Readit News
drdaeman commented on The warning signs the AI bubble is about to burst   telegraph.co.uk/business/... · Posted by u/taimurkazmi
verbify · 2 days ago
The article claims that:

a) AI is a bubble

b) It's about to burst

This is based on a study that "just 5pc of integrated AI pilots are extracting millions in value, while the vast majority remain stuck with no measurable P&L [profit and loss] impact".

I think the conclusions (while possibly true) are not supported here. By comparison, in the stock market in general, just a handful of stocks provide most of the returns over the past few decades. This does not mean the stock market is a bubble or about to burst.

drdaeman · 2 days ago
Article talks about "AI" as a buzzword. My understanding is that "AI" here means something much closer to "market virtue signalling" when every product now has "AI", rather than "cutting-edge ML research".

It's the kind of "AI" I see when I walk by the TVs at Costco and see that every box that used to feature the word "smart" now has "AI" prominently written on it, even though in practice no one knows for sure what it possibly means or does. In this sense - sense of companies slapping "AI" (whatever it means to them) for the sake of having "AI" looks like a bubble/fad/hype.

I have no idea about any possible economic outcomes of that hype declining (for a better term than "bubble" "bursting"), but I'm skeptical it's gonna be anything huge. My whole life I've seen endless examples of companies realizing their "hot topic" marketing strategy stopped working (or never worked at all) and they just pivot to different strategies without any severe impacts. As long, of course, as the company had an actually useful product and the issue was merely with the marketing.

drdaeman commented on Code formatting comes to uv experimentally   pydevtools.com/blog/uv-fo... · Posted by u/tanelpoder
charliermarsh · 2 days ago
To clarify, `ruff` and `uv` aren't being merged. They remain separate tools. This is more about providing a simpler experience for users that don't want to think about their formatter as a separate tool.

The analogy would be to Cargo: `cargo fmt` just runs `rustfmt`, but you can also run `rustfmt` separately if you want.

drdaeman · 2 days ago
Isn’t there `uv tool run ruff` already for this? Or `uv run ruff` if it’s a proper dependency? I’m not sure what’s the point of a special shortcut command, unless there are plans to make it flexible so it’ll be an abstraction over formatters (unifying ruff, black, etc).


drdaeman commented on M5 MacBook Pro No Longer Coming in 2025   macrumors.com/2025/07/10/... · Posted by u/behnamoh
sys_64738 · 15 days ago
Is anybody buying x86 based laptops nowadays? It seems that there are few advantages over ARM based Windows/Linux or the M-series laptops.
drdaeman · 15 days ago
I do. Wanted a discrete GPU and ability to run all the games I love on the go, including those that may want a little bit of GPU performance and don't have a macOS port. Can't realistically do this on non-x86.
drdaeman commented on Cursor CLI   cursor.com/cli... · Posted by u/gonzalovargas
zarzavat · 16 days ago
Never. It's a marketing strategy. Some percentage of users will check these files into their repos, and some percentage of repo browsers will think "what is this X.md?" Given how much money people are spending on these things the value of having a unique filename must be enormous.
drdaeman · 16 days ago
It’s a marketing strategy that works here and now, but “never” is a very long time. What could be seen as pioneers claiming names today could be also seen as retrogressive stubbornness tomorrow and lose its marketing value.
drdaeman commented on Emailing a one-time code is worse than passwords   blog.danielh.cc/blog/pass... · Posted by u/max__dev
charcircuit · 17 days ago
>You’re falling for the exact “better security” fallacy

How is it a fallacy? The rate of account compromises is a real metric that is affected by how good the security for accounts is.

drdaeman · 16 days ago
I've tried to explain it in my comment above.

Yes, the rate of account compromises is a metric we can define. But attestation doesn't directly or invariably improve this metric. It may do so in some specific scenarios, but it's not universally true (unless proven otherwise, which I highly doubt). In other words, it's not an immediate consequence.

It could help to try to imagine a scenario where limited choice can actually degrade this metric. For example, bugs happen - remember that Infineon vulnerability affecting YubiKeys, or the Debian predictable RNG issue, or many more implementation flaws, or various master key leaks. The less diverse the landscape is, the worse the ripples are. And that's just what I can think of right away. (Once again, attestation does not guarantee that the implementation is secure, only that it was signed by keys that are supposed to be only in the possession of a specific vendor.)

Also, this is not the only metric that may possibly matter. If we think about it, we probably don't want to tunnel vision ourselves into oversimplifying the system, heading into the infamous "lies, damned lies, and statistics" territory. It is dangerous to do so when the true scope is huge - and we're talking about an Internet-wide standard so it's mindbogglingly so. All the side effects cannot be neglected, not even in the name of some arbitrarily-selected "greater good".

All this said, please be aware that I'm not saying that lack of attestation is not without possible negative effects. Not at all, I can imagine things working either way in different scenarios. All I'm saying is that it's not simple or straightforward, and that careful consideration must be taken. As with everything in our lives, I guess.

drdaeman commented on Emailing a one-time code is worse than passwords   blog.danielh.cc/blog/pass... · Posted by u/max__dev
charcircuit · 17 days ago
You don't, but with one services have a better guarantee that they are.
drdaeman · 17 days ago
You’re falling for the exact “better security” fallacy I was trying to warn about. Security is not a rating, “better security/guarantee” is not a really meaningful phrase on its own, even though it’s very tempting to take mental shortcuts and think in such terms.

Attestation provides a guarantee that the credential is stored in a system controlled by a specific vendor. It’s not “more” or “less” secure, it’s just what it literally says. It provides guarantees of uniformity, not safe storage of credentials. An implementation from a different vendor is not necessarily flawed! And properties/guarantees don’t live on some universal (or majority-applicable) “good-to-bad” scale, no such thing exists.

This could make sense in a corporate setting, where corporate may have a meaningful reason to want predictability and uniformity. It doesn’t make sense in a free-for-all open world scenario where visitors are diverse.

I guess it’s the same nearsighted attitude that makes companies think they want to stifle competition, even though history has plenty of examples of how it leads to net negative effects in the long run despite all the short term benefits. It’s as if the ‘00s browser wars haven’t taught people anything (IE won back then - and where is it now?)

drdaeman commented on Emailing a one-time code is worse than passwords   blog.danielh.cc/blog/pass... · Posted by u/max__dev
t_mann · 17 days ago
Passkeys are in their infancy. You don't go about rolling out such patterns when most users haven't even switched yet and big players like Apple are still resisting attestations (last time I checked). The problem is that the feature is there and can be (ab)-used in this way, so it should be rejected on principle, irrespective of whether it's a problem right now.

I understand the value of attestations in a corporate environment when you want to lock down your employees' devices. But that could simply have been handled through a separate standard for that use case.

drdaeman · 17 days ago
At the very least the spec should be painstakingly insistent on not requiring attestation unless implementors have really thought and understood the reasons why they need the security properties provided by attestation in their particular use case. And that it has to be something more meaningful than “be more secure this way” as security is not a rating (even though security ratings exist) but a set of properties, and not every possible security guarantee is universally desirable (please correct me if I’m wrong here, of course), and at least some are not without downsides. Maybe even strongly recommend library authors to pass the message on.
drdaeman commented on NetBird Is Embracing the AGPLv3 License   netbird.io/knowledge-hub/... · Posted by u/braginini
graemep · 18 days ago
> There needs to be a license that enables your customers to use you freely, but not your competitors from reselling your hard work.

There are such licenses. They are just not open source.

drdaeman · 18 days ago
> that enables your customers to use you freely [...] There are such licenses

There are such licenses only if you change the definition of "freely" to fit the narrative. Historically, "freely" (as in "free software") means granting end-user four essential software freedoms:

- The freedom to run the program as you wish, for any purpose (freedom 0).

- The freedom to study how the program works, and change it to make it do what you wish (freedom 1). Access to the source code is a precondition for this.

- The freedom to redistribute copies so you can help others (freedom 2).

- The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

If I can't redistribute ("resell") software, or can't run it and let others access it for a fee - it's not "use freely" anymore.

drdaeman commented on Passkeys are just passwords that require a password manager   danfabulich.medium.com/pa... · Posted by u/dfabulich
Garrrrrr · 19 days ago
stuff like this makes me wish Firefox supported serial communication like Chrome does :/. I haven't run into this since I don't have a hardware passkey, but the Circuit Python website makes it super easy to communicate and flash over serial... except I have to use Chrome for five minutes
drdaeman · 19 days ago
For DIY interaction with USB Webauthn/Passkey hardware tokens, you don't want serial (USB CDC), you want USB HID protocol. Those are two different things.

This was briefly possible with WebUSB, but all mainstream browser vendors have a stoplist of certain USB devices for security reasons.

u/drdaeman

Karma: 7910 · Cake day: August 16, 2010
About
Just lurking around for news and other gossip.

Contacts: https://zhukov.al/, mailto:public@zhukov.al

This is a personal account that I have for myself, not someone else. So, the views expressed herein blah-blah-blah - the usual disclaimer applies. I may refer to something as "we had this or that" with "we" being the reference to my past or present employers, relatives, acquaintances, imaginary friends or anyone else. This does not make me speak for anyone else but myself, though. Unless otherwise is stated very explicitly.

NOTE: "drdaeman" is preferably spelled all-lowercase. There's no structure or meaning to this nickname.

[ my public key: https://keybase.io/drdaeman; my proof: https://keybase.io/drdaeman/sigs/JhJF8esTqUTZYBHtpsr_KCev-o6kQmS19KzV07pGL3M ]
