retrorangular's comments

> I also think the US is going to ban all non-US LLM providers from the US market soon for "security reasons."

Well Trump is interested in tariffing movies and South Korea took DeepSeek off mobile app stores, so they certainly may try. But for high-end tasks, DeepSeek R1 671B is available for download, so any company with a VPN to download it and the necessary GPUs or cloud credits can run it. And for consumers, DeepSeek V3's distilled models are available for download, so anyone with a (~4 year old or newer) Mac or gaming PC can run them.

If the only thing keeping these companies valuations so high is banning the competition, that's not a good sign for their long-term value. If you have to ban the competition, you can't be feeling good about what you're making.

For what it's worth, I think GPT o3 and o1, Gemini 2.5 Pro and Claude 3.7 Sonnet are good enough to compete. DeepSeek R1 is often the best option (due to cost) for tasks that it can handle, but there are times where one of the other models can achieve a task that it can't.

But if the US is looking to ban Chinese models, then that could suggest that maybe these models aren't good enough to raise the funding required for newer, significantly better (and more expensive) models. That, or they just want to stop as much money as possible from going to China. Banning the competition actually makes the problem worse though, as now these domestic companies have fewer competitors. But I somewhat doubt there's any coherent strategy as to what they ban, tariff, etc.

Yeah, many users choose weak passwords, re-use passwords, etc. Maybe most people can't be trusted with creating and using passwords. But probably even fewer users can be trusted to actually print off their MFA backup codes and store them in a separate place from where they live. A single instance of theft, fire, or flood, or other unfortunate events, could permanently destroy someone's digital life, which has major impacts on their real life (e.g. many banks are online only.)

Text message 2FA has the advantage that recovering your phone number is pretty achievable since carriers have physical stores you can go to with a photo ID (probably more difficult but not impossible with online-only MVNOs.) SIM swapping attacks through social engineering is definitely a risk for some people, but probably not most. Unfortunately with SS7 vulnerabilities, basically any text message 2FA code can be intercepted, so it's really unideal. I think SMS alone should not be enough for account recovery or login, but as a second factor, maybe for many people the benefits might outweigh the costs.

Password managers largely fix the issue of weak passwords and password reuse. If that's too complicated, one-time use email magic links also fixes the issue. Those have their own downsides, but if a site has a "forgot my password" feature that gets reset through email, you're not losing out on a ton of security through magic links.

Of course, the downside of that is that if you lose access to your email account, you're truly screwed. In the past, when email addresses were not given freely and people got email addresses through their ISPs, if you did lose access, maybe your ISP had some way for you to prove your identity (since you pay them each month) and regaining access to it. But there's effectively no customer support for free Gmail, Yahoo, Outlook, etc. accounts. Even if you own your own domain, that's just moving the issue to your domain name registrar, which also likely doesn't have a physical location you can go in person to verify at.

If there was some guaranteed official way of proving your identity and regaining access to your email account, then I think that'd fix a lot of issues. Unfortunately that'd come with privacy risks, as it'd require having a real ID associated with your email. But MFA through hardware authentication devices (e.g. Yubikey) or through software MFA (e.g. Authy, Google Authenticator, etc.) could remain an option for privacy concerned users if they wished to avoid using a real ID for account login/recovery.

Unfortunately no perfect solutions so far, but I think Microsoft's approach here (quite similar to many other companies) may be too risky for the general population. I think companies, universities, etc. should fully lean into secure MFA, as they can easily resolve the problem if an employee or student loses their phone or hardware authentication device. But that option doesn't exist for personal email and other user accounts. There's a huge number of people in the developing world with only a single device (a phone, no other computer) and no printer for printing off backup codes (I guess you can write them down by hand, but in practice very few people anyplace will do that.) I'm not sure Microsoft (or other companies') passwordless by default approach fits that scenario. A strong, unique password for email, and then magic links for other accounts, might be a better approach for consumer accounts.

To what benefit though? People in the US currently provide advanced services such as software sold to people everyplace, and people in developing nations are manufacturing cheap goods, sold to people everyplace.

After tariffs, people in the US are (maybe) manufacturing cheap goods, sold mostly only here, and developing nations continue to manufacture cheap goods for the rest of the world, and fewer people are providing advanced services such as software.

Overall, the world just becomes poorer and has fewer useful services provided. Yes, the US becomes less dependent on the rest of the world, but the rest of the world also becomes less dependent on the US. Material wellbeing of everyone is worse off.

But that's assuming all went to plan. In practice, it's hard to see how they would even achieve bringing manufacturing here through tariffs. Crashing the stock market is a sure-fire way to ensure the next administration (3.5 years away) will revoke them. You could install a dictatorship, but that makes it even less likely for companies to invest in the US. In practice, this will likely just make Americans poorer, but not bring any meaningful amount of manufacturing jobs back. Pretty much the epitome of "cutting off your nose to spite your face."

Many here are anti-war, not pacifist. They disliked the US starting wars. Likewise, they dislike Russia starting wars. That's neither astroturfing nor people turning violent. Quite the opposite: many abhor violence, and letting people invade other countries without consequence does not lead to a world with less violence.

People don't want the US to interfere with domestic politics in Ukraine, they want it to help the national government that has overwhelming support from the local populace fend off an invasion from a foreign nation. They're not in favor of overthrowing the government, they want to prevent that very thing from happening.

The tool could include all known open source fonts, and for the rest, maybe could have a model recreate missing fonts for non-patented fonts, as while font files (.ttf, .otf, .woff, etc.) are copyrighted, styles usually do not have design patents, so tracing and re-creating them is usually not an issue as far as I'm aware (not a lawyer.) [1]

Though if it accidentally "traces" one of the few exceptions, then you've potentially committed a crime, and the big difficulty in typeface detection you mention increases those odds. That said, there are so few exceptions that even if the model couldn't properly identify a font, it might be able to identify whether a font is likely to have a design patent.

I do think getting an AI to create a high quality vector font from a potentially low-res raster graphic is going to be quite challenging though. Raster to vector tools I've tried in the past left a bit to be desired.

1. https://www.copyright.gov/comp3/chap900/ch900-visual-art.pdf

> As a general rule, typeface, typefont, lettering, calligraphy, and typographic ornamentation are not registrable. 37 C.F.R. § 202.1(a), (e). These elements are mere variations of uncopyrightable letters or words, which in turn are the building blocks of expression. See id. The Office typically refuses claims based on individual alphabetic or numbering characters, sets or fonts of related characters, fanciful lettering and calligraphy, or other forms of typeface. This is true regardless of how novel and creative the shape and form of the typeface characters may be.

> There are some very limited cases where the Office may register some types of typeface, typefont, lettering, or calligraphy, such as the following:

> • Pictorial or graphic elements that are incorporated into uncopyrightable characters or used to represent an entire letter or number may be registrable. Examples include original pictorial art that forms the entire body or shape of the typeface characters, such as a representation of an oak tree, a rose, or a giraffe that is depicted in the shape of a particular letter.

> • Typeface ornamentation that is separable from the typeface characters is almost always an add-on to the beginning and/or ending of the characters. To the extent that such flourishes, swirls, vector ornaments, scrollwork, borders and frames, wreaths, and the like represent works of pictorial or graphic authorship in either their individual designs or patterned repetitions, they may be protected by copyright. However, the mere use of text effects (including chalk, popup papercraft, neon, beer glass, spooky-fog, and weathered-and-worn), while potentially separable, is de minimis and not sufficient to support a registration.

> The Office may register a computer program that creates or uses certain typeface or typefont designs, but the registration covers only the source code that generates these designs, not the typeface, typefont, lettering, or calligraphy itself. For a general discussion of computer programs that generate typeface designs, see Chapter 700, Section 723.

The antidote to XKCD 538 can be steganography. They won't beat you with a $5 wrench if they don't suspect you of doing anything at all. End-to-end encryption can become illegal, but as long as you can run arbitrary code on your machine, you can hide and decode messages with steganography. JavaScript can do the job, so even locked down mobile devices will work if you go to CodePen, JSFiddle, JSBin, etc.

Steganography isn't some magic shield to avoid surveillance though. If authorities are already monitoring you for some other reason, then they can burn a zero-day exploit and see anything you do on your device. And if your entire city is covered in cameras with facial recognition, well... you can have your secret messages but I don't know what kind of resistance you're going to be putting up. So to some degree you're right that you can't fully ignore policy and politics.

Not sure how to get most of the public to care though. I get most people have more immediate concerns in there lives, and crime is a legitimate issue, but even a cursory knowledge of history will show the hell life can be under authoritarian governments. I think far too many people think "it can't happen here", which seems insane considering how often it has occurred even in liberal democracies (Spain, Portugal, Germany, Italy, Argentina, Chile, and many more.) In less liberal and less stable democracies, it has happened even more times. I'm not sure why people have some unfounded faith that their government could never become authoritarian and oppressive.

I'm not saying take down every CC camera and get rid of intelligence agencies -- they are important tools for fighting crime. But there's a difference between a few traffic cameras and CC cameras in places people would presumably commit a crime, and burning targeted exploits for surveillance of truly notorious criminals, and just mass surveillance through banning end-to-end encryption. With zero-day exploits, the government is inherently limited in the surveillance they can do, so it's a limiting factor on their potential for abuse, as the more they use it, the more likely they are to be discovered and patched. But with no end-to-end encryption, the potential for abuse is limitless.

Ironically, I couldn't access this page while using Tor. Reading it from another device though, it seems like a great announcement, I love the idea.

I also would be interested in a service like this for attestation on other sites. Device attestation has chilling privacy implications, but if you could have a paid service with a presumably trusted entity like Kagi attest that you are a legitimate user (but hide your identity), maybe more of the Internet could be browsed anonymously, while still minimizing spam.

I get why many sites currently block Tor and VPN users, or even users in incognito or without a phone number, as the Internet is essentially unusable without anti-spam measures. That said, I do think anonymity has its place (especially for browsing, even if commenting weren't allowed), and maybe ideas like this could allow for anonymity without the Internet being riddled with spam.