Since this is an unencrypted binary, I'm sure it won't be difficult to reverse engineer. And it will definitely be open source sooner or later. But first, we'll try to convince Rockchip to open source it. Especially since the RK3576 has other proprietary parts, such as OP-TEE and some registers. Also it has a Cortex M0 core, which is also not documented.
Our wifi chipset MT7921AUN has an open driver in the mainline. Of course wifi firmware is binary. But you can use the whole system without wifi. The main idea is to make the platform open, so you don't need blobs to boot and use the system.
We're currently negotiating with Rockchip and will first try to convince them to open source. This particular binary isn't a problem right now. I'm sure it will be open source sooner or later. All efforts are currently focused on hardware validation, and software is being developed only in areas where hardware verification is required.
Since this is a portable battery-powered device, rather than first pushing to open-source the DDR training blob, which is non-resident in memory after it's done its job and a fairly small binary (less chance for hiding bugs), I'd say it's more important to get open-sourced the support in the BL31 Trusted Firmware for dynamic voltage and frequency scaling of DRAM, and support for maximum power savings in suspend mode.
Rockchip have not fully open-sourced the DRAM DVFS support in BL31, but it's key to achieving full run-time battery life on portable devices - see https://xnux.eu/log/083.html
And the system suspend implementation that Rockchip did open-source in upstream BL31 lacks some functionality compared to their binary BL31, mostly about powering off as many peripherals as possible to save power.
I'm not saying don't bother opening the DDR training, just that these two things are much more important for a portable battery-powered device.
It’s a bizarre feeling isn’t it? Sorry you’re having to defend the act of thinking.
The problem is you can’t defend it right? Someone could say your evidence came from a prompt:
“Take this article and reverse engineer a hypothetical unpolished first draft written in a mix of Russian and English”
I’m not sure what the right answer is here. Fwiw I have no doubt you wrote it unassisted.
I've seen many people on reddit use AIs to translate their text. Given that it clearly puts the "default AI voice" on top of their text, it makes me think that it is a fairly inaccurate translation. I suspect something like Google Translate is still better for most people, because it seems to do better at maintaining the voice. Of course in the limit, what I'm calling "voice" simply can't be translated between languages, but you can certainly do much better than slamming "default AI voice" on top of people's writing. I'm sure under the hood Google Translate is a whole bunch of LLMs too now, but special-purpose translation LLMs without the agent refinement can do a lot better. It's unfortunate that people think this is an easy way to translate but the chatbot LLMs, while capable of understanding multiple languages and superficially translating them, probably shouldn't be used for this purpose.
It may be possible to prompt the chatbots to also use a certain style in the target language to get it out, but I'm not fluent enough in a second language to know if it worked and I'm yet to see any of the several people I've suggested this to try it, so I'd be interested if anyone knows if this works.
In my experience, Google Translate is still so much worse than even free ChatGPT at translating that it is unusable for anything you want to put out and have it seem at least somewhat professional.
Especially the voice, ChatGPT seems to infer the formality and overall tone much better than Google Translate. YMMV.
Bummer. I'm sure someone could build a fantastic translator with our current AI stack but I can't argue with them that the return would not be worth it compared to training another general-purpose AI. But the general-purpose AIs impose way too much of their own voice on the translated results.
Chain of trust from RFID chips embedded in their fingertips that authenticated to their keyboard, proving that at least their fingers grazed the keys that formed the message.
But what if they're reading off of a pre-written message?
On one hand, you’re right. On the other, it’s normal that humans want to gauge the authenticity of the things they interact with. Some sort of uncanny valley thing.
And still, those humans would go outside and check when they heard an odd noise, so they could ascertain if it was a threat or not. This is more of this.
I have trouble understanding this. I don't see anyone complaining that we use microwaves and ovens instead of going for lit wood to cook or using search engines instead of crawling through libraries, or using Google Maps instead of using paper maps. These are tools. If output of an LLM conveys the ideas to be told, then what is the problem?
You are paying restaurants for food to be prepared in the way you want. But this is not the same. Someone created some content the way they want. You haven't ordered that content. And you complain it's not prepared the way you like.
One related problem I see is the avoidance of accountability and responsibility that's prevalent. When people use AI words and don't check they actually match their intent or voice, and then if something was incorrect or didn't stand the test of scrutiny they avoid accountability and can say "The AI wrote it and I didn't check it closely". It seems similar to what we see in leadership chains in some organizations, we are struggling to hold those people accountable so we lash out on whomever and whatever we can so IMO that's part of the emotional undertone of the whiplash we see on AI content here.
Edit: Since this is possible, I think it's important to start to ask "did you use AI and disclose it?" as it sets the tone better.
"Translation tools" is AI, so it's correct that our AI-sensors went off.
Edit: Also, speaking as a trans person, the analogue would be looking at a trans person and noticing that they are trans. Which is not a transvestigation. (You wouldn't normally announce that said person is trans, because it's usually not relevant. It often is relevant if an article is written with AI.)
I've been using translation tools a bunch these last few years. Nobody seemed to have any hate for better accessibility.. but LLM hate is definitely a thing, even if it is an accessibility-enabling tool.
It's obviously subjective, but I have a feeling this community has descended into hardcore cynicism and cheap meta analysis of most articles I care about. Maybe it's the times we live in.
I barely spend much time in the comment sections nowadays - once I stopped visiting this website I started following a bunch of makers on youtube and printables, and got looped into some discord groups and meetups. It was a breath of fresh air - would definitely recommend.
Phoronix is so much worse... but in general I think it's mostly a problem with older tech "experts". They have developed a jaded, egotistical world view where only their own opinions can matter, and everyone else is wrong.
I never spent much time there but I have heard people say that. A part of me worries that I might have become the old "get off my lawn" type of person in some ways.
I just don't relate to a lot of the upvoted content here, so instead of singing my soul trying to make sense of things, I moved on. Perhaps it's not my place to be any more. These new places I have joined are much easier for me to talk in, and there are no upvotes/downvotes so people tend to be pretty chill and genuine, even if it causes friction sometimes.
Sorry but I call bullshit. There’s em-dashes all over, even in your original text. Were the editors or translators an AI? Did the editors use AI to “polish” it?
The emojis used in the bullet points (which are missing from your original text, but were added in at some point) are also dead giveaways that AI was involved here.
The em dash "gotcha" is so fucking tiring at this point.
It is perfectly possible, and even easy, to write e[nm] dashes manually. With compose key sequences it's barely more effort than typing a normal dash/hyphen, even. (Just compose key + `-.` for en dash, and `--` for em dash.)
I can't understand why people defend improper typography. If you're writing a proper, professional-looking blog post, they think you now should use double-minus -- instead of em-dash to make it look non-AI like, only for that reason?
In Russia, we have many typography keyboards/addons, because, well, it historically looked very silly to use double-minus or "-quotes instead of «»-quotes.
I've no idea how some countries got their typography standardized on the PCs and have it from the very beginning (Germany with their quotes for example), but the other countries need to set up external software and configuration. Apparently, US also didn't get their "third level" keyboard as a standard.
I used em-dashes before Gen AI was a thing and I refuse to stop using them. Doing so is admitting the AI companies won. I am not going to change the way I write just to appease some terminally online folks who lack the ability to understand that LLMs learned to write from our writings.
Ignoring references, just in article text:
5800 words (spaces);
78 em dashes (1.3%);
0 en dashes;
90 hyphens (1.5%).
English version of same timeframe:
16000 words;
0 em dashes;
32 en dashes (0.2%);
262 hyphens (1.6%).
> The emojis used in the bullet points
They're used in one list, where sub-projects are listed. Emojis used in that list are consistent with ones used for same sub-projects on Wiki https://docs.flipper.net/one
Someone thought it would be better than plain text, that's it.
For those who work from home, we have made it possible to hang the device on the door so that no one knocks on your door when you are on call. Also, by integration with the BUSY App it can automatically block notifications on phone and desktop when you are in focus mode.
Side note to people reading this: in general, when suspecting a scam, don't blindly trust anyone who says "I'm ... and I confirm this is OK". This may be the very same person who you're suspecting of the original scam ;). Not a theory, I have cases like this every other week in my day job.
It might ring better for the cypherpunks here that zhovner has verified their HN account ownership with their keybase GPG key, which can only be done by editing an account's profile description to include a specific signature (or by defacing HN / breaching the account). And the same key is also used to prove ownership of their Github account and website.
Idea of Flipper Zero was to lower our guard and trust their company with security, while actually shipping hardware with backdoors -- which the Flipper Zero will, for some reason, not be able to detect.
The Flipper Zero is the backdoor, on the Day of Reckoning everyone's Flipper will emit a signal that will drive people into a murderous rage and detonate all nukes while "zhovner", if that is his real name, hides in a mountain lair with a selection of hand-picked people that he has Chosen to repopulate the earth with. Once the billions have perished, his buddy Musk will launch his fleet of Starships full of handpicked seed ships to spread throughout the solar system and galaxy to spread humanity across the universe like a disease.
More important note to people reading this: use your brain. Is it likely that a scammer will create an extremely professional website and product, and then their scam is to ride the coattails of another brand and try to keep that scam up with Hacker News comments?
(I think lots of HN people have issues with reality so just in case the answer is: absolutely not.)
Yes, actually. Well, everything except the last point. If you're unfamiliar with UFO 50, it's a recent collection of games inspired by 80s-esque computer game design. The reason why I bring this up is because there's a website (ufo50.net) which is actually fake and completely unrelated to the actual ufo50 site (50games.fun) which is designed to be SEO-bait so that it can absorb traffic from search engines.
Same, except the last point, I feel like I've seen that pattern multiple times. And it's not like it's expensive to do (presumably unless you get sued or something).
Well that's not the same is it? They aren't creating a whole new extremely professional product and just saying "made by OtherBrand"; they just cloned a website (probably using an LLM).
So yes except for the last point, and also the other points...
Yes. Someone had their iPhone stolen. They got a text message on their partner's phone from Apple saying that their phone had been located; they followed the link and ended up on a professional, Apple designed website, showing a map pointing to a distant country where the phone was located, and they prompted the user to type in the phone's pin code in order to lock the phone or something like that.
They only caught themselves while halfway filling in the code, and I'm sure that was captured too.
However, the original inventor of the Pomodoro technique explicitly advocates a "low tech" approach - a mechanical kitchen timer, because he argued that the tactile and auditory elements (i.e., the turning moves and ticking sounds) get associated with the elements of the techniques in the human brain.
It would be interesting to evaluate both variants of the approach in a scientific experiment.
This product (1) is not just for Pomodoro and (2) has nice tactile hardware.
I think hardware that can "passively" be more useful with sensors and similar are easy wins. No reason it has to disrupt a timer, it just hides sensors you'd want within a device that would already be sitting out in your home/office.
Ahh, the inevitable slippery slope of feature requests. Making hardware for geeks is a tough business because they’ll always say they’d buy it if it had just one or two more features, but by the time you add all of the feature requests they complain that it’s too expensive.
You can get a good CO2 sensor for less than $50 [1]. For large-batch orders the whole device can be less than $50 [2]. Where are you getting an almost $300 addition to the base price?
I think it should also have NVMe and SFF-8644 for external disk shelves. At least 6x 10GbE, with 4 on SFPs and 2 on copper. A GPU with excellent hardware transcoding, and slotted VRAM for that local LLM fun. Plus an 8k projector for movie nights at the office.
And a pony; every single one of these fucking kitchen timers must also come with a pony.
I think you're missing the obvious play to subsidize the price by making that LLM enabled with a mic and then selling all of that training data. The price could then come down to $19.99.
It looks gorgeous, especially the hardware. I think the typeface on the hardware and the retro busy text could be further refined, but it is very very cool overall.
A version of this that would be useful for WFH or private offices is an 'on air' device that you could mount outside your office door, which means it's not connected to your computer and could potentially run on a battery for a week+ or run on usb power directly.
People want to come in sometimes to access a closet, but they don't know if you're in a meeting, so it would also need to detect if you're in a meeting, and the microphone being on or off is not enough because people often mute themselves. Calendar access is also not enough because sometimes you start a meeting without a calendar thingy, and also knowing if you're 'on air' with an open door can tell them if they have to be worried if they could be on camera if they walk by the door.
It could be a very simple LED, it just needs a good agent on your desktop. Also a 'yellow light' for an upcoming meeting in a couple minutes (so this is where calendar access is useful) or an orange light for camera & microphone off.
I'd love for this thing to be feature-flexible enough to use it for the exact opposite: running TV/screen/videogame timer for the kids!
Looks great, love the dial/switch big button combo, and the opportunity to buy something attractive that's a "hackable screen with buttons" is very high for me.
Another likely use is to be a controller for audiobooks or music in our rumpus if I ever get a hold of one. Again, drivable by kids and oldies who visit is a huge plus.
Funnily, the way I used to check Keybase profiles is to check Twitter because a blue checkmark there was usually a good indication of them being "the famous person" but thanks to Twitter Blue that feature is no longer usable.
I understand Keybase allows you to link up a bunch of accounts, but it doesn't prevent you from making all of those accounts say you are the CEO/CTO of some company unfortunately.
> but it doesn't prevent you from making all of those accounts say you are the CEO/CTO of some company unfortunately
At least a GitHub profile link can usually be used to validate that this account actually has write access to a GitHub organization, so you can somewhat see it's the right person. Requires them to have pushed any public commits to within that organization though.
> What are the odds of a kit version with a lower pricetag and some assembly required?
Or even better, a version that ships with everything besides "the brain" and allows us to use our Flipper Zero as the brain :) Looking at the old blog articles about the project, it seems it got started with using Flipper Zero as the brain, so maybe it's not that far-fetched.
>The attacker managed to issue multiple SSL/TLS certificates via Let’s Encrypt for jabber.ru and xmpp.ru domains since 18 Apr 2023
Why is it even possible to issue more than 1 certificate on the same domain via Let’s Encrypt? Shouldn't the previous certificate be revoked when a new one is issued?
It's fairly common for people to obtain multiple certificates for different machines or services, so they can be selectively revoked and they don't have to share keys across machines.
More use-cases:
- You might obtain a new certificate, but deploy it gradually, so you want the old one to remain valid while you do that.
- One certificate may cover different sets of domain names. If you have a certificate for "example.com, foo.example.com" and then request a certificate for only "foo.example.com", should the earlier one be revoked? (leaving "example.com" without a certificate).
> Why is it even possible to issue more than 1 certificate on the same domain via Let’s Encrypt?
it's commonly used in a "normal" way all the time
- e.g. when there are multiple data centers for the same domain (e.g. using geo-location based routing) it's a good practice to give them different certs so that if you need to revoke one the operation in other regions is unaffected
- or when rolling over from one cert to another
- or when moving certs into hardware security keys/module (HSK) you preferably do have one per HSK (so that if e.g. hardware breaks and gets replaced you can just revoke the cert for the affected HSK module not all of them), you also normally do not keep backups to make sure it can't be leaked at all (as long as the HSK isn't hacked which is normally quite hard)
- or losing access to a cert (e.g. in the case above a HSK breaks)
Lastly the whole CA system is in the end designed to provide good security for the industry while having the backdoor of issuing certs to the legal organs to allow the police some degree of wiretapping (oversimplified, it's slightly more complex than that).
You should always have more than a single certificate for your domain honestly.
Cloudflare for example, tries to optimize certificate delivery (and have backup certificates available for you just in case a CA needs to revoke theirs).
Also, on distributed systems it's less safe to share private keys between the various frontends.
This is actually a great suggestion and ACME providers should provide it as an opt-in feature via CAA record. Not even the provider having access to system memory could issue a mitm cert without you noticing.
You could sync certificates across hosts for this purpose, though. The advantage of multiple certificates is being able to revoke a subset of certificates if you can determine only a subset of your hosts have been compromised.
you could, but unfortunately the LE certs have a very short lifetime, and renewals are a thing
so you need a master server to handle the renewals, periodic sync, and to handle the case when the master goes away
this would be considerably more complicated than having a second independent certificate (assuming you've automated the entire frontend provisioning process)
> Why is it even possible to issue more than 1 certificate on the same domain via Let’s Encrypt? Shouldn't the previous certificate be revoked when a new one is issued?
First, you want to have some leeway so you don't need to rotate certs at the exact second the old one expires
Second, you might want to have cert-per-server rather than cert-per-domain, as that's frankly easier to implement vs having a common store for certs+key
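
As an added illustration (not part of any comment above): since several valid certificates per name are normal for the reasons the replies give, the useful alarm is a certificate for your domain whose public key you did not generate. The records, host names and key fingerprints below are constructed; where the issuance records come from (for example Certificate Transparency logs) is an assumption.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    serial: str
    names: tuple          # subjectAltName DNS entries
    not_before: date
    not_after: date
    key_fp: str           # fingerprint of the certificate's public key


def covers(name: str, domain: str) -> bool:
    """True if a SAN entry (possibly a wildcard) falls under the watched domain."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def audit(records, known_keys, domain, today):
    """Split certificates for `domain` into legitimate-and-valid vs. unknown-key."""
    legit_valid, unexpected = [], []
    for rec in sorted(records, key=lambda r: r.not_before):
        if not any(covers(n, domain) for n in rec.names):
            continue
        if rec.key_fp not in known_keys:
            # Flag even if expired: it may have been used while it was valid.
            unexpected.append(rec.serial)
        elif rec.not_before <= today <= rec.not_after:
            legit_valid.append(rec.serial)
    return {"legit_valid": legit_valid, "unexpected": unexpected}


# Constructed inventory: keys generated on our own front ends (hypothetical hosts).
KNOWN_KEYS = {"k-eu-1": "fe-eu-1", "k-us-1": "fe-us-1"}

# Constructed issuance records for the reserved name example.org.
RECORDS = [
    # Multi-name cert on the EU front end.
    CertRecord("01", ("example.org", "foo.example.org"),
               date(2024, 3, 1), date(2024, 5, 30), "k-eu-1"),
    # Per-server cert with its own key on the US front end.
    CertRecord("02", ("foo.example.org",),
               date(2024, 4, 1), date(2024, 6, 30), "k-us-1"),
    # Renewal that overlaps serial 01 during rollover.
    CertRecord("03", ("example.org",),
               date(2024, 5, 1), date(2024, 7, 30), "k-eu-1"),
    # Key that is not in the inventory: the case worth an alert.
    CertRecord("04", ("example.org", "*.example.org"),
               date(2024, 4, 20), date(2024, 7, 19), "k-unknown"),
    # Unrelated domain, ignored.
    CertRecord("05", ("example.net",),
               date(2024, 4, 2), date(2024, 7, 1), "k-other"),
]

if __name__ == "__main__":
    print(audit(RECORDS, KNOWN_KEYS, "example.org", date(2024, 5, 10)))
```

Three legitimate certificates are valid at the same time here, which is why revoking the previous certificate on every new issuance would break per-server and rollover setups.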