@sparrows @mhoye This is another extremely good point. Sometimes people use the system in ways other than we anticipate because they have people in their lives that are inspecting the ways it's normally used.
@mhoye "But why is she keeping something mission critical to her health in her unpublished tiktok reels" fuck you is why. We don't actually get to decide how users choose to use the system, we get to provide it, provide soft incentives to use it the way we intended, and keep it running when they get creative.
Now, is she going to be able to show the doctor what she needs to show them or is it going to be on you that she can't?
The UK is trying to ban nudes (store, transmit, display) on smartphones owned or operated by kids under 18.
Is young people seeing nudes bad? Separate problem, and could be its own thread, but for the sake of argument let's say "yes."
Is the problem tractable? I think the answer is actually "probably" for a partial solution. It'll be expensive (Apple and Google's money and everybody's electricity and, of course, privacy), but I'm playing Evil Oracle in my head and I'm not seeing a defeat strategy for "client-side hash check routed to server for detailed confirmation and revocation of account on offense."
... But blocking seeing them at all? Intractably expensive in energy and time for anything approaching a 100% case when bright and motivated young people are in the loop.
@lauren I believe a bloom filter (or trained recognizer) on the video layer will generally be hard to subvert; Lord knows they'll try. That gives a rough cut of "probably porn," and the whole screen can then be passed to an online detector for verification and then follow up (notify parents, ban account, whatever). It's impractical to use that to prevent the image from being seen though, unless we want the kid phone experience to be total ass.
It would also be very expensive battery-wise, depending on how frequently it's scanning the whole screen. And "your phone can screenshot what you are up to at any time and send it to the government" feels like it should be pretty viscerally horrifying, even to Brits.
(I don't think this is a good problem to try to solve; my noodling is on whether it's actually unsolvable and under what constraints it becomes so).
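The two-stage shape sketched above (a cheap client-side "probably matches" check, then an exact confirmation before any action) is what a Bloom filter is for, and the reason the second stage cannot be skipped is the filter's built-in false-positive rate. The following is an added illustration, not code from this thread or from any platform; the "known" fingerprints, the probe set, and the exact-match set standing in for the server-side confirmation are all constructed placeholders.

```python
"""Bloom filter as a client-side pre-filter with a mandatory confirmation stage.

Added example (not from the thread). A Bloom filter never misses an item that
was inserted (no false negatives) but will sometimes say "probably" for items
that were not (false positives), at a rate chosen when the filter is sized.
That is why a flag from the filter can only ever trigger a second, exact check.
"""
import hashlib
import math


class BloomFilter:
    def __init__(self, n_items: int, fp_rate: float) -> None:
        # Size the bit array (m) and hash count (k) for the target false-positive rate.
        self.m = max(1, math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # Double hashing: derive k bit positions from two halves of one SHA-256 digest.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd step so positions spread
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item: bytes) -> bool:
        # True means "probably in the set"; False means "definitely not".
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


# Constructed placeholder fingerprints: nothing here is a real hash of anything.
KNOWN = [f"known-fingerprint-{i}".encode() for i in range(1000)]
PROBES = [f"unrelated-item-{i}".encode() for i in range(10000)]


def build_filter(fingerprints=KNOWN, fp_rate: float = 0.01) -> BloomFilter:
    bf = BloomFilter(len(fingerprints), fp_rate)
    for f in fingerprints:
        bf.add(f)
    return bf


def false_negatives(bf: BloomFilter, fingerprints=KNOWN) -> int:
    # Items that were inserted must always be reported as "probably present".
    return sum(1 for f in fingerprints if not bf.might_contain(f))


def false_positive_rate(bf: BloomFilter, probes=PROBES) -> float:
    # Fraction of never-inserted items the filter still flags.
    return sum(1 for p in probes if bf.might_contain(p)) / len(probes)


def classify(bf: BloomFilter, item: bytes, exact_set=frozenset(KNOWN)) -> str:
    """Two-stage decision: cheap filter first, exact check only on a hit.

    `exact_set` stands in for the authoritative server-side confirmation;
    it is a plain set here so the example runs offline.
    """
    if not bf.might_contain(item):
        return "clear"  # definitely not known; no further work, no upload
    if item in exact_set:
        return "confirmed"  # filter hit, exact check agrees
    return "false_positive"  # filter hit, exact check disagrees; must not act


if __name__ == "__main__":
    bf = build_filter()
    print(f"bits={bf.m} hashes={bf.k}")
    print("false negatives:", false_negatives(bf))
    print("false positive rate:", false_positive_rate(bf))
    print(classify(bf, KNOWN[0]), classify(bf, b"never-inserted"))
```

With 1000 entries sized for a 1% rate the filter is under 10 kilobits, which is the appeal for an on-device check; the measured rate against 10,000 unrelated probes lands near that 1%, and every one of those hits would be an innocent item sent onward for confirmation if the second stage were not there.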
@thomasfuchs This is true, even if their incentive to do so is market-driven (they're a hardware company; data mining their users' PII beyond things like "tracking app store purchases" just doesn't have benefit outweighing risk).
@sj I've always considered it a bit of a litmus test. If we're really getting the kind of freedom we wanted out of all of this open tech, there should probably be a couple of furries or anime mascots in it.
It's a little shibboleth I know, but... Seems to work? If you find yourself in an area completely devoid of anime mascots and furries, be ye warned... Ye may have wandered deep into corporate computing. ;)
@sundogplanets Even if the engineering is feasible, it's a plumb-stupid idea.
"You mean I can push my compute into a place where my only cooling solution is black-body radiation, and I get to deal with the computational errors introduced by unshielded cosmic rays... But if I do both of those things, I get... a fraction of the compute power of an equivalent-sized terrestrial system at 100,000 times the up-front cost? Sign me the fuck up!"
Even Scott Manley, notorious (and delightful, this is not criticism) Liker Of Technically Complicated Engineering Things In Space, could only see one justification for this: it's only the cheapest solution if the kind of datacenter you want to build has been banned on Earth. They're hedging against the kind of mass uprising that, I hate to say, makes it risky to assume you can get something as vulnerable as a rocketship off the ground if people hate your product that much.
(And I think he was being generous. I can think of other reasons one might want to do this, but expounding on them would have gotten me banned on Facebook and Twitter and I choose to be more polite on Mastodon. 😉 )
@EuphoriaLavender @thomasfuchs On a lark, I tried throwing a locally-running Qwen at Common LISP using the CLSQL library.
It had no idea of the API for the library and did not give me runnable code. But what was fascinating was it did give me syntactically-valid LISP (just trying to call nonexistent functions), and the shape of it matched the shape of the CLSQL API---function names were wrong, but arguments and even interrelationships like "make a connection and then use it to execute SQL" were mostly right.
... which suggests to me that at a fundamental level, the structure of SQL code is just a common pattern, so common that it could be extrapolated across language and library boundaries. And that means making code that talks to a backend via SQL should be automatable.
@thomasfuchs I basically concur. I should have saved the link to it, but someone did a blog post a while back that was basically "LLMs work well on your code because your code is shit." I have observed that, notably, they struggle with Common LISP (although that may also be a consequence of the training dataset).
But, I would extrapolate to observing that most code is shit because it doesn't actually pay to write deeply concise code. There has always been a tradeoff between "getting it done today" and "getting it done perfectly," and the people who want the machine to do the thing want today. In fact, if you don't know your problem domain perfectly, I'd argue that trying to make your code optimally concise is counterproductive.
For those reasons, we can expect LLMs to be a time-saver to the extent that they can execute on "Take this fuzzy pattern and apply it to the codebase" and I expect they will end up a permanent tool in the toolbox (though not in their current form; a whole datacenter to do a 'soft-grep' is overkill, my prediction is that the open source projects will succeed in condensing the tool down into "works 90% of the time on the most popular languages and fits on one or two graphics cards").
One of the more interesting aspects of the Ukraine war was the revelation of how badly compromised Russia's defense assets were. It was, honestly, a little startling to the public to learn that the feared Former Soviet State still had size on its side, but not a modern military; their tech was either outdated or had been pillaged by corruption so badly that it couldn't be deployed as intelligence analysts had assumed it could be.
It is extremely fair to argue that Russia's greatest state-defense asset was perception and that the war in Ukraine damaged that and, in so doing, materially threatened the country's safety---that if they had simply never started a war, everyone would still perceive them as unassailable and incredibly dangerous to engage in combat and nobody would even think to try stochastic attacks, asymmetric drone warfare, or any other modern tactics under the assumption that such a grand superpower had a solution for all of that.
In short, all they had to do to keep everyone's perception of their strength was literally not start a war to test it. Just a thing I'm thinking of right now for some reason.
@thomasfuchs Ah, I don't disagree with this criticism, but I am old enough to remember that the reason half of us went to work at a place called Google or Grammarly or Amazon is that we already knew IBM, Microsoft, General Motors, Morgan Stanley, Boeing, Monsanto, etc. were stupid or evil or both.
... but yes, we were naive enough to think that it was because of the people, not the system itself, and this time... This time would be different.
@thomasfuchs It feels like there's a meme in here.
Small brain: yell at people making requests to do it themselves.
Galaxy brain: "That's an interesting idea and I can see why you would want that! Unfortunately, I think it ends up in the priority queue somewhere around the year 2039. We are willing to review pull requests though!"
@soatok I'm curious about your thoughts on usability in the space. You've shared some of them, but I tripped over something this week and I thought you might be interested.
I tried adding scope to an API token I had Atlassian generate for me, and the scoped token wouldn't work. I bashed my head against the problem for a while: peeled apart the library I was using to find the actual URLs it was hitting, confirmed the scopes I'd assigned should match that URL, confirmed an unscoped token worked... It finally turned out that the issue was if you're using a scoped token, you have to hit an entirely different hostname and top-level path in the URL; they have a slightly different API for the requests with scoped tokens.
At that point I gave up and used an unscoped one because nobody in IT was forcing me to use scoped, I just liked the idea that my token intended to read JIRA tickets couldn't also delete them, but I don't care enough to rewrite my API library.
How do we balance security and usability? Is there even a rule of thumb?
(Also, if you ever hear what the first twelve characters in an Atlassian API token mean, I'd love to find out. I had to generate five tokens while testing this problem, and they all started with the same twelve characters... My guess is it's a customer-identifier specific to my company, but I haven't had time to pin down a coworker long enough to have them generate a token to compare with).
@skinnylatte Y'know, I never thought about it until you said it, but probably same. I never screamed for fun as a kid, and I also don't like loud noises in general. Never occurred to me the two might be related.
@soatok Wait... Are people complaining that you published the exploit list now so now they're going to have to work over the summer to fix issues in their Matrix deploys?
Wow. Unless I've misunderstood you, that's... That's something is what that is.
@david_chisnall There is a hilarious possible future where the government fails to do anything about monopolies but Cloudflare has a de facto competition increase effect because it makes it so onerous for everyone to use one site that people start self-selecting to use other sites.
@thomasfuchs Yep, this is pretty SOP for autonomous systems in uncontrolled environments (or controlled environments, for that matter... All of the rail switching in Pennsylvania's main lines is controlled and monitored from two redundant switch houses, if memory serves).
@dalias @lauren Unfortunately, that process is extremely broken because it results in us only having access to truth proportional to the integrity of our peer groups.
If I, the ignorant, have to evaluate which of my peers has domain expertise (and, more importantly, a compulsion to be correct, not just seem correct)... Well actually, that explains a lot about where we are now, does it not?