Comment This is one of the major problems with DKIM et al. (Score 4, Informative) 17

For those who don't deal with email infrastructure: there are several technologies (DKIM, SPF, etc.) that have been deployed in attempts to stop email forgery. Each works slightly differently, but the overall concept is that a receiving email server can check that a sending email server is authorized to send messages from the message sender's domain (e.g., "this message presented by mail3.example.net claims to be from joe@example.com; is mail3.example.net allowed to originate email from example.com?") and that messages are cryptographically signed by the sending domain's email server(s). I'm oversimplifying a lot but that's the general idea.

Worth noting is that this tells you nothing about the message, i.e., it's of no value in figuring out if the message is spam or ham. That's because spammers can set up all of this too, and most of them have. It's of no help with the big email providers either: the two biggest sources of spam observed here are Gmail and Outlook, and of course all of those messages pass every one of these checks.

Which brings me to this problem. And that is: if someone gains control of an email account (or an email server) then they can send whatever they want from it until someone notices and shuts it down. And all of those messages will pass all of these checks -- which means that they're highly likely to be accepted by recipient email servers and highly likely to be read by the addressees. And then it gets worse: some of those addressees are using email clients that check message validity and signal it to the user with a green checkmark or the word "verified" or something like that. So even if the message content seems a little sketchy, that might well be enough to convince the person reading it that it IS legitimate...and then bad things happen.

We've spent decades trying to train users to be suspicious of anything that doesn't look right -- with mixed results, of course. But the combination of these technologies and email user interfaces that use them is undoing that training. Users are being conditioned to believe what their email client tells them to believe, and this is going to have dire consequences.

Comment Re:Former teacher here (Score 3, Insightful) 132

This. A thousand times this, especially the last point. We've held out education as a means to a happy, successful life -- and it's not. Not any more. It's become a means to barely surviving in an increasingly bleak world ruled by fascists and billionaires.

And the kids know it. They may not be able to articulate it quite so succinctly, they may not even know what the problem really is -- but they know it because it's all around them. They see it in their parents' faces and hear it in the news. They know that many things have seriously gone wrong.

We have to fix those things if we want those kids to have some hope. And one of the things that we have to fix is the Republicans' half century of war on education -- of all kinds, at all levels. Republicans figured out, in the 1970s, that intelligent, educated, literate, thinking people were increasingly leaving their party. And rather than introspecting and changing themselves, they decided to destroy education. We are where we are now because they've spent half a century wrecking it and they're still doing it today. They're working to create an illiterate and uneducated electorate because that's their core constituency: those people are easy to manipulate into voting for the very people who are destroying them.

Comment This is how 'nix tools SHOULD be written (Score 1) 29

This tool does one thing and only one thing, which is exactly how tools should be designed and written. Overly-complex tools are a sign of a poor design process, and they actually make things much more difficult than simple tools which can be combined to perform complex tasks. I'm not happy that this had to be written, because we find ourselves in an unfortunate position just now, but I'm delighted that Nuyens took the correct approach to the problem, wrote a tool to handle it, and stopped there.

I've got a copy of this and am going to spend part of this evening combining it with our monitoring environment, so that I can track the systems that it has been run on/needs to be run on. I anticipate that to be easy because of everything I wrote in the first paragraph.

Comment Given that OpenAI has been compromised... (Score 2) 69

...this seems like a very bad no good awful idea. Any attacker that penetrates OpenAI will be one hop from every bank account connected to ChatGPT.

OpenAI admits compromise: OpenAI caught in TanStack npm supply chain chaos after employee devices compromised

Of course, OpenAI is minimizing the extent of that because that's what everyone always does: they lie, because it's profitable and there are no penalties for doing so. But I have no doubt whatsoever that (a) this breach is much worse than they're letting on (b) it's not the first breach (c) it's not even the only current breach and (d) it certainly won't be the last one. Those are easy bets because OpenAI is skimping on everything except hype, and their operational security is neither operational nor security.

TL;DR: if you hand over your bank account to ChatGPT, you're handing it over to everyone who hacks OpenAI -- and that won't be a short list.

Comment Welcome to the Panopticon... (Score 4, Interesting) 67

...that you built. Pervasive surveillance looks and feels a bit different from the inside, doesn't it?

On the other hand: it's well past time for programmers, sysadmins, network engineers to unionize, so if this happens to kickstart such a movement, I'm certainly in favor of that.

Submission + - Telegram hosted an online "rape academy" (msn.com)

Arrogant-Bastard writes: "A Telegram group called 'ZZZ' has been exposed as a venue where men exchanged advice on how to sexually assault women. The group has since been deleted, and an investigation is currently underway.

According to reports, a former member of the group detailed what had been taking place for months. Members also exchanged videos of their assaults on women who were either drugged, intoxicated, or asleep."
This stems from a CNN investigation that's documented here: CNN uncovers hidden online network teaching sexual abuse. (Note: unfortunately, that article has been contaminated by CoPilot. But it's still worth reading.)

Comment They've realized the US is run by a thug (Score 4, Interesting) 95

One phone call to Bezos, or Pichai or any of the others, and even the most sensitive EU data will be in the hands of the US government within hours. (Surely nobody can think these leashed pets will say no.) There's zero respect for security, privacy, national sovereignty, or the consequences.

The same thing is happening in Canada, and it will happen elsewhere. The Cloud Act plus the descent of the US into a fascist oligarchy has made this inevitable, and all of these countries have realized that they need to plan tech, and defense, and energy, and everything else to work with zero reliance on the US.

The US response to this will be threats and tariffs, of course. They won't work: they'll only convince the EU to move faster.

Comment Our archive is also struggling (Score 4, Interesting) 73

I've spent most of the past decade working (for free) on an archiving project for a nonprofit organization. This is a labor of love for me: it's a chance to use a lifetime of technical skills to help preserve the past for the future. I've put in every spare minute that I can, and have given up most other things in my life to do so. I have to: there isn't anyone else with the requisite skill set to do this work for free, and the organization certainly can't afford to pay anybody.

The AI companies have created two massive problems for us. The first is their web scraping, which is way beyond abusive: it's an attack. Yes, YES, I know about all the techniques to block it and I've deployed a bunch of them, but every minute spent doing that is a minute not spent doing actual archiving work. And even if I managed to blunt most of these attacks, at least one will get through, and they'll steal everything we've posted (for free) and use it (for profit), against our terms of service and against the express wishes of the people who donated materials to us...which is making it vastly harder to convince donors to help us.

The second is the topic of this discussion: disk drives. We don't need the biggest and the fastest, but we need a lot of them because we're maintaining replicas of the archive in geographically distributed locations. And like everyone else, we either can't find them or we can't afford them. I've been using eBay and Craigslist and I've even been going to estate sales to try to pick up used external USB/firewire drives and old desktop PCs so that I can pull the disks and hope they test okay. Again: every minute spent doing that is a minute not doing actual archiving work. (Also: because some of these disks have a lot of hours on them, I have to consider probable remaining lifetimes and account for that.)

This is maddening and heartbreaking at the same time. And the thing is: I've spent a lot of time interacting with other people in this space: GLAM (galleries, libraries, archives, museums). Everybody has this problem. All of these people, who definitely aren't doing their jobs because of the lavish pay and spectacular benefits but because they appreciate and love the cultural area(s) they're in, are all struggling. And none of these institutions have the money to truly address the situation: they're all underfunded because they've always been underfunded.

TL;DR: this is cultural vandalism conducted by billionaires who are willing to burn the entire world down for money and power.

Comment This is a systemic problem, not an isolated one (Score 5, Insightful) 43

1. A few decades ago, universities/colleges ran their own IT infrastructure: email, web, applications, etc. But grossly-overpaid administrators decided that competent, experienced IT staff making far less were expendable and they began outsourcing everything they possibly could -- because, of course, reducing the number of administrators and their compensation was never an option.

The consequences of that are now here. What were 8,000 targets are now: 1. And this isn't the only such application -- for example, much the same thing is true of email. And thus attackers now have the luxury of focusing their efforts on a single target and leveraging that into extortion against 8,000. None of the clueless, selfish, ignorant administrators responsible for this debacle will admit any responsibility -- ever. They're too busy enjoying their mansions while graduate students struggle to afford ramen for breakfast, lunch, and dinner, and junior faculty are forced to moonlight in order to make ends meet.

2. Instructure is following the standard playbook here: lie, lie, lie. They're doing that because they know they can and because no one will ever hold them accountable. It's clear from what we already know that this was a very thorough hack, Instructure knows it was a very thorough hack, and they're doing everything they can to hide that fact. And as a result of that, they're deliberately making it impossible for everyone at those 8,000 institutions to understand what really happened and to take appropriate defensive measures (if any, if possible). Instructure isn't in the least bit concerned about the damage done to all the students and faculty; Instructure only cares about itself.

Comment Re:Just... no. (Score 1) 162

Exactly so. And exacerbating the situation is that distribution losses mean that running 1000 minicenters will use MORE power than 1 center with 1000 times the capacity.

Then, as you noted, there's the cooling problem, which also doesn't scale. Neither does the noise problem: people live in quiet places because, well, quiet. A thousand little data centers running 24 hours a day isn't going to mesh well with that.

This entire concept is insanely stupid -- but no doubt some VCs will throw money at these morons and they'll profit handsomely.

Comment This is an astonishingly bad idea (Score 4, Interesting) 135

All it would take is one phone call from Diaper Donnie to his pet fascist Elmo and every bit of data/metadata available on those terminals would be furnished to the Russians and thus would shortly be in the hands of the IRGC. (And if you're about to ask why in the world he would do that: keep in mind that we're talking about a moron with accelerating dementia who is incapable of understanding ANY concept, who cannot formulate a coherent plan for anything, and whose only values are his ego and his money.)

Less dramatically: if you're an insurgent force in a modern country, the last thing in the world that you want to do is communicate by any form of electronic network. Surveillance and detection methods for these are well-known and readily available. And even if the communications themselves are encrypted, the metadata available enables traffic analysis, correlation with external events (including those arranged for the purpose), and endpoint identification.

In such an environment, it's much better to use encrypted memory cards distributed by couriers and dead drops. The cost of attempting to disrupt such an effort is many orders of magnitude higher, both in terms of money and personnel, than the cost of disrupting electronic distribution.

Comment Best practice is preemptive blacklisting (Score 1) 19

The moment these new TLDs are announced, I recommend permanently blacklisting them in your mail system; using DNS RPZ to remove them from your view of DNS; and permanently blacklisting them in any HTTPS proxies you might be running. Don't wait for them to go live and for the abuse to start: it will start because it always does: that's why these TLDs exist. Just cut to the chase, blacklist them, and forget about them.

If this causes a problem for anyone: it's their own fault. They shouldn't be supporting this debacle by investing in it. Let them burn.
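An added example (not from the comment's author) of the DNS RPZ part of that recommendation, written as a BIND response-policy zone; `example-tld` is a placeholder for whichever new TLD is being blocked, and the mail-system and HTTPS-proxy blacklists the comment also mentions are not shown:

```zone
; Constructed example BIND RPZ zone: every name under a blocked TLD
; returns NXDOMAIN to the resolver's clients, whether or not the TLD
; has been delegated yet. Declare it as an ordinary master zone named
; "rpz.local" and enable it in named.conf with:
;   response-policy { zone "rpz.local"; };
; "example-tld" is a placeholder for the TLD you are blocking.
$TTL 300
@               IN SOA  localhost. hostmaster.localhost. (
                        2024010101 ; serial: bump on every change
                        3600       ; refresh
                        900        ; retry
                        604800     ; expire
                        300 )      ; negative-cache TTL
                IN NS   localhost.

; The TLD apex itself plus everything beneath it.
; In RPZ, CNAME to "." means "answer NXDOMAIN".
example-tld     IN CNAME .
*.example-tld   IN CNAME .

; Further blocked TLDs get the same pair of records each.
; If a single name must be exempted, a more specific owner name
; with the rpz-passthru. target overrides the wildcard:
; ok.example-tld  IN CNAME rpz-passthru.
```

Reload the zone after each edit and confirm with a query against the resolver that a name under the TLD now returns NXDOMAIN.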

Comment This is what uncurated training causes (Score 5, Insightful) 44

When you're trying to train a model, it's critically important that you scrutinize every piece of training data -- meticulously. The larger and more complex the model, the more important this becomes.

If you neglect this, then the model may fail in anomalous and unpredictable ways. In other words: you can run 10,000 tests and they'll all be just fine, but when you run the 10,001st, the model fails. Worse, you won't know how...or why...or how to fix it, because the answers to those questions are buried in a network too large for a human being to comprehend. This problem has been well-known for decades; it's how things like this: Tesla Autopilot Confuses Boy In Orange Shirt For A Cone In Brazil happen. They thought they were training the vision system to recognize traffic cones; they were really training it to recognize orange objects of a certain size and height:width ratio.

Faced with this situation, you can either (a) go back and figure out what you did wrong in the training process or (b) slap a half-ass patch on this particular failure to just make it go away. Choosing (b) is simple and quick and easy and cheap. But if you pick that choice and skip (a), then you have zero assurance that the 15,027th test or the 21,922nd test won't fail just as badly, because you did nothing to address the root cause.

And predictably, this -- choice (b) -- is what OpenAI has done. It's predictable because they made no attempt whatsoever to curate the training data in the first place -- they just stole everything they could from the entire Internet -- because they're cheap and lazy and in a hurry to cash in before the bubble bursts. This move is entirely consistent with that approach. I would call it "poor software engineering" but it doesn't even deserve to be in the same sentence with "engineering".

Comment When Microsoft buys something.... (Score 5, Insightful) 82

...it's time to bail. The same for Oracle or Salesforce and for some others. As soon as the acquisition is announced, it's time to make a plan to move to something else somewhere else. These companies have an absolute talent for destroying everything they touch, and they can do it surprisingly quickly.

This is very difficult for some people; I understand. I had a hard time letting go of Sun after having been a customer since before they had customers. But it's necessary, because any/all attempts to stay the course are inevitably doomed. It's better to rip the bandaid off as soon as possible, drink a toast to what was, and leave it behind.
