
Comment So where's the con? (Score 1) 8

PayPal claims "decreases the cost of transactions by up to 90% when compared to credit card processing" ("Comparison of Pay with Crypto transaction rate and direct credit card processing fees for international sales including currency conversion fees by leading payment processor")

Given the relatively high costs of doing 'crypto' transactions (I think I've seen some of the ones that are most aggressive about trying to be actually usable to transact rather than just hoard claiming to be roughly on par with conventional transaction costs, more computationally expensive but less conventional org overhead; most significantly worse); does the alleged 90% savings just mean that they are counting cost of the transaction from when they receive the coins, not the gas fees that got them there; or picking a particularly grievously overpriced provider of credit card linked currency exchange?

Comment Re:12,069 (Score 1) 60

I'd be a bit curious what the distribution of 'middle and top level' titles looks like. It's not like venture capital is 100% a confidence game; but there definitely seems to be an element of prestige involved (both in terms of obtaining capital to VC with and in terms of being a name that gets shouted from the press releases if it is involved in a funding round). That seems like the sort of environment where there would be an incentive for basically everyone who puts their name directly on a deal to be classified as at least midlevel to senior; because titles are cheap and having your funding round handled by "junior loser for rookie numbers" just doesn't look as good.

You probably can't get away with an employee directory that is nothing but 'senior master of the universe'; but to the degree that prestige matters there would be an incentive to have a sharp jump between the people who don't put their names directly on deals who can be classified as various flavors of analyst and the people who do, where you might as well just have them jump immediately to being classified as midlevel with a specific area focus or senior.

Comment Isn't that the point? (Score 3, Insightful) 133

You know that someone has a couple of screws loose when they are treating "sufficiently wealthy that working hard is optional" as some kind of disaster.

Isn't that the whole point of being wealthy? Sure, if your hobby is making line go up you do you; but for most people money is a means to an end, not an end in itself, so if you've already got the money why would you keep grinding away when you could be pursuing your ends instead?

Comment Pathetic; but classically so (Score 2) 35

What seems so strikingly pathetic is just how ordinary the attack is; but it sailed right through because "AI" hype seems to do some mixture of attracting drooling idiots and convincing people who ought to know better that if they don't abandon everything in the race for minimum viable product someone else will get to securitize the omnibrain forever.

Random guy just sent a pull request to Amazon's project and they were "OK, seems cool" and added it. That's how an idiot child would think a supply chain attack would work; except it turns out that it actually does.

And then, of course, they scrubbed it without a changelog or a CVE; because the memory hole is a totally viable communications strategy.

Comment I'm confused. (Score 2) 55

Does "The bias is in favor of clean athletes: that you can be clean and win" actually follow in any way from the discussion of various bike, itinerary, and diet optimizations that would presumably also be helpful to people shot full of veterinary hormones or whatever; or is this just Tygart saying what his job requires?

I'm definitely not a cycling strategist; but the various optimizations described sound like they are either neutral (like lower drag frames), or potentially even more helpful if you can find a way to sneak a few drugs in (like tighter diet control and better route planning that would potentially reward the ability to make quick metabolic adjustments under specific circumstances); none of those changes sound like they are skewed in favor of baseline users specifically.

Comment The only good thing (quite possibly a mistake) (Score 3, Informative) 34

The only nice thing I can say about Broadcom's support portal (which is shit regardless of what 'entitlements' it thinks your account has) is that it treats the SHA hashes as being on the public side of the paywall for any downloads that require a signed in account and specific blessings of that account; rather than putting the SHA and the download link on the same paywalled page.

This makes getting the binary from someone more competent and then checking its legitimacy considerably easier.

Comment Re:Understandable but in practice, not sustainable (Score 1) 72

Yeah, I was adding that note mostly because it is relevant to the "but what if they encrypted a hospital and people are dying right now?" case. If it were actually the case that you just needed a private key and 10 minutes to get things back up and running you would need to at least reckon with the "yes, we are in fact incurring more downtime now, with the consequences that probably entails, because we believe it will result in better ongoing results" issue. Since recovery tends to be fairly arduous even when people do pay up (and often relies in large part on the same capabilities you'd use for a rebuild or restore from backups) the questions about whether you'd really let patients die while the lab is down are often less compelling than they sound (not entirely fictitious, depending on the size of the population served by the lab and the urgency of their requirements even an hour's difference could easily be killing someone). It's still something you do because you think the ongoing equilibrium created by not paying will be better; but the option you are turning down is not necessarily particularly fast.

Comment But would I buy it from you? (Score 2) 232

I'm really not sure why I'd want to risk helping fund a domestic authoritarian when I've got the option of spending less on a foreign one whose reach is less likely to include me.

There are absolutely Americans I could get behind buying hardware from; but, for some weird reason, naming your defense contractor after a Tolkien thing is a pretty reliable sign of being among the most degenerate flavors of reactionary techbro going.

Comment Re:"Central" is probably overstating it. (Score 3, Insightful) 20

That's true; I was speaking a bit too informally: my intended meaning was that, in terms of bandwidth, one of the contemporary Nvidia datacenter systems is very much set up to avoid bottlenecking on the CPU or the PCIe root complex. It's true that a lot of their marching orders have to be delivered from CPU to GPU; but the local NVLink and placement of RDMA InfiniBand or BlueField ethernet DPUs on the same PCIe switches as the GPUs is very much intended to minimize the amount of traffic where the GPU is directly in the critical path.

They don't seem to have done much in the direction of trying to cut the CPU out of the action entirely (I think some of their DPUs can act as PCIe roots if you really want them to; but that's kind of a niche thing); and it's probably not worth the effort when there are a competitive number of options for CPUs that have a big chunky memory controller for system RAM and enough PCIe and general maturity to handle miscellaneous peripherals and the housekeeping OS. They absolutely have done a fair amount of work to cut the CPU out of the critical path for high speed data transfer; with their NVLink-equipped parts being placed significantly higher up the performance ladder than the PCIe only ones (and even those aren't just sitting waiting for PIO all day); and GPUDirect RDMA on network interfaces for scaleout is considered an important feature.

They definitely don't exactly skimp on CPU in their own DGX units; so they aren't exactly vestigial; but the intent certainly appears to involve leaning as little on the CPU's capabilities as possible.

What seems most interesting about going RISC-V is that, while their attempt to buy the company didn't go so well, Nvidia already has pet ARM parts, both 'Grace Hopper' and in their DPUs. Not sure if that's a future option thing, or a China market thing.

Comment Re:UK Banned stabbings (Score 1) 72

"See how banning crime worked for you, lol" isn't quite false; but it's not really a terribly good analogy in this case. Banning stabbing is more of a parallel to banning cyberattacks; and obviously both of those bans neither prevent stabbings nor prevent cyberattacks.

This is an attempt to change the incentives: on the org side by removing "just pay up" as an implicit alternative to "do better DR", and hopefully getting IT more attention for security and DR work; and on the attacker side by creating a group of potential victims who are legally forbidden to pay; so hopefully are seen as less worth the trouble.

Purely malicious or political wipers won't give a damn; but the guys looking to get paid may well be influenced by the fact that the people they are looking to negotiate with can only get fired for bad IT; but could potentially see actual charges for paying them, and will be evaluating accordingly.

Comment Re:Understandable but in practice, not sustainable (Score 1) 72

One thing to remember is that, depending on the attacker and the details of the attack, it's often the case that paying also doesn't allow a particularly quick restore (even if you are doing the crazy risky thing of just slapping what got owned back into production and calling it good).

Some threat actor groups are pretty sophisticated in offensive operations; but the quality of their decryptor tools and the 'support' side of the equation is often pretty variable; and, no matter the tools, the logistics of shoving updated config and data into a whole lot of broken endpoints is always going to suck; especially when IT staffing is pretty much universally cut right down to the number of people who can keep the fires to a minimum when all the RMM tools are working and it's mostly break/fix.

Comment Re:Hopefully (Score 1) 72

Given how absolutely terrible motherboard vendor software support tends to be (both timeliness, existence, and quality of firmware and BMC updates, and any of the awful OS-level utilities they provide) I'd be deeply unnerved at the thought of bringing them any further into the process; but you could probably get a lot of the same benefits by taking advantage of the fact that hypervisor support can be pretty safely assumed even on consumer tier hardware of late.

A sufficiently sophisticated attacker could probably do things that you could only stop if you did add some dedicated hardware control buttons (ideally not run through the same EC that handles OS-visible peripherals; those sorts of embedded processors are more obscure than hardened) to manipulate the hypervisor state; but (especially if it was a niche configuration) you could probably get a considerable percentage of the benefits on standard hardware with just one teeny guest that owns the SSD and presents a virtual disk to the primary guest that owns everything else and talks to the virtual disk; especially in environments where there's enough IT admin that "just don't let the user touch the hypervisor config" is a viable option; rather than the self-serve case where you would need an interface that the user can reach interactively but OS malware cannot.

Sort of a Qubes-like; but storage focused.
