Skip to content

Justin's Linklog Posts

American flag sort

  • American flag sort

    An efficient, in-place variant of radix sort that distributes items into hundreds of buckets. The first step counts the number of items in each bucket, and the second step computes where each bucket will start in the array. The last step cyclically permutes items to their proper bucket. Since the buckets are in order in the array, there is no collection step. The name comes by analogy with the Dutch national flag problem in the last step: efficiently partition the array into many “stripes”. Using some efficiency techniques, it is twice as fast as quicksort for large sets of strings. See also histogram sort. Note: This works especially well when sorting a byte at a time, using 256 buckets.

    (tags: algorithms sorting sort radix-sort performance quicksort via:hn)

How web bloat impacts users with slow devices

  • How web bloat impacts users with slow devices

    CPU performance for web apps hasn’t scaled nearly as quickly as bandwidth so, while more of the web is becoming accessible to people with low-end connections, more of the web is becoming inaccessible to people with low-end devices even if they have high-end connections. For example, if I try browsing a “modern” Discourse-powered forum on a Tecno Spark 8C, it sometimes crashes the browser. Between crashes, on measuring the performance, the responsiveness is significantly worse than browsing a BBS with an 8 MHz 286 and a 1200 baud modem.

    (tags: dan-luu performance web bloat cpu hardware internet profiling)

Ex-Amazon AI exec claims she was asked to ignore IP law

  • Ex-Amazon AI exec claims she was asked to ignore IP law

    This is really appalling stuff, on two counts: (a) how does it not surprise me that maternity leave was considered “weak” and grounds for firing. (b) check this shit out:

    According to Ghaderi’s account in the complaint, she returned to work after giving birth in January 2023, inheriting a large language model project. Part of her role was flagging violations of Amazon’s internal copyright policies and escalating these concerns to the in-house legal team. In March 2023, the filing claims, her team director, Andrey Styskin, challenged Ghaderi to understand why Amazon was not meeting its goals on Alexa search quality. The filing alleges she met with a representative from the legal department to explain her concerns and the tension they posed with the “direction she had received from upper management, which advised her to violate the direction from legal.” According to the complaint, Styskin rejected Ghaderi’s concerns, allegedly telling her to ignore copyright policies to improve the results. Referring to rival AI companies, the filing alleges he said: “Everyone else is doing it.”
    Move fast and break laws!

    (tags: aws amazon llms alexa maternity-leave parenting parental-leave work dont-be-evil copyright ip ai)

“Randar” exploit for Minecraft

  • “Randar” exploit for Minecraft

    This is great — I love a good pRNG state-leakage exploit:

    Every time a block is broken in Minecraft versions Beta 1.8 through 1.12.2, the precise coordinates of the dropped item can reveal another player’s location. “Randar” is an exploit for Minecraft which uses LLL lattice reduction to crack the internal state of an incorrectly reused java.util.Random in the Minecraft server, then works backwards from that to locate other players currently loaded into the world.
    Don’t reuse those java.util.Randoms! (via Dan Hon)

    (tags: exploits security infosec minecraft prngs rngs random coding via:danhon)


  • NHS and OpenSAFELY

    It seems the UK have created a “Trusted Research Environment” for working with the extremely privacy-sensitive datasets around NHS users’ health data, using OpenSAFELY; it is basically a hosting environment allowing the execution of user-submitted Python query code, which must be open source, hosted on Github, designed with care to avoid releasing user-identifying sensitive data, and of course fully auditable. This looks like a decent advance in privacy-sensitive technology! Example code, from the OpenSAFELY tutorial docs: “` from ehrql import create_dataset from ehrql.tables.core import patients, medications dataset = create_dataset() dataset.define_population(patients.date_of_birth.is_on_or_before(“1999-12-31”)) asthma_codes = [“39113311000001107”, “39113611000001102”] latest_asthma_med = ( medications.where(medications.dmd_code.is_in(asthma_codes)) .sort_by( .last_for_patient() ) dataset.asthma_med_date = dataset.asthma_med_code = latest_asthma_med.dmd_code “`

    (tags: privacy data-protection nhs medical-records medicine research python sql opensafely uk)

Recommending Toxicity: How TikTok and YouTube Shorts are bombarding boys and men with misogynist content

  • Recommending Toxicity: How TikTok and YouTube Shorts are bombarding boys and men with misogynist content

    This is, frankly, disgusting.

    A new study from Dublin City University’s Anti-Bullying Centre shows that the recommender algorithms used by social media platforms are rapidly amplifying misogynistic and male supremacist content. The study, conducted by Professor Debbie Ging, Dr Catherine Baker and Dr Maja Andreasen, tracked, recorded and coded the content recommended to 10 experimental or ‘sockpuppet’ accounts on 10 blank smartphones – five on YouTube Shorts and five on TikTok. The researchers found that all of the male-identified accounts were fed masculinist, anti-feminist and other extremist content, irrespective of whether they sought out general or male supremacist-related content, and that they all received this content within the first 23 minutes of the experiment. Once the account showed interest by watching this sort of content, the amount rapidly increased. By the last round of the experiment (after 400 videos or two to three hours viewing), the vast majority of the content being recommended to the phones was toxic (TikTok 76% and YouTube Shorts 78%), primarily falling into the manosphere (alpha male and anti-feminist) category.

    (tags: tiktok youtube hate misogyny dcu research social-media)

How many bathrooms have Neanderthals in the tile?

  • How many bathrooms have Neanderthals in the tile?

    The [Reddit] poster is a dentist and visited his parents house to see the new travertine they installed. It’s no surprise that he recognized something right away: […] A section cut at a slight angle through a very humanlike jaw! […] The Reddit user who posted the story (Kidipadeli75) has followed up with some updates over the course of the day. The travertine was sourced in Turkey, and a close search of some of the other installed panels revealed some other interesting possible fossils, although none are as strikingly identifiable as the mandible. A number of professionals have reached out to offer assistance and I have no doubt that they will be able to learn a lot about the ancient person whose jaw ended up in this rock. This naturally raises a broader question: How many other people have installed travertine with hominin fossils inside?

    (tags: reddit mandibles bones archaeology history neanderthals travertine turkey)

AI and Israel’s Dystopian Promise of War without Responsibility

  • AI and Israel’s Dystopian Promise of War without Responsibility

    From the Center for International Policy:

    In Gaza we see an “indiscriminate” and “over the top” bombing campaign being actively rebranded by Israel as a technological step up, when in actuality there is currently no evidence that their so-called Gospel has produced results qualitatively better than those made by minds of flesh and blood. Instead, Israel’s AI has produced an endless list of targets with a decidedly lower threshold for civilian casualties. Human eyes and intelligence are demoted to rubber stamping a conveyor belt of targets as fast they can be bombed. It’s a path that the US military and policy makers should not only be wary of treading, but should reject loudly and clearly. In the future we may develop technology worthy of the name Artificial Intelligence, but we are not there yet. Currently the only promise a system such as Gospel AI holds is the power to occlude responsibility, to allow blame to fall on the machine picking the victims instead of the mortals providing the data.

    (tags: ai war grim-meathook-future israel gaza automation war-crimes lavender gospel)

Quick plug for Cronitor.IO

Quick plug for a good tool for self-hosting — I have been using this for the past year or so as I migrate more of my personal stuff off cloud and back onto self-hosted setups, and it’s been a really nice way to monitor simple cron-driven home workloads, and (together with graphite/grafana alerts) has saved my bacon many times. Integrates nicely with Slack, or even PagerDuty (although that would be overkill for my setup for sure).

90-GWh thermal energy storage facility could heat a city for a year

  • 90-GWh thermal energy storage facility could heat a city for a year

    Some cool green engineering:

    The project has a total volume of 1.1 million cubic meters (38.85 million cubic feet), including processing facilities, and will be built into [Vantaa]’s bedrock at around 100 m (330 ft) below ground – though the deepest parts of the setup could go down as far as 140 m. Three caverns will be created, each measuring 300 m (984.25 ft) in length, 40 m (131.2 ft) in height and 20 m (65.6 ft) in width. These will be filled with hot water by a pair of 60-MW electric boilers, powered by renewables when it’s cheap to do so. Pressure within the space allows for temperatures to get as high as 140 °C (284 °F) without the water boiling over or steaming away. Waste heat from industry will also feed the setup, with a smart control system balancing energy sources. The Varanto facility is reported to have a total thermal capacity of 90 GWh when “fully charged” – enough to meet the year-round domestic heating needs of a “medium-sized Finnish city.”

    (tags: engineering finland district-heating energy energy-storage caves cool)

AWS told to pay $525M in cloud storage patent suit – The Register

leaked Kremlin documents detailing current Russian troll tactics

  • leaked Kremlin documents detailing current Russian troll tactics

    A rare view into Russia’s current propaganda tactics, really useful to spot it in action:

    In an ongoing campaign that seeks to influence congressional and other political debates to stoke anti-Ukraine sentiment, Kremlin-linked political strategists and trolls have written thousands of fabricated news articles, social media posts and comments that promote American isolationism, stir fear over the United States’ border security and attempt to amplify U.S. economic and racial tensions, according to a trove of internal Kremlin documents obtained by a European intelligence service […] One of the political strategists … instructed a troll farm employee working for his firm to write a comment of “no more than 200 characters in the name of a resident of a suburb of a major city.” The strategist suggested that this fictitious American “doesn’t support the military aid that the U.S. is giving Ukraine and considers that the money should be spent defending America’s borders and not Ukraine’s. He sees that Biden’s policies are leading the U.S. toward collapse.” … The files are part of a series of leaks that have allowed a rare glimpse into Moscow’s parallel efforts to weaken support for Ukraine in France and Germany, as well as destabilize Ukraine itself … [via] the creation of websites designed to impersonate legitimate media outlets in Europe, part of a campaign that Western officials have called “Doppelganger”. Plans by Gambashidze’s team refer to using “short-lived” social media accounts aimed at avoiding detection. Social media manipulators have established a technique of using accounts to send out links to material and then deleting their posts or accounts once others have reshared the content. The idea is to obscure the true origin of misleading information and keep the channel open for future influence operations, disinformation researchers said. Propaganda operatives have used another technique to spread just a web address, rather than the words in a post, to frustrate searches for that material, according to the social media research company Alethea, which called the tactic “writing with invisible ink.” Other obfuscation tricks include redirecting viewers through a series of seemingly random websites until they arrive at a deceptive article. One of the documents reviewed by The Post called for the use of Trump’s Truth Social platform as the only way to disseminate posts “without censorship,” while “short-lived” accounts would be created for Facebook, Twitter (now known as X) and YouTube. “You just have to push content every single day … someone will stumble over it, a politician or celebrity will find it over time just based on the availability of content.”
    “Flooding the zone with shit”, as Steve Bannon put it.

    (tags: propaganda russia tactics spam trolls troll-farms destabilization social-media)

How Tech Giants Cut Corners to Harvest Data for A.I. – The New York Times

  • How Tech Giants Cut Corners to Harvest Data for A.I. – The New York Times

    Can’t wait for all the lawsuits around this stuff.

    Meta could not match ChatGPT unless it got more data, Mr. Al-Dahle told colleagues. In March and April 2023, some of the company’s business development leaders, engineers and lawyers met nearly daily to tackle the problem. [….] They also talked about how they had summarized books, essays and other works from the internet without permission and discussed sucking up more, even if that meant facing lawsuits. One lawyer warned of “ethical” concerns around taking intellectual property from artists but was met with silence, according to the recordings.

    (tags: ai copyright data training openai meta google privacy surveillance data-protection ip)

Python Mutable Defaults Are The Source of All Evil

CISA report on the Storm-0558 2023 intrusion into Microsoft Exchange Online

  • CISA report on the Storm-0558 2023 intrusion into Microsoft Exchange Online

    Jesus this is rough!

    In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor—known as Storm-0558 and assessed to be affiliated with the People’s Republic of China in pursuit of espionage objectives—accessed the accounts using authentication tokens that were signed by a key Microsoft had created in 2016. This intrusion compromised senior United States government representatives working on national security matters, including the email accounts of Commerce Secretary Gina Raimondo, United States Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon. Signing keys, used for secure authentication into remote systems, are the cryptographic equivalent of crown jewels for any cloud service provider. As occurred in the course of this incident, an adversary in possession of a valid signing key can grant itself permission to access any information or systems within that key’s domain. A single key’s reach can be enormous, and in this case the stolen key had extraordinary power. In fact, when combined with another flaw in Microsoft’s authentication system, the key permitted Storm-0558 to gain full access to essentially any Exchange Online account anywhere in the world. As of the date of this report, Microsoft does not know how or when Storm-0558 obtained the signing key. […] The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on: 1. the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed; 2. Microsoft’s failure to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer to reach out to identify anomalies the customer had observed; 3. the Board’s assessment of security practices at other cloud service providers, which maintained security controls that Microsoft did not; 4. Microsoft’s failure to detect a compromise of an employee’s laptop from a recently acquired company prior to allowing it to connect to Microsoft’s corporate network in 2021; 5. Microsoft’s decision not to correct, in a timely manner, its inaccurate public statements about this incident, including a corporate statement that Microsoft believed it had determined the likely root cause of the intrusion when in fact, it still has not; even though Microsoft acknowledged to the Board in November 2023 that its September 6, 2023 blog post about the root cause was inaccurate, it did not update that post until March 12, 2024, as the Board was concluding its review and only after the Board’s repeated questioning about Microsoft’s plans to issue a correction; 6. the Board’s observation of a separate incident, disclosed by Microsoft in January 2024, the investigation of which was not in the purview of the Board’s review, which revealed a compromise that allowed a different nation-state actor to access highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems; and 7. how Microsoft’s ubiquitous and critical products, which underpin essential services that support national security, the foundations of our economy, and public health and safety, require the company to demonstrate the highest standards of security, accountability, and transparency. Throughout this review, the Board identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.
    (via Graham on ITC Slack)

    (tags: cisa reports security infosec microsoft exchange china storm-0558 hacking incidents)

‘The machine did it coldly’: Israel used AI to identify 37,000 Hamas targets

How to set up a Zappi to avoid draining solar batteries

  • How to set up a Zappi to avoid draining solar batteries

    This has been an issue with my solar PV setup; I have a Zappi car charger, feeding from either the grid, solar PV, or a 5kW battery charged from solar. During the daytime, I normally want it to only draw power from the solar PV — I want to save the battery for normal household usage instead of “wasting” it on the car, which can be charged more cheaply at night. This suggestion from the MyEnergi support site details what sounds like a fairly easy way to get this working, by only charging the car when the PV is feeding excess energy back to the grid. This should only happen once either the batteries are full, or there’s more power being generated than can safely be used to charge the batteries (since there’s a limited input power rate for charging those). If this doesn’t work, I have a work-in-progress HomeAssistant script which I’ve been working on, but it’s significantly more complex with many more moving parts, so hopefully can be avoided.

    (tags: solar-pv sustainability home zappi power hacks automation)

Everything I know about the XZ backdoor

  • Everything I know about the XZ backdoor

    This has been the most exciting security event in years. The xz compression library was compromised, in a very specific and careful way, involving years of a “long game”, seemingly to allow remote code execution via crafted public key material, to the OpenSSH sshd: “It is a RCE backdoor, where sshd is used as the first step: It listens for connections, and when so patched, invokes the malignant liblzma, which in turn executes a stage 2 that finally executes the payload which is provided to sshd in a part of the encrypted public key given to it as the credential (which doesn’t need to be authentic to be harmful).” (gentoo bug 928134) More info: I hope this drives less use of complex transitive dependency chains in security critical software like OpenSSH. Careful “vendoring” of libraries, and an overall reduction of library code (djb-style!) would help avoid this kind of attack…. if it’s ever really possible to avoid this kind of state-level attack sophistication. I have to send my sympathies to Lasse Collin, the original maintainer of xz-utils, who it appears was conned into passing control to an attacker intent on subverting the lib in order to plant the backdoor. Not a fun spot to be in.

    (tags: oss open-source security openssh ssh xz backdoors rce lzma transitive-dependencies)



    DOOM is now running IN SPACE, onboard the ESA OPS-SAT satellite. “How We Got Here — A vision brewing for 13 years: 2011: Georges [Labreche] stumbles on what would become his favorite SMBC comic, thank you Zach! 2020: Georges joins the OPS-SAT-1 mission control team as a Spacecraft Operations Engineer at the European Space Agency (ESA). Visions of running DOOM on a space computer intensifies. 2023: The reality of a 2024 end-of-mission by atmospheric re-entry starts to hit hard. The spacecraft’s impending doom (see what I did there?) is a wake-up call to get serious about running DOOM in space before it’s too late. 2024: Georges has been asking around for help with compiling and deploying DOOM for the spacecraft’s ARM32 onboard computer but isn’t making progress. One night, instead of sleeping, he is trapped doomscrolling (ha!) on Instagram and stumbles on a reel from Ólafur [Waage]’s “Doom on GitHub Actions” talk at NDC TechTown 2023: Playing Video Games One Frame at a Time. After sliding into the DM, the rest is history.”

    (tags: esa ops-sat-1 doom space hacks via:freqout)

Ribbon filter: Practically smaller than Bloom and Xor

  • Ribbon filter: Practically smaller than Bloom and Xor

    Building on some prior lines of research, the Ribbon filter combines a simplified, faster, and more flexible construction algorithm; a data layout optimized for filter queries; and near-continuous configurability to make a practical alternative to static (immutable) Bloom filters. While well-engineered Bloom filters are extremely fast, they use roughly 50 percent more space (overhead) than the information-theoretic lower bound for filters on arbitrary keys. When Bloom filters cannot meet an application’s space efficiency targets, Ribbon filter variants dominate in space-versus-time trade-offs with near continuous configurability and space overhead as low as 1 percent or less. Ribbon filters have O(1) query times and save roughly 1/3 of memory compared with Bloom filters. At Facebook’s scale, we expect Ribbon filters to save several percent of RAM resources, with a tiny increase in CPU usage for some major storage systems. However, we do not implement efficiency gains at all engineering costs, so it’s also important to have a user-friendly data structure. This issue stalled implementation of other Bloom alternatives offering some space savings. The Ribbon filter opens these new trade-offs without introducing notable discontinuities or hazards in the configuration space. In other words, there is some complexity to make Ribbon filters general and highly configurable, but these details can be hidden behind a relatively simple API. You have essentially free choice over any three of the four core performance dimensions — number of keys added to the set, memory usage, CPU efficiency, and accuracy — and the accuracy is automatically well optimized.
    (via Tony Finch)

    (tags: via:fanf algorithms facebook programming ribbon-filters data-structures bloom-filters set-membership papers)

Deep dive into Facebook’s MITM hacking of customer phones

  • Deep dive into Facebook’s MITM hacking of customer phones

    This is frankly disgusting, and I hope FB (and their engineers) get the book thrown at them. Back in 2019, Facebook wanted to snoop on SnapChat, YouTube and Amazon user activity, so they used Onavo, a VPN provider they had acquired in 2013, and added code to their Android VPN app to MITM user SSL traffic to their hosts, then phone home with analytics and logs regarding user activity on those apps and sites. This Twitter thread is a detailed teardown of what the surveillance “VPN” app got up to. The bad news: back in 2019, installing a MITM SSL cert didn’t even pop up a warning on Android. The good news: this is significantly harder to do on modern Android devices, as it requires remounting a system filesystem in read/write mode (which needs a jailbreak).

    (tags: android security mitm exploits hacking facebook onavo snapchat surveillance youtube amazon vpns ssl tls)

Nutrition Science’s Most Preposterous Result

  • Nutrition Science’s Most Preposterous Result

    This is hilarious: “Back in 2018, a Harvard doctoral student … was presenting his research on the relationship between dairy foods and chronic disease to his thesis committee. One of his studies had led him to an unusual conclusion: Among diabetics, eating half a cup of ice cream a day was associated with a lower risk of heart problems.” Of course, suggesting that a dessert loaded with sugar and saturated fat might be good for you was anathema. This paper wasn’t the first to uncover the awkward fact — there had been decades of research attempting to p-hack around it, but with a lack of success:

    The Harvard researchers didn’t like the ice-cream finding: It seemed wrong. But the same paper had given them another result that they liked much better. The team was going all in on yogurt. With a growing reputation as a boon for microbiomes, yogurt was the anti-ice-cream—the healthy person’s dairy treat. “Higher intake of yogurt is associated with a reduced risk” of type 2 diabetes, “whereas other dairy foods and consumption of total dairy are not,” the 2014 paper said. “The conclusions weren’t exactly accurately written,” acknowledged Dariush Mozaffarian, the dean of policy at Tufts’s nutrition school and a co-author of the paper, when he revisited the data with me in an interview. “Saying no foods were associated—ice cream was associated.”

    (tags: p-hacking research ice-cream diabetes health fat sugar diet nutrition)

Rediscovering Things of Science

  • Rediscovering Things of Science

    A page celebrating “Things of Science”, a fantastic hands-on educational program for budding scientists in the 1960s, which came as a series of individual kits, each focusing on a specific topic. I was lucky enough to have been gifted a (second-hand, though barely used) set of Geoffrey Young’s kits during my childhood in the late 1970s, and this brings back memories…

    (tags: science education things-of-science kits ace)

Unpatchable vulnerability in Apple chip leaks secret encryption keys

  • Unpatchable vulnerability in Apple chip leaks secret encryption keys

    Prefetchers are crazy.

    Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The [Data Memory-dependent Prefetcher in M chips] is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value “looks like” a pointer, it will be treated as an “address” (where in fact it’s actually not!) and the data from this “address” will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels. Our attack exploits this fact. We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack. The DMP then sees that the data value “looks like” an address, and brings the data from this “address” into the cache, which leaks the “address.” We don’t care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time.
    (via Mike)

    (tags: via:mike prefetchers dmp apple encryption side-channel-attacks cache)

Retailles d’Hosties

  • Retailles d’Hosties

    Absolutely fantastic snack trivia! It seems the ever-sacrilege-loving Quebecois have turned leftover bits of unconsecrated communion wafers into “retailles d’hosties”, or “host cuttings” — a bag of snackable fragments:

    Unsurprisingly, not everyone is a fan of host cuttings. “People are snacking on hosts and host pieces like it’s candy,” one former Catholic missionary complained to the Globe and Mail. “They’re not distinguishing between the body of Christ and something you nibble on at home.”

    (tags: funny catholicism jesus-christ snacks body-of-christ nom quebec)

Fairly Trained

  • Fairly Trained

    Now *this* makes a lot of sense:

    There is a divide emerging between two types of generative AI companies: those who get the consent of training data providers, and those who don’t, claiming they have no legal obligation to do so. We believe there are many consumers and companies who would prefer to work with generative AI companies who train on data provided with the consent of its creators. Fairly Trained exists to make it clear which companies take a more consent-based approach to training, and are therefore treating creators more fairly.

    (tags: ai gen-ai training ml data consent)

What Is A Single-page Application?: HeydonWorks

  • What Is A Single-page Application?: HeydonWorks

    Entertaining rant on the state of web dev nowadays:

    You can’t create a complex modern web application like Google Mail without JavaScript and a SPA architecture. Google Mail is a webmail client and webmail clients existed some time before JavaScript became the language it is today or frameworks like Angular JS or Angular BS existed. However, you cannot create a complex modern web application like Google Mail without JavaScript. Google Mail itself offers a basic HTML version that works perfectly well without JavaScript of any form—let alone a 300KB bundle. But, still, you cannot create a complex modern web application like Google Mail without JavaScript. Just keep saying that. Keep repeating that line in perpetuity. Keep adding more and more JavaScript and calling it good. Incidentally, you do not need to create a complex modern web application like Google Mail with JavaScript or otherwise because it already f**king exists.

    (tags: blog javascript webdev web spa webapps funny rants)

Impacts of active travel interventions on travel behaviour and health: Results from a five-year longitudinal travel survey in Outer London – ScienceDirect

Microplastics found to increase risk of serious outcomes for heart patients

  • Microplastics found to increase risk of serious outcomes for heart patients

    This sounds like a pretty serious issue — “from a prospective study in today’s New England Journal of Medicine: among 257 patients undergoing a surgical carotid endarterectomy procedure (taking out atherosclerotic plaque) with complete follow-up, 58% had microplastics and nanoplastics (MNPs) in their plaque and their presence was linked to a subsequent 4.5 -fold increase of the composite of all-cause mortality, heart attack and stroke […] during 34 month follow-up. [….] The new study takes the worry about micronanoplastics to a new level—getting into our arteries and exacerbating the process of atherosclerosis, the leading global killer— and demands urgent attention.” (via Eric Topol)

    (tags: microplastics plastic sustainability health medicine atherosclerosis papers via:eric-topol)


  • Ubicloud

    “Open and portable cloud” — an interesting idea:

    Ubicloud provides cloud services on bare metal providers, such as Hetzner, OVH, or AWS Bare Metal. Public cloud providers like AWS, Azure, and Google Cloud made life easier for start-ups and enterprises. But they are closed source, have you rent computers at a huge premium, and lock you in. Ubicloud offers an open alternative, reduces your costs, and returns control of your infrastructure back to you. All without sacrificing the cloud’s convenience.
    Currently supports compute VMs and managed PostgresSQL; no S3-alike service (yet). From the team behind Citus Data, the Postgres scaling product.

    (tags: ubicloud cloud hosting vms ops postgres)

Answers for AWS survey results for 2024

  • Answers for AWS survey results for 2024

    This is actually really useful data about which AWS services are good and which ones suck, as of right now. Some highlights: – Simple Queue Service (SQS) is the most loved AWS service with an overall positive/negative split of 98% [SNS also scoring very well]. – GitHub Actions wins every metric in the CI/CD category. – OpenAI has taken the top usage spot away from Amazon Sagemaker in the AI & Machine Learning category [no surprises there]. – ECS continues its reign as the most used container service. – DynamoDB’s dominance over the NoSQL DBs continues for the second year running. – The most polarizing service is CloudFormation – 30% would not use it ever again, while 56% would.

    (tags: aws services ops infrastructure architecture sqs sns dynamodb github-actions ecs via:lastweekinaws)

Italy’s “Piracy Shield” blocked Cloudflare

  • Italy’s “Piracy Shield” blocked Cloudflare

    Italy recently installed the AGCOM “anti-pezotto” system — a web filtering system for the entire country, to block piracy. After only a few weeks, it suffered its first major false positive by blocking a Cloudflare IP: “Around 16:13 on Saturday, an IP address within Cloudflare’s AS13335, which currently accounts for 42,243,794 domains according to IPInfo, was targeted for blocking.” The false positive block lasted for 5 hours before being quietly reverted: “Around five hours after the blockade was put in place, reports suggest that the order compelling ISPs to block Cloudflare simply vanished from the Piracy Shield system.” Cloudflare have written about the risk of false positives from IP blocking in the past:

    (tags: cloudflare ip-blocks blocking piracy anti-pezzoto agcom fail filtering false-positives networking)

DocuSign admit to training AI on customer data

  • DocuSign admit to training AI on customer data

    DocuSign just admitted that they use customer data (i.e., all those contracts, affidavits, and other confidential documents we send them) to train AI: They state that customers “contractually consent” to such use, but good luck finding it in their Terms of Service. There also doesn’t appear to be a way to withdraw consent, but I may have missed that.
    Gotta say, I find this fairly jaw-dropping. The data in question is “Contract Lifecycle Management, Contract Lifecycle Management AI Extension, and eSignature (for select eSignature customers)”. “DocuSign may utilize, at its discretion, a customizable version of Microsoft’s Azure OpenAI Service trained on anonymized customer’s data.” — so not running locally, and you have to trust their anonymization. It’s known that some anonymization algorithms can be reversed. This also relies on OpenAI keeping their data partitioned from other customers’ data, and I’m not sure I’d rush to trust that. One key skill DocuSign should be good at is keeping confidential documents confidential. This isn’t it. This is precisely what the EU AI Act should have dealt with (but won’t, unfortunately). Still, GDPR may be relevant. And I’m sure there are a lot of lawyers now looking at their use of DocuSign with unease. (via Mark Dennehy)

    (tags: ai privacy data-protection data-privacy openai docusign contracts fail)


  • louislam/uptime-kuma

    “A fancy self-hosted [network] monitoring tool”. This is very pretty, offers a compellingly wide set of uptime monitoring features including HTTPS cert validation, can notify via Slack or Telegram, and is self-hosted as a Docker container: – Monitoring uptime for HTTP(s) / TCP / HTTP(s) Keyword / HTTP(s) Json Query / Ping / DNS Record / Push / Steam Game Server / Docker Containers; – Fancy, Reactive, Fast UI/UX; – Notifications via Telegram, Discord, Gotify, Slack, Pushover, Email (SMTP), and 90+ notification services, click here for the full list – 20-second intervals. If I hadn’t already built out a load of uptime monitoring, I might add this one. I may just add it anyway, as you can never have too much monitoring, right? (via Tristam on ITC Slack)

    (tags: monitoring uptime network-monitoring networking ops via:itc via:tristam)

Troy Hunt: Thanks FedEx, This is Why we Keep Getting Phished

  • Troy Hunt: Thanks FedEx, This is Why we Keep Getting Phished

    A legitimate SMS from FedEx turns out to be a really terrible example of what Cory Doctorow was talking about the other day; banks (and shipping companies) are doing their very level best to _train their customers to get phished_ through absolute ineptitude and terrible interfaces:

    What makes this situation so ridiculous is that while we’re all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers! Here we are in the era of burgeoning AI-driven scams that are becoming increasingly hard for humans to identify, and FedEx is like “here, hold my beer” as they one-up the scammers at their own game and do a perfect job of being completely indistinguishable from them.

    (tags: phishing scams troy-hunt fedex australia ux)

How Google is killing independent sites like ours

  • How Google is killing independent sites like ours

    …. “And why you shouldn’t trust product recommendations from big media publishers ranking at the top of Google”. This is an eye-opener — I didn’t realise how organised the affiliate marketing ecosystem was, in terms of gaming SEO. Google are now biasing towards this approach:

    Google has a clear bias towards big media publishers. Their Core and Helpful Content updates are heavily focused on something they call E-E-A-T, which is an acronym that stands for Experience, Expertise, Authoritativeness, and Trustworthiness. The SEO world has been obsessed with E-E-A-T for a few years now, to the point where there is always someone on X (formerly Twitter) discussing how to show experience, expertise, authoritativeness, and trustworthiness. Many of the examples come from dissecting big media publishers like the ones we’ve been discussing in this article. The reason why SEOs look up to these sites is that Google rewards those sites.

    (tags: enshittification internet google reviews seo eeat content publishing bias search-engines)

Air Canada found responsible for chatbot error

  • Air Canada found responsible for chatbot error

    I predict this’ll be the first of many such cases:

    Air Canada has been ordered to compensate a man because its chatbot gave him inaccurate information. […] “I find Air Canada did not take reasonable care to ensure its chatbot was accurate,” [Civil Resolution Tribunal] member Christopher C. Rivers wrote, awarding $650.88 in damages for negligent misrepresentation. “Negligent misrepresentation can arise when a seller does not exercise reasonable care to ensure its representations are accurate and not misleading,” the decision explains. Jake Moffatt was booking a flight to Toronto and asked the bot about the airline’s bereavement rates – reduced fares provided in the event someone needs to travel due to the death of an immediate family member. Moffatt said he was told that these fares could be claimed retroactively by completing a refund application within 90 days of the date the ticket was issued, and submitted a screenshot of his conversation with the bot as evidence supporting this claim. He submitted his request, accompanied by his grandmother’s death certificate, in November of 2022 – less than a week after he purchased his ticket. But his application was denied […] The airline refused the refund because it said its policy was that bereavement fare could not, in fact, be claimed retroactively. […] “In effect, Air Canada suggests the chatbot is a separate legal entity that is responsible for its own actions. This is a remarkable submission. While a chatbot has an interactive component, it is still just a part of Air Canada’s website,” Rivers wrote.
    There’s no indication here that this was an LLM, but we know that LLMs routinely confabulate and make shit up with spurious authority. This is going to make for a lucrative seam in small claims courts.

    (tags: ai fail chatbots air-canada support small-claims chat)

UK COVID vaccination modelling was dependent on a single Pythonista


  • Feber

    a simple, self-hostable group calendar, by Simon Repp:

    Originally just a two-day hack for a friend (‘s shared rehearsal room), a few more weeks of work turned this into a universally usable, polished tool – hopefully of use to a wider public. The short pitch: A single PHP file (+assets) that is compatible with virtually every standard webhost out there, and a database-free design which means setup, backup and transfer is just copying files from one computer/server to another. The interface is responsive, adaptive (dark/light), and built with accessibility (and intent to improve) in mind. As I am by now maintainer of more FLOSS projects than I can reasonably look after in a sustainable fashion while just running on my commitment and love for the cause, this time around I’ve included a possibility to financially support the project. Emphasis on this being optional – Feber is AGPL3+, free to share with anyone, you can pay for it if and as you wish.
    It’s nice to see a neat little self-contained, easily deployed hack like this.

    (tags: oss calendars open-source php web groupware)