I built a new PC for gaming 2 years ago with Windows 11 and I can’t see myself using this OS again when I retire it. From randomly losing Bluetooth, to keyboard resets, to the hilarious failure that is the new right click menu (which lags a bit before appearing, something that I find hilarious) it’s just a bad user experience through and through. My new PC will either run Linux or be a Mac mini. Hopefully Linux gaming will continue to improve and I will be able to completely ditch Windows once and for all.
I also used to read on my commute but stopped it after I finished "For Whom the Bell Tolls". I was so moved that I ended up crying in the bus and I would have liked to experience that feeling in the privacy of my home rather than in the morning bus with 9 hours still on the clock.
I can only hope that this degradation of UX will make more people switch or consider switching to other distributions. It's the only thing that will make Microsoft listen.
The lack of evidence before attributing the attack(s) to a Chinese sponsored group makes me correlate this report with recent statements from companies in the AI space about how China is about to surpass US in the AI race. Ultimately statements and reports like these seem more like an attempt to make the US government step in and be the big investor that keeps the money flowing rather than anything else.
Do public reports like this one often go deep enough into the weeds to name names, list specific tools and techniques, URLs?
I don't doubt of course that reports intended for government agencies or security experts would have those details, but I am not surprised that a "blog post" like this one is lacking details.
I just don't see how one goes from "this is lacking public evidence" to "this is likely a political stunt".
I guess I would also ask the skeptics (a bit tangentially, I admit), do you think what Anthropic suggested happened is in fact possible with AI tools? I mean are you denying that this could even happen or just that Anthropic's specific account was fabricated or embellished?
Because if the whole scenario is plausible that should be enough to set off alarm bells somewhere.
There's an incentive to blame "Chinese/Russian state sponsored actors" because it makes them less culpable than "we got owned by a rando".
It's like the inverse of "nobody got fired for using IBM" -- "nobody can blame you for getting hacked by superspies". So, in the absence of any evidence, it's entirely possible they have no idea who did it and are reaching for the most convenient label.
That's fair. If the actor (and it's a Chinese state actor here) is what is being questioned as "bullshit" then that should be the discourse in the article and in this thread.
Instead the lack of a paper trail from Anthropic seems to be having people questioning the whole event?
> > State sponsorship can include the state looking the other way.
> So all attacks anywhere are state sponsored?
There's a difference between a deliberate decision to look away, and unawareness through lack of oversight.
You steal candy from a store. There's a difference between the security guard seeing you and deliberately looking away, compared to just not seeing you at all.
Not really? APTs would seem to be either criminal enterprises or state-sponsored because SOMEBODY has to be paying the big bucks.
So yes, probably 100% of criminal enterprises are paying off officials, but if that's the definition of "state sponsored" then the term loses any meaning.
EDIT I guess there's also "legit" businesses like Palantir/NSO group, but I would argue any firm like that is effectively state-sponsored as they are usually revolving doors with NSA-type agencies, the military etc.
Exactly, and anyone without even needing much evidence to do so.
It’s allowed in the current day and time to criticize someone else for not providing evidence, even when that evidence would make it easier for the attackers to tune their attack to prevent being identified, and everyone will be like “Yeah, I’m mad, too! Anthropic sucks!” When in the process that only creates friction for the only company that’s spent significant ongoing effort to prevent an AI disaster by trying to be the responsible leader.
I’ve really had my fill of the current climate where people are quick to criticize an easy target just because they can rally anger. Anyone can rally anger. If you must rally anger, it should be against something like hypocrisy, not because you just get mad at things that everyone else hates.
There’s a big jump between “the attack came from China” and “the attack was sponsored by the Chinese government.” People generally make this jump in one of three ways.
1) Just a general assumption that all bad stuff from China must be state-sponsored because it’s generally a top-down govt-controlled society. This is not accurate and not really actionable for anyone in the U.S.
2) The attack produced evidence that aligns with signatures from “groups” that are already widely known / believed to be Chinese state sponsored, AKA APTs. In this case, disclosing the new evidence is fine since you’re comparing to, and hopefully adding to, signature data that is already public. It’s considered good manners to contribute to the public knowledge from which you benefited.
3) Actual intelligence work by government agencies like FBI, NSA, CIA, DIA, MI6, etc. is able to trace the connections within Chinese government channels. Obviously this is usually reserved for government statements of attribution and rarely shared with commercial companies.
Hopefully Anthropic is not using #1, and it’s unlikely they are benefiting from #3. So why not share details a la #2?
Of course it’s possible and plausible for people to be using Claude for attacks. But what good does saying that do? As the article says: defenders need actionable, technical attack information, not just a general sense of threat.
#3 much intelligence is to the benefit of industry and commercial companies. To a country their economy is their country. After the end of the cold war most state espionage was focused on industry. Sharing is possibly common but secret. The lack of details in the report to me smells of "we are not allowed to share the details". (It also smells of that law to attribute incompetence and not lies)
Now Anthropic is new and I don't know how embedded they are with their host's government compared to a FANG etc. but I wouldn't discount some of #3.
(If you see an American AI company requiring security clearance that gives a good indication of some level of state involvement. But it might also be just selling their software to a peaceful internal department...)
The report itself reads like a humblebrag at best, marketing materials at worst. I have to agree with the OP: taking this report at face value requires that you trust Anthropic, a lot.
Their August threat intelligence report struck similar chords.
> Do public reports like this one often go deep enough into the weeds to name names
Yes. They often include IoCs, or at the very least, the rationale behind the attribution, like "sharing infrastructure with [name of a known APT effort here]".
Not vested in the argument, but it stood out to me that your argument is similar to TV courts: if it’s plausible, the report is true. Very far from "the report is credible".
Honest companies with good reputations tend to get the benefit of the doubt.
E.g., how much do you expect Costco or Valve to intentionally harm their customers compared to Comcast or Electronic Arts? That’s just the old school concept of reputation at work. Companies can “buy” benefit of the doubt by being genuine and avoiding blowing smoke up people’s ass.
Anthropic has been spitting bullshit about how the AGI they’re working on is so smart it’s dangerous. So those chumps having no answers when they get hacked smells like something.
Are they telling us their magical human AGI brain and their security professionals being paid top industry rates can’t trace what happened in a breach?
Anthropic has also been the biggest anti-China LLM in a long while, so it's possible they're using an opportunistic hack (potentially involving actual Chinese IP addresses) as another way to push their agenda.
Considering ever since the Vault 7 releases, we should be well aware of the fact that at least one government is able to make any attack look like any other nation state actor, any attribution to, especially convenient adversaries, is extremely suspicious on the face of it.
Anthropic does seem to have more ethical practices on that than most companies in this space, purchasing and scanning physical books rather than pirating them as Meta and OpenAI did. However, books are cheap, and I’m unsure of their wider practices.
The bubble is gonna burst soon and these companies are desperate to convince the government they are either too big to fail or too critical to national defense to fail.
Feels like most current humans will die (some of boredom) while waiting on this bubble to burst… US in general and HN in particular are averaging 10.78 bubble-popping predictions per hour :)
- Many people in many countries now hate the U.S. and U.S. companies like Anthropic.
- In addition, leaders in the U.S. have been lobbied by OpenAI and invest in it which is a direct competitor and is well-represented on HN.
- China’s government has vested interest in its own companies’ AI ventures.
Given this, I’d hardly say that Anthropic was much of a strong U.S. puppet company, and likely has strong evidence about what happened, while also hoping to spin the PR to get people to buy their services.
I don’t think it’s unreasonable to assume that people that write inflammatory posts about Anthropic may have more than an axe to grind against AI and may be influenced by their country and its propaganda or potentially may even be working for them.
> Whatever his reason, Tim Cook is not as protective of the user experience as his predecessor was. If we were to ask Tim why it’s okay to bring ads into Apple products now, but wasn’t okay during Steve’s reign, the best (only?) answer would probably be, “Today’s Apple is very different from Steve’s Apple.”
> Quite true. And that is exactly the problem.
So Ken Segall first admits he doesn't know the reason, then speculates the answer Tim Cook would give if they were asked the question, then ends the article by contemplating on that speculative answer.
And the thumbnail is quite obviously AI generated. Just low quality all around. The point could be driven home without resorting to either of these two things.
I had the same Bluetooth issue on Windows 11. It stopped working. I didn't even have the option to see the Bluetooth setting. All my peripherals stopped working and I had to bring out the cables. Then one day after a month or so it was fixed.
> If you use neovim inside a terminal you are just straight up using an inferior product, with less features and more problems
I use neovim like that and the selling point for me is that it's 1 less program that I have to install and learn with the added (crucial) benefit that it doesn't update on its own, changing UI and setting that I was used to.
>benefit that it doesn't update on its own, changing UI and setting that I was used to.
This exact thing remains true though, you are using the exact same neovim, but instead of it being wrapped inside a totally bizarre piece of legacy software, it is rendered inside a modern graphical frontend. It looks mostly the same, except it handles fonts better, it is independent of weird terminal quirks and likely faster. There is no downside.
And again, your point about using TUI stuff because of the input method or whatever is just false. Neovide has the exact same input method, yet has a complete GUI. Using the terminal makes no sense at all, it is the worst neovim experience there is.
I recently got into neovim and some things that the author mentions can be found in pre-built configurations like kickstart by default. E.g. when hitting "g" I also get a popup with the available follow-up keys alongside the final keybind's result. Grepping text provides a preview window with the context of the line that was found.
The Melancholy of Resistance is a book that shaped my understanding of conflict and apathy. I am happy this man got the Nobel, he is a tremendous writer.
I am a FE developer and I believe that we collectively have a loser's mentality when dealing with CSS.
In my mind, SCSS + CSS modules + maybe a processor tool is a rock solid and modern set of tech that produces excellent results and most importantly moves styling off the main thread. It makes sense to use it, but we don't. FE interviews even for senior+ roles are JS/React/system design questions. Nothing about CSS and I get it. Why interview for something you don't use internally?
I recently read something that stuck with me, which was about micro front ends but I think applies in more cases than this: "it doesn't solve a technical problem but an organizational one".
There was an excellent reddit discussion on the pros and cons of tailwind and it boiled down to "it's really hard to enforce CSS guidelines for teams of multiple people". Tech leads didn't want to monitor how 10 or 20 or 50+ different FE developers wrote CSS and opted for tailwind so that everyone wrote the same, even if that meant multiple inline classes pasted on each element. I find this reluctance to enforcing guidelines weird, considering at $WORK we have multiple confluence pages and internal documents about React and Javascript guidelines and I have seen similar documents in previous work places. Would it be really different to apply the same mental paradigm for CSS?
Of course, all this is under the hindsight knowledge that HTML and CSS have evolved in recent years to be truly powerful and versatile. I get the technical decision to go all in on JSS and React 5 years ago. I don't now.
It seems to me, that many FE devs don't even know CSS these days. Rather just tack on some "ready" made component found on NPM or some component library. When it actually comes to using CSS to fix something about part of a page or part of a component, I often see non-responsive ways of doing that, badly tested across browsers, breaking at some width of the viewport, etc.
In my view CSS is essential. Not knowing CSS at least somewhat well is a huge obstacle in producing high quality frontend work. It's like being a carpenter, but simply not knowing one important aspect of wood, or not being able to use a specific tool to work with wood, let's say a tool to smooth surfaces. CSS is part of the medium you work with as a FE engineer. It is unfathomable to me, how a FE engineer can not know this stuff well. If some FE engineer is reading this, and feels some impostor syndrome: Yes, if you don't know your medium and tools at least in the basics, then you should feel like an impostor.
I see broken responsiveness very often. Of course in almost all websites, that rely on JS to display what is essentially a bunch of static texts.
If I was interviewing for a FE position, and really had to go through the circus of asking interviewees code questions, I would definitely include a minimum of CSS knowledge there. Basic things like how they would scope their CSS to specific elements or classes of elements and how they would prevent their styling to bleed into other stuff. Or how they would set up a theme with just CSS. Not questions expecting them to write CSS on a whiteboard, of course. Just testing their basic understanding.
> In my mind, SCSS + CSS modules + maybe a processor tool is a rock solid and modern set of tech
"my set of non-standard tools and preprocessors is superior to these guys' non-standard tools and preprocessors" is not a good argument.
> I find this reluctance to enforcing guidelines weird
Because CSS doesn't lend itself to any enforcement. All the tools that appear around it, including those you like, like SASS and "some processing", don't appear because people don't understand something or can't enforce something.
> Of course, all this is under the hindsight knowledge that HTML and CSS have evolved in recent years to be truly powerful and versatile.
Indeed. And many of these features have been made available across all major browsers only in the past two or so years.
No one is going to rewrite everything from SASS or CSS-in-JS just because some features now exist in vanilla CSS.
I never said we have to rewrite existing apps and I explicitly mention that these improvements are recent. You come off as overly sarcastic and irritating in an otherwise civil thread.
CSS modules are really enough - there's no need to overthink it any further.
I'm currently in a project where my first task, spanning several months, was to clean up after the previous guy. The main issues in styling were misguided attempts at sharing styles implemented via breaking encapsulation.
If you have a workplace (not just a manager or even a set of them but an entire organization or subset thereof) that is allergic to punishing people then it's easier and less headache inducing to just tell everyone to use a particular framework with a set of customizations to maintain some semblance of unity. This is true of large teams and small "teams" that are overburdened with lots of disparate projects.
Should they be allergic to punishing people? No, but it be how it do.
> I find this reluctance to enforcing guidelines weird
It's worse than that. All the hype in design has been about creating a global design language, and enforcing it over all your teams for more than a decade now. All the hype has been on centralizing the design team, moving it away from the developers for some years. All the hype has been on tools that claim to enable reusing and distributing that work...
And yet everything is done in a way that developers have to do everything themselves and don't get to coordinate with each other.
(Honestly, I'm settling on the opinion that non-developing application design is a scam all around.)