> Open source creates a useful urgency: when your code is public, you assume it will be examined closely, so you invest earlier and more aggressively in finding and fixing issues before attackers do.
This should be the mentality of every company doing open source. Great points made.
This should be a mentality of every company building products :)
I guess open source makes you more accountable.
> I want to be fair to Cal.com here, because I don’t think they’re acting in bad faith. I just think the security argument is a convenient frame for decisions that are actually about something else. […] Framing a business decision as a security imperative does a disservice to the open-source ecosystem that helped Cal.com get to where they are.
That sure sounds like bad faith to me.
Bad faith requires you to intend it badly, though, not just for it to be bad.
Framing a business decision as a security imperative sure sounds like intent to mislead to me.
The above statement is claiming it likely is intended as something bad though. A convenient coverup.
Covering something up is not bad faith. PR firms do it all the time (though plenty more do things in bad faith too). If what you're covering up is an explicitly user-hostile decision then maybe that's bad faith if what you're trying to do is trick people. But if you're just lying for brownie points then that's not always bad faith, just dumb.
Hiding something to manipulate public perception is bad faith.
> dishonest or unacceptable behaviour:
https://dictionary.cambridge.org/dictionary/english/bad-fait...
> I just think the security argument is a convenient frame for decisions that are actually about something else.
That would mean they think it’s bad faith. Claiming to do something because of A but to really do it because of B is dishonest
> Large parts of it are delivered straight into the user’s browser on every request: JavaScript, …
Ooh, now I want to try convincing people to return from JS-heavy single-page apps to multi-page apps using normal HTML forms and minimal JS only to enhance what already works without it—in the name of security.
(C’mon, let a bloke dream.)
There are a lot of things to hate in the Web3 world. Lack of back button form resubmission or redirect loops is a strange thing to dislike though.
The web has grown so hostile lately that JavaScript is honestly not safe or useful anymore. The only thing it's used for is serving ads and trackers and paywalls; if I can't read a website with no script enabled, it's not meant for me and I'm just not reading it.
I concur that most web sites could use less JavaScript. And a lot of (but not all) cosmetic uses for JavaScript can be done in CSS.
Of course for web apps (as distinct from web sites) most of what we do would be impossible without JavaScript. Infinite scrolling, maps (moving and zooming), field validation on entry, asynchronous page updates, web sockets, all require JavaScript.
Of course JavaScript is abused. But it's clearly safe and useful when used well.
Never used it as it asks me to burn an email address to post.
This article raises a lot of good points that strengthen the argument against keeping models away just because they're "too powerful". I remain disappointed to see AI corporations gloating about how powerful their private models are that they're not going to provide to anyone except a special whitelist. That's more likely to give attackers a way in without any possibility for defense, not the other way around.
I think the "too powerful" is a convenient half-truth that also helps with marketing, and more importantly keeps the model from being distilled in the short term. They'll release it "to the masses" after KYC or after they already have the next gen for "trusted partners".
I feel bad for Anthropic because they thought Persona was an acceptable KYC provider. It probably was a genuine mistake. I might have to leave them over that, if they think it's fun to ask me to give Peter Thiel my ID to persist indefinitely on Persona's servers!!!