TheJach.com

Jach's personal blog

(Largely containing a mind-dump to myselves: past, present, and future)
Current favorite quote: "Supposedly smart people are weirdly ignorant of Bayes' Rule." William B Vogt, 2010

Negative definitions can be useful

Some things are hard, perhaps "impossible", to define, and some properties are hard to demonstrate. The one I was thinking of just now was "consciousness". If someone tells you, "demonstrate to me that you are conscious", what can you do? We don't even fully know what conscious means; how can we demonstrate it?

We can work at it instead with progressive narrowing, either in the positive or negative case. We can all agree some random rock is not conscious; that excludes a lot of the possibility space. Are trees? No? That excludes even more and prevents an easy "has DNA" filter. I do have an easy filter though: I would tentatively accept a simple statement of "I am conscious" as strong demonstration of consciousness, and failure to do so as a strong indicator of lacking consciousness. This rules out most animals, which, fine, and also rules out brain damaged humans who don't seem to comprehend speech let alone produce it, again, fine.

There's the interesting edge case of when a computer program says the same: is it conscious? No in general, I argue, because for most programs a programmer could go in and easily have it say whatever the programmer wants. Ok, it's a more sophisticated program like GPT3, and suppose it said that? GPT3 is rather complex, you can't easily go in and edit its output to be whatever for an input. So is it conscious? No again, but admittedly this can be considered breaking my filter and so I'd have to use a different criterion to rule it out. (The related negative "Thinking is what computers can't do yet" works well and it narrows year by year.) Still, it's a useful filter in most cases! Besides, I don't want to rule out consciousness from silicon anyway since even if somehow AIs can never have it, human ems surely would. At that far point, the filter can still be useful, for instance it would accept the character Data as conscious simply because he declared himself to be so and there's no easy way to make him as-a-program declare otherwise.


Recent Site Downtime

Sorry for the recent downtime. Did a big system update of my server, then left it overnight and didn't check it until recently. Apache crashed because it was trying to load multiple PHP versions at the same time, and the new update to PHP 8 broke a few things. (__autoload is no more, and using curly braces for string indexing is no more. And my config now lives in /etc/php/apache2-php8.0 instead of 7.4, so I had to port over my settings for sendmail_path, upload_max_filesize, and error_log.) Everything should be fixed now, at least here.
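The two PHP 8.0 removals mentioned above, each next to its replacement, as an added example (not the blog's own code; the lib/ directory layout used by the autoloader is assumed):

```php
<?php
// Added example, not the blog's own code: the two PHP 8.0 removals named
// above, each with its replacement. The lib/ directory layout is assumed.

// __autoload() was removed in PHP 8.0. Register an autoloader with
// spl_autoload_register() instead.
spl_autoload_register(function (string $class): void {
    $file = __DIR__ . '/lib/' . str_replace('\\', '/', $class) . '.php';
    if (is_file($file)) {
        require $file;
    }
});

// Curly-brace string offsets were removed in PHP 8.0; use square
// brackets, which work on every supported version.
function firstChar(string $s): string
{
    return $s === '' ? '' : $s[0];   // formerly $s{0}
}
```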

One more point in favor of rewriting away from PHP...


Why ASDF is confusing

At some point on everyone's Common Lisp journey, they're going to reach a point where they want to create a program composed of more than one file. They might even want to create a library! Unfortunately this can quickly become a head-banging exercise in frustration and confusion.

At the root of any confusion I think is a lack of familiarity with the way Lisp gets code into memory for executing -- and for good reason, because hardly anything else does things similarly, at least at the level of exposure that Lisp requires. If I'm right then working through the details and comparing with other languages should help with making ASDF (or the choice of not using it) less confusing. I'm even repeating some very basic things that are probably understood by any potential readers already.

The key difference is LOAD. I don't want to get into the subtleties of loading a source file vs. a compiled file and the behavior of eval-when (those are important for further understanding and for avoiding other headaches); here I'm just bringing it up because LOAD is essentially the only way to bring in new code. From the description, it "sequentially executes each form it encounters". Intuitively you can picture this as sequentially EVAL'ing each form, so EVAL under the hood is doing the work, but LOAD is your user interface. Every sort of "package management" or "library management" or "code module management" system is just built on managing LOADs.


Technical Debt is just messiness

It's the time of year for people to share their reframings of technical debt.

Yossi Kreinin has two takes I like, from https://twitter.com/YossiKreinin/status/1431748651571896320 and https://twitter.com/YossiKreinin/status/1341741855214546949 respectively.

Much of "technical debt" isn't - it wasn't done to ship quickly at the cost of more work in the future. It was just a shitty job that you're now stuck with, that never helped ship anything quickly. If programmers were plumbers, we'd spill shit all over your room & call it "debt"


Fixed an embarrassing security bug...

Earlier tonight I started getting some error emails as a result of some requests from 5.188.62.214 who started POSTing to /admin/post/new, which as revealed in my notes is the URL this blog uses when I submit a new post. I knew I had to deal with this immediately because the error message was PHP aborting because of an undefined index in a map -- the bot using that IP wasn't sending the expected new post form parameters.

This is odd to me since the HTML form is part of the response payload and all the needed inputs are in there, including one that the bot did send. That one ended up being the only type="hidden" one, too, which makes it more bizarre. It reminds me of some people filtering requests from dumb bots by setting a hidden input and then setting it to something else with JS, or unsetting it, and catching bots that aren't JS-aware. Apparently many still aren't. The bot also sent some parameters from other forms on the page, like the hidden sitesearch param for the google search box, and the pw param for the login form, with guesses as brilliant as 123456, admin, admin123, and gw44444 (what's that from? too many 4s...) -- with variants gw111111 and gw66666666.

But all that's beside the point, because what is an unauthenticated request doing getting this far into the handler of an admin page, which is supposed to be restricted to admin users (i.e. me)? And after a bit of investigation I found to my horror that a plain curl on that URL would serve the form...
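An admin "new post" handler with both defects described above fixed, as an added example (not the blog's own code): the authentication gate runs before anything else, including the GET that renders the form, and the POST fields are read with defaults so a bot sending other forms' parameters gets a 400 instead of triggering the undefined-index error. The session key, field names and storage step are assumptions.

```php
<?php
// Added example, not the blog's own code: an admin "new post" handler
// with the two defects described above fixed. The session key, field
// names and the storage step are assumptions.
declare(strict_types=1);
session_start();

function isAdmin(): bool
{
    // Assumption: a successful admin login sets this session flag.
    return ($_SESSION['is_admin'] ?? false) === true;
}

// Read the expected fields with defaults instead of indexing $_POST
// directly, so a bot sending other forms' params gets a 400 response,
// not an undefined-index error and an error email.
function readNewPost(array $post): ?array
{
    $title = trim((string)($post['title'] ?? ''));
    $body  = (string)($post['body'] ?? '');
    return ($title === '' || $body === '') ? null
        : ['title' => $title, 'body' => $body];
}

// Gate the whole handler first: the GET that renders the form and the
// POST that creates a post both require an admin session.
if (!isAdmin()) {
    http_response_code(403);
    error_log(sprintf('admin/post/new: denied %s from %s',
        $_SERVER['REQUEST_METHOD'] ?? '?', $_SERVER['REMOTE_ADDR'] ?? '?'));
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $new = readNewPost($_POST);
    if ($new === null) {
        http_response_code(400);
        exit('missing title or body');
    }
    // Assumed storage: append one JSON line per post.
    file_put_contents(__DIR__ . '/posts.jsonl', json_encode($new) . "\n", FILE_APPEND);
    header('Location: /');
    exit;
}

// GET from an authenticated admin: render the form.
echo '<form method="post" action="/admin/post/new">',
     '<input name="title"><textarea name="body"></textarea>',
     '<button>Publish</button></form>';
```

The error_log line turns unauthenticated probes into a single log entry per request, which is the signal to watch for rather than the PHP error emails the missing check produced.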


What is customer trust?

My last job often championed "trust" as its number one value, though sometimes it was a bit nebulous about what was meant by it. Having not worked there for over a year, even I have started to forget what exactly is meant by it. But thinking about it again, it's actually really simple, and the company says as much in various places if you look.

Trust is simply whether people trust you or not, and maybe how much. Trust you with what? With anything they possibly could. If you're a business, and you want trust, you typically want to be trusted to do the right thing, to have a product that does something useful in a good way and in line with customer expectations, to be upfront and honest and transparent about your mistakes instead of burying them (and try hard not to make mistakes). This trust extends beyond your customers and includes your employees, too. Part of why I left was a loss of trust between myself and the company -- so many pieces of information were learned via public news instead of an internal announcement, for instance. Trust, once broken, is really hard to re-establish.

Another thing about trust is that what people do or do not trust you in changes from person to person, which is why it can be a bit nebulous. Is it reasonable for me, a simple IC, to expect that the details of firing a security pair moments after giving a talk at Defcon would be provided in news articles and public forums and totally ignored internally and talked around when brought up in a company all-hands? Maybe, maybe not, but that was an early loss-of-trust moment for me, and would even have been a rage-quit-in-solidarity moment had I been part of the security team.


It's hard to write with no audience

This blog has long been for my own benefit, and that's not really about to change soon... but I'm also reflecting a bit on why I started blogging in the first place. Part of it was a desire to become better at writing.

But, like I tried to say in my last post about programming, just doing a lot of something doesn't necessarily make you better at it. I still have this idea that when I've written one million words on this blog, I'll "archive" everything so links still work but otherwise fundamentally redesign the site so that it's just a categorized collection of stuff, like Gwern's site, and maybe some old stuff can be salvaged or lightly rewritten as "best hits". I'm currently at only ~400k words, though.

But if you include my Hacker News comments, plus my private journal, I'm at ~900k words! So surely I've long passed the "million words" point as far as lifetime output is concerned. So as far as redesigning this blog goes, part of it's just laziness. Besides, I'm not looking for a job right now, so I don't need to be overly concerned about easy-to-find cringe (which this blog is full of).
