saint I eat words


When Regulation Encourages ISPs to Hack Their Customers

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Rad Security. You can hear a podcast discussion of this newsletter by searching



>KT, formerly Korea Telecom, has been accused of deliberately infecting 600,000 of its own customers with malware to reduce peer-to-peer file sharing traffic. This is a bizarre hack and a great case study of how government regulation has distorted the South Korean internet.

>South Korean media outlet JTBC reported last month that KT had infected customers who were using Korean cloud data storage services known as 'webhards' (web hard drives). The malware disabled the webhard software, resulted in files disappearing and sometimes caused computers to crash.

>JTBC news says the team involved "consisted of a 'malware development' section, a 'distribution and operation' section, and a 'wiretapping' section that looked at data sent and received by KT users in real time".

>The company claims that the people involved in the webhard hack were a small group operating independently. It's just an amazing coincidence that they just happened to invest so much time and effort into a caper that aligned so well with KT's financial interests!

>South Korea has a 'sender pays' model in which ISPs must pay for traffic they send to other ISPs, breaking the worldwide norm of 'settlement-free peering', voluntary arrangements whereby ISPs exchange traffic without cost.

>Once the sender pays rules were enforced, however, KT was left with large bills from its peer ISPs for the Facebook traffic sent from the cache in its network. KT tried to recoup costs from Facebook, but negotiations broke down and Facebook disabled the cache. South Korean users were instead routed over relatively expensive links to overseas caches with increased latency.

>These sender pays rules may also encourage peer-to-peer file sharing relative to more centralised pirate content operations.

>An unnamed sales manager from a webhard company told TorrentFreak torrent transfers saved them significant bandwidth costs, but as long as traffic flows between ISPs, someone will pay. KT is South Korea's largest broadband provider, so since it has more customers, peer-to-peer file sharing means that the company has to pay fees to its competitor ISPs.

>Either way, this is just a great example of where unusual regulation can produce unusual results.



Pluralistic: The reason you can't buy a car is the same reason that your health insurer let hackers dox you (28 Jun 2024)


  • Author: Cory Doctorow
  • Category: rss
  • URL:


>Equifax knew the breach was coming. It wasn't just that their top execs liquidated their stock in Equifax before the announcement of the breach – it was also that they ignored years of increasingly urgent warnings from IT staff about the problems with their server security.

>Just like with Equifax, the 737 Max disasters tipped Boeing into a string of increasingly grim catastrophes.

>Equifax isn't just a company: it's infrastructure.

>This witch-hunts-as-a-service morphed into an official part of the economy, the backbone of the credit industry, with a license to secretly destroy your life with haphazardly assembled "facts" about your life that you had the most minimal, grudging right to appeal (or even see).

>There's a direct line from that acquisition spree to the Equifax breach(es). First of all, companies like Equifax were early adopters of technology. They're a database company, so they were the crash-test dummies for every generation of database.

>There's a reason libraries, cities, insurance companies, and other giant institutions keep getting breached: they started accumulating tech debt before anyone else, so they've got more asbestos in the walls, more sagging joists, more foundation cracks and more termites.

>The reason to merge with your competitors is to create a monopoly position, and the value of a monopoly position is that it makes a company too big to fail, which makes it too big to jail, which makes it too big to care.

>The biggest difference was that Boeing once had a useful, high-quality product, whereas Equifax started off as an irredeemably terrible, if efficient, discrimination machine, and grew to become an equally terrible, but also ferociously incompetent, enterprise.

>Every corporate behemoth is locked in a race between the eventual discovery of its irreparable structural defects and its ability to become so enmeshed in our lives that we have to assume the costs of fixing those defects. It's a contest between "too rotten to stand" and "too big to care."

>Remember how we discovered this? Change was hacked, went down, ransomed, and no one could fill a scrip in America for more than a week, until they paid the hackers $22m in Bitcoin?

>Well, first Unitedhealthcare became the largest health insurer in America by buying all its competitors in a series of mergers that comatose antitrust regulators failed to block. Then it combined all those other companies' IT systems into a cosmic-scale dog's breakfast that barely ran. Then it bought Change and used its monopoly power to ensure that every Rx ran through Change's servers, which were part of that asbestos-filled, termite-infested, crack-foundationed, sag-joisted teardown. Then, it got hacked.

>Good luck with that. There's a company you've never heard of. It's called CDK Global. They provide "dealer management software." They are a monopolist. They got that way after being bought by a private equity fund called Brookfield. You can't complete a car purchase without their systems, and their systems have been hacked.

>What happens next is a near-certainty: CDK will pay a multimillion dollar ransom, and the hackers will reward them by breaching the personal details of everyone who's ever bought a car, and the slaves in Cambodian pig-butchering compounds will get a fresh supply of kompromat.

>But on the plus side, the need to pay these huge ransoms is key to ensuring liquidity in the cryptocurrency markets, because ransoms are now the only nondiscretionary liability that can only be settled in crypto


How We Built the Internet

A deep dive into the fundamentals of digital communication infrastructure



  • Author: Anna-Sofia Lesiv
  • Category: article
  • URL:


>The internet is a universe of its own.

>The infrastructure that makes this scale possible is similarly astounding—a massive, global web of physical hardware, consisting of more than 5 billion kilometers of fiber-optic cable, more than 574 active and planned submarine cables that span over 1 million kilometers in length, and a constellation of more than 5,400 satellites offering connectivity from low earth orbit (LEO).

>“The Internet is no longer tracking the population of humans and the level of human use. The growth of the Internet is no longer bounded by human population growth, nor the number of hours in the day when humans are awake,” writes Geoff Huston, chief scientist at the nonprofit Asia Pacific Network Information Center.

>As Shannon studied the structures of messages and language systems, he realized that there was a mathematical structure that underlay information. This meant that information could, in fact, be quantified.

>Shannon noted that all information traveling from a sender to a recipient must pass through a channel, whether that channel be a wire or the atmosphere.

>Shannon’s transformative insight was that every channel has a threshold—a maximum amount of information that can be delivered reliably to a sender.

>Kleinrock approached AT&T and asked if the company would be interested in implementing such a system. AT&T rejected his proposal—most demand was still in analog communications. Instead, they told him to use the regular phone lines to send his digital communications—but that made no economic sense.

>What was exceedingly clever about this suite of protocols was its generality. TCP and IP did not care which carrier technology transmitted its packets, whether it be copper wire, fiber-optic cable, or radio. And they imposed no constraints on what the bits could be formatted into—video text, simple messages, or even web pages formatted in a browser.

>David Clark, one of the architects of the original internet, wrote in 1978 that “we should … prepare for the day when there are more than 256 networks in the Internet.”

>Fiber was initially laid down by telecom companies offering high-quality cable television service to homes. The same lines would be used to provide internet access to these households. However, these service speeds were so fast that a whole new category of behavior became possible online. Information moved fast enough to make applications like video calling or video streaming a reality.

>And while it may have been the government and small research groups that kickstarted the birth of the internet, its evolution henceforth was dictated by market forces, including service providers that offered cheaper-than-ever communication channels and users that primarily wanted to use those channels for entertainment.

>In 2022, video streaming comprised nearly 58 percent of all Internet traffic. Netflix and YouTube alone accounted for 15 and 11 percent, respectively.

>At the time, Facebook users in Asia or Africa had a completely different experience to their counterparts in the U.S. Their connection to a Facebook server had to travel halfway around the world, while users in the U.S. or Canada could enjoy nearly instantaneous service. To combat this, larger companies like Google, Facebook, Netflix, and others began storing their content physically closer to users through CDNs, or “content delivery networks.”

>Instead of simply owning the CDNs that host your data, why not own the literal fiber cable that connects servers from the United States to the rest of the world?

>Most of the world’s submarine cable capacity is now either partially or entirely owned by a FAANG company—meaning Facebook (Meta), Amazon, Apple, Netflix, or Google (Alphabet).

>Google, which owns a number of sub-sea cables across the Atlantic and Pacific, can deliver hundreds of terabits per second through its infrastructure.

>In other words, these applications have become so popular that they have had to leave traditional internet infrastructure and operate their services within their own private networks. These networks not only handle the physical layer, but also create new transfer protocols —totally disconnected from IP or TCP. Data is transferred on their own private protocols, essentially creating digital fiefdoms.

>SpaceX’s Starlink is already unlocking a completely new way of providing service to millions. Its data packets, which travel to users via radio waves from low earth orbit, may soon be one of the fastest and most economical ways of delivering internet access to a majority of users on Earth. After all, the distance from LEO to the surface of the Earth is just a fraction of the length of subsea cables across the Atlantic and Pacific oceans.

What is next?

Incantations

The danger of using magic without understanding…




  • Author: Jos Visser
  • Category: rss
  • URL:


>The problem with incantations is that you don’t understand in what exact circumstances they work. Change the circumstances, and your incantations might work, might not work anymore, might do something else, or maybe worse, might do lots of damage. It is not safe to rely on incantations, you need to move to understanding.

How much are your 9's worth?

Making your 9’s look great by cheating.



  • Author: Ross Brodbeck
  • Category: rss
  • URL:


>All nines are not created equal. Most of the time I hear an extraordinarily high availability claim (anything above 99.9%) I immediately start thinking about how that number is calculated and wondering how realistic it is.

>Human beings are funny, though. It turns out we respond pretty well to simplicity and order.

>Having a single number to measure service health is a great way for humans to look at a table of historical availability and understand if service availability is getting better or worse. It’s also the best way to create accountability and measure behavior over time…

… as long as your measurement is reasonably accurate and not a vanity metric.

>Cheat #1 - Measure the narrowest path possible.

This is the easiest way to cheat a 9’s metric. Many nines numbers I have seen are various versions of this cheat code. How can we create a narrow measurement path?

>Cheat #2 - Lump everything into a single bucket.

Not all requests are created equal.

>Cheat #3 - Don’t measure latency.

This is an availability metric we’re talking about here, why would we care about how long things take, as long as they are successful?!

>Cheat #4 - Measure total volume, not minutes.

Let’s get a little controversial.

>In order to cheat the metric we want to choose the calculation that looks the best, since even though we might have been having a bad time for 3 hours (1 out of every 10 requests was failing), not every customer was impacted so it wouldn’t be “fair” to count that time against us.

>Building more specific models of customer paths is manual. It requires more manual effort and customization to build a model of customer behavior (read: engineering time). Sometimes we just don’t have people with the time or specialization to do this, or it will cost too much to maintain it in the future.

>We don’t have data on all of the customer scenarios. In this case we just can’t measure enough to be sure what our availability is.

>Sometimes we really don’t care (and neither do our customers). Some of the pages we build for our websites are… not very useful. Sometimes spending the time to measure (or fix) these scenarios just isn’t worth the effort. It’s important to focus on important scenarios for your customers and not waste engineering effort on things that aren’t very important (this is a very good way to create an ineffective availability effort at a company).

>Mental shortcuts matter. No matter how much education we try, it’s hard to change perceptions of executives, engineers, etc. Sometimes it is better to pick the abstraction that helps people understand than pick the most accurate one.

>Data volume and data quality are important to measurement. If we don’t have a good idea of which errors are “okay” and which are not, or we just don’t have that much traffic, some of these measurements become almost useless (what is the SLO of a website with 3 requests? does it matter?).

What is your way of cheating nines? ;)

J.G. Ballard: My Favorite Books

The renowned English writer reflects on the literature that shaped his imagination.



  • Author: The MIT Press Reader
  • Category: article
  • URL:


>In this respect I differed completely from my children, who began to read (I suspect) only after they had left their universities. Like many parents who brought up teenagers in the 1970s, it worried me that my children were more interested in going to pop concerts than in reading “Pride and Prejudice” or “The Brothers Karamazov” — how naive I must have been. But it seemed to me then that they were missing something vital to the growth of their imaginations, that radical reordering of the world that only the great novelists can achieve.

>I now see that I was completely wrong to worry, and that their sense of priorities was right — the heady, optimistic world of pop culture, which I had never experienced, was the important one for them to explore. Jane Austen and Dostoyevsky could wait until they had gained the maturity in their 20s and 30s to appreciate and understand these writers, far more meaningfully than I could have done at 16 or 17.


  • “The Day of the Locust,” Nathanael West
  • “Collected Short Stories,” Ernest Hemingway
  • “The Rime of the Ancient Mariner,” Samuel Taylor Coleridge
  • “The Annotated Alice,” ed. Martin Gardner
  • “The World through Blunted Sight,” Patrick Trevor-Roper
  • “The Naked Lunch,” William Burroughs
  • “The Black Box,” ed. Malcolm MacPherson
  • “Los Angeles Yellow Pages”
  • “America,” Jean Baudrillard
  • “The Secret Life of Salvador Dalí,” by Dalí
Cyber Conflict and Subversion in the Russia-Ukraine War

Cyber operations reveal their limitations as means of warfare, but territorial conquest opens unique opportunities for exploitation.



  • Author: Default
  • Category: article
  • URL:


>The Russia-Ukraine war is the first case of cyber conflict in a large-scale military conflict involving a major power.

>Contrary to cyberwar fears, most cyber operations remained strategically inconsequential, but there are several exceptions: the AcidRain operation, the UKRTelecom disruption, the September 2022 power grid sabotage, and the catastrophic Kyivstar outage of 2023.

>These developments suggest hacking groups are increasingly fusing cyber operations with traditional subversive methods to improve effectiveness.

>The first exceptional case is AcidRain. This advanced malware knocked out satellite communication provided by Viasat’s K-SAT service across Europe the very moment the invasion commenced. Among the customers of the K-SAT service: Ukraine’s military. The operation that deployed this malware stands out not only because it shows a direct linkage to military goals but also because it could have plausibly produced a clear tactical, potentially strategic, advantage for Russian troops at a decisive moment.

>The second exception is a cyber operation in March 2022 that caused a massive outage of UKRTelecom, a major internet provider in Ukraine. It took only a month to prepare yet caused significant damage. It cut off over 80 percent of UKRTelecom’s customers from the internet for close to 24 hours.

>Finally, the potentially most severe challenge to the theory of subversion is a power grid sabotage operation in September 2022. The operation stands out not only because it used a novel technique but also because it took very little preparation. According to Mandiant, it required only two months of preparation and used what is called “living off the land” techniques, namely foregoing malware and using only existing functionality.

>After all, why go through the trouble of finding vulnerabilities in complex networks and develop sophisticated exploits when you can take the easy route via an employee, or even direct network access?

Lessons learned from two decades of Site Reliability Engineering
  • Reread today again, with some highlights:

    Lessons Learned from Twenty Years of Site Reliability Engineering



    The riskiness of a mitigation should scale with the severity of the outage

    We, here in SRE, have had some interesting experiences in choosing a mitigation with more risks than the outage it's meant to resolve.

    We learned the hard way that during an incident, we should monitor and evaluate the severity of the situation and choose a mitigation path whose riskiness is appropriate for that severity.

    Recovery mechanisms should be fully tested before an emergency

    An emergency fire evacuation in a tall city building is a terrible opportunity to use a ladder for the first time.

    Testing recovery mechanisms has a fun side effect of reducing the risk of performing some of these actions. Since this messy outage, we've doubled down on testing.

    We were pretty sure that it would not lead to anything bad. But pretty sure is not 100% sure.

    A "Big Red Button" is a unique but highly practical safety feature: it should kick off a simple, easy-to-trigger action that reverts whatever triggered the undesirable state to (ideally) shut down whatever's happening.

    Unit tests alone are not enough - integration testing is also needed

    This lesson was learned during a Calendar outage in which our testing didn't follow the same path as real use, resulting in plenty of testing... that didn't help us assess how a change would perform in reality.

    Teams were expecting to be able to use Google Hangouts and Google Meet to manage the incident. But when 350M users were logged out of their devices and services... relying on these Google services was, in retrospect, kind of a bad call.

    It's easy to think of availability as either "fully up" or "fully down" ... but being able to offer a continuous minimum functionality with a degraded performance mode helps to offer a more consistent user experience.

    This next lesson is a recommendation to ensure that your last-line-of-defense system works as expected in extreme scenarios, such as natural disasters or cyber attacks, that result in loss of productivity or service availability.

    A useful activity can also be sitting your team down and working through how some of these scenarios could theoretically play out—tabletop game style. This can also be a fun opportunity to explore those terrifying "What Ifs", for example, "What if part of your network connectivity gets shut down unexpectedly?".

    In such instances, you can reduce your mean time to resolution (MTTR), by automating mitigating measures done by hand. If there's a clear signal that a particular failure is occurring, then why can't that mitigation be kicked off in an automated way? Sometimes it is better to use an automated mitigation first and save the root-causing for after user impact has been avoided.

    Having long delays between rollouts, especially in complex, multiple component systems, makes it extremely difficult to reason out the safety of a particular change. Frequent rollouts—with the proper testing in place— lead to fewer surprises from this class of failure.

    Having only one particular model of device to perform a critical function can make for simpler operations and maintenance. However, it means that if that model turns out to have a problem, that critical function is no longer being performed.

    Latent bugs in critical infrastructure can lurk undetected until a seemingly innocuous event triggers them. Maintaining a diverse infrastructure, while incurring costs of its own, can mean the difference between a troublesome outage and a total one.

  • Spots, stripes and more: Working out the logic of animal patterns

    More than 70 years ago, mathematician Alan Turing proposed a mechanism that explained how patterns could emerge from bland uniformity. Scientists are still using his model — and adding new twists — to gain a deeper understanding of animal markings.


    Interesting findings


    update to 19.4, some downtime

    Sorry for the downtime, had not been paying enough attention to the change log and made the wrong assumption that the site does not work because of the pictrs update.

    But it was the wrong port on the docker template!


    Startling differences between humans and jukeboxes


    • Author: Adam Mastroianni
    • Category: article
    • URL:


    >Similarly, when you survey people about what motivates them at work, they go “Feeling good about myself! Having freedom, the respect of my coworkers, and opportunities to develop my skills, learn things, and succeed!” When you survey people about what motivates others, they go, “Money and job security!” In another survey, people claimed that they value high-level needs (e.g., finding meaning in life) more than other people do.

    >I’m saying “people” here as if I wasn’t one of them, but I would have agreed with all of the above. It was only saying it out loud that made me realize how cynical my theory of human motivation was, and that I applied it to everyone but myself. Yikes!

    >It’s not that hard to give people skills. It’s way harder to give them interests.

    >The best way to use incentives, then, is to:

    >1) find the people who already want what you want

    >2) help them survive

    >in a department where an internal survey revealed low morale among the graduate students. A town hall was convened to investigate the issue. The students knew that one of the biggest problems was that a handful of professors terrorize and neglect their underlings, and the fastest way to fix this would be to put those faculty members on an ice floe and push it out to sea. This, of course, was difficult to bring up (some of those faculty members were in the room), and so instead we talked about minor bureaucratic reforms like whether there should be some training for advisors, or whether bad advisors should have fewer opportunities to admit students. Nobody could name who these mysterious bad advisors were, of course, so even these piddling suggestions went nowhere.

    >If you hire someone based on the shininess of their CV and then hope that, somehow, the employee handbook will show them how to also be a good person and not just a prolific paper-producer, you’re going to end up with a department full of sad graduate students.

    >If you’re writing a constitution or a code of conduct, by all means, do a good job. But if you’re counting on something like “SUBSECTION 3A: Being evil is not allowed” to stop people from being evil, or if you think Roberts Rules of Order are going to turn an insecure despot into an enlightened ruler, well, strap in for some Dark Ages and some bad improv.

    >discovering your inner motivations takes time and experience, and we gum up the process with lots of strong opinions about what should motivate us.

    >If you believe that people need to be treated like jukeboxes or secret criminals, you are accepting the behaviorist premise that we need to put people inside a giant operant conditioning chamber that dispenses food pellets for good behavior and electric shocks for bad behavior.

    How AI will change democracy

    Artificial intelligence is coming for our democratic politics, from how politicians campaign to how the legal system functions.


    Went well with this

    How AI Will Change Democracy


    • Author: Bruce Schneier
    • Category: rss
    • URL:


    >Replacing humans with AIs isn’t necessarily interesting. But when an AI takes over a human task, the task changes.

    >In particular, there are potential changes over four dimensions: Speed, scale, scope and sophistication.

    >It gets interesting when changes in degree can become changes in kind. High-speed trading is fundamentally different than regular human trading. AIs have invented fundamentally new strategies in the game of Go. Millions of AI-controlled social media accounts could fundamentally change the nature of propaganda.

    >We don’t know how far AI will go in replicating or replacing human cognitive functions. Or how soon that will happen. In constrained environments it can be easy. AIs already play chess and Go better than humans.

    >keep in mind a few questions: Will the change distribute or consolidate power? Will it make people more or less personally involved in democracy? What needs to happen before people will trust AI in this context? What could go wrong if a bad actor subverted the AI in this context?

    >The changes are largely in scale. AIs can engage with voters, conduct polls and fundraise at a scale that humans cannot—for all sizes of elections. They can also assist in lobbying strategies. AIs could also potentially develop more sophisticated campaign and political strategies than humans can.

    >But as AI starts to look and feel more human, our human politicians will start to look and feel more like AI. I think we will be OK with it, because it’s a path we’ve been walking down for a long time. Any major politician today is just the public face of a complex socio-technical system. When the president makes a speech, we all know that they didn’t write it.

    >In the future, we’ll accept that almost all communications from our leaders will be written by AI. We’ll accept that they use AI tools for making political and policy decisions. And for planning their campaigns. And for everything else they do.

    >AIs can also write laws. In November 2023, Porto Alegre, Brazil became the first city to enact a law that was entirely written by AI. It had to do with water meters. One of the councilmen prompted ChatGPT, and it produced a complete bill. He submitted it to the legislature without telling anyone who wrote it. And the humans passed it without any changes.

    >A law is just a piece of generated text that a government agrees to adopt.

    >AI will be good at finding legal loopholes—or at creating legal loopholes. I wrote about this in my latest book, A Hacker’s Mind. Finding loopholes is similar to finding vulnerabilities in software.

    >AIs will be good at inserting micro-legislation into larger bills.

    >AI can help figure out unintended consequences of a policy change—by simulating how the change interacts with all the other laws and with human behavior.

    >AI can also write more complex law than humans can.

    >AI can write laws that are impossible for humans to understand.

    >Imagine that we train an AI on lots of street camera footage to recognize reckless driving and that it gets better than humans at identifying the sort of behavior that tends to result in accidents. And because it has real-time access to cameras everywhere, it can spot it … everywhere.

    >The AI won’t be able to explain its criteria: It would be a black-box neural net. But we could pass a law defining reckless driving by what that AI says. It would be a law that no human could ever understand. This could happen in all sorts of areas where judgment is part of defining what is illegal. We could delegate many things to the AI because of speed and scale. Market manipulation. Medical malpractice. False advertising. I don’t know if humans will accept this.

    >It could audit contracts. It could operate at scale, auditing all human-negotiated government contracts.

    >Imagine we are using an AI to aid in some international trade negotiation and it suggests a complex strategy that is beyond human understanding. Will we blindly follow the AI? Will we be more willing to do so once we have some history with its accuracy?

    >Could AI come up with better institutional designs than we have today? And would we implement them?

    >An AI public defender is going to be a lot better than an overworked not very good human public defender. But if we assume that human-plus-AI beats AI-only, then the rich get the combination, and the poor are stuck with just the AI.

    >AI will also change the meaning of a lawsuit. Right now, suing someone acts as a strong social signal because of the cost. If the cost drops to free, that signal will be lost. And orders of magnitude more lawsuits will be filed, which will overwhelm the court system.

    >Another effect could be gutting the profession. Lawyering is based on apprenticeship. But if most of the apprentice slots are filled by AIs, where do newly minted attorneys go to get training? And then where do the top human lawyers come from? This might not happen. AI-assisted lawyers might result in more human lawyering. We don’t know yet.

    >AI can help enforce the law. In a sense, this is nothing new. Automated systems already act as law enforcement—think speed trap cameras and Breathalyzers. But AI can take this kind of thing much further, like automatically identifying people who cheat on tax returns, identifying fraud on government service applications and watching all of the traffic cameras and issuing citations.

    >But most importantly, AI changes our relationship with the law. Everyone commits driving violations all the time. If we had a system of automatic enforcement, the way we all drive would change—significantly. Not everyone wants this future. Lots of people don’t want to fund the IRS, even though catching tax cheats is incredibly profitable for the government. And there are legitimate concerns as to whether this would be applied equitably.

    >AI can help enforce regulations. We have no shortage of rules and regulations. What we have is a shortage of time, resources and willpower to enforce them, which means that lots of companies know that they can ignore regulations with impunity.

    >Imagine putting cameras in every slaughterhouse in the country looking for animal welfare violations or fielding an AI in every warehouse camera looking for labor violations. That could create an enormous shift in the balance of power between government and corporations—which means that it will be strongly resisted by corporate power.

    >The AI could provide the court with a reconstruction of the accident along with an assignment of fault. AI could do this in a lot of cases where there aren’t enough human experts to analyze the data—and would do it better, because it would have more experience.

    >Automated adjudication has the potential to offer everyone immediate justice. Maybe the AI does the first level of adjudication and humans handle appeals. Probably the first place we’ll see this is in contracts. Instead of the parties agreeing to binding arbitration to resolve disputes, they’ll agree to binding arbitration by AI. This would significantly decrease cost of arbitration. Which would probably significantly increase the number of disputes.

    >If you and I are business partners, and we have a disagreement, we can get a ruling in minutes. And we can do it as many times as we want—multiple times a day, even. Will we lose the ability to disagree and then resolve our disagreements on our own? Or will this make it easier for us to be in a partnership and trust each other?

    >Human moderators are still better, but we don’t have enough human moderators. And AI will improve over time. AI can moderate at scale, giving the capability to every decision-making group—or chatroom—or local government meeting.

    >AI can act as a government watchdog. Right now, much local government effectively happens in secret because there are no local journalists covering public meetings. AI can change that, providing summaries and flagging changes in position.

    >This would help people get the services they deserve, especially disadvantaged people who have difficulty navigating these systems. Again, this is a task that we don’t have enough qualified humans to perform. It sounds good, but not everyone wants this. Administrative burdens can be deliberate.

    >Finally, AI can eliminate the need for politicians. This one is further out there, but bear with me. Already there is research showing AI can extrapolate our political preferences. An AI personal assistant trained on and continuously attuned to your political preferences could advise you, including what to support and who to vote for. It could possibly even vote on your behalf or, more interestingly, act as your personal representative.

    >We can imagine a personal AI directly participating in policy debates on our behalf along with millions of other personal AIs and coming to a consensus on policy.

    >More near term, AIs can result in more ballot initiatives. Instead of five or six, there might be five or six hundred, as long as the AI can reliably advise people on how to vote. It’s hard to know whether this is a good thing. I don’t think we want people to become politically passive because the AI is taking care of it. But it could result in more legislation that the majority actually wants.

    >I think this is all coming. The time frame is hazy, but the technology is moving in these directions.

    >All of these applications need security of one form or another. Can we provide confidentiality, integrity and availability where it is needed? AIs are just computers. As such, they have all the security problems regular computers have—plus the new security risks stemming from AI and the way it is trained, deployed and used. Like everything else in security, it depends on the details.

    >In most cases, the owners of the AIs aren’t the users of the AI. As happened with search engines and social media, surveillance and advertising are likely to become the AI’s business model. And in some cases, what the user of the AI wants is at odds with what society wants.

    >We need to understand the rate of AI mistakes versus the rate of human mistakes—and also realize that AI mistakes are viewed differently than human mistakes. There are also different types of mistakes: false positives versus false negatives. But also, AI systems can make different kinds of mistakes than humans do—and that’s important. In every case, the systems need to be able to correct mistakes, especially in the context of democracy.

    >Many of the applications are in adversarial environments. If two countries are using AI to assist in trade negotiations, they are both going to try to hack each other’s AIs. This will include attacks against the AI models but also conventional attacks against the computers and networks that are running the AIs. They’re going to want to subvert, eavesdrop on or disrupt the other’s AI.

    >Large language models work best when they have access to everything, in order to train. That goes against traditional classification rules about compartmentalization.

    >Can we build systems that reduce power imbalances rather than increase them? Think of the privacy versus surveillance debate in the context of AI.

    >And similarly, equity matters. Human agency matters.

    >Whether or not to trust an AI is less about the AI and more about the application. Some of these AI applications are individual. Some of these applications are societal. Whether something like “fairness” matters depends on this. And there are many competing definitions of fairness that depend on the details of the system and the application. It’s the same with transparency. The need for it depends on the application and the incentives. Democratic applications are likely to require more transparency than corporate ones and probably AI models that are not owned and run by global tech monopolies.

    >AI will be one of humanity’s most important inventions. That’s probably true. What we don’t know is if this is the moment we are inventing it. Or if today’s systems are yet more over-hyped technologies. But these are security conversations we are going to need to have eventually.

    >AI is coming for democracy. Whether the changes are a net positive or negative depends on us. Let’s help tilt things to the positive.

    Yea or Nay?


    cross-posted from:

    > Some appetizers for the book on breaking Enigma.

    0 The habits of effective remote teams - PostHog

    Remote work sucks. If you work at Dell, that is. In March, it announced remote employees would not be considered for promotions, or be able to…



    • Author: PostHog
    • Category: email
    • URL: mailto:reader-forwarded-email/1c3a1c8d6e553790a7809f3edb62d8f3


    >Remote work doesn't work without a strong writing culture.

    >If a decision is made on a call and nobody writes it down, was a decision even made?

    >Writing is thinking, so it helps you think through both what you’re trying to achieve and how you want to communicate it, making everyone more intentional.

    >But the manager's schedule is the enemy of remote work. Successful remote teams avoid it entirely, which makes them incredibly good at getting shit done.

    >We optimize for productivity, not presence.

    >The biggest (and stupidest) argument against remote work? It makes people less productive. This is demonstrably untrue.

    >So, if productivity isn't the problem, what is it? It’s trust. If you trust people to do their very best work, and create a culture that values transparency, they'll deliver.

    >We trust people to do their best work and, in return, they deliver.

    >Simply put, when something goes wrong, the investigation of the root cause is, as the company puts it, blameless. This encourages everyone to speak up without fear of punishment. People are trusted to make mistakes and, as a result, problems that do arise are easier to solve.

    >Successful remote companies build everything out in the open. This gives everyone the context they need, and eliminates the political squabbles that plague less transparent companies.

    >As Buffer co-founder and CEO Joel Gascoigne wrote almost a decade ago, “transparency breeds trust, and trust is the foundation of great teamwork.” It’s still true today.

    0 Paul Auster, American author of The New York Trilogy, dies aged 77

    The writer of The New York Trilogy, Leviathan and 4 3 2 1 – known for his stylised postmodernist fiction – has died from complications of lung cancer


    Have enjoyed The New York Trilogy


    "The Burnout Society": why do we constantly feel overworked and unhappy?

    >The book that made the philosopher famous, "The Burnout Society" (German: Müdigkeitsgesellschaft), was published in Germany in 2010. In it he was a decade ahead of the now universally acknowledged rise of burnout culture, which is especially characteristic of the so-called millennial generation (those born 1981–1996). The stimulation experienced every day, especially on the internet and social networks, is so intense that it is hard to feel or to think independently. Ironically, Han's books are popularized by word of mouth precisely through the internet.

    2 Google Patches Fourth Chrome Zero-Day in Two Weeks

    Exploited in the wild, Chrome vulnerability CVE-2024-5274 is a high-severity flaw described as a type confusion in the V8 JavaScript and WebAssembly engine.


    Remember IE5 days? ;)

  • Parishioners Report Priest for Saying Jesus Died With Erection
  • This is what you get when you are not sleeping during biology classes.

  • Mexico's president says his country is breaking diplomatic ties with Ecuador after embassy raid
  • i am all for normalizing raiding embassies for [put the cause you support] as well

  • Help name the story: sci-fi, people living on different weekdays
  • looks interesting, but not this one.

  • Federation is disabled by default due to heavy resource usage
  • from the logs it would seem that synapse went down not due to sheer volume of traffic, but special malformed usernames - so it seems a different pattern was used (if it was an attack)

  • Federation is disabled by default due to heavy resource usage
  • I am not sure if that is related, but technically Matrix uses a different protocol from ActivityPub, so it had to be targeted specifically

  • The Erosion of Financial Privacy - Marginal REVOLUTION
  • can do, if you could provide the link to the debunking source - would be great!

  • Stolen Face ID scans used to break into bank accounts
  • Yes, seems so from the article.

  • Palworld server costs near $500K per month as network engineer is ordered to 'never let the service go down no matter what'
  • Agree, but five nines are not 100% ;) Anyway - this discussion reminds me of Technical Report 85.7 - Jim Gray, which might be of interest to some of you.

  • Palworld server costs near $500K per month as network engineer is ordered to 'never let the service go down no matter what'
  • well this is probably PR as there is no such system nor it can be made that can have 100% uptime. not talking about the fact that network engineers rarely work with servers :)