Does it? It says “We won’t use this data to train new Claude models”. Couldn’t the wording “new Claude models” allow them to use it on their existing ones? It’s vague enough to me, at least.
That helps. I must've just missed it when it said 4.7. Most articles just state 4.7 (or 4.8) though a few are now saying "preliminary magnitude of 4.7." By the time I saw it, it said M 4.8 mwr with uncertainty ± 0.0.
So far, every time I use Bard it gives me an incorrect answer. But I am happy with how fast it returns it, at least. I haven't had that problem with Bing chat (at least in the past few months), which has pretty much changed the way I search.
That being said, I hope Bard improves drastically. It would be nice to have more competition from them in this space.
I find that Bard does a pretty good job when I query it against my GMail (using @gmail, what is on my schedule?) and Google Docs. Too bad it is not integrated with Google Calendar.
I attended a seminar on the office binary file formats about 10 years ago at MS. The reason it was done was for performance reasons, including the wonky layout that made it quicker to save and read the file from slow media like floppy discs.
> The file format is contorted, where necessary, to make common operations fast. For example, Excel 95 and 97 have something called “Simple Save” which they use sometimes as a faster variation on the OLE compound document format, which just wasn’t fast enough for mainstream use. Word had something called Fast Save. To save a long document quickly, 14 out of 15 times, only the changes are appended to the end of the file, instead of rewriting the whole document from scratch. On the hard drives of the day, this meant saving a long document took one second instead of thirty. (It also meant that deleted data in a document was still in the file. This turned out to be not what people wanted.)
The underlying file format, COM Structured Storage, is basically filesystem-in-a-file, and works much like FAT. So, bits of deleted data would be floating around even without any performance hacks used by the app itself.
> If you find password protected zips in the release the password is probably either "Intel123" or "intel123". This was not set by me or my source, this is how it was acquired from Intel.
Can't say I'm surprised, people are lazy.
Another large tech company I used to work for commonly used an only-slightly more complex password. But it was never changed, so people who had left the team still could have access to things if they knew the password. It was an entry point into the system more than the company's Red team.
Password protection may have been used to bypass antivirus and other filters. While you should treat dumps like this with a lot of suspicion, treat password protected zips with a heaping dose of care as they may have been used to evade automated defenses.
Antivirus are some crazy shit that may trigger on any random action and will teach people to follow the most unsafe procedures without questioning, so they can get anything done.
I've heard it put this way: If you force users to trade convenience for security, they will find a way to obtain convenience at the expense of security.
> If you force users to trade convenience for security
I _wish_ it was better security they were making the trade for. It often isn't though. These programs are large, expensive, and don't do much most of the time. I feel there's a perverse incentive for developers to make their AV products as noisy as is possible to justify their own existence.
And yet.. even with full AV rollouts locked down at the highest level, bad actors still get into networks and exploit them. So, to me it feels like our users are trading away their convenience for our misguided CYA policies.
The truth is, you don't need much in the way of AV software if you are willing to outright block certain types of files.
In most large corporations you are basically not allowed to send anything that could even potentially hide a virus except for maybe Office files (nobody yet built a compelling alternative to Powerpoint and Excel).
Typical rules already block all executable binaries, scripts and password protected archives (because they could hold binaries or scripts), etc. As a Java developer I have recently discovered my company started blocking *.java files.
A lot of this stuff (AV software) is getting deployed at all different layers of the environment. Firewalls are getting better at dynamic file analysis and file blocking, the endpoints are loaded with user behavior/analytics, AV and DLP tools. AV is so omnipresent because it's in a decent amount of netsec appliances these companies stand up.
I could be mistaken on this, but wasn't this basically the sales pitch for Spotify? Basically saying "you'll never get rid of piracy, but you can compete with it".
This was the sales pitch for iTunes and the iTunes store:
"We approached it as 'Hey, we all love music.' Talk to the senior guys in the record companies and they all love music, too. … We love music, and there's a problem. And it's not just their problem. Stealing things is everybody's problem. We own a lot of intellectual property, and we don't like when people steal it. So people are stealing stuff and we're optimists. We believe that 80 percent of the people stealing stuff don't want to be; there’s just no legal alternative. So we said, Let's create a legal alternative to this. Everybody wins. Music companies win. The artists win. Apple wins. And the user wins because he gets a better service and doesn't have to be a thief."
Another point of reference: because they had no legal ground to stand on, HBO targeted Canadian torrenters of Game of Thrones with an e-mail saying, among other things, "It's never been easier to [watch Game of Thrones legally]!"
This was true, it had never been easier. It had also never been harder. For the entire time that Game of Thrones was being aired, the only legal way for Canadians to watch it was to pay about a hundred dollars per month for cable and the cable packages that would give them HBO. You could buy it on iTunes, but only as a season, after the season was over.
So yeah, I kept torrenting it, everyone I know kept torrenting it, and everyone hated (or laughed at, or both) HBO the whole time.
Here in the UK, Sky offer a cheap 'over-the-top' streaming alternative to their satellite offerings, [0] so you could watch Game of Thrones for £8/month, provided you didn't mind the inferior video quality.
I meant HBO! I think GoT season 1 is the only season that's had a release at that res so far.
I was really hoping to get an HDR version of the "The long night", to address some of the banding and other visibility problems present in the episode, and maybe see a bit more of what went on. But there isn't one yet. So I watched it with the lights out so that my eyes adjusted :)
But yeah, you're probably right, NowTv has massive potential to undercut their main offering.
It's true, and often it's not laziness - corporate security measures are often focused only on denying access, and they're so overbearing that, were they followed to the letter, they could easily shut the company down. It's through workarounds that actual work gets done.
Sounds like a large organizational incentive integration failure where subpieces are at odds such that they care more about dodging blame and outside of their domain it isn't their problem. "Not My Fault/Not My Problem" as a toxic approach making balancing decisions worse.
I remember having issues with a corporate email system where base64/uuencoded data would fail to get through with a very rough dependency on size - large files had a smaller chance of getting through but it was clear that there wasn't a hard size limit. Eventually someone twigged that the problem was a "rude word" scanner, and that beyond a certain size you would hit the "scunthorpe" problem, and forbidden words would appear in the ASCII text randomly.
The thing is, usability is security. People will do anything to be able to do their job (because people like being able to, you know, eat and stuff). Things that stop you doing your job are bad for security.
I wish more of the security industry would get their frigging heads around this. PGP did less for messaging security over decades of availability than iMessage and Signal did in a few weeks of availability.
This 100%. I recall many a fun night at $BIGCORP burning the midnight oil, receiving the warning emails that my "unauthorised software" had been reported to my manager, and that it had been quarantined away for my own safety and convenience. Given that $BIGCORP was a tech firm my manager would be intensely delighted that they would receive regular midnight notifications that I was doing my job. Whatever that damn thing cost it would have been cheaper to let the malware do its thing.
Windows development seems to be fun as of recently. Didn't touch it for a couple of decades.
Sometimes I think that modern Windows is a nice platform already, even comfortable. (Like, you know, C++17 is very unlike C++98.) But then I'm reminded of the necessity to run an antivirus in front of it in a corporate environment.
I intensely dislike corporate "security product" culture. For whatever reason, every IT department thinks that you have to ruin Windows with tons of invasive antivirus and monitoring software. I've seen zero evidence that these performance-killing tools are necessary. It's all theater. Microsoft itself doesn't do this shit to Windows, and neither should anyone else.
There was a discussion in our IT Security department about how to install McAfee on CoreOS servers. (For the uninitiated, CoreOS is a Linux distribution that comes without a package manager. It's intended as a base to run containers on, so you would deploy all software via container images.)
I remember someone suggesting to put McAfee into a fully isolated container that only exposes the port where it reports compliance, allowing it to scan itself to death all day long.
At one company, Symantec would also quarantine the compiler and build system. It certainly made builds exciting to have the antivirus playing Russian roulette with the entire toolchain.
Every time I went to configure a toolchain on Jetbrains' CLion, Cmake would create some test files and compile them. Windows Defender deleted every file and even the embedded toolchain. Fun :)
"You must exclude our program sub directory because temporary files are created containing interpreted code and your antivirus will either block it outright, or lock the file so long you get application timeouts"
In February, I e-mailed a python script to one of our developers to help debug an issue with their SSL configuration.
Two days ago, I needed the script again but couldn't find it. Went to our e-mail thread and it said "the following potentially malicious attachments were blocked", showing mine, but... even from my outgoing mailbox? That seems ridiculous and problematic, considering that it sent fine at the time.
I know that e-mail shouldn't be used as a replacement for Sharepoint or Dropbox or whatever, and I should have a local copy of what I need, but it just seems annoying and arbitrary.
Anyway, I just logged into Outlook Web and downloaded it from the message there. Problem solved.
If I had to deploy AV for mail, I would absolutely scan outgoing mail as well. Imagine if some compromised mail account in my org sends malware to accounts in other companies. These companies could then sue my company for negligence if they can show that we did not scan our mail for viruses on outbound (which could potentially be done by examining mail headers).
This has happened to me with gmail. Zipfiles I had sent in the past are no longer allowed to be downloaded from my sent items folder through the standard interface.
To be fair, emailing binaries (apart from known types such as images, PDFs, etc.) is a rare enough use case for legitimate purposes and an easy enough way of spamming malware to clueless random people that it's probably a reasonable default for gmail.
Having an option to allow them might be okay though. (I barely use gmail so I don't know if it has one or not.)
For not sending binaries by email - there is no shame to being young in this case as it means never developing the bad habits.
Before Dropbox and similar it was far more a norm and various file sharing systems like SharePoint may wind up not actually used. Non-computer technical people often do so in companies all the time and practically use it as an ersatz version control system to the cringe of IT.
We just rename our files with .novirus on the end. I assume the main point is to stop executables from outside running with a click, or internal forwards of the same by compromised users which is why it's so easy to bypass.
Yes. Whenever I email or transfer a zip via any method really I always put a basic password on it.
I've been bitten way too many times by dumb filters that pick some file out of the zip and declare that it is malicious. I also don't trust messenger apps to not pull my files out and do who knows what with them. A basic password prevents this junk 99% of the time for almost no effort.
It won't stop a determined system from cracking the password. But that isn't what I'm trying to defend against.
This brings back happy memories of a college (senior high for the Americans in the audience) computing teacher finding a friend and I had been writing irritating malware instead of doing actual work, and his only comment being “if you’re going to email that to yourself change the extension so it doesn’t get flagged for IT support”.
Gmail won't even let you send a JAR file, or a zip you made out of a project where it happens to be a .jar file somewhere deep in some random subdirectory.
I left Intel a couple of years ago; that's exactly what passwords were used for. It was pretty annoying to try to send files, and putting them in an encrypted archive was the most convenient method.
It was not just for binaries but for scripts, html, etc.
I was an admin for a medium sized company and handled their websites. Almost all of them (about a dozen or so) were hosted on Go Daddy. Plus they had about two dozen reserved domains they were sitting on like www.yourcompanysucks.com and others.
I left the company 5 years ago. Just checked the login to see if it still worked.
Yeap.
Any disgruntled employee could change the password, lock them out of all of their sites (including several e-commerce sites that account for a large chunk of revenue) and then if they really wanted to, delete all of them.
I remember talking to the main network guy about any backups when a lot of the ransomware stuff was making the rounds. The big, really big stuff on their network (mostly ERP stuff) was backed up in two or three places. Their web stuff? Yeah. . . NOPE.
Pretty scary how lazy people are about stuff like that.
I wonder if a malware should just grep for "pw:" or "password:" and then try the string it finds against anything encrypted. Or forward it to the control center.
I worked for a company that made servers. In the on board management system's source code I remember seeing "base64 encryption". I think they removed it by the time I left, but still.
A company I know insists on rotating passwords fairly often. Everybody just increases the number at the end of their favourite password, i.e. intel1255.
I once worked at a place that required passwords to be changed every month and contain at least one upper and lower case letter, digit, and punctuation, and not match any previous password.
So the password for August, 2020 would be “August, 2020”.
This is super common, to the point where Microsoft used a similar password scheme as an example when talking about password spraying attacks at an RSA conference presentation.
It's why I'm advocating within my organisation to get rid of password expiration and enforce 2FA for clients, but there's a lot of inertia to push against with some of them. At least uptake of 2FA is consistently increasing.
If you need backup, NIST standards agree with you.
Scheduled password expiration weakens security by encouraging users to make predictable passwords, and by entrenching password resets as a routine and unscrutinized process.
Many DoD websites are the same. It's so annoying. I use a password manager at home but at work I don't have that luxury (installable software is tightly controlled and very limited).
Also, the passwords are listed in docs that appear to be alongside the encrypted files. That's a bit like leaving the keys to your house _on top_ of your front doormat.
It's kinda like hiring a security guard for insurance purposes, even though they have strict instructions to never do anything, under any circumstances, other than call emergency services.
At my first job they used a similar password as their go-to "temporary" password for users etc. I found later when I got to work with the users that they rarely changed this password even when "forced" to, and in many cases had it up on post-its next to their monitor.
> and in many cases had it up on post-its next to their monitor.
These days a post it is probably the best way to secure your password.
99.9999999% of password hacks come over the wire now, from people in other cities, states, or nations. If someone is in your building, in front of the computer, even without the post-it, you're probably toast.
I agree! I particularly liked the one using a two-way plastic mirror and webcam, so that you can maintain eye contact when you're video calling someone. Similar principle to a teleprompter.
Yeah, I didn't understand and jumped straight to the comments to see if there was an easy explanation here. Guess I should have clicked "How?" at the top.
Even after reading that page, I didn't understand that this was a suggestion to start regularly archiving old versions of the site and only sending visitors there if their link didn't point to anything on the current site. Instead, I thought the idea was that, for software reasons I don't understand, web developers commonly changed the subdomain name for the main site and this was just a method for reducing the number of broken links when such a change was made.