• 50 Posts
  • 1.28K Comments
Joined 1 year ago
Cake day: October 4th, 2023

  • The Jia Tan xz backdoor attack did get flagged by some automated analysis tools – they had to get the analysis tools modified so that it would pass – and that was a pretty sophisticated attack. The people running the testing didn’t catch it, trusted the Jia Tan group that it was a false positive that needed to be fixed, but it was still putting up warning lights.

    More sophisticated attackers will probably replicate their own code analysis environments mirroring those they know of online, make a checklist of running what code analysis tools they can run against locally prior to making the code visible, tweak it until it passes – but I think that it definitely raises the bar.

    Could have some analysis tools that aren’t made public but run against important public code repositories specifically to try to make this more difficult.


  • I don’t think that that’s a counter to the specific attack described in the article:

    The malicious packages have names that are similar to legitimate ones for the Puppeteer and Bignum.js code libraries and for various libraries for working with cryptocurrency.

    That’d be a counter if you have some known-good version of a package and are worried about updates containing malicious software.

    But in the described attack, they’re not trying to push malicious software into legitimate packages. They’re hoping that a dev will accidentally use the wrong package (which presumably is malicious from the get-go).
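
As an added illustration (not part of the comment above, nor code from the article it discusses), here is the defensive check that does counter the attack the comment describes: before trusting a manifest, compare every dependency name against the project's own known-good list and flag near-misses. The allowlist, the sample manifest and every lookalike name in it are constructed for this example; the distance function, the name normalisation and the length-scaled threshold are my own choices, not anything the article or npm specifies.

```javascript
// Added example, not from the original post. Flags dependency names that are
// not on a known-good list but sit within a small edit distance of a name
// that is. All package names below are constructed sample data; the
// lookalikes are hypothetical and are not claims about real packages.

// Optimal-string-alignment distance: insertion, deletion, substitution and
// adjacent transposition each cost 1 (so "lodahs" vs "lodash" is 1, not 2).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Normalise a name the way a lookalike comparison should: lower-case, drop
// any @scope/ prefix, strip separators so "big-num" and "bignum" compare equal.
function normalise(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// For each dependency not on the allowlist, report any allowlisted name it
// resembles. The threshold shrinks with the good name's length so that short
// names such as "ms" never produce a flood of false positives.
function findLookalikes(dependencies, allowlist, maxDistance = 2) {
  const allowed = new Set(allowlist);
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (allowed.has(dep)) continue;
    for (const good of allowlist) {
      const goodNorm = normalise(good);
      const limit = Math.min(maxDistance, Math.floor(goodNorm.length / 4));
      const distance = editDistance(normalise(dep), goodNorm);
      if (distance <= limit) {
        findings.push({ dependency: dep, resembles: good, distance });
      }
    }
  }
  return findings;
}

// Constructed sample data: the names a project already trusts ...
const sampleAllowlist = ['puppeteer', 'express', 'lodash'];

// ... and a manifest mixing genuine entries with hypothetical lookalikes.
const sampleManifest = {
  puppeteer: '^22.0.0',        // on the allowlist: not flagged
  express: '^4.19.0',          // on the allowlist: not flagged
  'puppeteer-core': '^22.0.0', // distance 4 from "puppeteer": not flagged
  pupeteer: '1.0.0',           // hypothetical: one dropped letter
  expres: '1.0.0',             // hypothetical: one dropped letter
  lodahs: '1.0.0',             // hypothetical: adjacent transposition
  '@acme/puppeteer': '1.0.0',  // hypothetical: scope confusion, distance 0
};

// Runs the check on the sample manifest; usable as `node thisfile.js`.
function runSample() {
  const findings = findLookalikes(sampleManifest, sampleAllowlist);
  for (const f of findings) {
    console.log(`${f.dependency} resembles ${f.resembles} (distance ${f.distance})`);
  }
  return findings;
}

runSample();
```

Two design points worth noting: a distance of 0 after normalisation (the scoped `@acme/puppeteer` case) is reported rather than ignored, because a dependency that is textually identical to a trusted name but lives under a different scope is exactly the confusion the attack relies on; and the length-scaled limit means a genuine companion package such as `puppeteer-core` (four edits away) passes while a one-letter slip does not. In practice the allowlist would be the names from a reviewed lockfile, not a hand-typed array.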


  • I mean, this kind of stuff was going to happen.

    The more-important and more-widely-used open source software is, the more appealing supply-chain attacks against it are.

    The world where it doesn’t happen is one where open source doesn’t become successful.

    I expect that we’ll find ways to mitigate stuff like this. Run a lot more software in isolation, have automated checking stuff, make more use of developer reputation, have automated code analysis, have better ways to monitor system changes, have some kind of “trust metric” on packages.

    Go back to the 1990s, and most everything I sent online was unencrypted. In 2024, most traffic I send is encrypted. I imagine that changes can be made here too.


  • I’m guessing that they’re gonna either try to have NK forces operate together, or gonna put them in roles that involve minimal interaction with other forces.

    I expect that it’s some degree of problem, no matter what.

    One element that’s kinda important in US military theory is the idea of the OODA loop.

    https://en.wikipedia.org/wiki/OODA_loop

    The OODA loop (observe, orient, decide, act) is a decision-making model developed by United States Air Force Colonel John Boyd. He applied the concept to the combat operations process, often at the operational level during military campaigns. It is often applied to understand commercial operations and learning processes. The approach explains how agility can overcome raw power in dealing with human opponents.

    https://www.google.com/search?q=%2Booda+site%3Amil

    The basic idea is that the smaller that loop is, the more-quickly you can react to your opponent while they’re still trying to react to your prior actions, the greater the advantage. In some cases – think the Battle of France, where at a high level France had slow response time – it can lead to staggering differences in outcome.

    Language barriers exacerbate that sort of thing.

    In US military history, I remember that that was blamed for a lot of problems surrounding the Battle of the Java Sea, a serious Allied naval loss.

    https://en.wikipedia.org/wiki/Battle_of_the_Java_Sea

    The Allies had a scratch force of American, British, Dutch, and Australian ships.

    Unfortunately, these didn’t use common cryptographic mechanisms to encode communications, and the operational command was with the Dutch, who at the time didn’t work in English.

    As a result, you had stuff like American reconnaissance planes who would encode and transmit encoded data in English to a ship, which would decode the information, which would – assuming no extra relays were involved, which would involve more decoding and encoding – hand off the information in plaintext to a translator who knew English and Dutch, who would relay the Dutch to the person in command, who would make a decision on response, which would hand that back off to a translator, who would translate that to English, and encode and send the orders to, say, a British ship, who would decode those and relay to the ship commander, who would order people to then do something.

    One of the things NATO did was establish common communication hardware and standardize on a subset of English for operational stuff to cut into the length of that loop.


  • These projects would hinder Sweden’s defense by disrupting radar, sensor systems, and submarine detection, important for NATO’s newest member given nearby Russian threats.

    Hmmmmm. Haven’t seen discussion on the radar or other sensor implications there. Be interesting to see The War Zone or similar run an article.

    If one can viably use offshore wind farms as radar cover, that seems like it might be something to look into developing counters for more-generally, because those are probably going to become more widespread.

    That’s probably especially true for Europe and some places in Southeast Asia, as they’re surrounded by shallow seas, where there may be a lot of offshore wind infrastructure showing up.

    EDIT: Going the other way – China might be building offshore wind, and we probably have an interest in having subs be able to operate without being detected in the South China Sea, I wonder if it’s possible to synchronize submarine prop RPM to turbine RPM or something to maximize stealth.

    EDIT2: For radar, might be able to use aerostat-based radars, see over turbines. Won’t help with microphone arrays or whatever, though. Could maybe stick sensors on the wind turbine bases, though. Add some cost, maybe, but then instead of a veil obscuring your view, you’ve got a lot of eyeballs.

    EDIT3:

    V Adm Didier Maleterre, the deputy commander of Nato’s allied maritime command (Marcom), told the Guardian in April: “We know the Russians have developed a lot of hybrid warfare under the sea to disrupt the European economy through cables, internet cables, pipelines. All of our economy under the sea is under threat.”

    Yeah, that’s a whole 'nother ball of wax. As I pointed out back during discussions around Nord Stream 2, there is literally not even legal protection for pipelines, as things stand.

    The only protection for cables today is a treaty negotiated in France in the 1800s intended to cover telegraph cables (like, they weren’t running HVDC lines then).

    kagis

    https://en.wikipedia.org/wiki/Convention_for_the_Protection_of_Submarine_Telegraph_Cables

    That does not limit coverage just to data cables (despite the phrasing in the WP article I link to).

    Dates to 1884. That’s the state of the art legally in the world in 2024, which is kinda mind-blowing.

    My guess is that the US never had a strong reason to drive this, because the US is mostly surrounded by deep seas and doesn’t have anything important nearby across water, so not a whole lot of reason to build submarine infrastructure in relative terms or for it to be really critical for US security.

    But the legal status is probably a lot more important for Europe, which has the Scandinavian peninsula, is mostly made up of peninsulas surrounded by shallow seas, has Africa across the Med, stuff like that. I think that there’s a good argument for the EU to have internal legal rules, like, Brussels-level powers to facilitate things like building pipelines and power lines overland rather than submarine. You had Spain trying to build critical infrastructure submarine around France to link the Iberian energy island to the rest of the EU rather than through France because France didn’t agree, which is a clusterfuck, but even if they do that, there are still some inescapable geographic realities – they’re probably going to still have more incentive for submarine infrastructure. So my suspicion is that Europe is likely to drive any change in the legal situation.

    EDIT4: Potential areas of improvement might include:

    • Legal requirements on where ships, or maybe large ships, can anchor. Anchor-dragging, “accidental” or not, can damage lines.

    • Some mechanism for providing legal protection for infrastructure in international waters, especially pipelines.

    • Some mechanism for quickly detecting and localizing damage to infrastructure. Possibly also detecting mechanical disruption, like dragging.

    • Possibly the means to defend infrastructure. Part of the problem is that you can take out a lot of infrastructure at the depths they’re talking about with a COTS UUV from a surface ship that, last I looked around the Nord Stream 2 thing, was like $20k. That means that counters to something like a submarine, like lining your infrastructure with the equivalent of CAPTORs, isn’t gonna be economically effective; you can’t counter a group of 10 of those showing up at some point along the infrastructure. I have no idea if it’s even possible to reasonably counter attacks using current technology, even if they can be detected. Being able to attribute attacks to an attacker and deter them might be more realistic.


  • I would call Hades and pretty much anything people call an “action roguelike” a roguelite, but I have a hard time calling something not a roguelike for using graphics, even being pretty strict about the definition. Like, there are a number of originally-ASCII roguelikes that have tilesets. Those don’t functionally change the game in any way other than directly dropping the tiles in. Does that mean that Nethack-family games or Dungeon Crawl: Stone Soup aren’t roguelikes?

    My red lines are:

    • Gotta be turn-based. Maybe I’d accept a purely forced-turn version of a turn-based roguelike, like Mangband.

    • At least some element of procedurally-generated maps and loot that alters how one needs to play the game from run to run. I’d definitely call many games that still have many handcrafted maps – Tales of Maj’Eyal or Caves of Qud, say – roguelikes.

    • At least the option for permadeath, and that that be the primary mode of play. Caves of Qud was originally permadeath-only, but added a mode that avoids it.

    • Grid-based. Hex grid is fine, like Hoplite.

    Those are Berlin Interpretation elements. In addition:

    • Top-down view (or functionally-equivalent, like isometric). I wouldn’t call a first-person grid-based game – and there were a lot of 1980s and 1990s RPGs that used that structure – a roguelike.

    • Only direct control of one character at a time. I wouldn’t rule out Nethack for indirectly-controlled pets or Caves of Qud for letting one switch which character the player’s “mind” is controlling.

    I don’t think that I’d make it a hard requirement, but all good roguelikes that I’ve played involve a lot of analysis and trying to find synergies among character abilities or item or monster or map characteristics, often in nonobvious ways. That’s a big part of the game.


  • .io is especially popular because it resembles the computer term “input-output.” It is huge with start-ups and IT companies.

    Well, those companies should also have the technical chops to know better.

    I still think that most of opening up the TLD space was a mistake, not just the two-character stuff. Very few new TLDs have actually provided a lot of use, but they have created a “brand tax” on companies that don’t want confusing use of similar registrations and who then go register the equivalent domains.

    .biz vs .com is a great example.


  • I mean, the problem is kind of fundamental. They have a competitive multiplayer game. Many competitive multiplayer games are vulnerable to cheating if you can manipulate the client software; some software just can’t really be hardened and still deal with latency and such reasonably. Consoles are reasonably well locked down. PCs are not, and trying to clamp down on them at all is a pain – there are lots of holes to modify the software. Linux is specifically made to be open and thus modifiable. You’re never going to get major Linux distros committing to a closed system.

    Frankly, my answer has been “Consoles are really the right answer for competitive multiplayer, not PCs.” It’s not just the cheating issue, but that you also want a level playing field, and PCs fundamentally are not that. Someone can, to at least some degree, pay to win with higher framerates or resolution or a more-responsive system on a PC.

    My guess is that the most-realistic way to do games like this on the PC is to introduce some kind of trusted hardware sufficient to handle all the critical data in a game, like a PCI card or something, and then stick critical portions of the game on that trusted hardware. But that infrastructure doesn’t exist today, and it’s still trying to make an open system imperfectly act like a closed one.

    I think that the real answer here is to use consoles for that, because they already are what game developers are after – a locked-down, non-expandable system. In the specific context of competitive multiplayer games, that’s desirable. I don’t like it for most other things, but consoles are well-suited to that.

    My own personal guess is the even longer run answer is going to be a slow shift away from multiplayer games.

    Inexpensive, low-latency, long-range data connectivity started to give multiplayer games a boost around 2000-ish. Suddenly, it was possible to play a lot of games against people remotely. And there are neat things you can do with multiplayer games. Humans are a sophisticated, “smarter game AI”. They have their own problems, like sometimes doing things that aren’t fun for other players – like cheating – but if you can rely on other players, you don’t have to write a lot of complicated game AI.

    The problem is that it also comes with a lot of drawbacks. You can’t pause most multiplayer games, and even when you do, it’s disruptive. If you’re, say, raising a kid who can get themselves into trouble, not being able to simply stand up and walk away from the keyboard is kinda limiting. You cannot play a multiplayer game without data connectivity. At some point, the game isn’t going to be playable any more, as the player base falls off and central servers go away. You have to deal with other people exploiting the game in various ways that aren’t fun for other players. That could be a game’s meta evolving to use strategies that aren’t very much fun to counter, or cheating, or people just abusing other people. Yeah, you can try to structure a game to discourage that, but we’ve been working on that for many years and griefing and such is still a thing.

    Writing game AI is hard and expensive, but I think that in the long run, what we’re going to do is to see game AI take up a lot of the slack. I think that we’re going to see advances in generic game AI engines, the sort of way we do graphics or sound engines, where one company makes a game AI software package that is reused in many, many games and only slightly tweaked by the game developers.

    Multiplayer games are always going to be around, short of us hitting human-level AI. But I think that the trend will be towards single-player games over time, just because of those technical limitations I mentioned. I think that where multiplayer happens, it’ll be more-frequently with people that someone knows – someone’s friends or spouse or such – and where someone specifically wants to interact with that other person, and where the human isn’t just a faceless random person filling in for a smart piece of game AI that doesn’t exist. That’d also hopefully solve the cheating problem.


  • Ah, the Canadian housing bubble Wikipedia article talks about some of the points I raised:

    https://en.wikipedia.org/wiki/Canadian_property_bubble

    Risks

    Canada is a nation heavily dependent on the real estate industry which accounted for roughly 14% of its GDP in 2020[126] and over 20% in 2023.[127] There is a high risk that if investor sentiment changes, buyer demand may drop significantly, triggering a vicious cycle of prices declines that snowball.[128] Canadians hold increasing mortgage debt (almost $2 trillion in June 2021,[129] $2.16 trillion residential in 2023[130]) while unemployment rose and net employment fell in 2024.[131]

    That “snowball” is referring to a bubble popping. And this also mentions the five-year mortgage factor:

    Short-term fixed-rate mortgages are dominant in Canada,[132] typically with the interest rate locked in for five years. This contrasts with the United States, where most homeowners hold long-term fixed-rate mortgage contracts. If the reset rate in five, ten, or fifteen years is higher than in the past, there will be a large risk of default for Canadians with high amounts of debt. A July 2017 report noted that uninsured mortgages represent the greatest risk to the financial industry.[133] A decreasing number of Canadian mortgages are backed by insurance, from over 60% in 2012[134] to less than 22% in 2022.[135] Drops in home prices could cause homeowners to owe more on their mortgages than the house is currently valued, which is known as negative equity.[136][128]


  • Some 26 per cent of Canadians aged 18 to 34 own a home today, down from 47 per cent in 2021, according to the poll.

    Not only that, but it sounds like homebuilders have been decreasing housing starts for several years, which seems counterintuitive if one has high housing prices.

    https://www.reuters.com/world/americas/canada-homebuilding-down-third-year-housing-agency-predicts-2024-04-04/

    TORONTO, April 4 (Reuters) - Canadian homebuilders are expected to dial back new construction for a third straight year in 2024 as elevated borrowing costs reduce the appeal of starting projects, Canada’s national housing agency said on Thursday.

    Here’s my off-the-cuff understanding of the situation. I have not been closely following it.

    In the wake of the global financial crisis, it looks like Canada cranked the central bank’s interest rate way down.

    Shortly after Canada started bringing them back up, COVID-19 hit, and Canada slammed rates back down again. It wasn’t until inflation started to rapidly rise in mid-2022 that Canada started bringing them back up, at which point, Canada had had low interest rates for over a decade.

    https://tradingeconomics.com/canada/interest-rate

    My understanding is that one effect of running low interest rates is to create asset price bubbles. It’s cheap to borrow money, so people borrow a lot of money and dump a lot of it into housing, which blows the price of housing way up.

    This has led to what is believed to be a housing price bubble considerably worse than the one that the US hit:

    https://en.wikipedia.org/wiki/Canadian_property_bubble

    In 2023 Canada’s nonfinancial debt exceeded 300% of GDP and household debt surpassed 100% of GDP, both higher than the levels seen in the United States before the 2008 global financial crisis. Canada’s housing investment as a percentage of GDP ratio peaked at 8.9% in 2022, whereas the US, at the peak of their housing bubble, only reached 7% in 2006.

    This happened because it was cheap to borrow a lot of money under Canadian policy, and so what people did – looking at the rapid increase in Canadian housing prices – was to borrow a lot of money and buy housing with the expectation that it would continue to rise, and that by doing so with a lot of borrowed money, they’d increase their gains:

    Investor activity (measured as the percentage of non-owner-occupied homes) increased both housing price appreciation and price collapse during the 2007–2008 financial crisis. Investor activity peaked in 2005, with over 29% of new mortgages in Las Vegas taken out for investment properties. At this time, 15% of mortgages across the US were for non-owner-occupied homes.[80] In 2020, in Toronto, 21% of all housing, and 56% of condos were investor owned. In Vancouver, nearly 48% of condos, and 33% of all housing was owned by investors.[81] Across Canada, 1 in 5 homes were investment properties. Investors were found to be increasingly crowding out prospective first-time buyers in a 2024 analysis.[82]

    With Canada finally bringing interest rates up, house builders – expecting that they’re going to have a hard time selling houses – are having a hard time borrowing money to build more houses, so they pulled back on new construction. At that point, you have a lot of people with borrowed money that have soaked up a lot of housing, expecting it to continue to rise.

    So I’d expect Canadian house prices to begin falling. When that happens, suddenly that investment in housing that seems like a really great idea because you’re using borrowed money to increase gains becomes a really bad idea, and you want to get out. But…you can’t sell that housing to anyone. So you potentially have a lot of people who want to dump housing all at once, which causes a bubble to pop.

    Normally, when a buyer gets a mortgage, they have to make a down payment, though in the runup to the global financial crisis, a lot of US mortgage lenders were issuing a lot of mortgages with no money down. The purpose of this is to shield the lender from risk (and reduces interest rates from the borrower). Someone with a mortgage has $E equity in a house, the part that they own, and then $M that they borrowed from the bank. If someone defaults on their mortgage, because the house was pledged as collateral, then the lender can seize the house and sell it on the market to recover their $M, with their $M getting priority over the borrower recovering their $E.

    Normally, that down payment is chosen by a mortgage lender large enough that even if house prices fluctuate and the price drops shortly after sale, the money can be recovered by the lender, so the risk is mostly on the borrower.

    However, if house prices rapidly collapse far enough, then it may be that a house price isn’t high enough for a lender to recover the money they lent. That is, after sale prices go “underwater”, such that the borrower has lost all their equity and then the lender can’t even recover their loan if they seize the house and sell it, then the lender faces risk that the borrower will simply default on the mortgage, and the lender will not be able to fully recover the money they lent on the house.

    That can lead to mass defaults by borrowers, which is what happened in a number of places in the US when housing prices rapidly dropped, which led to houses being seized and placed on the market, which further drove down housing prices.

    My vague recollection – and I have not followed the Canadian housing situation closely; this is going from my memory of comparative housing policy back around the global financial crisis – is that Canadian mortgages are all recourse. In a minority – but important minority – of US states, mortgages are non-recourse (at least on the primary mortgage; this doesn’t apply to secondary mortgages, HELOCs, etc, at least in California, by my way of recollection). What that refers to is whether the lender has recourse if a buyer defaults on their mortgage. That is, can they try to seize other personal assets, garnish income, have some other forms of trying to recover their money in a default.

    That will probably tend to make it less-likely for Canadians to walk away from debts…but I don’t think that it makes lenders immune. That is, if someone files for personal bankruptcy – which might be a good idea if they don’t have a lot of assets outside the house and they have borrowed an enormous amount to buy a house that is worth far less than they paid for it – I’d guess that the lender probably has no recourse, though I haven’t gone researching Canadian law on the matter. Or if someone is an overseas buyer – something that Canada has recently severely restricted – it may be hard to go after their other assets to recover loss if they default even if they don’t declare bankruptcy.

    In general, Canada’s less-borrower-friendly, more-lender-friendly laws probably means that the Canadian banking system won’t get into as much risk of banks getting clobbered as the US, even if a bubble pops. But that doesn’t mean that people who buy houses can’t be considerably-worse-off than they otherwise would have been.

    Another factor is that in the US, the most-common type of mortgage is a 30-year fixed-rate mortgage. As interest rates fluctuate, they don’t affect people who already have a mortgage rate locked in. That does mean that if interest rates rise, they may not be able to easily move; labor mobility will take a hit, which isn’t good. But they can probably continue to pay the mortgage on their existing home, as long as their income continues. Canadian borrowers, as I understand it, normally need to refinance their mortgage each five years, so their mortgage payments are affected by current interest rates. If interest rates rise, as they have, their payments will also rise starting at some point in the next five years. Canadian interest rates have recently risen quite considerably.

    One cause of high housing prices is if there just isn’t enough housing supply out there at all, like, construction can be constrained by zoning laws and such. Another is that the supply of housing is out there, but people are determined to purchase rather than renting. Potentially each is true to some degree, but a way to determine whether people are irrationally bent on purchasing is to look at the price-to-rent ratio. This, as a rule of thumb, is generally expected to hover in a vaguely-fixed range.

    kagis for Canadian price-to-rent ratio data

    https://www.zoocasa.com/blog/price-to-rent-ratios-across-canada/

    https://www.zoocasa.com/blog/wp-content/uploads/2024/05/Townhouse-downpayment-1-1-768x1516.png

    Based on that, the price-to-rent ratios in almost all of Canada are relatively high for detached homes. That means that at least part of the situation is people buying when they probably should be renting in terms of expected financial return. Unless what a Canadian is looking to live in is a unit in a multiunit building, I expect that it’s probably a good move for a Canadian to rent right now, avoid exposure to the real estate market. One would want to have their assets in something other than equity in single-family home real estate, like stocks or bonds or suchlike.