
It's odd how vilified Holmes has become, and how gleeful people--even in these comments--are at her lengthy prison sentence for a nonviolent crime.

She faked it until she (didn't) make it--a strategy praised in other startup narratives. Most of that faking involved secretly running blood tests on traditional test equipment instead of her in-development devices.

I believe there were a handful of tests done on their development devices that returned questionable results for actual patients, which I'm hoping is where all the angry people are focused. But to that point, how accurate and responsible are traditional testing facilities? I personally have had my bloodwork mixed up with someone else's, causing quite a lot of anxiety and extra work from me to sort out.

There are countless instances of labs forging results[0][1], making mistakes[2], and issues with equipment[3] (citations are just the most easily at hand).

Some of the stories cited resulted in criminal convictions, like 3 years for someone who faked thousands of drug-test results leading to false convictions. Compared to what Holmes did, it's hard to see how 11 years (and our society's complete fascination and vilification of her) is appropriate.

[0] https://www.nbcnews.com/news/us-news/epic-drug-lab-scandal-r...

[1] https://www.theguardian.com/australia-news/2022/dec/13/scath...

[2] https://www.bbc.com/news/uk-england-63795285

[3] https://en.wikipedia.org/wiki/Phantom_of_Heilbronn


Um, they hounded at least one person to suicide, and produced erroneous results for people with life threatening conditions. I'm not sure how you get to "non violent" from there, but you do you.


"Nonviolent" does have a pretty straightforward definition that I think you can differentiate from your examples if you were inclined to judge impartially.

When you're predisposed to an opinion, it's easy to come up with justifications. Often those result in misreading/misinterpreting information and then spreading that misinformation for more folks to use as justification.

I don't want to draft a speculative narrative about someone else's life (or its sad end) but I will say that your first allegation sounds like a misinterpretation of the events, at least from reading the Wikipedia article about who you're referring to.


A decade is very reasonable for intentionally, knowingly committing hundreds of millions of dollars worth of fraud and attempting to sustain it across many years of time.

She's little more than a highly skilled, pathological con-artist that worked over a very affluent system (Silicon Valley primarily).

It's not odd how vilified she has become. She appears to be severely deranged, has shown zero remorse for the crimes she committed, and has tried every trick in the bag to try to get out of taking responsibility legally for what she did.

> She faked it until she (didn't) make it--a strategy praised in other startup narratives.

That is not what she did. Holmes committed outright financial fraud by lying to - intentionally misleading - the investors and employees in just about the most epic way you could. She attempted to cover it up repeatedly, keeping the extent of their failures even from the board members whenever possible.

And last but not least, it's the highly regulated healthcare field (everyone here grasps the difference), not a little text search engine (eg Excite was a famous example of faking it until you make it during the dotcom bubble, they bid on a Netscape search deal, for promotion of their service, before they had the money to pay for it, on the basis that they could raise the money if they had the deal; however it's not usually a crime to commit to buy something before you have the money to do so).


It's one thing "faking it until you make it" where consumer trinkets and timewasterish websites are concerned, it's a whole other matter where people's health and lives are at risk. That isn't an arena for faking it.


The first things I think of with "fake it til you make it" are Tesla FSD[0] and Reddit[1]. To this day, if you visit Reddit while logged out it makes the claim that it's a place for "empathy"[2].

Reddit is a hotbed of harassment, targeted abuse, political extremism, celebration of violence, and encouragement of health disorders. Depending on Tesla's self driving technology has gotten people killed. Let me know if you want any citations for those claims but I think you probably know examples of what I'm referring to in each case.

I would posit that people's health and lives are more at risk in both examples, but nobody is being imprisoned for it. Both companies are well aware of the risks but choose to profit off it rather than take responsibility.

[0] https://www.latimes.com/business/story/2022-12-08/tesla-laws...

[1] https://www.inc.com/karl-and-bill/best-advice-fake-it-until-...

[2] https://i.imgur.com/y1Sicxl.png


Give it time. Tesla may be heading to court over FSD and social media is getting a whipping in congressional hearings.


You can at least buy a Tesla and browse Reddit though…


The original tweet author eventually realized this didn't decrease tokens. In most cases it actually increases them compared to just asking GPT to summarize while retaining all functional data. If a word == 1 token, a related emoji will also == 1 token.


The gnarly thing is that common dictionary words are usually 1 or 2 tokens (a whole word, or a stem + a suffix), while things like emojis end up as _3_ tokens.

https://platform.openai.com/tokenizer

The string "The GPT family of models process text using tokens" is 10 tokens.

Feeding that string to the "compressor" results in "GPT models: process_text(tokens)", which is...12 tokens. The OP site incorrectly estimates that this is 8 tokens, likely using a naive word boundary regex or something similar.

This is because punctuation marks are their own tokens, and complex words or abbreviations are broken down into one token per piece in the dictionary. The string "ABCDEFGHIJKLMNOP" (16 characters) is 8 tokens (consisting of the bigrams AB, CD, EF, etc), while the string "Counterintuitive" (also 16 characters) is a whopping 2 tokens (likely the tokens for "counter" and "intuitive").

Fewer characters doesn't equal fewer tokens, and in fact, the more esoteric the string, the more likely it is that it consumes an unintuitively large number of tokens.
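The tokenizer behaviour described above (stems and suffixes as whole tokens, an uppercase letter run as bigrams, an emoji as several byte-level tokens), shown with an added toy example that is not part of the original comment and is not OpenAI's tokenizer: a minimal byte-level BPE encoder driven by a merge table. The merge table is an assumption constructed to mirror the counts the comment reports, not the real GPT vocabulary.

```python
"""Toy byte-level BPE encoder: why fewer characters does not mean fewer tokens."""
from typing import Dict, List, Tuple


def chain_merges(word: bytes) -> List[Tuple[bytes, bytes]]:
    """Merge chain that turns `word` into a single vocabulary entry, left to right."""
    merges = []
    left = word[:1]
    for i in range(1, len(word)):
        right = word[i:i + 1]
        merges.append((left, right))
        left += right
    return merges


# Constructed merge table (illustrative only, NOT a real GPT vocabulary).
# Earlier entries have higher priority, exactly as in a BPE merge list.
MERGES: List[Tuple[bytes, bytes]] = []
for piece in (b"Counter", b"intuitive", b"tokens", b" GPT"):
    MERGES += chain_merges(piece)          # dictionary stems/suffixes become one token
for code in range(ord("A"), ord("P"), 2):  # A..O: bigram merges AB, CD, ..., OP
    MERGES.append((bytes([code]), bytes([code + 1])))
# U+1F600 is the 4 UTF-8 bytes f0 9f 98 80; assume only the leading pair was ever
# merged, so the single emoji still costs 3 tokens (the count the comment quotes).
MERGES.append((b"\xf0", b"\x9f"))

RANK: Dict[Tuple[bytes, bytes], int] = {m: i for i, m in enumerate(MERGES)}


def bpe_encode(text: str) -> List[bytes]:
    """Start from single UTF-8 bytes and repeatedly apply the lowest-ranked
    adjacent merge until no pair in RANK remains (standard BPE encoding)."""
    symbols = [bytes([b]) for b in text.encode("utf-8")]
    while len(symbols) > 1:
        candidates = [
            (RANK[pair], i)
            for i, pair in enumerate(zip(symbols, symbols[1:]))
            if pair in RANK
        ]
        if not candidates:
            break
        _, i = min(candidates)  # best-ranked merge, leftmost on ties
        symbols[i:i + 2] = [symbols[i] + symbols[i + 1]]
    return symbols


def token_count(text: str) -> int:
    """Number of tokens the toy encoder spends on `text`."""
    return len(bpe_encode(text))


def compare(samples: List[str]) -> Dict[str, Tuple[int, int]]:
    """Map each sample to (character count, token count) to show the mismatch."""
    return {s: (len(s), token_count(s)) for s in samples}


if __name__ == "__main__":
    for text, (chars, toks) in compare(
        ["Counterintuitive", "ABCDEFGHIJKLMNOP", "tokens", "\U0001F600"]
    ).items():
        print(f"{text!r}: {chars} chars -> {toks} tokens: {bpe_encode(text)}")
```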


> Unicode characters like emojis may be split into many tokens containing the underlying bytes: [emoji lost in extraction] [<- this is a single emoji]

Source: https://platform.openai.com/tokenizer


Well, that makes sense! Otherwise, it does reduce tokens if the result does not contain emojis.


Any good prompt suggestions for this task?

"summarize the following while retaining all functional data:"

doesn't seem to do the trick.


> My Polish grandmother has it as a painting in her house (a Jew counting coins). She bought it few years ago. She says the Jew brings good luck. She is absolutely not racist nor antisemitic.

> Even today despite global Jews being less than 0.2% of world population are 20% of Forbes 200 richest, e.g. 5 of the 10 richest Americans are Jews.

While I don't know your grandmother, your representation of yourself reads very antisemitic to non-Polish audiences. You may want to take a minute of introspection as to what shared cultural influences led to your grandmother's art choices and your insistence that antisemitic stereotypes are valid. There might be a connection there. That said, you probably wouldn't want me painting all Poles as insensitive oblivious racists.


This is a low quality article that would lead people to believe incorrect information. The headline is incorrect, as they won't be "fixing" the problem.

The latest news that I believe accompanied the statement quoted is that they are giving out (or reimbursing) steering wheel locks (as in "The Club") to some customers.[0] Steering wheel locks are very frustrating to use and easily defeated.

They're also not adding immobilizers but rather connecting the fob buttons to the engine via software:[1]

> The software upgrade modifies certain vehicle control modules on Hyundai vehicles equipped with standard “turn-key-to-start” ignition systems. As a result, locking the doors with the key fob will set the factory alarm and activate an “ignition kill”

This software update will require a service visit and isn't yet available for most affected vehicles.

And to put things in perspective:

> 96 percent of vehicles had engine immobilizers as standard equipment in 2015, the feature was standard on only 26 percent of Hyundai and Kia models [up through 2021].

[0] https://www.consumerreports.org/cars/car-safety/hyundai-offe... [1] https://www.theverge.com/2023/2/14/23599300/hyundai-kia-car-...


It's naive to think the danger is in self-aware evil AI. AI is a tool, and can be used as a weapon.

There's a functional power difference between a knife, an assault rifle, and a nuke. Everyone owns knives--they're in your kitchen--they can't cause much trouble. Access to assault rifles has turned out to be a dangerous problem to society, and is a contentious issue as such. Nukes are obviously too dangerous for people to own willy-nilly.

The issue is where along that spectrum AI will fall into in 6mo, 1yr, 5yrs, etc.

It's troubling to think anyone, especially on a technical forum like HN, believes GPT-4 doesn't have arms or legs (anyone can hook it up to any machinery/robotics) or can't think very fast. Its training set is a good chunk of human knowledge, and it outperforms most humans already.

Even if you assume AI won't be very clever (which seems unwise given its development pace), consider just its ability to perform thoughts and actions at the speed of a computer compared to a human. There are quite a few examples of modern military engagements where a larger, weaker, and less-well-trained force overcame better-equipped opponents, like Mogadishu, Vietnam, Iraq, Afghanistan, etc.


It's a lot easier and faster to destroy than to defend. To defend, you need to know what you're defending against, develop the defense, and then roll it out, all reactively post facto.

If a computer has the ability to quickly make millions of novel viruses, what antidotes are you hoping for to be rolled out, and after how many people have been infected?

Also, if you follow the nuke analogy that's been popular in these comments, no country can currently defend against a large-scale nuclear attack--only respond in kind, which is little comfort to those in any of the blast radii.


Four things of note:

1. I've not seen anyone explain whether this could be exploited by anyone with access to phone lines (i.e. Twilio users) or not and if it would be trivial to try the vuln with every phone number you could find in any DB. If those things are the case, it seems like the chances would be very high that this would be or has already been exploited and affecting every unpatched phone.

2. It seems like Project Zero mistakenly thought that Google devices were already patched when they made their announcement ("affected Pixel devices have received a fix"). Whoops! Thanks for giving attackers a heads up.

3. When contacting Google support (specifically Fi) multiple CS reps told me repeatedly this was all fake news and that Project Zero was unaffiliated with Google. They assured me there was no problem, and if there was a vulnerability, it would be communicated on the Fi website (which has no service status or security pages and has never published any outages or vulnerabilities in the past).

4. The delayed March update for Pixel 6 phones doesn't even show up when you open the software update panel (which shows a checking animation that I assume does nothing). You have to manually check again. Who knows when the folks who are unaware of this vulnerability will actually be prompted to install the patch.

Google have guaranteed at least one person and their family to never purchase another Google product or service.


> When contacting Google support (specifically Fi) multiple CS reps told me repeatedly this was all fake news and that Project Zero was unaffiliated with Google.

I hate CS reps. I used to work as one but I never lied. If I didn’t know something and I couldn’t find it in my knowledge base I contacted the on-site staff to relay the caller’s question/concern.


> It seems like Project Zero mistakenly thought that Google devices were already patched when they made their announcement ("affected Pixel devices have received a fix"). Whoops! Thanks for giving attackers a heads up.

Do you have a source for the fact that Pixel devices don't yet have a fix? The post we're commenting on is actually just blogspam, with its only real source being the initial project zero disclosure [0], which still asserts this to be the case...

[0] https://googleprojectzero.blogspot.com/2023/03/multiple-inte...


The blog post was published on the 16th.[0] Pixel 6 and 6a started the update rollout on the 20th.[1] The March security update was scheduled for earlier but was delayed for 6/a for some reason, and it seems like the Project Zero team didn't check on the actual status of the rollout.

[0] https://googleprojectzero.blogspot.com/2023/03/multiple-inte... [1] https://9to5google.com/2023/03/20/pixel-6-march-2023-update/


> Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number.


I read that as well, and either it's unclear or I lack the technical understanding to apply that to my question.

What does "at the baseband level" mean in terms of remote attack vector? Do they need to be physically nearby with an antenna or could they be across the world connecting through VOIP?

And why do they need to know a phone number? If it's that they need a nearby antenna + knowledge of a phone number, it sounds like this vulnerability might not be a big deal, and it would be great if they communicated that clearly. Alternatively, if the vulnerability is accessible from any remote phone connection, knowledge of a phone number wouldn't matter because attackers would spam the attack against millions of numbers.


In effect, it means if they can call you, they can exploit you. The description given was what an attacker needs to hack you in particular, which means they need your phone number to determine which device to target. If they want to spam a million users they could do that too, although these kinds of things are typically not done this way because that is very noisy and reduces the effective life of the vulnerability.


> If they want to spam a million users they could do that too, although these kinds of things are typically not done this way

That seems like a convenient assertion not based on evidence.

Without trying to sound confrontational, it appears as if you are a current employee of Google, which might have colored your comment and should probably have been disclosed.


No offense taken, I’ve seen confrontational and it can be far worse than this ;) I do work for Google; in fact I work on detecting malware for Android. I have no special knowledge of these bugs, in fact I would be surprised if I even have access to them by default. Project Zero typically handles discovery of zero days internally, and this kind of thing requires working with partners and whatnot, so it’s pretty out of the way. What I know for these bugs is summarized by the blog post. If the bug ends up being exploitable from an app, or it’s been a couple months, I might see what is going on with them, but we’re definitely not there right now. And information about specific bugs and how they are being exploited is generally NTK so I wouldn’t talk about that publicly anyways until they are disclosed officially or the patch is public.

With that out of the way, and the obvious “please ask before quoting me in a news article and absolutely do not treat this as any sort of official Google thing”, this bug is quite serious and of the kind you would typically see in a targeted attack. As I mentioned above, you don’t really want to be noisy with how you’re using an exploit because then people will catch on and try to defend against it. Plus, you generally want a specific thing from the person you’re targeting. Hacking into a million phones and getting value out of it is pretty hard. For targeted attacks things like personal information and specific assets are valuable. On a wide scale, what are you going to do? Steal credit card numbers and wallet keyphrases for a handful of popular clients? Why not just try to pwn the app itself, or phish people, which is a lot less effort?

I don’t want to sound like I’m making this claim because it sounds better if it’s not used for widespread attacks. It absolutely can be used for this, which is why its capabilities are very concerning. But the reasoning behind this is based on what the market for exploits looks like, not just speculation. Large-scale uses of them are typically cheap reuses of n-days by unsophisticated attackers (which is something I do actually deal with personally). In the very rare cases you see actual 0-days used (I can actually mention one now, search for “Pinduoduo”!) they are not of the baseband variety but typically sandbox escapes and abuse of APIs that allow for background execution, accessibility access, and the like.


Thanks for your thoughtful reply. Maybe Google could benefit from having you train customer service for a few days ;)

> you don’t really want to be noisy with how you’re using an exploit because then people will catch on and try to defend against it

My initial reaction was that the vulnerability was already published so why would they care, but I can also imagine how the actual payload could be something to hide as well. That said, couldn't an exploit simply turn off security updates? It sounds like this vuln has full access to everything on the phone.

> In the very rare cases you see actual 0-days used

But that's the issue--it's not a 0-day. It was publicized before the patch went out for millions of users. Was the patch force-updated for everyone else? If not, that number of unpatched users is probably an order of magnitude greater.

This isn't an issue of some state-level actors sitting on a secret 0-day, it's a use-it-or-lose-it moment for anyone who's heard about it straight from Google's mouth.

Full access to SMS 2fa and email accounts seems like everything. That gives you access to most people's bank accounts. You could search emails for crypto accounts and MITM non-SMS 2fa apps if you have root access to the phone. Sending money requests to contacts using real names. I could think of a million ways to use root access. I don't know the cost of exploiting this vulnerability, but I know that sort of access is valuable to a lot of people.

Why wouldn't this have been a goldrush to exploit by unsophisticated attackers? Maybe I'm missing something?


> Maybe Google could benefit from having you train customer service for a few days ;)

Customer service? What customer service? :P

> That said, couldn't an exploit simply turn off security updates?

Sure, but I was thinking more along the lines of if you have a widespread issue then people will write about it and how to restart the device to clear the infection, turn off remotely exploitable surface area, etc. For example I know a lot of people would turn off iMessage when the effective power stuff was going on since it was so easy to exploit and used widely to troll.

> Why wouldn't this have been a goldrush to exploit by unsophisticated attackers? Maybe I'm missing something?

Right, this isn’t an 0-day anymore, because Google knows about it. Some of the bugs also have patches available, making those effectively public. Apparently, some are not fixed yet and also easy to exploit, for which Project Zero has made a rare exception and not disclosed.

In general, if an exploit remains unpatched for a while, it will actually start being exploited by opportunistic attackers. Some exploits are actually really easy to launch, because they are simple or someone left a PoC online. Those can and do get spammed en masse by things like ad networks and generic malware.

For more complex exploits, or partial patches, you’ll often need a sophisticated attacker to actually design the exploit once the bug is known. Those ones are not generally in the business of hacking a million people and trying to get their credit card information. Top vulnerability developers are frighteningly fast in how quickly they can make a working exploit out of a patch that they diffed. To my knowledge it’s more reliably lucrative and safer for them to sell it to people who use them for targeted attacks, so that’s what they do.

Anyways, here I suspect the answer is “the ones that are public are hard to exploit” and “the ones that are not public might actually be dangerous and were withheld for exactly that reason”.


> Google have guaranteed at least one person and their family to never purchase another Google product or service.

They did that when they waited more than a month to patch the phone call bug in Pixel 6 series. What if someone has an emergency? Nope, Google thought that can wait.


I will still purchase Pixels because they isolate the modem.


If that were true, how could they be affected by a bug that allows full device compromise via the baseband?


They're not affected, or at least less affected. The baseband doesn't have direct memory access like on other phones.


Do you have more information on this? I was not aware pixel phones have any additional protection against modem exploits.


Since I don't think anybody's linked it yet, there was a lot of press about the anti-fire foam the air force uses in drills (and actual fires) being toxic and leaking into the water systems in every base.[0]

They said they'll phase it out by 2024,[1] so if you're planning on enlisting, you should wait to enlist until then so you can be part of the next cohort for this study. Also, if you live near an airbase, you might want to wait to have any future children until then too, as it affects people around all the bases, as well.

[0] https://www.military.com/daily-news/2019/02/26/residents-nea... [1] https://idahocapitalsun.com/2023/03/16/pentagon-to-halt-use-...


You probably shouldn’t enlist if that’s your concern.

You’re effectively the property of the state and they don’t really give a shit about your health.


In the Netherlands there's also been a big scandal about Chrome-6-based paint used on F-16s. Apparently the Dutch DoD knew this could cause serious health issues but they just continued to use it with inadequate PPE. I wonder if this applies to the US as well, after all these are American fighters (though the ones in Holland were built locally at Schiphol airport)

And there's of course the high use of depleted uranium in the US, for bullets and armor.


Related to Listerine: I have a memory of reading a study that had people use mouthwash (possibly Listerine) the night before taking a cognitive test. The mouthwash group did worse than the control group for some reason.

I'd really love to find the study again if anyone else knows where it is (my googling is apparently not good enough)


> The mouthwash group did worse than the control group for some reason.

I give it higher odds that the study's results were based on bad statistics, or an insufficient sample size, than that there's an actual notable difference here.

The reproducibility crisis has made this, I think, a reasonable default assumption for old studies of this sort.


I wonder if it's the Sucralose, a chemical completely unrelated to sucrose (table sugar) and was originally developed as a pesticide. I used Listerine for many years before I developed a severe allergy to Sucralose. It started with the skin inside my mouth peeling slightly, it wasn't painful at all just kind of weird. Eventually I began getting hives and rashes on my hands and arms and slowly it kept getting worse and worse. If I use mouthwash or use toothpaste with Sucralose today I'll have very bad all-over hives that'll persist for a couple days. Ingesting any via food/snacks means a week of hives and needs a round of prednisone to feel somewhat normal until it's all gone from my system.


> Sucralose, a chemical completely unrelated to sucrose

Seeing as how it is made directly from the sucrose, I'm not sure how you can say it is "completely unrelated". It is identical to sucrose except for the substitution of three chlorine atoms for hydroxyl groups.

Have you seen an allergist about your reaction? They should be able to do a skin test to confirm the allergy, and I'm sure they would be quite interested, as there seem to be no reports in the medical literature of sucralose allergies.


One morning, as Gregor Samsa experienced the pesticidal effects of a sweetener used in his mouthwash, he discovered that he had been changed into a monstrous verminous bug.


I had to look up that reference to Gregor Samsa, lol. Btw, I ordered the complete Far side in hardcover immaculate condition that came in 2 giant books for around $50 a few years ago from someone on ebay. For any Gary Larson fans it's a great library addition though it's more like $75-100 these days, and I imagine they'll only get more expensive.


Dunno, but most contain alcohol which could have a negative effect, even after the ethanol itself is cleared.

Many are re-formulating to alcohol-free formulas, and I think it’s because they fear tobacco-style lawsuits from anyone that gets oral/throat cancers.


Many stores also won't carry it due to shoplifting concerns. I've seen many drug stores with signs posted on the door that they carry only alcohol free Listerine.


Well that is quite interesting. I have never seen a store or sign like that. I thought the ethanol has been denatured with various agents to make it unpleasant to consume for that very reason. I guess the consumer has degenerated so much that he is willing to suffer the consequences of its consumption?

It strikes me that this cannot really be a good sign for society in general when the degeneration is breaking through even the measures to inhibit degenerative detrimental behaviors. It also appears we are accumulating such conditions at an alarming rate all across the western world in particular, emanating and spreading out from a few specific points.


I work in a hospital in a large city (>1 million). I review admitting diagnoses on a regular basis; it's very common to see 'listerine ingestion' or 'hand sanitizer ingestion'. We have policies about where we place hand sanitizer in the hospital and evaluating patients that are at risk of ingestion. Unfortunately we have had many adverse events related to patients drinking it while admitted to hospital. An unfortunate part of our society is that some people are in the position where they drink these products.


Might be related, but mouthwash use is correlated with a drop in systemic nitric oxide levels due to the negative impact on the oral microbiome. You can find a review here:

https://pubmed.ncbi.nlm.nih.gov/35081826/

At Bristle (oral microbiome testing) we advocate against broad antimicrobial mouthrinses as they can negatively impact your oral health similar to how antibiotics cause dysbiosis in the gut.


It’s been a while since I’ve used Listerine, but anecdotally, the only option that left a seemingly cleaner mouth was the ‘original’ formula/flavor. I doubt it’s actually original. It also has the worst flavor.


Maybe someone who brushes teeth regularly also studies regularly, while someone who uses mouthwash cuts corners?

Or the alcohol / other chemicals.


Maybe alcohol absorbed sublingually?


I can't say if it's right or wrong, but in relation to your specific example, there are "adverse possession" laws that grant legal rights to the occupier of land in the US.[1]

[1] https://www.nolo.com/legal-encyclopedia/neighbor-built-fence...


It's the receiver, so it's more like, you're asserting your right to leave your door wide open on a street that is suddenly much more busy.

De facto possession of spectrum was heavily litigated in the early days of radio. There basically is none (not legal advice!), essentially no one has a claim on spectrum in the USA that is not assigned or regulated by the FCC. You have to sign away any claim to spectrum from before the establishment of the FCC to get a ham license or similar radiotelephone licenses. Nobody is around anymore that was operating then anyway. The language is blandly bureaucratic but in context that is what it means: "The Applicant/Licensee waives any claim to the use of any particular frequency or of the electromagnetic spectrum as against the regulatory power of the United States because of the previous use of the same, whether by license or otherwise, and requests an authorization in accordance with this application."

There is probably some similar language in the applications for other licensed bands.

