- A New York lawyer used ChatGPT to write a filing with references to fake cases. After a human told him they were hallucinated, he asked ChatGPT if that was true (which said they were real cases). He then screenshotted that answer and submitted it to the judge with the explanation "ChatGPT ... assured the reliability of its content." https://www.courtlistener.com/docket/63107798/54/mata-v-avia... (pages 19, 41-43)
- (2020)
- It’s less of a switch and more of an upgrade. The hub will continue to work with Zigbee devices, it just adds Matter support to those devices you already have.
- I'm seeing a lot more of these phishing links relying on sites.google.com . Users are becoming trained to look at the domain, which appears correct to them. Is it a mistake of Google to continue to let people post user content on a subdomain of their main domain?
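As an added example (not part of the comment above), here is the check a mail or URL filter would want for the sites.google.com case: treat the exact host, or any subdomain of it, as user-hosted content, while not being fooled by look-alikes such as `sites.google.com.evil.example` or userinfo tricks like `https://sites.google.com@evil.example/`. The host list is an assumption; only sites.google.com comes from the comment.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hosts where the registrable domain belongs to a trusted brand but the
# page content is uploaded by arbitrary users. Only sites.google.com is
# named in the comment above; anything a team adds here is its own call.
USER_CONTENT_HOSTS = {
    "sites.google.com",
}


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of an http(s) URL, or None.

    urlsplit().hostname drops userinfo and port, so
    'https://sites.google.com@evil.example/' yields 'evil.example'.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname
    return host.rstrip(".") if host else None


def is_user_content_host(url: str) -> bool:
    """True if the URL's host is, or is a subdomain of, a user-content host.

    Suffix matching is done on a label boundary ('.' + host) so that
    'sites.google.com.evil.example' does not match.
    """
    host = host_of(url)
    if host is None:
        return False
    return any(host == h or host.endswith("." + h) for h in USER_CONTENT_HOSTS)


def flag_user_content_links(urls):
    """Return the subset of urls that point at user-hosted content."""
    return [u for u in urls if is_user_content_host(u)]


if __name__ == "__main__":
    # Constructed sample links, not real phishing URLs.
    sample = [
        "https://sites.google.com/view/account-verify",
        "https://accounts.google.com/signin",
        "https://sites.google.com.evil.example/view/x",
        "https://sites.google.com@evil.example/view/x",
        "https://SITES.google.com./view/y",
    ]
    for u in flag_user_content_links(sample):
        print("user-content host:", u)
```

The same rule generalises to any "trusted brand, untrusted content" host (object storage buckets, pages hosts); add them to the set and the label-boundary check keeps working.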
- At $WORK traffic between zones ($REGION-DataTransfer-Regional-Bytes) is our second largest cost on our AWS bill, more than our EC2/EKS cost. It adds up to mid six figures each year. We try to minimize this where it is easy to do so. For example, our EKS pods perform reads against RDS read replicas in the same AZ only, but you're out of luck for writes to the primary instance. To reduce this in any significant way can eat up a lot of time, and for us, the cost is enough to be painful but not enough to dedicate an engineer to fixing it.
This is precisely how Amazon's bread is buttered. An outage affecting an entire AZ is rare enough that I would feel pretty happy making all our clusters single-AZ, but it would be a fool's errand for me to convince management to go against Amazon's official recommendations.
- This makes Ruby Central look even worse. TFA is only concerned with the root user, and the timeline ends at September 30, but Arko was able to confirm as late as October 5 that he had access to _other_ accounts with production access. Ruby Central doesn't seem interested in mentioning in the article that even after being notified about unauthorized access they still hadn't rotated all relevant credentials almost a week later.
- This was my understanding as well, but earlier I couldn't find any documentation to prove this so I never wrote a comment.
CloudTrail can be configured to save logs to S3 or CloudWatch Logs, but I think that even if you were to disable, delete, or tamper with these logs, you can still search and download unaltered logs directly from AWS using the CloudTrail Events page.
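As an added example (not from the comment above), this is the programmatic version of looking at the CloudTrail Events page: query the 90-day event history for the management calls that blind or weaken a trail. The list of event names is an assumption. The function takes the client as a parameter so that it can run offline against the constructed `FakeCloudTrail` below; in production you would pass `boto3.client("cloudtrail", region_name=...)`.

```python
from datetime import datetime, timedelta, timezone

# Management calls that stop, remove or narrow logging. Assumed list for
# this example; extend it to whatever your detection baseline covers.
TAMPER_EVENTS = (
    "StopLogging",
    "DeleteTrail",
    "UpdateTrail",
    "PutEventSelectors",
    "StopConfigurationRecorder",
    "DeleteConfigurationRecorder",
)


def find_tamper_events(client, days=90, event_names=TAMPER_EVENTS):
    """Search the CloudTrail event history for tampering calls.

    `client` is a boto3 cloudtrail client or anything exposing the same
    lookup_events(**kwargs) -> dict interface. lookup_events accepts a
    single LookupAttribute per call, hence one query per event name, and
    pages with NextToken.
    """
    start = datetime.now(timezone.utc) - timedelta(days=days)
    found = []
    for name in event_names:
        kwargs = {
            "LookupAttributes": [
                {"AttributeKey": "EventName", "AttributeValue": name}
            ],
            "StartTime": start,
        }
        while True:
            resp = client.lookup_events(**kwargs)
            for ev in resp.get("Events", []):
                found.append({
                    "time": ev.get("EventTime"),
                    "name": ev.get("EventName"),
                    "user": ev.get("Username"),
                    "id": ev.get("EventId"),
                })
            token = resp.get("NextToken")
            if not token:
                break
            kwargs["NextToken"] = token
    return found


class FakeCloudTrail:
    """Constructed stand-in for the boto3 client so the example runs offline.
    It filters on EventName and pages one event at a time to exercise the
    NextToken loop."""

    def __init__(self, events, page_size=1):
        self._events = events
        self._page = page_size

    def lookup_events(self, **kwargs):
        name = kwargs["LookupAttributes"][0]["AttributeValue"]
        matching = [e for e in self._events if e["EventName"] == name]
        start = int(kwargs.get("NextToken", 0))
        page = matching[start:start + self._page]
        resp = {"Events": page}
        if start + self._page < len(matching):
            resp["NextToken"] = str(start + self._page)
        return resp


# Constructed sample events, shaped like lookup_events output.
_T0 = datetime(2025, 10, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"EventId": "e1", "EventName": "DescribeTrails", "Username": "alice", "EventTime": _T0},
    {"EventId": "e2", "EventName": "StopLogging", "Username": "alice", "EventTime": _T0},
    {"EventId": "e3", "EventName": "StopLogging", "Username": "ci-role", "EventTime": _T0},
    {"EventId": "e4", "EventName": "DeleteTrail", "Username": "alice", "EventTime": _T0},
]


if __name__ == "__main__":
    for hit in find_tamper_events(FakeCloudTrail(SAMPLE_EVENTS)):
        print(hit["time"], hit["name"], hit["user"], hit["id"])
```

Two caveats a practitioner will hit: event history is per region, so loop over regions (or search in the trail's home region for global-service events), and it only holds 90 days of management events, so it is a backstop for the tampered S3/CloudWatch copies, not a replacement for them.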
- I believe this is a scenario where AWS recommends multiple accounts.
1. Create another "management" AWS account, and make your other AWS account a child to that.
2. Ensure no one ever logs in to the "management" account, as there shouldn't be any business purpose in doing so. For example, you should require a hardware key to log in.
3. Configure the "management" account to force child accounts to enable AWS Config, AWS CloudTrail, etc. Also force them to duplicate logs to the "management" account.
Step 2 is important. At the end of the day, an organization can always find a way to render their security measures useless.
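Step 3 above is normally done with a service control policy (SCP) attached to the organization root or OU. As an added example, not taken from the comment or from AWS documentation, here is such a policy next to the default `FullAWSAccess` SCP that every new organization starts with, plus a small evaluator for the Action/Effect subset of SCP semantics (conditions and NotAction are out of scope) so you can check which calls a policy actually blocks. The action list is an assumption to extend.

```python
import json
import re

# Default SCP on a fresh organization: allows everything, denies nothing.
FULL_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Guard policy for child accounts. Assumed action list; the Deny wins over
# any Allow in the account's own IAM policies.
TRAIL_GUARD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyTrailAndConfigTampering",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyLeavingTheOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' are the only
    wildcards (unlike fnmatch, '[' has no special meaning)."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern.lower()
    )
    return re.fullmatch(regex, action.lower()) is not None


def scp_denies(policy: dict, action: str) -> bool:
    """True if any Deny statement in the SCP matches the action."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            return True
    return False


def blocked_actions(policy: dict, actions) -> list:
    """Subset of `actions` that the SCP blocks, for a quick policy review."""
    return [a for a in actions if scp_denies(policy, a)]


if __name__ == "__main__":
    probes = [
        "cloudtrail:StopLogging",
        "cloudtrail:DescribeTrails",
        "config:StopConfigurationRecorder",
        "organizations:LeaveOrganization",
    ]
    print("FullAWSAccess blocks:", blocked_actions(FULL_ACCESS_SCP, probes))
    print("guard SCP blocks:   ", blocked_actions(TRAIL_GUARD_SCP, probes))
    print(json.dumps(TRAIL_GUARD_SCP, indent=2))
```

One caveat that ties back to step 2: SCPs never apply to the management account itself, only to member accounts, which is exactly why nobody should be logging in to it for day-to-day work.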
- I recently learned Go for the first time and I have played almost 50 games of 9x9 on Online Go Server so far. I’m finding it a lot of fun but it has been very humbling.
I learned chess in 7th or 8th grade and was easily able to get to about 700 Elo on chess.com after barely learning the rules, which is about the 60th percentile on the site. I only play a couple games a year now but can still hold my own against 1200 Elo opponents, which is in the 90th percentile.
I feel like I have put in just as much effort into learning Go. I bought a book and have been doing exercises. But I’m still in the 0.1 percentile on the site! (Yes, that’s not a typo.)
I’m sticking with it because it’s fun and that’s all that matters. But I definitely have a lot to learn.
- He's accused Luis Paulo Supi (Brazilian grandmaster) a few times after losing to him, and he accused Andrew Tang after losing to him. The latter was criticized in some online circles because it was seen as bullying a then 14-year-old.
I don't know many other notable cases of Nakamura accusing players of cheating. Many players dislike how Nakamura conducts himself on stream and how he interacts with the chess community and this leads to exaggeration. It's simply wrong to compare him to Kramnik, who has dedicated many hours over the last couple years to accusing players.
- It’s a good first step, but a significant number of GitHub Actions pull a Docker image from a repository such as Docker Hub. In those cases, the GitHub Action being immutable wouldn’t prevent the downstream Docker image from being mutated.
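The way to close the gap described above is to pin the image by digest rather than by tag, both in the action's Dockerfile `FROM` line and in `docker://` references. As an added example (not from the comment, and not GitHub's or Docker's own tooling), here is a small scanner that finds image references that are only tag-pinned in Dockerfile and workflow/action YAML text. The sample inputs and the digest value are constructed.

```python
import re

# A digest-pinned reference ends in @sha256:<64 hex>; a tag alone can be
# repointed by whoever controls the repository.
_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Dockerfile: FROM [--platform=...] <image> [AS <stage>]
_FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
_STAGE_RE = re.compile(r"\sAS\s+(\S+)\s*$", re.IGNORECASE)
# action.yml:  image: 'docker://...'   workflow:  uses: docker://...
_DOCKER_URI_RE = re.compile(
    r"^\s*-?\s*(?:image|uses):\s*['\"]?docker://([^'\"\s]+)", re.IGNORECASE
)


def is_digest_pinned(image_ref: str) -> bool:
    return _DIGEST_RE.search(image_ref.strip()) is not None


def find_unpinned_images(text: str):
    """Return (line_no, image_ref) for every pulled image that lacks a digest.

    Multi-stage aliases ('FROM build') and 'scratch' are not pulls and are
    skipped.
    """
    stages = {m.group(1).lower() for line in text.splitlines()
              if (m := _STAGE_RE.search(line)) and _FROM_RE.match(line)}
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _FROM_RE.match(line) or _DOCKER_URI_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.lower() in stages or ref.lower() == "scratch":
            continue
        if not is_digest_pinned(ref):
            hits.append((n, ref))
    return hits


# Constructed sample files; the digest is a placeholder, not a real image.
FAKE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_DOCKERFILE = f"""\
FROM python:3.12-slim AS build
RUN pip install --no-cache-dir requests
FROM gcr.io/distroless/python3@{FAKE_DIGEST}
COPY --from=build /usr/local /usr/local
FROM build
"""
SAMPLE_ACTION_YML = f"""\
runs:
  using: 'docker'
  image: 'docker://ghcr.io/example-org/tool:v1'
steps:
  - uses: docker://alpine:3.19@{FAKE_DIGEST}
"""


if __name__ == "__main__":
    for name, text in (("Dockerfile", SAMPLE_DOCKERFILE), ("action.yml", SAMPLE_ACTION_YML)):
        for line_no, ref in find_unpinned_images(text):
            print(f"{name}:{line_no}: image pulled by tag only: {ref}")
```

Pinning by digest only freezes the bits; a tag that is also present (`alpine:3.19@sha256:...`) is ignored at pull time, so keep the tag for readability and let a bot bump the digest deliberately.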
- It's pretty clear the developer blocked him from the @iceblock.app account because of the blog post criticizing him, and then blocked him from the other account after he said to not respond but got a page of text back instead. It had nothing to do with the vulnerability report.
Now, the blog post seems to be reasonable criticism to me so I don't think the developer should have blocked him for it. But I don't know, no one has ever written a blog post about me, and I'm not receiving death threats and being threatened by the federal government.
At the end of the day, the author is trying to frame this interaction along the lines of, "Sensitive user data is at risk, and I was blocked for no reason other than for letting the developer know" -- the first part has not been proven to be true, and the second is obviously not true.
- The author says "it might be trivial for anyone to hack your server." "Might" is doing way too much heavy lifting here. Actually, the author has no idea if there is any actual exploitable vulnerability on the server. They just Googled a version number and fired off a "vulnerability report," which "might" be worth as much as the dozens of emails I get a month about "huge vulnerabilities" related to my SPF record, or those CVEs that boil down to "if someone has root on the machine they could do something bad on the machine."
I can't help but feel that the author's motivation was to get some sort of reaction, and now they've gotten it. If this vulnerability was so vital to be patched, why would it be bundled into a "by the way" DM on Twitter along with a post heavily criticizing the app developer? Both people involved can be idiots here.
- It took me a couple reads of the PDF but I think you're right. The author creates an HTTP request Promise, and then immediately returns a response thereby shutting down the Lambda. They have logging which shows the background HTTP request was in the early stages of being sent to the server but the server never receives anything. They also have an error handler that is supposed to catch errors during the HTTP request but it isn't executed either. The reason for both seems quite obvious: it's completely expected that a Lambda being shut down wouldn't finish making the request and it certainly wouldn't stick around to execute error handling code after the request was cancelled.
As an aside I find it strange that the author spent all this time writing this document but would not provide the actual code that demonstrates the issue. They say they wrote "minimal plain NodeJS functions" to reproduce it. What would be the reason to not show proof of concept code? Instead they only show code written by an AWS engineer, with multiple caveats that their code is different in subtle ways.
The author intends for this to be some big exposé of AWS Support dropping the ball but I think it's the opposite. They entertained him through many phone calls and many emails, and after all that work they still offered him a $4000 account credit. For comparison, it's implied that the Lambda usage they were billed for is less than $700 as that figure also includes their monthly AWS Support cost. In other words they offered him a credit for over 5x the financial cost to him for a misunderstanding that was his fault. On the other hand, he sounds like a nightmare customer. He used AWS's offer of a credit as an admission of fault ("If the platform functioned correctly, then why offer credits?") then got angry when AWS reasonably took back the offer.
- At work I use Datadog, but it's very expensive for a homelab: $15/mo per host (and for cost I prefer using multiple cheap servers than a single large one).
NewRelic and Grafana Cloud have pretty good free plan limits, but I'm paying for that in effort because I don't use either at work so it's not what I'm used to.
- I've tried this on a RCL ship and it didn't work, so YMMV
- "Minor" was a poor word choice, I'm not sure what word would have been better. My intention was to say that I don't see how a non-lawyer could have any reasonable opinion on how a legal document is drafted. That is also why I don't agree with the author about replacing that with AI. They absolutely should weigh in on overall strategy because you need to consider factors such as your company's finances, risk tolerance, etc. In the same way that you might decide with your doctor that you want a surgery done but you have to trust them to do the surgery properly.
- My reading of the article is that it has nothing to do with the author's trust or lack thereof for their lawyer. I think the author would agree that you have to find a lawyer you trust, just as you need a doctor you can trust.
I trust my doctor, and if it's a minor issue like needing antibiotics for something I just accept whatever they prescribe. But if it was a life or death situation I am not going to blindly follow their advice without any questions. I ask my doctor for their recommendations but I make the final decision. They may disagree with that decision but ultimately it's my life at risk and I'm the one who suffers the consequences. As long as you are reasonable and not trying to cure cancer with fruit I hope that the majority of doctors are going to support this.
When it comes to drafting contracts or other minor issues you should just trust your lawyer. But if the lawsuit has the ability to completely end your company I think it would be a mistake to do the same. But I'm not a founder so maybe my opinion isn't worth anything here. I've only hired a lawyer once for a landlord-tenant dispute; my lawyer gave their recommendations, I disagreed with them, and they said alright, it's your money, but it ultimately worked out so we were both happy. I find it interesting that the author had trouble at first finding a lawyer who would agree to this arrangement because that wasn't my experience.
If you're going to do this, you need to do your own research beforehand. In my case I read all the relevant tenant laws before I even met with the lawyer. Today I might use AI to help with that, but I would be wary of hallucinations. I think the majority of the article is about this: just using AI to help with research before meetings with your lawyer.
At the end of the article the author says they are now using AI to draft legal documents and I don't agree with that but that's just me.
https://www.theverge.com/news/704468/bluesky-age-verificatio...