
Comment Pathetic; but classically so (Score 2) 35

What seems so strikingly pathetic is just how ordinary the attack is; but it sailed right through because "AI" hype seems to do some mixture of attracting drooling idiots and convincing people who ought to know better that if they don't abandon everything in the race for minimum viable product someone else will get to securitize the omnibrain forever.

Random guy just sent a pull request to Amazon's project and they were "OK, seems cool" and added it. That's how an idiot child would think a supply chain attack would work; except it turns out that it actually does.

And then, of course, they scrubbed it without a changelog or a CVE; because the memory hole is a totally viable communications strategy.

Comment I'm confused. (Score 2) 54

Does "The bias is in favor of clean athletes: that you can be clean and win" actually follow in any way from the discussion of various bike, itinerary, and diet optimizations that would presumably also be helpful to people shot full of veterinary hormones or whatever; or is this just Tygart saying what his job requires?

I'm definitely not a cycling strategist; but the various optimizations described sound like they are either neutral (like lower drag frames), or potentially even more helpful if you can find a way to sneak a few drugs in (like tighter diet control and better route planning that would potentially reward the ability to make quick metabolic adjustments under specific circumstances); none of those changes sound like they are skewed in favor of baseline users specifically.

Comment Re:Will it make ICEs irrelevant (Score 2) 173

I don't drive 600 miles without stopping. I could, however, completely understand not refueling in that time.

I expect to stop after about an hour or two on the road to use the toilet. After that, about every 4 hours until I'm there. I don't know if you've done much driving in the US, but the vast majority of our highways don't have service plazas such as are common in most of Europe. You actually have to exit the highway and find a gas station (or, if EV, charger). The only Tesla Supercharger in my area is in a place that makes sense from the company's perspective (fringes of an outlet mall parking lot, ready access to high-power lines), and yes, we all have GPS now, but it's decidedly not a minor detour to get to. From getting into the exit lane from the highway to being at the charger is a solid five minutes' drive each way, during which time you will pass two large truck stops that have all the amenities that long-haul truckers need (showers, e.g.) as well as a large selection of snacks and drinks, which the Supercharger doesn't - you'll have to walk to the outlet mall's food court. And once you're at the charger, it's outside and uncovered. Enjoy baking your car in the sun or soaking yourself if it's raining.

Anyway, the whole point from my perspective about insane range isn't how often I use it fully. I don't use up the 600-mile range of my wife's car (what we use for trips) fully, but 600 miles at ~80 mph with air conditioning or heating on probably corresponds to an 800-mile theoretical max range (at most-efficient speed, no climate control used). It's that I can count on 3/4 of that without worrying about it. And since you're going to protect your battery by keeping it between 10-80% most of the time, you're already limiting yourself to 70% of total capacity for typical driving.

I agree that charging that was as fast as fueling an ICE car would go a long way to mitigating that issue, but I still don't want every single bathroom stop to be 15-20 minutes (exit highway, drive to station, fuel/charge, drive to highway, get back on) when they could be ~5 minutes at a rest stop that just has bathrooms, not gasoline. Nor, once I've settled in for some serious miles, do I want to be forced to stop every 2.5-3 hours.

Comment The only good thing (quite possibly a mistake) (Score 3, Informative) 34

The only nice thing I can say about Broadcom's support portal (which is shit regardless of what 'entitlements' it thinks your account has) is that it treats the SHA hashes as being on the public side of the paywall for any downloads that require a signed in account and specific blessings of that account; rather than putting the SHA and the download link on the same paywalled page.

This makes getting the binary from someone more competent and then checking its legitimacy considerably easier.

Comment Re:Understandable but in practice, not sustainable (Score 1) 72

Yeah, I was adding that note mostly because it is relevant to the "but what if they encrypted a hospital and people are dying right now?" case. If it were actually the case that you just needed a private key and 10 minutes to get things back up and running you would need to at least reckon with the "yes, we are in fact incurring more downtime now, with the consequences that probably entails, because we believe it will result in better ongoing results" issue. Since recovery tends to be fairly arduous even when people do pay up (and often relies in large part on the same capabilities you'd use for a rebuild or restore from backups) the questions about whether you'd really let patients die while the lab is down are often less compelling than they sound (not entirely fictitious, depending on the size of the population served by the lab and the urgency of their requirements even an hour's difference could easily be killing someone). It's still something you do because you think the ongoing equilibrium created by not paying will be better; but the option you are turning down is not necessarily particularly fast.

Comment But would I buy it from you? (Score 2) 230

I'm really not sure why I'd want to risk helping fund a domestic authoritarian when I've got the option of spending less on a foreign one whose reach is less likely to include me.

There are absolutely Americans I could get behind buying hardware from; but, for some weird reason, naming your defense contractor after a Tolkien thing is a pretty reliable sign of being among the most degenerate flavors of reactionary techbro going.

Comment Re:"Central" is probably overstating it. (Score 3, Insightful) 20

That's true; I was speaking a bit too informally: my intended meaning was that, in terms of bandwidth, one of the contemporary Nvidia datacenter systems is very much set up to avoid bottlenecking on the CPU or the PCIe root complex. It's true that a lot of their marching orders have to be delivered from CPU to GPU; but the local NVLink and placement of RDMA InfiniBand or BlueField Ethernet DPUs on the same PCIe switches as the GPUs is very much intended to minimize the amount of traffic where the GPU is directly in the critical path.

They don't seem to have done much in the direction of trying to cut the CPU out of the action entirely (I think some of their DPUs can act as PCIe roots if you really want them to; but that's kind of a niche thing); and it's probably not worth the effort when there are a competitive number of options for CPUs that have a big chunky memory controller for system RAM and enough PCIe and general maturity to handle miscellaneous peripherals and the housekeeping OS. They absolutely have done a fair amount of work to cut the CPU out of the critical path for high speed data transfer; with their NVLink-equipped parts being placed significantly higher up the performance ladder than the PCIe-only ones (and even those aren't just sitting waiting for PIO all day); and GPUDirect RDMA on network interfaces for scaleout is considered an important feature.

They definitely don't exactly skimp on CPU in their own DGX units; so they aren't exactly vestigial; but the intent certainly appears to involve leaning as little on the CPU's capabilities as possible.

What seems most interesting about going RISC-V is that, while their attempt to buy the company didn't go so well, Nvidia already has pet ARM parts, both 'Grace Hopper' and in their DPUs. Not sure if that's a future option thing, or a China market thing.

Comment Re:UK Banned stabbings (Score 1) 72

"See how banning crime worked for you, lol" isn't quite false; but it's not really a terribly good analogy in this case. Banning stabbing is more of a parallel to banning cyberattacks; and obviously both of those bans neither prevent stabbings nor prevent cyberattacks.

This is an attempt to change the incentives: on the org side by removing "just pay up" as an implicit alternative to "do better DR", and hopefully getting IT more attention for security and DR work; and on the attacker side by creating a group of potential victims who are legally forbidden to pay; so hopefully are seen as less worth the trouble.

Purely malicious or political wipers won't give a damn; but the guys looking to get paid may well be influenced by the fact that the people they are looking to negotiate with can only get fired for bad IT; but could potentially see actual charges for paying them, and will be evaluating accordingly.

Comment Re:Understandable but in practice, not sustainable (Score 1) 72

One thing to remember is that, depending on the attacker and the details of the attack, it's often the case that paying also doesn't allow a particularly quick restore (even if you are doing the crazy risky thing of just slapping what got owned back into production and calling it good).

Some threat actor groups are pretty sophisticated in offensive operations; but the quality of their decryptor tools and the 'support' side of the equation is often pretty variable; and, no matter the tools, the logistics of shoving updated config and data into a whole lot of broken endpoints is always going to suck; especially when IT staffing is pretty much universally cut right down to the number of people who can keep the fires to a minimum when all the RMM tools are working and it's mostly break/fix.

Comment Re:Hopefully (Score 1) 72

Given how absolutely terrible motherboard vendor software support tends to be (both timeliness, existence, and quality of firmware and BMC updates, and any of the awful OS-level utilities they provide) I'd be deeply unnerved at the thought of bringing them any further into the process; but you could probably get a lot of the same benefits by taking advantage of the fact that hypervisor support can be pretty safely assumed even on consumer tier hardware of late.

A sufficiently sophisticated attacker could probably do things that you could only stop if you did add some dedicated hardware control buttons (ideally not run through the same EC that handles OS-visible peripherals; those sorts of embedded processors are more obscure than hardened) to manipulate the hypervisor state; but (especially if it was a niche configuration) you could probably get a considerable percentage of the benefits on standard hardware with just one teeny guest that owns the SSD and presents a virtual disk to the primary guest that owns everything else and talks to the virtual disk; especially in environments where there's enough IT admin that "just don't let the user touch the hypervisor config" is a viable option; rather than the self-serve case where you would need an interface that the user can reach interactively but OS malware cannot.

Sort of a Qubes-like; but storage focused.

Comment "Central" is probably overstating it. (Score 4, Informative) 20

It's definitely interesting that Nvidia thinks RISC-V is big enough to be worth the port; but describing the CPU as 'central' to Nvidia's preferred design is deeply overselling it. The recommended layout is basically a bunch of GPUs chatting with one another over NVLink within the chassis; and using GPUDirect RDMA on Nvidia InfiniBand cards located on the same PCIe switch that the GPUs are for scaleout; with Nvidia Ethernet DPUs handling the remaining high speed networking; and the CPU doing housekeeping.

Given that porting and maintaining on another ISA isn't free, the fact that Nvidia bothered is certainly a vote of confidence in at least middling RISC-V options actually being attractive to enough potential buyers to be worth it; but the CPU is not intended to be a major player in a CUDA-oriented system, especially one of the larger ones.

Comment Seems implausible... (Score 1) 127

Even if we take the claims about the quality of 'AI' tools at face value; it seems fundamentally contradictory to talk about the situation as though they can just keep making engineers more productive.

The exact multiple of the baseline 1x engineer isn't entirely clear; but at some point the ability of a human to act on outputs and provide further prompts in response is reached. Any further improvements in productivity would then have to come from the system being reliable enough that much of its output simply doesn't need a close look and it can complete much larger chunks without being talked through it repeatedly. That's certainly not inconceivable; but if the tool is reaching those levels of semi-autonomy the need for a hotshot engineer is now declining because you can mostly get away with just letting the bot do its thing.

It seems sort of like saying that machine tools and heavy industrial equipment will produce "100x blacksmiths". If you just look at nail output per person per hour it's probably more like 100,000x blacksmiths; but the secret to producing more nails was not better power hammers; it was the fact that we don't really use blacksmiths to produce nails anymore.

Comment Re:Reality follows fiction (Score 3, Interesting) 72

I wanted to like GATTACA; but it really ended up being almost the opposite of what it professed to be about (admittedly, in a way that seems very much like something we would do): the premise is supposedly that genetic engineering has allowed all men to not be created equal, and there are some lightweight examples of that being true (none of the engineered characters require corrective lenses; some of the naturals are identifiable by being contact lens users); but in important areas it just never actually seems to matter; the main character is supposed to have a serious cardiac condition that, um, never actually stops him from out-swimming his modified brother through the power of the human spirit or conducting astronaut training as long as he plays back the cardiac data from the suicidal athlete whose identity he assumed (apparently genetic optimization doesn't extend to psych coverage?)

And the society itself seems to realize that at some level: theoretically the premise is deeply troubling because what of a society where people are profoundly unequal by birth; but in implementation there's precious little sign of 'meritocratic' squeeze-out (there's the one woman in the astronaut training program who isn't going to make the cut because she uses glasses; but is still in the training program for some reason?): just people getting hired based on a genetic test and the ongoing battle by the protagonist to carefully cover all traces of his DNA with replacements from the guy he is impersonating because his job performance won't actually matter if the geneticops enforcing the haves/have-nots distinctions aren't doing performance based evaluations.

As noted; using relatively weak scientific evidence to justify treating people with wealthy parents as though they are better than the rest is absolutely something we would do; we'd love a blood test for legacy admits; but as a movie about genetic engineering making people unequal, rather than a movie about people running a caste system loosely justified by genetic engineering, it really doesn't go much of anywhere.
