Remember a little while ago when the AI shills announced the latest AI doom, doom, dooooom, DOOM.
A new model was really really great at finding and exploiting security holes. But, of course, in actual reality it could not do this on its own. An actual security researcher or actual hacker would have to go through the list of alleged holes and find those very very few of them that were actually holes.
Well, to my considerable surprise, it actually was very good at finding holes.
A bug has been found in linux that allows any process to gain root privileges. Which means you are at risk from malicious code in containers, it breaks out of containment. And it also means that remote code execution attacks, which you will probably get if you are running npm, can escalate from remote local user attack to remote root attack. And coding agents are also a risk — when they read the internet, which they frequently do, they are apt to treat instructions from the web page as instructions from the user, including instructions in hidden text, and local agents are allowed to run local user mode programs in user mode. The longer any single session runs, the more the agent is apt to be confused by things in the web pages that it has read.
You generally run npm and a coding agent as an unpriviled local user that can be easily and cheaply recreated for this reason, or as a container that can be easily rolled back. But now that local user can run at OS level.
The bug allows the attacker to modify the contents of files in memory, without effecting the file on disk. Including the data and code of operating system files running with unlimited privilege, and he can thus cause a system executable to grant him a root shell.
The kernel released a fix, but only now are the distributions finally updating.
Check your kernel name with uname -r
7.0, 6.19.12, 6.18.22, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254 have been fixed.
Debian was among the first to issue the fix. Do an upgrade if running Debian.
Incorrect mitigation measures are being circulated, it will take a while to reliably know what actually works. Don’t believe what the AI tells you, it is likely to confidently propose a known bad mitigation. But if you have a fixed kernel version, no mitigation is needed.
The way you fix this is by formally modeling your system and making a correct by construction proof that your system excludes all the behavior you do not want. This of course cannot fix attacks on the hardware itself, like Spectre et al, but that is much harder to exploit at scale than a major kernel bug such as this.
The cryptographers were already about halfway here, and if they port the LLM harnesses to their already-made formal language systems, of which there are many, they can get the rest of the way. This is not a standard practice already mostly due to cognitive labor cost; it takes a lot of time and effort to make airtight logical models of the math we use in cryptography, and composing models to make a protocol is not trivial work. If we can automate this, at least partially, becomes cheaper. You can extend this from modeling protocols alone to modeling the behaviors of programs. You cannot prove everything about arbitrary programs but you should be able to prove certain behaviors such as “this subroutine does not access memory outside this bound.”
We should be taking this as a signal that the linux kernel is too much of a monolithic blob for modern practices being forced by LLMs, but the replacements, pragmatic hybrids between mono- and micro- kernels where certain operations like networking get direct kernel access and others like your USB driver devices do not, are not quite ready for general purpose hardware.
Jim, on the bitmessage rewrite:
I left it halfbaked some weeks ago. I could finish it, and faithfully reproduce all the data flows, but I am not willing to port anything to a formal model that can prove anonymity sets, that metadata does not leak, etc. Too much work for a system I won’t personally be making use of. What I can do is prove that the individual data flows are matched against the python reference implementation, and that the behavior looks identical from the outside. I wouldn’t be personally combing through much of the code, instead relying on behavioral tests, property tests, strong typing and leaning on extant libraries for cryptographic operations, and some finite state machine model checking.
I have a working specification extracted from the wiki, whitepaper, and code (including concrete datatypes, python functions for generating test vectors, etc), and a testnet composed of dockerized daemons of the python reference implementation. I was working on breaking the architecture components down and deciding on what tests to use and why when I moved on to something else.
Would you actually find use for this? You would have to go over my models and tests in order to decide if it is faithful enough to the reference to bother with. If you would actually use the new codebase and develop it further, I’ll return to working on the reproduction. If you would find it untrustworthy and not use it, I wont. Just let me know.
I am allergic to python. It is a great language for moderate sized programs where you mostly care getting working code up in a hurry. It is a lot less effort to bring it up in python. But for normal sized programs, forget it. Once it reaches a certain size, it is hopeless. The code becomes unmaintanable and incomprehensible. Also ever less portable, a problem that has been addressed by creating a separate environment for every python program, because it no longer runs except it is own python, or by running it in containers based on the original maintainer’s machine, because he can no longer getting running on another machine with the same operating system and the same python environment — once it reaches a certain size, the obstacles to running it on other machines become greater and greater.
im glad im a dumbfag who is sticking with windows 10 despite lack of updates then…
That’s worse. Lack of updates means lack of hole-patching when bugs like this are discovered. Microsoft is already extremely unreliable on product side. They have very smart people and teams at the company, but they are not allowed to actually guide any processes or push any projects; that privilege is for the jeet class only. I expect windows to break down severely as they are unable to respond to this acute security crisis.
Really, just don’t put anything on your PC you’re not willing to have leaked and you’ll be fine. This is relevant for people with crypto keys and more, not casual computer use.
I am also sticking with Windows 10, and I agree with Fidelis that one should expect anything on one’s PC to be fair game for hacking, but there’s no reason to make things easier for the hackers by forgoing updates.
Microsoft offers a free year of “ESU”, extended security updates for Windows 10, but you have to give up your personal information. Instead I am getting three years of extended support for free, by following the first option at https://massgrave.dev/windows10_eol . It’s a method maintained by disaffected Russians who could no longer get Windows updates due to globohomo’s sanctions. No guarantee it won’t cease to work at some point; but in that case I would be no worse off than I am now without any updates. The Cominator and others may like to check it out.
> https://massgrave.dev/
Things disappear all the time, don’t let that happen.
Make and keep backups/mirrors (git/wget/rsync/yt-dlp, zfs).
Redistribute archives (torrent/ipfs/onion/i2p).
https://git.activated.win/
The OG…
https://forums.mydigitallife.net/
Many install iso’s are still freely downloadable from microsoft official site, no real keys obviously, just isos.
There was a bios tsr that worked great for win7.
winxp had pirate vlk’s.
What you need is Windows 10 IoT Enterprise Edition, which has end of life 2032.
It comes, for obvious reasons, pre-debloated, and telemetry disabled. Updates are infrequent, and fast, indicating that niney nine percent of update content is for bloat, which is why stuff you remove from regular windows keeps coming back.
So GitHub is in death throes, massive outage and disappearing users code,
What the cause, is this due to diversity DEI or AI agent code?
Something of both — with AI agents, diversities are apt to think themselves capable of coding, and are more likely to deceive a supervisor who wishes to be deceived.
When I us an ai coding agent, I try a short prompt, similar to that which a newbie would type. Then after interacting with the AI a couple of times, I take the trace, and edit into more detailed prompt, then start a new session. And by the time I get what I want, the new prompt is many screenfulls of detailed algorithmic instructions and specific code fragments. Programming is not typing, its figuring out algorithms and expressing these algorithms in the specific coding language. And an AI agent can do quite a lot of the grunt work of expressing the algorithm in a specific language and finding the right api call, though they are to hallucinate api calls. They also tend to generate a lot of api calls that serve no useful purpose, mindless copying stuff from other people’s code into your code.
Diversities generally cannot do this, cannot think through the algorithm and intelligibly express it.. You have to wind up prompting the AI with a high level code description.
“When I us an ai coding agent, I try a short prompt …”
I also do it like this , if I give too much it will lose itself and became unmanageable.
Also i noticed quiet difference between AI agent , each one you have to start from the beginning and if you have to move from one to the other you can mess the code because each agent has it “own” paradigm.
I have been interested in Local AI agents.
I read somewhere about
PLLM , Personal Language Model.
Where the LLM is specifically build to your preferences and know and memorize your patterns and thinking.
If it done right it can replace even OS / internet.
A local AI can be moderately useful if you have 16 gig of vram. But you really need 32 gig, which gets very expensive. My workaround is to use the intel arc igpu, which has a unified memory model, and at which point some local AIs become quite useful, and can do good code if you ride herd on them. But an AI agent requires a large context window, and thirty two gig no longer suffices.
However, people are working on small models doing agentic workflow locally. But they require an agent specifically adapted for the model, that keeps the context under control, and are only now now being released.
openclaw on mac mini M4 seem very popular , that mac mini M4 has been sold out.
The mac mini can have 64GB of unified memory.
Are people running openclaw with local llm, and if they are, how much memory do they need?
People run openclaw on as low as 16gb and hook it to Something like Claude opus , but get burned on tokens.
To run an actual LLM you have to do 64gb or Mac studio, but then it expensive and still hallucinations and the context window limit problem
Overall it just hype, you can get a good setup at half the price
Personal Language Model requires continuous LORA. Which is doable, but very expensive. No one that I know of is doing it.
It is not a solved problem. Hard to keep them stable as you pile on updated information. Cost is not a factor here, algorithmic understanding is.
We are still rather early into the evolution of these constructs. I am struck by the lack of creativity of those that play with these things, read huggingface forums for a while and people will go through heroic efforts to make a terrible compression of a Qwen model instead of trying to make fine tuning or knowledge extraction more sane and targeted. If you poke at a compressed model, it’s obvious naive compression is the absolute worst way to make a model run a task on smaller hardware. You might as well make a coal miner fit in smaller tunnels by chopping off his limbs; totally gimping the capabilities for no reason whatsoever. There’s probably some simple-in-retrospect way to get extract the subset of capabilities you want, but instead people are doing the equivalent of smashing the thing with a hammer to fit into a smaller box.
For this reason I expect that letting the latest coding models recursively run a heuristic algorithm search on finding ways to accomplish both of these, some level of easy-updating and sane distillation/compression methods, will find you several bushels of low hanging fruit. Most humans are not that creative or talented, and the ones that are are being paid millions to billions of dollars to serve some MoE model at 0.01% less electricity cost.
99% certain copy fail is a zero day already known to NSA/CIA/Mossad,China,Russia. Probably inserted by one of them. Maybe AI will get us to trustable systems.
Because am Linux dunce…
Need to put 10,000 clickable traces, each alotted a slightly different color, all in one monster chart on a 4k 50″ monitor, 10,000 numerical points per trace. Linear time series… like temperatures/prices/quantities.
Needs to have a scrollbar at the bottom, adjustable in both its horizontal position and width (number of points from 1 to 10k).
I can plot with gnuplot, but need compressor like rrd, but still need to zoom in to the raw… so now need a real UI for this.
I may pre-sort and regen the traces into vertical order given the chosen scroll span, but the order changes with the zoom-scroll time period and position… so more realtime backend computation.
And am a dunce about how to make them clickable and scrollbar-zoomy.
Actually won’t have the screen resolution to be individually clickable.
So need to be able to draw a selection box that then dumps all those selected trace-id’s to a file, or zoom’s in on those selected traces, or filters them… yeah, so a vertical scrollbar and trace filters too.
Any suggested UI language to do this in???
Like I kindof need an interactive “stock chart” type tool.
But am pretty sure trying to use those would crash trying to shove just 100 traces around the screen, lol.
Someone has to have a tool.
So estimation…
It’s 100M raw backend datapoints even in black and white (max 200M because trace count could hit 20k someday).
So obviously a “browser” isn’t going to handle this.
Backend will need to compress the data realtime to fit a 4K (3840*2160) UI, so down to 7M datapoints plus widgets.
And will probably have to limit it to 32 color… so up to 3.2G raw datapoints on the backend working set compressed to feeding the 7M realtime-manipulation UI (maybe 6.4G @ 20k traces).
Going to have to be a Linux tool, direct library to X windows screen, because Windows will fucking crash just like a browser would.
Ideas?
You are still on moderation.
I use wxWidgets. It is good UI environment, though it does not automagically make your boxes pretty. Because it is designed to run on any windowing system, it does not easily give you access to all the cool things in that environment.
A lot of people use Electron, I am told it is great, and seems to be very good, but the code whose activities I want to display are necessarily in C++, which is the native language of wxWidgets and the native language of Electron is Typescript.
For compression and decompression, use the zstd library, RFC 8878, whose native language is C.
I think things might be uphill doing a zoom in Typescript when you have to recompute what is to be displayed. For obvious reasons, Typescript is bereft of bit bashing and number crunching libraries.
Any thoughts on Iraq taking credit for DDosing Canonical, either in general or on the day this was announced?
I suppose this bug is a lot worse than dirtyCOW, I don’t see that it’s much worse than heartbleed though. Still it’s interesting to see that containorizing things is not the be all and end all of system protection. I didn’t think it was but this is a big knock against the perception of security containorizing provides.
I just did an update and the vulnerability went away.
Before the update it would escalate me to root user:
(By the way, the C version on its own never worked on its own. I’d have to run the python version first. But then all the C version was doing was running “su” anyway, which I could just do from the terminal. It seems the python version is the only one that actually corrupts the page cache.)
After the update, the python script failed loudly:
I guess the update simply disabled the “authencesn” crypto algorithm altogether:
Looks like they whacked the next mole here. I don’t know if they did anything more fundamental to prevent the general technique of writing over a page cache.
any advice about trading in binance /coinbase .
I know about their scummy behaviour and government targeted attack
future prospects?
how trading in jim rhocoin will look like ?
Trading is a bad idea. Most traders are trading in highly manipulated markets and lose their shirts to insiders.
The Bitcoin market is not manipulated, but it is unpredictable. Hodl. Blockchain analysis suggest that lettuce hands have generally lost money. The people who buy on the dip appear to be primarily hodlers.
Jim, does this dude have a point?
https://no01.substack.com/p/if-nothing-changes-btc-is-finished
You should assume that unless your source is highly technical and very heated discussion in some mailing list, that whatever information you think you are gaining is outweighed by the ticker price. You nor I are better informed than the people with millions and billions on the line, and they will bail first and bail hard if they are convinced that whatever FUD this is has merit. Clearly that is not happening, ipso facto this is nonsense, I don’t even need to read it.
He is an idiot, or, more likely, a shill. I don’t want to explain, because I have a policy of not responding to the shills (they get a bonus for engagement) but since he got to you, I have to explain.
Miners earn money in two ways — the mining reward, and the fee per transaction for ordering the transactions. The Bitcoin design was that as it became actual money used for actual transactions, the fee would become the dominant, and gradually the only, reward. Will this work? We did not know at the time, It depends on transaction usage becoming large. Well, transaction usage has become large.
The premise is that he was smarter than Satoshi. No one is smarter than Satoshi. He solved the consensus problem, cheerfully ignoring the proof that it was insoluble for a large open population of participants.
Thanks Jim. At some point I am going to have to study the technical aspects of Bitcoin myself
[*Deleted. All your cryptography and crypto currency posts are deleted under the policy that ignorant shall not comment on cryptography*]
Woes to you. You deleted the link to research paper and model of what happens to Bitcoin when the txn fees dominate the minted block reward.
Not a research paper, shill spam. Either you cannot tell the difference, or your posting was malicious. Since you are trying to pass demonic religious doctrines off as Christian, probably malicious.
[*deleted*]
You claimed to speak for Satoshi and you claimed to speak for God, attributing equally outrageous positions to both of them.
Is this the IPFS freedom guy on Kinetic Force?
@AllumBokhari/status/2054699305722663329
Linux Age Verification?
UrsulaVonDerLeyen: “The entire tech world must now adopt the EU’s COVID ID system to verify users’ ages.”
^shit these lunatic bitches say^
not White Civ, not same
AJ Cahil of the Irish People party says multicultural societies are “chaotic, low-trust” and “high-violence”, and says many issues in modern society are due to a lack of Christian values.
@griptmedia/status/2054635172197273927
So many babies “adopted” to faggots, deaths soon be a new category, the Altman-Buttigieg Problem:
Infant who died while in the care of two gay men had bruises on the back of his throat and died as a result of asphyxiation, a court has heard.
https://github.com/Nightmare-Eclipse/YellowKey
tards still using windows
Not news.
Bitblocker has always been known to be backdoored. I had never heard of Bitblocker until I heard it was backdoored, and that was something like twenty years ago.
Why is github increasingly stalling out over the last few months? Have to keep killing and restarting client connections.
You are on moderation for failure to comply with the moderation policy, but allowing this through because an on topic question asked in good faith.
Github is failing because Microsoft bought it and it is now infested with Microsoft engineers.
Bill Gates, whatever his failings a human being might have been, was a great engineer. He hired great engineers, and provided an environment where they could accomplish good things.
When he got bored and retired, he was replaced by a vile disgusting faggot, because the board wanted to check the Diversity, Equity, and Inclusion boxes.
The vile disgusting faggot promoted people on the Diversity, Equity, and Inclusion list, and mostly promoted on the ability to give head.
These people hired engineers, not for talent, but for their ability to give head at gay orgies, and their inside connections with Child Protective Services, an organization as pervert infested as the Boy Scouts and for the same reasons.
Microsoft is full of faggots with money and drugs, Child Protective Services is full of faggots with access to other people’s children, they meet at gay orgies and get along together very nicely.
And that is why Github keeps going down on you — because the engineers are going down on each other and on children abducted by Child Protective Services, and most of them are stoned and hung over, and those of them that are relatively sober are cheap H1B slave labor. The H1B immigration pipeline is corrupt at both ends, the American end and the Indian end, because both ends want to do human trafficking, not engineering.
H1B for Chinese engineers can actually get you good engineers, because the Chinese end filters people for engineering competence so that they can steal your intellectual property, but the Indian end is just for cheap slave labor. You don’t have to worry about them stealing your intellectual property and sending it back to India, because incapable of comprehending it, but you do have to worry about them plotting together against the white engineers, the white board, the white shareholders, and the white customers. Indians are way more racist against whites than Jews are. Chinese are racist, but considerably less racist than Jews, let alone Indians.
The Indian engineers are cheap because human garbage. The Chinese engineers are cheap because they expect to get a good job back in China for a business that is making exactly the same product or service as you are, only better and cheaper.
Github is a funny place.
Zero day Microsoft exploits posted on a Microsoft platform all because they allegedly jilted a white hat by denying a bounty.
https://github.com/Nightmare-Eclipse
Hmm, Steve Ballmer has a wife and kids, bought a pro sports franchise, and never struck me as light in the slippers. Jim, are you perhaps mixing up Gates and Steve Jobs, who was indeed succeeded by a gay?
Yes I did, but there is something gay at Microsoft, perhaps merely a side effect of DEI.
Or maybe it is just that the entire younger generation of programmers goes gay in the vain hope of not being fired for toxic masculinity.
Interesting Veritasium video on a Linux backdoor hack that compromised OpenSSH, and almost succeeded in getting into regular distribution. It was not discovered by the people tasked with looking for such things, but serendipitously by a 3rd party noticing something slightly odd in delta version performance metrics, and investigating. Unknown threat actors invested years in this hack, in both software and social engineering.
https://www.youtube.com/watch?v=aoag03mSuXQ
Grokipedia description
https://grokipedia.com/page/xz_utils_backdoor