Unfortunately, scams are incredibly common with both fake recruiters (often using the name of a legitimate well known company, obviously without permission from said company) and fake candidates (sometimes using someone’s real identity).

No or very few legitimate recruiters will ask you to install something or run code they provide on your hardware with root privileges, but practically every scammer will. Once installed, they often act as rootkits or other malware, and monitor for credentials, crypto private keys, Internet banking passwords, confidential data belonging to other employers, VPN access that will allow them to install ransomware, and so on.

If we apply Bayesian statistics here with some made up by credible numbers - let’s call S the event that you were actually talking to a scam interviewer, and R the event that they ask you to install something which requires root equivalent access to your device. Call ¬S the event they are a legitimate interviewer, and ¬R the event they don’t ask you to install such a thing.

Let’s start with a prior: Pr(S) = 0.1 - maybe 10% of all outreach is from scam interviewers (if anything, that might be low). Pr(¬S) = 1 - Pr(S) = 0.9.

Maybe estimate Pr(R | S) = 0.99 - almost all real scam interviewers will ask you to run something as root. Pr(R | ¬S) = 0.01 - it would be incredibly rare for a non-scam interviewer to ask this.

Now by Bayes’ law, Pr(S | R) = Pr(R | S) * Pr(S) / Pr(R) = Pr(R | S) * Pr(S) / (Pr(R | S) * Pr(S) + Pr(R | ¬S) * Pr(¬S)) = 0.99 * 0.1 / (0.99 * 0.1 + 0.01 * 0.9) = 0.917

So even if we assume there was a 10% chance they were a scammer before they asked this, there is a 92% chance they are given they ask for you to run the thing.

I think there is some value to MBFC, even though there are also cases where it is problematic - I don’t think a blanket rule would be right.

The issues (& mitigating factors):

• Some of the ‘mostly analytics’ sources still have ‘bias by omission’ problems or misleading headlines, even if the facts in the articles are accurate. But I think on the fediverse, we aren’t beholden to algorithms or their editorial choices in terms of the balance of what we see, so the impact of this is limited.
• Opinion pieces have a place, although arguably not on World News. At the very least, factual pieces from outlets that also publish opinion have a place. But MBFC downrates outlets for having an opinion at all even when clearly labelled as such.
• The attempt to categorise every bias on a left to right scale when really there are so many dimensions any bias could be along isn’t as helpful.

So I’d suggest:

• Only mentioning it when an outlet has a history of publishing things that are factually incorrect (or there is reasonable doubt over it). Not every fact can be verified from first principles (and sadly often articles don’t name their primary sources - in a better world having no source would reduce credibility, but it is often hard to find articles that meet the well-sourced bar). People deliberately muddying the waters create think-tanks to cite with fake facts, fake scientific journals, and cite other unreliable sources - fact checking often requires on the ground investigation, asking reliable experts, and so on; it is simply impossible to be in expert in everything you read in the news to spot well-executed fake news. I think of the approach like a tree - there are experts in an area who can genuinely apply critical analysis to decide if something is fact or bogus. But there are also bogus experts. Then there are aggregators of facts (journals and think-tanks, etc…) that try to only accept things reviewed by genuine experts. But there are also bogus aggregators. Then there are journalists and outlets that further collect things from genuine aggregators and experts, and refine them. But there are also bogus outlets. Sites like MBFC try to act like a root to the tree and help you identify the truthful outlets, who have a good record of relying on truthful aggregators, who rely on truthful experts.
• The left / right bias part means very little - I’d suggest ignoring it if you’re looking at a single article.
• Any of the higher tiers of factual reporting should be fine and not worth a mention.

If there are reliable sources countering some facts, posting those instead of (or as well as) complaining about the source is probably better.

to lose 100% of the court cases where they try this defense

I don’t think the litigants actually know this. The shady characters they are paying for the information probably know that, but represent that it will just work if they do it right.

Imagine you have some kind of legal problem, and you go to your lawyer, and your lawyer tells you they know what to do that will let you win. You’ll probably do it. Now for the litigants, it is the same thing, except instead of a lawyer, it is some person with an Internet and/or in real life following, who dazzles you with lots of fake formality that aligns to your preconceptions of the legal system based on TV. Of course, it is all just pseudolegal and a scam, but you don’t know that.

Now you might except that some critical thinking and/or research of authoritative sources like case law, or consulting a real lawyer might let the litigant see that it is a scam, but critical thinking skills are not as common as you might hope, and secondary education in many places doesn’t cover much about the law or how to do legal research.

Consider that 49.8% of voters in the 2024 US Presidential election voted for Trump, even after seeing the first term. Many people are easily hoodwinked into acting against their own best interests, especially if they are convinced there is a community of other people like them acting the same way (SovCit like groups do have some numbers), that people who endorse those theories get a lot of recognition / are influential (the leaders of the groups can create that impression), and that their theories have a long traditional backing (usually they make up a historical backstory).

That catholics should practice confession is a religious belief. But the confidentiality part is from canon law - i.e. in terminology of most other organisations, it is a policy. It is a long-standing policy to punish priests for breaking it, dating back to at least the 12th century, but nonetheless the confidentiality is only a policy within a religious organisation, and not a religious belief.

Many organisations punish individuals who break their policy. But if an organisation has a policy, and insist that it be followed even when following it is contrary to the law, and would do immense harm to vulnerable individuals, then I think it is fair to call that organisation evil - and to hold them culpable for harm resulting from that policy.

Even if the confidentiality itself was a core part of the religious belief itself, religious freedom does not generally extend to violating the rights of others, even if the religion demands it. Engaging in violent jihad, for example, is not a protected right even in places where religious freedom cannot be limited, even if the person adheres to a sect that requires it.

“Except for Claims (i) in which a party is attempting to protect its intellectual property rights (such as its patent, copyright, trademark, trade secret, anti-circumvention, or moral rights, but not including its privacy or publicity rights) …”

So in other words, the types of matters Nintendo thinks it might have a dispute against users, court and class actions are okay, but for everything that they think users might file against Nintendo, they think arbitration is best.

Easy! Why do you think it happened? Inadequate food regulation? Underfunded healthcare? Insufficient regulation of pollutants that can impact health and cause chronic disease?

I don’t know your individual circumstances, but given the state of the world right now, I’d bet it’s a combination of all three.

bootloader unlocking

I used to buy Xiaomi products because of the bootloader unlocking, but in practice it is a dystopian nightmare - they have built it so to unlock the bootloader you need a cryptographic signature from them, and they don’t give that out all that easily.

You have to sign up for an account with them, use a Windows-only tool to request unlocking, and they have a long wait period (deliberately imposed) to unlock, which sometimes randomly restarts. The wait period is different for different models, and can be weeks.

Their support are unwilling to help unlock immediately even for replacement devices where you want to get up and going quickly - if your device breaks (they are not the most durable phones IMO, as you note) and you get a replacement, you’ll have to wait the time again before you can restore a backup of a phone using a custom ROM.

It’s possible they have improved, but because of their attitude around what I can do with my own hardware, I’ve stopped buying Xiaomi gear.

To save on costs, QAs could be paid in exposure.

As an experiment / as a bit of a gag, I tried using Claude 3.7 Sonnet with Cline to write some simple cryptography code in Rust - use ECDHE to establish an ephemeral symmetric key, and then use AES256-GCM (with a counter in the nonce) to encrypt packets from client->server and server->client, using off-the-shelf RustCrypto libraries.

It got the interface right, but it got some details really wrong:

• It stored way more information than it needed in the structure tracking state, some of it very sensitive.
• It repeatedly converted back and forth between byte arrays and the proper types unnecessarily - reducing type safety and making things slower.
• Instead of using type safe enums it defined integer constants for no good reason.
• It logged information about failures as variable length strings, creating a possible timing side channel attack.
• Despite having a 96 bit nonce to work with (-1 bit to identify client->server and server->client), it used a 32 bit integer to represent the sequence number.
• And it “helpfully” used wrapping_add to increment the 32 sequence number! For those who don’t know much Rust and/or much cryptography: the golden rule of using ciphers like GCM is that you must never ever re-use the same nonce for the same key (otherwise you leak the XOR of the two messages). wrapping_add explicitly means when you get up to the maximum number (and remember, it’s only 32 bits, so there’s only about 4.3 billion numbers) it silently wraps back to 0. The secure implementation would be to explicitly fail if you go past the maximum size for the integer before attempting to encrypt / decrypt - and the smart choice would be to use at least 64 bits.
• It also rolled its own bespoke hash-based key extension function instead of using HKDF (which was available right there in the library, and callable with far less code than it generated).

To be fair, I didn’t really expect it to work well. Some kind of security auditor agent that does a pass over all the output might be able to find some of the issues, and pass it back to another agent to correct - which could make vibe coding more secure (to be proven).

But right now, I’d not put “vibe coded” output into production without someone going over it manually with a fine-toothed comb looking for security and stability issues.

Google released the stable version of Chrome, and funneled significant resources into marketing it. This was the first stage of their strategy - they focused on firstly making a good product, and the squeeze on users only came later (and is probably only just starting in the scheme of things).

By population, and not land area, certain more remote geographic places are well known but have quite a low population. ‘Everyone’ is a high bar, but most adults in Australia would know the following places (ordered from smaller population but slightly less known to higher population):

• Wittenoom, WA - population 0 - well known in Australia for being heavily contaminated with dangerous blue asbestos (which used to be mined there until the 60s), and having been de-gazetted and removed from maps to discourage tourism to it.
• Coober Pedy, SA - population 1437 - well known in Australia for its underground homes and opal production.
• Alice Springs, NT - population 25,912 - well known for being near the centre of Australia in the rangelands (outback) - most larger population centres in Australia are coastal.

TIOBE is meaningless - it is just search engine result numbers, which for many search engines are likely a wildly inaccurate estimate of how many results match in their index. Many of those matches will not be about the relevant language, and the numbers probably have very little correlation to who uses it (especially for languages that are single letter, include punctuation in the name, or are a common English word).

Votes on this comment:

1. Came from 14 different instances - many of them major. Of those instances, the instance with the most votes contributed was lemmy.world (i.e. your own instance), from which my instance has seen 14 votes for that comment.
2. Of the voters, I looked at the distribution of the person IDs assigned on my instance, which approximately represents the order they were seen by my instance (e.g. they voted on or interacted with another comment). If there was vote manipulation, I’d expect to see lots of IDs close together. However, there are not runs of IDs that are close together. To avoid this when manipulating votes, they’d need to have planned in advance, and made accounts and used them individually over time before finally deploying them to downvote you.

If there are instances that are a significant source of vote manipulation, and the local admins are unwilling to address it, there are options available to instance admins like defederation.

However - in the case of your comments, there is no meaningful evidence of vote manipulation.

The best option is to run them models locally. You’ll need a good enough GPU - I have an RTX 3060 with 12 GB of VRAM, which is enough to do a lot of local AI work.

I use Ollama, and my favourite model to use with it is Mistral-7b-Instruct. It’s a 7 billion parameter model optimised for instruction following, but usable with 4 bit quantisation, so the model takes about 4 GB of storage.

You can run it from the command line rather than a web interface - run the container for the server, and then something like docker exec -it ollama ollama run mistral, giving a command line interface. The model performs pretty well; not quite as well on some tasks as GPT-4, but also not brain-damaged from attempts to censor it.

By default it keeps a local history, but you can turn that off.

I think the most striking thing is that for outsiders (i.e. non repo members) the acceptance rates for gendered are lower by a large and significant amount compared to non-gendered, regardless of the gender on Google+.

The definition of gendered basically means including the name or photo. In other words, putting your name and/or photo as your GitHub username is significantly correlated with decreased chances of a PR being merged as an outsider.

I suspect this definition of gendered also correlates heavily with other forms of discrimination. For example, name or photo likely also reveals ethnicity or skin colour in many cases. So an alternative hypothesis is that there is racism at play in deciding which PRs people, on average, accept. This would be a significant confounding factor with gender if the gender split of Open Source contributors is different by skin colour or ethnicity (which is plausible if there are different gender roles in different nations, and obviously different percentages of skin colour / ethnicity in different nations).

To really prove this is a gender effect they could do an experiment: assign participants to submit PRs either as a gendered or non-gendered profile, and measure the results. If that is too hard, an alternative for future research might be to at least try harder to compensate for confounding effects.

I think (unless I misunderstood the paper), they only included people who had a Google+ profile with a gender specified in the study at all (this is from 2016 when Google were still trying to make Google+ a thing).

True, except the difference Israel is still taking occupied land and building settlements, and excluding the people born there from them.

The government at least needs to pick one of the two options to move forward (as well as acknowledging and making reparations for those with traditional connections to the land who were affected by past injustices):

1. The two state solution: Palestine is a genuinely separate sovereign state, with a right to self determination, airspace, control of their territorial waters and so on. Israeli government representatives only enter Palestine on invitation from the government. Anyone born on Palestinian land, even on a former settlement, is a Palestinian unless they find another state to accept them and renounce their citizenship. Palestinians have equal protection of the law, and are expected to follow Palestinian laws on Palestinian land, or face the Palestinian justice system. If they renounce their citizenship, they are subject to Palestinian immigration law and might have to leave Palestine.
2. The one state solution: The entire Israeli occupied ‘river to sea’ area is one state, and everyone born there is an Israeli citizen, with equal rights under the law, power to vote, etc…

The problem is the current right-wing extremists in power in Israel do not want either solution; they want to have it both ways - when it comes to ownership and control, they want to deny the existence of a Palestinian state. But when it comes to citizenship, they want to claim everyone born on the land they occupy is not Israeli so they can deny them rights and exploit them. Their life is substantially controlled by the Israeli state, but they get no say in the leadership of the state - undermining claims it is a democracy. They don’t have equal protection under the law - Israeli authorities protect settlers taking land against people with generational connections to the land.

None of this is new in history, as you point out. Most of the Roman Empire, most of the former British Commonwealth, etc… had similar things in the past, with massacres of the native people, lands confiscated, native people been treated as having fewer rights than the colonialists, etc…

What is different is that those are all past atrocities (although fair reparations have still not been paid in many cases, at least further atrocities are generally not continuing to anything like the same extent), while Israel continues to commit the same atrocities to this very day.

The government just has to print for the money, and use it for that

Printing money means taxing those that have cash or assets valued directly in the units of the currency being measured. Those who mostly hold other assets (say, for example, the means of production, or land / buildings, or indirect equivalents of those, such as stock) are unaffected. This makes printing money a tax that disproportionately affects the poor.

What the government really needs to do is tax the rich. Many top one percenters of income fight that, and unfortunately despite the democratic principle of one person, one vote, in practice the one percenters find ways to capture the government in many countries (through their lobbying access, control of the media, exploitation of weaknesses of the electoral system such as non-proportional voting and gerrymandering).

instead of bailing out the capitalists over and over.

Bailing out large enterprises that are valuable to the public is fine, as long as the shareholders don’t get rewarded for investing in a mismanaged but ‘too big to fail’ business (i.e. they lose most of their investment), and the end result is that the public own it, and put in competent management who act in the public interest. Over time, the public could pay forward previous generations investments, and eventually the public would own a huge suite of public services.

Yes, but the information would need to be computationally verifiable for it to be meaningful - which basically means there is a chain of signatures and/or hashes leading back to a publicly known public key.

One of the seminal early papers on zero-knowledge cryptography, from 2001, by Rivest, Shamir and Tauman (two of the three letters in RSA!), actually used leaking secrets as the main example of an application of Ring Signatures: https://link.springer.com/chapter/10.1007/3-540-45682-1_32. Ring Signatures work as follows: there are n RSA public keys of members of a group known to the public (or the journalist). You want to prove that you have the private key corresponding to one of the public keys, without revealing which one. So you sign a message using a ring signature over the ‘ring’ made up of the n public keys, which only requires one of n private keys. The journalist (or anyone else receiving the secret) can verify the signature, but obtain zero knowledge over which private key out of the n was used.

However, the conditions for this might not exist. With more modern schemes, like zk-STARKs, more advanced things are possible. For example, emails these days are signed by mail servers with DKIM. Perhaps the leaker wants to prove to the journalist that they are authorised to send emails through the Boeing’s staff-only mail server, without allowing the journalist, even collaborating with Boeing, to identify which Boeing staff member did the leak. The journalist could provide the leaker with a large random number r1, and the leaker could come up with a secret large random number r2. The leaker computes a hash H(r1, r2), and encodes that hash in a pattern of space counts between full stops (e.g. “This is a sentence. I wrote this sentence.” encodes 3, 4 - the encoding would need to limit sentence sizes to allow encoding the hash while looking relatively natural), and sends a message that happens to contain that encoded hash - including to somewhere where it comes back to them. Boeing’s mail servers sign the message with DKIM - but leaking that message would obviously identify the leaker. So the leaker uses zk-STARKs to prove that there exists a message m that includes a valid DKIM signature that verifies to Boeing’s DKIM private key, and a random number r2, such that m contains the encoded form of the hash with r1 and r2. r1 or m are not revealed (that’s the zero-knowledge part). The proof might also need to prove the encoded hash occurred before “wrote:” in the body of the message to prevent an imposter tricking a real Boeing staff member including the encoded hash in a reply. Boeing and the journalist wouldn’t know r2, so would struggle to find a message with the hash (which they don’t know) in it - they might try to use statistical analysis to find messages with unusual distributions of number of spaces per sentence if the distribution forced by the encoding is too unusual.

Or use it as a Progressive Web App. This could be a good thing for awareness of PWAs and for them being seen as a killer feature that people won’t buy a smartphone unless they support them well. A transition away from app stores to PWAs can only be good.

If they are doing TikTok, maybe they should do Facebook, Reddit and YouTube next.