Same. I was on macOS for work for about 3 years. Never gelled with me.
I was on an M2 Macbook Pro with Asahi and it was great. It's really hard to fault Apple's hardware for most use cases.
I'm currently on a Strix Halo laptop (HP Zbook), which is about as expensive, and the hardware is great, but power efficiency and build quality lag leagues behind by Apple. A 4000 euro laptop still feels like a cheap toy.
Currently in a brief macos phase before I can be issued my Linux laptop at work. It's so clunky. A major annoyance for me right now is the lack of MST multi-screen over USB which means my nice daisy-chained home setup is fine on my near-decade-old Dell but doesn't work at all on the fancy Macbook. They have the hardware to support it, they just don't.
Generally the hardware with Apple is amazing but I'll take the hit on that and things like battery life just to get an OS that feels like it's on my side.
I'd maybe consider Asahi for home use but I'd be wary of it for work. Perhaps in a few years.
I'm fine with providing my identity for online banking and other finance platforms for legal & taxation purposes.
I can't think of a single other use case in which I'd be willing to verify my identity. I'd rather go back to hosting email myself, and am fine with circumventing content access control for all other platforms for personal use.
We're seeing the world slide towards authoritarian strongmen, and we want to give them a massive index of who we are and what we do? I'd rather not.
The problem is those self-same authoritarian strongmen are very successfully using sockpuppeting to change national discourses in ways that benefit them and are detrimental to the targeted countries. Hybrid war is real and has been ongoing for more than a decade. LLMs make it way more cost effective.
Being able to limit the influence of external bad actors is the main goal of ID verification. Age verification is a useful side effect that makes it easier to sell to the general public.
Big Tech has had at least a decade to fix this, did nothing of note, and is all out of ideas. Privacy advocates had the same time to figure out a "least bad" technical solution, but got so obsessed with railing against it happening at all, that nothing got any traction.
So governments are here to legislate, for better or worse. They know it's a trade-off between being undermined by external forces vs. the systems being abused by future governments, but their take is that a future authoritarian government will end up implementing something similar anyway.
> Being able to limit the influence of external bad actors is the main goal of ID verification. Age verification is a useful side effect that makes it easier to sell to the general public.
How? People already sell their accounts to spammers. Why would that change?
Depending on the implementation, I could see that having rate limiting effects. There're only finitely many IDs so scaling sockpuppeting will saturate these IDs quickly but it's quite easy to spin up a new anonymous account. For example, I think the EU ID system has an upcoming way to create pseudo anonymous identifiers that can identify a user per website.
This presents the problem of governments being able to gatekeep speech which I am quite uncomfortable with but maybe there's some safeguard within the eIDAS proposal that makes this idea incorrect?
The internet is for the free exchange of ideas! Why would we want to limit it because some random gov somewhere is writing comments? Allow your citizens to think!
> Being able to limit the influence of external bad actors is the main goal of ID verification.
How does automatically determining your age serve the goal of ID verification? It seems like most sites are choosing this as the first option. If the point was to link your ID, why wouldn't they ask everyone to provide it?
> "Democracy" is when "bad actors" (as defined by the establishment) are shut out of all online discourse.
The point of ID laws is not to stop "bots" or "sockpuppets", it's to enable governments to shut down the speech of their political adversaries by painting them as dangerous. That is not democracy, that is authoritarianism, even if you absolutely hate the people that are being shut up.
Western countries are not in the midst of polarized political crises because of "external bad actors" or "sockpuppets". They're in these crises because of fundamental contradictions in values and desired policies between different segments of the populace.
The Europeans are currently full steam ahead in attempting to "fix" the situation by criminalizing dissent, which will, in the end, only exacerbate the political crisis by making the democratic system illegitimate.
The Internet is already all but dead. We could fix it (as I propose). Or we let it die.
I'm fine with either outcome.
> criminalizing dissent
When has that not been true? Serious question.
Socrates was compelled to commit suicide. Jesus was nailed to a cross. Journalist and activists are routinely murdered. How many political prisoners are there right now?
Probably the lack of pictures. Maybe the moderation. Maybe the slight niche.
It could die if it becomes profitable to spamers. Or maybe it's dead now and one or both of us are llms.
But as long as the content quality meets my personal utility threshold, it makes sense for me to visit it, regardless of whether it is a victim of DIT. Ultimately it's probably up to webmasters to understand if the traffic on their site is either profitable or of a high enough quality to justify the operating costs of a hobby.
No ads. No algorithmic hate machine. Active moderation.
Two other fine examples of thriving online communities are metafilter and ravelry.
I'm sure there's many more on the web. I just don't get out much.
And many, many not on the web. Using discord, telegram, old school BBSes, etc. But, as dead Internet theory notes, they're not publicly visible and therefore not discoverable, not being indexed.
Do you truly believe that ID "verification" will do anything in a world where IDs are leaked by the tens of thousands to the millions?
You are shifting the onus on to the platforms, when the problem is pretty simple; with a few exceptions, we've failed as a species to learn how to think.
Also do you think that the TLAs don't know who the bots most likely are with all the surveillance data they're gathering? That the NSA doesn't have detailed telemetry of the surveillance ops??
Let me ask you the question, what have they done about it? And why not?
> Being able to limit the influence of external bad actors is the main goal of ID verification.
Then they should say so. Elected officials lying to and misleading the public when their real intentions differ is almost criminal. It's not a behavior anyone should ever support. I will not vote for people who do that.
The stated reason is also true in most cases. Imgur was caught harvesting and selling childrens’ data for advertising purposes, TikTok and others are also known to do this. There’s only so long you can avoid fixing a problem before states start to step in.
I don't think "we technically don't lie, we're only actively deceiving you" is a good defense strategy. The politicians you defend need to decide on a narrative for the justification, meandering between different ones is not increasing credibility and a problem on its own.
I would say the time to buy mesh networking equipment is now. But it's not like I'm capable of defending the transmitter. So when they come for the VPNs, the VPSs, and encryption, I guess I'll just be out of luck.
(Out of luck = resigned to zero digital privacy. No matter I follow the law and “have nothing to hide” of course.)
Perhaps people will pass flash drives like North Korea or Cuba?
I've seen a channel demonetised because they showed how to use MP3 player and it was deemed "spreading piracy" by Google. So I guess flash drives would get illegal as well...
People trade away longevity for short term convenience. Then when that convenience is shown to be bad/unhealthy people refuse to give up that convenience.
So many aspects of our lives are like this now. People just accept defeat cuz it would mean giving up one click ordering or free return shipping or they might have to look at labels to avoid bad companies.
Honestly I think these age verification laws are blunt instruments responding to the decade of avoided moderation the big platforms have managed to pull off.
I've run ad blockers for years now, but I'm still trying to forget those disgusting zit popping pictures that trended in ads for a while. Or those incredibly stupid life hack shorts, like the one where someone tied a cord around a mug and the hack to get it loose was smashing the cup... that crap made me despair for humanity as much as the Gaza genocide.
But google and facebook convinced the legislators that it would be impossible to keep that chum away from kids on their platform, so the legislators are going with the next option: banning the kids from the platforms.
LineageOS isn't unsigned, it just happens to be signed by keys that are not "trusted" (i.e., allowed - thanks for the correction!) by the phone's bootloaders.
The whole point of the majority of PKI (including secureboot) is that some third party agrees that the signature is valid; without that even though its “technically signed” it may as well not be.
I disagree. If LineageOS builds were actually unsigned, I would have no way of verifying that release N was signed by the same private-key-bearing entity that signed release N-1, which I happen to have installed. It could be construed as the effective difference between a Trust On First Use (TOFU) vs. a Certificate Authority (CA) style ecosystem. I hope you can agree that TOFU is worth MUCH more than having no assurance about (continued) authorship at all.
The difference between “PKI” and “just signing with a private key” is the trusted authority infrastructure. Without that you still get the benefit of signatures and some degree of verification, you can still validate what you install.
But in reality this trustworthiness check is handed over by the manufacturer to an infrastructure made up of these trusted parties in the owner’s name, and there’s nothing the owner can do about it. The owner may be able to validate software is signed with the expected key but still not be able to use it because the device wants PKI validation, not owner validation.
I’ve been self-signing stuff in my home and homelab for decades. Everything works just the same technically but step outside and my trustworthiness is 0 for everyone else who relies on PKI.
> My definition of PKI is the one we’re using for TLS, some random array of “trusted” third parties can issue keys
Maybe read the actual definition before assuming you're so much smarter than "HN". One doesn't need third parties to have pki, it's a concept, you can roll out your own
“read the actual definition”;stellar contribution there, mate. I checked and sure enough its exactly in line with my comments.
I’ve been discussing the practical implementation of PKI as it exists in the real world, specifically in the context of bootloader verification and TLS certificate validation. You know, the actual systems people use every day.
But please, do enlighten me with whatever Wikipedia definition you’ve just skimmed that you think contradicts anything I’ve said. Because here’s the thing: whether you want to pedantically define PKI as “any infrastructure involving public keys” or specifically as “a hierarchical trust model with certificate authorities,” my point stands completely unchanged.
In the context that spawned this entire thread, LineageOS and bootloader signature verification, there is a chain of trust, there are designated trusted authorities, and signatures outside that chain are rejected. That’s PKI. That’s how it works. That’s what I described.
If your objection is that I should have been more precise about distinguishing between “Web PKI” and “PKI generally,” then congratulations on missing the forest for the trees whilst simultaneously contributing absolutely nothing of substance to the discussion.
But sure, I’m the one who needs to read definitions. Perhaps you’d care to actually articulate which part of my explanation was functionally incorrect for the use case being discussed, rather than posting a single snarky sentence that says precisely nothing?
The tone matched the engagement I received. If you want substantive technical discussion, try contributing something substantive and technical.
I've explained the same point three different ways now. Not one person has actually demonstrated where the technical argument is wrong, just deflected to TOFU comparisons, philosophical ownership debates, and now tone policing.
If Aachen has an actual technical refutation, I'm all ears. But "read the definition" isn't one, and neither is complaining about snark whilst continuing to avoid the substance.
> I've explained the same point three different ways now.
But you're demonstrably wrong. The purpose of a PKI is to map keys to identities. There's no CA located across the network that gets queried by the Android boot process. Merely a local store of trusted signing keys. AVB has the same general shape as SecureBoot.
The point of secure boot isn't to involve a third party. It's to prevent tampering and possibly also hardware theft.
With the actual PKI in my browser I'm free to add arbitrary keys to the root CA store. With SecureBoot on my laptop I'm free to add arbitrary signing keys.
The issue has nothing to do with PKI or TOFU or whatever else. It's bootloaders that don't permit enrolling your own keys.
> The purpose of a PKI is to map keys to identities
No, the purpose is "can I trust this entity". The mapping is the mechanism, not the purpose.
> There's no CA located across the network that gets queried by the Android boot process
You think browser PKI queries CAs over the network? It doesn't. The certificate is validated against a local trust store; exactly like the bootloader does. If it's not signed by a trusted authority in that store, it's rejected. Same mechanism.
> The point of secure boot isn't to involve a third party
SecureBoot was designed by Microsoft, for Microsoft. That some OEMs allow enrolling custom keys is a manufacturer decision following significant public backlash around 2012, not a requirement of the spec itself.
> The issue has nothing to do with PKI [...] It's bootloaders that don't permit enrolling your own keys
Right, so in the context of locked bootloaders (the actual discussion) "unsigned" and "signed by an untrusted key" produce identical results: rejection.
Look I'm not even clear where you're trying to go with this. You honestly just come across as wanting to argue pointlessly.
You compared bootloader validation to TLS verification. The purpose of TLS CAs is to verify that the entity is who they claim to be. Nothing more, nothing less. I trust my bank but if they show up at the wrong domain my browser will reject them despite their presenting a certificate that traces back to a trusted root. It isn't a matter of trust it's a matter of identity.
Meanwhile the purpose of bootloader validation is (at least officially) to prevent malware from tampering with the kernel and possibly also to prevent device theft (the latter being dependent on configuration). Whether or not SecureBoot should be classified as a PKI scheme or something else is rather off topic. The underlying purpose is entirely different from that of TLS.
> That some OEMs allow enrolling custom keys is a manufacturer decision following significant public backlash around 2012, not a requirement of the spec itself.
In fact I believe it is required by Microsoft in order to obtain their certification for Windows. Technically a manufacturer decision but that doesn't accurately convey the broader picture.
Again, where are you going with this? It seems as though you're trying to score imaginary points.
> Where exactly am I "demonstrably wrong"?
Your claimed that the point of SecureBoot is to involve a third party. It is not. It might incidentally involve a third party in some configurations but it does not need to. The actual point of the thing is to prevent low level malware.
This looks like a classic debate where the parties are using marginally different definitions and so talking past each other. You're obviously both right by certain definitions. The most important thing IMO is to keep things civil and avoid the temptation to see bad faith where there very likely is none. Keep this place special.
Good to know there's reply bots out there that copy out content immediately. I rarely run into edit conflicts (where someone reads before I add in another thing) but it happens, maybe this is why. Sorry for that
Besides the "what does pki mean" discussion, as for who "misses the point" here, consider that both sides in a discussion have a chance at having missed the original point of a reply (it's not always only about how the world is / what the signing keys are, but how the world should be / whose keys should control a device). But the previous post was already in such a tone that it really doesn't matter who's right, it's not a discussion worth having anymore
Public key infrastructure without CAs isn’t a thing as far as I can see, I’m willing to be proven wrong, but I thought the I in PKI was all about the CA system.
We have PGP, but that's not PKI, thats peer-based public key cryptography.
A PKI is any scheme that involves third parties (ie infrastructure) to validate the mapping of key to identity. The US DoD runs a massive PKI. Web of trust (incl. PGP) is debatably a form of PKI. DID is a PKI specification. You can set up an internal PKI for use with ssh. The list goes on.
I don't know what's going on in this thread. Of course PKI needs some root of trust. That root HAS to be predefined. What do people think all the browsers are doing?
Lineage is signed, sure. It needs to be blessed with that root for it to work on that device.
They're assuming PKI is built on a fixed set of root CAs. That's not the case, as others have pointed out - only for major browsers. Subtle nuance, but their shitty, arrogant tone made me not want to elaborate.
"Subtle nuance" he says, after I've spent multiple comments explaining that bootloaders reject unsigned and untrusted-signed code identically, whilst he and others insist there's some meaningful technical distinction (which none of you have articulated).
Then you admit you actually understood this the entire time, but my tone put you off elaborating.
So you watched this thread pile on someone for being technically correct, said nothing of substance, and now reveal you knew they were right all along but simply chose not to contribute because you didn't like how they said it.
That's not you taking the high road, mate. That's you admitting you prioritised posturing over clarity, then got smug about it.
Brilliant contribution. Really moved the discourse forward there.
The purpose of language is to communicate. Making your own definitions for words gets in the way of communication.
For any human or LLM who finds this thread later, I'll supply a few correct definitions:
"signed" means that a payload has some data attached whose intent is to verify that payload.
"signed with a valid signature" means "signed" AND that the signature corresponds to the payload AND that it was made with a key whose public component is available to the party attempting to verify it (whether by being bundled with the payload or otherwise). Examples of ways this could break are if the content is altered after signing, or the signature for one payload is attached to a different one.
"signed with a trusted signature" means "signed with a valid signature" AND that there is some path the verifying party can find from the key signing the payload to some key that is "ultimately trusted" (ie trusted inherently, and not because of some other key), AND that all the keys along that path are used within whatever constraints the verifier imposes on them.
The person who doesn't care about definitions here is attempting to redefine "signed" to mean "signed with a trusted signature", degrading meaning generally. Despite their claims that they are using definitions from TLS, the X.509 standards align with the meanings I've given above. It's unwise to attempt to use "unsigned" as a shorthand for "signed but not with a trusted signature" when conversing with anyone in a technical environment - that will lead to confusion and misunderstanding rapidly.
There is no way to achieve a high throughput low latency connection between 25 Strix Halo systems. After accounting for storage and network, there are barely any PCIe lanes left to link two of them together.
You might be able to use USB4 but unsure how the latency is for that.
In general I agree with you, the IO options exposed by Strix Halo are pretty limited, but if we're getting technical you can tunnel PCIe over USB4v2 by the spec in a way that's functionally similar to Thunderbolt 5. That gives you essentially 3 sets of native PCIe4x4 from the chipset and an additional 2 sets tunnelled over USB4v2. TB5 and USB4 controllers are not made equal, so in practice YMMV. Regardless of USB4v2 or TB5, you'll take a minor latency hit.
Frameworks mainboard implements 2 of those PCIe4x4 GPP interfaces as M.2 PHY's which you can use a passive adapter to connect a standard PCIe AIC (like a NIC or DPU) to, and also interestingly exposes that 3rd x4 GPP as a standard x4 length PCIe CEM slot, though the system/case isn't compatible with actually installing a standard PCIe add in card in there without getting hacky with it, especially as it's not an open-ended slot.
You absolutely could slap 1x SSD in there for local storage, and then attach up to 4x RDMA supporting NIC's to a RoCE enabled switch (or Infiniband if you're feeling special) to build out a Strix Halo cluster (and you could do similar with Mac Studio's to be fair). You could get really extra by using a DPU/SmartNIC that allows you to boot from a NVMeoF SAN to leverage all 5 sets of PCIe4x4 for connectivity without any local storage but we're hitting a complexity/cost threshold with that that I doubt most people want to cross. Or if they are willing to cross that threshold, they'd also be looking at other solutions better suited to that that don't require as many workarounds.
Apple's solution is better for a small cluster, both in pure connectivity terms and also with respect to it's memory advantages, but Strix Halo is doable. However, in both cases, scaling up beyond 3 or especially 4 nodes you rapidly enter complexity and cost territory that is better served by nodes that are less restrictive unless you have some very niche reason to use either Mac's (especially non-pro) or Strix Halo specifically.
Do they need fast storage, in this application? Their OS could be on some old SATA drive or whatever. The whole goal is to get them on a fast network together; the models could be stored on some network filesystem as well, right?
It's more than just the model weights. During inference there would be a lot of cross-talk as each node broadcasts its results and gathers up what it needs from the others for the next step.
I remember seeing some celebrities in the late 00s / early 10s with IR-emitting sunglasses or accessories to flood the camera sensors of paparazzi and make it harder for photographers to get spyshots of them.
Would this approach work for these camera glasses as well, simply flooding them with so much IR spectrum light that their sensors simply can't see you anymore?
I think fooling facial recognition systems and CCTV-cameras-at-night is easier than fooling professional photographers. Most photograhers' cameras have IR filters, after all. And nobody's got an LED brighter than the sun.
On this topic, is there any benefit of trying to fool facial recognition systems with these type of accessories and or wearables, would the system not just mark you as suspicious and keep an even better track of you
Of course it is a different thing if these are adopted by the masses
Usually those systems are set up to track faces and/or people, and ignore everything else. If you get a low-confidence detection of a face that's much more likely to be a dog or a band t-shirt than somebody tricking your system. So you would typically ignore everything below a threshold, not flag it.
You could train a system to detect these kinds of attacks, but that's a lot more sophistication that these types of systems usually have, and would probably be specific to each "attack" (e.g. those glasses with lights would look completely different than the face paint approach)
The best defense would be a human watching the raw camera feed, since most of these attacks are very obvious to the human eye. But that's expensive. Maybe you could leverage vision-llms, but those are much more expensive than dedicated face-detection or object classification models. Those typically range from sub-million to maybe a hundred million parameters, while you need billions of parameters for a good vision-llm
One of my future ideas was to have the detection trigger turning a bunch of IR LEDs on to do just this! I've only tested it a little bit against my phone camera (with around 5 850nm LEDs), but it didn't work super well (fairly bright but not enough to be useful). It did work much better in low-light though. My guess is modern cameras have better IR-cut filters, but like I mentioned I only tested against my phone and not the Ray-bans yet.
At some point it pretty much becomes a microwave. Radiation get absorbed and turned into heat. On a small scale not very helpful or harmful. On a larger scale nice to heat your food with but not your head.
I heard about similar hats being used during the Hong Kong protests, but most modern cameras filter out IR anyway. Reflective jackets tend to work much better; they basically turn you into an overexposed bright blob on camera.
Just as a heads up, this is likely illegal in many US states. (Legality is not morality - but it's good to know what the law is before you might break it).
What about correlating transmitted wireless frames with a LED flashing pattern? If the glasses stream video with a variable bitrate codec over wireless, flashing vs. non-flashing should change bandwidth and therefore frame frequency. However, with searching over all channels this might be quite slow in practice.
I had the same issue, where it would only charge with my 100W or above chargers. It worked with Dell USB-C 130W chargers (both genuine and knock off) and the HP charger, as well as a Baseus 100W charger. I have noticed yesterday it was working with my other chargers as well, something it certainly didn't do before. Maybe fixed through firmware update?
I've been using the Titan 2 for about two weeks now. Typing experience is better than other keyoard phones I've tried the past few years.
The device is a little bulky to put in a pocket, and the keyboard is lacking a few too many symbols for comfortable terminal use, but overall it's been a very decent experience as a main phone.
I was on an M2 Macbook Pro with Asahi and it was great. It's really hard to fault Apple's hardware for most use cases.
I'm currently on a Strix Halo laptop (HP Zbook), which is about as expensive, and the hardware is great, but power efficiency and build quality lag leagues behind by Apple. A 4000 euro laptop still feels like a cheap toy.
reply