Hacker News: AlBugdy's comments

> How many false positives did you go through to do that? You guys never say. You also never do live demos of your AI because you know it's going to hallucinate and make your company a laughing stock.

The false positive rate might be too big for a live demo to work. A 50 (for example) hour live demo of someone working with the AI to find a bug might look bad even though finding a 23 year old security bug in 50 hours with a human in the loop would still be impressive.


> Is there anything plug-and-play that can do a reasonable job of flagging/disconnecting massive outbound data transfers?

I don't know of such a tool but you'd have to run it everywhere you have data. If the LAPD's data was not on prem, which is expected (but not necessarily a good practice for sensitive data), it would be harder to both have an exfiltration monitor for the data they do have on prem and for the data they have in whatever hosting provider or "cloud" they stored it at. Maybe the bill for the egress transfers in the morning plays such a role to a certain extent.

PS - where can one find the 7.7 TB data?


Non-US citizens - what's the situation with cameras in public spaces where you live? In my town every 2nd house or building entrance has a private camera pointed at the street. It's very depressing because the cops don't care - I've asked 2 in a patrol car when there was a mild case of vandalism I witnessed. Technically it's illegal, but nothing happens. The public cameras are on intersections and some bus stops. Too much, if you ask me, but the private cameras are everywhere.

In London cameras are everywhere, mostly private and they have been for years. Don't think I've seen anything like it in any European city I've visited.

Private cameras pointing at the street can be lawful under GDPR, but in that case the owner is a GDPR controller. That then requires them to fulfil a bunch of obligations which they probably aren't, e.g. giving proper Article 13 notice.

I don't know if it's criminal in any EU country, but it would be something that you could complain to the DPA about. Or initiate a civil lawsuit against the controller.

Worth noting is that in some cases the camera vendor might also be a (joint) controller as they can determine the means & purposes of the processing. If they are simply storing the video then it's unlikely, but if they for example use it for AI training that would likely bring them into controller territory.


Japan is exporting its AI-enhanced crime prediction platform across LatAm after successfully deploying it in Tokyo [0]. Japan is doing similar work to analyze financial transactions [1]. South Korea has also deployed a similar surveillance platform called Dejaview [2]. Even Finland has been deploying surveillance camera fusion centers [3].

The brutal reality is everyone is doing this and there's nothing you can do about it. National Security trumps all other concerns (even the GDPR exempts governments who argue their data collection is done for National Security reasons), especially in a world as unstable as today.

[0] - https://www.japan.go.jp/kizuna/2024/06/japans_ai-based_crime...

[1] - https://www.tc.u-tokyo.ac.jp/en/ai1ec_event/10769/

[2] - https://m.blog.naver.com/mtnews_net/223775186368

[3] - https://poliisi.fi/en/camera-surveillance-system


> The brutal reality is everyone is doing this and there's nothing you can do about it.

Maybe not me personally, but society can.


Depending on the society.

Societies that are strongly collectivist in nature tend to align closer with expanded state powers and don't view it as an affront.

The techno-individualist subculture that is common on HN and Reddit is that - a subculture.

Techno-individualism cannot coexist with collectivist culture where the primacy of the state is held as sacrosanct and supreme.

And now that countries like Russia [0], Iran [1], and China [2] have been expanding hybrid warfare capabilities across the West - especially now that Europe is experiencing the largest conventional war since WW2 - we need to recognize that we are no longer in a state of peace.

[0] - https://www.ft.com/content/2084e87d-d491-4852-8449-f90b73d47...

[1] - https://www.ft.com/content/adc3e954-5928-471b-b7f2-e4385bbca...

[2] - https://www.ft.com/content/63720831-8805-497d-8145-1713e450a...


> world as unstable as today

The world is the most stable and peaceful it's been in decades if not longer. What is your evidence that the world is unstable?


> William Shockley another Nobel Prize...for inventing the transistor, probably the most consequential invention of the 20th century, could not recognize that touring college campuses promoting eugenics and forced sterilization was half-baked.

This seems different from the astrology or AIDS or cancer ideas mentioned above it, as it's scientifically sound, just widely considered unethical.


It's obvious what GP meant - we can verify that the apps we download are the apps everyone else downloads.

We can't do this with Proton where our mail is supposedly end-to-end encrypted. They can easily view our mail if they can send us a different code when we load their site.

> That isn't what "sandboxed" means, it has nothing to do with checking hashes. And no, mobile apps are not really sandboxed

Apps ARE somewhat sandboxed, and GP didn't mean that sandboxing == checking hashes. It was 2 sentences appearing one after the other.


>We can't do this with Proton where our mail is supposedly end-to-end encrypted. They can easily view our mail if they can send us a different code when we load their site.

That isn't a problem with how the web works vs how apps work, that's a problem with you trusting Protonmail.

If you really wanted to be secure sending an email or any communication, you wouldn't trust any third party, be it an app or a website - you would encrypt your message on an air-gapped system, preferably a minimal known safe linux installation, and move the encrypted file to a USB, and then insert the USB into a system with network access, and then send the encrypted file to your destination through any service out there, even plain old unencrypted http would work at that point, because your message is already encrypted.

The second you give your unencrypted message to any third-party on any device with an input box and a network connection, is the moment you made it public. If I had to be extremely sure that my message isn't read by anyone else, typing it into a mobile app or a web browser isn't the place I'd start - it would only be done as a last resort.


That is a problem with you not understanding how security works.

> If you really wanted to be secure

There is no such thing as "being really secure". There are threat models, and implementations that defend you against them. Because you can't prevent a bulldozer from destroying your front door does not mean that it is useless to ever lock it.

Even your air-gapped example is wrong, because it means that you have to trust that system (unless you are capable of building a computer from scratch in your garage, which I doubt).

Sending an encrypted message over the Signal app is a lot more secure than sending an email over the ProtonMail website, which itself is more secure than sending it in a non-secret Telegram channel. It's a gradient, it can be "more" or "less" secure, it doesn't have to be "all or nothing" as you seem to believe.


>That is a problem with you not understanding how security works.

That's hilariously wrong.

>There is no such thing as "being really secure".

Sure there is. "Being really secure" isn't what I said at all, and it's a vague statement to make. You're reaching to create an internet argument, and I'm frankly bored of this, you're out of your depth.

>Even your air-gapped example is wrong, because it means that you have to trust that system

I'd trust a system that I set up. I'm not going to do it on a system that you set up, that much is for certain.

> (unless you are capable of building a computer from scratch in your garage, which I doubt).

I still have an EPROM burner, so yes, I could, and I have.

>Sending an encrypted message over the Signal app is a lot more secure than sending an email over the ProtonMail website

If you really think that, then nobody should be taking security advice from you.

I'm really tired of this pointless internet interaction. Goodbye.


> I'm really tired of this pointless internet interaction. Goodbye.

Good, that was my goal. Next time maybe don't start it.


You cannot. An app can update just like a browser tab. In fact, a great many apps are just frickin' webviews.

Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.

Now if it contains webviews, it brings the security issue of... the webapps, of course.

Personally, I want an open source app. You can audit an open source app and even compile it yourself. You can't really do that with a website. And I don't mean just mobile apps, that applies to desktop apps, too. I wouldn't run a web-based terminal, for instance (do people actually do that?).


>Well, you can verify that the code that you downloaded is the same that everyone else downloaded. Even if it contains webviews.

Not impossible to do with websites, if the need to do it was there. It would take about 15 minutes to create a browser extension that could make a hash of all the files loaded, to compare with other users with the extension installed - but honestly that's just not needed because if you're connecting via HTTPS, then you're getting the files that are intended to be served, presumably not malicious if you trust the source. And if you don't trust the source, then why are you loading it to begin with??

>Now if it contains webviews, it brings the security issue of... the webapps, of course.

Web applications are sandboxed in the web browser. Very little issue with that, outside of browser bugs/exploits, but bugs and exploits are found in every system ever.

>I wouldn't run a web-based terminal, for instance (do people actually do that?).

AWS has a web-based terminal for EC2 instances. It's not a problem, a lot of people use it.


> And if you don't trust the source, then why are you loading it to begin with??

I trust that Proton (for example) has implemented E2EE in their services. I wouldn't trust them to handle my unencrypted data - I wouldn't trust anyone for that. I don't trust that their security is perfect - no one's security is. So if they're breached, they could serve me malicious JS. I don't trust they're impervious to government pressure or blackmail. By making sure the files served to me are the same as the files served to anyone else, I can be relatively sure I'm not targeted personally. People could also review those files to make sure they're not malicious.


> It would take about 15 minutes to create a browser extension that could make a hash of all the files loaded, to compare with other users with the extension installed

You completely underestimate it. I am absolutely certain that you cannot create a browser extension that meaningfully solves this problem in 15 minutes.

> Web applications are sandboxed in the web browser. Very little issue with that

Except that when we are talking about end-to-end encryption, the sandbox has nothing to do with it. The sandbox defends against something else, not the server serving you an end-to-end encryption program abusing it.

> AWS has a web-based terminal for EC2 instances. It's not a problem, a lot of people use it.

I genuinely can't see if you just don't understand the point being discussed at all, or if you keep saying off-topic things as a way to divert the discussion.


>You completely underestimate it. I am absolutely certain that you cannot create a browser extension that meaningfully solves this problem in 15 minutes.

You are absolutely wrong. I write browser extensions, I can spin up a new one in a minute, and the code to monitor and hash all resources loaded by a webpage is trivially easy to do. It would be simple to set up a server to allow comparing the hashes, in a POC. I'm not talking about making this a robust service that everyone can use, I'm only talking about how easy it is to do in a general way. It's far easier than you think it is.

>>>I wouldn't run a web-based terminal, for instance (do people actually do that?).

>> AWS has a web-based terminal for EC2 instances. It's not a problem, a lot of people use it.

>I genuinely can't see if you just don't understand the point being discussed at all, or if you keep saying off-topic things as a way to divert the discussion.

You're right, I certainly don't understand the nonsense you're trying to convey.

I'm also tired of this pointless internet interaction. Goodbye.


> I'm not talking about making this a robust service that everyone can use

Right. So you cannot do it. Thank you.

> I'm also tired of this pointless internet interaction. Goodbye.

Seems to me that you don't enjoy discussing with people who behave like jerks (which I admittedly did, just for you). You may not have realised it, but you started it. I am happy to disagree in a respectful tone, but you broke it first. Maybe that's something to think about in your next totally meaningful internet interaction, though it sounds like you like telling others that you know better because you are older.


I'm tired of this pointless internet interaction. Goodbye.

> And that you can't check the "hash" of the webapp, like you can with an app?

Can someone reading this make an addon for this?


Meta and Cloudflare did something like that for WhatsApp Web, there is a nice blog post about it here: https://blog.cloudflare.com/key-transparency/

Now it only ensures that Cloudflare doesn't tamper with the WhatsApp Web code they serve, you still have to trust Meta.

I feel like reaching the same level as "checking the hash for the app" would be very hard in practice. I.e. the web is not built around doing that. Your extension would have to scan all the files you download when you reach a page, somehow make a hash of it, somehow compare it to... something, but then make the difference between "tampered with" and "just a normal update".

Also you just can't "download the sources, audit them and compile them yourself" with a webapp. If you do that, it's just "an app built with web tech", like Electron, I guess?


Being required to use an Android app sucks and is annoying, but an AOSP VM would solve the issue. Perhaps MITM-ing the app would be harder than MITM-ing a site without reversing the app. And not everyone has the hardware resources for an Android VM.

But for me the main issues with "you need our app" BS is that they don't give you the apk but tell you to download it from the Google Play Store. They don't give you the source for the apk as well, as if it's such a huge trade secret how some shitty API works. The worst offenders ask for all the attestation shit (unrooted phone and so on). That's what's wrong with apps vs sites, not just the format itself. We should fight for FOSS apks with no attestation if companies want to invest so heavily in apps.


> Computers screens have gotten wider and wider, and UIs bigger and bigger

Sadly, most websites forcefully limit the width of the text. It's like they pretend our monitors are oriented to be tall rather than wide. Even HN has unnecessarily big margins. So unless I try to cram another window in my FHD monitor, I have ~50% or more completely wasted space. Margins should be 2-3 pixels wide, not 20-30% of the screen.


There are actual user studies to show that wider text is harder to read. https://baymard.com/blog/line-length-readability

The major difference is that in the era of print, it was pretty logical where a multicolumn wide layout could go, like on a newspaper, but in a desktop experience the browser markup is theoretically endless.


Solution: rotate your monitor 90 degrees, and inform your OS that you have done so. Now your monitor is 1080x1920. You'll actually be amazed how much more of a document fits on screen without sacrificing readability.

Preach. I have 4 monitors and one is a vertical 1440x2560. Massive productivity boost - terminals running claude code, reading docs, IDE panes, anything with lots of scrolling. Highly recommend it!

I can resize my window easily if I wanted shorter text. Or use ctrl-shift-m on Firefox. But I can't easily make the text longer without userscripts or addons.

> actual user studies to show that wider text is harder to read

That may apply to most people, but not to everyone.


afaict it applies to literally everyone. there's a variable "sweet spot" of course, but once you get out to "extremely wide" it's reliably worse for everyone, and there are LOADS of computer monitors that qualify for that label.

margins to control the width of large blocks of text have a ton of research in their favor, it's not just "more whitespace = more gooder" UI design madness. there's some of that of course, but there's a sane core underneath it all.


The studies go back way earlier than that; there's a reason why they call them "newspaper columns"

> I personally find the idea of doing homework on my phone horrifying but I suppose kids today are either used to it and comfortable with it, or they've simply never used a computer and don't know what they're missing. Though I'd wager they probably aren't comfortable typing on a keyboard.

First hand from a couple of ~16 year olds I know. Definitely not a representative sample. Some know how to type at an acceptable speed. They're awful at shortcuts (alt-tab, many of the browser shortcuts that are also present in many other programs (ctrl-w,-t,-s,-q) and most text-selection and movement shortcuts (ctrl-a,-x,-c,-v and (ctrl-)shift-left,-right)) so they navigate clumsily compared to us. They feel awkward when performing simple tasks but they do it faster than on a smartphone. They don't understand some of the terms and abstractions, likely because the smartphones keep that away from them.

Seeing them navigate things like homework or spreadsheets or multiple tabs in a browser from a smartphone is like watching a caveman trying to use a piece of brittle rock as a hammer. It will work in the end, but it's slow. I haven't looked at them closely enough, but I doubt they can comfortably keep more than 10 tabs open and navigate between them with the same speed as on a laptop or a desktop. I assume their browsing habits are qualitatively different than ours because of that. You can't really do adequate research on a smartphone.


My partner is a therapist and so I wind up in a lot of therapist groups and support groups for therapists. Many of them are youth therapists. I also coach kids and help coordinate youth athletics. My best friend is also a middle school teacher, along with his partner. So I think I have a decent grasp on where kids are at nowadays. At least in my area.

Most people I know who work with kids agree that the majority of children nowadays lack basic skills that will really handicap them in life. From a lack of basic reading/writing/typing/math skills to an ability to handle any kind of confrontation. The anti-social stuff is really, really bad and it compounds as life goes on, where kids never learn skills as they need to. Avoidance is really prevalent in people nowadays and this leads to never learning or atrophying basic skill sets. Then it also leads to not learning how to learn, or asking for help, etc.

Kids also lack the basic ability to put a series of tasks together to accomplish a larger goal. Critical thinking is severely lacking. Kids have grown up being able to ask a search engine a question or have an AI do tasks for them. The ability to understand how things work, then manipulate those things to meet a goal is just not there for a large amount of kids. I think we really need to bring back things like shop class, home ec, etc to get kids using their hands more. Kids need to be able to have an idea and then implement it in the real world. This is a skill I rarely see in kids nowadays. Way too often kids are told to avoid making mistakes and to get someone/something else to do things for them. The agency is just not there.

I really feel terrible for a lot of kids nowadays. Luckily, since I work with athletics and STEM kids, most of my tribe are eager to learn and move about. This is definitely not the norm nowadays though. My teacher friends are really struggling to feel like they're making a difference or benefitting these kids. It's sad because the problems are mostly related to their parents, not really the school system.


It kind of sounds to me like you're surrounded by a lot of people who will tell you stories about kids, but only the ones who are having problems. Either because there's a selection that happened before they even encountered the kids (being a therapist), or because there's just no reason to talk about the ones that are doing fine (teacher).

> skills to an ability to handle any kind of confrontation.

> Avoidance is really prevalent in people nowadays

I see both of those in plenty of middle aged people (my age). Conflict is a hard skill to learn, and avoidance often works.

When dealing with someone who maximally escalates, avoidance can be the alternative to violence.


> [Conflict] Avoidance is really prevalent in people nowadays

Nowadays? Fight Club was joking about it a quarter century ago. Relevant clip:

https://youtu.be/WWNrPCakd2I?si=tOaYgRd3g0Zarbzl&t=8

Western society is made of the weaklings (I think the term nowadays is snowflakes) who will do anything to avoid fight/conflict. I realized it when I returned back after a few years in China and saw these weak people everywhere. In China you have to be rude/fast to survive, ignoring other people's interests.

Same experience when I was a kid before serving in the military vs after serving in the military, you really grow up fast over there from a teenager.

They should be teaching assertiveness in the schools, western people will nowadays just complain on internet (internet heroes) or find excuse "oh it's just a dollar" to avoid conflict instead of complaining directly where it's suitable.


Interesting (I read this all) and wonder if it is a local issue vs a larger issue? Meaning are you seeing the influence of your local social economy class and how they parent?

I'm guessing this is an urban city area of upper middle class? I could be completely off.


> For that reason when I'm hiring I've stopped asking for someone's previous salary, and just ask them what they want instead.

Why don't you post what you're paying in the job ad/offer? Some people even skip ads without a salary or a salary range because of all the uncertainty. As a potential employer somewhere, you've obviously already calculated a range or a fixed number - so why ask the employee?


Everyone just says the top of the range.
