@ryanc So, C?
Notices by David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Friday, 09-May-2025 00:27:53 JST David Chisnall (*Now with 50% more sarcasm!*)
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Monday, 05-May-2025 17:16:24 JST David Chisnall (*Now with 50% more sarcasm!*)
Judge Vince Chhabria pushed back on Meta attorneys arguing that the company's Llama AI models posed no threat to authors in their markets
Even if this were 100% true, it doesn't matter. The DMCA established statutory damages in addition to actual damages for copyright infringement. You don't have to show that you lost money as a result of copyright infringement, only that the infringement occurred. I'm not a fan of this, given how it's been abused, but if the law is going to be enforced against poor people it should be enforced against multi-billion-dollar corporations.
The argument that I'd love to see them make is that training a neural network is a form of lossy compression (they can easily find expert witnesses to testify this). If training a neural network is not copyright infringement then a camera recording of a cinema is not and neither is creating an H.264 rip of a DVD. And that's really not a precedent anyone wants to set.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Monday, 05-May-2025 05:19:36 JST David Chisnall (*Now with 50% more sarcasm!*)
It's been over 20 years since audio made me switch from Linux to FreeBSD.
The new version of OSS is proprietary, what shall we do?
FreeBSD: Well, the old version is still BSDL, I guess we'll just fork it and add low-latency in-kernel sound mixing and extend it with the features OSS 4 added.
Linux: Rip that stuff out of the kernel and replace it with ALSA, which doesn't do software mixing in the kernel at all!
KDE: Wait, now two apps can't go 'ping' on Linux. Let's write a sound daemon.
GNOME: Wait, now two apps can't go 'ping' on Linux. Let's write a sound daemon.
KDE and GNOME: Oh, now KDE and GNOME apps can't go 'ping' at the same time. I guess we should agree on some standards.
PulseAudio: Hi everyone! I have come to save you from the perils of usable sound! But now you can have sound move from your speakers to USB headphones when you plug them in! Maybe! If you get the config right.
Everyone: Nooo, someone let Lennart Poettering write some code! We're doomed!
Hans Petter Selasky: Wait, that thing with moving audio sounds useful. Rewriting all of your software to do it? Less so. *Writes virtual_oss to provide a layer that lets you send audio to USB devices with userspace drivers or to different in-kernel devices*.
PipeWire: Okay everyone, we can all agree PulseAudio was a bad idea, but we've rewritten all of the code and have a migration path. I guess we're good now?
FreeBSD: Curses, hps just died. I guess he won't be fixing all the things anymore. We'll need to start maintaining virtual_oss and integrate it with the base system. Should probably also fix a bunch of issues in the kernel drivers and make sure low-latency sound mixing is reliable and robust with new hardware. By the way, software that you wrote 20+ years ago still works fine with the kernel and userspace drivers and has low-latency mixing.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Saturday, 03-May-2025 21:33:52 JST David Chisnall (*Now with 50% more sarcasm!*)
Does anyone still click on links to YouTube? If I wanted to be bombarded by ads, I'd move to the USA and buy a TV.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Friday, 02-May-2025 20:02:10 JST David Chisnall (*Now with 50% more sarcasm!*)
I remain confused by the 'it's not a Nazi salute, it's a Roman salute' defence. Oh, sorry, I didn't mean to associate you with a genocidal imperial regime that put people in death camps, when you actually meant to be associated with the genocidal imperial regime built on slavery that just murdered people without transporting them anywhere first and then enslaved their families. My mistake?
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Thursday, 01-May-2025 17:32:59 JST David Chisnall (*Now with 50% more sarcasm!*)
@whitequark I use Vivado on a Mac using Docker and Rosetta with a load of LD_PRELOAD things to stop it crashing on launch. Is there a non-cursed way of running this nightmare of a program?
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Thursday, 01-May-2025 02:22:05 JST David Chisnall (*Now with 50% more sarcasm!*)
@gothpanda @colinstu Also, this code was released 32 years ago and made its way into a lot of places. Being permissively licensed (public domain being the most permissive license [or, technically, lack of license] possible) enabled this and is a big part of the reason that the web was a success.
There are a lot of examples of protocols with permissively licensed reference implementations becoming ubiquitous. There are very few examples of GPL’d ones. If you want a protocol to take off, make sure that there’s a permissively licensed reference implementation.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Thursday, 01-May-2025 02:17:57 JST David Chisnall (*Now with 50% more sarcasm!*)
Never attribute to AI that which can be adequately explained by poor management.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Thursday, 01-May-2025 00:30:45 JST David Chisnall (*Now with 50% more sarcasm!*)
@0xabad1dea 100% of my code is generated by software.
Compilers are still software, right?
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Wednesday, 30-Apr-2025 14:37:53 JST David Chisnall (*Now with 50% more sarcasm!*)
@golemwire Wait, just to confirm:
You're trying to contradict an article in Nature, the most prestigious Biology journal, written by biologists, by citing a dictionary?
I bet you also 'did your own research' and concluded that the Earth is flat as well.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Tuesday, 29-Apr-2025 04:47:37 JST David Chisnall (*Now with 50% more sarcasm!*)
In the wake of a Supreme Court judgement ruling that references to sex in the Equality Act, it’s worth remembering that, in February 2023, the Daily Telegraph published an article by Ellen Pasternack, an Evolutionary Biology PhD student at Oxford, that aggressively misrepresented the science and claimed that there were exactly two biological sexes. She used the reputation of #OxfordUniversity to make claims that inflame bigotry and which have no basis in science. Almost everything in her article was directly contradicted by this piece in Nature seven years earlier which, given it directly related to her field of study, she has no excuse for not reading.
At the time, I wrote to Tim Coulson, the head of the Biology department, to point out that the 20th century has a long history of people misrepresenting biology to push an agenda that marginalised or killed people. If they have learned anything from history, I asked that the department publish an official correction or ask the student to retract her article.
Professor Coulson argued that this was a free speech issue and refused to take any action.
With this in mind, I would urge anyone considering a PhD in #Biology, or attending any events to avoid #Oxford. They clearly value bigotry more than they value science and so do not deserve a place in the scientific community.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Monday, 28-Apr-2025 19:53:43 JST David Chisnall (*Now with 50% more sarcasm!*)
@amy I learned that accidentally. I was discussing how to adopt a security feature in NT and someone on that team casually mentioned third-party drivers (including antivirus) running things in interrupt handlers. The more I learned, the more horrified I was. On FreeBSD and XNU, interrupt handlers do one thing: wake a thread (or some work-queue equivalent). The thread is then preemptive. A small number of things run with interrupts disabled but it’s very rare in drivers or subsystems outside the very core parts of the OS. In Windows, the driver model seems to encourage people to just do the real work in interrupt handlers. So your USB camera is stalling a core (and whatever thread is currently trying to run there) for ms at a time, and so are a load of other kernel things.
Even FreeRTOS discourages this kind of thing, and it’s designed for a use case where it isn’t a terrible idea.
In CHERIoT RTOS we formalise it and bind interrupts to futexes, so the only thing that happens in an interrupt handler is that one or more futexes get woken and then we may make a scheduling decision if any of the woken threads are higher priority than the one that woke (on our chips, we have designed the interrupt controller so that it can avoid raising an interrupt if it wouldn’t result in a scheduling decision).
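An added example, not CHERIoT RTOS code and not from the post: a small C model of the interrupt design described above. A simulated interrupt handler does nothing but bump the futex word bound to its line, mark waiters runnable, and report whether a woken thread outranks the interrupted one; the actual device work runs later in a preemptible driver thread. The thread names, priorities, the one-futex-per-interrupt table and the `isr`, `schedule` and `driver_thread_step` functions are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not CHERIoT RTOS code: three threads, one futex word per
 * interrupt line, and an ISR whose only job is to wake and to report whether
 * a scheduling decision is needed. */
#define NUM_THREADS 3
#define NUM_IRQS    2

enum state { RUNNABLE, BLOCKED };

struct thread {
    const char *name;
    int priority;        /* larger value = higher priority */
    enum state st;
    int waiting_on;      /* futex (interrupt) index, or -1 when not waiting */
    uint32_t seen;       /* futex value this thread last consumed */
    int events_handled;  /* real device work, done only in thread context */
};

static struct thread threads[NUM_THREADS];
static uint32_t futex_word[NUM_IRQS];  /* incremented by the ISR per event */
static int current;                    /* index of the running thread */

void reset_model(void) {
    struct thread init[NUM_THREADS] = {
        { "app",    1, RUNNABLE, -1, 0, 0 },
        { "camera", 2, BLOCKED,   0, 0, 0 },  /* driver thread for IRQ 0 */
        { "audio",  5, BLOCKED,   1, 0, 0 },  /* driver thread for IRQ 1 */
    };
    for (int i = 0; i < NUM_THREADS; i++) threads[i] = init[i];
    for (int i = 0; i < NUM_IRQS; i++) futex_word[i] = 0;
    current = 0;
}

/* Simulated interrupt handler. It bumps the futex word bound to the line,
 * marks any waiter runnable, and returns true only if a woken thread
 * outranks the thread that was interrupted. No device work happens here,
 * so the time spent with interrupts off is a few stores, not a frame decode. */
bool isr(int irq) {
    bool need_reschedule = false;
    futex_word[irq]++;
    for (int i = 0; i < NUM_THREADS; i++) {
        struct thread *t = &threads[i];
        if (t->st == BLOCKED && t->waiting_on == irq) {
            t->st = RUNNABLE;
            t->waiting_on = -1;
            if (t->priority > threads[current].priority)
                need_reschedule = true;
        }
    }
    return need_reschedule;
}

/* Scheduler: run the highest-priority runnable thread. "app" never blocks,
 * so there is always a candidate. Returns the chosen thread index. */
int schedule(void) {
    int best = -1;
    for (int i = 0; i < NUM_THREADS; i++)
        if (threads[i].st == RUNNABLE &&
            (best < 0 || threads[i].priority > threads[best].priority))
            best = i;
    current = best;
    return best;
}

/* One pass of a driver thread's loop: handle every event the ISR counted
 * since the last pass (this is the preemptible "real work"), then wait on
 * the futex again. Mirrors futex_wait: block only if the word is unchanged. */
int driver_thread_step(int tid, int irq) {
    struct thread *t = &threads[tid];
    uint32_t now = futex_word[irq];
    int processed = (int)(now - t->seen);
    t->events_handled += processed;   /* the expensive part lives here */
    t->seen = now;
    if (futex_word[irq] == t->seen) { /* nothing new arrived while working */
        t->st = BLOCKED;
        t->waiting_on = irq;
    }
    return processed;
}

int main(void) {
    reset_model();
    bool r = isr(0);
    printf("irq0 while app runs: reschedule=%d, running=%s\n", r, threads[schedule()].name);
    driver_thread_step(1, 0);   /* camera handles the event and blocks again */
    schedule();
    r = isr(1);
    printf("irq1 while app runs: reschedule=%d, running=%s\n", r, threads[schedule()].name);
    r = isr(0);
    printf("irq0 while audio runs: reschedule=%d (camera woken, audio keeps the core)\n", r);
    return 0;
}
```

The second `isr(0)` call is the case the post mentions: the camera thread is woken, but because the running audio thread has higher priority no reschedule is needed, which is exactly the situation where an interrupt controller that knows thread priorities could skip raising the interrupt at all. The latency cost of the ISR is bounded by the loop over a fixed thread table, regardless of how much work the device event eventually requires.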
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Saturday, 26-Apr-2025 06:42:38 JST David Chisnall (*Now with 50% more sarcasm!*)
I know people like to make fun of niche operating systems, but for the five years I was at Microsoft I used Windows (10 then 11) as my daily driver. It’s much less stable than a professional OS, but it does kind-of work. I wouldn’t say it’s ready for the desktop. The UI is inconsistent and changes randomly between releases, a load of common software is basically usable only in a VM, it lags and freezes periodically (unlike an OS designed for interactive use, random drivers run a load of things directly in interrupt handlers, so you get latency spikes that you wouldn’t see in a more mainstream desktop OS) and the update process can hose the system, so it’s more of interest to people who like tinkering with their machines than to people who actually want to get work done. Oh and a load of random bits of the OS have ads, but that’s what you get from a free ad-supported system instead of one developed by an active open-source community.
I don’t think I’d recommend anyone use it as their daily driver or in a work setting, but it’s not totally unusable. It’s not at the level of maturity that you’d expect from, say, Linux or FreeBSD, especially not for client workloads. If you do have to use it, I recommend that you install FreeBSD in a Hyper-V VM for real work. That’s what I did and it works quite well.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Friday, 25-Apr-2025 21:17:58 JST David Chisnall (*Now with 50% more sarcasm!*)
'But you're always the one organising social activities!'
Yes, because then I am more in control of what's happening and it's less stressful.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Friday, 25-Apr-2025 16:30:52 JST David Chisnall (*Now with 50% more sarcasm!*)
I think we need to talk about the real problem with immigration.
First a few people come here from somewhere and everything is fine.
But then shops open to sell them the food that they’re used to.
And then I learn what things are supposed to taste like and develop standards.
And then I can no longer tolerate the low-quality version that all the supermarkets sell because now I know how bad it is.
Immigrants: They make food shopping more stressful.
Is improving the economy and enriching our culture really worth that?
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Friday, 25-Apr-2025 01:19:50 JST David Chisnall (*Now with 50% more sarcasm!*)
@dalias @guardianproject @signalapp @fdroidorg
Okay, I am not going to argue any more. Allowing a third party to inject arbitrary code is literally what you do when you link a closed-source binary with no sandboxing.
If you think it's bad-faith criticism to state a fact, I am just going to mute you. Especially when you follow it up with 'usually promoting scammy fake secure messengers', which is something I was definitely not doing (and, if you pay attention to my previous posts, you'll see that I have encouraged people to use Signal rather than other things).
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Friday, 25-Apr-2025 01:12:31 JST David Chisnall (*Now with 50% more sarcasm!*)
@dalias @guardianproject @signalapp @fdroidorg
When you are making a claim of security as a result of being open source, the fact that you allow someone else to provide a binary and then inject it into your final build is a problem.
I can only assume that you're arguing for the sake of arguing, rather than making a real point.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Thursday, 24-Apr-2025 22:33:55 JST David Chisnall (*Now with 50% more sarcasm!*)
@dalias @guardianproject @signalapp @fdroidorg The libraries are arbitrary (binary) code provided by a third party. I'm not sure what you think is a myth.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Thursday, 24-Apr-2025 22:17:54 JST David Chisnall (*Now with 50% more sarcasm!*)
@guardianproject @signalapp @fdroidorg
'Our secure messenger is open source and auditable, except for the fact that we allow a data-mining company to inject arbitrary code into our binaries and don't provide a build that doesn't do that' is somehow a less compelling argument than it may first appear.
David Chisnall (*Now with 50% more sarcasm!*) (david_chisnall@infosec.exchange)'s status on Tuesday, 22-Apr-2025 19:51:03 JST David Chisnall (*Now with 50% more sarcasm!*)
When I was a PhD student, around 20 years ago, some folks in my lab were working on visualisation for CT and scan data. CT scans take a load of cross-sectional images and the traditional way of looking at them is to scan through one slice at a time. This needs a lot of training because it's not how the human visual system evolved to see things.
Some folks in my lab were working on using techniques from volumetric rendering (a CT scan is basically a volumetric data set) to improve this. They had some demos at the time (using real CT scan data) that could:
- Give you a 3D image that you could rotate or zoom.
- Use isosurfacing to remove contiguous blocks of identical tissue, so you could remove skin, bone, and so on from the image and just see the organ that you were interested in.
- Use similar techniques to apply false colour to highlight things (e.g. seeing blood in a different colour to blood vessels). This included translucency, so you could make different kinds of tissue translucent.
At the time, this needed a fairly beefy desktop GPU. Today, the exact same code would run on an iPad without warming it up too much.
So I was incredibly disappointed when I saw a specialist looking at a CT scan in hospital a few weeks ago and they were still doing the scan-through-slices visualisation.
When someone talks about how 'AI will revolutionise health care', remember that there are old bits of well-understood IT that are not deployed in the health profession even after feedback from clinicians saying that it would definitely make their lives easier. Even getting records digitised so hospitals have instant access to patients' medical history is still not completely finished and that's based on 1960s technology.
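An added example, not the lab's code or anything from the post: a minimal C volume renderer over a constructed 8x8x8 "scan" with four hand-placed tissue classes. It shows the two ideas the post describes, stripping whole tissue classes from the image and applying false colour with translucency. As a simplification, it removes a class by giving it zero opacity in a transfer function rather than by extracting an isosurface, and composites each ray front to back along one axis; the voxel layout, class values, colours and the `build_volume`, `transfer`, `cast_ray` and `render_ascii` functions are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy "scan": an 8x8x8 volume with four tissue classes, built
 * by hand rather than loaded from real CT data. */
#define N 8
enum { AIR = 0, SKIN = 40, ORGAN = 120, BONE = 220 };
static uint8_t volume[N][N][N];   /* indexed [z][y][x] */

void build_volume(void) {
    for (int z = 0; z < N; z++)
        for (int y = 0; y < N; y++)
            for (int x = 0; x < N; x++) {
                uint8_t v = AIR;
                if (z >= 1 && z <= 6 && y >= 1 && y <= 6 && x >= 1 && x <= 6)
                    v = SKIN;      /* soft-tissue block filling the body */
                if (z == 2 && y >= 2 && y <= 5 && x >= 2 && x <= 5)
                    v = BONE;      /* bone plate in front of the organ */
                if (z >= 3 && z <= 5 && y >= 3 && y <= 4 && x >= 3 && x <= 4)
                    v = ORGAN;     /* the organ we want to see */
                volume[z][y][x] = v;
            }
}

struct rgba { float r, g, b, a; };

/* Transfer function: tissue class -> false colour and opacity. Opacity 0
 * strips that class from the image (the "remove skin and bone" step);
 * a fractional opacity makes it translucent. */
struct rgba transfer(uint8_t v, float skin_alpha, float bone_alpha) {
    switch (v) {
    case SKIN:  return (struct rgba){ 0.9f, 0.7f, 0.6f, skin_alpha };
    case BONE:  return (struct rgba){ 1.0f, 1.0f, 1.0f, bone_alpha };
    case ORGAN: return (struct rgba){ 1.0f, 0.0f, 0.0f, 1.0f };
    default:    return (struct rgba){ 0.0f, 0.0f, 0.0f, 0.0f };
    }
}

/* Cast one ray into the volume along +z through pixel (x, y), compositing
 * front to back and stopping early once the ray is effectively opaque. */
struct rgba cast_ray(int x, int y, float skin_alpha, float bone_alpha) {
    struct rgba out = { 0.0f, 0.0f, 0.0f, 0.0f };
    for (int z = 0; z < N && out.a < 0.99f; z++) {
        struct rgba s = transfer(volume[z][y][x], skin_alpha, bone_alpha);
        float w = (1.0f - out.a) * s.a;   /* light still reaching this voxel */
        out.r += w * s.r;
        out.g += w * s.g;
        out.b += w * s.b;
        out.a += w;
    }
    return out;
}

/* Render the image as ASCII: '.' background, 'R' where the organ's red
 * dominates, 'W' bone, 's' skin. Returns how many pixels show the organ. */
int render_ascii(float skin_alpha, float bone_alpha) {
    int organ_pixels = 0;
    for (int y = 0; y < N; y++) {
        for (int x = 0; x < N; x++) {
            struct rgba p = cast_ray(x, y, skin_alpha, bone_alpha);
            char c = '.';
            if (p.a > 0.05f) {
                if (p.r > 0.9f && p.g < 0.6f)      { c = 'R'; organ_pixels++; }
                else if (p.r > 0.9f && p.g > 0.9f) c = 'W';
                else                               c = 's';
            }
            putchar(c);
        }
        putchar('\n');
    }
    return organ_pixels;
}

int main(void) {
    build_volume();
    printf("skin opaque (organ hidden):\n");
    render_ascii(1.0f, 1.0f);
    printf("skin removed, bone translucent (organ visible through bone):\n");
    render_ascii(0.0f, 0.5f);
    printf("skin and bone removed:\n");
    render_ascii(0.0f, 0.0f);
    return 0;
}
```

With the skin at full opacity the organ never shows, because the first opaque voxel along each ray ends the compositing; setting the skin's opacity to zero and the bone's to 0.5 lets the organ's red blend through the bone plate, which is the translucency effect the post describes. The same loop structure is what a GPU runs per pixel, which is why the post's point about modern hardware holds: the work is one short ray march per pixel.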