Damn. I would probably try a more mainstream distro for Optimus support, like Pop_OS! or Debian/Ubuntu with non-free repos enabled.
I remember Bumblebee was a thing back in 2013, but it seems that it hasn’t been updated since then: https://www.bumblebee-project.org/
Optimus as in Nvidia Optimus? I remember struggling with that under Linux in 2013. I would have thought it was supported by now. (Unless of course it’s another “Optimus”, in which case just ignore me.)
Your point is valid regardless but the article mentions nothing about AI. (“Algorithm” doesn’t mean “AI”.)
so it’s probably just some points assigned for the answers and maybe some simple arithmetic.Why yes, that’s all that machine learning is, a bunch of statistics :)
I know, but that’s not what I meant. I mean literally something as simple and mundane as assigning points per answer and evaluating the final score:
// Pseudo code
risk = 0
if (Q1 == true) {
risk += 20
}
if (Q2 == true) {
risk += 10
}
// etc...
// Maybe throw in a bit of
if (Q28 == true) {
if (Q22 == true and Q23 == true) {
risk *= 1.5
} else {
risk += 10
}
}
// And finally, evaluate the risk:
if (risk < 10) {
return "negligible"
} else if (risk >= 10 and risk < 40) {
return "low risk"
}
// etc... You get the picture.
And yes, I know I can just write if (Q1) {, but I wanted to make it a bit more accessible for non-programmers.
The article gives absolutely no reason for us to assume it’s anything more than that, and I apparently missed the part of the article that mentioned that the system had been in use since 2007. I know we had machine learning too back then, but looking at the project description here: https://eucpn.org/sites/default/files/document/files/Buena practica VIOGEN_0.pdf it looks more like they looked at a bunch of cases (2159) and came up with the 35 questions and a scoring system not unlike what I just described above.
Edit: I managed to find this, which has apparently been taken down since (but thanks to archive.org it’s still available): https://web.archive.org/web/20240227072357/https://eticasfoundation.org/gender/the-external-audit-of-the-viogen-system/
VioGén’s algorithm uses classical statistical models to perform a risk evaluation based on the weighted sum of all the responses according to pre-set weights for each variable. It is designed as a recommendation system but, even though the police officers are able to increase the automatically assigned risk score, they maintain it in 95% of the cases.
… which incidentally matches what the article says (that police maintain the VioGen risk score in 95% of the cases).
The crucial point is: 8% of the decisions turn out to be wrong or misjudged.
The article says:
Yet roughly 8 percent of women who the algorithm found to be at negligible risk and 14 percent at low risk have reported being harmed again, according to Spain’s Interior Ministry, which oversees the system.
Granted, neither “negligible” or “low risk” means “no risk”, but I think 8% and 14% are far too high numbers for those categories.
Furthermore, there’s this crucial bit:
At least 247 women have also been killed by their current or former partner since 2007 after being assessed by VioGén, according to government figures. While that is a tiny fraction of gender violence cases, it points to the algorithm’s flaws. The New York Times found that in a judicial review of 98 of those homicides, 55 of the slain women were scored by VioGén as negligible or low risk for repeat abuse.
So in the 98 murders they reviewed, the algorithm put more than 50% of them at negligible or low risk for repeat abuse. That’s a fucking coin flip!
I don’t think there’s any AI involved. The article mentions nothing of the sort, it’s at least 8 17 years old (according to the article) and the input is 35 yes/no questions, so it’s probably just some points assigned for the answers and maybe some simple arithmetic.
Edit: Upon a closer read I discovered the algorithm was much older than I first thought.
The article mentions that one woman (Stefany González Escarraman) went for a restraining order the day after the system deemed her at “low risk” and the judge denied it referring to the VioGen score.
One was Stefany González Escarraman, a 26-year-old living near Seville. In 2016, she went to the police after her husband punched her in the face and choked her. He threw objects at her, including a kitchen ladle that hit their 3-year-old child. After police interviewed Ms. Escarraman for about five hours, VioGén determined she had a negligible risk of being abused again.
The next day, Ms. Escarraman, who had a swollen black eye, went to court for a restraining order against her husband. Judges can serve as a check on the VioGén system, with the ability to intervene in cases and provide protective measures. In Ms. Escarraman’s case, the judge denied a restraining order, citing VioGén’s risk score and her husband’s lack of criminal history.
About a month later, Ms. Escarraman was stabbed by her husband multiple times in the heart in front of their children.
It also says:
Spanish police are trained to overrule VioGén’s recommendations depending on the evidence, but accept the risk scores about 95 percent of the time, officials said. Judges can also use the results when considering requests for restraining orders and other protective measures.
You could argue that the problem isn’t so much the algorithm itself as it is the level of reliance upon it. The algorithm isn’t unproblematic though. The fact that it just spits out a simple score: “negligible”, “low”, “medium”, “high”, “extreme” is, IMO, an indicator that someone’s trying to conflate far too many factors into a single dimension. I have a really hard time believing that anyone knowledgeable in criminal psychology and/or domestic abuse would agree that 35 yes or no questions would be anywhere near sufficient to evaluate the risk of repeated abuse. (I know nothing about domestic abuse or criminal psychology, so I could be completely wrong.)
Apart from that, I also find this highly problematic:
[The] victims interviewed by The Times rarely knew about the role the algorithm played in their cases. The government also has not released comprehensive data about the system’s effectiveness and has refused to make the algorithm available for outside audit.
I read every single word of it, twice, and I was laughing all the way through. I’m sorry you don’t like it, but it seems strange that you immediately assume that I haven’t read it just because I don’t agree with you.
This is such a fun and insightful piece. Unfortunately, the people who really need to read it never will.
I get notifications for calls (obviously), SMS messages (of which I receive an average of 1 per month) and IMs from my immediate family. Everything else I check up on when I actually feel like I have the time for it. This has dramatically reduced the number of emails and other things I forget to reply to/act on, because I see them when I want to and when I have the time to actually deal with them; not when some random notification pops up when I’m doing something else, gets half-noticed and swiped away because I’ll deal with it later.
The headline is supposedly CISA urging users to either update or delete Chrome — it’s not Chrome/Google itself. However, I’m having trouble finding the actual CISA alert. It’s not linked in the article as far as I can tell.
Ah, cool. I do have WSL installed on every Windows box I use regularly, but it’s good to know for when I run into a more locked down machine.
Seems a bit excessive to install WSL just to get an SSH client.
Using a password manager I’d have to copy-paste or remember each password. Not all have a web interface.
Then pick one that has a web interface or a CLI, Bitwarden has both and is free. KeePass databases can be hosted on your NAS and accessed to CLI tools. There are plenty of options. Or use passphrases (which are just as good as—or better than—complex passwords) and just type them? I use Bitwarden for literally each and every password/lock code/PIN that I have, and I have plenty of Pis and other things that don’t let me easily log into Bitwarden, but finding “Excentric4-Waxing-Adopted-Giraffe” on one device, and typing it in another really isn’t much of a hassle. (Also, why not just SSH into your Pis? Then you only need to worry about accessing a password manager on the machine you’re opening the SSH connection from.)
From the comments on this post it seems that you’re mostly looking for validation of the idea you originally had rather than actual feedback on how secure that idea is. You’re obviously free to manage your passwords exactly as you want, but this idea of a “base password” is objectively less secure than the alternative put forward by many people in these comments, namely to use the Yubikey to log into a good password manager that then handles all the different (completely unique) passwords.
There are always instances where doing things the best and most secure way is more cumbersome, and it’s up to you to decide if you want all of your passwords to be poor (and difficult to change, in this case) just because you occasionally need to log into something that doesn’t neatly integrate with a password manager.
Why not use the Yubikey for the master password on a KeePass DB (or another password manager) and then use actual different passwords—not just prefixed ones—saved in said password manager for your logins?
It doesn’t matter if your base password is a 255 character high-entropy annoying-to-type-manually-on-a-phone-keyboard or a 16 character string of alphanumeric characters if you reuse it in a slightly predictable manner. For it to be somewhat secure, the prefix would have to be completely random, which kinda defeats the idea of you being able to remember them. A “base password” is, to be frank, only one small step up from using the same password everywhere.
And as someone else pointed out, it makes it very difficult to change passwords, which also should be a huge red flag.
Take a look at the leaks on Have I Been Pwned and see how many of them include either clear text passwords or extremely weakly hashed (perhaps even unsalted) passwords. If you show up in just one or two of those, then you’re in a significantly worse position than you would be had you just used different passwords.
A little more info in the title than just the CVE number would make these posts a lot more useful.
As I said, I skimmed through it and wasn’t sure exactly what I was looking for.
I’ve skimmed through the whole thing, but I’m unsure what you’re referring to. A little help, please?
Odd. I replied to this comment, but now my reply is gone. Gonna try again and type up as much as I can remember.
Regardless, an algorithm expecting binary answers will obviously not take para- and extralinguistic cues into account. That extra 50 ms hesitation, the downwards glance and the voice cracking when answering “no” to “has he ever tried to strangle you before?” has a reasonable chance to get picked up by a human, but when reducing it to something that the algorithm can handle, it’s just a simple “no”. Humans are really good at picking up on such cues, even if they aren’t consciously aware that they’re doing it, but if said humans are preoccupied with staring into a computer screen in order to input the answers to the questionnaire, then there’s a much higher chance that they’ll miss them too. I honestly only see negatives here.
Arguably a piece of paper could solve that problem.
Seriously. 55 victims out of the 98 homicide cases sampled were deemed at negligible or low risk. If a non-algorithm-assisted department presented those numbered I’d expect them to be looking for new jobs real fast.