
> Still no email blast from Vercel alerting users, which is concerning.

On the one hand, I get that it's a Sunday, and the CEO can't just write a mass email without approval from legal or other comms teams.

But on the other hand... It's Sunday. Unless you're tuned-in to social media over the weekend, your main provider could be undergoing a meltdown while you are completely unaware. Many higher-up folks check company email over the weekend, but if they're traveling or relaxing, social media might be the furthest thing from their mind. It really bites that this is the only way to get critical information.


> On the one hand, I get that it's a Sunday, and the CEO can't just write a mass email without approval from legal or other comms teams

This is not how things work. In a crisis like this there is a war room with all stakeholders present. Doesn’t matter if it’s Sunday or 3am or Christmas.

And for this company specifically, Guillermo is not one to defer to comms or legal.


If he's not one to defer to comms or legal, maybe this one is so bad that he's acting differently than he normally would.

> the CEO can't just write a mass email without approval from legal or other comms teams.

They can be brought in to do their job on a Sunday for an event of this relevance. They can always take next Friday off or something.


Has anyone actually gotten an email from Vercel confirming their secrets were accessed? Right now we're all operating under the hope (?) that since we haven't (yet?) gotten an email, we're not completely hosed.

Hope-based security should not be a thing. Did you rotate your secrets? Did you audit your platform for weird access patterns? Don’t sit waiting for that vercel email.

Of course rotated. But we don't even know when the secrets were stolen vs we were told, so we're missing a ton of info needed to _fully_ triage.

> Did you rotate your secrets?

For most secrets they are under your control so, sure, go ahead and rotate them, allowing the old version to continue being used in parallel with the new version for 30 minutes or so.

For other secrets, rotation involves getting a new secret from some upstream provider and having some services (users of that secret) fail while the secret they have in cache expires.

For example, if your secret is a Stripe key; generating a new key should invalidate the old one (not too sure, I don't use Stripe), at which point the services with the cached secret will fail until the expiry.
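The overlap-window rotation described above, as an added example that is not code from the thread: a verifier that keeps the previous secret valid for a grace period (30 minutes by default) so in-flight callers don't fail, and a zero-grace rotation for the case where the old secret is known to be stolen. Names and the HMAC-based token scheme are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class RotatingSecret:
    """Current secret plus the previous one, accepted only inside a grace window."""
    current: bytes
    previous: Optional[bytes] = None
    previous_expires_at: float = 0.0

    def rotate(self, new_secret: bytes, now: float, grace_seconds: int = 30 * 60) -> None:
        # Ordinary rotation: old secret keeps working for grace_seconds.
        # After a confirmed compromise call with grace_seconds=0 so the
        # stolen secret is rejected immediately.
        self.previous = self.current
        self.previous_expires_at = now + grace_seconds
        self.current = new_secret

    @staticmethod
    def _mac(secret: bytes, msg: bytes) -> str:
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def sign(self, msg: bytes) -> str:
        # Callers always sign with the current secret.
        return self._mac(self.current, msg)

    def verify(self, msg: bytes, sig: str, now: float) -> Optional[str]:
        """Return 'current', 'previous' (inside the grace window) or None."""
        if hmac.compare_digest(sig, self._mac(self.current, msg)):
            return "current"
        if self.previous is not None and now < self.previous_expires_at:
            if hmac.compare_digest(sig, self._mac(self.previous, msg)):
                return "previous"
        return None


def demo() -> list:
    """Walk through a normal rotation and an emergency rotation; returns the outcomes."""
    s = RotatingSecret(current=b"constructed-key-1")
    old_sig = s.sign(b"GET /orders")
    out = [s.verify(b"GET /orders", old_sig, now=1000.0)]   # 'current'
    s.rotate(b"constructed-key-2", now=1000.0)               # normal rotation
    out.append(s.verify(b"GET /orders", old_sig, now=1000.0 + 29 * 60))   # 'previous'
    out.append(s.verify(b"GET /orders", old_sig, now=1000.0 + 31 * 60))   # None
    leaked_sig = s.sign(b"GET /orders")
    s.rotate(b"constructed-key-3", now=3000.0, grace_seconds=0)  # compromise
    out.append(s.verify(b"GET /orders", leaked_sig, now=3000.0))  # None
    return out
```

The second rotation in `demo()` is the case the thread is about: once a secret is believed stolen, the grace window has to be zero, which is exactly what breaks cached consumers.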


nope...I feel u, the "Hope-based security" is exactly what Vercel is forcing on its users right now by prioritizing social media over direct notification.

If the attacker is moving with "surprising velocity," every hour of delay on an email blast is another hour the attacker has to use those potentially stolen secrets against downstream infrastructure. Using Twitter/X as a primary disclosure channel for a "sophisticated" breach is amateur hour. If legal is the bottleneck for a mass email during an active compromise, then your incident response plan is fundamentally broken.


> the CEO can't just write a mass email without approval from legal or other comms teams

Wouldn't the CEO be... you know... the chief executive?


Sure, and the reason he is is because he DOES check stuff like this before sending it out.

Top leaders excel because they assemble a team around them they trust. You can't do everything yourself, you need to delegate. And having people in those positions also means you shouldn't be acting alone, or those people will not stick around.


I disagree. In a crisis, a leader should take the lead and make decisions. If he/she is not able to do that on their own, they are in the wrong place.

Now I will agree that there are many executives like the ones you describe. But they are not top leaders.


So you’re telling me a CEO must also be a practicing lawyer? Because any other option is how you guarantee your company gets sued into oblivion.

First of all, I would expect a top leader to be prepared for scenarios like this (including templates of customer communication).

And yeah, I would expect a CEO to have enough legal knowledge to handle such a situation (customer communication) on his own.

But I also have to mention that I'm not in the US. Not every country has the litigation system of the US where you can basically destroy a company because you as the customer are too dumb to not spill hot coffee over yourself.


> you as the customer are too dumb to not spill hot coffee over yourself

Presuming you're referring to the hot coffee lawsuit, maybe read the details of the story. McDonald's wasn't at all blameless, and the plaintiff had reasonable demands.


You expect the CEO of a company to have the legal depth of knowledge AND knowledge of all their customers, contracts and SLAs to be able to wing a communication and not somehow trip over all of that? They also should understand every possible legal jurisdiction that could be affected? You realise even the head of their legal department (a HIGHLY competent lawyer) likely wouldn’t say they could do that without speaking to the key people in their team?

Should the CEO also bang out some dev estimates for the roadmap because, hey, they should be competent enough to do something like that. Why not submit the accounts for the year? How hard can it be, just reading a few lines off their Sage or Quickbooks accounts?


Let me be more clear on what I mean by “wing it,” because “having templates” doesn’t really cut it. Anyone can bang out a “we have a problem” template, so why does the CEO need to attach their name to it? Once you’re at the point of needing a CEO to communicate, you have a specific problem, with its own specific impacts that a single person can not be expected to have enough depth of knowledge in their brain to actually talk about without involving their domain experts, including legal, technical, whatever the situation needs.

> can not be expected to have enough depth of knowledge in their brain to actually talk about

What is the use of a CEO if not to have enough depth of knowledge about the different aspects of running a business?

Like what? Poor little CEO that doesn't understand anything about the world and how to run a company. Seems like helplessness is expected at every stage.


> What is the use of a CEO if not to have enough depth of knowledge about the different aspects of running a business?

Bit of a difference between “having depth of knowledge in their business” and “can speak off-the-cuff with the necessary accuracy to remain in compliance with every contract and legal jurisdiction their organisation is engaged in, without consulting the numerous domain experts they employ for just this purpose,” isn’t there.

Also, such a situation that requires the CEO’s direct attention has already gone FAR beyond your standard incidents where you can throw out a pre-written statement. Do you want your organisation just cuffing it from the top down? Are you Elon Musk in disguise?


What use is a CEO if they can't take the lead in times like this?

If they are unprepared frankly they suck as CEO and should be thrown out. If only competency was a requirement for these jobs...


"Take the lead" couldn't be more different from "act by themselves."

Take the lead, yes they should be able to as that's the job pretty much.

Act by themselves, sure they can make decisions in small cases. But on big things you hear everybody's input, weigh it, and only if needed, cast the deciding vote.


That’s not what I said though, is it?

I'm going down with the ship over on X.com the Everything App. There's a parcel of very important tech people that are running some playbook where posting to X.com is sufficient enough to be unimpeachable on communication, despite its rather beleaguered state and traffic.

Usually, companies have procedures for such events. But most do not.

Usually have procedures, but most don't? Say again

Yes, they say we have backup procedures, but have they ever tested that the backups work? They write procedures to please auditors :)

The disaster plan says there is a process, but it has never been used and is probably outdated. Chances are the social media strategy requires posting on the Facebook and updating key Circles on Google+

Such has been the case with many technological advancements. You can change the date on this to 1999 and complain that the Internet has accomplished this; suddenly everyone can get information on car repairs, recipes, and the like, without needing to do lots of research ahead of time or take a course, thus killing the need for a mechanic or a bakery.

Outside of software development, a lot of things that AI can do still require a human to understand and do it. I can't tell Claude to change my oil, or ChatGPT to bake me a cake. I can use them as tools to teach me what to do, same as the Internet, or TV programs, or books, or any other "invention."


Yeah, I was thinking about that, but with the Internet we still need to explore to get to the destination; with LLMs it wasn't so much.

Great piece. I thought the same of Cal's announcement; it basically boiled down to "we're willing to shift our entire business to a security-through-obscurity approach." It won't be long until systems are sophisticated enough that they can target an application over the course of a weekend, and try thousands of exploits across each possible endpoint you offer, to see what happens, regardless of whether or not your source code is public.

Anyone who's launched anything on the web -- anything at all -- and looked at the logs will see all sorts of endpoints being requested for /wp-admin/ or random WordPress plugins, even if their site has never, and will never, run WordPress. Imagine this at scale, with every possible attack method imaginable, blindly hitting everything on the web. That's where I think we're headed, and closed source won't fix that.


I was experiencing something similar over the weekend. Just happened to see this post. Lots of hours spent digging over the weekend!!!


I think it also helps them figure out which videos keep people on YouTube longer. If I scroll to a section of the page that has 6 videos, and I stare at them for 10 seconds, then scroll down, they'll know that one or two of those videos must have been somewhat interesting. But if I stare at 6 videos, then scroll away 2 seconds later, it knows that nothing in that batch was worthwhile.

The fewer videos they have in focus at a time, the more accurate their algorithms can be.


Advertisements have helped finance the web for decades. AI could be no different.

What type of advertisers would want to advertise next to an AI chat window? How often would ads show? Would the users still enjoy using the platform if you showed enough ads to offset the cost of running the service?

Lot of questions that all boil down to "it depends." None of the big players want to dilute their product with ads (yet). But I definitely think some will be willing.


I believe so too.

My own discussions with advertisers have revealed a growing interest around the concept of conversational-based targeting (see website) and advertising. But many are still skeptical and require additional CTR and ROI data, which is not possible since there's nothing like this on the market yet.

Ads shown would be dependent on the partner platform. For example, a platform like Cursor could deploy a simple agent dedicated to monitoring the conversation thread for ad invocation and display. This agent would be instructed to display only a limited number of them per conversation (e.g., 2 ads), based on a high-level summary + demographic information. The ad package returned would provide the text-ad itself, url link, and other necessary information. Finally, Cursor would showcase this ad within the chat tab itself, let's say after the LLM's response.

Also, after speaking with many users, it seems there's a willingness to make the tradeoff as long as ads are clearly separate from original LLM outputs, not overly targeted, infrequent, and accompanied by a clear reason for being shown. Also, only high-level contextual information + demographic data are shared. These requirements are definitely achievable.

Finally, pricing can only really be sorted if we have willing partners on both sides.

As of now, convincing advertisers and developers has proven to be difficult. It feels as if I'm speaking alien sometimes. I thank you for seeing the vision.


Good software can be art. And like all art, we have hit the stage in which code can also be cranked out en masse, thoughtlessly, for a quick buck. It was only inevitable.


The lack of domain re-verification seems important. The other things listed are the case for any social media platform, but they bear repeating.

I hope domain re-verification is fairly automatic once implemented. If I remove my Bluesky information from my DNS, it should be a safe assumption that the affiliated account will soon lose its username, maybe within a week or two. Same if I'm buying a domain; I wouldn't want lingering accounts for months or years after the fact. If it's a more manual process, that could be annoying, especially since you can also use subdomains -- someone could be "admin.example.com" and fly under the radar when selling example.com.


I find such thoughts exciting. In the future, children will be taught basic facts that, to us in the first half of the 21st century, are some of the most complicated questions of the universe.


I think knowledge about the universe will be mostly the same but streamlined. In our modern-day science we have a lot of concepts that exist only because of the path we took to get to where we are now.

Most of these interpretations will be cut out once better ways to proper understanding are found. I imagine electron shells, wave function collapse, pseudo-vectors, relativistic mass, xyz ... will go away quickly to be replaced with more suitable concepts previously (and still) held back by the necessity for humans to be able to do some math with pen and paper.


> electron shells

Not going away. It's based too directly on quantum mechanics principles, and the same tools are used in too many other problems with good results. If you talk to a hard core physicist, they may explain some minor corrections, but the simple model is 99% accurate and the corrections quite technical. Perhaps there is a better theory in the future, but it will be very weird, you really don't want to know it.

> wave function collapse

It's going away, but it may take 500 years. Nobody likes wave function collapse. There are people working to eliminate it, but we have no clue if it's hard, very hard or impossible. I think that a combination of the so-called-many-worlds-interpretation and something-something-decoherence will solve it in 50 years, or 100 years or 500 years. I'm optimistic, but it may take a while...

> pseudo-vectors

Solved? The problem is drawing normal vectors that are 1-forms and pseudo-vectors that are mostly 2-forms in the same space. Most pseudo-vectors are like a tiny surface area instead of a tiny arrow. But people love to draw all of them as arrows and that causes the problem. Also, in special relativity the electric field (vector) and magnetic field (pseudo-vector) are combined in a single weird entity that fixes the problem. There is still the problem with the weak force, but I think it's solved once you replace mass with the Higgs boson. So it's "solved" if you like to use a little more math and want to translate it to everyone else that likes arrows.

> relativistic mass

Solved. Most modern Special Relativity books try to avoid relativistic mass. The problem is that you need one number to accelerate to one side and a different number to accelerate to the front/rear. So it's better to skip it and use other equations. The usual "relativistic mass" is good for accelerations to one side to get circular movements, so it's nice for some problems.

> xyz

I have no idea what it means.


> electron shells

Has almost nothing to do with actual orbitals. "Filling electron shells", "octets" are just idiotic old rule of thumb ideas only accidentally aligning with reality.

> wave function collapse

I think it's going away pretty fast as we experimentally find quantum behaviors in increasingly macroscopic objects. At some point it will become clear that nothing collapses into particles and it's just that through interaction wavefunctions narrow down when they exchange some energy and momentum. But other interactions can spread them apart back again. We are gonna create a consistent description of the process in both directions.

> pseudo-vectors

They are still used, but they are gonna be replaced by bivectors as they are more natural.

> relativistic mass

True that it's partially solved, but we need a generation or two of people not mentioning it at all in educational context, or mentioning it negatively, for it to finally go away ... today it's still treated as a "useful educational metaphor", which it is not.

> xyz

Basically breaking down math calculations to coordinate-wise calculations.

People will stop doing that because most symbolic maths in education is going to be done with computers, and rarely will anyone be doing any element-wise transformations on anything.


> electron shells -> octets

It's a good rule of thumb for hand waving chemistry. It's not good enough to predict protein folding, but it's good enough to understand how amino acids connect. I don't expect it to disappear.

> wave function collapse

I disagree because I expect a different solution to the problem.

> pseudo-vectors -> bivectors

I agree. We only have to convince the other 7999999998 persons :) .

> relativistic mass

Another good rule of thumb, but I'm not sure for whom. These days nobody has to make a DIY synchrotron at home. It can probably go away, but it will resurface from time to time like a clever trick in a YouTube video.

> xyz

I like covariant equations, so I agree. Anyway, at work we sometimes use some non-covariant approximations, but we add a search to optimize the basis to get the best one where we can apply nasty coordinate tricks.

Anyway, I needed like 10 years to understand the difference between a matrix and a linear transformation. 20yo probably only can use coordinates until they grow up.


> how does bluesky solve the problem of building your castle in another man's kingdom?

Bluesky (the platform) doesn't, and they acknowledge that. It's centrally owned, and is prone to all of the risks that any other centralized platform offers.

> if I do something controversial or using regulatory arbitrage, I'm interested in how AT is useful for managing that risk.

AT is completely decentralized, like email.

If your account is @motohagiography.example.com, other AT instances will make a DNS query to example.com to see if that has an entry that the AT protocol recognizes. If so, it will make a connection to that instance, and gather your content for display.

However, if a particular instance sees a volume of unwanted accounts from example.com, they could blacklist that domain from interacting with their instance, so, even with this setup, you are at the mercy of the "big players" respecting you — just like if you try to send email to users using Gmail and Google decides you're suspect.

And, if you violate the laws of where you're located, law enforcement will handle that the same as they would if you violated the laws over HTTP or over email.
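The DNS lookup described above, and the periodic re-verification the earlier comment on domain handles asks for, as an added example that is not code from the thread or from the AT Protocol project. It uses the AT Protocol's DNS handle method (a TXT record at `_atproto.<handle>` whose value is `did=<did>`); the zone snapshot and the `did:plc:` values in it are constructed, and the lookup is a local table standing in for a real resolver.

```python
import re
from typing import Callable, List, Optional

# Accept the two DID methods AT Protocol handles resolve to.
DID_RE = re.compile(r"^did:(plc|web):[A-Za-z0-9._:%-]+$")

TxtLookup = Callable[[str], List[str]]


def resolve_handle_txt(handle: str, txt_lookup: TxtLookup) -> Optional[str]:
    """Return the DID the handle's _atproto TXT record points to, or None.

    Works for subdomain handles too: admin.example.com is checked at
    _atproto.admin.example.com, independently of example.com itself.
    """
    records = txt_lookup(f"_atproto.{handle.lower().rstrip('.')}")
    dids = []
    for rec in records:
        if rec.startswith("did="):
            did = rec[4:].strip()
            if DID_RE.match(did):
                dids.append(did)
    # Zero records means the owner removed the claim; more than one is
    # ambiguous. Both are treated as "not verified".
    return dids[0] if len(dids) == 1 else None


def reverify(account_did: str, handle: str, txt_lookup: TxtLookup) -> str:
    """Periodic check that a handle still belongs to the account that claimed it.

    Returns 'ok', 'revoke:no-record' (record removed or domain lapsed) or
    'revoke:did-mismatch' (domain now points at a different account, e.g. sold).
    """
    resolved = resolve_handle_txt(handle, txt_lookup)
    if resolved is None:
        return "revoke:no-record"
    if resolved != account_did:
        return "revoke:did-mismatch"
    return "ok"


# Constructed zone snapshot used in place of live DNS.
SAMPLE_TXT = {
    "_atproto.alice.example.com": ["did=did:plc:aaaa1111", "v=spf1 -all"],
    "_atproto.admin.example.com": ["did=did:plc:bbbb2222"],
    "_atproto.stale.example.com": [],
    "_atproto.sold.example.com": ["did=did:plc:cccc3333"],
    "_atproto.dup.example.com": ["did=did:plc:dddd4444", "did=did:plc:eeee5555"],
}


def sample_lookup(name: str) -> List[str]:
    return SAMPLE_TXT.get(name, [])
```

Running `reverify` on a schedule (and on every handle change) is what turns the one-time DNS check into the automatic username loss the earlier comment hopes for.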

