At my previous company we had a subscription to Spur Intelligence. It is like Palantir for IP address info, and probably the closest to what you are talking about.
They recently added GeoIP to their data and in the bit of testing I was able to do before I left it was scary good. I also had an amusing chat with one of their engineers at a conference about how you can spoof IPInfo's location probes...
If you're doing latency-based probing, location spoofing is presumably possible to an extent by adding artificial delays and possibly spoofing ICMP "TTL expired" packets like https://github.com/blechschmidt/fakeroute
I am not sure whether this kind of IP spoofing will impact our accuracy because we will likely identify the noise and behavioral anomaly and discard the location hint derived from traceroute.
We have tons of historical traceroute data patterns, and generic traceroute behaviors are likely modeled out internally. So, if you can spoof the traceroute to your IP address, our traceroute-based location hint scoring weight for that IP address will decrease, and we will rely on the other location hints.
You have to be extremely deliberate to misguide us. But I would love to see this in action, though.
Yeah, I doubt there are more than a couple of hosts on the entire internet serving fake traceroutes anyway. Even finding hosts that don't enforce BCP38 requires quite some effort these days.
I don't think it is fair to IPInfo to give the specifics publicly, because once you have the "ah ha" moment you realize it is an entire class of difficult-to-address problems with how they use their sensor network. That knowledge only helps the bad guys.
We are actively trying to improve our system and build it as figuratively 'antifragile'. We cannot afford to get comfortable and we need to constantly find faults in it. If you know anything, you can contact our founder or me directly.
The problem is that everyone knows we are the most accurate data provider and our growth is exponential. To my knowledge, most cybersecurity teams use our data to some degree. We cannot risk having any secrets out there that could disrupt the accuracy of the system. We are aware of several cases where accuracy may be affected, with the most notable being adversarial geofeed submissions.
If the issue is an adversarial geofeed submission, it is a well-known problem. When active measurement fails, we have to fall back to some location hint. There are layers of location hints we have to fall through before ultimately landing on echoing the geofeed location hint.
But aside from that... I'm not sure what could possibly impact us. A substantial systemic malicious change in data accuracy seems highly unlikely and quite impossible.
> In the repo where we're building the agent, the agent itself is actually the #5 contributor
How does this align with Microsoft's AI safety principles? What controls are in place to prevent Copilot from deciding that it could be more effective with fewer limitations?
Copilot only does work that has been assigned to it by a developer, and all the code that the agent writes has to go through a pull request before it can be merged. In fact, Copilot has no write access to GitHub at all, except to push to its own branch.
That ensures that all of Copilot's code goes through our normal review process which requires a review from an independent human.
HAHA. Very smart. The more you review the Copilot Agent's PRs, the better it gets at submitting new PRs... (basics of supervised machine learning, right?)
It's a bit more complicated than that. When the state makes something legal and refuses to prosecute, it can do so because it possesses sufficient sovereignty for that under the commandeering doctrine. But the relationship between the state and its municipalities is not equivalent - the state has all the sovereignty while the municipalities only have such power that the state delegates to them, and that power can always be withdrawn (in the most extreme case, by de-chartering). Thus, the state can actually force San Francisco to remove this law, and compel its law enforcement agencies to enforce state law. It just chooses to not do so.
> An English teacher in high school witnessed her friend jump to her death from a balcony after taking LSD. The woman said she felt light as a bird, took off running, hopped up a chair and dove over the railing to the pavement 20 feet below. She broke her neck.
What behavior could be prosecuted here except for giving someone LSD without supervision?
The trope of people jumping out of windows on LSD is entirely Art Linkletter's fault for not being able to accept his daughter's suicide, but instead blaming it on the fact that she had mentioned that she had done LSD before.
Since, if you're on LSD (or pretending to be) and acting out, the first thing you're expected to do is talk about how you can fly and threaten to jump out of the window. It's silly. No part of LSD makes upper-floor windows magnetic, and the trope has proved longer lasting than the memory of Art or Diane Linkletter.
> Diane’s death helped spread a widespread urban legend that lives on to this day, although it was around well before her fatal plunge. According to a popular story that warns young people about the dangers of drug use, “some girl” jumps from a window while on an acid trip because the drug fools her into thinking she can fly. The claims immediately made after Diane’s death that she had been on LSD, coupled with her method of suicide, seemed to some to fit this existing cautionary tale, and afterwards her demise was pointed to as an example of this legend’s coming true.
> No part of LSD makes upper-floor windows magnetic
Salvinorin-a on the other hand has (slightly?) more potential for this scenario. Users can experience what they call “salvia gravity,” a sensation of being pulled in some particular direction, which they follow with their body. I saw someone curl into and begin to lean against a 2nd-floor window screen. His friends kept him safe for the ~7 minutes the trip lasted. If he had been alone though, he could have fallen out.
I don’t know how common that effect is, and it’s quite different from the folklore of people thinking they can fly on acid. This is just a PSA for the few people who are interested in trying that particular drug.
We should prosecute the US institute of traffic engineers since it’s literally in their model policy that streets must be designed so you can go fast enough to kill yourself, and the correct number of pedestrian deaths before considering any mitigations is significantly more than none.
So if you go faster than kill-yourself speed a missile gets fired and evaporates you? Or how are you supposed to make a street that doesn't allow you to go fast enough to kill yourself?
> SpaceX could absolutely launch a mars mission with their existing rocket platforms and launch infrastructure.
Which highlights the major difference between public and private sector exploration. SpaceX killing everyone on their first attempt is a tragedy and they quickly move on, NASA doing it is a 10 year halt to any further work until a full public investigation takes place.
If it wasn't already, you aren't paying attention.
Cloudflare is quite literally the largest bulletproof hosting provider for bad actors on the internet, and unless you know someone at the company personally takedowns are like pulling teeth.
Not to mention that CF's policy is to forward takedown requests, unredacted, to the site you're trying to take down. CF users like KiwiFarms have been weaponizing this policy for years by publishing their takedown requests, knowing their userbase will seek retribution against whoever sent them.
I'm suggesting there should be a path to complain to Cloudflare without the site being put into the loop, for cases like this where the site is not acting in good faith.
There is. Twitter mobs seem very effective these days.
The problem is what they do is legal, beneficial (because we have a lot of bad people) but not without downsides (again, because it helps some (or the same) bad people).
Since there's no easy way to sort out people and content it's hard to fault them for not doing so.
If what they were doing were 100% bad then it would be politically straightforward to ban it. But we already ban those things.
So what's needed is better systems, models, rules, processes that help with one of the underlying problems (e.g. we need to either reduce the number of bad people or we need to get better at sorting content), then it again becomes politically simple to pressure providers to actually do better.
(One of the possible things that could be improved is a better way to do incremental changes. Currently CF can drop clients once, so they are not going to take this lightly. If there were other ways to signal to clients that they are doing something problematic that would incentivize CF to utilize that incremental tool more.)
> CF users like KiwiFarms have been weaponizing this policy for years
If your complaint is that the host should be the only one to see the full report then your point doesn't stand since Josh pays to have his own ASN so he can personally handle reports for it.
If your point is that only Cloudflare should have the name I don't think it counts as a valid DMCA takedown since it's not like you have a signed document from the copyright holder or someone on their behalf.
You can get a Windows machine, but they are not trusted devices and you can't access a lot of stuff. (At least that was the case a few years ago when I left.)
> I suggested to move a device of theirs already on that network, closer to the overhead projector
What you didn't know is that it wouldn't work.
There is also an expectation that you don't just randomly start changing things in shared conference rooms. If there is an issue, you open a GUTS ticket and someone comes and solves the problem. Chances are if you discovered a real issue, there are 90 other rooms with the same issue that also would be updated.
For the longest time Drive never actually enforced user quotas. This was recently "fixed" and they are getting things under control.
Quota enforcement was a blocker for official Drive Linux support because it would have made the abuse issues even worse. (Not saying it's going to happen now, but one blocker has been cleared.)
Could you explain what you mean by this? Why would an official Linux client lead to more abuse compared to the current situation of several unofficial clients in common use?