> based on the unquestioned premise that delaying disclosure for the operational convenience of system administrators is a good thing. There are reasons to question that premise!
Care to mention these reasons?
With "convenience of system administrators", I'm guessing you mean that there's a patch available that sysadmins can install, ideally before the vulnerability is disclosed? What else are sysadmins supposed to do, in your opinion? Fix the vulnerability themselves? Or simply shutdown the servers?
With the various copyfails of recent, it at least was possible to block the affected modules. If that were not the case, what would you have done, as a sysadmin?
Presumably you also have positive downstream effects in mind: when "taking the availability hit" feels like more of a live choice, operators feel the pain of running insecure designs more. Do what you describe a couple times, and you'll naturally start thinking things like "dammit, we need to finally get away from shared kernels; this is insane", "maybe we should figure out a way to do this that doesn't involve running software that runs in God mode", or even "we should see what it takes to port our application to a platform that is more secure by design".
When you can't imagine or pretend that when a major vuln is disclosed (a) you've been secure up until the point of disclosure or (b) all you need to do now is apply a patch without thinking too much about what your blast radius just was, you might actually have stronger incentives to think about the design of the overall system so that when similar issues come up, you can avoid having to sweat those outages.
It's interesting that "defense-in-depth" gets cited and repeated all the time but the standard attitude about patching still seems to be "what do you mean?? isn't patching the only thing we can do?". How about designing systems so that you can more quickly and easily throw up other kinds of mitigations when you need to? What about designing systems with robust enough notions of graceful degradation that when something crops up for a certain feature you can "just" say "okay, let's turn only that part off for a couple days"? How about getting really, really good at CI/CD so you can more confidently add and deploy mitigations to your application code, or redeploy with a feature flag that lets you temporarily drop an unpatched-and-vulnerable dependency?
If you can manage to build a system without the assumption that just patching is always on the table, you might simply end up with better software, which would be pretty cool.
"Taking an availability hit" is also an "in the limit" case that mostly serves to illustrate the falsity of "disclose or patch" as a binary. Much more commonly: a fully disclosed vulnerability arms systems teams with enough information to mitigate; pull kernel modules, change permissions, that sort of thing.
Maybe some corporations like the "just patch" playbook because it takes less skill to execute or articulate. It might be as much a deprofessionalization/commoditization of labor thing as anything else.
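The "feature flag that lets you temporarily drop an unpatched-and-vulnerable dependency" idea from the comment above, as an added example that is not from the thread. Everything here is constructed: the `FEATURE_FLAGS` environment variable, the `thumbnails` flag and the stand-in thumbnailer library are placeholders, and the point is only the pattern, a runtime kill switch with a degraded fallback so the rest of the service keeps serving while the dependency is switched off.

```python
"""Runtime kill switch for a dependency-backed feature (added example)."""
import json
import os
from functools import wraps
from typing import Callable, Optional


class FeatureFlags:
    """Flag store read from a JSON document in an environment variable.

    Operators flip a flag by changing the variable and restarting; no rebuild
    or code change is needed, which is what makes it usable as a mitigation.
    (The variable name FEATURE_FLAGS is an assumption for this example.)
    """

    def __init__(self, raw: Optional[str] = None):
        source = raw if raw is not None else os.environ.get("FEATURE_FLAGS", "{}")
        try:
            data = json.loads(source)
        except json.JSONDecodeError:
            data = {}
        # Only an explicit JSON true enables a flag; anything else disables it.
        self._flags = (
            {k: (v is True) for k, v in data.items()} if isinstance(data, dict) else {}
        )

    def enabled(self, name: str, default: bool = False) -> bool:
        return self._flags.get(name, default)


def degrades_to(flags: FeatureFlags, name: str, fallback: Callable):
    """Decorator: run the real function only while flag `name` is on,
    otherwise answer with fallback(...) so callers keep working."""

    def decorator(fn):
        @wraps(fn)
        def wrapper(*args, **kwargs):
            # A flag that is absent from the store means "feature ships on".
            if flags.enabled(name, default=True):
                return fn(*args, **kwargs)
            return fallback(*args, **kwargs)

        return wrapper

    return decorator


# --- hypothetical dependency-backed feature ---------------------------------

def _thumbnailer_render(image_bytes: bytes) -> dict:
    # Stands in for a third-party library call (constructed placeholder).
    return {"status": "thumbnail", "size": len(image_bytes) // 10}


def _placeholder(image_bytes: bytes) -> dict:
    # Degraded mode: serve a static placeholder and never touch the dependency.
    return {"status": "placeholder", "size": 0}


def build_thumbnail_handler(flags: FeatureFlags):
    """Wire the feature behind the 'thumbnails' flag (name is an assumption)."""

    @degrades_to(flags, "thumbnails", _placeholder)
    def thumbnail(image_bytes: bytes) -> dict:
        return _thumbnailer_render(image_bytes)

    return thumbnail


if __name__ == "__main__":
    normal = build_thumbnail_handler(FeatureFlags('{"thumbnails": true}'))
    print(normal(b"x" * 100))
    # Operator response to an unpatched issue in the thumbnailer: flip the flag.
    mitigated = build_thumbnail_handler(FeatureFlags('{"thumbnails": false}'))
    print(mitigated(b"x" * 100))
```

The one design choice worth noticing is the default: a flag missing from the store means the feature stays on, so a malformed or empty flag document cannot silently take features down, while only an explicit JSON `true` turns it on once the key exists. Whether a given feature should instead fail closed is a per-feature decision that belongs in the `default` argument, not in the store.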
With "availability hit" I'm assuming you mean to simply stop operations until patches are rolled out, so possibly for days? That would at least explain what's happening at GitHub...
The best convenience is that by the time of disclosure, the patch was already merged perhaps months prior and so sysadmins following a routine update schedule would have already updated to a version including the patch and thus have nothing to do. This relies on an assumption that a patch or series of patches aren't equivalent to a disclosure, so that a disclosure can be delayed from the patch, which is basically untenable in modern times.
> I've got 25 years of loops that basically to finish them need better arrangements
Welcome to the club. You need to learn how to actually finish a track, which is the most difficult but also the most rewarding part. Why would you use AI for that? I mean, just listen to that demo track Codex made in the above repo, you surely don't want that.
There's a good book about this, published by Ableton, you can read it for free here:
To be fair, the demo track was one of the first I had it make, and I didn't put much effort into it because I thought it was especially funny with the macos "say" command vocals.
It's a garbage-in, garbage-out situation. If you give it more musical direction you will get more out of it.
It's not just that the track is garbage (the "say" vocals are actually the least of its problems). Even if AI would make a good track: why use AI for creating your arrangements in the first place? Why this resistance to actually getting good at something? I can understand if your livelihood depends on it and you just need to be fast, but why for stuff you do for fun?
The book I mentioned has a good suggestion when struggling with arrangements: just copy. Take a track you really like, put it into your DAW, sync the speed and replicate its structure. You'll see that in many genres, structure is often exactly the same anyway. This can be an eye opener, and once you've realized this, you'll be able to experiment with structure in ways you couldn't do before. That's the fun part.
I agree that having an MCP Ableton can make total sense. After many years of use, I would say I know Ableton quite well, but nowadays, I regularly ask ChatGPT if certain things could be done differently/more efficiently, and it often surprises me with new ways of doing things. For instance, sometimes Ableton has gotten new features over the years I'm not aware of. It surely would be nice to have this integrated via MCP.
I think you would get much better feedback if you'd focus on these use cases: flattening the learning curve for newcomers, and new ideas for experienced users, rather than creating tracks completely by AI. Because in that case, why even go through a DAW and not use Suno directly?
Thank you for the feedback, I'll record some more co-creating examples! And yea, it's also fun to take stuff out of Ableton and run it through Suno, to get real vocals and such.
A cool thing about this MCP is you can ask Codex Ableton questions and it will go and read the state of your current Live Set and answer based on that. You don't have to have it change anything for you if you don't want.
They had the most emotion because I didn't know what I was doing. Then for any ten years I got lost trying to make it sound technically good. Now I must make stuff and the technical part happens automatically.
> Welcome to the club. You need to learn how to actually finish a track
I don't think you understand. I've got thousands of songs.
Why would I use AI to generate arrangements... Maybe for ideas?
Maybe because certain things I'm lazy about?
Maybe because I've got thousands of songs?
It's not actually difficult to finish a song if your output is high enough. Sometimes the songs just come out without any struggle. But most of the time they don't.
I wrote and finished my first song around 1996. Using Cakewalk plugged into a midi keyboard.
HN is full of people who think using AI means you are lazy or can't do something. The fault is yours not mine. Adapt
> It was extremely irresponsible to share the exploit with the world before the distributions shipped the fix.
Yes, this was clearly a marketing stunt to promote Xint code.
I, for one, will never use Xint code and will advise everyone to never use it. To anyone working there: enjoy your 15 minutes, I hope this backfires right in your face.
External security research happens for one of only a few reasons typically:
1) hobbyists who are learning or just like to do it for fun
2) bug bounties (good luck with those in most open source)
3) marketing for security companies
4) non-public research going to CNO/CNE
If you want to kill 3, the output of 1 will not come close to 4 and the public is NOT better off with fewer public bugs.
"The Witness" was fine but I found its overly pompous philosophizing unbearable and pretentious. Rather play "Taiji" instead, which is clearly inspired by TW, but without the grandstanding, and at least IMHO, the puzzles are also better.
The Witness is one of my favorite games of all time, but yeah the first thing I say to anyone thinking of playing it is to skip all the audio logs. Those things are straight up embarrassing trash and I can understand anyone unfortunate enough to click on them dropping the game down into "don't recommend" territory. Also, given his extremely stinky personality, I probably won't be buying any future games by Blow.
> There is a tension between empiricism and fundamentalism with much of medical science focusing on fundamentalism.
This is a deeply unfair statement, and also a false dichotomy. Medical science is of course empiric. What you call "fundamentalism" is that compounds need to undergo a rigorous regiment of empiric testing before they are given to potentially millions of people. And no, it's not just because of Thalidomide. Many, many compounds fail clinical trials because of severe side effects, like liver toxicity, severe immune reactions or heart problems. Then there's of course increased risk of cancer, which can take many years to manifest itself empirically. You argue that you prefer living with these uncertainties rather than ME/CFS, and that's of course entirely understandable, but disparaging the field of medical science as focused on "fundamentalism" because we do not give large patient cohorts untested compounds is polemic. I understand where you are coming from, and I'm sorry that you suffer from this terrible condition, but likewise, you should try to understand the other side.
Doctors have been maligning ME/CFS as psychosomatic for decades and generally still do despite a large amount of modern evidence to the contrary. If you have it, it’s clearly not; you can get good and bad days that are clearly not dependent on psychological state. In addition I have it due to hEDS, which is a condition that is almost never diagnosed due to the aforementioned blind spots. Most doctors still think the prevalence rate is 1/50K despite continued research raising that number to 1/15K and 1/500. It takes a long time for this information to percolate through the system.
Doctors, like many professions, have institutional blind spots, I studied these in my search because I was looking for something that had not been found. Most doctors have to consider all people and all conditions, I only have to be concerned with one.
Notably they only recently adopted Bayesian statistics for medical trials despite that math being around for hundreds of years.
I completely understand your frustration with the lack of knowledge and research in ME/CFS. It's a scandal, given the prevalence and seriousness of the condition. Unfortunately, after Covid, ME/CFS was even more politicized as part of the long-Covid discussions and got caught up in the culture wars. I have several friends with ME/CFS and they basically say the same things you do - ignorant doctors, high cost due to medication usually being off-label and not covered by insurance, and even friends don't take the condition seriously.
ME/CFS research is severely underfunded. The reasons for this are not simple, it's partly due to the complexity of the disease which, as cynical as it is, does not make it an attractive research topic for ambitious scientists. Same goes for "Big Pharma". Clinical trials for ME/CFS are extremely complicated, and hence expensive, due to the myriad of symptoms in how the condition can appear. It makes research in this area very difficult and expensive. There's very little funding for ME/CFS research, and that needs to change. Unfortunately, especially in the US, this is not going to happen for Kennedy reasons.
The Bayesian statistics thing is a bit of a red herring, though. While you are correct that the math is old, the needed compute resources for doing Bayesian modeling on large trials were simply not there until recently. But it is also correct that it took a long time until there were official rules regarding this from the FDA and EMA. These regulatory things move very, very slowly.
Unless you’ve had ME/CFS you cannot understand how bad it is, I’ve had it and I still have a hard time comprehending how bad it was, I am occasionally reminded and it’s easy to forget. While it won’t kill you it’ll destroy your life until you’re ready to kill yourself.
The UK led the world with explicit psychologizing of it in large part to prevent insurance companies being liable for such an expensive and debilitating condition. A legacy that continues to this day, the main people responsible are still very influential. Fauci was instrumental in diverting research away from the autoimmune aspect and preventing a lot of important research. The $1B set aside for LongCovid appears to largely have been wasted. The official classification for hEDS was explicitly changed to reduce the number found so that it could remain a rare disease and continue to have access to specific funding for rare diseases (goal seeking). I could go on and on. It is a highly dysfunctional industry with many perverse incentives pulling it in all sorts of directions. There was the healthy at any size movement despite obesity being a massive cause for mortality, perhaps the only stronger signal would be smoking and consider how long it took them to figure out smoking.
There have been insanely impressive improvements to medical science but this seems to be largely due to tooling and access to information rather than the lumbering bureaucracy which appears to do very little of benefit.
I don't really understand where you are going with the fundamentalist vs. empiricist holy war narrative. Medical science is very empiricist, but it is conservative.
Yes they will miss rare cases or where symptoms aren't quantifiable or where no understood biological mechanism exists. Yes you can take on research and treatment yourself with the risk associated. No a bunch of anecdotal evidence on experimental treatments do not substitute for structured research. No you won't come back here in 3 years if you develop serious side effects that would have been identified in clinical trials and tell everyone you were wrong.
’fundamentalist’ has religious connotations which I did not intend, I meant deduction from first principles not foundational orthodoxy. My expression was there was tension not completely discrete factions, there is clearly some empiricism used in medicine. One of the difficulties in getting published is defending a position and it’s easier to do this with a mechanism of action which I think slows things down too much. The pace of progress on my conditions might as well be none at all. Still no cure for a condition that’s been known about since Hippocrates.
So I’ve been doing this for over 4 years now, and commenting on this with this account for a bit less than that, so far no serious unwanted side effects other than the usual ones for semaglutide which went away. Of course that has a survivorship bias but in the forums people do often tell others what they’re about to try and we would notice if they stopped showing up.
> My expression was there was tension not completely discrete factions, there is clearly some empiricism used in medicine. One of the difficulties in getting published is defending a position and it’s easier to do this with a mechanism of action which I think slows things down too much.
There is always tension between objectives in real-world systems. There are essentially two frontiers in our healthcare system--a core of educated professionals that are conservative and move slowly with ample evidence behind decisions, and a wide range of laymen who are comfortable with personal risk (e.g. the bodybuilding community). I have respect for both, and they work together. The core will always have too many false negatives and the horizon group will have too many false positives. Saying the balance right now slows things down too much needs more support as an argument; there will always be things on the roadmap for medicine and there will always be edge cases that can't get addressed perfectly.
From what I've seen medical researchers are champing at the bit for new areas of treatment that they think are promising and they just need the smallest amount of convincing evidence to research. If they don't have it for something you think is valuable, collect the information in a systematic way and find someone to send it to.
> compounds need to undergo a rigorous regiment of empiric testing before they are given to potentially millions of people
Particularly when the mechanism behind most of these peptides comes down to "promotes more rapid cell growth". The intent may be to repair the skin, muscles, or ligaments, but biology is rarely that specific.
I think the grandparent meant "fundamentalism" as "mechanistic", and lots of things we can know (as you say using the scientific method) to be useful long before we have a good mechanistic explanation of how they work.
Some examples: aspirin (willow bark used for thousands of years, drug synthesized in 1897 and mechanism explained almost 100y later), or general anesthesia used again since mid 1800s and the mechanism is quite still debated.
This is not to downplay all the long term, or developmental, risks that using something novel can result in. But we can empirically know something about the effects without having good mechanistic models.
But it is usually not necessary for approval of a compound to be able to describe how it works on a molecular or cellular level. What you need to show are three things: efficacy, safety and quality, so basically: the compound has the intended clinical benefit, has an acceptable safety profile and can be produced with a consistent manufacturing quality. Most compounds fail because of lack of efficacy (roughly half), and roughly a third because of lack of acceptable safety.
The vast majority of drug candidates don’t make it to the trial stage. Much of the research has to be defensible prior to the trial and what makes them defensible is having a mechanism for action. Of course once a drug is being used off label there starts to be some empirical data which can be used for trials, and it seems that we’ll get lucky with GLP1-As.
You are entirely correct. New compounds for trials do not come out of thin air, you usually derive them from compounds you already know how and why they work. For instance, we know very well how Semaglutide works, same goes for many other peptides that are currently being studied. However, you are correct that we do not understand why they would help for ME/CFS, simply because we do not understand ME/CFS in the first place. As I've written above, it's a severely neglected disease.
Anyway, I don't think we really disagree, I rather misunderstood your original post. It's good to hear that these new peptides are helping with your condition, and I wish you all the best!
Thanks for the feedback, I’m noticing that ‘fundamentalism’ didn’t translate properly and I should have referred to first principles and mechanisms of action. I need better words for these and I will try to find them.
As a fun aside, consider the effect of the birthday paradox on empiricism, as the pool of candidates grows larger the probability of a match increases substantially as potential matching candidates increases quadratically.
I think I would need to see testing on a control group of housebound patients with other conditions to believe this. It's easy for ME testing to pick up markers for being housebound and limited exercise for an extended period of time.
You sound exactly like the tens of doctors that misdiagnosed my aunt (who passed away through euthanasia after her symptoms got too bad to live with late last year).
I understand that the symptoms of ME/CFS might be similar to being obese/depressed or housebound, but the problem is that doctors often jump to that conclusion too quickly and don’t take efforts to diagnose ME/CFS leading to situations like my aunt’s. She was also obese and depressed and has been struggling with those symptoms for about 30 years and has constantly been misdiagnosed the entire time because doctors didn’t figure out that those were symptoms of ME/CFS and not two unrelated conditions coming from two different diagnoses.
Thanks to long-covid putting the symptoms of ME/CFS on the forefront lately, there’s finally been some much needed research into the disease and people like my aunt finally get the diagnosis they should have been getting many years ago.
Sorry to hear about your aunt. My condolences. I think you misinterpreted my intent; I would dearly love a good diagnostic test for ME/CFS and agree research has been hugely underfunded.
I have followed the research closely for many years and there has been false promise of good diagnostic tests previously. What I'm arguing for is that we need a test that is specific for ME/CFS. E.g. it will test positive for a patient with ME/CFS regardless of whether they are obese or not, but more importantly it will not test positive for everyone who is obese. This is known as the sensitivity and specificity of the test.
What I've seen in the past is some previous ME/CFS tests show positive for groups with related symptoms but who don't have ME/CFS. This then becomes a worthless diagnostic tool. For example this would not have helped your aunt.
Well, reading the study, I'm not sure more patients could rescue it from methodological bias. They assumed the premise basically -- we should find a biomarker, which is kind of what this thread is discussing. Then they went trawling for a biomarker in a sea of millions of biomarkers. They did this by training a model that produced the desired result, using a grid search for hyperparameters that even further expanded the available degrees of freedom here beyond what they had from the biology. No pre-registration; there are millions of places where the researchers could have made a different decision -- would they still have gotten a publishable result? Oh, plus the authors mostly work for the company whose data they use, which is hoping to sell a diagnostic test.
I'm giving you a thorough response because I'm detecting a cavalier anti-scientism which I think is sadly becoming more common. This stuff is hard; are you sure you understand it enough to have an informed opinion?
> outside of lacking attribution / retaining copyright, I don't see a problem?
That's a bit like a shoplifter saying "well, outside of not paying for it, I don't see a problem?".
Apache 2.0 clearly says you must include the license, include copyright, state any changes you've made and include the NOTICE file. None of that was done, so this is a pretty clear violation of the license. The copyright holders can demand that this is fixed immediately, seek at least an injunction if that does not happen, and maybe even claim profits made from selling the software while violating the license.
Also, Microsoft regularly sends me legitimate emails regarding "Microsoft Rewards" that are absolutely indistinguishable from phishing, like "Total Prize Drop is here! Your chance to win 1,000,000 USD cash grand prize or one of three customizable Mercedes-Benz cars!", complete with links to login pages and everything. So like this one, just as mail: https://xcancel.com/bing/status/2034720189003231410
The first time I got those I couldn't believe these were legitimate. Thank you Microsoft for teaching your customers how to fall for scams!
I’m a lucky duck, because Microsoft ONLY sends me emails in Spanish. Password reset? Spanish. Ad? Spanish. ToS update? Spanish. When I log in, it’s English, and I’ve never been able to find any setting anywhere in my account saying to use English. It’s so funny, I can’t even understand their ads.