• 7 Posts
  • 48 Comments
Joined 1 year ago
cake
Cake day: July 22nd, 2023

help-circle
  • Not fishy at all! It’s like a lockpicking fan asking about locksport.

    If you’re looking for examples, GitHub has a lot of CVE proof-of-concepts and there are lots of payload git repos across git hosts in general, but if you’re looking for a one-stop-shop “Steal all credentials,” or “Work on all OSes/architectures just by switching the compile target,” then you’ll have a harder time. (A do-one-thing-well approach is more maintainable after all.)

    If you want to make something yourself that still tries to pull off the take-as-much-as-you-can, you should just search up how different apps store data and whether it’s easy to grab. Like, where browsers store their cookies, or the implications of X11’s security model (Linux-specific), or where Windows/Windows apps’ credentials and hashes are stored. Of course, there’s only much a payload can do without a vulnerability exploit to partner with (e.g. Is privilege escalated? Are we still in userland? is this just a run-of-the-mill Trojan?).

    Apologies if my answer is too general.






  • Specifically, it refers to a deep understanding.

    [A critic] notes that [the coiner’s] first intensional definition is simply “to drink”, but that this is only a metaphor “much as English ‘I see’ often means the same as ‘I understand’”. (from Wikipedia)

    When you claim to “grok” some knowledge or technique, you are asserting that you have not merely learned it in a detached instrumental way but that it has become part of you, part of your identity. For example, to say that you “know” Lisp is simply to assert that you can code in it if necessary – but to say you “grok” Lisp is to claim that you have deeply entered the world-view and spirit of the language, with the implication that it has transformed your view of programming. Contrast zen, which is a similar supernatural understanding experienced as a single brief flash. (The Jargon File; also quoted on Wikipedia)






  • Speaking of fearmongering, you note that:

    an artist getting their style copied

    So if I go to an art gallery for inspiration I must declare this in a contract too? This is absurd. But to be fair I’m not surprised. Intellectual property is altogether an absurd notion in the digital age, and insanity like “copyrighting styles” is just the sharpest most obvious edge of it.

    I think also the fearmongering about artists is overplayed by people who are not artists.

    Ignoring the false equivalency between getting inspiration at an art gallery and feeding millions of artworks into a non-human AI for automated, high-speed, dubious-legality replication and derivation, copyright is how creative workers retain their careers and find incentivization. Your Twitter experiences are anecdotal; in more generalized reality:

    1. Chinese illustrator jobs purportedly dropped by 70% in part due to image generators
    2. Lesser-known artists are being hindered from making themselves known as visual art venues close themselves to known artists in order to reduce AI-generated issues – the opposite of democratizing art
    3. Artists have reported using image generators to avoid losing their jobs
    4. Artists’ works, such as those by Hollie Mengert and Karen Hallion among others, have been used without their compensation, attribution, nor consent in training data – said style mimicries have been described as “invasive” (someone can steal your mode of self-expression) and reputationally damaging – even if the style mimicries are solely “surface-level”

    The above four points were taken from the Proceedings of the 2023 AIII/ACM Conference on AI, Ethics, and Society (Jiang et al., 2023, section 4.1 and 4.2).

    Help me understand your viewpoint. Is copyright nonsensical? Are we hypocrites for worrying about the ways our hosts are using our produced goods? There is a lot of liability and a lot of worry here, but I’m having trouble reconciling: you seem to be implying that this liability and worry are unfounded, but evidence seems to point elsewhere.

    Thanks for talking with me! ^ᴗ^

    (Comment 2/2)


  • Thanks for the detailed reply! :P

    I’d like to converse with every part of what you pointed out – real discussions are always exciting!

    …they pay the journals, not the other way around…

    Yes of course. It’s not at all relevant?

    It’s arguably relevant. Researchers pay journals to display their years of work, then these journals resell those years of work to AI companies who send indirect pressure to researchers for more work. It’s a form of labor where the pay direction is reversed. Yes, researchers are aware that their papers can be used for profit (like medical tech) but they didn’t conceive that it would be sold en masse to ethically dubious, historically copyright-violating, pollution-heavy server farms. Now, I see that you don’t agree with this, since you say:

    …not only is it very literally transparent and most models open-weight, and most libraries open-source, but it’s making knowledge massively more accessible.

    but I can’t help but feel obliged to share the following evidence.

    1. Though a Stanford report notes that most new models are open source (Lynch, 2024), the models with the most market-share (see this Forbes list) are not open-source. Of those fifty, only Cleanlab, Cohere, Hugging Face (duh), LangChain (among other Python stuff like scikit-learn or tensorflow), Weaviate, TogetherAI and notably Mistral are open source. Among the giants, OpenAI’s GPT-4 et al., Claude, and Gemini are closed-source, though Meta’s LLaMa is open-source.
    2. Transparency is… I’ll cede that it is improving! But it’s also lacking. According to the Stanford 2024 Foundation Model Transparency Index, which uses 100 indicators such as data filtration transparency, copyright transparency, and pollution transparency (Bommasani et al., 2024, p. 27 fig. 8), developers were opaque, including open-source developers. The pertinent summary notes that the mean FMTI company score improved from 37 to 58 over the last year, but information about copyright data, licenses, and guardrails have remained opaque.

    I see you also argue that:

    With [the decline of effort in average people’s fact-finding] in mind I see no reason not to feed [AI] products of the scientific method, [which is] the most rigorous and highest solution to the problems of epistemology we’ve come up with thus far.

    And… I partly agree with you on this. As another commenter said, “[AI] is not going back in the bottle”, so might as well make it not totally hallucinatory. Of course, this should be done in an ethical way, one that respects the rights to the data of all involved.

    But about your next point regarding data usage:

    …if you actually read the terms and conditions when you signed up to Facebook… and if you listened to the experts then you and these artists would not feel like you were being treated unfairly, because not only did you allow it to happen, you all encouraged it. Now that it might actually be used for good, you are upset. It’s disheartening. I’m sorry, most of you signed it all away by 2006. Data is forever.

    That’s a mischaracterization of a lot of views. Yes, a lot of people willfully ignored surveillance capitalism, but we never encouraged it, nor did we ever change our stance from affirmatory to negative because the data we intentionally or inadvertently produced began to be “used for good”. One of the earliest surveillance capitalism investigators, Harvard Business School professor Shoshana Zuboff, confirms that we were just scared and uneducated about these things outside of our control.

    “Every single piece of research, going all the way back to the early 2000s, shows that whenever you expose people to what’s really going on behind the scenes with surveillance capitalism, they don’t want anything to do [with] it. The only reason we keep engaging with it is because we feel like we have no choice. …[it] is a colossal market failure. Because it is not giving people what people want. …everything that’s inside that choice [i.e. the choice of picking between convenience and privacy] has been designed to keep us in ignorance.” (Kulwin, 2019)

    This kind of thing – corporate giants giving up thousands of papers to AI – is another instance of people being scared. But it’s not fearmongering. Fearmongering implies that we’re making up fright where it doesn’t really exist; however, there is indeed an awful, fear-inducing precedent set by this action. Researchers now have to live with the idea that corporations, these vast economic superpowers, can suddenly and easily pivot into using all of their content to fuel AI and make millions. This is the same content they spent years on, that they intended for open use in objectively humanity-supporting manners by peers, the same content they had few alternative options for storage/publishing/hosting other than said publishers. Yes, they signed the ToS and now they’re eating it. We’re evolving towards the future at breakneck pace – what’s next? they worry, what’s next?

    (Comment 1/2)


  • Lots of good answers here but I’ll toss in my own “figure out what you need” experience from my first firewall funtime. (Disclaimer: I used nftables – it should be similar to ufw in terms of defaults though).

    • Right off the bat, everything unneeded was blocked. I “needed” no configuration, except for maybe…
    • Whatever CUPS runs on (when I use it)
    • Sometimes I ran python -m http.server – I unblocked port 8000 for personal use.
    • I chose to unblock port 53 (DNS). I wanted to connect to another computer via hostname IIRC (e.g. connecting to raspberry-pi.local. I might be misremembering this though).
    • At one point I played with NGINX – that’s port 80 (HTTP) and port 443 (HTTPS).
    • SSH was already permitted (port 22 – you need root access to enable traffic through ports below 1024 anyway so this wasn’t an issue for running typical apps)

    I didn’t use WireShark back then, really. I think I just ran something like

    sudo lsof -nP -iTCP -sTCP:LISTEN
    

    which showed me a bunch of port traffic (mostly just harmless language servers).

    You don’t have to dive to deep into all the “egress” and “ingress” and whatnot unless you’re doing something special. Or your software uses a weird port. (LocalSend lol)



  • Obligatory Linux comment (Lemmy moment):

    Windows is used often for its compatibility and defaultness but Linux is interesting in the sense that everything is patchable, everything is tinkerable and configurable. The low resistance to tinkering makes lots of Linux users tinkerers – including tinkering via code.

    I’m not saying wipe your hard drive or even dual-boot. Maybe an older computer or VM could help, depending on what you have. But just in the past week I’ve screwed around in low-to-medium-difficulty Linux projects that configured my lockscreen with C, that implemented mildly usable desktop GUIs with TypeScript, among others – just not-too-committal stuff that has a return value I literally see every time I lock my computer.

    Windows equivalent projects can be harsher on the beginning-to-intermediate curve (back when I first tried out Linux Mint, I’d been struggling to make a bookmark inspector in Visual Studio – ended up Pythoning it instead) – not to say that Windows fun is by any means out-of-reach.


  • My friends Leetcoded and Codeforced quite a lot. Advent of Code is up there too, with the interesting caveat that Advent of Code also teaches you refactoring (due to the two-part nature of every problem).

    However, when I was younger I had contempt for the whiteboard-problem-esque appearances of these, but everyone is different.

    If you look hard enough there is always a project at medium difficulty – not way too hard, like a huge project you feel won’t give you returns – not way too easy, like some cowsay clone. Ever tried making a blog? You can host for free on most Git pages implementations (codeberg, github, gitlab…).

    As for programming books, consider trying security books like Art of Exploitation – in the same strain, CTFs can use a decent amount of code, and they’re fun in terms of raw problem-solving. I started with the Bandit wargame, which does Linux problem solving from any machine that has SSH.

    I’m not by any means a l33t hax3r but I found them pretty fun in my learning journey.


  • Despite the downvotes I’m interested why you think this way…

    The common Lemmy view is that morally, papers are meant to contribute to the sum of human knowledge as a whole, and therefore (1) shouldn’t be paywalled in a way unfair to authors and reviewers – they pay the journals, not the other way around – and (2) closed-source artificially intelligent word guessers make money off of content that isn’t their own, in ways that said content-makers have little agency or say, without contributing back to the sum of human knowledge by being open-source or transparent (Lemmy has a distaste for the cloisters of venture capital and multibillion-parameter server farms).

    So it’s not about using AI or not but about the lack of self-determination and transparency, e.g. an artist getting their style copied because they paid an art gallery to display it, and the art gallery traded rights to image generation companies without the artists’ say (although it can be argued that the artists signed the ToS, though there aren’t any viable alternatives to avoiding the signing).

    I’m happy to listen if you differ!






  • According to tab autocomplete…

    $ git
    zsh: do you wish to see all 141 possibilities (141 lines)?
    

    But what about the sub options?

    $ git clone https://github.com/git/git
    $ cd git/builtin
    # looking through source, options seem to be declared by OPT
    # except for if statements, OPT_END, bug checks, etc.
    $ grep -R OPT_ | grep --invert-match --count -E \
    "OPT_END|BUG_ON_OPT|if |PARSE_OPT|;$|struct|#define"
    1517
    

    Maybe 1500 or so?

    edit: Indeed, maybe this number is too low. git show has a huge amount of possibilities on its own, though some may be duplicates and rewords of others.

    $ git show --
    zsh: do you wish to see all 489 possibilities (163 lines)?
    $ man git-show | col -b | grep -E "^       -" --count
    98
    

    An attempt at naively parsing the manpages gives a larger number.

    $ man $(find /usr/share/man -name "git*") \
    | col -b | grep -E "^       -" -c 
    1849
    

    Numbers all over the place. I dunno.


  • Huh, TIL.

    To be fair, git switch was also derived from the features of git checkout in >2.23, but like git restore, the manual page warns that behavior may change, and neither are in my muscle memory (lmao).

    I’ll probably keep using checkout since it takes less kb in my head. Besides, we still have to use checkout for checking out a previous commit, even if I learn the more ergonomically appropriate switch and restore. No deprecation here so…

    edit: maybe I got that java 8 mindset

    edit 2: Correction – git switch --detach checks out previous commits. Git checkout may only be there for old scripts’ sake, since all of its features have been split off into those two new functions… so there’s nothing really keeping me from switch.