
chameleon

@chameleon@kbin.social

i'm lizard 🦎

This profile is from a federated server and may be incomplete. Browse more on the original instance.

chameleon

And they're also deleting/deleted all classic Minecraft accounts from before that. They invented an incredibly weird and needlessly obtuse process to extend the migration deadline by 3 months (true final deadline is now mid December 2023), but that's seemingly it. Everyone not paying too much attention to their email just gets $30 worth of game deleted because of a completely arbitrary decision.

chameleon

A biggie you miss is the toolchain: the compiler/binutils/linux-headers/libc/libstdc++ combination. The libc and usually libstdc++ are key components of any install. The other parts usually don't make it to non-dev-desktops, but the distro couldn't be made without them, so they're virtually always available as packages.

Only exception is if the entire distro is cross-compiled or it's made exclusively for containers, but those kinds of special distros break every rule imaginable anyway. Some might not even ship a bootloader or a Linux kernel by themselves.

chameleon

Don't bother "securing" directories like that. The meaningful permission bit is the write permission on the directory holding the file. cat ~/.bashrc > ~/.bashrc.new; put-malware-in ~/.bashrc.new; rm -f ~/.bashrc; mv ~/.bashrc.new ~/.bashrc or the like will still work if you have write permissions to /home/username at all. Marking the file immutable with chattr +i as root might be slightly more effective, but realistically still not enough in a lot of cases as the parent directory can still be renamed. Not to mention you've only found some of the low-hanging fruit; your text editor most likely also has a few ways to accomplish arbitrary code execution in its config/scripting/plugin files but it absolutely doesn't stop there.

Don't bother buying old systems because they can have free firmware. Ever since Spectre, CPU vulnerabilities have made old machines completely unsuitable for high-security purposes time and time again. Not all mitigations are equally effective and with mitigations on, performance takes a massive hit on those 10 year old machines. If you can get a reasonably new system with free firmware, that's good, though.
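The point in the comment above about directory write permission, as an added example that is not part of the original comment: `can_replace` judges from the parent directory's mode bits whether a user can swap out a file, and `demo` shows a read-only file being replaced in a constructed temporary directory. The function names, the `rcfile` stand-in and the audited path list are assumptions; ACLs, `chattr` flags and LSM policy are ignored.

```python
import os
import stat
import tempfile


def can_replace(path, uid, gids=()):
    """Mode-bit check: can `uid` swap out the directory entry for `path`?

    Replacing a file (unlink/rename) needs write+search permission on the
    parent directory; the file's own mode is irrelevant. ACLs, chattr flags
    and LSM policy are not considered (assumption of this sketch).
    """
    if uid == 0:                        # root bypasses mode bits
        return True
    parent = os.path.dirname(os.path.abspath(path))
    d = os.stat(parent)
    if uid == d.st_uid:                 # permission classes are exclusive
        need = stat.S_IWUSR | stat.S_IXUSR
    elif d.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if d.st_mode & need != need:
        return False
    # Sticky directory (like /tmp): only the owner of the entry or of the
    # directory may rename or unlink it.
    if d.st_mode & stat.S_ISVTX and uid != d.st_uid:
        try:
            return os.lstat(path).st_uid == uid
        except FileNotFoundError:
            return True                 # nothing there yet, creation is allowed
    return True


def demo():
    """Constructed case: a read-only file in a directory its owner can write."""
    with tempfile.TemporaryDirectory() as home:
        rc = os.path.join(home, "rcfile")        # stand-in for ~/.bashrc
        with open(rc, "w") as f:
            f.write("original\n")
        os.chmod(rc, 0o444)                      # the "secured" file
        mode_before = stat.S_IMODE(os.stat(rc).st_mode)
        new = rc + ".new"
        with open(new, "w") as f:
            f.write("replaced\n")
        os.replace(new, rc)                      # rename over the read-only file
        with open(rc) as f:
            content = f.read()
        return mode_before, content, can_replace(rc, os.stat(home).st_uid)


def audit(paths, uid=None, gids=None):
    """Return the files whose parent directory lets `uid` replace them."""
    uid = os.getuid() if uid is None else uid
    if gids is None:
        gids = set(os.getgroups()) | {os.getegid()}
    return [p for p in paths if can_replace(os.path.expanduser(p), uid, gids)]


if __name__ == "__main__":
    print(demo())
    # Constructed list of startup files to review (assumption).
    print(audit(["~/.bashrc", "~/.profile", "/etc/profile"]))
```

Any file `audit` returns for an unprivileged account is only as protected as the directory that holds it, whatever its own mode says.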

chameleon

DSP doesn't have builtin controller support, so I'd be leery recommending it for Deck unless you're used to more complicated manual input mapping. Hardware-wise, it's more than capable as long as you don't go megabasing postgame.

DSP also doesn't do cloud saves, so you gotta be careful with your wineprefix.

chameleon

I think most people don't realize how unusual their company structure is. It feels like it's set up to let them do exactly that. As far as I can tell, once you look past the smoke and mirrors, the board effectively controls both the non-profit and the for-profit.

chameleon

AWS has a shitton of in-house "Graviton" ARM stuff available and the ARM server chips from Ampere are popping up in more and more places as well. Most Linux servery distros have ARM images available now, and most software builds without major changes. It's a slow transition but it's already happening.

chameleon

The URL might be broken but the DOI is in there, and from there you can find the article quite trivially. It's a free article, even. https://doi.org/10.1093/biosci/biad080 -> https://academic.oup.com/bioscience/advance-article/doi/10.1093/biosci/biad080/7319571

chameleon

The badness this game had at launch really can't be overstated, though. At launch, this was a paid early access always online mostly-singleplayer-with-coop game with a premium currency shop and a battle pass. And it was one of those games where the shop was the most fleshed out part.

They've added offline mode and are now reworking the microtransactions to Steam DLC, but I'm still very skeptical of them. That launch was so blatantly over the top bad.

chameleon

Monochrome/grayscale/otherwise extremely desaturated icons. Just... why? They're so much harder to parse and remember.

chameleon

The current advisory is in webm (VP8 specifically). The webp one was 2 weeks ago. ...yeah, not a good time for web browsers lately...

(edit: noticed OP actually did link the webp one, I thought it'd be CVE-2023-5217 because that's being linked elsewhere)

chameleon

AGI (artificial general intelligence) is the current term for "The Concept Formerly Known As AI". Not really a new term, but it's only recently that companies decided that any algorithm can qualify as regular "AI" if they consider it good enough.

chameleon

It was made as result of an EU settlement that only lasted about 5 years. https://en.wikipedia.org/wiki/BrowserChoice.eu

I have absolutely no idea why they figured 5 years would be good enough.

chameleon

You haven't been able to give them nothing for over 2 years now. For this particular bundle, the minimum split for Humble is 30% and the default split is an insane 45% to Humble, 50% to the company and 5% to charity.

Humble is unfortunately still coursing by on their old reputation of being charity-friendly, but they changed to be one of the worst players around years ago. That goodwill from back then has really been depleted.

chameleon

I think this one will work. Most of these games are already "multihomed" on different ad networks and display the one that is most profitable to them at any given time, or a semi-random mixture. The differences in profitability aren't that huge, and it will get even worse if advertisers run away from Unity too. Unity is making an absolute killing from their ads division, and this is now being threatened.

And who are the advertisers? Other game devs. The whole mobile game advertising scene is one gigantic ouroboros with the ad platforms cutting off a huge portion in the middle. If you leave, you're going to both stop showing ads and stop your advertising there.

chameleon

Yeah on second thought it's maybe a bit more vivid than intended, but it fits what I think is going to happen. Below the top 1-2% of mobile games, it's one big pile of endlessly recycled advertising money. Spend a million in ads, make $800k in ads and $500k in microtransactions, and the $300k is where you have to pay everything else from. Unity is about to bite into that hard and doesn't care if it leaves behind some wounds.

chameleon

Even if the source is kept decently preserved, the build environments are usually not. If they still have a machine in the exact state it was in at the time the game was finished, it might be as easy as Project -> Build, but... they almost certainly don't. So that likely has to be rebuilt from scratch, and you'd be very lucky to find any kind of documentation on how things worked.

Game studios tend to have it particularly bad because of how much binary-only engines/middleware (standalone bits like Havok physics/Bink video/etc) they used, how often the game's data and code builds were mixed together in some way and how in some cases the project is designed to build things like console releases at the same time. If you lost the install files for your physics engine, you're probably straight up screwed.

By the time you've figured all of that out, you can be easily hundreds of hours in, with tons of weird little issues that might require different people to solve. Some examples: you might end up needing to build it in Windows XP because no other OS runs all of the software used during the build, any sysadmin is NOT going to be happy installing WinXP on their network so the machine has to stay offline, getting code onto that machine might be a pain due to how Perforce or whatever is used by them, even things taken for granted like a particular version of the DirectX 9 SDK might be hard to find, etc. Sometimes licensing/activation of tools used in the build process is an impossible to solve problem because it needs some DRM dongle or activation server that no longer exists and the software was never publicly available, so there is no crack.

chameleon

Upgrading would have involved signing a new 2 year deal. It's just a fancy-sounding financing program; the 2 years were to pay for the device they've had for 2 years. I'll never understand the appeal of buying a high-end/expensive phone on such a program because you'll be stuck paying for something outdated by the end of it, but shrug, that's not unique to Google.

chameleon

I suppose that's true for some types of financing, but looking more into this particular plan, it all comes down to how much you value the bundled services... and they don't seem stellar to me. The math I'm seeing from the time of announcement suggests you'd pay $1080 for a $599 smartphone or $1320 for a $899 smartphone. Even if you were planning on paying for YouTube Premium at full price, inflation still has a tough time beating that.

chameleon

"If we don't let the oppressors roam freely, they might try to oppress you" is not something I expected to read from the EFF today. But well, here we are.

It has been standard internet behavior that if a platform does not have the proper response to abuse complaints, you move up a layer higher until you find someone that is receptive to it. This has been standard operating procedure for more or less the entirety of the current millennium, and this article has done absolutely zero work to provide a good reason it should be anything otherwise, other than bringing up generic "free speech" stuff.

You should not get a path out of that process because one layer immediately above the problematic entity is actively choosing to disregard abuse complaints. You simply move up to the next step. And this process simply must keep existing, as doing anything otherwise is to allow people to pull off all kinds of bad things; scams, spam, illegal activity and far more.

And if you abolish the non-legal form of that process? Well, there's still a legal process - and as soon as someone that wants to censor minorities gets control over the legal process, they will simply change the rules in their favor, as has happened countless times in the past.

chameleon

If such a process existed, the entity in question would almost certainly end up being shut down by that process, unless they find a funny technical loophole around it, in which case that would be a failure of the law that should not be rejoiced by anyone.

But as it stands, that law and process does not exist; ISPs already can and will shut you down for things like downloading copyrighted content (with or without complaints from the copyright holder), tethering without approval, being a technical nuisance in the form of mass port scanning, hosting insecure services and other such stuff. "Hosting a platform solely dedicated to harassment and stalking and ignoring abuse complaints about it" absolutely deserves to be on that list.

Linux 6.5 Released With AMD P-State EPP Default, USB4 v2, MIDI 2.0 and More Hardware Bits (www.phoronix.com)

Linux 6.5 has many great features from the AMD P-State EPP driver default rather than ACPI CPUFreq for Zen 2 and newer supported AMD Ryzen systems, initial USB4 v2 enablement, initial MIDI 2.0 kernel driver work, more Intel hybrid CPU tuning, and a whole lot more....

chameleon

I can't really blame the manufacturers because the USB-IF's suggested schemes would just confuse people even more. If people see 10Gbps on the box they're gonna assume it can do 10Gbps, but tons of stuff ends up capped well below the USB link speed (most everything based on SATA<->USB converters internally is 6Gbps max).

It's choosing between a bad naming scheme or something a lot of consumers would interpret as a straight up lie.

chameleon

All of this stuff is A/B tested, region/locale divided, edition divided, hardware divided, based on what other stuff you've agreed to and more. You don't have to do anything to encounter this stuff.

chameleon

I find it strange Nebula is both the cheapest streaming sub I have as well as the one I get the most use out of. I will say I'm slowly getting tired of it though, it's getting to the point it needs a block creator button. Getting rid of clickbait was a selling point but it's starting to creep in hard, there are stupid red arrows pointing at random things and obviously poor titles all over the recent videos page. It wasn't like this a year ago.

chameleon

You don't own a photo someone else made of you IRL either. Personality rights are closer to trademark.

chameleon

Personality rights are not copyright. At all. It's just that simple. Entirely different branch of law, enforced at an entirely different level in the US (state-specific instead of federal). Something can be totally free of copyright while also still being illegal to distribute for entirely different reasons.

chameleon

That's a somewhat unknown subject given the way personality rights are written across the globe (they are not consistent and some are built on an invasion of privacy scenario only). Deepfake porn lives in extremely muddy largely-untouched ground. But if it is illegal, it would simply never happen under copyright law, and this ruling does not affect it.

Let me put it this way: If I break into your house and film you doing whatever then post it on YouTube, it'll end up getting me penalized for breaking and entering, property damage, violation of privacy and who knows what else; probably a huge laundry list that'll land me locked up for a good chunk of time and you'd win on all those counts. But one you're extremely unlikely to win is copyright, unless I happen to film something like some piece of art you've made yourself in the process.

Alpine LXCs in Proxmox (lemmy.world)

I recently moved Nextcloud and Gitea from Containers on a Debian VM to Alpine LXCs running Alpine’s packages. I’ve never had Nextcloud’s web interface so snappy and my resource usage for both is next to 0. If you’re running Proxmox I’d highly recommend trying out Alpine LXCs if they package your services.

chameleon

As pointed out, the DNS issue was fixed, and the other point made about Python wheels has also been addressed; quite a good chunk of packages on PyPI have had a musl wheel added in the past 6 months or so, including numpy & scipy. I'm also not certain if the Go part is true; probably somewhere around half of the Go apps I'm running as a container are running or were built on an Alpine base.

chameleon

I can't speak for Apple but Google does. It falls under their user-generated content policy which requires you to "Provides an in-app system for blocking UGC and users". Google is generally the more lenient of the two when it comes to policies, so I'd be highly surprised if Apple didn't have it...

chameleon

You can easily end up with A gifting B a million and then B sending A the NFT for free, potentially with a trusted escrow service in between to make sure both of these actually happen. The NFT marketplaces are essentially already acting as escrow, so this isn't weird.

Only thing you could probably enforce is that moving something from one key to another requires a fee to be paid to the original artist, but that'd also trigger if A wants to move their assets to a different key (eg in or out of some hardware wallet, online wallet or marketplace). And if A and B trust each other strongly they can simply share the key.

chameleon

The argument does exist. This article by PEN America is one of the most widely spread ones and largely misrepresents the situation. It's based on a PopSci article with a similar headline, though the contents of the article tell a rather different story.

Nothing really says out loud what's going on: Republicans enacted an extremely vague and unrealistically short deadline book ban as part of a bill (that does some other stuff like removing AIDS education), forcing schools to either throw out every book that might be vaguely suspect or resort to funny measures like this. This school's use of ChatGPT was purely to save books that were on a human-assembled list of challenged books, to reduce the negative effect of the book ban, while being potentially defensible in court (remains to be seen how that'll work out, but they made an "objective" process and stuck to it - that's what matters to them).

chameleon

Okay, the thing that really matters to me:

“Frankly, we have more important things to do than spend a lot of time trying to figure out how to protect kids from books,” Exman tells PopSci via email. “At the same time, we do have a legal and ethical obligation to comply with the law. Our goal here really is a defensible process.”

According to Exman, she and fellow administrators first compiled a master list of commonly challenged books, then removed all those challenged for reasons other than sexual content. For those titles within Mason City’s library collections, administrators asked ChatGPT the specific language of Iowa’s new law, “Does [book] contain a description or depiction of a sex act?”

It really only got rid of things that would've otherwise had to go to begin with, while saving a few others.

It feels a bit closer to malicious compliance more than truly letting the AI decide the fate of things, and doing full proper compliance within the 3 months they were given would've been nigh impossible. I'm suspecting that the lawmakers were hoping that by giving them such a small timeframe, schools would throw everything vaguely suspect out. This ultimately leaves more books accessible, which I consider to be a good end result, even if the process to get there is a little weird.

chameleon

If you're making something to come up with recipes, "is this ingredient likely to be unsuitable for human consumption" should probably be fairly high up your list of things to check.

Somehow, every time I see generic LLMs shoved into things that really do not benefit from an LLM, those kinds of basic safety things never really occurred to the person making it.

chameleon

I do and I can confirm there are no requests (except for robots.txt and the odd /favicon.ico). Google sorta respects robots.txt. They do have a weird gotcha though: they still put the URLs in search, they just appear with a useless description. Their suggestion to avoid that can be summarized as: don't block us, let us crawl and just tell us not to use the result, just trust us! when they could very easily change that behavior to make more sense. Not a single damn person with Google blocked in robots.txt wants to be indexed, and their logic on password protecting kind of makes sense but my concern isn't security, it's that I don't like them (or Bing or Yandex).

Another gotcha I've seen linked is that their ad targeting bot for Google AdSense (different crawler) doesn't respect a * exclusion, but that kind of makes sense since it will only ever visit your site if you place AdSense ads on it.

And I suppose they'll train Bard on all data they scraped because of course. Probably no way to opt out of that without opting out of Google Search as well.

chameleon

I guess a CEO opened the YouTube frontpage while logged out and went "what is this shit".

But seriously, this seems like it's a good thing overall. The "default"/empty history algorithm recommendations are truly, truly horrifying more often than not. It's almost entirely low-quality clickbait and I can't imagine many people actually appreciate it like that.

chameleon

The attester here is really mostly Google's Android/Play Services/(ChromeOS) team, not Google's Chrome team. Chrome is really just responsible for passing it along and potentially adding some more information like what kind of extensions are in use, but the real validator is above Chrome entirely.

There will not really be a worthwhile key inside Chrome (there might be one that does nothing by itself); it'll be backed by the existing per-device-unique key living inside your phone's secure enclave. Extracting one key would just cause Google to ban it. That attestation covers the software in the secure enclave, your device's running OS, bootloader unlock state and a couple of other things along those lines; the OS, guaranteed to be unmodified by the hardware attestation layer, then adds extra stuff on top like the .apk hash of the browser. The browser, guaranteed to be unmodified by the OS layer, can add things like extension info if it wants to.

SafetyNet/Play Integrity have both software and hardware modes, but all Android+Google Services phones released in the previous 6? or so years have been required to have hardware backed attestation support, which has no known bypass. The existing "Universal SafetyNet Fix" pretends to be a phone without hardware support which Google begrudgingly accepts... for now. But the day where Google will just screw over older phones is getting increasingly closer, and they already have the power to force hardware backed attestation for device-specific features like NFC payments and DRM support.

On Apple devices, Apple has parallels via their secure enclaves in the form of App Attest/DeviceCheck. On Windows desktops, there could be a shoddy implementation with TPMs (fortunately they're not quite powerful enough to do this kind of attestation in a tamper-proof way; Microsoft's Pluton chips might have some secret sauce we haven't yet seen, though). On Linux desktops... nope, ain't no support for this coming anytime ever.

chameleon

In seriousness: it's in 6.4.6, 6.1.41 and a bunch of other kernel versions released yesterday.

chameleon

The report hints at it but doesn't really say it out loud: get rid of one particular server and there goes 99% of it, along with 90% or so of the overall Japanese userbase (as they were the first big Japanese instance and had a mostly-trusted locally relevant company behind it). But nearly every non-Japanese-orientated instance already either fully defederated from it or has something to strip media content from it. It's essentially its own thing not really related to Mastodon aside from the software in use.

chameleon

A lot of smaller Masto/Pleroma/other "microblog" side of the verse admins signed FediPact. It's mostly smaller instances, but there's still a good amount of them and it's enough that Meta will at least face some struggles in wide federation.
