as far as I can tell, they're neither inventing their own algorithms nor implementing existing algorithms from scratch. that's what "Don't roll your own crypto" is supposed to mean, not "just use BitLocker"
> ... neither inventing their own algorithms nor implementing existing algorithms ...
Even if you just cobble together existing primitives from battle tested libraries, if you don't fully grasp their properties or interactions, you can still shoot yourself in the foot pretty heftily.
Particularly, encrypting data at rest is an entirely different beast on its own.
Personally, I don't really like blindly praying that old "don't roll your own crypto" mantra for this exact reason. It means so much more than "don't implement crypto primitives from scratch" which people seem to often interpret it as, but is IMO really poorly/vaguely phrased to convey that.
Well, I (and most security and cryptography experts I discussed this with) disagree, and I don’t think we’re going to find a canonical source for what the warning is supposed to mean.
Its broader version that includes protocols and formats easily applies here (although it is also arguably defeated because it didn’t stop this project from being published without caveats and making it to the HN front page).
I should probably listen to that podcast, but to me the "It's gatekeeping" thing is entirely annulled by experiences like this HN post. If I went a few years without seeing people ignorantly doing this I would re-think my stance, but I don't think I ever go more than a few months and I'm not paying that close attention.
I feel like it belongs in the same category as "Don't eat wild mushrooms". I know some people who are really interested in fungi and they definitely don't see this as gatekeeping, they see it as fewer dead people. Bad cryptography is less immediately deadly than eating the wrong mushroom, but on the other hand even tremendous incompetence (e.g. feed housemates delicious mushroom soup you made, oops that was poison, they're all hospitalised) has narrower consequences than for software which can trivially be spread to millions of people.
I wrote some crypto example software as a demo for an acquaintance (I was going to write "friend", but given subsequent events let's go with "acquaintance") last century, and I made sure to cover it in "Not for production use" warnings, but how sure can I ever be that the warnings were still on it when anybody else saw it? Perhaps I should rather have said "No".
The article is quite literally a[1] review of exactly how we might evaluate that, with evidence of people who got results.
[1] To be fair, way too wordy and blowhardated version. Alexander seems to be getting worse and not better. The core ideas here could be presented in about a third the space.
Ah, infotainment. Consumers love it, but the same is true of sugar and heroin. I write and help produce a podcast and we are constantly unhappy about the difference between what we think is important vs what people want to hear.
> The article is quite literally a[1] review of exactly how we might evaluate that, with evidence of people who got results.
the procedure seems more like a way to evaluate Anthropic-based AIs with different numbers of parameters, rather than an across-the-board evaluation of fine-tuned chat AIs, and then those results are extrapolated to somehow say something about all AIs that are built similarly.
unless I'm missing some key here, it feels like a rather loose way to derive experimental data from the landscape.
It made sense to me - an Uninterruptible Power Supply should be sized according to the power draw of a computer. If these were power hungry CPUs, you would need a really beefy UPS. So that's what I thought they were trying to say!
...and China.
I wholeheartedly agree with (2), but this is not the way to do it, for a number of reasons.