• 1 Post
  • 531 Comments
Joined 11 months ago
cake
Cake day: July 14th, 2023

help-circle





  • hedgehog@ttrpg.networktoTechnology@lemmy.world*Permanently Deleted*
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    2
    ·
    6 days ago

    Tons of laptops with top notch specs for 1/2 the price of a M1/2 out there

    The 13” M1 MacBook Air is $700 new from Best Buy. Better specced versions are available for $600 used (buy-it-now) on eBay, but the base specced version is available for $500 or less.

    What $300 or less used / $350 new laptops are you recommending here?


  • ultimately the market is behaving as if the threats are sincere so whether or not Valve would follow through is irrelevent to whether the presence of a policy is an exhibition of monopolistic power

    Courts have interpreted the anti-monopoly portion of the Sherman act, which governs antitrust law in the US, to mean that monopoly is only unlawful if the power is used in an unlawful way or if the monopoly was acquired through unlawful means.

    The need to see an actual example of a game being delisted for violation of the policy is a weirdly high standard of evidence

    As a smoking gun, I don’t think it’s unreasonable to ask for something like that.

    If it’s a policy Valve denies and the only evidence of it existing is a single reply in a forum somewhere, then yes, I’m skeptical. And given that there are examples of companies that were willing to break explicit, defensible policies, why aren’t there examples of companies who broke these? Unless the plaintiffs bring in multiple witnesses to testify that this was the policy communicated to them or something along those lines, I can’t see the evidence that they did have this policy being more compelling than the fact that there’s a complete lack of evidence that they ever acted on it.

    To be clear, I’m not saying Valve needs to have said that was the reason. But it certainly needs to look like that was the reason. If Valve can’t provide a valid reason for the termination, then that’s very compelling, and even if they can, it’ll come down to which is more believable.


  • Thank you! That document is exactly the sort of thing I was looking for. Just realized (after writing most of this comment) that it’s for Wolfire and not Vicki Shotbolt’s case, but the commentary’s still relevant, I think.

    There’s enough there that they may have a legitimate case, but there’s also a lot that is, as far as I know, completely acceptable for Valve to do. The specific items you listed, as well as a couple before / after them, are the most promising, IMO, but even so, there are a couple different counter-arguments that I could see Valve making.

    The first counter-argument would be that the comments in 204-205 were in the context of publishers who had already received Steam keys for the games in question and did not apply to games where the publisher had not received Steam keys.

    The second counter-argument would be that Tom Giardino was not speaking to Valve’s actual policy and/or that he was making empty threats that he didn’t have the power to enforce. Tom’s still with Valve (according to https://www.valvesoftware.com/en/people) so they wouldn’t be able to show that he was fired for giving publishers incorrect information, but it would be feasible for them to have record of him having gotten disciplinary action or something along those lines. Without something like that it’s much less credible stance, but not unbelievable - they’d basically have to be admitting negligence since this is a record of the actions of a representative their company. My gut says they were at least complicit.

    200 says Valve “insisted” a publisher change their price on the Discord Store but doesn’t indicate any enforcement action was taken. At first glance, 209 appeared to apply, but it, too, involves the sale of Steam keys. 230 goes into a bit more detail about 209.

    I read through the filing and still don’t see any instances of a game being delisted because it was being sold for cheaper elsewhere, when Steam keys weren’t in play. A lack of enforcement action against publishers not using Steam keys who set a different price in another storefront would go a long way toward showing that Valve’s policy was only relevant when the publishers were using Steam keys.

    In either case, Valve will need to make the argument that it is not anti-competitive to require publishers to agree to these terms when requesting free Steam keys.

    The arguments regarding DLC exclusivity (172-184) are another area where Valve might be found to be anti-competitive. That said, I don’t think exclusive DLCs benefit consumers and I would expect Valve to argue that the intent and impact of requiring DLC be published on their platform is for consumers’ benefit. I think proving something here would be dependent on the pricing angle.

    I still think Valve could argue that the intent and impact of their pricing decisions are to the benefit of consumers. The specific enforcement actions brought up were all in relation to the price of Steam keys on third-party storefronts, which I think will be held to a much lower standard than restricting the price of the game on other platforms. After all, the benefits of Steam keys aren’t intrinsic to Steam, and other platforms are free to offer a similar benefit to game publishers.

    In 191, the plaintiff shows that a publisher could set the price on a rival platform at 20% less and make more profit than on Steam. However, there aren’t any examples of enforcement actions where the discount on a rival platform did not exceed a 20% difference. Ultimately, if they don’t have at least that - optimally for a game whose publisher didn’t ever receive free Steam keys - the singular statement of one of their representatives might be the only concrete evidence they have. And at that point, the argument that Tom was just making empty threats has a lot more weight.


  • theoretically they can

    Is this a purely theoretical capability or is there actually evidence they have this capability?

    it’s already been proven that they can tap into anyone’s phone

    Listening into a conversation that you’re intentionally relaying across public infrastructure and gaining access to the phone itself are two very different things.

    The use of proprietary software in literally everything

    1. Speak for yourself. And let’s be real, if you’re on Lemmy you’re 10 times more likely to be running Linux.
    2. Proprietary != closed source
    3. Do you really think that just because something is closed source means that it can’t be analyzed?

    the amount of exploits the NSA has on hand

    How many zero-day exploits does the NSA have? How many can be deployed remotely and without a nontrivial action by a user?

    what’s stopping the NSA from spying this much?

    Scale, capacity, cost, number of employees

    —-

    I’m not saying we shouldn’t oppose government surveillance. We absolutely should. But like another commenter pointed out, I’m much more concerned with the amount of data that corporations collect and have.


  • The article also says

    The first point is one we’ve heard repeated many times before, but there’s never been any proof on it. Which perhaps the Wolfire lawsuit and this may actually bring to light. An accusation doesn’t necessarily mean they’re right though. Something people get confused on often is Steam Keys, which are completely separate to Steam Store purchases.

    Saying “Don’t sell Steam keys off-platform for more than X% less than the game is priced for on Steam” and “Don’t sell your game elsewhere for more than X% less than the game is priced for on Steam“ are very different things. Steam openly does the former; I’ve never heard a reputable report of them doing the latter. The Wolfire lawsuit is explicitly about the former practice, for example.

    The press release for this lawsuit reads like it’s about the latter, but I suspect that’s solely for optics. I reviewed the website dedicated to the lawsuit (steamyouoweus.co.uk) and thought they might have some more concrete evidence - nope, nothing. Under the first question in FAQs they have a link to their key documents, but the documents are “coming soon.”

    Until they actually substantiate their claim, this lawsuit is just noise.



  • reasonable expectations and uses for LLMs.

    LLMs are only ever going to be a single component of an AI system. We’ve only had LLMs with their current capabilities for a very short time period, so the research and experimentation to find optimal system patterns, given the capabilities of LLMs, has necessarily been limited.

    I personally believe it’s possible, but we need to get vendors and managers to stop trying to sprinkle “AI” in everything like some goddamn Good Idea Fairy.

    That’s a separate problem. Unless it results in decreased research into improving the systems that leverage LLMs, e.g., by resulting in pervasive negative AI sentiment, it won’t have a negative on the progress of the research. Rather the opposite, in fact, as seeing which uses of AI are successful and which are not (success here being measured by customer acceptance and interest, not by the AI’s efficacy) is information that can help direct and inspire research avenues.

    LLMs are good for providing answers to well defined problems which can be answered with existing documentation.

    Clarification: LLMs are not reliable at this task, but we have patterns for systems that leverage LLMs that are much better at it, thanks to techniques like RAG, supervisor LLMs, etc…

    When the problem is poorly defined and/or the answer isn’t as well documented or has a lot of nuance, they then do a spectacular job of generating bullshit.

    TBH, so would a random person in such a situation (if they produced anything at all).

    As an example: how often have you heard about a company’s marketing departments over-hyping their upcoming product, resulting in unmet consumer expectation, a ton of extra work from the product’s developers and engineers, or both? This is because those marketers don’t really understand the product - either because they don’t have the information, didn’t read it, because they got conflicting information, or because the information they have is written for a different audience - i.e., a developer, not a marketer - and the nuance is lost in translation.

    At the company level, you can structure a system that marketers work within that will result in them providing more correct information. That starts with them being given all of the correct information in the first place. However, even then, the marketer won’t be solving problems like a developer. But if you ask them to write some copy to describe the product, or write up a commercial script where the product is used, or something along those lines, they can do that.

    And yet the marketer role here is still more complex than our existing AI systems, but those systems are already incorporating patterns very similar to those that a marketer uses day-to-day. And AI researchers - academic, corporate, and hobbyists - are looking into more ways that this can be done.

    If we want an AI system to be able to solve problems more reliably, we have to, at minimum:

    • break down the problems into more consumable parts
    • ensure that components are asked to solve problems they’re well-suited for, which means that we won’t be using an LLM - or even necessarily an AI solution at all - for every problem type that the system solves
    • have a feedback loop / review process built into the system

    In terms of what they can accept as input, LLMs have a huge amount of flexibility - much higher than what they appear to be good at and much, much higher than what they’re actually good at. They’re a compelling hammer. System designers need to not just be aware of which problems are nails and which are screws or unpainted wood or something else entirely, but also ensure that the systems can perform that identification on their own.




  • And when you’re comparing two closed source options, there are techniques available to evaluate them. Based off the results of people who have published their results from using these techniques, Apple is not as private as they claim. This is most egregious when it comes to first party apps, which is concerning. However, when it comes to using any non-Apple app, they’re much better than Google is when using any non-Google app.

    There’s enough overlap in skillset that pretty much anyone performing those evaluations will likely find it trivial to configure Android to be privacy-respecting - i.e., by using GrapheneOS on a Pixel or some other custom ROM - but most users are not going to do that.

    And if someone is not going to do that, Android is worse for their privacy.

    It doesn’t make sense to say “iPhones are worse at respecting user privacy than Android phones” when by default and in practice for most people, the opposite is true. What we should be saying is “iPhones are better at respecting privacy by default, but if privacy is important to you, the best option is to put in a bit of extra work and install GrapheneOS on a Pixel.”






  • That’s still a single point of failure.

    So is TLS or the compromise of a major root certificate authority, and those have no bearing on whether an approach qualifies as using 2FA.

    The question is “How vulnerable is your authentication approach to attack?” If an approach is especially vulnerable, like using SMS or push notifications (where you tap to confirm vs receiving a code that you enter in the app) for 2FA, then it should be discouraged. So the question becomes “Is storing your TOTP secrets in your password manager an especially vulnerable approach to authentication?” I don’t believe it is, and further, I don’t believe it’s any more vulnerable than using a separate app on your mobile device (which is the generally recommended alternative).

    What happens if someone finds an exploit that bypasses the login process entirely?

    Then they get a copy of your encrypted vault. If your vault password is weak, they’ll be able to crack it and get access to everything. This is a great argument for making sure you have a good vault password, but there are a lot of great arguments for that.

    Or do you mean that they get access to your logged in vault by compromising your device? That’s the most likely worst case scenario, and in such a scenario:

    • all of your logged in accounts can be compromised by stealing your sessions
    • even if you use a different app for your 2FA, those TOTP secrets and passkeys can be stolen - they have to be on a different device
    • you’re also likely to be subject to a ransomware attack

    In other words, your only accounts that are not vulnerable in this situation solely because their TOTP secret is on a different device are the ones you don’t use on that device in the first place. This is mostly relevant if your computer is compromised - if your phone is compromised, then it doesn’t matter that you use a separate password manager and authenticator app.

    If you use an account on your computer, since it can be compromised without having the credentials on device, you might as well have the credentials on device. If you’re concerned about the device being compromised and want to protect an account that you don’t use on that device, then you can store the credentials in a different vault that isn’t stored on your device.

    Even more common, though? MITM phishing attacks. If your password manager verifies the url, fills the password, and fills your TOTP, then that can help against those. Start using a different device and those protections fall away. If your vault has been compromised and your passwords are known to an attacker, but they don’t have your TOTP secrets, you’re at higher risk of erroneously entering them into a phishing site.

    Either approach (same app vs different app) has trade-offs and both approaches are vulnerable to different sorts of attacks. It doesn’t make sense to say that one counts as 2FA but the other doesn’t. They’re differently resilient - that’s it. Consider your individual threat model and one may be a better option than the other.

    That said, if you’re concerned about the resiliency of your 2FA approach, then look into using dedicated security keys. U2F / WebAuthn both give better phishing resistance than a browser extension filling a password or TOTP can, and having the private key inaccessible can help mitigate device compromise concerns.