Unlurker|Replay|About
↙ time adjusted for second-chance
Trivy under attack again: Widespread GitHub Actions tag compromise secrets (socket.dev)
How the heck are credential compromises still a thing with 2FA and refresh tokens???
GG
jj
You're supposed to scan for vulnerabilities, not become one!
I always run such tools inside sandboxes to limit the blast radius.
The sandbox will need internet access (to update data) and you will need to send code to test into it; so compromise already equals leaking all your code, without even breaking the sandboxing
> The sandbox will need internet access (to update data) and you will need to send code to test into it; so compromise already equals leaking all your code, without even breaking the sandboxing Compromising all code in one directory is bad. Compromising all my data in all other directories, including mounted cloud drives, is worse. I restrict most dev tools to access only the current directory.
Friendly reminder that just because someone is building security software it doesn't mean they are competent and won't cause more harm than good. Every month the security team wants me to give full code or cloud access to some new scanner they want to trial. They love the fancy dashboards and lengthy reports but if I allowed just 10% of what they wanted we would be pwned on the regular...
Granting broad access to "security" tools so some vendor can take another shot at your prod keys is not risk reduction. Most of these things are just report printers that makes more noise than a legacy SIEM, and once an attacker is inside they don't do much besides dump findings into a dashboard nobody will read. If you want less self-inflicted damage, stick new scanners in a tight sandbox, feed them read-only miror data, and keep them away from prod perms until they have earned trust with a boring review of exactly what they touch and where the data goes. Otherwise you may as well wire your secrets to a public pastebin and call it testing.
↙ time adjusted for second-chance
BIO: The Bao I/O Coprocessor (bunniestudios.com)
I loved this article and had wanted to play with PIO for a long time (or at least, learn from it through playing!). One thing jumped out here - I assumed CISC inside PIO had a mental model of "one instruction by cycle" and thus it was pretty easy to reason about the underlying machine (including any delay slots etc...). For this RISC model using C, we are now reasoning about compiled code which has a somewhat variable instruction timing (1-3 cycles) and that introduces an uncertainty - the compiler and understanding its implementation. I think this means that the PIO is timing-first, as timing == waveform where BIO is clarity-first with C as the expression and then explicit hardware synchronization. I like both models! I am wondering about the quantum delays however that are being used to set the deadlines - here, human derived wait delays are utilized knowledge of the compiled instructions to set the timing. Might there not be a model of 'preparing the next hardware transaction' and then 'waiting for an external synchronization' such as an external signal or internal clock, so we don't need to count the instruction cycles so precisely. On the external signal side, I guess the instruction is 'wait for GPIO change' or something, so the value is immediately ready (int i = GPIO_read_wait_high(23) or something) and the external one is doing the same, but synchronizing (GPIO_write_wait_clock( 24, CLOCK_DEF)) as an alternative to the explicit quantum delays. This might be a shadow register / latch model in more generic terms - prep the work in shadow, latch/commit on trigger. Anyway, great work Bunnie!
The idea of the wait-to-quantum register is that it gets you out of cycle-counting hell at the expense of sacrificing a few cycles as rounding errors. But yes, for maximum performance you would be back to cycle counting. That being said - one nice thing about the BIO being open source is you can run the verilog design in Verilator. The simulation shows exactly how many cycles are being used, and for what. So for very tight situations, the open source RTL nature of the design opens up a new set of tools that were previously unavailable to coders. You can see an example of what it looks like here: https://baochip.github.io/baochip-1x/ch00-00-rtl-overview.html#simulation-with-verilator Of course, there's a learning curve to all new tools, and Verilator has a pretty steep curve in particular. But, I hope people give the Verilator simulations a try. It's kind of neat just to be able to poke around inside a CPU and see what it's thinking!
Hello again HN, I'm bunnie! Unfortunately, time zones strike again...I'll check back when I can, and respond to your questions.
very cool. tiny processors everywhere. but be nice to PIO. PIO is good :)
Agreed! The PIO is great at what it does. I drew a lot of inspiration from it.
Yes, my point is that the article throws a lot of shade at PIO while the real issue is that the author is trying to shove a third-party FPGA reimpl of it into a place it never belonged. PIO itself is a perfectly good design for what it does and where it does it.
Actually, the PIO does what it does very well! There is no "worse" or "better" - just different. Because it does what it does so well, I use the PIO as the design study comparison point. This requires taking a critical view of its architecture. Such a review doesn't mean its design is bad - but we try to take it apart and see what we can learn from it. In the end, there are many things the PIO can do that the BIO can't do, and vice-versa. For example, the BIO can't do the PIO's trick of bit-banging DVI video signals; but, the PIO isn't going to be able to protocol processing either. In terms of area, the larger area numbers hold for both an ASIC flow as well as the FPGA flow. I ran the design through both sets of tools with the same settings, and the results are comparable. However, it's easier to share the FPGA results because the FPGA tools are NDA-free and everyone can replicate it. That being said, I also acknowledge in the article that it's likely there are clever optimizations in the design of the actual PIO that I did not implement. Still, barrel shifters are a fairly expensive piece of hardware whether in FPGA or in ASIC, and the PIO requires several of them, whereas the BIO only has one. The upshot is that the PIO can do multiple bit-shifts in a single clock cycle, whereas the BIO requires several cycles to do the same amount of bit-shifting. Again, neither good or bad - just different trade-offs.
Is it a pint? (isitapint.com)
I used to work in the Netherlands (i'm from the UK) and I could never understand how the Dutch put up with so much froth on their beer, even really enjoying being ripped off by it.
there is a calibration marker on the glass and the liquid has to be filled up to that line, the froth on top is extra. so on the continent we get more, not less. so from where we stand it looks rather like the islanders are ripped off ;-) cheers
I'm not denying this, but I do remember a jug of beer being ordered and me being asked to pour it into several glasses without noticeable markings, and me trying to end up with about a 1/4 inch of head as I would in the UK and my Dutch friends yelling "more head" or something even less than polite. Mostly in the NL I drink bottled beer.
I enjoyed reading this site and appreciate the passion and the effort. The "loss of the pint" is basically shrink-flation. When a bar's costs and/or overhead goes up, they must do some combination of cutting expenses and raising prices. Raising prices means either selling the same stuff in the same quantity for more, or selling cheaper stuff OR less of the same stuff at the same price. Most bars will opt for the latter options to avoid raising prices, because raising prices is more likely to create complaints. All caveats apply, of course -- drop portions or quality too much or too often and you'll get complaints for sure, but "within reason" it's the lesser of two evils. This is why I personally don't feel like I'm being cheated out of 2oz when I buy a $8 14oz shaker pint of IPA. Clearly, the cost per oz at this bar is $0.57. A 16oz glass would cost $9.14. They don't owe me the 2oz for free just because they used the word "pint". If the state government started enforcing pint measures again, bars would just drop the word "pint" from their signs and menus.
Is it called a shaker pint for association with the famously restrained Shakers?
My understanding is Belgian beer culture considers the aroma to be an important part of the experience. But I’ve never been, that’s all through osmosis.
This is exactly it. That's why the glasses have the same basic form (stem, bowl, and tapered rim) as wine glasses and snifters. The liquid sits in the bowl, and the aroma is captured in the empty space between the liquid and the rim.
> not only are the glasses typically much smaller (this is fine) but they also leave massive gaps at the top I'm wondering if this is due to the prevalence of cask ales vs bottle/keg conditioning. The former is relatively uncommon in Belgium and you want the head from the latter. That said, oversized glassware (e.g. Duvel's tulip for aromatics) and/or fill lines are also used to accommodate the head while still not cheating the customer out of volume.
It could well have emerged as a cultural norm from the prevalence of heads, but I've seen it often for very moderate heads, with a gap left above the foam. > not cheating the customer out of volume I don't think it's cheating if its the norm. One would expect prices to be set appropriately for the average volume served (i.e. a full glass would be a bonus rather than the gap being a loss). I do just find it odd, coming myself from the opposite culturally.
First sip's at the bar; then you can
Here are your beers lads, I didn't spill anything! They taste good too.
Kind of. Guinness glasses are exactly a pint, so the Guinness head means you're getting less than a pint of actual beer. This is tolerated/expected and so de facto correct but de jure perhaps not.
> the Guinness head means you're getting less than a pint of actual beer I hate to be pedantic but pint being volumetric, you're still getting a pint, independent of density. Also - a nitrogen head doesn't dissipate, so you never get a gap. I'm now curious though whether a nitrogen head is less dense than a CO2 head...
At this point they are just American units, right? Since the UK has upgraded already.
Not really. The UK uses imperial units for most of the things you use units for in daily life (roads, cooking, drink sizes, body weight, utilities, land area...), even though they theoretically converted to metric. Canada is similar.
The origin of US Customary units is British, even if the US, Liberia and Myanmar are the last countries still using it. The UK has almost entirely adopted metric (yards and miles are still used for measuring distances on roads and pints are still used for milk and beer, and the last government made the eccentric decision to permit pints for wine, which no producer used because they couldn't get the bottles), but these systems of units have identities beyond whether or not they're in use anywhere. EDIT/CORRECTION: Milk is sold in multiples of 568 mL, so while the quantities are pints, the measurement is metric.
Beer and cider are the only drinks that are legally not sold by metric volume in the UK. They have to be served by the pint, 2/3, 1/2 or 1/3. Every other drink has to use metric.
Yes. Americans/Canadians famously can't pour beer properly. If you are pouring a pilsner or really any lager, a head of at least 2 inches is actually correct and absolutely desirable. The way it's poured in Canada (no head) is borderline undrinkable to me. https://www.youtube.com/watch?v=dggKezrSQxI
How do you measure the head through the red solo bubba cup? Really, no self-respecting Canadian would drink beer out of anything except directly out of the bottle, can, or keg.
In Canada (and I’m sure elsewhere) there are surprise inspections where government inspectors show up at petrol stations and see if the pump actually gives you what it claims. I volunteer for the pub equivalent of this.
I don't want my beer to taste like gasoline though.
Cyber.mil serving file downloads using TLS certificate which expired 3 days ago (cyber.mil)
TD bank, in Canada, has had their cert expire several times in the past 10 years. It blows me away that a bank can't afford to do for themselves what Certbot and Lets Encrypt does for me, for free. Like, pay a guy a whole week to automate this and it will save you the 12hrs losses every time your cert expires.
Turns out ”bank-grade security” is not something to strive towards. In the case of TLS certificates, most banks still believe they need EV certs, even though browsers stopped making any visual distinctions for EV certificates around 2018-2019.
Certificate/key renewal was a mess in every enterprise environment I worked in. My suspicion is that corporations in general don‘t handle tasks well that need to follow an exact timeline and can‘t be postponed by a week or two.
Anyone who thinks this is that trivial has never worked in enterprise IT. Automated certificate renewal is maybe supported by 10% of services I operate where I work. And we're pretty modern. An organization with more legacy platforms is likely at "nothing supports automated renewal". We are a decade or two out from 47 day expiry being a sane concept.
That's why I suggested that a week of dev time woule be reasonable for automating the task. I work in a multinational nightmare corp, we still have a mission critical Win95 machine.
Can confirm. Have encountered many on-prem and lift-and-shift solutions with no automated means of updating certs. The worst contenders are usually 1) executables on windows server (version 2012, of course), 2) old, obscure or very outdated database servers and 3) custom hardware firewalls. They are the worst. To make things easy they usually all use different cert formats as well, requiring you to have an arsenal of conversion scripts ready.
What do you mean? You see nothing on the website? I captured the full page, you can view it here: https://wormhole.app/MbljK6#qfysvKJOQh1whLcMz9JXxw
This is the screen on my phone. https://wormhole.app/9Xv0p0#Hsq0fhLpWsr8ndJDktt2YQ You see the little "Red hat Enterprise" at the bottom? That's the whole scrollable area. The rest is fixed and stays at the top.
I think you underestimate the number of people who accidentally have their https carts expire. Instead of blaming the people running these systems on why they let it expires, it would be more productive to improve the system to make this less likely to happen.
ACME [1] has been a thing for more than 10 years and has been a stable specification for 7 years. There were similar vendor-specific implementations that preceded it. The DoD has employed none of these solutions for their flagship infosec public web presence. If they were going to automate this then they surely would have done so by now. The reasons why are opaque but people who have experience working in this space might be able to make an educated guess. [1] https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment
Is there anything inherently insecure about an expired cert other than your browser just complaining about it?
You're training users to click away error messages.
... what are the revocation tickets about then? how is it even a question whether to put a cert on the CRL? either the customer wants to or the key has been compromised? (in which case the customer should also want to have it revoked ASAP, no?) can you elaborate on this a bit? thank you!
From my experience the biggest complaints/howlings are when the signing key is compromised; e.g., your cert is valid and fine, but the authority screwed up and so they had to revoke all certs signed with their key because that leaked. E.g., collateral damage.
Study: 'Security Fatigue' May Weaken Digital Defenses (albany.edu)
I have seen this phenomenon especially at a couple of FAANGs over the past couple of years. Things are getting locked down so much, and so many special permissions are required that now people ask for permissions to systems or procedures preemptively. Because by the time they know if they will need it or not, it's too late. And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple in by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
> And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple in by itself, but cumulatively they are a giant hassle, and so people look for workarounds. This is certainly not true. I personally consider how much friction things introduce for users, things like normalizing having to reenter your password too much making phishing easier, and so on. It's well understood that you will get shadow IT, which is worse, if you make doing things the right way too difficult. I regularly advocate for streamlining processes and procedures, introducing more user-friendly systems, hosting office hours where the security team is available for any question or concern you have making us more available to the company, etc. What's the issue? Well, for one, there's a ton of incompetent people in the field, so they'll just do whatever to make themselves look like they're working. Two, most security departments are criminally understaffed, so even if you have competent people they just have to put things together quickly and can't clean it up. Three, there's tons of idiotic regulatory and legal requirements that take forever to modernize. And finally, half of security is playing politics and arguing with the rest of the company, meaning that half the time the solutions you get are a slop of compromise with which nobody is happy. TL;DR we aren't psychopaths without empathy, we struggle for the same reasons you developers have tech debt and other things that suck even though you would prefer not to.
It's a very handy fea-ccccccvklhfgjhckcnkdnhgkcdgbruuhlfbuednrjgjr-ture
You know what's funny is that, at least by default, these strings have some information in them that tells you the serial number and model of the key, among other things.
Why'd you just type a bunch of asterisks?
You all have made me realize that bash.org is no longer around. Thanks for the trip down memory lane :)
My pet peeves. One of the top 5 was fake. It had a typo in the server message.
iPhone 17 Pro Demonstrated Running a 400B LLM (twitter.com)
I can't understand why this is a surprise to anyone. An iphone is still a computer, of course it can run any model that fits in storage albiet very slowly. The implementation is impressive I guess but I don't see how this is a novel capability. And for 0.6t/s, its not a cost efficient hardware for doing it. The iphone can also render pixar movies if you let it run long enough, mine bitcoin with a pathetic hashrate, and do weather simulations but not in time for the forecast to be relevant.
"400 bytes should be enough for anybody"
The 'B' in 400B is billion, not bytes. And the quote '640k ought to be enough for everyone' doesn't have evidence supporting Bill G said it: https://www.computerworld.com/article/1563853/the-640k-quote-won-t-go-away-but-did-gates-really-say-it.html . That said, it'd be a fun quote and I've jokingly said it as well, as I think of it more as part of 'popular' culture lol
The heat problem is going to be the real constraint here. I've been running smaller models locally for some internal tooling at work and even those make my MacBook sound like a jet engine after twenty minutes. A 400B model on a phone seems like a great way to turn your pocket into a hand warmer, even with MoE routing. The unified memory is clever but physics still applies.
This has a simple pragmatic solution though: https://duckdb.org/2024/12/06/duckdb-tpch-sf100-on-mobile#a-song-of-dry-ice-and-fire
The compute needs for MoE models are set by the amount of active parameters, not total.
Apple’s unified memory architecture plays a huge part in this. This will trigger a large scale rearchitecture of mobile hardware across the board. I am sure they are already underway. I understand this is for a demo but do we really need a 400B model in the mobile? A 10B model would do fine right? What do we miss with a pared down one?
Compared to a 400b model, a 10b is practically useless, it's not even worth bothering outside of tinkering for fun and research.
What do we miss? Tl;dr a lot, model is much worse (Source: maintaining llama.cpp / cloud based llm provider app for 2-3 years now)
> Apple’s unified memory architecture plays a huge part in this. This will trigger a large scale rearchitecture of mobile hardware across the board. I am sure they are already underway. Putting the GPU and CPU together and having them both access the same physical memory is standard for phone design. Mobile phones don't have separate GPUs and separate VRAM like some desktops. This isn't a new thing and it's not unique to Apple > I understand this is for a demo but do we really need a 400B model in the mobile? A 10B model would do fine right? What do we miss with a pared down one? There is already a smaller model in this series that fits nicely into the iPhone (with some quantization): Qwen3.5 9B. The smaller the model, the less accurate and capable it is. That's the tradeoff.
> Putting the GPU and CPU together and having them both access the same physical memory is standard for phone design. > Mobile phones don't have separate GPUs and separate VRAM like some desktops. That's true. The difference is the iPhone has wider memory buses and uses faster LPDDR5 memory. Apple places the RAM dies directly on the same package as the SoC (PoP — Package on Package), minimizing latency. Some Android phones have started to do this, too. iOS is tuned to this architecture which wouldn't be the case across many different Android hardware configurations.
> The difference is the iPhone has wider memory buses and uses faster LPDDR5 memory. Apple places the RAM dies directly on the same package as the SoC (PoP — Package on Package), minimizing latency. Some Android phones have started to do this, too. Package-on-Package has been used in mobile SoCs for a long time. This wasn't an Apple invention. It's not new, either. It's been this way for 10+ years. Even cheap Raspberry Pi models have used package-on-package memory. The memory bandwidth of flagship iPhone models is similar to the memory bandwidth of flagship Android phones. There's nothing uniquely Apple in this. This is just how mobile SoCs have been designed for a long time.
It will be funny if we go back to lugging around brick-size batteries with us everywhere!
A backpack full of batteries! https://www.youtube.com/watch?v=MI69LUXWiBc
Okay, then don't kill CUDA, just sign CUDA drivers on macOS instead and quit pretending like MPS is a world-class solution. There are trillions on the table, this is not an unsolvable issue.
Admittedly, my use of CUDA and Metal is fairly surface-level. But I have had great success using LLMs to convert whole gaussian splatting CUDA codebases to Metal. It's not ideal for maintainability and not 1:1, but if CUDA was a moat for NVIDIA, I believe LLMs have dealt a blow to it.
This is awesome! How far away are we from a model of this capability level running at 100 t/s? It's unclear to me if we'll see it from miniaturization first or from hardware gains
It will never be possible on a smart phone. I know that sounds cynical, but there's basically no path to making this possible from an engineering perspective.
I think you're ignoring the inevitable march of progress. Phones will get big enough to hold it soon.
Instead of slapping on an extra battery pack, it will be an onboard llm model. Could have lifecycles just like phones. Getting bigger (foldable) phones, without losing battery life, and running useable models in the same form-factor is a pretty big ask.
Looked at a certain way it's incredible that a 40-odd year old comedy sci-fi series is so accurate about the expected quality of (at least some) AI output. Which makes it even funnier. It makes me a little sad that Douglas Adams didn't live to see it.
42 wasn't a low quality answer. The joke revolves around the incongruity of "42" being precisely correct.
Stupid question: can i run this on my 64GB/1TB mac somehow easily? Or this requires custom coding? 4bit is ~200GB EDIT: found this in the replies: https://github.com/Anemll/flash-moe/tree/iOS-App
Running larger-than-RAM LLMs is an interesting trick, but it's not practical. The output would be extremely slow and your computer would be burning a lot of power to get there. The heavy quantizations and other tricks (like reducing the number of active experts) used in these demos severely degrade the quality. With 64GB of RAM you should look into Qwen3.5-27B or Qwen3.5-35B-A3B. I suggest Q5 quantization at most from my experience. Q4 works on short responses but gets weird in longer conversations.
I've tried a number of experiments, and agree completely. If it doesn't fit in RAM, it's so slow as to be impractical and almost useless. If you're running things overnight, then maybe, but expect to wait a very long time for any answers.
That's not what this test shows. It's just loading the parts of the model that are used in an on-demand fashion from flash. The iPhone 17 Pro only has 12GB of RAM. This is a -17B MoE model. Even quantized, you can only realistically fit one expert in RAM at a time. Maybe 2 with extreme quantization. It's just swapping them out constantly. If some of the experts were unused then you could distill them away. This has been tried! You can find reduced MoE models that strip away some of the experts, though it's ony a small number. Their output is not good. You really need all of the experts to get the model's quality.
The writeup from the earlier experiment (running on a MacBook Pro) shows quite clearly that expert routing choices are far from uniform, and that some layer-experts are only used rarely. So you can save some RAM footprint even while swapping quite rarely.
I understand, but this isn't just a matter of not caching some experts. This is a 397B model on a device with 12GB of RAM. It's basically swapping experts out all the time, even if the distribution isn't uniform. When the individual expert sizes are similar to the entire size of the RAM on the device, that's your only option.
"Individual experts" is a bit of a red-herring, what matters is expert-layers (this is the granularity of routing decisions), and these are small as mentioned by the original writeup. The filesystem cache does a tolerable job of keeping the "often used" ones around while evicting those that aren't needed (this is what their "Trust the OS" point is about). Of course they're also reducing the amount of active experts and quantizing a lot, AIUI this iPhone experiment uses Q1 and the MacBook was Q2.
A year ago this would have been considered impossible. The hardware is moving faster than anyone's software assumptions.
/FIFY A year ago this would have been considered impossible. The software is moving faster than anyone's hardware assumptions.
If the bottleneck is storage bandwidth that's not "slow". It's only slow if you insist on interactive speeds, but the point of this is that you can run cheap inference in bulk on very low-end hardware.
> If the bottleneck is storage bandwidth that's not "slow" It is objectively slow at around 100X slower than what most people consider usable. The quality is also degraded severely to get that speed. > but the point of this is that you can run cheap inference in bulk on very low-end hardware. You always could, if you didn't care about speed or efficiency.
You're simply pointing out that most people who use AI today expect interactive speeds. You're right that the point here is not raw power efficiency (having to read from storage will impact energy per operation, and datacenter-scale AI hardware beats edge hardware anyway by that metric) but the ability to repurpose cheaper, lesser-scale hardware is also compelling.
Cyberattack on vehicle breathalyzer company leaves drivers stranded in the US (techcrunch.com)
We need a software building code. This wouldn't be allowed to happen with non-software. The fact that anyone can build any product with software, make it work terribly, and when it fails impacts the lives of thousands (if not millions), needs to be stopped. We don't allow this kind of behavior with the electrical or building code. Hell, we don't even allow mattresses to be sold without adding fire resistance. The software that is critical to people's lives needs mandatory minimum specifications, failure resistance, testing, and approval. It is unacceptable to strand 150,000 people for weeks because a software company was lazy (just like it was unacceptable to strand millions when CrowdStrike shit the bed). In addition to approvals, there should be fines to ensure there are consequences to not complying.
There are lots of "software building codes" IEC-62304, MISRA, DO-178C, etc. Problem is that the vast majority of software doesn't fit into those categories. And as you mention, since you can build any product with software, you would have to have categorization for any new standards to make sense.
I have no idea why you'd been downvoted. Everything you said is common sense. I guess this is a case of "it's hard to get a man to understand something if his paycheck depends upon him not understanding it."
EU has the NIS2 directive, the CRA (cybersecurity resiliency act), and a few sector specific ones (DORA for financial, MDR/IVDR for medical/diagnostical, and there's probably a bunch more) these are slowly but surely pushing manufacturers/sellers/distributors to try to do the right things it requires transparency about support period commitment, a bug tracker program, issuing updates (I guess in case there's a CVE), doing risk assessment during development, etc., and requirements kick in based on turnover (or headcount). and it seems like the correct approach, these are already things good products come with
If “car brained” means recognizing how great cars are for improving our lives, by letting us get to places quickly, then I don’t see anything cowardly or broken about it. Just seems rational.
I once read a claim that once you remove the distance that exists between places because of cars (large set-backs, unusable "green space", wide freeways including the medians and buffer around them, giant parking lots, et c.) cars are only an improvement for most car owners for day to day travel before a city adjusts to widespread car ownership, and adds all that stuff. Add in the time you spend working just to pay for the car (depreciation, fuel, insurance) and it's not a great deal at all. After that, it's only consistently a benefit if you can afford a driver. For most, it's a wash with bicycling, if not worse (in the hypothetical world that hadn't bloated way apart to account for tons of cars) except now you also need to schedule separate time to work out to stay healthy. This seemed implausible, so I ran the numbers for my situation at the time that involved car costs and a commute distance that were both below median for my city, plus well above-median household income. Sure enough! It worked out just the way they claimed, if only barely. For the median worker in my city though, it was very true.
Even in cities with public transit cars have a very high mode share in rich countries. Some of it is 'trades' that need to carry tools and parts with them, but a lot could take transit but don't for unknown reasons
"Being able to live car free is pretty much limited to (expensive) major cities and some (expensive) mid-sized college towns" I live in the UK (hardly a bastion of public transport) in a town of under 10k, and have a car. The main requirement for a car is to take my youngest to Drama club in the next town where it finishes at 9pm, well after buses have stopped. There is a drama club in the town, but as we only just moved we didn't want to move him. Likewise we're driving him to his old school until the end of July as he'll move school then. I used to live in a village of 300 people, and sure you need a car there. Sure it was nice to drive the 4 miles to the garden centre at the weekend rather than take the hourly bus, but it's not a requirement. For a town of 10,000 people, let alone 50,000, to say you can't live car free is nonsense. Of course America is different. Their towns are far less dense, they don't even have "sidewalks", they are consciously built so you have to drive everywhere, but that's unique to the time American towns were built. So again, what towns in Europe with a population of 50,000 have no public transport.
Wouldn't it be better to take the alcohol away?
The US tried this in 1920 and rolled it back a decade later - https://en.wikipedia.org/wiki/Prohibition_in_the_United_States
I assume you're joking, Either way. One morning when I took the bus to work the bus driver had repeated problems getting the bus to start due to the breathalyser. I heard him complain to the passenger behind him, about it malfunctioning. The passenger volunteered to test this theory, by also blowing into the device. The driver handed him the hose, the passenger gave it a go, the bus started, and the driver shrugged his shoulders, and off we went, only slightly delayed. I'm not sure if this is preventable.
If it's as flaky as my experience upthread suggests, maybe it was just that. At least, that's what I hope, for the sake of those on the bus
I think they shouldn’t be driving in the first place. Suspend DL for one year and move on.
The person I mentioned in my story upthread had the one-year suspension followed by the interlock requirement for another year
Someone who drives drunk ought to drive with the interlock for life. Generally driving drunk is a sign of addiction.... And that can come back anytime, and killing bystanders is clearly a worse outcome.
Nothing specific yet, but the legal groundwork has been laid both in the US and in the EU. Starting in July, all new cars sold in the EU will need to be able to fit after-market alcohol interlocks. In the US, interlocks are already mandatory for convicted DUIers in most states, but new cars will also have to come with factory installed drunk driving prevention technology in the coming years. We just don't know how far that mandate will go eventually.
There is no security protocol though. It will be trivial to buy an interlock which always returns 'ok to drive'.
I guarantee that basically nothing will come out of this. People dont willingly put these alcohol breathalyzer interlocks on their vehicles. They're 100% court mandated, as a punishment for, usually, drunk driving. This country is so hell-bent on making criminals' lives worse and worse as a never-ending punishment. So what 150k people cant use their cars. 'They did something wrong and deserve it', is the usual motto in the USA. Now, lets have a discussion about software liability....
You think USA punishes criminals too much?!?! You mean like this? https://komonews.com/news/nation-world/minnesota-judge-sarah-west-slammed-for-overturning-conviction-of-pair-involved-in-medicaid-fraud-new-york-healthcare-media Or like that?? https://www.kiro7.com/news/local/seattle-man-who-shot-killed-pregnant-stranger-found-not-guilty-by-reason-insanity/FYUG52UAOZCCFEZK4LGOKCA6IY/
I'm not sure there's a technological solution to a social problem. The problem is decision making when intoxicated. The solution might be to take the weapon (car) away from those who misuse it. Consider guns. A felon cannot be in possession of guns legally, and the doctrine of constructive possession means that a prohibited person can be charged with unlawful possession of a firearm if a lawful owner in a household leaves a gun accessible to the prohibited person. Perhaps it should be a serious crime for a convicted drunk driver to be in or around a car where the ignition device could be in the prohibited person's possession.
> The solution might be to take the weapon (car) away from those who misuse it. My technological ideas were along those lines. Basically allowing them to continue to own their automobile, but not to drive, and perhaps not to buy one, because forcing them to sell their cars is hard to implement (though maybe worth it). And also preventing them from operating cars owned by other people that are stored in their residence or workplace.
America tells private firms to "hack back" (economist.com)
State sponsored cyberattacks by China should be considered an act of war by the US government. Telling private firms to hack back isn’t a solution. Unfortunately Trump has been spineless and weak on China, as we have seen in the tariff debacle and in the TikTok ban debacle.
If a company's already been hacked, what makes them think they have the knowledge/expertise to fight back?
Exactly. They don't even have the know-how to defend themselves -- there is no hope of them getting on the offensive, at least not without extensive external help.
That made sense when it was just businesses defending their own operations from criminals, akin to banks having to use armed guards to move cash and bullion around. But when it's businesses defending against state-sponsored actors in the context of an actual shooting war, that's very different.
> That made sense when it was just businesses defending their own operations from criminals, akin to banks having to use armed guards to move cash and bullion around. That's a rather crude analogy which misses the major dangers of vigilante hacking. A better analogy is allowing private guards to shoot you on suspicion of you having stolen their money based only on a claim that the money found in your wallet might be theirs . To understand the problem, think of vigilante justice where some person/group assumes the roles of police, judge and executioner, circumventing due process which is due for a reason. What happens if a corp doesn't like what you have on your website, spoofs some logs as if coming from it and then hacks the site to disable your ability to communicate? Well, in that case you're toast. You may go to the judge, pay lawyers and waste your life on lawsuits fighting against a corp with a lawful reason to hack you because if this becomes law, you will be guilty until proven innocent - that's very costly and hard to do. Your chances of successful will be virtually zero meaning the corps get a license to silence you with impunity.
Student beauty and grades under in-person and remote teaching (sciencedirect.com)
The HN submission title (EDIT: The title is “ Attractive students no longer receive better results as classes moved online ” as I write this, in case it gets updated) isn’t from the paper and isn’t entirely accurate. The paper actually found that male students who scored higher in the beauty ratings continued to get higher grades as well: > On the contrary, for male students, there was still a significant beauty premium even after the introduction of online teaching. So the submission title’s claim that attractive students no longer receive better results when teachers can see their face isn’t true. The result was only detected for female students. The fact that there is a discrepancy doesn’t give me a lot of confidence in the results. When you can only find a significant change after you start subdividing the group into different sub-groups it’s getting a little too close to p-hacking for my comfort. That’s not to say there isn’t a gender effect here, but the fact that males rating high on the beauty scores also got higher grades should suggest that this isn’t as simple as teachers biasing their grades based on what the students looked like.
That seems like a pretty reasonable subdivision to me. Culturally there are differences in what it means to be attractive as a male or female, so it follows that the effects could be different.
A couple things here: 1. This should have a 2022 tag 2. This is ripe "red pill" fodder and many of the comments here are "red pill" coded.
Hi, sorry, what's a 'red pill'? Don't really keep up with the slang, sorry..
With all empathy that sucks and is not fair - but should office hours be removed because one student could not attend? Many of the professors I have worked with that I respect have different methods for helping these students- for example sending them an email after class, offering explicit direct help & advice. Or connecting them with a better job, or a research position.
No, office hours shouldn't be removed. Perhaps professors should just not reward people who come to office hours beyond the extra instruction that is given. Eg no special knowledge communicated solely in office hours("this question is going to be on the test next week"), and no special treatment ("this student got the wrong answer but I know from office hours they're trying really hard so I'll give them some extra points")
We are evolutionarily programmed to like attractive people, which excludes most visibly overweight people.
"Attractive" is something evolved as well though, so that just passes the buck. It's culturally determined as well of course.
Taiwan and Korea have even "fairer" systems. In China different provinces got different test problems. Especially students from Beijing, Shanghai and Tianjin get completely different ones. In Taiwan/Korea everyone takes the exact same test. However I've never met anyone from these countries who have a high opinion of their systems. Personally I do think our standardized exams cause massive 'overfitting' issue (borrowed from machine learning). The exam is not as brutal as Korean one though. YMMV.
The systems may not be held in high regard, but their education systems produce workers responsible for great innovation, productivity and economic growth.
Chinese education is also extremely constrained by the practice of "teaching to the test" to the point that the Gaokao indirectly stands in the way of innovation and reform in education. Schools doing interesting things to improve the quality of education are historically not very competitive on the Gaokao anyway (e.g., some unusual rural schools where students historically have bad prospects anyway and parents are overburdened or indifferent) or explicitly trying to carve something out outside the college track (e.g., private tech/entrepreneurship schools created by big tech companies). There may be some good things about the Gaokao but having spoken to some (Chinese) teachers in China, it's also a limiting factor for education prior to university in a lot of ways, limiting the freedom of teachers and driving up risk aversion in parents. (It's also effectively graded on a regional curve, which might be a good thing but isn't meritocratic in the straightforward way you suggest.)
So what are aspects of being well educated not reflected in the Gaokao? How could those aspects be assessed as objectively and unbiased as possible?
I don't know this specific exam, but most of these can be gamed in the sense of learning to the test. So depending on what training resources someone has available (e.g. rich parents who can afford tutors), I'd consider them only partially meritocratic.
Can you learn to the test without actually learning the material?
The question is what you're measuring. You can have a test that gives you whatever distribution of scores you like. But is the thing it measures competency in the subjects it tests, general intellectual ability, familiarity with the test format, etc.? The worst negative outcome is usually subordination of learning itself to preparing for the exam, which can happen even when the gatekeeping function of an exam still works perfectly.
Then what’s a better, unbiased method of assessing students?
A lot of those correlate with intelligence and “grit.” Being good at selling to people absolutely requires intelligence. So do many entertainment fields, and athletic achievement more than you might expect. Investing consistently in an index fund over 20 years requires a bit of intelligence and a lot of grit.
I defined intelligence up-front as IQ points. IQ isn't perfect but it's the best single measure of raw cognitive ability we have. Grit is basically conscientiousness. Conscientiousness is not correlated to intelligence. [1] This is why the stereotype of the dim but methodical plodder exists. Sales ability is obviously a thing, since there are successful and unsuccessful people. But being able to connect with people (EQ) is crucial to be good at sales. Likeable people make more sales than unlikeable people. Being likeable is orthogonal to IQ. I'm not denigrating successful entertainers' and athletes' cognitive abilities. They are brilliant in their fields. That's not the necessarily same thing as IQ. I'd expect the IQ distribution among that population be the same as the general population. That means some of them are high-IQ individuals in addition to being world-class singers or swimmers or actors, but most are average IQ. https://www.sciencedirect.com/science/article/abs/pii/S1041608015001740
Intelligence correlates highly with not having anti-social behaviors. So a lot of the time, it's not "being smart" that carries you to wealth, its avoiding the "disastrously stupid things" that stops you from being poor.
> Intelligence correlates highly with not having anti-social behaviors. If we're talking about IQ, then there isn't strong evidence for this.
They are studying it, while you are drawing your own conclusions from a cursory understanding. Your claim that “wealthy people are more intelligent” is so incredibly problematic on so many levels, starting with the fundamental methodological problem that we do not have any reliable way to actually measure intelligence. Add to this the extremely obvious fact that some rich people have no other qualifications than being born with a trust fund, and some poor people face extreme obstacles to reaching their potential. This world view is total, utter dogshit, completely removed from reality.
What studies support your critiques?
Tutors barely move exam scores, particularly if they're only hired for test prep. You can crush tests without cramming, tutors or any of that if you just pay attention in class and do all optional homework.
Yeah grades are mostly about grit.
Well nothing is truly meritocratic - even with free tutoring, kids will still have different genetics, different home environments, different upbringings etc.. Colleges in the US that removed standardized testing from their applications, in the pursuit of trying to be more meritocratic, found that fewer students from underrepresented backgrounds got in, not more. In hindsight (and to some in foresight) this makes sense because now schools leaned more heavily on grades and extracurriculars, both of which can be gamed by wealthy families far more easily than a standardized test.
You are confusing meritocracy with egalitarianism.
I think the point is that some start with an advantage when it comes to earning merit because by luck of birth they were born to parents with a lot of wealth. I don't think you can have a truly meritocratic system unless everyone starts on a level playing field with the same access to resources. That is not a system that exists anywhere on this planet.
To achieve that you need to implement some kind of Harrison Bergeron system.
Someone rich spending a lot of money to obtain tutoring will make their score higher if they have any kind of aptitude. Likewise if they have easy access to books, extra study resources, a quiet space for study, no family distractions or challenges, and so on. Poor people typically have none of those extra resources. Some poor people with extreme talent will be able to overcome the challenges of relative poverty, but others with equal talent won't. It's extremely hard to create a true meritocratic system, and Gaokao certainly isn't it.
It’s still meritocratic in the sense of picking the people most capable of performing well in a higher academic setting. It’s unfair. But nonetheless true that students who were better able to prepare due to superior resources are nonetheless better prepared.
So wouldn't it then be fairest to punish kids with high income or high wealth parents? Say set median household income. If parents make double this the score is automatically halved. If they make half it is doubled. Same on gross wealth. More wealth there is bigger the cut. This would mean that says Musk's kids would need to get sufficiently higher scores than children of someone with no wealth.
This would just result in admitting students who weren’t prepared to handle the material.
> Someone rich spending a lot of money to obtain tutoring doesn't necessarily make their score higher, and there's also diminishing returns. Someone poor who do not afford private tutoring can also receive good score due to their natural talent and/or hard work in self-teaching/practicing. If these are outliers it isn't really meritocratic. If there 100 desired spots that are allocated by the exam, and 1000 students, and wealth (tutors/extra time etc) moves the needle enough to make a meaningful difference, it's basically nepotistic just the in-group is who's parents can afford it. Depending on where you are this can compound each generation.
In the US at least most schools take into account both test scores and social economic factors.
That it tends to become a caste system with extra steps (which steps provide a defense of the system as “fair”) is one of the chief criticisms of meritocracy (and criticism of the idea is where we got the term itself)
So as a society do we want to have people performing tasks based on demonstrated aptitude to perform those tasks, or to have people performing tasks based on achieving certain social and political outcomes?
Well I happen to have a phd in that broader domain. It's not censorship, as you imply, but IQ is just way fuzzier a concept than people outside of this area of research think. The popular view is IQ is an objective thing, exactly measurable and so on (the metaphor of brains being computers, essentially). In reality you can put a 14 year old from a bad environment into an optimal environment and their IQ increases by up to 20 points over a view years.
IQ is highly heritable, so I don't think there is any environmental factor that has this big an impact, except in extreme cases like severe malnutrition. Also note that IQ increases with age roughly into early adulthood independently of environment, so the IQ of a 14 year old increasing is a perfectly normal part of the heritable parts of development.
 Top