CINXE.COM

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><script type="text/javascript">/* <![CDATA[ */_cf_loadingtexthtml="<img alt=' ' src='/cf_scripts/scripts/ajax/resources/cf/images/loading.gif'/>"; _cf_contextpath=""; _cf_ajaxscriptsrc="/cf_scripts/scripts/ajax"; _cf_jsonprefix='//'; _cf_websocket_port=0; _cf_flash_policy_port=0; /* ]]> */</script><script type="text/javascript" src="/cf_scripts/scripts/ajax/messages/cfmessage.js"></script> <script type="text/javascript" src="/cf_scripts/scripts/ajax/package/cfajax.js"></script> <script type="text/javascript" src="/cf_scripts/scripts/cfform.js"></script> <script type="text/javascript" src="/cf_scripts/scripts/masks.js"></script> <script type="text/javascript" src="/cf_scripts/scripts/cfformhistory.js"></script> <title>ACMQ Site - ACM Queue</title>  <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-P52H78L');</script>  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut icon" href="favicon.ico" /> <link rel="stylesheet" type="text/css" media="all" href="/css/style.css" /> <link rel="stylesheet" type="text/css" media="print" href="/css/acmq_print-cachekey1777.css" /> <script type="text/javascript" src="/js/jquery-1.2.6.min.js"></script> <script type="text/javascript" src="/js/jquery.validate.min.js"></script> <script type="text/javascript" src="/js/global.js"></script>  <link rel="alternate" type="application/rss+xml" title="All Queue Content RSS 2.0" href="/rss/feeds/queuecontent.xml" /> <link rel="alternate" type="application/rss+xml" title="Curmudgeon RSS 2.0" href="/rss/feeds/curmudgeon.xml" /> <link rel="alternate" type="application/rss+xml" title="Opinion RSS 2.0" href="/rss/feeds/opinion.xml" /> <link rel="alternate" type="application/rss+xml" title="Kode Vicious RSS 2.0" href="/rss/feeds/kodevicious.xml" /> <link rel="alternate" type="application/rss+xml" title="ACM TechNews RSS" href="https://www.infoinc.com/acm/TechNews.rss" /> <link rel="alternate" type="application/rss+xml" title="Washington Updates RSS" href="https://usacm.acm.org/weblog2/?feed=rss2" /> <link rel="alternate" type="application/rss+xml" title="RISKS Forum RSS" href="/rss/feeds/risksforum.xml" /> <link rel="alternate" type="application/rss+xml" title="AI RSS 2.0" href="/rss/feeds/ai.xml" /> <link rel="alternate" type="application/rss+xml" title="API Design RSS 2.0" href="/rss/feeds/apidesign.xml" /> <link rel="alternate" type="application/rss+xml" title="Bioscience RSS 2.0" href="/rss/feeds/bioscience.xml" /> <link rel="alternate" type="application/rss+xml" title="Blockchain RSS 2.0" href="/rss/feeds/blockchain.xml" /> <link rel="alternate" type="application/rss+xml" title="Business/Management RSS 2.0" href="/rss/feeds/business/management.xml" /> <link rel="alternate" type="application/rss+xml" title="Compliance RSS 2.0" href="/rss/feeds/compliance.xml" /> <link rel="alternate" type="application/rss+xml" title="Component Technologies RSS 2.0" href="/rss/feeds/componenttechnologies.xml" /> <link rel="alternate" type="application/rss+xml" title="Computer Architecture RSS 2.0" href="/rss/feeds/computerarchitecture.xml" /> <link rel="alternate" type="application/rss+xml" title="Concurrency RSS 2.0" href="/rss/feeds/concurrency.xml" /> <link rel="alternate" type="application/rss+xml" title="Cryptocurrency RSS 2.0" href="/rss/feeds/cryptocurrency.xml" /> <link rel="alternate" type="application/rss+xml" title="DSPs RSS 2.0" href="/rss/feeds/dsps.xml" /> <link rel="alternate" type="application/rss+xml" title="Data RSS 2.0" href="/rss/feeds/data.xml" /> <link rel="alternate" type="application/rss+xml" title="Databases RSS 2.0" href="/rss/feeds/databases.xml" /> <link rel="alternate" type="application/rss+xml" title="Debugging RSS 2.0" href="/rss/feeds/debugging.xml" /> <link rel="alternate" type="application/rss+xml" title="Development RSS 2.0" href="/rss/feeds/development.xml" /> <link rel="alternate" type="application/rss+xml" title="Distributed Computing RSS 2.0" href="/rss/feeds/distributedcomputing.xml" /> <link rel="alternate" type="application/rss+xml" title="Distributed Development RSS 2.0" href="/rss/feeds/distributeddevelopment.xml" /> <link rel="alternate" type="application/rss+xml" title="Education RSS 2.0" href="/rss/feeds/education.xml" /> <link rel="alternate" type="application/rss+xml" title="Email and IM RSS 2.0" href="/rss/feeds/emailandim.xml" /> <link rel="alternate" type="application/rss+xml" title="Embedded Systems RSS 2.0" href="/rss/feeds/embeddedsystems.xml" /> <link rel="alternate" type="application/rss+xml" title="Failure and Recovery RSS 2.0" href="/rss/feeds/failureandrecovery.xml" /> <link rel="alternate" type="application/rss+xml" title="File Systems and Storage RSS 2.0" href="/rss/feeds/filesystemsandstorage.xml" /> <link rel="alternate" type="application/rss+xml" title="Game Development RSS 2.0" href="/rss/feeds/gamedevelopment.xml" /> <link rel="alternate" type="application/rss+xml" title="Graphics RSS 2.0" href="/rss/feeds/graphics.xml" /> <link rel="alternate" type="application/rss+xml" title="HCI RSS 2.0" href="/rss/feeds/hci.xml" /> <link rel="alternate" type="application/rss+xml" title="Managing Megaservices RSS 2.0" href="/rss/feeds/managingmegaservices.xml" /> <link rel="alternate" type="application/rss+xml" title="Mobile Computing RSS 2.0" href="/rss/feeds/mobilecomputing.xml" /> <link rel="alternate" type="application/rss+xml" title="Networks RSS 2.0" href="/rss/feeds/networks.xml" /> <link rel="alternate" type="application/rss+xml" title="Object-Relational Mapping RSS 2.0" href="/rss/feeds/object-relationalmapping.xml" /> <link rel="alternate" type="application/rss+xml" title="Open Source RSS 2.0" href="/rss/feeds/opensource.xml" /> <link rel="alternate" type="application/rss+xml" title="Patching and Deployment RSS 2.0" href="/rss/feeds/patchinganddeployment.xml" /> <link rel="alternate" type="application/rss+xml" title="Performance RSS 2.0" href="/rss/feeds/performance.xml" /> <link rel="alternate" type="application/rss+xml" title="Power Management RSS 2.0" href="/rss/feeds/powermanagement.xml" /> <link rel="alternate" type="application/rss+xml" title="Privacy and Rights RSS 2.0" href="/rss/feeds/privacyandrights.xml" /> <link rel="alternate" type="application/rss+xml" title="Processors RSS 2.0" href="/rss/feeds/processors.xml" /> <link rel="alternate" type="application/rss+xml" title="Programming Languages RSS 2.0" href="/rss/feeds/programminglanguages.xml" /> <link rel="alternate" type="application/rss+xml" title="Purpose-built Systems RSS 2.0" href="/rss/feeds/purpose-builtsystems.xml" /> <link rel="alternate" type="application/rss+xml" title="Quality Assurance RSS 2.0" href="/rss/feeds/qualityassurance.xml" /> <link rel="alternate" type="application/rss+xml" title="RFID RSS 2.0" href="/rss/feeds/rfid.xml" /> <link rel="alternate" type="application/rss+xml" title="SIP RSS 2.0" href="/rss/feeds/sip.xml" /> <link rel="alternate" type="application/rss+xml" title="Search Engines RSS 2.0" href="/rss/feeds/searchengines.xml" /> <link rel="alternate" type="application/rss+xml" title="Security RSS 2.0" href="/rss/feeds/security.xml" /> <link rel="alternate" type="application/rss+xml" title="Semi-structured Data RSS 2.0" href="/rss/feeds/semi-structureddata.xml" /> <link rel="alternate" type="application/rss+xml" title="Social Computing RSS 2.0" href="/rss/feeds/socialcomputing.xml" /> <link rel="alternate" type="application/rss+xml" title="System Administration RSS 2.0" href="/rss/feeds/systemadministration.xml" /> <link rel="alternate" type="application/rss+xml" title="System Evolution RSS 2.0" href="/rss/feeds/systemevolution.xml" /> <link rel="alternate" type="application/rss+xml" title="Testing RSS 2.0" href="/rss/feeds/testing.xml" /> <link rel="alternate" type="application/rss+xml" title="Virtual Machines RSS 2.0" href="/rss/feeds/virtualmachines.xml" /> <link rel="alternate" type="application/rss+xml" title="Virtualization RSS 2.0" href="/rss/feeds/virtualization.xml" /> <link rel="alternate" type="application/rss+xml" title="Visualization RSS 2.0" href="/rss/feeds/visualization.xml" /> <link rel="alternate" type="application/rss+xml" title="VoIP RSS 2.0" href="/rss/feeds/voip.xml" /> <link rel="alternate" type="application/rss+xml" title="Web Development RSS 2.0" href="/rss/feeds/webdevelopment.xml" /> <link rel="alternate" type="application/rss+xml" title="Web Security RSS 2.0" href="/rss/feeds/websecurity.xml" /> <link rel="alternate" type="application/rss+xml" title="Web Services RSS 2.0" href="/rss/feeds/webservices.xml" /> <link rel="alternate" type="application/rss+xml" title="Workflow Systems RSS 2.0" href="/rss/feeds/workflowsystems.xml" /> <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-6562869-1']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'stats.g.doubleclick.net/dc.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> <script type="text/javascript"> function plusone_vote( obj ) { _gaq.push(['_trackEvent','plusone',obj.state]); } </script> <script type="text/javascript">/* <![CDATA[ */ ColdFusion.Ajax.importTag('CFFORM'); /* ]]> */</script> <script type="text/javascript">/* <![CDATA[ */ if (window.ColdFusion) ColdFusion.required['add_email']=true; /* ]]> */</script> <script type="text/javascript">  </script> </head> <body id="home" class="acmq-root"> <div id="wrapperhp"> <div id="header"> <a href="index.cfm"><img src=/img/acmqueue_logo.gif /></a> <a href="whyjoinacm.cfm"><img src='/img/logo_acm.gif' border='0' style='clear:both;' /></a> <div id="message-wrap" style='right:32em;'> <a href='http://www.acm.org/joinacm2?ref=queue' target='_new'>A Special Offer to Join ACM</a> - <a href="whyjoinacm.cfm">Why Join ACM?</a> </div> <div id="search-wrap"> <input type="text" class="st-default-search-input"> <script type="text/javascript"> (function(w,d,t,u,n,s,e){w['SwiftypeObject']=n;w[n]=w[n]||function(){ (w[n].q=w[n].q||[]).push(arguments);};s=d.createElement(t); e=d.getElementsByTagName(t)[0];s.async=1;s.src=u;e.parentNode.insertBefore(s,e); })(window,document,'script','//s.swiftypecdn.com/install/v2/st.js','_st'); _st('install','UyYECD1kdsPnbHJtPyzG','2.0.0'); </script> </div> <div id="wrap-nav" style='margin-top:1px;border:0px;'> <ul id="nav-primary" style='margin-left:45px; top:40px; width:640px;'> <li id="nav-home" style='width:25%;'> <a href="index.cfm" style='width:150px'>Home</a> </li> <li id="nav-audiocasts" style='width:25%;'> <a href="issuedetail.cfm?issue=3727151" style='width:150px'>Current Issue</a> </li> <li id="nav-videos" style='width:25%;'> <a href="pastissues.cfm" style='width:150px'>Past Issues</a> </li> <li id="nav-blogs" style='width:25%;'> <a href="topics.cfm" style='width:150px'>Topics</a> </li> </ul> </div> </div> <div id="nav-secondary" style='margin-top:-20px;'> <div id="sitenav"> <ul style='font-size:0.9em;'> <li><a href="/editorialboard.cfm">Queue Editorial Board</a></li>  <li> </li> <li><a href="https://dl.acm.org/magazine/queue">Queue Archive sort articles by author, topic, and popularity</a></li> <li> </li> <li><a href="/rssfeeds.cfm">RSS Feeds</a></li> <li> </li> <li><a href="/blogs.cfm">Blogs</a></li> </ul> </div> <div id="layoutsu" style=""> <div id="cf_layoutarea170573459803651218" style="overflow:auto;"> <div id="emailsignup" class="promo divider"> <h5> Sign up for QueueNews </h5> Our free ~monthly newsletter showcases all of ACM Queue's latest articles and columns. <form id="form-emailsignup" action="newssignup.cfm" method="post" target="_blank" onsubmit="return ColdFusion.Ajax.checkForm(this, _CF_checkCFForm_1,'cf_layoutarea170573459803651218')"> <fieldset> Your Email: <input name="add_email" type="text" class="text" id="add_email" /> <input class="text" id="list_name" name="list_name" type="hidden" value="QUEUENEWS" /> <button type="submit" value="Sign Up"> Sign Up </button> </fieldset> <input type='text' style='display:none' /></form> </div> </div> </div> <div>  <div id="secondary"> <div class="section"> <div class="promo divider" style='z-index:'>  <div class="promo divider"> <h4>acmqueue app</h4> <a href="/app/"> <img src="/app/2025_01-02_lrg.png" width=160 height=214 border="0" alt="Volume 23, Issue 1 issue of acmqueue magazine"> </a> <a href="/app/"> Volume 23, Issue 1 issue of acmqueue in app stores now </a> </div>  <hr /> <h4>Join ACM</h4> <hr />  <a href="https://campus.acm.org/public/qj/keep_inventing/qjprofm_control.cfm?promo=DA4AQA"> <img src="/ads/160x600_B.gif" border="0" width="159" height="600" alt="ACM Keep Inventing"> </a>  </div> </div> </div>  </div> </div> <div> <div id="primary">  <div id="currentissue" style='margin-top:0px;padding-top:10px;'> <div class="excerpt2"> <div class="excerpt3"> <div class="block"> <div class="block"> <h1><a href='/issuedetail.cfm?issue=3727151'>Volume 23, Issue 1</a></h1> <a href='https://queue.acm.org/detail.cfm?id=3723000'>The Surprise of Multiple Dependency Graphs</a>   Josie Anugerah, Eve Martin-Jones Dependency resolution is not deterministic. It seems like it should be easy to avoid installing vulnerable open source software, but dependency graphs are surprisingly complex. At the time of writing, the latest version of the popular npm tool webpack has millions of potential dependency graphs depending on circumstances during its resolution. The exact graph chosen for a given package can depend on what other software is being built, what kind of system is building it, and even the state of the ecosystem on a given day. As a result, the developer and user of a package may end up with very different dependency graphs, which can lead to unexpected vulnerabilities. <a href='https://queue.acm.org/listing.cfm?item_topic=Open%20Source&qc_type=theme_list&filter=Open%20Source&page_title=Open%20Source&order=desc'>Open source</a> <a href='https://queue.acm.org/detail.cfm?id=3722542'>Fifty Years of Open Source Software Supply Chain Security</a>   Russ Cox For decades, software reuse was only a lofty goal. Now it's very real. The xz attack seems to be the first major attack on the open source software supply chain. The event-stream attack was similar but not major, and Heartbleed and Log4j were vulnerabilities, not attacks. But the xz attack was discovered essentially by accident because it made sshd just a bit too slow at startup. Attacks, by their nature, try to remain hidden. What are the chances we would accidentally discover the very first major attack on the open source software supply chain in just a few weeks? Perhaps we were extremely lucky, or perhaps we have missed others. <a href='https://queue.acm.org/listing.cfm?item_topic=Open%20Source&qc_type=theme_list&filter=Open%20Source&page_title=Open%20Source&order=desc'>Open source</a> <a href='https://queue.acm.org/detail.cfm?id=3723152'>String Matching at Scale</a>   Dennis Roellke A call for interdisciplinary collaboration and better-directed resources String matching can't be that difficult. But what are we matching on? What is the intrinsic identity of a software component? Does it change when developers copy and paste the source code instead of fetching it from a package manager? Is every package-manager request fetching the same artifact from the same upstream repository mirror? Can we trust that the source code published along with the artifact is indeed what's built into the release executable? Is the tool chain kosher? <a href='https://queue.acm.org/listing.cfm?item_topic=Development&qc_type=theme_list&filter=Development&page_title=Development&order=desc'>Development</a> <a href='https://queue.acm.org/detail.cfm?id=3722043'>How to Evaluate AI that's Smarter than Us</a>   Chip Huyen Exploring three strategies: functional correctness, AI-as-a-judge, and comparative evaluation Evaluating AI models that surpass human expertise in the task at hand presents unique challenges. These challenges only grow as AI becomes more intelligent. However, the three effective strategies presented in this article exist to address these hurdles. The strategies are: Functional correctness ? evaluating AI by how well it accomplishes its intended tasks; AI-as-a-judge: using AI instead of human experts to evaluate AI outputs; and Comparative evaluation: evaluating AI systems in relationship with each other instead of independently. <a href='https://queue.acm.org/listing.cfm?item_topic=AI&qc_type=theme_list&filter=AI&page_title=AI&order=desc'>AI</a>, Kode Vicious <a href="/detail.cfm?id=3722545">Analyzing Krazy Kode</a> Accounting for the emotional state of the person who wrote that code There actually are about six or seven emotions, or so I'm told. But the one state you should really try to avoid is confusion, which isn't actually an emotion but instead a state of mind. Code created by a confused mind shows itself in the randomness of naming, which is not handled by modern, fascist, programming languages like Go. Sure, you may have your names in the proper case and your spaces in the proper place, but you can still name a function PublicThingTwo() if you want to, and this is a sure sign of trouble. <a href='https://queue.acm.org/listing.cfm?item_topic=Business/Management&qc_type=theme_list&filter=Business/Management&page_title=Business/Management&order=desc'>Business/Management</a>, <a href='https://queue.acm.org/listing.cfm?typefilter=Kodevicious&sort=publication_date&order=desc&qc_type=Kodevicious&article_type=&item_topic=all&filter_type=topic&page_title=Kode%20Vicious&filter=all'>Kode Vicious</a>   <h1><a href='/issuedetail.cfm?issue=3714453'>Volume 22, Issue 6</a></h1> The Soft Side of Software <a href="/detail.cfm?id=3711676">My Career-limiting Communication</a>   Kate Matsudaira Be thoughtful about your content. You've got a lot riding on it. Whether in email, documents, or slides, use punchy visuals to make content easier to digest with your most important points clearly highlighted. Make sure that data, charts, and photos are unambiguously labeled, with any caveats noted. In general, steer away from pie charts, averages, and percentages. That's because, as popular as these devices might be, they often manage to tell only part of the story and miss opportunities to highlight the relative size of datasets, outliers, or trends over time. <a href='https://queue.acm.org/listing.cfm?item_topic=Business/Management&qc_type=theme_list&filter=Business/Management&page_title=Business/Management&order=desc'>Business/Management</a>, <a href='https://queue.acm.org/listing.cfm?typefilter=Thesoftsideofsoftware&sort=publication_date&order=desc&qc_type=Thesoftsideofsoftware&article_type=&item_topic=all&filter_type=topic&page_title=The%20Soft%20Side%20of%20Software&filter=all'>The Soft Side of Software</a> <a href='https://queue.acm.org/detail.cfm?id=3712057'>Systems Correctness Practices at AWS</a>   Marc Brooker, Ankush Desai Leveraging Formal and Semi-formal Methods Building reliable and secure software requires a range of approaches to reason about systems correctness. Alongside industry-standard testing methods (such as unit and integration testing), AWS has adopted model checking, fuzzing, property-based testing, fault-injection testing, deterministic simulation, event-based simulation, and runtime validation of execution traces. Formal methods have been an important part of the development process—perhaps most importantly, formal specifications as test oracles that provide the correct answers for many of AWS's testing practices. <a href='https://queue.acm.org/listing.cfm?item_topic=Concurrency&qc_type=theme_list&filter=Concurrency&page_title=Concurrency&order=desc'>Concurrency</a> <a href='https://queue.acm.org/detail.cfm?id=3712258'>Intermediate Representations for the Datacenter Computer</a>   Achilles Benetopoulos Lowering the Burden of Robust and Performant Distributed Systems In-memory application data size is outstripping the capacity of individual machines, necessitating its partitioning over clusters of them; online services have high availability requirements, which can be met only by deploying systems as collections of multiple redundant components; high durability requirements can be satisfied only through data replication, sometimes across vast geographical distances. <a href='https://queue.acm.org/listing.cfm?item_topic=Data&qc_type=theme_list&filter=Data&page_title=Data&order=desc'>Data</a>, <a href='https://queue.acm.org/listing.cfm?item_topic=Distributed%20Computing&qc_type=theme_list&filter=Distributed%20Computing&page_title=Distributed%20Computing&order=desc'>Distributed Computing</a> <a href='https://queue.acm.org/detail.cfm?id=3711677'>Simulation: An Underutilized Tool in Distributed Systems</a>   David R. Morrison Not easy but not impossible, and worth it for the insights it can provide Simulation has a huge role to play in the advent of AI systems: We need an efficient, fast, and cost-effective way to train AI agents to operate in our infrastructure, and simulation absolutely provides that capability. <a href='https://queue.acm.org/listing.cfm?item_topic=AI&qc_type=theme_list&filter=AI&page_title=AI&order=desc'>AI</a>, <a href='https://queue.acm.org/listing.cfm?item_topic=Distributed%20Computing&qc_type=theme_list&filter=Distributed%20Computing&page_title=Distributed%20Computing&order=desc'>Distributed Computing</a> Operations and Life <a href='https://queue.acm.org/detail.cfm?id=3711674'>Give Engineers Problems, Not Solutions</a>   Thomas A. Limoncelli A simple strategy to improve solutions and boost morale This technique is about providing the "why" instead of the "how." Instead of dictating specific solutions, present the problem and desired outcome, and let your team figure out how to solve it. This fosters creativity, shared ownership, and collaborative problem-solving. It also empowers the team to strive for the best solution. <a href='https://queue.acm.org/listing.cfm?item_topic=Business/Management&qc_type=theme_list&filter=Business/Management&page_title=Business/Management&order=desc'>Management</a>, <a href='https://queue.acm.org/listing.cfm?qc_type=operationsandlife&page_title=Operations%20and%20Life'>Operations and Life</a> Kode Vicious <a href='https://queue.acm.org/detail.cfm?id=3711675'>The Drunken Plagiarists</a> Working with Co-pilots The trick of an LLM is to use a little randomness and a lot of text to guess the next word in a sentence. Seems kind of trivial, really, and certainly not a measure of intelligence that anyone who understands the term might use. But it's a clever trick and does have some applications. <a href='https://queue.acm.org/listing.cfm?item_topic=AI&qc_type=theme_list&filter=AI&page_title=AI&order=desc'>AI</a>, <a href='https://queue.acm.org/listing.cfm?typefilter=Kodevicious&sort=publication_date&order=desc&qc_type=Kodevicious&article_type=&item_topic=all&filter_type=topic&page_title=Kode%20Vicious&filter=all'>Kode Vicious</a> Drill Bits <a href='https://queue.acm.org/detail.cfm?id=3711673'>Retrofitting: Principles and Practice</a>   Terence Kelly with Special Guest Borer Ziheng (Aaron) Su Retrofitting radically new functionality onto production software tests every skill of the programmers craft. A practical case study illuminates principles for bolting new tricks onto old dogs. <a href='https://queue.acm.org/listing.cfm?item_topic=Code&qc_type=theme_list&filter=Code&page_title=Code&order=desc'>Code</a>, <a href='https://queue.acm.org/listing.cfm?item_topic=Development&qc_type=theme_list&filter=Development&page_title=Development&order=desc'>Development</a>, <a href='https://queue.acm.org/listing.cfm?typefilter=Drillbits&sort=publication_date&order=desc&qc_type=Drillbits&article_type=&item_topic=all&filter_type=topic&page_title=Drill%20Bits&filter=all'>Drill Bits</a> <a href='https://queue.acm.org/detail.cfm?id=3711679'>The Price of Intelligence</a>   Mark Russinovich, Ahmed Salem, Santiago Zanella-Béguelin, Yonatan Zunger Three risks inherent in LLMs The vulnerability of LLMs to hallucination, prompt injection, and jailbreaks poses a significant but surmountable challenge to their widespread adoption and responsible use. We have argued that these problems are inherent, certainly in the present generation of models and likely in LLMs per se, and so our approach can never be based on eliminating them; rather, we should apply strategies of "defense in depth" to mitigate them, and when building and using these systems, do so on the assumption that they will sometimes fail in these directions. <a href='https://queue.acm.org/listing.cfm?item_topic=AI&qc_type=theme_list&filter=AI&page_title=AI&order=desc'>AI</a>   <h1><a href='/issuedetail.cfm?issue=3705868'>Volume 22, Issue 5</a></h1> <h2>Special Issue on Accessibility</h2> <a href='https://queue.acm.org/detail.cfm?id=3704441'>It's Time to Make Software Accessible</a>   Stacy M. Branham, Shahtab Wahid Here's how, from OS to organization The articles that constitute this special issue on accessibility show that, regardless of whether you work on the back end, front end, design, or are part of an organization's leadership, there are steps you can take to make progress. Before we get to writing software and making policy, however, there is an even more fundamental concern: the widespread misconception of the nature of disability and assistive and accessible technology. If we are going to change the status quo, we must start there. <a href='https://queue.acm.org/listing.cfm?item_topic=HCI&qc_type=theme_list&filter=HCI&page_title=HCI&order=desc'>HCI</a> <a href='https://queue.acm.org/detail.cfm?id=3704442'>The State of Digital Accessibility</a>   Stacy M. Branham, Shahtab Wahid, Sheri Byrne-Haber,   Jamal Mazrui, Carlos Muncharaz, Carl Myhill If you are new to digital accessibility, and even if you are not, it can be difficult to stay abreast of the big picture, and the tech industry moves fast. So, we asked a team of experts to bring us up to speed. Not only do they have day jobs that involve digital accessibility, but they also have lived experience of disability. We posed the following questions to them: What's the state of accessibility? Key challenges? Why do we need accessible software? How can we make the case for accessibility? Who's leading the way? Where do we go from here? <a href='https://queue.acm.org/listing.cfm?item_topic=HCI&qc_type=theme_list&filter=HCI&page_title=HCI&order=desc'>HCI</a> <a href='https://queue.acm.org/detail.cfm?id=3704627'>System-class Accessibility</a>   Chris Fleizach, Jeffrey P. Bigham The architectural support for making a whole system usable by people with disabilities This article illustrates system-class accessibility with our work enabling iPhones to be used nonvisually using the VoiceOver screen reader. We reimagined touchscreen input for nonvisual use, introducing new gestures suitable for control of a screen reader, and for output we added support for synthesized speech and refreshable braille displays (hardware devices that output tactile braille characters). We added new accessibility APIs that applications could adopt and made our user interface frameworks include them by default. Finally, we added an accessibility service to bridge between these new inputs and outputs and the applications. Because we implemented support for VoiceOver at the system level, future accessibility features that we have released since have directly leveraged this work to provide a consistent user experience. <a href='https://queue.acm.org/listing.cfm?item_topic=HCI&qc_type=theme_list&filter=HCI&page_title=HCI&order=desc'>HCI</a> <a href='https://queue.acm.org/detail.cfm?id=3704628'>Accessibility Considerations for Mobile Applications</a>   Juanami Spencer How the Bloomberg Connects app supports accessibility in the product and process Considering accessibility is essential when creating mobile applications to ensure they are usable and enjoyable for as broad an audience as possible. Mobile accessibility has unique considerations compared with desktop experiences, but it provides immense value to those users who rely on mobile devices in their day-to-day activities. By keeping these considerations in mind, mobile product development teams can better support and enhance the lives of all users. This article explores some of the key accessibility considerations for a mobile application and highlights a few ways the Bloomberg Connects app supports accessibility in both the product and process. <a href='https://queue.acm.org/listing.cfm?item_topic=HCI&qc_type=theme_list&filter=HCI&page_title=HCI&order=desc'>HCI</a> <a href='https://queue.acm.org/detail.cfm?id=3704443'>Design Systems Are Accessibility Delivery Vehicles</a>   Shahtab Wahid Making accessibility support for applications scalable, productive, and consistent Design systems are infrastructure built for consumers—the designers and developers—working on applications. A successful one allows consumers in an organization to quickly scale design and development across applications, increase productivity, and establish consistency. Many consumers, however, are not prepared to build for accessibility. Couldn't an organization make building accessibility support for applications scalable, productive, and consistent? This article explores how a design system becomes an important vehicle to supporting accessibility. <a href='https://queue.acm.org/listing.cfm?item_topic=HCI&qc_type=theme_list&filter=HCI&page_title=HCI&order=desc'>HCI</a> <a href='https://queue.acm.org/detail.cfm?id=3704638'>Driving Organizational Accessibility</a>   Vinnie Donati People often ask about the secret sauce behind Microsoft's approach to accessibility and inclusion. It's simple: We run it like a business. In this article we'll explore how Microsoft drives accessibility throughout its organization and we'll look closely at essential frameworks and practices that promote an inclusive culture. Through examining aspects like awareness building, strategic development, accessibility maturity modeling, and more, we aim to offer a guide for organizations starting their accessibility journey. The idea is to share what we've learned in the hope that you can take it, tweak it to fit your company's purpose, and nurture accessibility in a way that's not just a checkbox activity but genuinely integrated into your culture. <a href='https://queue.acm.org/listing.cfm?item_topic=HCI&qc_type=theme_list&filter=HCI&page_title=HCI&order=desc'>HCI</a> <hr style="border-bottom:1px solid #C0C2C4;" /> <a href='https://queue.acm.org/detail.cfm?id=3703128'>You Don't Know Jack About AI</a>   Sonja Johnson-Yu, Sanket Shah And ChatGPT probably doesn't either For a long time, it was hard to pin down what exactly AI was. A few years back, such discussions would devolve into hours-long sessions of sketching out Venn diagrams and trying to map out the different subfields of AI. Fast-forward to 2024, and we all now know exactly what AI is. AI = ChatGPT. Or not. <a href='https://queue.acm.org/listing.cfm?item_topic=AI&qc_type=theme_list&filter=AI&page_title=AI&order=desc'>AI</a> The Bikeshed <a href='https://queue.acm.org/detail.cfm?id=3703126'>Civics is Boring. So, Let's Encrypt Something!</a>   Poul-Henning Kamp IT professionals can either passively suffer political solutions or participate in the process to achieve something better. The proposal offered here ought to make everybody happy. Law enforcement will have ways to gain access to communications, provided they can convince a judge it's necessary. Important communications will be able to continue using the same strength of encryption they use today. Communications that didn't require encryption in the first place will be able to employ sufficient encryption to prevent trivial wiretapping, but nothing strong enough to prevent brute-force access should a judge decide that's necessary. <a href='https://queue.acm.org/listing.cfm?typefilter=Thebikeshed&sort=publication_date&order=desc&qc_type=Thebikeshed&article_type=&item_topic=all&filter_type=topic&page_title=The%20Bikeshed&filter=all'>The Bikeshed</a>, <a href='https://queue.acm.org/listing.cfm?item_topic=Security&qc_type=theme_list&filter=Security&page_title=Security&order=desc'>Security</a> Kode Vicious <a href='https://queue.acm.org/detail.cfm?id=3703127'>Building on Shaky Ground</a> We owe it to the world to make systems work safely and reliably. The CrowdStrike catastrophe happened because of architectural issues in hardware and in systems software. We should be building systems that make writing a virus difficult, not child's play. But that's an expensive proposition now. <a href='https://queue.acm.org/listing.cfm?typefilter=Kodevicious&sort=publication_date&order=desc&qc_type=Kodevicious&article_type=&item_topic=all&filter_type=topic&page_title=Kode%20Vicious&filter=all'>Kode Vicious</a>, <a href='https://queue.acm.org/listing.cfm?item_topic=Security&qc_type=theme_list&filter=Security&page_title=Security&order=desc'>Security</a>   <h1><a href='/issuedetail.cfm?issue=3695735'>Volume 22, Issue 4</a></h1> Case Study <a href="/detail.cfm?id=3688155">Program Merge: What's Deep Learning Got to Do with It?</a> A discussion with Shuvendu Lahiri, Alexey Svyatkovskiy, Christian Bird, Erik Meijer and Terry Coatta If you regularly work with open-source code or produce software for a large organization, you're already familiar with many of the challenges posed by collaborative programming at scale. Some of the most vexing of these tend to surface as a consequence of the many independent alterations inevitably made to code, which, unsurprisingly, can lead to updates that don't synchronize. Difficult merges are nothing new, of course, but the scale of the problem has gotten much worse. This is what led a group of researchers at MSR (Microsoft Research) to take on the task of complicated merges as a grand program-repair challenge, one they believed might be addressed at least in part by machine learning. <a href='https://queue.acm.org/listing.cfm?item_topic=AI&qc_type=theme_list&filter=AI&page_title=AI&order=desc'>AI</a>, <a href='https://queue.acm.org/casestudies.cfm'>Case Studies</a> Research for Practice <a href="/detail.cfm?id=3688088">Deterministic Record-and-Replay</a>   Peter Alvaro, Andrew Quinn Zeroing in only on the nondeterministic actions of the process This column describes three recent research advances related to deterministic record-and-replay, with the goal of showing both classical use cases and emerging use cases. A growing number of systems use a weaker form of deterministic record-and-replay. Essentially, these systems exploit the determinism that exists across many program executions but intentionally allow some nondeterminism for performance reasons. This trend is exemplified in GPUReplay in particular, but also in systems such as ShortCut and Dora. <a href='https://queue.acm.org/listing.cfm?item_topic=Debugging&qc_type=theme_list&filter=Debugging&page_title=Debugging&order=desc'>Debugging</a>, <a href='https://queue.acm.org/listing.cfm?sort=publication_date&order=desc&qc_type=Researchforpractice&page_title=Research%20for%20Practice'>Research for Practice</a> Bridging the Moat <a href="/detail.cfm?id=3688095">Test Accounts: A Hidden Risk</a> You may decide the risks are acceptable. But, if not, here are some rules for avoiding them. A test account that's shared among many can be used by anyone who happens to have the password. This leaves a trail of poorly managed or unmanaged accounts that only increases your attack surface. A test account could be a treasure trove of information, even revealing information about internal system details. If you really need to take this approach, give your developers their own test accounts and then educate them about the risks of misusing these accounts. Also, if you can periodically expire these accounts, all the better. <a href='https://queue.acm.org/listing.cfm?qc_type=Bridgingthemoat&page_title=Bridging%20the%20Moat'>Bridging the Moat</a>, <a href='https://queue.acm.org/listing.cfm?item_topic=Security&qc_type=theme_list&filter=Security&page_title=Security&order=desc'>Security</a> Kode Vicious <a href="/detail.cfm?id=3688154">Unwanted Surprises</a> When that joke of an API is on you There is the higher-order question of whether loosely typed languages with coercion are really a good idea in the first place. If you don't know what you're operating on, or what the expected output range might be, then maybe you ought not to be operating on that data in the first place. But now these languages have gotten into the wild and we'll never be able to hunt them down and kill them soon enough for my liking, or for the greater good. <a href='/listing.cfm?item_topic=Development&qc_type=theme_list&filter=Development&page_title=Development&order=desc'>Development</a>, <a href='https://queue.acm.org/listing.cfm?typefilter=Kodevicious&sort=publication_date&order=desc&qc_type=Kodevicious&article_type=&item_topic=all&filter_type=topic&page_title=Kode%20Vicious&filter=all'>Kode Vicious</a> <a href="/detail.cfm?id=3688007">GPTs and Hallucination</a>   Jim Waldo, Soline Boussard Why do large language models hallucinate? The findings in this experiment support the hypothesis that GPTs based on LLMs perform well on prompts that are more popular and have reached a general consensus yet struggle on controversial topics or topics with limited data. The variability in the applications's responses underscores that the models depend on the quantity and quality of their training data, paralleling the system of crowdsourcing that relies on diverse and credible contributions. Thus, while GPTs can serve as useful tools for many mundane tasks, their engagement with obscure and polarized topics should be interpreted with caution. LLMs' reliance on probabilistic models to produce statements about the world ties their accuracy closely to the breadth and quality of the data they're given. <a href='https://queue.acm.org/listing.cfm?item_topic=AI&qc_type=theme_list&filter=AI&page_title=AI&order=desc'>AI</a>, <a href='https://queue.acm.org/listing.cfm?item_topic=Privacy%20and%20Rights&qc_type=theme_list&filter=Privacy%20and%20Rights&page_title=Privacy%20and%20Rights&order=desc'>Privacy and Rights</a> <a href="/detail.cfm?id=3689949">Confidential Computing Proofs</a>   Mark Russinovich, Cédric Fournet, Greg Zaverucha, Josh Benaloh, Brandon Murdoch, Manuel Costa An alternative to cryptographic zero-knowledge Proofs are powerful tools for integrity and privacy, enabling the verifier to delegate a computation and still verify its correct execution, and enabling the prover to keep the details of the computation private. Both CCP and ZKP can achieve soundness and zero-knowledge but with important differences. CCP relies on hardware trust assumptions, which yield high performance and additional confidentiality protection for the prover but may be unacceptable for some applications. CCP is also often easier to use, notably with existing code, whereas ZKP comes with a large prover overhead that may be unpractical for some applications. <a href='https://queue.acm.org/listing.cfm?item_topic=Privacy%20and%20Rights&qc_type=theme_list&filter=Privacy%20and%20Rights&page_title=Privacy%20and%20Rights&order=desc'>Privacy and Rights</a>, <a href='https://queue.acm.org/listing.cfm?item_topic=Security&qc_type=theme_list&filter=Security&page_title=Security&order=desc'>Security</a> <a href="/detail.cfm?id=3687999">Assessing IT Project Success: Perception vs. Reality</a>   João Varajão, António Trigo We would not be in the digital age if it were not for the recurrent success of IT projects. This study has significant implications for practice, research, and education by providing new insights into IT project success. It expands the body of knowledge on project management by reporting project success (and not exclusively project management success), grounded in several objective criteria such as deliverables usage by the client in the post-project stage, hiring of project-related support/maintenance services by the client, contracting of new projects by the client, and vendor recommendation by the client to potential clients. Researchers can find a set of criteria they can use when studying and reporting the success of IT projects, thus expanding the current perspective on evaluation and contributing to more accurate conclusions. For practitioners, this study provides a rich set of criteria that can be used for evaluating their projects, as well as strong evidence of the importance of considering not only project execution, but also post-project outcomes and impacts in the evaluation. <a href='https://queue.acm.org/listing.cfm?item_topic=Business/Management&qc_type=theme_list&filter=Business/Management&page_title=Business/Management&order=desc'>Business and Management</a>, <a href='https://queue.acm.org/listing.cfm?item_topic=Education&qc_type=theme_list&filter=Education&page_title=Education&order=desc'>Education</a> <a href="/detail.cfm?id=3690759">Questioning the Criteria for Evaluating Non-cryptographic Hash Functions</a>   Catherine Hayes, David Malone Maybe we need to think more about non-cryptographic hash functions. Although cryptographic and non-cryptographic hash functions are everywhere, there seems to be a gap in how they are designed. Lots of criteria exist for cryptographic hashes motivated by various security requirements, but on the non-cryptographic side there is a certain amount of folklore that, despite the long history of hash functions, has not been fully explored. While targeting a uniform distribution makes a lot of sense for real-world datasets, it can be a challenge when confronted by a dataset with particular patterns. <a href='/listing.cfm?item_topic=Development&qc_type=theme_list&filter=Development&page_title=Development&order=desc'>Development</a>     <h4><a href='https://queue.acm.org/pastissues.cfm'>Older Issues</a></h4> </div> </div> </div> </div>  </div>  </div>  </div> </div>  <div id="portal-footer"> <div id="footer"> <ul> <li style='color:white;'>Columns:</li> <li><a href="/listing.cfm?typefilter=Thebikeshed&sort=publication_date&order=desc&qc_type=Thebikeshed&article_type=&item_topic=all&filter_type=topic&page_title=The%20Bikeshed&filter=all">The Bikeshed</a></li> <li><a href="/listing.cfm?qc_type=Bridgingthemoat&page_title=Bridging%20the%20Moat">Bridging the Moat</a></li> <li><a href="/listing.cfm?typefilter=Committomemory&sort=publication_date&order=desc&qc_type=committomemory&article_type=&item_topic=all&filter_type=topic&page_title=Commit%20to%20Memory&filter=all">Commit to Memory</a></li> <li><a href="/listing.cfm?typefilter=Drillbits&sort=publication_date&order=desc&qc_type=Drillbits&article_type=&item_topic=all&filter_type=topic&page_title=Drill%20Bits&filter=all">Drill Bits</a></li> <li><a href="/listing.cfm?typefilter=Escapingthesingularity&sort=publication_date&order=desc&qc_type=Escapingthesingularity&article_type=&item_topic=all&filter_type=topic&page_title=Escaping%20the%20Singularity&filter=all">Escaping the Singularity</a></li> <li><a href="/listing.cfm?typefilter=Kodevicious&sort=publication_date&order=desc&qc_type=Kodevicious&article_type=&item_topic=all&filter_type=topic&page_title=Kode%20Vicious&filter=all">Kode Vicious</a></li> <li><a href="/listing.cfm?qc_type=operationsandlife&page_title=Operations%20and%20Life">Operations and Life</a></li> <li><a href="/listing.cfm?qc_type=Thesoftsideofsoftware&page_title=The%20Soft%20Side%20of%20Software">The Soft Side of Software</a></li> </ul> <ul> <li style='color:white;'>Discussions:</li> <li><a href="/listing.cfm?sort=publication_date&order=desc&qc_type=Researchforpractice&page_title=Research%20for%20Practice">Research for Practice</a></li> <li><a href="/listing.cfm?typefilter=ctoroundtable&sort=publication_date&order=desc&qc_type=ctoroundtable&article_type=&item_topic=all&filter_type=topic&page_title=CTO Roundtables&filter=all">CTO Roundtables</a></li> <li><a href="/casestudies.cfm">Case Studies</a></li> <li><a href="/listing.cfm?qc_type=interviews&page_title=Interviews">Interviews</a></li> </ul> <ul> <li style='color:white;'>Other ACM Links:</li> <li><a href="https://cacm.acm.org/">CACM</a></li> <li><a href="https://technews.acm.org">ACM TechNews</a></li> <li><a href="https://usacm.acm.org">Washington Updates</a></li> <li><a href="https://catless.ncl.ac.uk/Risks/">RISKS Forum</a></li> </ul> <ul> <li><a href="rssfeeds.cfm">RSS Feeds</a></li> <li><a target="_blank" href="https://twitter.com/ACMQueue">Twitter feed</a></li> </ul> <ul> <li><a href="listing.cfm">Articles</a> (Full Listing)</li> <li><a href="privacypolicy.cfm">Privacy Policy</a></li> <li><a href="contactus.cfm">Contact us</a></li> </ul> <ul> <li><a href="whatisqueue.cfm">About Queue</a></li> <li><a href="author_guidelines.cfm">Author Guidelines</a></li> <li><a href="editorialboard.cfm">Editorial Board</a></li> <li><a href="whyjoinacm.cfm">Join ACM</a></li> <li><a href="https://www.acm-media.org">Advertising</a></li> </ul> © ACM, Inc. All Rights Reserved. </div>  </div> </body> </html>