For tech B2B companies where the founders or executive team hold the majority stake in the organisation, yes. A failure to disclose or respond when there is a public notice on an .onion address, or a sample set of your customer data has been published online, creates tangible, direct commercial impact.
You should expect every deal in your pipeline to stall. Your product and company will be flagged by every GRC team, and every stakeholder trying to purchase your product will suddenly need to go to risk committees, or into meetings with CISOs, CTOs, and founders, to explain why buying from you is worth the risk compared to competitors who have not been breached.
If you have not addressed the issue, it becomes a literal deal-breaker. The sooner you write the press release, notify customers, and deal with the underlying problems, the sooner you can turn the incident into a credible story about how you responded, contained it, and improved.
If you do not respond, or you deny it, your deals are dead.
The reason I prefaced this with companies where the founders or executive team hold a majority stake is that I sincerely do not believe the same incentives do not exist for most other companies. The stock price is not meaningfully impacted by incidents like this; it is more affected by vibes, market conditions, and the general tech economy. There are a hundred things that will move the stock price before cybersecurity and data incidents do.
Operating revenue and profit, however, will be impacted. Executives on a death march for growth, who understand that an incident like this can wipe away a year of progress (and essentially their life's work), are far more likely to take it seriously. They are directly exposed to the commercial consequences.
The companies you see trying to sweep this under the rug, or outright ignore it, are usually one of two things.
1. They are so out of touch with their customers that they would rather listen to a lawyer chasing the “ideal legal-risk outcome” than pursue the best financial, customer and cybersecurity risk outcome. In my experience these are executives who are independently wealthy or already come from wealth, and their priority is simply keeping the status quo.
2. They are simply not incentivised to deal with it properly (carrot, nor stick). That is: they don't lose their bonus, they don't face the axe, and they aren't rewarded for doing anything "well" in response to it. They might say they're "inherently" exposed because if the business is impacted, so are they (stock price, performance bonuses) -- but that's incredibly disingenuous, as it's pretty much always not a material difference to them.
For B2C or B2B doing "traditional" stuff? No. The incentive simply just isn't there.
It makes sense when you have a somewhat fixed core team size. Frankly, in some regards, this is the responsible thing to do.
It means they’ll never grow modules or the codebase beyond what the team can reasonably maintain.
However on the other hand.. What does this mean for the existing team, are maintainers now worth considerably more to the project? What does this mean for the codebase, or the momentum of the project?
It’s an approach I would have expected for the likes of curl, or single-purpose libraries. But this is a mammoth decision for a mammoth project.
What you’re concerned about doesn’t stop at the employer.
Anyone with access to data being processed about you may have incentives that align similarly with your employer’s use case.
Advertisers, Internet service providers, phone manufacturers, social networks, tech platform providers, schools, families, spouses, nosy neighbours, nosy governments.
The scale at which you can build a summary about someone is astonishing.
How they breach policies, how they break laws, how they mishandle sensitive data, how they materially negatively impact customers.
This whole thing is now a litigation nightmare, and frankly I can’t believe Meta is doing this so publicly. They’ve created an incredibly dangerous and lucrative lever in which vexatious and otherwise incentivised individuals and organisations can subpoena and demand evidence which, provided the ample data available, will surely produce enough evidence given the expanse of their employer base. They simply need to have a thread to pull on, so a judge doesn’t deem it a fishing expedition.
Similarly, I worry for democracies with no checks or balances to prevent ruling parties from exploiting or abusing this power. For example, in India, there’s accusations of their equivalent of the NSA being used to spy on the opposition —- under the guise of “keep them honest”. https://www.idsa.in/system/files/book/book_IntellegenceRefor...
In other Western countries whenever this type of work is conducted, it’s usually at Director or Minister-level approval. There’s lawyers involved, it’s heavily documented. What happens when systems, or products, are given the implicit approval of this same function by their very nature?
Well, at the risk implying intention and thus anthropomorphizing Larry... you know sharks don't eat, they simply consume food, like a fire consumes wood, this is what Larry Ellison advocates for:
"Citizens will be on their best behavior, because we’re constantly recording and reporting everything that is going on"
That smart TV you just got has ACR (Automatic Content Recognition), which takes a screenshot of what you're watching, twice a second, and sends it off to data brokers.
And yet the appratchiks will tell you "just bring another laptop", "just bring another phone", "just don't have health insurance" as the moat closes and you're being exploited on every step.
It's incredibly interesting content, but I can't but help but notice the "AI-isms". I noticed it when he said "And that's the first mental shift", so I extracted the transcript and..
> "But print f is not really just a function... It's a formatting engine."
> "A format string is not just a string. It's a program."
> "A good log file is not just data. It's an emergency instrument panel."
> "...how print f has evolved into a diagnostic language and not just a formatting function."
> "...remember that you're not just printing an integer. You're invoking a tiny machine..."
> "print f of user input is not just bad style. It's an engraved invitation to chaos..."
And then there's the "whimsy" that AI liked to throw into this type of content.
> "It's a bit like giving a blindfold machinist a box of random parts and instructions and saying the third item is a carburetor."
> "...at which point it becomes a swamp full of math crocodiles."
> "The number 0.1 looks pretty innocent in decimal like a little cherub sitting on a cloud. But in binary floating point, it is a repeating fraction wearing a fake mustache..."
> "...letting the user hand your tiny formatting machine a bag of burglary tools."
Apologies to the author if this is incorrect, but this very much feels like videotaped AI spam. Even if I really, really do enjoy the subject matter.
If it's interesting then it's not spam. And why should you care if AI was utilized or not if you found it interesting? Dave (from that video) is an experienced engineer after all.
The worst part of GenAI seems not to be AI slop (I can easily close the tab if the content isn't interesting). It's the fact that every...single...submission(!!!) on HN now has someone questioning and dissecting the content to dismiss it as AI generated.
I'd much rather people gave submissions the benefit of the doubt, or just clicked `Flag` if it is obviously worthless slop.
Just like those spam 'articles' that may at their core be interesting or have some value - but force you to click past 4 ads and scroll over/filter out another 17 just to extract the promised value - noticing that content you're consuming is obviously AI generated results in two things:
1. resentment that your time and attention was wasted by machine generated word-padding, and
2. a loss of confidence in the accuracy of the information presented
> Just like those spam 'articles' that may at their core be interesting or have some value - but force you to click past 4 ads and scroll over/filter out another 17 just to extract the promised value
That's a different problem entirely and predates the recent GenAI craze.
> a loss of confidence in the accuracy of the information presented
Then it isn't interesting any longer ;)
---
You're missing my general point though. People like yourself moaning about AI is far less interesting and useful. If you don't like the content, then flag it. If you do, then don't flood the comments with analysis about whether-or-not this was AI.
All of these meta-comments about AI are as worthless to the discussions should be classed with the same disrespect as the meta-comments about website stylesheets:
> Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.
> You're missing my general point though. People like yourself moaning about AI is far less interesting and useful. If you don't like the content, then flag it. If you do, then don't flood the comments with analysis about whether-or-not this was AI.
As opposed to flooding it with comments about how anti-AI comments are bad?
I'm not flooding HN with such comments though. I replied to one criticism and then experienced a backlash for it.
I get the hate for GenAI is high. Many of you are scared for your jobs and AI has caused a seismic shift in society. But that doesn't justify lashing out at me because I simply said "Dave isn't a n00b" and "if you don't like AI content then flag it".
My comment was reasonable. However accusing a veteran Microsoft engineer for being an "idiot" (as some had in this submission) because his script loosely mimicked some AI-isms, is not reasonable. And it's disappointing that so many people are defending that behavior.
I wasn't talking about your general point though. Your comment opened with a statement and a question, and I was quoting the statement and directly answering the question you asked.
> That's a different problem entirely and predates the recent GenAI craze.
From the perspective of respecting the reader's time and attention, I see it as almost exactly the same problem, which is why I made that comparison when answering your question.
> ...People like yourself moaning...
Seeing as you conveniently linked to the HN commenting guidelines, I suggest you take another look at them, maybe focusing your attention on the ones closer to the top of the list, and then re-read the comment you just posted.
> Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
?
I wasn't doing anything of that. Or at least, if you want to take a looser interpretation then I don't see how my reply was any different from your initial reply to me.
From the rules:
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.
I ask that you view my comments through a more charitable lens. Because I'm not trying to belittle people here.
---
> From the perspective of respecting the reader's time and attention, I see it as almost exactly the same problem, which is why I made that comparison when answering your question.
It's not the same problem though. We are talking specifically about AI. Not some other related but different issue.
I do actually agree with you on that other issue. But arguing that they're "almost exactly the same" isn't charitable. Which leads back to the HN rule I quoted above.
---
I think a lot of the problem in this tangent boils more down to peoples bias against AI than it does about the actual content I replied with. I get why people hate AI. And I'm genuinely not defending AI as a broader technology. I'm just saying that people dissecting each and every submission on HN for tell-tail traits of AI isn't the right way to deal with the problem. Just flag the submission and move on. (and in this case, it's not even AI generated content).
The fact that my comments appear so controversial is baffling to me. People complain about the value of their attention being undermined with AI and yet they'll spend twice as long in meta-debates about that content. Surely that's contradictory to the point they're complaining about. So why is "flag and move on" such a disagreeable statement?
> It's the fact that every...single...submission(!!!) on HN now has someone questioning and dissecting the content to dismiss it as AI generated.
Then, when finally neither the topic nor the content has anything to do with AI, "It's so nice to read something on HN not mentioning AI" in the comments.
HN has made a clear decision on when AI content is acceptable on the site itself, it'd be nice if there was a clear decision on the linked content as well. Regardless whether it's the policy I'd personally prefer or not, it'd do a lot in regards to avoiding the same discussion appearing everywhere.
It's moreso the "AI-isms" that irk me. It's interesting, but I'm not finishing the video because once I notice it -- I can't help but focus on it. Instead, I tl;dr'd the transcript.
People question my use of AI when I double `-` with an iPhone on the internet constantly.[0] I get it, it's annoying.
However, if our barrier for quality is "at it's core, the content of this is interesting", then the quality of this place will fall off a cliff. This is factoid-level interesting. It's not a hacker writing something profound or presenting a breakthrough in garbled grade 8 English. It's a fun fact being presented in an acceptably, inoffensive, reasonably produced format.. Is that the bar?
Dave (the guy in that video) is an older timer Microsoft engineer. I don't know if he used AI to help compose his script but you can guarantee the subject matter is from his own experience.
I suspect the AI-isms you identified were really just more his own personal presentation style. I've watched a few of his videos over the years and from what I recall, they were similarly written.
Tough crowd, but I for one hate this stuff too and thank you for the heads up. "Engraved invitation to chaos", fucking hell. I think I just lost 3 IQ points. Who's the target audience here?
Everything I needed to know about printf, I learned from the reference manual. Anybody could do the same. Here's a reasonable one: https://en.cppreference.com/c/io/fprintf - look, it's like 5 pages or whatever, and the last 2 are examples and xrefs. You sit there and read it 2 or 3 times and you'd be done faster than Task Manager Man can read his script.
I didn't call Dave a legend (though that term is completely subjective). I just said he isn't an idiot who uses AI to look clever.
What you're failing to realise is that different people write content for different audiences. And the fact that the OP opened with "It's incredibly interesting content" shows that there is an audience for Dave's content.
Also, the tone of your comments is completely unnecessary too.
Such a list will never exist in an organisation of this size, with the amount of delegated management and operations required for these functions. In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.
It’d be interesting to hear a senior old-timer from MS to weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.
It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.
> In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.
If the existence of a domain/subdomain is considered sensitive information, then something has gone very wrong.
Companies do register domains before launching products and don't want to leak them. Now, I still support Microsoft and other companies to list the domains they send official emails from.
Why would that not be possible?
You can still do that and then once the rabbit is out add it to the main list.
Come on, don't let the good be the enemy of the perfect.
I'm sure there are several ways to find and list all domains.
What bothers me more is that they allowed to have different domains in the first place. Why not sub domains to make it clear.
That's what I said? Companies can hide domains while they are under development but then they should still maintain a list that they send emails from. I was opposed to legislation that required all registered domains regardless of use being published.
I’ll spend some more time replying to this next week, so circle back to this comment; I’m someone who regularly helps people get past these audits, meet the criteria customers are trying to assess with these certifications, and vet startups who don’t have these certifications or budget.
Then read through it and see what you can address immediately (EDR on your laptop, MFA on your cloud environments, etc), followed by role playing your client; “based on answers to this questionnaire, what would I not accept?”
There will be some items you can’t fix.
You’ll soon find out the majority of customers, including banks, governments, defence contractors, crypto startups — simply do not care. If they want to use your product, they’ll work with you.
It may be single-tenancy, it may require architectural changes, it may mean making it selfhosted with a time-bomb, but you’ll be able to address the requirements of the CISO, compliance monkey or executive.
I’ve yet to meet an industry or individual I can’t convince. Even if the product is a hot mess, half baked and radioactive — we’ll deploy it on a VM running inside of a VDI within the customer’s environment, because slopping together a migration path is _so easy_, and those early, highly regulated clients are worth it.
Major problem of entire compliance/auditing industry is not enough asking in companies "what are the actual risks we are dealing with", "what's the goal for given control", "do we have alternative control ensuring that".
Compounded by cheap shitty auditors that just mark down checkboxes on a worksheet
Agree, see the Delve fiasco. But that’s not their job. Their job is literally checkbox. However some audits are so poorly done, or have auditors with zero real world engineering or cyber experience, they’re actively harmful to a product or customer base.
Example: insane, complex password policies and password rotation policies. These are still pushed by auditors rather than trying to build a reasonable exception case with the client.
I was thinking more of audits that do not even allow deviation nor have any understanding what they are asking for each checkbox. So it's hard to even start on anything nuanced.
Please don't do any extra engineering for your wiki project simply because it appears on the Cloud Security Alliance CAIQ worksheet. These worksheets are built by committees where every member has a bunch of idiosyncratic controls and objectives that they slip into the document.
Sometimes good change comes from compliance. More than once I’ve seen major product resource shift to address major cybersecurity gaps, in response to a compliance led audit.
Compliance is not security, but engineers, especially solo ones tend to have their blinkers on when they’re trying to build something to first work.
No worries, it’s more about finding what the security and compliance teams care about — and making them comfortable. Compliance doesn’t equal security, I’ve onboarded startups with better security than the SOC2 certified, ISO27K Swiss cheese $B unicorn.
Hackers don’t target based on certification. It’s generally convenience and motive. Unknown startups who are laying solid foundations won’t show up on anyone’s radar for the first 2 years without some insanely unlucky event (i.e supply chain breach, an early employee doing something really dumb).
That’s how this project started, with trying to take the Persona repo and bringing it up to date. There were two challenges… first, don’t underestimate how hard it is to take a decade old Node repo and run it today. There are no types, many dependencies don’t work on modern Node versions, and upgrading them all together is a nightmare. BrowserID is not a very complex protocol, so rebuilding it gave me an opportunity to use new tools (TypeScript, Bun, Jose for crypto).
And the second reason is that I don’t want to try to be Mozilla Persona. The fallback IdP is a great idea, but y’all have no reason to trust me to be the one to run it. I can sidestep that issue for my own needs today, avoid the complexity of sending emails, and if for some reason this project does pick up any steam we can figure out whether/how to add that functionality down the road.
From my understanding is you’d probe the board during different operations, process the results and deduct what signals are useful and traffic transmitting across the board (I.E private keys, what protocols are used, debug interfaces, firmware components, chip functions, etc).
You should expect every deal in your pipeline to stall. Your product and company will be flagged by every GRC team, and every stakeholder trying to purchase your product will suddenly need to go to risk committees, or into meetings with CISOs, CTOs, and founders, to explain why buying from you is worth the risk compared to competitors who have not been breached.
If you have not addressed the issue, it becomes a literal deal-breaker. The sooner you write the press release, notify customers, and deal with the underlying problems, the sooner you can turn the incident into a credible story about how you responded, contained it, and improved.
If you do not respond, or you deny it, your deals are dead.
The reason I prefaced this with companies where the founders or executive team hold a majority stake is that I sincerely do not believe the same incentives do not exist for most other companies. The stock price is not meaningfully impacted by incidents like this; it is more affected by vibes, market conditions, and the general tech economy. There are a hundred things that will move the stock price before cybersecurity and data incidents do.
Operating revenue and profit, however, will be impacted. Executives on a death march for growth, who understand that an incident like this can wipe away a year of progress (and essentially their life's work), are far more likely to take it seriously. They are directly exposed to the commercial consequences.
The companies you see trying to sweep this under the rug, or outright ignore it, are usually one of two things.
1. They are so out of touch with their customers that they would rather listen to a lawyer chasing the “ideal legal-risk outcome” than pursue the best financial, customer and cybersecurity risk outcome. In my experience these are executives who are independently wealthy or already come from wealth, and their priority is simply keeping the status quo.
2. They are simply not incentivised to deal with it properly (carrot, nor stick). That is: they don't lose their bonus, they don't face the axe, and they aren't rewarded for doing anything "well" in response to it. They might say they're "inherently" exposed because if the business is impacted, so are they (stock price, performance bonuses) -- but that's incredibly disingenuous, as it's pretty much always not a material difference to them.
For B2C or B2B doing "traditional" stuff? No. The incentive simply just isn't there.
GDPR, CCPA, whatever, hasn't moved the dial.
reply