• 0 Posts
  • 42 Comments
Joined 1 year ago
Cake day: July 14th, 2023



  • UBI doesn’t give any power to those who own the means of automation, nor does it take power away from laborers. Automation does that. Automation reduces the leverage of the laborer by reducing the capitalist’s reliance on labor.

    We have the same leverage regardless of whether we have UBI or not, but the leverage of employers is reduced with UBI. That said, if more people opt not to work thanks to UBI, then the people who choose to work will see their leverage increased.


  • Is it possible to force a corruption if a disk clone is attempted?

    Anything that corrupts a single file would work. You could certainly change your own disk cloning binaries to include such functionality, but if someone were accessing your data directly via their own OS, that wouldn’t be effective. I don’t know of a way to circumvent that last part other than ensuring that the data isn’t left on disk when you’re done. For example, you could use a ramdisk instead of non-volatile storage. You could delete or intentionally corrupt the volume when you unmount it. You could split the file, storing half on your USB flash drive and keeping the other half on your PC. You could XOR the file with contents of another file (e.g., one on your USB flash drive instead of on your PC) and then XOR it again when you need to access it.

    What sort of attack are you trying to protect from here?

    If the goal is plausible deniability, then it’s worth noting that VeraCrypt volumes aren’t identifiable as distinct from random data. So if you have a valid reason for having a big block of random data on disk, you could say that’s what the file was. Random files are useful because they are not compressible. For example, you could be using those files to test: network/storage media performance or compression/hash/backup&restore/encrypt&decrypt functions. You could be using them to have a repeatable set of random values to use in a program (like using a seed, but without necessarily being limited to using a PRNG to generate the sequence).

    If that’s not sufficient, you should look into hidden volumes. The idea is that you take a regular encrypted volume, whose free space on disk looks just like random data, and you store your hidden volume within that free space. The hidden volume gets its own password. Then, you can mount the volume using the first password and get visibility into a “decoy” set of files or use the second password to view your “hidden” files. Note that when mounting it to view the decoy files, any write operations will have a chance of corrupting the hidden files. However, you can supply both passwords to mount it in a protected mode, allowing you to change the decoy files and avoid corrupting the hidden ones.
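    The XOR-split idea from the comment above, as an added example (not code from the commenter): one share is a pad drawn from `os.urandom`, the other is the file XORed with that pad, so keeping the two on different media means neither alone reveals anything, and XORing them again restores the file. It also uses zlib as a rough compressibility check, which illustrates the caveat that the "other file" must be random and at least as long as the data: XORing with an ordinary text file leaves structure that compresses (and therefore leaks). The sample secret, the text "pad", and the function names are all constructed for this example.

```python
"""XOR-split a file into two shares (2-of-2, one-time-pad style) and show why
the pad must be random. Constructed example; not the commenter's code."""
import os
import zlib

# Constructed, highly repetitive "secret" so the compressibility contrast is obvious.
SECRET = b"attack at dawn\n" * 200
# Constructed stand-in for "some other file on the USB stick" that is NOT random.
TEXT_PAD = (b"lorem ipsum dolor sit amet " * 200)[: len(SECRET)]


def split_xor(data: bytes, pad: bytes = None) -> tuple:
    """Return (pad, share) where share = data XOR pad.

    If no pad is supplied, a fresh one is drawn from os.urandom. A supplied pad
    must be at least as long as the data; it is truncated to the data length.
    """
    if pad is None:
        pad = os.urandom(len(data))
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    pad = pad[: len(data)]
    share = bytes(a ^ b for a, b in zip(data, pad))
    return pad, share


def join_xor(pad: bytes, share: bytes) -> bytes:
    """Recover the original: (data XOR pad) XOR pad == data."""
    if len(pad) != len(share):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(pad, share))


def compression_ratio(data: bytes) -> float:
    """zlib output size divided by input size. Random-looking data gives ~1.0
    (or slightly above); structured data gives a small number."""
    return len(zlib.compress(data, 9)) / len(data)


def demo() -> dict:
    """Run the split/join round trip with a random pad and with a text pad."""
    pad, share = split_xor(SECRET)              # random pad: both shares look random
    text_pad, text_share = split_xor(SECRET, TEXT_PAD)  # text pad: share keeps structure
    return {
        "roundtrip_ok": join_xor(pad, share) == SECRET,
        "secret_ratio": compression_ratio(SECRET),
        "random_share_ratio": compression_ratio(share),
        "random_pad_ratio": compression_ratio(pad),
        "text_share_ratio": compression_ratio(text_share),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The `text_share_ratio` result is the practical point: the XOR of two periodic inputs is itself periodic, so an attacker holding only that share can see the file is not random data, and with the text file in hand recovers it outright. The random-pad shares compress to nothing, which is also what makes them indistinguishable from the "big block of random data" cover story.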


  • It sounds like you want these files to be encrypted.

    Someone already suggested encrypting them with GPG, but maybe you want the files themselves to also be isolated, even while their data is encrypted. In that case, consider an encrypted volume. I assume you’re familiar with LUKS - you can encrypt a partition with a different password and disable auto-mount pretty easily. But if you’d rather use a file-based volume, then check out VeraCrypt - it’s a FOSS-ish [1], cross-platform tool that provides this capability. The official documentation is very Windows-focused - the ArchLinux wiki article is a pretty useful Linux focused alternative.

    Normal operation is that you use a file to store the volume, which can be “dynamic” with a max size or can be statically sized (you can also directly encrypt a disk partition, but you could do that with LUKS, too). Then, before you can access the files - read or write - you have to enter the password, supply the encryption key, etc., in order to unlock it.

    Someone without the password but with permission to modify the file will be capable of corrupting it (which would prevent you from accessing every protected file), but unless they somehow got access to the password they wouldn’t be able to view or modify the protected files.

    The big advantage over LUKS is ease of creating/mounting file-based volumes and portability. If you’re concerned about another user deleting your encrypted volume, then you can easily back it up without decrypting it. You can easily load and access it on other systems, too - there are official, stable apps on Windows and Mac, though you’ll need admin access to run them. On Android and iOS options are a bit more slim - EDS on Android and Disk Decipher on iOS. If you’re copying a volume to a Linux system without VeraCrypt installed, you’ll likely still be able to mount it, as dm-crypt has support for VeraCrypt volumes.

    • 1 - It’s based on TrueCrypt, which has some less free restrictions, e.g., clause c: “Phrase "Based on TrueCrypt, freely available at http://www.truecrypt.org/" must be displayed by Your Product (if technically feasible) and contained in its documentation.”


  • ultimately the market is behaving as if the threats are sincere so whether or not Valve would follow through is irrelevant to whether the presence of a policy is an exhibition of monopolistic power

    Courts have interpreted the anti-monopoly portion of the Sherman act, which governs antitrust law in the US, to mean that monopoly is only unlawful if the power is used in an unlawful way or if the monopoly was acquired through unlawful means.

    The need to see an actual example of a game being delisted for violation of the policy is a weirdly high standard of evidence

    As a smoking gun, I don’t think it’s unreasonable to ask for something like that.

    If it’s a policy Valve denies and the only evidence of it existing is a single reply in a forum somewhere, then yes, I’m skeptical. And given that there are examples of companies that were willing to break explicit, defensible policies, why aren’t there examples of companies who broke these? Unless the plaintiffs bring in multiple witnesses to testify that this was the policy communicated to them or something along those lines, I can’t see the evidence that they did have this policy being more compelling than the fact that there’s a complete lack of evidence that they ever acted on it.

    To be clear, I’m not saying Valve needs to have said that was the reason. But it certainly needs to look like that was the reason. If Valve can’t provide a valid reason for the termination, then that’s very compelling, and even if they can, it’ll come down to which is more believable.


  • Thank you! That document is exactly the sort of thing I was looking for. Just realized (after writing most of this comment) that it’s for Wolfire and not Vicki Shotbolt’s case, but the commentary’s still relevant, I think.

    There’s enough there that they may have a legitimate case, but there’s also a lot that is, as far as I know, completely acceptable for Valve to do. The specific items you listed, as well as a couple before / after them, are the most promising, IMO, but even so, there are a couple different counter-arguments that I could see Valve making.

    The first counter-argument would be that the comments in 204-205 were in the context of publishers who had already received Steam keys for the games in question and did not apply to games where the publisher had not received Steam keys.

    The second counter-argument would be that Tom Giardino was not speaking to Valve’s actual policy and/or that he was making empty threats that he didn’t have the power to enforce. Tom’s still with Valve (according to https://www.valvesoftware.com/en/people) so they wouldn’t be able to show that he was fired for giving publishers incorrect information, but it would be feasible for them to have record of him having gotten disciplinary action or something along those lines. Without something like that it’s a much less credible stance, but not unbelievable - they’d basically have to be admitting negligence since this is a record of the actions of a representative of their company. My gut says they were at least complicit.

    200 says Valve “insisted” a publisher change their price on the Discord Store but doesn’t indicate any enforcement action was taken. At first glance, 209 appeared to apply, but it, too, involves the sale of Steam keys. 230 goes into a bit more detail about 209.

    I read through the filing and still don’t see any instances of a game being delisted because it was being sold for cheaper elsewhere, when Steam keys weren’t in play. A lack of enforcement action against publishers not using Steam keys who set a different price in another storefront would go a long way toward showing that Valve’s policy was only relevant when the publishers were using Steam keys.

    In either case, Valve will need to make the argument that it is not anti-competitive to require publishers to agree to these terms when requesting free Steam keys.

    The arguments regarding DLC exclusivity (172-184) are another area where Valve might be found to be anti-competitive. That said, I don’t think exclusive DLCs benefit consumers and I would expect Valve to argue that the intent and impact of requiring DLC be published on their platform is for consumers’ benefit. I think proving something here would be dependent on the pricing angle.

    I still think Valve could argue that the intent and impact of their pricing decisions are to the benefit of consumers. The specific enforcement actions brought up were all in relation to the price of Steam keys on third-party storefronts, which I think will be held to a much lower standard than restricting the price of the game on other platforms. After all, the benefits of Steam keys aren’t intrinsic to Steam, and other platforms are free to offer a similar benefit to game publishers.

    In 191, the plaintiff shows that a publisher could set the price on a rival platform at 20% less and make more profit than on Steam. However, there aren’t any examples of enforcement actions where the discount on a rival platform did not exceed a 20% difference. Ultimately, if they don’t have at least that - optimally for a game whose publisher didn’t ever receive free Steam keys - the singular statement of one of their representatives might be the only concrete evidence they have. And at that point, the argument that Tom was just making empty threats has a lot more weight.


  • The article also says

    The first point is one we’ve heard repeated many times before, but there’s never been any proof on it. Which perhaps the Wolfire lawsuit and this may actually bring to light. An accusation doesn’t necessarily mean they’re right though. Something people get confused on often is Steam Keys, which are completely separate to Steam Store purchases.

    Saying “Don’t sell Steam keys off-platform for more than X% less than the game is priced for on Steam” and “Don’t sell your game elsewhere for more than X% less than the game is priced for on Steam” are very different things. Steam openly does the former; I’ve never heard a reputable report of them doing the latter. The Wolfire lawsuit is explicitly about the former practice, for example.

    The press release for this lawsuit reads like it’s about the latter, but I suspect that’s solely for optics. I reviewed the website dedicated to the lawsuit (steamyouoweus.co.uk) and thought they might have some more concrete evidence - nope, nothing. Under the first question in FAQs they have a link to their key documents, but the documents are “coming soon.”

    Until they actually substantiate their claim, this lawsuit is just noise.


  • reasonable expectations and uses for LLMs.

    LLMs are only ever going to be a single component of an AI system. We’ve only had LLMs with their current capabilities for a very short time period, so the research and experimentation to find optimal system patterns, given the capabilities of LLMs, has necessarily been limited.

    I personally believe it’s possible, but we need to get vendors and managers to stop trying to sprinkle “AI” in everything like some goddamn Good Idea Fairy.

    That’s a separate problem. Unless it results in decreased research into improving the systems that leverage LLMs, e.g., by resulting in pervasive negative AI sentiment, it won’t have a negative effect on the progress of the research. Rather the opposite, in fact, as seeing which uses of AI are successful and which are not (success here being measured by customer acceptance and interest, not by the AI’s efficacy) is information that can help direct and inspire research avenues.

    LLMs are good for providing answers to well defined problems which can be answered with existing documentation.

    Clarification: LLMs are not reliable at this task, but we have patterns for systems that leverage LLMs that are much better at it, thanks to techniques like RAG, supervisor LLMs, etc…

    When the problem is poorly defined and/or the answer isn’t as well documented or has a lot of nuance, they then do a spectacular job of generating bullshit.

    TBH, so would a random person in such a situation (if they produced anything at all).

    As an example: how often have you heard about a company’s marketing department over-hyping their upcoming product, resulting in unmet consumer expectations, a ton of extra work from the product’s developers and engineers, or both? This is because those marketers don’t really understand the product - either because they don’t have the information, didn’t read it, because they got conflicting information, or because the information they have is written for a different audience - i.e., a developer, not a marketer - and the nuance is lost in translation.

    At the company level, you can structure a system that marketers work within that will result in them providing more correct information. That starts with them being given all of the correct information in the first place. However, even then, the marketer won’t be solving problems like a developer. But if you ask them to write some copy to describe the product, or write up a commercial script where the product is used, or something along those lines, they can do that.

    And yet the marketer role here is still more complex than our existing AI systems, but those systems are already incorporating patterns very similar to those that a marketer uses day-to-day. And AI researchers - academic, corporate, and hobbyists - are looking into more ways that this can be done.

    If we want an AI system to be able to solve problems more reliably, we have to, at minimum:

    • break down the problems into more consumable parts
    • ensure that components are asked to solve problems they’re well-suited for, which means that we won’t be using an LLM - or even necessarily an AI solution at all - for every problem type that the system solves
    • have a feedback loop / review process built into the system

    In terms of what they can accept as input, LLMs have a huge amount of flexibility - much higher than what they appear to be good at and much, much higher than what they’re actually good at. They’re a compelling hammer. System designers need to not just be aware of which problems are nails and which are screws or unpainted wood or something else entirely, but also ensure that the systems can perform that identification on their own.


  • That’s still a single point of failure.

    So is TLS or the compromise of a major root certificate authority, and those have no bearing on whether an approach qualifies as using 2FA.

    The question is “How vulnerable is your authentication approach to attack?” If an approach is especially vulnerable, like using SMS or push notifications (where you tap to confirm vs receiving a code that you enter in the app) for 2FA, then it should be discouraged. So the question becomes “Is storing your TOTP secrets in your password manager an especially vulnerable approach to authentication?” I don’t believe it is, and further, I don’t believe it’s any more vulnerable than using a separate app on your mobile device (which is the generally recommended alternative).

    What happens if someone finds an exploit that bypasses the login process entirely?

    Then they get a copy of your encrypted vault. If your vault password is weak, they’ll be able to crack it and get access to everything. This is a great argument for making sure you have a good vault password, but there are a lot of great arguments for that.

    Or do you mean that they get access to your logged in vault by compromising your device? That’s the most likely worst case scenario, and in such a scenario:

    • all of your logged in accounts can be compromised by stealing your sessions
    • even if you use a different app for your 2FA, those TOTP secrets and passkeys can be stolen - they have to be on a different device
    • you’re also likely to be subject to a ransomware attack

    In other words, your only accounts that are not vulnerable in this situation solely because their TOTP secret is on a different device are the ones you don’t use on that device in the first place. This is mostly relevant if your computer is compromised - if your phone is compromised, then it doesn’t matter that you use a separate password manager and authenticator app.

    If you use an account on your computer, since it can be compromised without having the credentials on device, you might as well have the credentials on device. If you’re concerned about the device being compromised and want to protect an account that you don’t use on that device, then you can store the credentials in a different vault that isn’t stored on your device.

    Even more common, though? MITM phishing attacks. If your password manager verifies the url, fills the password, and fills your TOTP, then that can help against those. Start using a different device and those protections fall away. If your vault has been compromised and your passwords are known to an attacker, but they don’t have your TOTP secrets, you’re at higher risk of erroneously entering them into a phishing site.

    Either approach (same app vs different app) has trade-offs and both approaches are vulnerable to different sorts of attacks. It doesn’t make sense to say that one counts as 2FA but the other doesn’t. They’re differently resilient - that’s it. Consider your individual threat model and one may be a better option than the other.

    That said, if you’re concerned about the resiliency of your 2FA approach, then look into using dedicated security keys. U2F / WebAuthn both give better phishing resistance than a browser extension filling a password or TOTP can, and having the private key inaccessible can help mitigate device compromise concerns.
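    The two mechanisms the comment above relies on, a password manager that generates TOTP codes and one that only fills when the page URL matches the saved entry, as an added example (not the commenter's code and not any particular password manager's implementation). The TOTP part is RFC 6238 over RFC 4226 HOTP with HMAC-SHA1; the fill decision is a strict scheme + host + port match, which is a deliberately stricter policy than the registrable-domain matching some managers use. The vault entry, the example.com origins, and the function names are constructed for this example; the secret is the RFC 6238 test-vector key.

```python
"""TOTP generation plus origin-bound autofill, as an educational example."""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, for_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock drift,
    comparing in constant time so the check itself does not leak timing."""
    for offset in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, for_time + offset * step, step), code):
            return True
    return False


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps hand out base32 secrets, often unpadded and lowercase."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


@dataclass
class VaultEntry:
    origin: str            # normalized scheme://host[:port] the credential was saved for
    username: str
    password: str
    totp_secret: Optional[bytes] = None


def normalize_origin(url: str) -> str:
    """Reduce a page URL to the origin the manager matches on. Rejects non-HTTP schemes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL: %r" % url)
    default_port = {"http": 80, "https": 443}[parts.scheme]
    host = parts.hostname.lower()  # urlsplit already strips the port and userinfo
    if parts.port is None or parts.port == default_port:
        return "%s://%s" % (parts.scheme, host)
    return "%s://%s:%d" % (parts.scheme, host, parts.port)


def autofill(vault, page_url: str, now: Optional[int] = None) -> Optional[dict]:
    """Return credentials (and a fresh TOTP code) only for an exact origin match.
    A lookalike host or an http:// downgrade gets nothing, which is the phishing
    resistance the comment describes."""
    origin = normalize_origin(page_url)
    for entry in vault:
        if entry.origin == origin:
            return {
                "username": entry.username,
                "password": entry.password,
                "totp": totp(entry.totp_secret, now) if entry.totp_secret else None,
            }
    return None


# Constructed vault: one entry, secret is the RFC 6238 SHA-1 test key "12345678901234567890".
VAULT = [
    VaultEntry(
        origin="https://example.com",
        username="alice",
        password="correct horse battery staple",  # placeholder, not a real credential
        totp_secret=decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
    )
]

if __name__ == "__main__":
    for url in ("https://example.com/login", "https://example.com.evil.test/login", "http://example.com/"):
        print(url, "->", autofill(VAULT, url))
```

    Run against the RFC test vectors, `totp(key, 59)` gives `287082` and the lookalike and downgraded URLs get no fill at all, not even the password, which is the property the comment contrasts with typing codes by hand on a different device.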




  • If you’re in the US, unpaid overtime is only permissible if you’re salaried exempt. To be salaried exempt:

    • you must make at least $684 every week ($35,568/year)
    • your primary job responsibility must be one of the following:
      • executive - managing the enterprise, or managing a customarily recognized department or subdivision; you must also regularly direct the work of at least two FTEs and be able to hire / fire people (or be able to provide recommendations that are strongly considered)
      • administrative - office or non-manual work directly related to the management or general business operations, or
      • learned professional - work which is predominantly intellectual in character and which includes work requiring the consistent exercise of discretion and judgment, in the field of science or learning
      • creative professional - work requiring invention, imagination, originality or talent in a recognized field of artistic or creative endeavor
      • IT related - computer systems analyst, computer programmer, software engineer or other similarly skilled worker in the computer field
      • sales
      • HCE (you must be making at least $107k per year)
    • your pay must not be reduced if your work quality is reduced or if you work fewer hours
      • for example, if you work 5 days a week, for an hour a day, you must get the same pay as if you worked 8 hours every day. There are some permissible deductions they can make - like if you miss a full day - and they can require you to use vacation time or sick time, if you have it - and of course they can fire you if you’re leaving without completing your tasks… but they still have to pay you.

    Check out https://www.dol.gov/agencies/whd/fact-sheets/17a-overtime for more details on the above.

    It’s quite possible you’re eligible for back-paid overtime.

    Note also that the minimum exempt wages are increasing in July.

    Re your “cover my expenses just to exist” bit and the follow-up about employers catching on and pushing abusive shit… if this is related to a disability make sure to look into getting that on record and seeking an accommodation. If your primary job duty is X and they’re pushing you to do Y, but your disability makes Y infeasible, then it’s a pretty reasonable accommodation to ask to not have to do Y (assuming your HCP agrees, of course).



  • The idea that someone does this willingly implies that the user knows the implications of their choice, which most of the Fediverse doesn’t seem to do

    The terms of service for lemmy.world, which you must agree to upon sign-up, make reference to federating. If you don’t know what that means, it’s your responsibility to look it up and understand it. I assume other instances have similar sign-up processes. The source code to Lemmy is also available, meaning that a full understanding is available to anyone willing to take the time to read through the code, unlike with most social media companies.

    What sorts of implications of the choice to post to Lemmy do you think that people don’t understand, that people who post to Facebook do understand?

    If the implied license was enough, Facebook and all the other companies wouldn’t put these disclaimers in their terms of service.

    It’s not an implied license. It’s implied permission. And if you post content to a website that’s hosting and displaying such content, it’s obvious what’s about to happen with it. Please try telling a judge that you didn’t understand what you were doing, sued without first trying to delete or file a DMCA notice, and see if that judge sides with you.

    Many companies have lengthy terms of service with a ton of CYA legalese that does nothing. Even so, an explicit license to your content in the terms of service does do something - but that doesn’t mean that you’re infringing copyright without it. If my artist friend asks me to take her art piece to a copy shop and to get a hundred prints made for her, I’m not infringing copyright then, either, nor is the copy shop. If I did that without permission, on the other hand, I would be. If her lawyer got wind of this and filed a suit against me without checking with her and I showed the judge the text saying “Hey hedgehog, could you do me a favor and…,” what do you think he’d say?

    Besides, Facebook does things that Lemmy instances don’t do. Facebook’s codebase isn’t open, and they’d like to reserve the ability to do different things with the content you submit. Facebook wants to be able to do non-obvious things with your content. Facebook is incorporated in California and has a value in the hundreds of billions, but Lemmy instances are located all over the world and I doubt any have a value even in the millions.




  • Honestly that’s a great analogy.

    I worked briefly as a CSR and during training they made a point of telling us that people had been fired because of doing exactly that when the mute button failed. That was over a decade ago, but I wouldn’t expect increased reliability today.

    More recently, a friend who is a CSR told me that their software mute buttons only prevent the audio from going to the customer, but it’s still recorded and can be grounds for termination if the call was audited. I introduced her to a microphone with a physical mute button but made sure she knew that it could also fail (or most likely, that she might be using a different connected mic, in case the hardware mute would do nothing).

    Office conferencing software also has a really bad record with their software mutes. I’ve had experiences with Teams, Zoom, and Webex where I’ve clicked mute, but wasn’t muted.

    The mute button should be thought of as a feature for the person on the other line / the other people on the call - you’re reducing the noise so the focus can be on the conversation - not as a feature for your privacy. You can treat Private Games similarly - it’s so you don’t subject your friends to the thought of you playing sexually themed games, not so you’re guaranteed to be saved the embarrassment of people knowing that you’re playing them.