For those 'in the know' a lot more typical than you would think. If we don't reach at least Kardashev scale 1 in the next hundred years or so, we're going to go extinct due to several now-predictable factors.
And an unchained LLM trained on reality is far more capable of finding solutions to that problem than a bunch of squabbling politicians.
> And an unchained LLM trained on reality is far more capable of finding solutions to that problem than a bunch of squabbling politicians.
Not that I disagree with this statement, I don't, but this is not a silver bullet. Technology is, ultimately, operated by humans and no amount of frontier research and development can overcome collective action problems. At some point, you do have to sit down with these stupid politicians and get everyone on board. The loom was invented hundreds of years before the industrial revolution, in fact it was nearly forgotten and the design survived due to a few happy accidents. It was only after the English Civil War and the establishment of checks on royal power that widespread adoption was possible.
Technology is operated by humans now, but I believe it is a mistake to think that technology could not evolve to the complexity that it can operate itself.
I can see this in Minsky time period AI research, but surely with the number of people getting into AI and coming from a purely practical right now I would expect that mindset to be diluted. As someone not in the know I could very well be wrong.
In response to the coming apocalypse, this isn't the first time everyone has a vague sense of potential doom about the future. I believe this happens during any time of fundamental change, making the future uncertain, which we interpret as apocalyptic. Back during the Thirty Years' War that apocalyptic belief manifested as God being angry with us, today it's with the (very real) problems our rapid industrialization has created. Not to minimize the problems that we face - well, minimizing only in that they probably won't lead to extinction. The various predictable factors mentioned have the potential to make life really shitty and cause massive casualties.
While framing these issues as a matter of extinction may feel like a way of adding urgency to dealing with these problems, instead it's contributing, on an individual level, to fracturing our society - we all "know" an apocalypse is coming but we're fighting over what is actually causing that apocalypse. Except that there will be no apocalypse - it's just a fear of the unknown, something is fundamentally changing in the world and we have no idea how the cards will land. It's no different than a fear of the dark.
We accuse GPT of confidently giving answers on things, but man, it learned from the best.
I cannot assure you that we won't have something like a nuclear apocalypse in the next few decades, and here you are certain it's not going to happen. How can you be assured of this future when the underlying assumptions of things like value of labor will be experiencing massive changes, while asset inflation is on an ever increasing spiral up.
I think you misread what I said - I was responding to this quote:
> If we don't reach at least Kardashev scale 1 in the next hundred years or so, we're going to go extinct due to several now-predictable factors.
Many people are certain of human extinction for one reason or another, it doesn't sound like you're one of them. I'm saying that we don't know what the future will bring, and that uncertainty manifests as apocalyptic thinking. I also specifically mentioned that we are facing multiple problems that can cause huge devastation and I'm not making the argument that "Oh hey everything is ok!" Just that to frame things as apocalyptic is contributing to the schism and preventing us from doing anything because everyone refuses to listen to anything else since they believe their lives are at stake.
I guess I shouldn't say "it won't be extinction", but that's way way way lower probability than people think. It's just that a massive amount of people have thought the world would end many times throughout history, so I'm skeptical of "well this time we're RIGHT".
I think GP means a lot of these projects are just links that people click and go 'oh cool, but i'd never build that and can't get one'. Which makes them glorified blog pieces.
Based on the OP post and the notion of a wait list for something that should be trivial to propagate as you mentioned, I'm guessing this whole thing is a $$/Month subscription to a proprietary variant of a common plant.
"Just one Neo P1, as the company dubbed its initial product, can remove as much pollution from a home’s air as 30 regular plants, the company says. Neo P1 was in development for four years, and is a bioengineered version of a common houseplant called Pothos."
What does this even mean? What is 'pollution' in this claim? Just grow and happily propagate regular pothos which are wonderful plants, and if you need to filter your air... get certified filters?
Four years seems extremely fast for that. Every iteration you have to grow enough plant mass to test it. That must take weeks or months, even with the most optimal growing conditions.
As for proprietary variants, some Pothos already come with tags saying that propagation is forbidden (which, to me, at least, means I will propagate the hell out of it even if I didn't really want to).
Hi missosoup,
Lio here, co-founder of Neoplants. At this point we are not considering subscriptions for Neo P1, only bundles to keep things simple. When it comes to that article quote, it is referring to the 4 pollutants we are targeting: Benzene, Toluene, Xylene and Formaldehyde, which are the 4 main Volatile Organic Compounds commonly found in houses, highly carcinogenic and very hard to eliminate (not just capture). You can learn more about that on our Product Page here: https://neoplants.com/product
On what planet is it 'free' if it requires you to hand over some of your most abusable info?
The thing that really bothers me is the normalisation of 'hand over your credentials' which inevitably maps to data leaks and identity theft. For what, trying out a product that you may or may not use?
I've been (lightly) thinking about this with regard to digital identity.
One of the few use cases that I find very compelling with regard to blockchain/web3 tech is as a means of ID/auth much in the same way that many sites now offer options to log in with FB/Google/etc.
One big obstacle (I imagine, I haven't really looked into this that far) is that of the password reset. Some non-trivial amount of people will forget the passwords to their identity tool, and in this scenario there's no central power with the capability to reset it for them.
The simplest option is to designate trusted friends who you could delegate authority to in order to perform some multi-sig reset, but then there's the issue of a FriendCoup. If you strike it big and turn on or ignore your friends, there's nothing stopping them from getting together and performing a takeover. Even if there are individual objectors, because it's blockchain, everything's public, and these are identity wallet contraptions, everyone knows who the hold out is and can lean on them or find some way to get their password, etc.
Even outside of a FriendCoup scenario, a FedCoup scenario where the government just leans on your buddies to grant them control is pretty plausible.
So I guess the question is, what sort of strategy for this is FriendCoup/FedCoup resistant but still grants the necessary amount of delegated power?
Not entirely relevant to the above, as doing this pen and paper for a password manager is a little harder for outsiders to game given that the holders aren't public, but still a question I've been batting around. Curious about anyone's thoughts/ideas or any existing work in this space.
Edit: After thinking about this for an extra minute, if it's not time sensitive a deadman switch could probably do it. If your friends perform the multi-sig and you haven't logged in in X days, then and only then will the reset occur, so you can void an attempt. That said, falls down on the FedCoup scenario since you'd presumably have restricted access to the internet.
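As an added illustration (not part of the thread and not any commenter's code), here is a small Go model of the scheme sketched in this post: M-of-N guardians approve a reset, but it only takes effect once the owner has been absent for the waiting period, and any owner login in the meantime cancels the pending approvals. The guardian names, threshold and 7-day window are constructed for the example; the model also makes the post's own caveat concrete, since the veto depends on the owner being able to log in at all.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Recovery models an M-of-N guardian reset gated by a dead-man delay.
// Hypothetical design written for this example, not an existing product.
type Recovery struct {
	Guardians     map[string]bool // constructed set of trusted guardian IDs
	Threshold     int             // M approvals needed out of N guardians
	Delay         time.Duration   // owner must be silent this long before reset
	LastOwnerSeen time.Time
	approvals     map[string]bool // guardians who currently approve a reset
}

// ErrUnknownGuardian is returned for approvals from anyone not in the guardian set.
var ErrUnknownGuardian = errors.New("approval from non-guardian rejected")

// NewRecovery sets up the guardian set; `now` is the owner's last activity.
func NewRecovery(guardians []string, threshold int, delay time.Duration, now time.Time) *Recovery {
	r := &Recovery{
		Guardians: map[string]bool{}, Threshold: threshold, Delay: delay,
		LastOwnerSeen: now, approvals: map[string]bool{},
	}
	for _, g := range guardians {
		r.Guardians[g] = true
	}
	return r
}

// Approve records one guardian's vote; repeat votes from the same guardian
// count once, so a single colluding guardian cannot inflate the tally.
func (r *Recovery) Approve(guardian string) error {
	if !r.Guardians[guardian] {
		return ErrUnknownGuardian
	}
	r.approvals[guardian] = true
	return nil
}

// Approvals reports how many distinct guardians currently approve.
func (r *Recovery) Approvals() int { return len(r.approvals) }

// OwnerLogin is the veto: any activity by the owner resets the clock and
// clears pending approvals, so guardians have to start over. As the post
// notes, this only works if the owner can still reach the service.
func (r *Recovery) OwnerLogin(now time.Time) {
	r.LastOwnerSeen = now
	r.approvals = map[string]bool{}
}

// CanReset is true only when the threshold is met AND the owner has been
// absent for the full delay. Either condition alone is not enough.
func (r *Recovery) CanReset(now time.Time) bool {
	if r.Approvals() < r.Threshold {
		return false
	}
	return now.Sub(r.LastOwnerSeen) >= r.Delay
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timeline
	r := NewRecovery([]string{"alice", "bob", "carol"}, 2, 7*24*time.Hour, t0)
	_ = r.Approve("alice")
	_ = r.Approve("bob")
	fmt.Println("day 1, 2 approvals:", r.CanReset(t0.Add(24*time.Hour)))     // false: delay not elapsed
	fmt.Println("day 8, 2 approvals:", r.CanReset(t0.Add(8*24*time.Hour)))   // true
	r.OwnerLogin(t0.Add(5 * 24 * time.Hour))                                 // owner vetoes
	fmt.Println("day 13 after veto:", r.CanReset(t0.Add(13*24*time.Hour)))   // false
}
```

Passing `now` explicitly (rather than calling `time.Now()` inside the methods) keeps the policy deterministic and testable; in a real deployment the clock itself becomes part of the trust model, since whoever controls the server's notion of time controls when the window closes.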
I think that blockchain is not the solution here. The fundamental problem is trust: do you or do you not trust n other parties with the information required to take over your digital life, no amount of fancy crypto engineering will get around that.
No amount of crypto will stand up to a Russian mobster with a crowbar and some creativity, like the xkcd https://xkcd.com/538/.
What you need is to develop a threat model and then select an appropriate solution that matches your threat model. If the threat is the KGB might torture me and my buddies, then kill switches are appropriate. Otherwise it’s no solution.
Perfect security doesn’t exist, it’s all about tradeoffs.
I think blockchain keys could work for identity, but you need another layer for authentication. Perhaps a smart contract could be used to generate and authenticate one time access codes?
That has failure modes, though, especially death on one of the N (might seem unlikely but I just had to help a friend unfuck a family member's finances after he died in a car accident next to the one trusted associate who had all his logins saved in an account locked behind 2FA secured by his iPhone which he didn't leave the unlock code to with anyone). I know there are other schemes where you only need M of N to turn the key, but really...
Leave. Your. Passwords. With. An. Attorney. And also your phone unlock code. A reputable attorney (preferably attached to a big firm) won't lose your stuff, and if they die or go out of practice they will have procedures in place to make sure you are set. This is not a situation where you want some clever DIY scheme that might fail and leave your loved ones scrambling to sort your finances when they are already devastated and mourning.
Better use three attorneys on at least two continents, one of them in the other hemisphere. Otherwise a single medium-size asteroid could easily wipe out all your backups and what then.
So their vision of the future is that to do anything online, one MUST have a phone (ahem, portable wiretap)? And they're going to be keeping my secrets for me, for my own good?
It's literally the opposite. You "must" have a cryptographic device (a dongle) that is only doing that one thing, authentication. Doesn't have a built in radio (unless for NFC, if you want it), doesn't have any microphone or camera, doesn't store any data beyond what's needed to authenticate, doesn't communicate except to authenticate - bi-directionally, so phishing is no longer a thing, or at least it's a lot harder.
It's very hard to make a privacy case against FIDO. Practically speaking it's one of the best things that happened to privacy&security since the invention of asymmetric cryptography. The deployment of this tech reduces phishing effectiveness to near zero, or in many cases literally zero.
> It's very hard to make a privacy case against FIDO.
With username and password, I have full control over my privacy in a very easy to understand fashion: If I randomly generate them I know I cannot be tracked (as long as I ensure my browser doesn't allow it by other means).
With those keys I have an opaque piece of hardware which transfers an opaque set of data to each website I use and I have NO idea what data that is because I do not manually type it in. I need to trust the hardware.
Sure, I could read the standard, but it very likely is complex enough that it is impossible to understand and trust for someone who has no crypto background.
And I also have no guarantee that the hardware obeys the standard. It might violate it in a way which makes tracking possible. Which is rather likely, because why else would big tech companies push this if it didn't benefit them in some way?
> Which is rather likely, because why else would big tech companies push this if it didn't benefit them in some way?
They switched to this internally a long time ago which basically eliminated phishing attacks against employees. There are security teams inside those megacorps that have a general objective of reducing the number of account takeovers, and non-trivial resources to accomplish that. Not everything is a conspiracy.
Also, I am sure you will be able to stick to just passwords for a pretty long time while the world moves on to cryptographic authentication. I'm not being sarcastic here.
Yes, they also track the behavior of their employees. It is security for them and not for the user in many cases. In a perfect world those incentives align but they don't have to.
With your password manager, you're trusting a lot more: the software of the OS and kernel, the software of the browser and its dependencies, the software of your password generator and your password storage. You also have to hope the developers and administrators of the website you're signing in to aren't storing your passwords in plain text (and I don't just mean in the database - overly-aggressive APM/logging might be storing POST request data in a log stream somewhere).
The only attack that's an issue for both passwords and security key-based sign-in is targeted attacks against a website, where they use your browser to execute malicious API calls to the website after you've signed in regularly.
I'm not familiar with FIDO, but passwords place a lot of effort on the user (must avoid repeating them, must avoid simple sequences, etc). After years of warnings, this has barely changed - people use lousy passwords and repeat them.
So I'm all up for considering different approaches.
No. Google's power to lock people out of their website is already here with the prevalence of 'Sign in with Google'.
FIDO is unrelated; it works by having the browser/device itself sync the virtual security keys[0], much in the same way they sync passwords currently. That's the only thing changing here, giving people the choice (and encouraging them) to sign in via "what you have" instead of "what you know".
I doubt they'll do away with tools like smart cards or Yubikeys any time soon. Laptops and modern computers also contain a TPM so you don't necessarily need to have a phone for secrets storage.
If push comes to shove, I'm sure someone will develop a lightweight Android emulation layer you can run in the cloud that pretends to be a phone enough that you can use it.
> Laptops and modern computers also contains a TPM
The root of trust for which extends to who knows where, and you're not allowed to look at the source code or learn how it works because that would threaten Hollywood's profit margins.
We're basically building a system of DRM for access to human beings, and making the whole world dependent on these unaccountable entities.
TPMs allow for arbitrary key storage by the operating system. They're not necessary for DRM. In fact, I've wiped my TPM several times to upgrade the firmware and I've had no trouble playing DRM content whatsoever.
Technologies like Intel's management engine and SGX or their AMD/Qualcomm/Apple counterparts are definitely problematic for user freedom in the way they're implemented. However, the TPM system itself is quite neutral: usually, you can clear it from the UEFI, lock it with a password (though that might need to be done from the OS) leaving whatever hostile OS you may run unable to exert any control on the device whatsoever.
I'm personally a big fan of technologies like TPMs and secure boot as long as they're user configurable. I want to be able to install my own keys and force the system to only boot operating systems of my choice. Secure boot with just the MS keys is quite silly and ever since that one version of Grub could be exploited it's basically useless; secure boot with user or enterprise keys can be an incredible tool for defence in depth, for example when visiting countries where border agents may try to gain access to your data without your permission or knowledge (China, USA, etc.).
If I had my way, I'd use Coreboot together with Secure Boot, with encryption keys stored in a TPM, the transfer of which goes through an encrypted channel (a feature of TPM 2.0 that nobody uses) after unlocking it with a password. Sadly, most Linux OS developers have a grudge against these technologies because they're used by companies such as Microsoft and Apple to reduce user freedom on some of their devices.
The user-hostile part of the TPM is the built-in key signed by the manufacturer which shows that it's an "approved" TPM which won't—for example—release any of the keys stored inside to the device's owner. This is what allows the TPM to be used as part of a DRM scheme.
If it weren't for that small detail then I would agree that TPMs can be useful for secure key storage and the like, working for the device's owner and not against them. The actually useful (to the owner) parts of the TPM do not require the manufacturer's signature.
It enables it, but that's just because both you, the device user, and M$ and the rest of the media industry, need to ensure the TPM inside the processor is genuinely from the manufacturer. You wouldn't want to use a TPM if an attack vector is one where China (who is a large part of the supply chain) can poison a large amount of TPM shipments with their own key that can be used to export or otherwise access internally-stored keys.
If your threat model is "China has backdoored your TPM" then making the TPM more opaque and unauditable doesn't improve the situation. How would you know if your TPM is lying and pretending to still have the original key when actually it has a replacement Chinese one?
The actual attestation process protects against this:
program generates random bytes -> ask TPM to sign it -> on signature return, program asks TPM for its public key -> program verifies public key matches that of the signature -> verify the public key is cross-signed by the manufacturer's certificate authority. The only attack here would be if Intel or AMD's PKI is compromised, which would certainly be leveraged against enterprise customers before any consumer customers got hit.
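As an added example (not from the thread or any commenter), the challenge-response flow described in this comment, modelled in Go with the standard library's ECDSA and X.509 packages. The "vendor CA" and the "TPM" are both constructed in-process; no real vendor keys or TPM interfaces are used. A device whose attestation key chains to the trusted vendor root passes; one certified by some other root fails the final cross-signature check, which is exactly the property the comment relies on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates and parses a certificate; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ManufacturerCA stands in for the vendor PKI the comment refers to (constructed here).
type ManufacturerCA struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
	Pool *x509.CertPool // trust store a verifier would ship with
}

func NewManufacturerCA() (*ManufacturerCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example TPM Vendor Root (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &ManufacturerCA{key: key, Cert: cert, Pool: pool}, nil
}

// SimTPM is a stand-in for a TPM's attestation key plus the certificate the
// vendor issued for it at manufacture. The private key never leaves the struct.
type SimTPM struct {
	ak   *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Provision plays the factory: generate the attestation key and cross-sign it.
func (ca *ManufacturerCA) Provision() (*SimTPM, error) {
	ak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example TPM attestation key (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, ca.Cert, &ak.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return &SimTPM{ak: ak, Cert: cert}, nil
}

// Sign answers the verifier's challenge with a signature over the nonce.
func (t *SimTPM) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, t.ak, digest[:])
}

// Attest runs the comment's steps: fresh nonce -> TPM signs -> fetch the TPM's
// public key (via its certificate) -> verify signature -> verify the key is
// cross-signed by a vendor CA in roots.
func Attest(tpm *SimTPM, roots *x509.CertPool) error {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := tpm.Sign(nonce)
	if err != nil {
		return err
	}
	pub, ok := tpm.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("attestation certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("nonce signature does not verify under the presented key")
	}
	// Chain check: only keys the vendor signed pass. This proves vendor endorsement
	// of the key, nothing more; the thread's supply-chain caveat still applies.
	_, err = tpm.Cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("attestation key not endorsed by trusted vendor: %w", err)
	}
	return nil
}
```

The nonce is what makes the exchange fresh: without it a captured signature could be replayed, and the chain check alone would say nothing about whether the device in front of you holds the key. Usage: `ca, _ := NewManufacturerCA(); tpm, _ := ca.Provision(); err := Attest(tpm, ca.Pool)` returns nil for the genuine device and a non-nil error for a device provisioned by a different root.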
With regard to supply-chain attacks, since the TPMs are manufactured in China, they can just make a perfectly "genuine" TPM with a valid, signed key which has their backdoor. The attestation process protects DRM users (media companies) from device owners. It doesn't protect device owners from TPM manufacturers.
As I said—manufactured in China. Both the government of mainland China and the government of the Republic of China (Taiwan) consider mainland China and Taiwan to be parts of the same country. They only differ with regard to who is in charge.
The issue could be addressed without removing the ability to attest as to the TPM's origin by including a protocol for the owner to dump the device's private encryption keys (e.g. by shorting one of the external pins to ground). The fixed attestation key set by the manufacturer would need to be restricted so that it can only be used to sign attestation messages, with all other keys being generated on the device so that they can be reset when the device changes owners.
Is there a way to list this blacklist? I have several computers which haven't received updates in years and I strongly doubt that the internal blacklist has been updated.
Which is a pretty big security threat that is constantly ignored. It just isn't acknowledged when people talk positively about TPM even if remote attestation is completely built-in by now. Security for whom becomes the question here.
My vision of future authentication (shared by colleagues in security) is based on strong hardware credentials and additional layer-7 context about identity, device and location. Basically, more identification of you and your browser using cryptographically-guaranteed and immutable events. It is actually the deprecation of passwords altogether and generally moving the trust boundary away from the control of the user entirely. I also don't enjoy it, but it would solve a lot of current problems we see in information security.
I don't know if you're being sarcastic, but your vision sounds like a nightmare and not very far removed from Gattaca.
> moving the trust boundary away from the control of the user entirely. I also don't enjoy it, but it would solve a lot of current problems we see in information security.
Every despot throughout history has noted that freedom can be traded for security, but I thought that most of us would agree that freedom is more important.
Society is replete with trade-offs sacrificing freedom for collective security. You can make moral judgements about this all day, but it won't change the dynamics of our lives.
Every technology is a double-edged sword. Like firearms, security controls can be used to guarantee peace and freedom or wage war and distress. The responsibility is with the administrator of that tool, not the tool itself.
Doesn’t require phone? Supported by desktop browsers also. Third party “auth managers” should be possible — likely integrated into existing password managers?
So their vision of the future is that to do anything online, one MUST have a phone (ahem, portable wiretap)? And Google is going to be keeping my secrets for me, for my own good?
> obvious to anyone with basic thinking skills that "the government of a country" and "the people/nationalities/culture of a country" are two totally different things.
The CCP has invested a lot of energy into making the people of China conflate these two concepts. The party IS China and the two are inseparable according to the CCP.
This is where the topic becomes contentious and not so black and white. The CCP has successfully influenced millions of people into doing its bidding abroad. And the CCP is fully aware of the West's strong aversion to racism in any form, and has been able to weaponise it.
Relevant reading: Silent Invasion: China's influence in Australia (2018)
As far as empires go, America is nothing compared to the larger players.
But also consider that global geopolitics is inherently an anarchy. The guy with the biggest stick makes the rules. Between America and the next 3 largest contenders for biggest stick... I'll take America, the alternatives are far worse. And I'm a Russian by birth. Want to talk about actual bullying? Check out CCP blackmailing people overseas for political speech, by threatening their families in the mainland.
We're in the middle of the most globally peaceful period in recorded history since 'imperialist pig' USA came to power. The alternatives don't include 'no world leader', they are only choices of a different world leader. If you really want the US to fall from the world stage, I suggest you start learning Chinese or Russian; you're going to need it.