Septimaeus
@Septimaeus@infosec.pub
- Comment on *confused flatfish noises* 4 hours ago:
This joke only works in Spanish.
- Comment on I dunno 16 hours ago:
Implications or assignment? They didn’t specify notation.
- Comment on Cutting-edge research shows language is not the same as intelligence. The entire AI bubble is built on ignoring it. 1 day ago:
Because what we call intelligence (the human kind) usually is just an emergent property of the wielding of various combinations of first or second-hand experience by “consciousness” which itself is…
What we like to call the tip of a huge fucking iceberg of constant lifelong internal dialogues, overlapping and integrating experiences all the way back to engrams/assemblies/memories so deep we can’t even summon them any longer but are still measurable, still there.
Humans continuously, reflexively, recursively tell and re-tell our own stories to ourselves all day, and even at night, just to make sense of the connections we made today, how to use them tomorrow, to know how they relate to connections we made a lifetime ago, and how it fits in the larger story of us. That “context integration window” absolutely DWARFS even the deepest language model, even though our own organic “neural net” is low-power, lacks back-propagation, etc etc, and it is all done using language.
So yes, language is not the same as intelligence (though at some point some would ask “who can tell the difference?”) HOWEVER… The semantic taxonomies, symbolic cognition, and various other mental tools that are enabled by language are absolutely, verifiably required for this massive context integration to take place.
- Comment on Hyundai car requires $2000, app & internet access to fix your brakes - what the actual f 5 days ago:
New York or Disney World
Got me
- Comment on Devs gripe about having AI shoved down their throats 1 week ago:
For example the tools for the really tedious stuff, like large codebase refactoring for style keeping and naming convention adherence, those tools have become a lot more powerful than what I remember from a decade ago.
While I’ve only experimented a little with some of the more explicitly generative LLM-based coding assistant plugins, I was impressed (and a little spooked) at how good they often were at guessing what I was doing way before I finished doing it.
I haven’t used the prompt-based LLMs at all, but I’ve watched nearby devs use them for stuff like manipulating a bunch of files in a repeated pattern, breaking up a spaghetti method into reusable functions, or giving a descriptive overview of some gnarly undocumented legacy code. They seem pretty useful, but I don’t think I’ll be able to use them fluidly until I can host them locally.
- Comment on Devs gripe about having AI shoved down their throats 1 week ago:
I’ll admit, some tools and automation are hugely improved with new ML smarts, but nothing feels dumber than finding problems that fit the boss’s solution.
- Comment on The Patent Office Is About To Make Bad Patents Untouchable 1 week ago:
It seems like the US patent system today is rarely anything but a solution to its own problem. In most cases a patent is little more than an expensive troll ward or a way to demonstrate due diligence to investors. What’s taken its place is time to market. If that’s true, the patent system should either be replaced with something that serves its intended purpose or that office should stop accepting applications.
- Comment on Jeff Bezos reportedly launches new AI startup with himself as CEO 1 week ago:
Haha, I see where you’re coming from. It’s a fairly old and ongoing debate: the importance of classical humanities in the curricula of primary and secondary education. To illustrate, at one point children were not only taught literature from the Greco-Roman period, but also the languages they were written in.
In fact, that’s one of the key reasons for all the institutional Greek and Latin usage you see in higher ed. That was the tradition. These were languages only the educated knew. The effects of that on society were mixed, in my opinion. Fast-forwarding to today, the recent trend has been to prioritize knowledge more relevant to the modern era, including STEM subjects and practical trade-related skills.
That’s the reason for the lingering notion, among older generations especially, that classical works are foundational knowledge, a common intellectual inheritance that everyone should know. While I’m more used to thinking this way, and can probably make some convincing arguments for it, I recognize that in many ways and for many individuals, it fails the test of relevance. So maybe it really is for the best that it’s only taught in the optional extension of higher ed.
Yes, zero expectation from me to read that book, but if you ever become curious, mythologies are often short, fun, and memorable stories to read. And once familiar with them, you’ll see references to them basically everywhere, including the names of blockbuster films and spaceships, like the Apollo.
- Comment on Jeff Bezos reportedly launches new AI startup with himself as CEO 1 week ago:
You’re good. I upvoted. People downvoting are leery of anti-intellectualism (not without good reason).
But I don’t see that in your comment. You simply didn’t know something and admitted it.
In addition, your guess that the majority who recognize the name associate it with something from pop culture rather than classical mythology is also likely to be true. Those who received extra education, or who had the resources at hand to educate themselves, often forget that in most of the world education remains a privilege, whereas the right to pay for entertainment is nearly always guaranteed.
If you’d like to know more about classical myths, here is a free book I would recommend. It is also available as a free audiobook.
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
Yeah I have a few of those for the most secure stuff. Hard to beat! The USB-C one is the newest and I debated the choice but damn these days it’s great how it works with everything.
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
If we cut and run every time a big corporation “embraces” a new standard, just to lessen the pain of the day it’s inevitably “extinguished,” we’d miss out on quite a lot.
This standard was open from the start. It was ours. Big corps sprinted ahead with commercial development, as they do, but just because they’re first to implement doesn’t mean we throw in the towel.
Also:
- Bio auth isn’t necessary. It’s just how Google/Apple do things on their phones. It’s not part of the FIDO2 standard.
- It works with arbitrary password managers including FLOSS and lots of hardware options.
- Passkeys can sync to arbitrary devices, browsers, device bound sessions, whatever.
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
Yeah the moods in this thread, like
“[I don’t understand this]!”
“[I don’t trust this]!”
“[It doesn’t fix everything]!”
“[This doesn’t benefit me]!”
“[What’s wrong with old way]!?”
And like, all valid feelings… just the reactions are a bit… intense? Especially considering it’s a beta stage auth option that amounts to a fancy version of the old sec key industry standard, not the mark of the beast.
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
Yeah the counter-interoperability of the proprietary expansions on the FIDO standards sounds very much like embrace extend extinguish to me. I know engineering standards generally require field revisions but these big corps have a track record of this behavior.
I can see how the FIDO standard’s dID requirement might be an issue at the org level, but even in the case of a fully custom/unknown rooted device they have provisions for using traditional security keys attached to one or more associated devices via USB/BT/NFC. Megacorp platforms might be first to facilitate adoption but the spec absolutely accommodates open provider integration.
I need to experiment with personal security passkey registration and authentication workflows to know how difficult it actually is in practice, but it looks like the equivalent of self-signed certificates are possible anywhere the user controls the stack like self-hosted intranetwork suites that are popular around here.
Thanks again for the write up!
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
I could see that. I’ve only found a few in the wild (mostly just enterprise, niche tech-related, and big platform web apps) but there’s probably some clunky implementations out there I haven’t suffered through yet.
For one, there seems to be this idea that if you lose your passkey you get locked out of your account forever.
True, plenty in this thread even. IIRC there’s usually a recovery key process same as a typical authenticator MFA, sometimes other routes in addition like combining multiple other MFAs or recovery contact assignment. Regardless, completely losing PW manager access across devices would presumably be the more immediate crisis for most.
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
Thanks for the great article! I had a question re: the top disadvantage you mention (lock-in).
Background: Although the on-device integrations for Apple, Google, etc. use their clouds for E2E sync between devices, it appears KeePassXC, using its passkey interception, discovery, and import procedures, accomplishes the same cross-device passkey implementation without needing a particular vendor cloud lock-in. As best I can tell, this meets the original standard’s sync fabric requirements (whether or not the big providers like it) and relies on platform-specific APIs mostly for interoperability.
Question: If KeePass has been able to implement their own sync this way, and the FIDO standard accommodates non-OS providers (e.g. browsers or PW managers), what is currently the biggest technical hurdle remaining for FOSS-based passkey providers?
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
KeePassXC has begun rollout of their own implementation, and I’m pretty sure they’re considered FOSS.
From a quick scan of the white paper, it appears they’re currently using on-device passkey discovery and otherwise “intercepting” passkey registration workflows, which I take to mean they aren’t originating the request as a passkey registrar. This may be the easiest method to satisfy FIDO’s dID requirements.
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
This is a big one. Lock-in and the threat of provider blacklisting means it will remain a shortcut like SSO (“sign in with ____”), albeit higher security, until we’ve established federated providers with open standards.
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
The passkey options I’ve come across so far are as close to push-button as I can imagine.
Do you mean from the developer perspective, like the complexity of the API/workflow?
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
Slow is smooth, and smooth is fast.
Haha that’s the one ;)
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
Yeah you get it. I just have a bone to pick with colleagues that embrace anti-user methods needlessly. Convenience = security is a “slow = fast” type of spiel.
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
You still need 2fa
I think most passkey implementations incorporate multiple factors already. The session factor is considered distinct from the device factor, even if it’s all on the same device.
Which isn’t super different from the traditional USB key procedure, where a user would activate a FIDO biometric after clearing an SSO portal, or what have you.
- Comment on Passkeys Explained: The End of Passwords 2 weeks ago:
I’m not really concerned about the security of it. Moreso the inconvenience…
Honestly, convenience is security (change-my-mind lol) insofar as it measurably impacts rate of user adoption/adherence and thus outcomes.
It’s the annoyance you describe that leads most users to forego opt-in 2FA until it’s forced on them, for example.
Device-based PassKeys are the only near-universal mass-adoptable solution to that problem of convenience that I’ve heard proposed so far, although implementation has lagged until very recently.
- Comment on Mullvad Leta shutting down 3 weeks ago:
I doubt they’re referring to feature parity WRT machine learning summaries and the like. “Less useful over time” is more likely a gentle way of saying ungraceful performance degradation.
Escalation in the SEO wars is accelerating. Various culprits but obviously generative NLP technologies designed specifically to sound human are nukes in this metaphor.
Any index developer that isn’t willing or can’t afford to continue fighting the war must choose:
- host a legacy product that rapidly enshittifies
- pull the plug now while it still works
If the index is the developer’s only product, the only real risk of option 1 is damaging their street cred.
In OP’s case, the index was not even their core product, so option 2 was the wiser decision.
- Comment on The Big Short Guy Just Bet $1 Billion That the AI Bubble Pops 3 weeks ago:
Pretty sure they meant “[have been] loaned” but yeah, that’s an interesting point
- Comment on Google removes Gemma models from AI Studio after GOP senator’s complaint 3 weeks ago:
Lowkey for real though.
One of the trigger issues expediting their antitrust case during the first administration was their lack of responsiveness to old yam tits’ demands re: their “biased” search index results (they included critical news articles), and while the major consequence of the case (breakup) was recently prevented (by the current administration), now, coincidentally, they’re happy to play ball.
- Comment on 'The Truth Is Paywalled.' Internet Vets Lament the State of the 'Open' Web 3 weeks ago:
Agree. To take some burden off contributors, maybe we could automate some of that?
Most of us have seen bots used for routine post processing like:
- converting AMP links
- finding/generating archive pages
- exposing original AP/Reuters source
- adding DOI source for pop sci
- alt frontend links
- content-aware wiki refs and the like
We wouldn’t necessarily need traditional bot comments since our software is open. Content helpers could run during post creation, for example. My point is just that there’s existing logic for this kind of stuff.
- Comment on OpenAI signs $38 billion compute deal with Amazon, partnering with cloud leader for first time 3 weeks ago:
Oh that’s the one in the back.
/j they’re about 2.5T
- Comment on YSK before you buy a replacement for your cellphone that has stopped charging, buy the $10 cleaning kits and spend the time deep cleaning the phone's charging port. 3 weeks ago:
I’ve always used wooden toothpicks because
- Common
- Made from cheap soft wood: more likely to deform or destruct against metal than most plastics
- Cut with the grain: especially soft to anything raking against the sides (like delicate pins)
- The uneven “splintery” sides happen to be pretty good at snagging tiny fibers of lint to pull them out as one big ball, requiring fewer swipes
More techniques:
- clean with port facing straight down to get gravity assist
- blow across the opening of the port: mild negative pressure + agitation inside cavity vs blowing directly into port (which is generally warned against explicitly)
- focus on “pinning” lint up against each of the two corners and holding gentle pressure during extraction: these corners of the port have no exposed pins, and happen to be where lint tends to accumulate anyway
- Comment on 'Forget subsidies': Solar-battery hybrids can deliver 'incredibly competitive' power for big industry 3 weeks ago:
Oh I see. For a minute I imagined a hybrid pv panel product with integrated batts controller etc and was intrigued by the all-in-one concept lol.
- Comment on How do i get my nails to stop stinking faster 3 weeks ago:
UV cure gel polish FTW!
If it’s been a while, check out the cool new magnetic (ferrous) polish.
Also, cheap fun hack: save money by just mixing mica powders into base polish colors. Endless varieties of iridescent colors, dimensional effects, etc.