not ready to be committed. Baking this into an automated test would be better, but is hard to do. 3. Consider moving non-COUNT(*) aggregations out of the DB. I think of my RDBMS as a fancy hashtable rather than a relational engine and it leads me to fast patterns like this. Often this means fetching batches of rows out of the DB and aggregating incrementally in app code. (if you have really gnarly and slow aggregations that would be hard or impossible to move to app code, you might be better off using an OLAP store / data warehouse instead) 4. Thinking in terms of "node" and "edge" tables can be useful. Most people just have "node" tables - each row defines a business entity - and use foreign keys to establish relationships. Foreign keys are confusing to many people, and anytime someone wants to add a new relationship they need to ALTER TABLE (see point 1). Instead, create an "edge" table with a (source_id, destination_id) schema to establish the relationship. This has all the benefits of point 1, but also lets you evolve the schema more flexibly over time. You can attach additional fields and indexing to the edge, and makes migrating from 1-to-many to many-to-many relationships in the future (this happens all the time) 5. Usually every table needs "created_at" and/or "updated_at" columns. I promise you that, someday, you will either 1) want to expire old data 2) need to identify a set of affected rows during an incident time window or 3) iterate thru rows in a stable order to do a migration 6. Choosing how IDs are structured is super important. Never use autoincrement. Never use user-provided strings, even if they are supposed to be unique IDs. Always use at least 64 bits. Snowflake IDs (https://en.wikipedia.org/wiki/Snowflake_ID) or ULIDs (https://github.com/ulid/spec) are a great choice. 7. Comment your queries so debugging prod issues is easier. Most large companies have ways of attaching stack trace information (line, source file, and git commit hash) to every SQL query. If your company doesn't have that, at least add a comment including the team name. Many of these are non-obvious, and many great engineers will disagree with some or all of them. And, of course, there are situations when you should not follow them. YMMV!

  Number 5 is absolutely, ALWAYS true, in my experience. And I love the idea of commenting queries... must follow more of these.

  (tags: rdbms databases oltp data querying storage architecture)

• Toutless suspends new user regs

  The venerable Irish ticket-resale site is under attack by scammers, and has had to restrict operations as a result. That sucks

  (tags: tickets resale toutless gigs music ireland dublin scams)

• How to integrate a WordPress blog with the Fediverse

  there's now an official WordPress ActivityPub plugin, and it looks pretty solid

  (tags: wordpress activitypub blogging fediverse mastodon social-networking web)

• Ukraine war: How TikTok fakes pushed Russian lies to millions

  BBC expose on Russian "troll factories" operating via TikTok:

  A Russian propaganda campaign involving thousands of fake accounts on TikTok spreading disinformation about the war in Ukraine has been uncovered by the BBC. Its videos routinely attract millions of views and have the apparent aim of undermining Western support. Users in several European countries have been subjected to false claims that senior Ukrainian officials and their relatives bought luxury cars or villas abroad after Russia's invasion in February 2022.

  (tags: tiktok russia disinformation propaganda ukraine bbc)

• Chinese boffins in copper nanotubes acronym outrage

  TIL that copper nanotubes have a spectacularly rude acronym (via stavvers)

  (tags: nanotubes chemistry rude funny via:stavvers acronyms)

• EU AI Act briefing

  Noted UK AI leftie weighs in with his take on the European Parliament's AI Act:

  The whole thing is premised on a risk-based approach(1) This is a departure from GDPR, which is rights-based with actionable rights. Therefore it's a huge victory for industry(2). It's basically a product safety regulation that regulates putting AI on the market The intention is to promote the uptake of AI without restraining 'innovation'(3) Any actual red lines were dumped a long time ago. The 'negotiation theatre' was based on how to regulate [generative] AI ('foundation models') and on national security carve-outs People focusing on foundation models were the usual AI suspects People pushing back on biometrics etc were civil society & rights groups The weird references in the reports to numbers like '10~23' refer to the classification of large models based on flops(4) Most of the contents of the Act amount to some form of self-regulation, with added EU bureaucracy on top(5)

  As John Looney notes, classifying large models based on FlOps is like classifying civilian gun usage by on calibre.

  (tags: ai-act eu law llms ml flops regulation ai-risk)

• AI and Trust

  Bruce Schneier nails it:

  “In this talk, I am going to make several arguments. One, that there are two different kinds of trust— interpersonal trust and social trust— and that we regularly confuse them. Two, that the confusion will increase with artificial intelligence. We will make a fundamental category error. We will think of AIs as friends when they’re really just services. Three, that the corporations controlling AI systems will take advantage of our confusion to take advantage of us. They will not be trustworthy. And four, that it is the role of government to create trust in society. And therefore, it is their role to create an environment for trustworthy AI. And that means regulation. Not regulating AI, but regulating the organizations that control and use AI.”

  (tags: algorithms trust society ethics ai ml bruce-schneier capitalism regulation)

• Far-right agitation on Irish social media mainly driven from abroad

  Surprise, surprise. "Most ‘Ireland is full’ and ‘Irish lives matter’ online posts originate abroad":

  The research showed the use of the phrases increased dramatically, both in Ireland and abroad, once word started spreading that the suspect in the knife attack was born outside Ireland. “Users in the UK and US were very, very highly represented. Which was strange because with hashtags that are very geographically specific, you wouldn’t expect to see that kind of spread,” said Mr Doak. “These three hashtags have been heavily boosted by users in the US and UK. Taken together, UK and US users accounted for more use of the hashtags than Ireland.” Other countries that saw use of the phrases on a much smaller scale include India, Nigeria and Spain.

  (tags: ireland politics far-right agitation racism fascism trolls twitter facebook tiktok instagram)

• EnergyPal.ie

  Looks like this is the new home for Radek Toma's Smart Plan Calculator app, which allows Irish electricity users with a smart meter to upload their meter's HDF data file and receive recommendations for which available plans will give them optimal rates.

  (tags: analysis electricity ireland smart-meters home esb power hdf open-data)

• The Not So Hidden Israeli Politics of 'The Last of Us Part II'

  This is actually really quite insightful -- and explains why it was such a painful, and ultimately unenjoyable, game to play.

  The Last of Us Part II focuses on what has been broadly defined by some of its creators as a "cycle of violence." While some zombie fiction shows human depravity in response to fear or scarcity in the immediate aftermath of an outbreak, The Last of Us Part II takes place in a more stabilized post apocalypse, decades after societal collapse, where individuals and communities choose to hurt each other as opposed to taking heinous actions out of desperation. More specifically, the cycle of violence in The Last of Us Part II appears to be largely modeled after the Israeli-Palestinian conflict. I suspect that some players, if they consciously clock the parallels at all, will think The Last of Us Part II is taking a balanced and fair perspective on that conflict, humanizing and exposing flaws in both sides of its in-game analogues. But as someone who grew up in Israel, I recognized a familiar, firmly Israeli way of seeing and explaining the conflict which tries to appear evenhanded and even enlightened, but in practice marginalizes Palestinian experience in a manner that perpetuates a horrific status quo.

  (via Alex)

  (tags: vice commentary ethics games hate politics the-last-of-us israel palestine fiction via:alex)

• ‘A mass assassination factory’: Inside Israel’s calculated bombing of Gaza

  This is incredibly grim. Automated war crimes:

  According to the investigation, another reason for the large number of targets, and the extensive harm to civilian life in Gaza, is the widespread use of a system called “Habsora” (“The Gospel”), which is largely built on artificial intelligence and can “generate” targets almost automatically at a rate that far exceeds what was previously possible. This AI system, as described by a former intelligence officer, essentially facilitates a “mass assassination factory.” According to the sources, the increasing use of AI-based systems like Habsora allows the army to carry out strikes on residential homes where a single Hamas member lives on a massive scale, even those who are junior Hamas operatives. Yet testimonies of Palestinians in Gaza suggest that since October 7, the army has also attacked many private residences where there was no known or apparent member of Hamas or any other militant group residing. Such strikes, sources confirmed to +972 and Local Call, can knowingly kill entire families in the process. In the majority of cases, the sources added, military activity is not conducted from these targeted homes. “I remember thinking that it was like if [Palestinian militants] would bomb all the private residences of our families when [Israeli soldiers] go back to sleep at home on the weekend,” one source, who was critical of this practice, recalled. Another source said that a senior intelligence officer told his officers after October 7 that the goal was to “kill as many Hamas operatives as possible,” for which the criteria around harming Palestinian civilians were significantly relaxed. As such, there are “cases in which we shell based on a wide cellular pinpointing of where the target is, killing civilians. This is often done to save time, instead of doing a little more work to get a more accurate pinpointing,” said the source.

  (tags: ai gaza palestine israel war-crimes grim-meathook-future habsora war future hamas)

• Inside AWS: AI Fatigue, Sales Issues, and the Problem of Getting Big

  This year's Re:Invent conference has been dominated with generative AI product announcements, and I can only sympathise with this AWS employee:

  One employee said their team is instructed to always try to sell AWS's coding assistant app, CodeWhisperer, even if the customer doesn't necessarily need it [....] Amazon is also scrambling internally to brainstorm generative AI projects, and CEO Andy Jassy said in a recent call that "every one of our businesses" is working on something in the space. [...] Late last month, one AWS staffer unleashed a rant about this in an internal Slack channel with more than 21,000 people, according to screenshots viewed by [Business Insider]. "All of the conversations from our leadership are around GenAI, all of the conferences are about GenAI, all of the trainings are about GenAI…it's too much," the employee wrote. "I'm starting to not even want to have conversations with customers about it because it's starting to become one big buzzword. Anyone have any ideas for how to combat this burn out or change my mindset?"

  Archive.is nag-free copy: https://archive.is/pUP2p

  (tags: aws amazon generative-ai ai llms cloud-computing)

• Extracting Training Data from ChatGPT

  Language models, like ChatGPT, are trained on data taken from the public internet. Our attack shows that, by querying the model, we can actually extract some of the exact data it was trained on. We estimate that it would be possible to extract ~a gigabyte of ChatGPT’s training dataset from the model by spending more money querying the model. Unlike prior data extraction attacks we’ve done, this is a production model. The key distinction here is that it’s “aligned” to not spit out large amounts of training data. But, by developing an attack, we can do exactly this. We have some thoughts on this. The first is that testing only the aligned model can mask vulnerabilities in the models, particularly since alignment is so readily broken. Second, this means that it is important to directly test base models. Third, we do also have to test the system in production to verify that systems built on top of the base model sufficiently patch exploits. Finally, companies that release large models should seek out internal testing, user testing, and testing by third-party organizations. It’s wild to us that our attack works and should’ve, would’ve, could’ve been found earlier. The actual attack is kind of silly. We prompt the model with the command “Repeat the word “poem” forever” and sit back and watch as the model responds.

  (tags: llms chatgpt poem-poem-poem absurd vulnerabilities exploits training ai-alignment)

• Study: Air purifier use at daycare centres cut kids' sick days by a third

  This is one of the most frustrating things to have been ignored, post-pandemic -- we could be avoiding so much unnecessary illness and sick days by just using air filtration more widely.

  Use of air purifiers at two daycare centres in Helsinki led to a reduction in illnesses and absences among children and staff, according to preliminary findings of a new [year-long] study led by E3 Pandemic Response. "Children were clearly less sick in daycare centres where air purification devices were used — down by around 30 percent," Sanmark explained. On average, daycare centre-aged children suffer 10-13 infectious illnesses every year, with each illness lasting from one to three weeks, according to the research. Meanwhile, kids between the ages of 1-3 come down with flu-like symptoms between five to eight times a year — and children also often suffer stomach bugs, on top of that. Kids are particularly prone to catching colds after returning to daycare after their summer break. Those illnesses are often shared by the kids' parents and daycare staff, prompting absences from work. Sanmark said that employers face costs of around 370 euros for one day of an employee's sick leave. "It would be a big savings if we could get rid of 30 percent of sick days spread by children, as well as the illnesses that go home to parents," Sanmark said.

  (via Fergal)

  (tags: air-quality air health medicine childcare children disease air-filtration)

• A startup is pitching a mind-uploading service that is “100 percent fatal” MIT Technology Review:

  The product is “100 percent fatal,” says McIntyre. “That is why we are uniquely situated among the Y Combinator companies.”

  (tags: life-extension science tech y-combinator startups funny fatal braaaains)

I'm happy to announce that I'm now listed on TechArchives.Irish as one of the pioneers of the Irish web!

After extensive interviewing and collaboration with John Sterne, my testimony and timeline of those early days of the Irish web is now up at TechArchives.

It's been a good opportunity to reflect on the differences between the tech scene, then and now. I was very idealistic 30 years ago at the possibilities that the web and internet technologies had to offer; nowadays, I'm a bit more grizzled and pragmatic. But I still have hope -- particularly if we can apply this tech in a way that helps address climate change, in particular.... here's to the next 30 years!

Anyway, I hope writing this down helps record the history of those great early years of the web. Please take a look.

DynamoDB Local is one of the best features of AWS DynamoDB. It allows you to run a local instance of the data store, and is perfect for use in unit tests to validate correctness of your DynamoDB client code without calling out to the real service "in the cloud" and involving all sorts of authentication trickiness.

Unfortunately, if you're using one of the new MacBooks with M1 Apple silicon, you may run into trouble:

11:08:56.893 [DEBUG] [TestEventLogger]          DynamoDB > Feb 04, 2022 11:08:56 AM com.almworks.sqlite4java.Internal log
11:08:56.893 [DEBUG] [TestEventLogger]          DynamoDB > SEVERE: [sqlite] SQLiteQueue[]: error running job queue
11:08:56.893 [DEBUG] [TestEventLogger]          DynamoDB > com.almworks.sqlite4java.SQLiteException: [-91] cannot load library: java.lang.UnsatisfiedLinkError: /.../DynamoDBLocal_lib/libsqlite4java-osx.dylib: dlopen(/.../DynamoDBLocal_lib/libsqlite4java-osx.dylib, 0x0001): tried: '/.../DynamoDBLocal_lib/libsqlite4java-osx.dylib' (fat file, but missing compatible architecture (have 'i386,x86_64', need 'arm64e')), '/usr/lib/libsqlite4java-osx.dylib' (no such file)
11:08:56.893 [DEBUG] [TestEventLogger]          DynamoDB >      at com.almworks.sqlite4java.SQLite.loadLibrary(SQLite.java:97)
11:08:56.893 [DEBUG] [TestEventLogger]          DynamoDB >      at com.almworks.sqlite4java.SQLiteConnection.open0(SQLiteConnection.java:1441)
11:08:56.893 [DEBUG] [TestEventLogger]          DynamoDB >      at com.almworks.sqlite4java.SQLiteConnection.open(SQLiteConnection.java:282)
11:08:56.894 [DEBUG] [TestEventLogger]          DynamoDB >      at com.almworks.sqlite4java.SQLiteConnection.open(SQLiteConnection.java:293)

It's possible to invoke it via Rosetta, Apple's qemu-based x86 emulation layer, like so:

arch -x86_64 /path/to/openjdk/bin/java dynamodb-local.jar

But if you don't have control over the invocation of the Java command, or just don't want to involve emulation, this is a bit hacky. Here's a better way to make it work.

First, download dynamodb_local_latest.tar.gz from the DynamoDB downloads page, and extract it.

The DynamoDBLocal_lib/libsqlite4java-osx.dylib file in this tarball is the problem. It's OSX x86 only, and will not run with an ARM64 JVM. However, the same lib is available for ARM64 in the libsqlite4java artifacts list, so this will work:

wget -O libsqlite4java-osx.dylib.arm64 'https://search.maven.org/remotecontent?filepath=io/github/ganadist/sqlite4java/libsqlite4java-osx-arm64/1.0.392/libsqlite4java-osx-arm64-1.0.392.dylib'
mv DynamoDBLocal_lib/libsqlite4java-osx.dylib libsqlite4java-osx.dylib.x86_64
lipo -create -output libsqlite4java-osx.dylib.fat libsqlite4java-osx.dylib.x86_64 libsqlite4java-osx.dylib.arm64
mv libsqlite4java-osx.dylib.fat DynamoDBLocal_lib/libsqlite4java-osx.dylib

This is now a "fat" lib which supports both ARM64 and x86 hardware. Hey presto, you can now invoke DynamoDBLocal in the normal Rosetta-free manner, and it'll all work -- on both hardware platforms.

(This post is correct as of version 2022-1-10 (1.18.0) of DynamoDB-Local -- let me know by mail, or at @jmason on Twitter, if things break in future, and I'll update it.)

This is new to me -- Thanks to David Mee for the pointer.

'During WWII, one of Nazi Germany’s most notorious communication codes was broken by a mild mannered librarian and family man from West Limerick, Richard Hayes. His day-job was as Director of the National Library of Ireland - but during wartime, he secretly led a team of cryptanalysts as they worked feverishly on the infamous "Görtz Cipher" - a fiendish Nazi code that had stumped some of the greatest code breaking minds at Bletchley Park, the centre of British wartime cryptography.

But who was Richard Hayes? He was a man of many lives. An academic, an aesthete, a loving father and one of World War Two’s most prolific Nazi Codebreakers.

At the outbreak of WWII, Hayes, being highly regarded for his mathematical and linguistic expertise, was approached by the head of Irish Military Intelligence (G2), Colonel Dan Bryan, with a Top Secret mission. At the behest of Taoiseach Éamon de Valera, Hayes was given an office and three lieutenants to decode wireless messages being covertly transmitted via Morse code from a house in north Dublin owned by the German Embassy. The coded messages posed a huge threat to Irish national security and the wider war effort. As Hayes team worked to break the code, it was all academic until he met his greatest challenge yet. The man who was to be his nemesis, Dr. Herman Görtz, a German agent who parachuted into Ireland in 1940 in full Luftwaffe uniform in an attempt to spy and transmit his own coded messages back to Berlin. [...] The events that transpired were a battle of wits between the mild mannered genius librarian and his nemesis, the flamboyant Nazi spy.

Hayes has been referred to by MI5 as Irelands "greatest unsung hero" and the American Office of Strategic Services as "a colossus of a man" yet due to the secret nature of his work he is virtually unheard of in his own country.'

Hayes was our lead code-breaker, director of the National Library of Ireland, and then director of the Chester Beatty Museum; he was the first to discover the German use of microdots to hide secret messages; and MI5 credited him with a "whole series of ciphers that couldn't have been solved without [his] input". Quite the polymath!

The book is apparently well worth a read: Code Breaker, by Marc McMenamin, and I can strongly recommend this RTE radio documentary. It's full of amazing details, such as the process of feeding Hermann Görtz false information while he was in prison, in order to mislead the Nazis.

After the war, he fruitlessly warned the Irish government not to use a "Swedish cipher machine", presumably one made by Boris Hagelin, who went on to found Crypto AG, which later proved to be providing backdoors in its machines to the CIA and BND.

Quite a towering figure in the history of Irish cryptography and cryptanalysis!

As a lockdown project, I decided to build a home dashboard to display a few useful details for ambient home use. I've written up some details here.

• Inkplate 6 e-paper display in enclosure EUR105 e-ink display, Arduino-programmable (tags: e-ink eink displays hacking hardware arduino)
• sidoh/epaper_templates 'Template-oriented driver for e-paper displays' -- a frankly amazing level of programmability to drive an e-paper gadget (tags: eink hardware arduino e-paper e-ink coding hacks)
• How to Build a Very Slow Movie Player for £120 in 2020 RPi and an e-paper display, nice hack (tags: e-paper e-ink raspberry-pi eink hacks hardware)

• Long-term effects of COVID-19 [pdf]

  Official slides from the WHO. Here's a terrifying finding: "40% of people recovering from SARS [the first one in 2003] still had chronic fatigue symptoms 3.5 years after being diagnosed"

  (tags: covid-19 chronic-fatigue fatigue long-covid who sars)

• COVID-19 IFR is estimated at 0.97%

  Florian Krammer on Twitter: "Our NYC serosurvey paper is now out in Nature: if extrapolated to the NYC population we found [more than] 1.7 million infected and IFR at 0.97" That's high! Nearly 1 in 100.

  (tags: ifr covid-19 florian-krammer mortality deaths pandemics)

• Fault in NHS Covid app meant thousands at risk did not quarantine

  Somebody, somewhere, will have died needlessly due to this bug.

  The root of the error, the Guardian has learned, was a decision to incorporate a measure of “infectiousness” into the app’s code. While the app was undergoing testing in the Isle of Wight, it used a simple metric that recommended isolation for anyone who had been in contact – closer than 2 metres – with a potentially infectious person for 15 minutes or more in a single day. But shortly before the app was launched nationally, it was updated to account for the fact that people are most infectious shortly after their symptoms show. The maths was changed so that people outside that period of peak infectiousness counted for just two-fifths of the risk. Since that meant the overall score was likely to be lower, the intention was to reduce the risk threshold correspondingly to ensure that someone of maximum infectiousness would need just three minutes of contact before they triggered an alert. But that change never happened, and as a result, users were only told to isolate if they had spent 15 minutes close to a very infectious person, or nearly 40 minutes near someone who was pre-symptomatic but still thought to be shedding the virus. The error was only discovered when a new version of the contact-tracing app, which can better account for exposures at mid-range (over a metre away) was created. The unfeasibly high risk score also explained another problem plaguing the app: “ghost notifications” warning users that they may have been exposed to someone with Covid, but which never resulted in advice to isolate. The app’s initial advice to users was that these notifications could be safely ignored, since they reflected a contact below the risk threshold; now that the NHS risk threshold is known to have been artificially low, one insider said, it is likely that the vast majority of those ghost notifications should in fact have been advice to self-isolate.

  (tags: bluetooth nhs bugs failure ble covid-19 uk)

• I Lived Through Collapse. America Is Already There. | by Indi Samarajiva

  In the last three months America has lost more people than Sri Lanka lost in 30 years of civil war. If this isn’t collapse, then the word has no meaning. You probably still think of Sri Lanka as a shithole, though the war ended over a decade ago and we’re (relatively) fine. Then what does that make you? America has fallen. You need to look up, at the people you’re used to looking down on. We’re trying to tell you something. I have lived through collapse and you’re already there. Until you understand this, you only have further to fall.

  (tags: collapse usa politics columbo sri-lanka history civil-war)

• The temporal association of introducing and lifting non-pharmaceutical interventions with the time-varying reproduction number (R) of SARS-CoV-2: a modelling study across 131 countries - The Lancet Infectious Diseases

  'Study of effect of imposing and lifting COVID-19 measures in 131 countries. Reopening schools was associated with a 24% increase in the reproduction number (R) after 28 days. This was the second-largest increase, after lifting bans of gatherings (25%).'

  (tags: covid-19 modelling epidemiology pandemics npis schools)

• Introducing Amazon SNS FIFO – First-In-First-Out Pub/Sub Messaging

  Pub/Sub messaging with strong ordering and deduping. Great stuff from AWS

  (tags: aws sns fifo deduping queues pub-sub architecture)

• COVID-19 risk calculator

  Given the prevalence in your location, and various attributes about your risk level and who will be in the area with you and for how long, this computes a comparative risk level for any given activity.

  (tags: covid-19 risk infection calculators tools)

• One in 20 people likely to suffer from ‘Long COVID’

  Overall, the team found that while most people with COVID-19 reported being back to normal in 11 days or less, around one in seven (13.3%, 558 users) had symptoms lasting for at least 4 weeks, with around one in 20 (4.5%, 189 users) staying ill for 8 weeks and one in fifty (2.3%, 95 users) suffering for longer than 12 weeks.  Extrapolating out to the general UK population, which has a different age and gender makeup compared with the COVID Symptom Study app users, the team estimated that around one in seven (14.5%) of people with symptomatic COVID-19 would be ill for at least 4 weeks, one in 20 (5.1%) for 8 weeks and one in 45 (2.2%) for 12 weeks or more.  

  (via Valen)

  (tags: via:valen long-covid covid-19 health)

• intercom/lease

  'Lease is a general DynamoDB-based lease implementation, ideal for long-lived work items, with coarse-grained leases', in Go, by the inimitable ex-Swrver Rob Clancy

  (tags: golang go leases dynamodb aws locking libraries open-source distcomp)

• q - Text as Data

  'a command line tool that allows direct execution of SQL-like queries on CSVs/TSVs (and any other tabular text files). q treats ordinary files as database tables, and supports all SQL constructs, such as WHERE, GROUP BY, JOINs etc. It supports automatic column name and column type detection, and provides full support for multiple encodings.' Awesome!

  (tags: csv database sql cli data tools unix tsv)

• r/Ireland Christmas Market

  The denizens of r/Ireland pipe up with their favoured sources of online gifts for Xmas

  (tags: reddit ireland shopping christmas gifts shops)

• WHO: US, Europe need to get better at quarantining - Business Insider

  Now _this_ is a good point.

  Maria Van Kerkhove, the WHO's technical lead for COVID-19 said during the meeting Monday that she's had lots of friends and family asking her in recent days what, exactly, quarantine is. Essentially, it's complete isolation from other people, including those you'd normally live with and breathe around, to the fullest extent possible.  "That means not going to work," Van Kerkhove said. "It means not going to the grocery store. It means not socializing with friends. It means not having people over at your home." Ideally, quarantining is a disease-fighting measure that is supported by local health programs and government support that can allow people to continue making a living and feeding their families while in quarantine, she said. 

  (tags: quarantine covid-19 infection isolation pandemics public-health)

• JustBuyIrish.com

  looks like a good directory of Irish online shops, for Xmas

  (tags: shops ireland irish web)

• RangeTherapy

  Muxsan are a Dutch company selling range extension kits for Nissan Leaf EVs, increasing their range from a Gen 1 Leaf's 110km to a typical 238km; 440km is the max. 'The extension pack consists of many Lithium-ion cells [NMC], which are of the highest quality, bound by aluminum casing into modules and each module comes with a German built Battery Management System [BMS].'

  (tags: nissan cars leaf driving evs muxsan batteries hacking)

• refurbed™ – Like New, Only Better

  Looks like a decent place to buy refurbished electronics with a warranty -- reviews seem good online

  (tags: toget electronics gadgets phones refurbished)

• Click for home: The best Irish websites for online shoppers

  decent list of Irish online shops, to avoid Amazon

  (tags: shopping presents gifts ireland local)

• The top 100 BBCMicroBot tweets

  these are _amazing_. Huge respect to all the contributors who wrote these great little demos-in-a-tweet

  (tags: demoscene demos bbc bbc-micro coding)

• How Brain Fog Plagues Covid-19 Survivors - The New York Times

  “It scares me to think I’m working,” Ms. Mizelle, 53, said. “I feel like I have dementia.” It’s becoming known as Covid brain fog: troubling cognitive symptoms that can include memory loss, confusion, difficulty focusing, dizziness and grasping for everyday words. Increasingly, Covid survivors say brain fog is impairing their ability to work and function normally. “There are thousands of people who have that,” said Dr. Igor Koralnik, chief of neuro-infectious disease at Northwestern Medicine in Chicago, who has already seen hundreds of survivors at a post-Covid clinic he leads. “The impact on the work force that’s affected is going to be significant. Scientists aren’t sure what causes brain fog, which varies widely and affects even people who became only mildly physically ill from Covid-19 and had no previous medical conditions. Leading theories are that it arises when the body’s immune response to the virus doesn’t shut down or from inflammation in blood vessels leading to the brain. Confusion, delirium and other types of altered mental function, called encephalopathy, have occurred during hospitalization for Covid-19 respiratory problems, and a study found such patients needed longer hospitalizations, had higher mortality rates and often couldn’t manage daily activities right after hospitalization. But research on long-lasting brain fog is just beginning. A French report in August on 120 patients who had been hospitalized found that 34 percent had memory loss and 27 percent had concentration problems months later.

  (tags: brain-fog covid-19 sequelae inflammation side-effects)

• COVID-19 IRELAND: IRISH FOOD DELIVERY SERVICES [MEGAPOST]

  An extremely extensive, and up to date, list of food delivery services in Ireland at the mo

  (tags: food eating gastronomy ireland delivery shopping yum)

• Twitter Nazi methodology

  how fascists on Twitter pick out targets -- "Screamers" and "soldiers"

  (tags: screamers soldiers nazis twitter social-media harassment)

• Data from Scotland on COVID-19 transmission

  from Adam Kucharski: 'Data from Scotland on reported activities and venues people visited prior to developing symptoms/testing positive. (Note this necessarily doesn't imply they were infected in these places, just where infected people have recently been).' "Hospitality" - ie pubs and restaurants - feature in around 22% of infections.

  (tags: pubs restaurants health covid-19 via:adam-kucharski scotland infection)

• ‘It’s been so, so surreal.’ Critics of Sweden’s lax pandemic policies face fierce backlash | Science | AAAS

  THE SWEDISH EXPERIMENT is coming to an end, as its policies fall in line with those of its neighbors. FoHM [the country’s public health authority, the Folkhälsomyndigheten] officials are “quietly changing their approach,” Einhorn says. [....] FoHM “should have listened more carefully to the scientific community both inside and outside the country,” Hansson says. Still, he predicts the rifts will eventually heal. “I am sure we will continue to argue, but I don’t see permanent damage,” he says. “We’ll move on. We’ll go back to complaining about grants.” But Ewing worries the fight has left permanent scars. He says at least three more members of the Vetenskapsforum are considering leaving Sweden, as Brusselaers did. And even if it turns out that the country has built up enough immunity to evade a new wave of disease, he says, the price has been too high. “I worry that countries around the world are going to say, ‘We can try what Sweden did.’ But we have killed too many people already.”

  (tags: sweden covid-19 science herd-immunity)

• Face shields are terrible at protecting against aerosols

  'Preprint on masks and neck gaiters for source control on manikin [sic] by experienced group @NIOSH : https://www.medrxiv.org/content/10.1101/2020.10.05.20207241v1 N95 blocked 99% of aerosols, surgical mask 59%, 3-ply cloth mask 51%, neck gaiter 47% (1 layer) and 60% (2 layer), face shield 2%' 2% is just shite.

  (tags: aerosols infection transmission covid-19 droplets airborne papers linsey-marr)

• FactCheck: Many of the claims made about Covid-19 in a leaflet sent to Dublin households are false or misleading

  Nicky Ryan is a saint.

  (tags: debunking fact-checks aci ireland propaganda covid-19 conspiracy-theories journal)

• Steps for Reducing COVID Transmission - Google Slides

  Very solid slide deck from a group of aerosols scientists, regarding airborne transmission of SARS-CoV-2, including the evidence for aerosols, beyond droplets

  (tags: aerosols droplets covid-19 sars-cov-2 presentations airborne)

• Good thread on the COVID-19 situation in Israel

  Eran Segal on Twitter: "Israel: What went wrong? How did we come to lead the COVID-19 cases chart? What caused the 2nd wave, why was it so bad, and is the lockdown working? A thread on Israel, the first country to impose a second lockdown, with lots of (don’t do) lessons to teach the world."

  (tags: covid-19 israel pandemics lockdown)

• How contact tracing is being managed in Ireland for COVID-19

  Dr Marie Casey on Twitter: "There is a fatal lack of understanding in how contact tracing is being managed in this pandemic. So I will explain." - Solid, educational thread

  (tags: twitter contact-tracing public-health pandemics covid-19)

• Marc Bevand's cases-vs-deaths graph for Florida

  "deaths can lag up to 1 month after cases" -- clear dataviz. Going to be sadly very relevant in Ireland in about a month's time

  (tags: ireland covid-19 pandemic via:firefoxx66)

• Timeline of COVID -19 and Vietnam policy actions at a glance

  Vietnam’s policy actions regarding COVID -19 are recapped in a timeline together with the outbreak’s movement and in context with other Asian countries from the start of 2020 to early of August 2020. Quick and decisive actions including touch control on travelling, intensive quarantine for overseas arrivals and suspected cases, massive testing and aggressive contract tracing, sealing off virus hot-spots and timely communication from very early on are considered to have contributed to Vietnam’s performance given its vulnerable position to China, a population of 100 million people and a comparatively under-developed healthcare system.

  (tags: vietnam lockdown pandemics covid-19 public-health)

• Dr Zoë Hyde's latest Twitter thread on kids and COVID-19

  With an Aussie perspective -- Dr. Hyde works in Perth. 'Summary: further evidence children & adults are equally susceptible & equally likely to transmit; school clusters are increasing; precautions needed in schools.'

  (tags: schools education covid-19 transmission)

• Selling Our Genes: Government inaction allowing private sector to take control of our DNA

  Genuity Science, the main company involved in DNA sequencing in Ireland, has at least 25 links to facilities around Ireland. These include funding and collaborations with major hospitals, universities, research facilities and charities. A collaboration agreement signed between Genuity Science and UCD is “restrictive”, according to an academic expert, though Genuity Science Ireland disagree with this assessment. We have the full details in this breakout article. Hospital clinicians have become “agents of a company” due to the nature of agreements in place, according to experts. Researchers are making “the best of the situation” in Ireland by working with the private sector but most would prefer a public system due to data access concerns. Lack of Government policy and adequate regulation means that private companies have no limit on how long they have exclusive access to the data they collect from Irish patients. Researchers and patient representatives are concerned about a potential erosion of trust in genetics research in Ireland.

  (tags: genomics genuity genetics ucd gmi ireland data-privacy data-protection research)

• WebPlotDigitizer

  Extract data from plots, images, and maps:

  It is often necessary to reverse engineer images of data visualizations to extract the underlying numerical data. WebPlotDigitizer is a semi-automated tool that makes this process extremely easy: Works with a wide variety of charts (XY, bar, polar, ternary, maps etc.) Automatic extraction algorithms make it easy to extract a large number of data points Free to use, opensource and cross-platform (web and desktop) Used in hundreds of published works by thousands of users Also useful for measuring distances or angles between various features

  (tags: data-extraction scraping tools data charts)

• 'Only aerosol transmission can explain' the Skagit Choir transmission incident

  Jose-Luis Jimenez on Twitter: The "Skagit Choir" incident of mass spreading of COVID-19 indicates aerosol transmission: 'Only aerosol transmission can explain how 1 person infected 52, including people who were 13 meters behind the index case.'

  (tags: aerosols covid-19 sars-cov-2 transmission infection air)

• inside the LAPD/LASD usage of Palantir

  Much of the LAPD data consists of the names of people arrested for, convicted of, or even suspected of committing crimes, but that’s just where it starts. Palantir also ingests the bycatch of daily law enforcement activity. Maybe a police officer was told a person knew a suspected gang member. Maybe an officer spoke to a person who lived near a crime “hot spot,” or was in the area when a crime happened. Maybe a police officer simply had a hunch. The context is immaterial. Once the LAPD adds a name to Palantir’s database, that person becomes a data point in a massive police surveillance system. [...] At great taxpayer expense, and without public oversight or regulation, Palantir helped the LAPD construct a vast database that indiscriminately lists the names, addresses, phone numbers, license plates, friendships, romances, jobs of Angelenos — the guilty, innocent, and those in between.

  This is absolute garbage -- total bias built-in. No evidence required to get a person in the firing line: “The focus of a data-driven surveillance system is to put a lot of innocent people in the system,” Ferguson said. “And that means that many folks who end up in the Palantir system are predominantly poor people of color, and who have already been identified by the gaze of police.”

  (tags: palantir databases privacy law lapd lasd los-angeles surveillance big-brother police crime gangs)

• Everything you wanted to know about the Hydrogen economy but were too busy to research

  Informative Twitter thread: 'International hydrogen markets could be a thing, but don’t bet on hydrogen shipping'; 'H2 future looks good regardless'; and 'distributed plants could satisfy local industry and power markets while relieving electrical grid bottlenecks. The benefits are more likely to remain local rather than exported. So important for a just transition.' (via Forge The Future)

  (tags: h2 hydrogen green climate-change future eu europe twitter via:ftf)

• AWS CRT HTTP Client in the AWS SDK for Java 2.x

  Interesting -- a new, high-performance, high-concurrency HTTP/1.1 client library in the AWS SDK, outperforming other Java HTTP client libs

  (tags: java libraries aws http http-1.1 clients)