To be fair, I think the organisers are mostly to blame here.
The linked article states "certain invited speakers and participants remain subject to pending administrative and security clearances, which have not yet been concluded".
I have friends who organise conferences as a $dayjob, including in countries where political and government clearances are required for conferences attended by speakers and participants from external countries.
These clearances are typically required for BOTH the event AND each foreigner individually (and the foreigner will often be unable to even apply for, let alone obtain their visa until they have the clearance).
Let's just say that organising a Human Rights Conference in such a country would probably not be the smartest idea in the world.
Even for an uncontroversial conference, the clearance process is excruciatingly painful. I dread to think what it would entail for a Human Rights conference !
They took the risk. It didn't pay off.
Hope they had solid events insurance to cover all the costs.
To be honest, the blog post is quite a lot of self-indulgent waffle. But I forgive you for that, "each to their own", as they say.
What I won't forgive you for is writing such a long blog post and then completely missing the bottom-line.
Do not write "I'll share more details about where the Ghostty project will be moving to in the coming months".
If you're going to make me read such a long blog post, then at least have an answer ready-to-go for the critical question that everybody is going to ask !
I read the post yesterday, and read it again today before commenting, and it's not really self-indulgent waffle.
Ghostty might be an open source and free product, but that doesn't mean that Mitchell in particular, who works on it, treats it any differently to how a for-profit company would treat its own software.
If you're using a SaaS that offers a product to both companies and individuals with the same feature set, and its uptime is anything less than three-nines, it's not fit for purpose.
Frankly, I'm amazed companies aren't walking away and giving the same reasons.
Well that's a cute explanation, but strictly speaking the UN adopted the new spelling in 2022 and the ISO swiftly followed with a revision to ISO 3166.
If your "they asked nicely" was true then by that argument the people of Taiwan who constantly "ask nicely" regarding the removal of "(Province of China)" from their ISO 3166 entry would have had their wishes granted by now ... ;)
Because Türkiye is a widely recognized sovereign state, while Taiwan (or more formally, the Republic of China) is not. Taiwan is also not a member of ISO.
> Think, ingesting call transcripts where those calls may include credit card numbers or private data. The call transcripts are very useful for various things, but for obvious reasons we don't want to ingest the PII.
Credit card numbers are deterministic. A five year old could write a script to strip out credit card numbers.
As for other PII ? You're seriously expecting an LLM to find every instance of every random piece of PII ? Worldwide ? In multiple languages ? I've got an igloo I'd like to sell you ...
I think this is a bit dramatic of a comment. Credit card numbers relayed over the phone are not deterministic...
"four three uh let's see sorry my vision is bad six eight..."
Easy versions of problems are easy. But reality is messy.
And no, neither I nor anybody else is expecting a 50B parameter model to find every instance. But finding 90% or 95% or 99% is pretty good, and sufficiently good for many use cases.
> Credit card numbers relayed over the phone are not deterministic...
I don't know the last time you relayed card details over the phone, but the last 100 times I did it, the agent did one of two things:
(a) Said "Please wait while I turn off recording"; or
(b) Transferred the call to an automated system that read the card details via the phone keypad input and then took back control of the call afterwards.
Relaying card details over the phone is a problem that has been comprehensively solved. You don't need an LLM for it !
> But finding 90% or 95% or 99% is pretty good
I would humbly suggest that you are over-estimating the capabilities of an LLM. ;)
> shell access with a touch based key just means the attacker has to wait for you to auth
And if you want to be EVEN more pedantic, on most touch-based keys, you have to touch within 10–15 seconds otherwise it times out.
So it is not a waste of effort at all. First the need to touch at all eliminates a large chunk of attacks. Second the need to touch within 10–15 seconds eliminates a whole bunch more.
There would have to be some heavy-duty alignment of ducks going on to get past a touch requirement.
Even more if the target has touch AND PIN enabled.
> Is it just the 6 digit code that Apple sends to verify iCloud access?
No. It is unrelated to Apple ID 2FA.
If it's what I'm thinking of, it used to be a user-visible thing[1] back in the day.
But now with the need for increased security posture in the modern environment it is now not user visible but held locally and encrypted using the local device secure enclave key. So you would typically now see a prompt for the device password so the enclave can be accessed to access the key to set up/renew iCloud access tokens.
As far as I am aware the only user-visible string still available in the Apple world is (for obvious reasons) the FileVault recovery key on macOS devices. Which is only visible once ... shown to you when you first enable FileVault.
> If it's what I'm thinking of, it used to be a user-visible thing[1] back in the day.
It used to be user-visible, yes, but I wonder if TFA isn’t a little out-of-date, as the UI flow that used to work in order to see this (settings/icloud/keychain/advanced) isn’t there anymore on Mac or iOS. And random poking around indicates that they didn’t move it.
When one would be prompted to create a new code, the dialog said something about “changes to the servers” or something similar. Now, having read TFA, I wonder if that doesn’t mean an HSM got compromised somehow.
> I wonder if that doesn’t mean an HSM got compromised somehow.
I think the point is there are multiple HSMs in multiple locations under the control of different groups of people and a majority of HSMs have to agree...
> Or maybe the government should not require companies to KYC you for every little stupid thing
Actually....
Say what you like about the French today, but one good thing they have is an electronic service[1] where you can generate single-use KYC ID:
- That only discloses minimum information required
- For a specific recipient organisation
- For a specific duration
- For a specific use-case by that organisation
More countries should provide this sort of KYC tool.
It looked great and I wanted to try it, but it doesn't work on the web and my smartphone is rejected with no clear explanation ("missing some security mechanisms"); probably because I'm running LineageOS with MicroG.
I'm not exactly sure of the details, but isn't this similar to DigiD in NL? There too you can "prove your Identity and log in" via the govt app. The server side of the 3rd party has to handle the rest (e.g. user account information etc.), nothing is shared beyond "this is the guy who's signing in, verified by the govt".
Wish entities who handle Aadhaar in India were required to accept the one-time Virtual Aadhaar. It's a quick online and SMS-only process. Seems everybody forces you to hand over your permanent Aadhaar, including the ID verification partner for PayPal.
I'm tired of having to connect on EDF's shitty website to get a new PDF every three months.
I just set it up!
A bit bumpy because login on Ameli/Impôts wasn't working on Orion so I had to go on Safari, but otherwise it's done.
I even have colored pictures on the virtual CNI/Permis!
Thanks!
EDIT: Why do they put three stats about trains on your linked page?!
Look, I'm no defender of China but ....
First, read what I already said up-thread. The organisers clearly took a risk, it didn't pay off. If they did not understand the risk they were taking on, that's on them.
Second, Google the agreement referred to in that Twitter post. It was a standard China Belt and Road Financing thing, so super common in Africa that it's barely news.
I really don't think you seriously can pin the Chinese theory on this one.