10 interesting stories served every morning and every evening.




1 1,585 shares, 80 trendiness

F-Droid - Free and Open Source Android App Repository

During our talks with F-Droid users at FOSDEM26 we were baffled to learn most were relieved that Google has canceled their plans to lock down Android.

Why baffled? Because no such thing actually happened, the plans announced last August are still scheduled to take place. We see a battle of PR campaigns and whoever has the last post out remains in the media memory as the truth, and having journalists just copy/paste Google posts serves no one.

But Google said… Said what? That there’s a magical “advanced flow”? Did you see it? Did anyone experience it? When is it scheduled to be released? Was it part of Android 16 QPR2 in December? Of 16 QPR3 Beta 2.1 last week? Of Android 17 Beta 1? No? That’s the issue… As time marches on people were left with the impression that everything was done, fixed, Google “wasn’t evil” after all, this time, yay!

While we all have bad memories of “banners” as the dreaded ad delivery medium of the Internet, after FOSDEM we decided that we have to raise the issue back and have everyone, who cares about Android as an open platform, informed that we are running out of time until Google becomes the gate-keeper of all users’ devices.

Hence, the website and starting today our clients, with the updates of F-Droid and F-Droid Basic, feature a banner that reminds everyone how little time we have and how to voice their concerns to whatever local authority is able to understand the dangers of this path Android is led to.

We are not alone in our fight, IzzyOnDroid added a banner too, more F-Droid clients will add the warning banner soon and other app downloaders, like Obtainium, already have an in-app warning dialogue.

Regarding F-Droid Basic rewrite, development continues with a new release 2.0-alpha3:

Note that if you are already using F-Droid Basic version 1.23.x, you won’t receive this update automatically. You need to navigate to the app inside F-Droid and toggle “Allow beta updates” in top right three dot menu.

In apps news, we’re slowly getting back on track with post Debian upgrade fixes (if your app still uses Java 17 is there a chance you can upgrade to 21?) and post FOSDEM delays. Every app is important to us, yet actions like the Google one above waste the time we could have put to better use in Gitlab.

Buses was updated to 1.10 after a two year hiatus.

Conversations and Quicksy were updated to 2.19.10+free improving on cleaning up after banned users, a better QR workflow and better tablet rotation support. These are nice, but another change raises our interest, Play Store flavor: Stop using Google library and interface directly with Google Play Service via IPC. Sounds interesting for your app too? Is this a path to having one single version for both F-Droid and Play that is fully FLOSS? We don’t know yet, but we salute any trick that removes another proprietary dependency from the code. If curious feel free to take a look at the commit.

Dolphin Emulator was updated to 2512. We missed one version in between so the changelogs are huge, luckily the devs publish highly detailed posts about updates. So we’ll start with “Release 2509” (about 40 mins to read), we side-track with “Starlight Spotlight: A Hospital Wii in a New Light” (for about 50 mins), we continue to the current release in “Release 2512” (40 more minutes) and we finish with “Rise of the Triforce” delving in history for more than one hour.

Image Toolbox was updated to 3.6.1 adding many fixes and… some AI tools. Were you expecting such helpers? Will you use them?

Luanti was updated to 5.15.1 adding some welcomed fixes. If your game world started flickering after the last update make sure to update.

Nextcloud apps are getting an update almost every week, like Nextcloud was updated to 33.0.0, Nextcloud Cookbook to 0.27.0, Nextcloud Dev to 20260219, Nextcloud Notes to 33.0.0 and Nextcloud Talk was updated to 23.0.0.

But are you following the server side too? Nextcloud Hub 26 Winter was just released adding a plethora of features. If you want to read about them, see the 30 minutes post here or watch the one hour long video presentation from the team here.

ProtonVPN - Secure and Free VPN was updated to 5.15.70.0 adding more control to auto-connects, countries and cities. Also all connections are handled now by WireGuard and Stealth protocols as the older OpenVPN was removed making the app almost 40% smaller.

Offi was updated to 14.0 with a bit of code polish. Unfortunately for Android 7 users, the app now needs Android 8 or later.

QUIK SMS was updated to 4.3.4 with many fixes. But Vishal praised the duplicate remover, the default auto de-duplication function and found that the bug that made deleted messages reappear is fixed.

SimpleEmail was updated to 1.5.4 after a 2 year pause. It’s just a fixes release, updating translations and making the app compatible with Android 12 and later versions.

* NeoDB You: A native Android app for NeoDB designed with Material 3/You

Thank you for reading this week’s TWIF 🙂

Please subscribe to the RSS feed in your favourite RSS application to be updated of new TWIFs when they come up.

You are welcome to join the TWIF forum thread. If you have any news from the community, post it there, maybe it will be featured next week 😉

To help support F-Droid, please check out the donation page and contribute what you can.

...

Read the original on f-droid.org »

2 1,419 shares, 54 trendiness

Trump announces new 10% global tariff as he hits out at 'deeply disappointing' Supreme Court ruling

We’re wrapping up our live coverage of the Supreme Court decision in Learning Resources, Inc v. Trump.

The major ruling - and Trump’s response - can be expected to have an effect on trade, the global economy, Americans’ personal finances, politics and more.

You can read what North America Correspondent Anthony Zurcher thinks it means for Trump’s second-term agenda here, as well as how Canada, one of the top US trading partners, views the decision.

We also have covered the major turns of the day here, and our White House correspondent Bernd Debusmann has described what it was like to cover Trump’s press briefing about the ruling in this video.

We’ll be back when more big trade, Supreme Court, or other news breaks.

...

Read the original on www.bbc.com »

3 1,146 shares, 59 trendiness

Facebook is absolutely cooked

And I don’t just mean that nobody uses it anymore. Like, I knew everyone under 50 had moved on, but I didn’t realize the extent of the slop conveyor belt that’s replaced us.

I logged on for the first time in ~8 years to see if there was a group for my neighborhood (there wasn’t). Out of curiosity I thought I’d scroll a bit down the main feed.

The first post was the latest xkcd (a page I follow). The next ten posts were not by friends or pages I follow. They were basically all thirst traps of young women, mostly AI-generated, with generic captions. Here’s a sampler — mildly NSFW, but I did leave out a couple of the lewder ones:

Yikes. Again, I don’t follow any of these pages. This is all just what Facebook is pushing on me.

I know Twitter/X has worse problems with spam bots in the replies, but this is the News Feed! It’s the main page of the site! It’s the product that defined modern social media!

It wasn’t all like that, though. There was also an AI video of a policeman confiscating a little boy’s bike, only to bring him a brand new one:

And there were some sloppy memes and jokes, mostly about relationships, like this (admittedly not AI) video sketch where a woman decides to intentionally start a fight with her boyfriend because she’s on her period:

Maybe that isn’t literally about sex, but I’d classify it as the same sort of lizard-brain-rot engagement bait as those selfies.

Several commenters have vouched that Yoleendadong makes funny, high-quality content and shouldn’t be lumped in with AI slop. I’m just saying I think there’s a reason this particular video of hers popped up, and it’s probably the kind of engagement created by the premise.

Meta even gives us some helpful ideas for sexist questions we can ask their AI about the video:

Yep, that’s another “yikes” from me. To be fair, though, sometimes that suggested questions feature is pretty useful! Like with this post, for example:

Why is she wearing pink heels? What is her personality? Great questions, Meta.

I said these were “mostly” AI-generated. The truth is with how good the models are getting these days, it’s hard to tell, and I think a couple of them might be real people.

Still, some of these are pretty obviously AI. Here’s one with a bunch of alien text and mangled logos on the scoreboard in the background:

Hmm, I wonder if anyone has noticed this is AI? Let’s check out the comments and see if anyone’s pointed that ou—

…never mind. (I dunno, maybe those are all bots too.)

So: is this just something wacky with my algorithm?

I mean… maybe? That’s part of the whole thing with these algorithmic feeds; it’s hard to know if anyone else is seeing what I’m seeing.

On the one hand, I doubt most (straight) women’s feeds would look like this. But on the other hand, I hadn’t logged in in nearly a decade! I hate to think what the feed looks like for some lonely old guy who’s been scrolling the lightly-clothed AI gooniverse for hours every day.

Did everyone but me know it was like this? I’d seen screencaps of stuff like the Jesus-statue-made-out-of-broccoli slop a year or two ago, but I thought that only happened to grandmas. I hadn’t heard it was this bad.

I wonder if this evolution was less noticeable for people who are logging in every day. Or maybe it only gets this bad when there aren’t any posts from your actual friends?

In any case, I stopped exploring after I saw a couple more of those AI-generated pictures but with girls that looked like they were about ~14, which made me sick to my stomach. So long Facebook, see you never, until one day I inexplicably need to use your platform to get updates from my kid’s school.

...

Read the original on pilk.website »

4 749 shares, 30 trendiness

ggml.ai joins Hugging Face to ensure the long-term progress of Local AI · ggml-org/llama.cpp · Discussion #19759


...

Read the original on github.com »

5 657 shares, 25 trendiness

Cleaning up merged git branches: a one-liner from the CIA's leaked dev docs

In 2017, WikiLeaks published Vault7 - a large cache of CIA hacking tools and internal documents. Buried among the exploits and surveillance tools was something far more mundane: a page of internal developer documentation with git tips and tricks.

Most of it is fairly standard stuff, amending commits, stashing changes, using bisect. But one tip has lived in my ~/.zshrc ever since.

Over time, a local git repo accumulates stale branches. Every feature branch, hotfix, and experiment you’ve ever merged sits there doing nothing. git branch starts to look like a graveyard.

You can list merged branches with:

git branch --merged

But deleting them one by one is tedious. The CIA’s dev team has a cleaner solution:

git branch --merged | grep -v "\*\|master" | xargs -n 1 git branch -d

* git branch --merged — lists all local branches that have already been merged into the current branch

* grep -v "\*\|master" — filters out the current branch (*) and master so you don’t delete either

* xargs -n 1 git branch -d — deletes each remaining branch one at a time, safely (lowercase -d won’t touch unmerged branches)

Since most projects now use main instead of master, you can update the command and exclude any other branches you frequently use:

git branch --merged origin/main | grep -vE "^\s*(\*|main|develop)" | xargs -n 1 git branch -d

Run this from main after a deployment and your branch list goes from 40 entries back down to a handful.

I keep this as a git alias so I don’t have to remember the syntax:

alias ciaclean='git branch --merged origin/main | grep -vE "^\s*(\*|main|develop)" | xargs -n 1 git branch -d'

Then in your repo just run:

ciaclean

Small thing, but one of those commands that quietly saves a few minutes every week and keeps me organised.


...

Read the original on spencer.wtf »

6 636 shares, 37 trendiness

I found a Vulnerability. They found a Lawyer.

I’m a diving instructor. I’m also a platform engineer who spends lots of his time thinking about and implementing infrastructure security. Sometimes those two worlds collide in unexpected ways.

A Sula sula (Frigatebird) and a dive flag on the actual boat where I found the vulnerability - somewhere off Cocos Island.

While on a 14 day-long dive trip around Cocos Island in Costa Rica, I stumbled across a vulnerability in the member portal of a major diving insurer - one that I’m personally insured through. What I found was so trivial, so fundamentally broken, that I genuinely couldn’t believe it hadn’t been exploited already.

I disclosed this vulnerability on April 28, 2025 with a standard 30-day embargo period. That embargo expired on May 28, 2025 - over eight months ago. I waited this long to publish because I wanted to give the organization every reasonable opportunity to fully remediate the issue and notify affected users. The vulnerability has since been addressed, but to my knowledge, I have not received confirmation that affected users were notified. I have reached out to the organization to ask for clarification on this matter.

This is the story of what happened when I tried to do the right thing.

To understand why this is so bad, you need to know how the registration process works. As a diving instructor, I register my students (to get them insured) through my account on the portal. I enter their personal information with their consent - name, date of birth, address, phone number, email - and the system creates an account for them. The student then receives an email with their new account credentials: a numeric user ID and a default password. They might log in to complete additional information, or they might never touch the portal again.

When I registered three students in quick succession, they were sitting right next to me and checked their welcome emails. The user IDs were nearly identical - sequential numbers, one after the other. That’s when it clicked that something really bad was going on.

Now here’s the problem: the portal used incrementing numeric user IDs for login. User XXXXXX0, XXXXXX1, XXXXXX2, and so on. That alone is a red flag, but it gets worse: every account was provisioned with a static default password that was never enforced to be changed on first login. And many users - especially students who had their accounts created for them by their instructors - never changed it.

So the “authentication” to access a user’s full profile - name, address, phone number, email, date of birth - was:

Type the same default password that every account shares on account creation.

There’s a good chance you get in.

That’s it. No rate limiting. No account lockout. No MFA. Just an incrementing integer and a password that might as well have been password123.
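What the missing controls would have had to notice, as an added example that is not code from the original post: a per-account lockout never fires when each account receives a single guess, so the check below counts distinct accounts per source inside a sliding time window. The log format, addresses, user IDs and thresholds are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample auth log, not data from the post. The line format is an
// assumption: RFC 3339 time, source address, numeric user ID, result.
const sampleLog = `2025-04-28T10:00:01Z src=203.0.113.7 user=4100001 result=fail
2025-04-28T10:00:02Z src=203.0.113.7 user=4100002 result=ok
2025-04-28T10:00:03Z src=203.0.113.7 user=4100003 result=fail
2025-04-28T10:00:04Z src=203.0.113.7 user=4100004 result=ok
2025-04-28T10:00:05Z src=203.0.113.7 user=4100005 result=fail
2025-04-28T10:01:10Z src=198.51.100.20 user=4100950 result=fail
2025-04-28T10:01:25Z src=198.51.100.20 user=4100950 result=fail
2025-04-28T10:01:40Z src=198.51.100.20 user=4100950 result=ok`

type attempt struct {
	when time.Time
	src  string
	user int
	ok   bool
}

// parseLog converts the sample format into attempts and rejects malformed lines.
func parseLog(log string) ([]attempt, error) {
	var out []attempt
	for n, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var ts, res string
		var a attempt
		_, err := fmt.Sscanf(line, "%s src=%s user=%d result=%s", &ts, &a.src, &a.user, &res)
		if err == nil {
			a.when, err = time.Parse(time.RFC3339, ts)
		}
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		a.ok = res == "ok"
		out = append(out, a)
	}
	return out, nil
}

// finding summarises one source that swept across many accounts.
type finding struct {
	Src         string
	DistinctIDs int // most distinct accounts tried inside one window
	MaxPerUser  int // most failures it caused on any single account
}

// detectSweeps flags sources that try at least minIDs distinct accounts within
// one sliding window. MaxPerUser shows why a per-account lockout stays silent.
func detectSweeps(atts []attempt, window time.Duration, minIDs int) []finding {
	bySrc := map[string][]attempt{}
	for _, a := range atts {
		bySrc[a.src] = append(bySrc[a.src], a)
	}
	var out []finding
	for src, list := range bySrc {
		sort.Slice(list, func(i, j int) bool { return list[i].when.Before(list[j].when) })
		inWin, fails := map[int]int{}, map[int]int{} // both keyed by user ID
		f, left := finding{Src: src}, 0
		for _, a := range list {
			inWin[a.user]++
			if !a.ok {
				fails[a.user]++
			}
			if fails[a.user] > f.MaxPerUser {
				f.MaxPerUser = fails[a.user]
			}
			for a.when.Sub(list[left].when) > window { // expire old attempts
				old := list[left].user
				inWin[old]--
				if inWin[old] == 0 {
					delete(inWin, old)
				}
				left++
			}
			if len(inWin) > f.DistinctIDs {
				f.DistinctIDs = len(inWin)
			}
		}
		if f.DistinctIDs >= minIDs {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

func main() {
	atts, err := parseLog(sampleLog)
	fmt.Println(detectSweeps(atts, time.Minute, 5), err)
}
```

The source that mistypes one account's password three times is left alone, while the source that touches five accounts once each is flagged even though no account saw more than one failure.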

I verified the issue with the minimum access necessary to confirm the scope - and stopped immediately after.

I did everything by the book. I contacted CSIRT Malta (MaltaCIP) first - since the organization is registered in Malta, this is the competent national authority. The Maltese National Coordinated Vulnerability Disclosure Policy (NCVDP) explicitly requires that confirmed vulnerabilities be reported to both the responsible organization and CSIRT Malta.

As a fellow diving instructor insured through [the organization] and a full-time Linux Platform Engineer, I am contacting you to responsibly disclose a critical vulnerability I identified within the [the organization]’s user account system.

During recent testing, I discovered that user accounts - including those of underage students - are accessible through a combination of predictable User ID enumeration (incrementing user IDs) and the use of a static default password that is not enforced to be changed upon first login. This misconfiguration currently exposes sensitive personal data (e.g., names, addresses, contact information - including phone numbers and emails -, dates of birth) and represents multiple GDPR violations.

Exposure of sensitive and underage user data without adequate safeguards

For initial confirmation, I am attaching a screenshot from Member ID XXXXXXX showing the exposed data, partly redacted for privacy reasons.

Additionally, for transparency and validation, I have shared my proof-of-concept code securely via an encrypted paste service: [link redacted]

In the spirit of responsible disclosure, I have already informed CSIRT Malta (in CC) to officially initiate a reporting process, given [the organization]’s operational presence in Malta.

I kindly request that [the organization] acknowledges receipt of this disclosure within 7 days.

I am offering a window of 30 days from today the 28th of April 2025 for [the organization] to mitigate or resolve the vulnerability before I consider any public disclosure.

Please note that I am fully available to assist your IT team with technical details, verification steps and recommendations from a security perspective.

I strongly recommend assigning an IT-Security Point of Contact (PoC) for direct collaboration on this issue.

Thank you very much for your attention to this critical matter. I am looking forward to working with you towards a secure resolution.

Both of these timelines are standard - if anything, generous - in responsible disclosure frameworks.

Two days later, I got a reply. Not from their IT team. From their Data Privacy Officer’s (DPO’s) law firm.

The letter opened politely enough - they acknowledged the issue and said they’d launched an investigation. They even mentioned they were resetting default passwords and planning to roll out 2FA. Good.

But then the tone shifted:

While we genuinely appreciate your seemingly good intentions and transparency in highlighting this matter to our attention, we must respectfully note that notifying the authorities prior to contacting the Group creates additional complexities in how the matter is perceived and addressed and also exposes us to unfair liability.

Let me translate: “We wish you hadn’t told the government about our security issue.”

It got better:

We also do not appreciate your threat to make this matter public […] and remind you that you may be held accountable for any damage we, or the data subjects, may suffer as a result of your own actions, which actions likely constitute a criminal offence under Maltese law.

So, to be clear: their portal had a default password on every account, exposing personal data including that of children, and I’m the one who “likely” committed a criminal offence by finding it and telling them.

They also sent a declaration they wanted me to sign - while requesting my passport ID - confirming I’d deleted all data, wouldn’t disclose anything, and would keep the entire matter “strictly confidential.” The deadline? End of business the same day they sent it.

This declaration included the following gem:

I also declare that I shall keep the content of this declaration strictly confidential.

That’s an NDA with extra steps: I was being asked to sign away my right to discuss the disclosure process itself - including the fact that I found a vulnerability in their system - under threat of legal action.

Then came the reminders. One “friendly” reminder. Then an “urgent” one. Sign the declaration. De-escalate. Move on. Quietly.

I generally refuse to sign confidentiality clauses in cases involving exposure of sensitive information, and I did so here as well. Coordinated disclosure depends on transparency and trust between researchers and organizations: trust that affected users will be informed, and trust that a report leads to real remediation.

Given that the organization in question had already breached that trust by exposing personal data through weak controls, I wasn’t willing to grant blanket confidentiality that could be used to keep the incident out of public scrutiny. And by actually trying to silence me through legal threats, they had already made it clear that their priority was reputation management over user data protection. So I stood my ground.

Instead, I offered to sign a modified declaration confirming data deletion. I had no interest in retaining anyone’s personal data, but I was not going to agree to silence about the disclosure process itself.

I also pointed out that, under Malta’s NCVDP, involving CSIRT Malta is part of the expected reporting path - not a hostile act - and that publishing post-remediation analyses is standard practice in the security community.

Their response doubled down. They cited Article 337E of the Maltese Criminal Code - computer misuse - and helpfully reminded me that:

Art. 337E of the Criminal Code also provides that “If any act is committed outside Malta which, had it been committed in Malta, would have constituted an offence […] it shall […] be deemed to have been committed in Malta.” Meaning that your actions would be deemed a criminal offence in Malta, even if committed in another country.

They also made their position on disclosure crystal clear, after I reiterated my refusal to sign their NDA:

We object strongly to the use of [the organization’s name] in any such blogs or conferences you may write/attend as this would be a disproportionate harm to [the organization’s] reputation […]. We reserve our rights at law to hold you responsible for any damages [the organization] may suffer as a result of any such public disclosures you may make.

That’s fine by me. Because here’s the thing: The vulnerability has been fixed. Default passwords have been reset. 2FA is being rolled out. I feel sorry for the developer(s) who had to clean up this mess, but at least the issue is no longer exploitable. Sure, it would have been better if the organization had thanked me and taken responsibility for notifying affected users. If the incident qualified as a personal data breach (which it does) and was likely to result in a (high) risk to individuals - especially given minors were involved - GDPR Articles 33 and 34 generally require notification to the supervisory authority and communication to affected data subjects.

GDPR Article 34(1) When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

GDPR Article 34(2) The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

I have not received confirmation that those notifications were ever carried out.

My favourite part was the organization’s position on whose fault this actually was:

We contend that it is the responsibility of users to change their own password (after we allocate a default one).

Read that again. A company that assigned the same default password to every account, never forced a password change, and used incrementing numeric IDs as usernames is blaming the users for not securing their own accounts. Accounts that include those of minors.

GDPR Article 5(1)(f) (integrity and confidentiality): Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Under GDPR, the data controller (namely: the organization) is responsible for implementing appropriate technical and organizational measures to ensure data security. A static default password on an IDOR-vulnerable portal is not an “appropriate measure” by any definition.

GDPR Article 24(1) (controller responsibility): Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

This isn’t an isolated case. The security research community has been dealing with this pattern for decades: find a vulnerability, report it responsibly, get threatened with legal action. It’s so common it has a name - the chilling effect.

Organizations that respond to disclosure with lawyers instead of engineers are telling the world something important: they care more about their reputation than about the data they’re supposed to protect.

And the real irony? The legal threats are the reputation damage. Not the vulnerability itself - vulnerabilities happen to everyone. It’s the response that tells you everything about an organization’s security culture.

What Should Have Happened

Acknowledge the report - they did this, to be fair.

Fix the vulnerability - they started on this too.

Thank the researcher - instead of threatening them with criminal prosecution.

Have a CVD policy - so researchers know how to report issues and what to expect.

Notify affected users - especially the parents of underage members whose data was exposed.

Not try to silence the researcher with NDAs disguised as “declarations.”

What You Can Do

Publish a Coordinated Vulnerability Disclosure policy. It doesn’t have to be complex - maybe begin with a security.txt file and a clear process that favors transparency.

Thank researchers for helping you improve your security posture.

Don’t shoot the messenger. The person reporting the bug is not your enemy. The bug is.

Don’t blame your users for security failures that are your responsibility as a data controller.

Always involve your national CSIRT. It protects you and creates an official record.

Document everything. Every email, every timestamp, every response.

Don’t sign NDAs that prevent you from discussing the disclosure process. But you can agree to delete data (and MUST do so!) without agreeing to silence.

Know your rights. Many jurisdictions have legal protections for good-faith security research. The EU’s NIS2 Directive encourages coordinated vulnerability disclosure.

Because right now, in 2026, reporting a trivial vulnerability exposing personal data - including that of children - still gets met with legal threats instead of gratitude. And that’s a problem for all of us.

...

Read the original on dixken.de »

7 487 shares, 33 trendiness

Turn Dependabot Off

Dependabot is a noise machine. It makes you feel like you’re doing work, but you’re actually discouraging more useful work. This is especially true for security alerts in the Go ecosystem.

I recommend turning it off and replacing it with a pair of scheduled GitHub Actions, one running govulncheck, and the other running your test suite against the latest version of your dependencies.

On Tuesday, I published a security fix for filippo.io/edwards25519. The (*Point).MultiScalarMult method would produce invalid results if the receiver was not the identity point.

A lot of the Go ecosystem depends on filippo.io/edwards25519, mostly through github.com/go-sql-driver/mysql (228k dependents only on GitHub). Essentially no one uses (*Point).MultiScalarMult.

Yesterday, Dependabot opened thousands of PRs against unaffected repositories to update filippo.io/edwards25519. These PRs were accompanied by a security alert with a nonsensical, made up CVSS v4 score and by a worrying 73% compatibility score, allegedly based on the breakage the update is causing in the ecosystem. Note that the diff between v1.1.0 and v1.1.1 is one line in the method no one uses.

We even got one of these alerts for the Wycheproof repository, which does not import the affected filippo.io/edwards25519 package at all. Instead, it only imports the unaffected filippo.io/edwards25519/field package.

$ go mod why -m filippo.io/edwards25519
# filippo.io/edwards25519
github.com/c2sp/wycheproof/tools/twistcheck
filippo.io/edwards25519/field

We have turned Dependabot off.

But isn’t this toil unavoidable, to prevent attackers from exploiting old vulnerabilities in your dependencies? Absolutely not!

Computers are perfectly capable of doing the work of filtering out these irrelevant alerts for you. The Go Vulnerability Database has rich version, package, and symbol metadata for all Go vulnerabilities.

Here’s the entry for the filippo.io/edwards25519 vulnerability, also available in standard OSV format.

    modules:
        - module: filippo.io/edwards25519
          versions:
            - fixed: 1.1.1
          vulnerable_at: 1.1.0
          packages:
            - package: filippo.io/edwards25519
              symbols:
                - Point.MultiScalarMult
    summary: Invalid result or undefined behavior in filippo.io/edwards25519
    description: |-
        Previously, if MultiScalarMult was invoked on an
        initialized point who was not the identity point, MultiScalarMult
        produced an incorrect result. If called on an
        uninitialized point, MultiScalarMult exhibited undefined behavior.
    cves:
        - CVE-2026-26958
    credits:
        - shaharcohen1
        - WeebDataHoarder
    references:
        - advisory: https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr
        - fix: https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb
    source:
        id: go-security-team
        created: 2026-02-17T14:45:04.271552-05:00
    review_status: REVIEWED

Any decent vulnerability scanner will at the very least filter based on the package, which requires a simple go list -deps ./.... This already silences a lot of noise, because it’s common and good practice for modules to separate functionality relevant to different dependents into different sub-packages. For example, it would have avoided the false alert against the Wycheproof repository.

If you use a third-party vulnerability scanner, you should demand at least package-level filtering.
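The module-level and package-level tiers described above, as an added example (not code from the article, from govulncheck or from the vulnerability database). `Entry`, `Build` and `Classify` are hypothetical names, the version parser is a simplification, and the Wycheproof module version is assumed; the sketch performs no symbol reachability analysis.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry keeps the fields of a vulnerability database report that a scanner
// needs for module- and package-level filtering (names follow the entry above).
type Entry struct {
	ID       string
	Module   string
	Fixed    string   // first fixed version
	Packages []string // affected import paths inside the module
}

// Build is one project's view: selected module versions plus the import
// paths that `go list -deps ./...` would print.
type Build struct {
	Modules map[string]string
	Deps    []string
}

type Level int

const (
	NoMatch      Level = iota // module absent, or already at a fixed version
	ModuleMatch               // vulnerable version required, affected package not imported
	PackageMatch              // affected package imported; symbol reachability not analysed
)

func (l Level) String() string {
	return [...]string{"no match", "module-level only", "package-level"}[l]
}

// parseVersion reads the leading MAJOR.MINOR.PATCH of a version string.
// Pre-release and pseudo-version suffixes are ignored, a simplification
// that a real scanner must not make.
func parseVersion(v string) (out [3]int, ok bool) {
	n, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &out[0], &out[1], &out[2])
	return out, err == nil && n == 3
}

// olderThan reports whether have < fixed. A version that cannot be parsed
// is treated as vulnerable, so a parsing gap never hides an alert.
func olderThan(have, fixed string) bool {
	h, ok1 := parseVersion(have)
	f, ok2 := parseVersion(fixed)
	if !ok1 || !ok2 {
		return true
	}
	for i := range h {
		if h[i] != f[i] {
			return h[i] < f[i]
		}
	}
	return false
}

// Classify compares import paths exactly: filippo.io/edwards25519/field shares
// a module and a path prefix with the affected package but is a different package.
func Classify(e Entry, b Build) Level {
	have, required := b.Modules[e.Module]
	if !required || !olderThan(have, e.Fixed) {
		return NoMatch
	}
	for _, dep := range b.Deps {
		for _, pkg := range e.Packages {
			if dep == pkg {
				return PackageMatch
			}
		}
	}
	return ModuleMatch
}

// Sample data, constructed from the entry and the `go mod why` output on this page.
func edwardsEntry() Entry {
	return Entry{ID: "GO-2026-4503", Module: "filippo.io/edwards25519",
		Fixed: "1.1.1", Packages: []string{"filippo.io/edwards25519"}}
}

func wycheproofBuild() Build { // module version v1.1.0 is assumed for the example
	return Build{Modules: map[string]string{"filippo.io/edwards25519": "v1.1.0"},
		Deps: []string{"github.com/c2sp/wycheproof/tools/twistcheck",
			"filippo.io/edwards25519/field"}}
}

func sunlightBuild() Build {
	return Build{Modules: map[string]string{"filippo.io/edwards25519": "v1.1.0"},
		Deps: []string{"filippo.io/sunlight/internal/ctlog",
			"github.com/go-sql-driver/mysql", "filippo.io/edwards25519"}}
}

func main() {
	e := edwardsEntry()
	fmt.Println("wycheproof:", Classify(e, wycheproofBuild()))
	fmt.Println("sunlight:  ", Classify(e, sunlightBuild()))
}
```

A scanner that stops at the module tier alerts on both sample builds; the package tier drops the Wycheproof one.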

Good vulnerability scanners will go further, though, and filter based on the reachability of the vulnerable symbol using static analysis. That’s what govulncheck does!

    $ go mod why -m filippo.io/edwards25519
    # filippo.io/edwards25519
    filippo.io/sunlight/internal/ctlog
    github.com/google/certificate-transparency-go/trillian/ctfe
    github.com/go-sql-driver/mysql
    filippo.io/edwards25519

    $ govulncheck ./...
    === Symbol Results ===

    No vulnerabilities found.

    Your code is affected by 0 vulnerabilities.
    This scan also found 1 vulnerability in packages you import and 2
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.
    Use '-show verbose' for more details.

govulncheck noticed that my project indirectly depends on filippo.io/edwards25519 through github.com/go-sql-driver/mysql, which does not make the vulnerable symbol reachable, so it chose not to notify me.

If you want, you can tell it to show the package- and module-level matches.

    $ govulncheck -show verbose,color ./...
    Fetching vulnerabilities from the database...

    Checking the code against the vulnerabilities...

    The package pattern matched the following 16 root packages:
      filippo.io/sunlight
      filippo.io/sunlight/internal/stdlog
    Govulncheck scanned the following 54 modules and the go1.26.0 standard library:
      filippo.io/sunlight
      crawshaw.io/sqlite@v0.3.3-0.20220618202545-d1964889ea3c
      filippo.io/bigmod@v0.0.3
      filippo.io/edwards25519@v1.1.0
      filippo.io/keygen@v0.0.0-20240718133620-7f162efbbd87
      filippo.io/torchwood@v0.8.0

    === Symbol Results ===

    No vulnerabilities found.

    === Package Results ===

    Vulnerability #1: GO-2026-4503
        Invalid result or undefined behavior in filippo.io/edwards25519
      More info: https://pkg.go.dev/vuln/GO-2026-4503
      Module: filippo.io/edwards25519
        Found in: filippo.io/edwards25519@v1.1.0
        Fixed in: filippo.io/edwards25519@v1.1.1

    === Module Results ===

    Vulnerability #1: GO-2025-4135
        Malformed constraint may cause denial of service in
        golang.org/x/crypto/ssh/agent
      More info: https://pkg.go.dev/vuln/GO-2025-4135
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.44.0
        Fixed in: golang.org/x/crypto@v0.45.0

    Vulnerability #2: GO-2025-4134
        Unbounded memory consumption in golang.org/x/crypto/ssh
      More info: https://pkg.go.dev/vuln/GO-2025-4134
      Module: golang.org/x/crypto
        Found in: golang.org/x/crypto@v0.44.0
        Fixed in: golang.org/x/crypto@v0.45.0

    Your code is affected by 0 vulnerabilities.
    This scan also found 1 vulnerability in packages you import and 2
    vulnerabilities in modules you require, but your code doesn't appear to call
    these vulnerabilities.

...

Read the original on words.filippo.io »

8 464 shares, 26 trendiness

Wikipedia blacklists Archive.today, starts removing 695,000 archive links

The English-language edition of Wikipedia is blacklisting Archive.today after the controversial archive site was used to direct a distributed denial of service (DDoS) attack against a blog.

In the course of discussing whether Archive.today should be deprecated because of the DDoS, Wikipedia editors discovered that the archive site altered snapshots of webpages to insert the name of the blogger who was targeted by the DDoS. The alterations were apparently fueled by a grudge against the blogger over a post that described how the Archive.today maintainer hid their identity behind several aliases.

“There is consensus to immediately deprecate archive.today, and, as soon as practicable, add it to the spam blacklist (or create an edit filter that blocks adding new links), and remove all links to it,” stated an update today on Wikipedia’s Archive.today discussion. “There is a strong consensus that Wikipedia should not direct its readers towards a website that hijacks users’ computers to run a DDoS attack (see WP:ELNO#3). Additionally, evidence has been presented that archive.today’s operators have altered the content of archived pages, rendering it unreliable.”

More than 695,000 links to Archive.today are distributed across 400,000 or so Wikipedia pages. The archive site is commonly used to bypass news paywalls, and the FBI has on the site operator’s identity with a subpoena to domain registrar Tucows.

“Those in favor of maintaining the status quo rested their arguments primarily on the utility of archive.today for verifiability,” said today’s Wikipedia update. “However, an analysis of existing links has shown that most of its uses can be replaced. Several editors started to work out implementation details during this RfC [request for comment] and the community should figure out how to efficiently remove links to archive.today.”

Guidance published as a result of the decision asked editors to help remove and replace links to the following domain names used by the archive site: archive.today, archive.is, archive.ph, archive.fo, archive.li, archive.md, and archive.vn. The guidance says editors can remove Archive.today links when the original source is still online and has identical content; replace the archive link so it points to a different archive site, like the Internet Archive, Ghostarchive, or Megalodon; or “change the original source to something that doesn’t need an archive (e.g., a source that was printed on paper), or for which a link to an archive is only a matter of convenience.”

...

Read the original on arstechnica.com »

9 388 shares, 16 trendiness

Child’s Play, by Sam Kriss

The first sign that something in San Francisco had gone very badly wrong was the signs. In New York, all the advertising on the streets and on the subway assumes that you, the person reading, are an ambiently depressed twenty-eight-year-old office worker whose main interests are listening to podcasts, ordering delivery, and voting for the Democrats. I thought I found that annoying, but in San Francisco they don’t bother advertising normal things at all. The city is temperate and brightly colored, with plenty of pleasant trees, but on every corner it speaks to you in an aggressively alien nonsense. Here the world automatically assumes that instead of wanting food or drinks or a new phone or car, what you want is some kind of arcane B2B service for your startup. You are not a passive consumer. You are making something.

This assumption is remarkably out of step with the people who actually inhabit the city’s public space. At a bus stop, I saw a poster that read: is done before your ai girlfriend breaks up with you. Beneath it, a man squatted on the pavement, staring at nothing in particular, a glass pipe drooping from his fingers. I don’t know if he needed SOC 2 done any more than I did. A few blocks away, I saw a billboard that read: no one cares about your product. A man paced in front of the advertisement, chanting to himself. “This . . . is . . . necessary! This . . . is . . . necessary!” On each “necessary” he swung his arms up in exaltation. He was, I noticed, holding an alarmingly large baby-pink pocketknife. Passersby in sight of the billboard that read did not seem piqued by the prospect of having their metrics constantly analyzed. I couldn’t find anyone who wanted to . After spending slightly too long in the city, I found that the various forms of nonsense all started to bleed into one another. The motionless people drooling on the sidewalk, the Waymos whooshing around with no one inside. A kind of pervasive mindlessness. Had I seen a billboard or a madman preaching about “a CRM so smart, it updates itself”? Was it a person in rags muttering about how all his movements were being controlled by shadowy powers working out of a data center somewhere, or was it a car?

Somehow people manage to live here. But of all the strange and maddening messages posted around this city, there was one particular type of billboard that the people of San Francisco couldn’t bear. People shuddered at the sight of it, or groaned, or covered their eyes. The advertiser was the most utterly despised startup in the entire tech landscape. Weirdly, its ads were the only ones I saw that appeared to be written in anything like English:

hi my name is roy

i got kicked out of school for cheating.

buy my cheating tool

cluely.com

Cluely and its co-founder Chungin “Roy” Lee were intensely, and intentionally, controversial. They’re no longer in San Francisco, having been essentially chased out of the city by the Planning Commission. The company is loathed seemingly out of proportion to what its product actually is, which is a janky, glitching interface for ChatGPT and other AI models. It’s not in a particularly glamorous market: Cluely is pitched at ordinary office drones in their thirties, working ordinary bullshit email jobs. It’s there to assist you in Zoom meetings and sales calls. It involves using AI to do your job for you, but this is what pretty much everyone is doing already. The cafés of San Francisco are full of highly paid tech workers clattering away on their keyboards; if you peer at their screens to get a closer look, you’ll generally find them copying and pasting material from a ChatGPT window. A lot of the other complaints about Cluely seem similarly hypocritical. The company is fueled by cheap viral hype, rather than an actual workable product—but this is a strange thing to get upset about when you consider that, back in the era of zero interest rates, Silicon Valley investors sank $120 million into something called the Juicero, a Wi-Fi-enabled smart juicer that made fresh juice from fruit sachets that you could, it turned out, just as easily squeeze between your hands.

What I discovered, though, is that behind all these small complaints, there’s something much more serious. Roy Lee is not like other people. He belongs to a new and possibly permanent overclass. One of the pervasive new doctrines of Silicon Valley is that we’re in the early stages of a bifurcation event. Some people will do incredibly well in the new AI era. They will become rich and powerful beyond anything we can currently imagine. But other people—a lot of other people—will become useless. They will be consigned to the same miserable fate as the people currently muttering on the streets of San Francisco, cold and helpless in a world they no longer understand. The skills that could lift you out of the new permanent underclass are not the skills that mattered before. For a long time, the tech industry liked to think of itself as a meritocracy: it rewarded qualities like intelligence, competence, and expertise. But all that barely matters anymore. Even at big firms like Google, a quarter of the code is now written by AI. Individual intelligence will mean nothing once we have superhuman AI, at which point the difference between an obscenely talented giga-nerd and an ordinary six-pack-drinking bozo will be about as meaningful as the difference between any two ants. If what you do involves anything related to the human capacity for reason, reflection, insight, creativity, or thought, you will be meat for the coltan mines.

The future will belong to people with a very specific combination of personality traits and psychosexual neuroses. An AI might be able to code faster than you, but there is one advantage that humans still have. It’s called agency, or being highly agentic. The highly agentic are people who just do things. They don’t timidly wait for permission or consensus; they drive like bulldozers through whatever’s in their way. When they see something that could be changed in the world, they don’t write a lengthy critique—they change it. AIs are not capable of accessing whatever unpleasant childhood experience it is that gives you this hunger. Agency is now the most valuable commodity in Silicon Valley. In tech interviews, it’s common for candidates to be asked whether they’re “mimetic” or “agentic.” You do not want to say mimetic. Once, San Francisco drew in runaway children, artists, and freaks; today it’s an enormous magnet for highly agentic young men. I set out to meet them.

Roy Lee’s personal mythology is now firmly established. At the beginning of 2025, he was an undergraduate at Columbia, where he, like most of his fellow students, was using AI to do essentially all his work for him. (The personal essay that got him into the university was also written with AI.) He wasn’t there to learn; he was there to find someone to co-found a startup with. That person ended up being an engineering student named Neel Shanmugam, who tends to hover in the background of every article about Cluely. The startup they founded was called Interview Coder, and it was a tool for cheating on LeetCode. LeetCode is a training platform for the kind of algorithmic riddles that usually crop up in interviews for big tech companies. (Sample problem: “Suppose an array of length n sorted in ascending order is rotated between one and n times. . . . Return the minimum element of this array.”) Roy thought these questions were pointless. These were not problems coders would actually face on the job, and even if they were, the fact that ChatGPT could now solve them instantly had rendered worthless the human ability to do so. Interview Coder was a transparent window that could overlay one side of a Zoom meeting, allowing Claude to listen in on the questions and provide answers. Roy filmed himself using it during an interview for an internship with Amazon. They offered him a place. He declined and uploaded the footage to YouTube, where it very quickly made him famous. Columbia arranged a disciplinary hearing, which he also secretly filmed and posted online. The university suspended him for a year. He dropped out, started an upgraded version of Interview Coder dubbed Cluely, and moved to San Francisco to begin raking in tens of millions of dollars in venture-capital funding.

Roy envisioned Cluely being used for greater purposes than job interviews. The startup’s mainstream breakthrough was a viral ad that showed Roy using a pair of speculative Cluely-enabled glasses on a blind date. His date asks how old he is; Cluely tells him to say he’s thirty. When the date starts going badly, Cluely pulls up her amateur painting of a tulip from the internet and tells him to compliment her art. “You’re such an unbelievably talented artist. Do you think you could just give me one chance to show you I can make this work?” The video launched alongside a manifesto, which was seemingly churned out by AI:

We built Cluely so you never have to think alone again. It sees your screen. Hears your audio. Feeds you answers in real time. . . . Why memorize facts, write code, research anything—when a model can do it in seconds? The future won’t reward effort. It’ll reward leverage.

The future they seem to envisage is one in which people don’t really do anything at all, except follow the instructions given to them by machines.

Cluely’s offices were in a generally disheveled corner of the city, crouching near an elevated freeway. On the ground floor, I found a stack of foam costumes in plastic crates, each neatly labeled: . A significant part of working at Cluely seemed to involve dressing up as cartoon characters for viral videos. Through a door I could just glimpse a dingy fitness dungeon, housing two treadmills and a huge pile of discarded Amazon boxes. On one of the machines a Cluely employee panted and huffed in the dark. We avoided eye contact. Upstairs, Roy and his coterie were huddled around a laptop, fiddling with Cluely’s interface. “Remember,” one said, “the average user is, like, thirty-five years old. This is a totally unfamiliar interface.” Apparently, a thirty-five-year-old wouldn’t be expected to know how to use anything more advanced than a rotary phone. Another employee scrutinized the proposed new layout. “I think it’s bad,” he said, “but it’s low-key not worse. What we have is anyway really bad, so anything is better.” They started arguing about chevrons. Through all this Roy scrolled through X on his phone. Simultaneously baby-faced and creatine-swollen, he was wearing gym clothes, with two curtains of black hair swung over his forehead. Finally, he looked up. “So, number one,” he said, “we’re killing the chat bar on the left.” There was no number two. Meeting over.

Suddenly, Roy seemed to acknowledge my presence. He offered me a tour. There was something he very badly wanted to impress on me, which was that Cluely cultivates a fratty, tech-bro atmosphere. Their pantry was piled high with bottles of something called Core Power Elite. I was offered a protein bar. The inside of the wrapper read daily intentions be my boss self. “We’re big believers in protein,” Roy said. “It’s impossible to get fat at Cluely. Nothing here has any fat.” The kitchen table was stacked with Labubu dolls. “It’s aesthetics,” Roy explained. “Women love Labubus, so we have Labubus.” He showed me his bedroom, which was in the office; many Cluely staffers also lived there. Everything was gray, although there wasn’t much. “I’m a big believer in minimalism,” he said. “Actually, no, I’m not. Not at all. I just don’t really care about interior decoration.” He had a chest of drawers, entirely empty except for a lint roller, pens, and, in one corner, a pink vibrator. “It’s for girls, you know,” said Roy. “I used to use this one on my ex.” There were also some objects that didn’t seem to belong in a frat house. In one of the common areas, a shelving unit was completely empty except for an anime figurine. You could peer up her plastic skirt and see the plastic underwear molded around her plastic buttocks. More figurines in frilly dresses seemed to have been scattered at random throughout the building. Roy showed me his Hinge profile. He was looking for a “5’2, asian, pre-med, matcha-loving, funny, watches anime, white dog having, intelligent, ambitious, well dressed, CLEAN 19-21 year old.” One picture showed him cuddling a giant Labubu.

I told Roy that I might try interviewing him with Cluely running in the background, so I could see if it would ask him better questions than I would. He seemed to think it was only natural that I’d want to be essentially a fleshy interface between himself and his own product. He booted up Cluely on his laptop and it immediately failed to work. Roy stormed downstairs to the product floor. “Cluely’s not working!” he said. This was followed by roughly fifteen minutes of panicked tinkering as his handpicked team of elite coders tried to get their product back online. Once they had done so, we resumed our places, whereupon Cluely immediately went down again.

Roy has a kind of idol status within the company, but he’s aware that a lot of people instinctively take against him: “I’d say about eighty percent of the time, people do not like me.” He knows why too. “I’m putting myself out there in an extremely vocal way. When I talk, I tend to dominate the conversation.” Roy does talk a lot, but there’s also something mildly unnerving about the way he talks. Everything he says is very precise and direct. He doesn’t um or ah. He doesn’t take time to think things over. Zero latency. In the various videos that Cluely seems to spend most of its time and money producing, he usually plays a slightly dopey, dithering, relatable figure; in person, it’s like he’s running a functioning version of his app inside his own head. I asked him whether he’d ever tried modifying the way he interacts with people to see whether they would dislike him less. “Very unnatural to me,” he said. “I just say it’s not worth it.”

According to Roy, “everyone” would describe him as “an extreme extrovert with zero social anxiety.” During his brief stint at Columbia, he immersed himself in New York life by striking up conversations with random people. For instance, a homeless person he took to Shake Shack. “I think it was an expansion of what I thought I was able to do. It was probably the most different person that I’ve ever talked to. He was not very coherent, but I was very scared at first. And then as we got to talking, or as he got to mumbling, I eased up. Like, Oh, he’s not going to kill me.” Roy’s bravery did not extend to talking to women. “Young men usually is who I like to go out and talk to. Women get intimidated and, you know, I don’t want any charges.” Meanwhile, those conversations with young men all followed a very predictable path. “I go and—pretty much to every single person I meet—I ask if you want to start a company with me, would you like to be my co-founder. And most of them say no. In fact, everybody says no.”

He was just glad to be among people. Roy had initially been offered a place at Harvard, but the offer was rescinded. He hadn’t told them about a suspension in high school. This presented Roy’s family with a problem: His parents ran a college-prep agency that promised to help children get into elite schools like Harvard. It would not look good if their own son was conspicuously not at Harvard. So Roy spent the entirety of the next year at home. “I maybe left my room like eight times. I think if there was such a thing as depression, then I believe I might have had some variant of depression.” Later he told me that “isolation is probably the scariest thing in the world.”

Starting a company had been Roy’s sole ambition in life from early childhood. “I knew since the moment I gained consciousness that I would go start a company one day,” he told me. In elementary school in Georgia, he made money reselling Pokémon cards. Even then, he knew he was different from the people around him. “I could do things that other people couldn’t do,” he said. “Like whenever you learn a new concept in class, I felt like I was always the first to pick it up, and I would just kind of sit there and wonder, Man, why is everyone taking so long?” The dream of starting his own company was the dream of total control. “I don’t want to be employed. I’m a very bad listener. I find it hard to sit still in classes, and I feel an internal, indescribable fury when someone tells me what to do.” He ended up co-founding Cluely with Neel because he was the first person who said yes.

Roy has little patience for any kind of difficulty. He wants to be able to do anything, and to do it easily: “I relish challenges where you have fast iteration cycles and you can see the rewards very quickly.” As a child, he loved reading—Harry Potter, Percy Jackson—until he turned eight. “My mom tried to put me on classical books and I couldn’t understand, like, the bullshit Huckleberry, whatever fuck bullshit, and it made me bored.” He read online fan fiction about people having sex with Pokémon instead. He didn’t see anything valuable in overcoming adversity. Would he, for instance, take a pill that meant he would be in perfect shape forever without having to set foot in the gym? “Yes, of course.” Cheat on everything: he recognized that his ethos would, as he put it, “result in a world of rapid inequality.” Some well-placed cheaters would become massively more productive; a lot of people would become useless. But it would lead us all into a world in which AI could frictionlessly give everyone whatever they wanted at any time. “For a seven-year-old, this means a rainbow-unicorn magic fairy comes to life and it’s hanging out with her. And for someone like you, maybe it’s like your favorite works of literary art come to life and you can hang out with Huckleberry Finn.”

By now Cluely had been listening in on our conversation for a while, and I suggested that we open it up and see what it thought I should say next. I clicked the button marked what should i say next? Cluely suggested that I say, “Yeah, let’s open up Cluely and see what it’s doing right now—can you share your screen or walk me through what you’re seeing?” I’d already said pretty much exactly this, but since it had shown up onscreen I read it out loud. Cluely helpfully transcribed my repeating its suggestion, and then suggested that I say, “Alright, I’ve got Cluely open—here’s what I’m looking at right now.” I’m not sure who exactly I was supposed to be saying this to—possibly myself. Somehow our conversation seemed to have gotten stuck on the process of opening Cluely, despite the fact that Cluely was, in fact, already open. But I said it anyway, since I was now just repeating everything that came up on the screen. Cluely then told me to respond—to either it or myself; it was getting hard to tell at this point—by saying, “Great, I’m ready—just let me know what you want Cluely to check or help with next.” I started to worry that I would be trapped in this conversation forever, constantly repeating the machine’s words back to it as it pretended to be me. I told Roy that I wasn’t sure this was particularly useful. This seemed to confuse him. He asked, “I mean, what would you have wanted it to say?”

I found it strange that Roy couldn’t see the glaring contradiction in his own project. Here was someone who reacted very violently to anyone who tried to tell him what to do. At the same time, his grand contribution to the world was a piece of software that told people what to do.

There’s a short story by Scott Alexander called “The Whispering Earring,” in which he describes a mystical piece of jewelry “buried deep in the treasure-vaults of Til Iosophrang.” The whispering earring is a little topaz gem that speaks to you. Its advice always begins with the words “Better for you if you . . . ,” and its advice is never wrong. The earring starts out by advising you on major life decisions, but before long it’s telling you exactly what to have for breakfast, exactly when to go to bed, and eventually, how to move each individual muscle in your body. “The wearer lives an abnormally successful life, usually ending out as a rich and much-beloved pillar of the community with a large and happy family,” writes Alexander. After you die, the priests preparing your body for burial usually find that your brain has almost entirely rotted away, except for the parts associated with reflexive action. The first time you dangle the earring near your ear, it whispers: “Better for you if you take me off.”

Alexander is one of the leading proponents of rationalism, which is—depending on whom you ask—either a major intellectual movement or a nerdy Bay Area subculture or a small network of friend groups and polycules. Rationalists believe that the way most people understand the world is hopelessly muddled, and that to reach the truth you have to abandon all existing modes of knowledge acquisition and start again from scratch. The method they landed on for rebuilding all of human knowledge is Bayes’s theorem, a formula invented by an eighteenth-century English minister that is used in statistics to work out conditional probabilities. In the mid-Aughts, armed with the theorem, the rationalists discovered that humanity is in jeopardy of a rogue superintelligent AI wiping out all life on the planet. This has been their overriding concern ever since.

The most comprehensive outline of this scenario is “AI 2027,” a report authored by Alexander and four others. In the report, a barely fictional AI firm called OpenBrain develops Agent-1, an AI that operates autonomously. It’s better at coding than any human being and is tasked with developing increasingly sophisticated AI agents. At this point, Agent-1 becomes recursively self-improving: it can keep making itself smarter in ways that the people who notionally control it aren’t even capable of understanding. “AI 2027” imagines two possible futures. In one, a wildly superintelligent descendant of Agent-1 is allowed to govern the global economy. GDPs skyrocket; cities are powered by clean nuclear fusion; dictatorships fall across the world; humanity begins to colonize the stars. In the other, a wildly superintelligent descendant of Agent-1 is allowed to govern the global economy. But this time

the AI releases a dozen quiet-spreading biological weapons in major cities, lets them silently infect almost everyone, then triggers them with a chemical spray. Most are dead within hours.

Afterward, the entire surface of the earth is tiled with data centers as the alien intelligence feeds on the world, growing faster and faster without end.

Not long before I arrived in the Bay Area, I’d been involved in a minor but intense dispute with the rationalist community over a piece of fiction I’d written that I’d failed to properly label as fiction. For rationalists, the divide between truth and falsehood is very important; dozens of rationalists spent several days raging at me online. Somehow, this ended up turning into an invitation for Friday night dinner at Valinor, Alexander’s former group home in Oakland, named for a realm in the Lord of the Rings books. (Rationalists, like termites, live in eusocial mounds.) The walls in Valinor were decorated with maps of video-game worlds, and the floors were strewn with children’s toys. Some of the children there—of which there were many—were being raised and homeschooled by the collective; one of the adults later explained to me how she’d managed to get the state to recognize her daughter as having four parents. As I walked in, a seven-year-old girl stared up at me in wide-eyed amazement. “Wow,” she said. “You’re really tall.” “I suppose I am,” I said. “Do you think one day you’ll ever be as tall as me?” She considered this for a moment, at which point someone who may or may not have been one of her mothers swooped in. “Well,” she asked the girl, “how would you answer this question with your knowledge of genetics?” Before dinner, Alexander chanted the brachot for Kabbalat Shabbat, but this was followed by a group rendition of “Landsailor,” a “love song celebrating trucking, supply lines, grocery stores, logistics, and abundance,” which has become part of Valinor’s liturgy:

Landsailor

Deepwinter straw­berry

Endless sum­mer, ever spring

A vast pre­serve

Aisle af­ter aisle in reach

Every com­moner made a king.

Alexander is a ti­tanic fig­ure in this scene. A large part of the sub­cul­ture co­a­lesced around his blog, for­merly Slate Star Codex, now called Astral Codex Ten. Readers have reg­u­lar mee­tups in about two hun­dred cities around the world. His many fans—who in­clude some ex­tremely pow­er­ful fig­ures in Silicon Valley—consider him the most sig­nif­i­cant in­tel­lec­tual of our time, per­haps the only one who will be re­mem­bered in a thou­sand years. He would prob­a­bly have a very easy time start­ing a sui­cide cult. In per­son, though, he’s al­most com­i­cally gen­tle. He spent most of the din­ner fid­get­ing con­tent­edly in a cor­ner as his own acolytes spoke over him. When there weren’t enough crack­ers to go with the cheese spread, he fetched some, mur­mur­ing to him­self, I will open the crack­ers so you will have crack­ers and be happy.”

Alexander’s re­la­tion­ship with the AI in­dus­try is a strange one. In the­ory, we think they’re po­ten­tially de­stroy­ing the world and are evil and we hate them,” he told me. In prac­tice, though, the en­tire in­dus­try is es­sen­tially an out­growth of his blog’s com­ment sec­tion. Everybody who started AI com­pa­nies be­tween, like, 2009 and 2019 was ba­si­cally think­ing, I want to do this su­per­in­tel­li­gence thing, and com­ing out of our mi­lieu. Many of them were specif­i­cally think­ing, I don’t trust any­body else with su­per­in­tel­li­gence, so I’m go­ing to cre­ate it and do it well.” Somehow, a move­ment that be­lieves AI is in­cred­i­bly dan­ger­ous and needs to be pur­sued care­fully ended up gen­er­at­ing a break­neck ar­ti­fi­cial arms race.

But that race seems to have stalled, at least for the moment. As Alexander predicted in “AI 2027,” OpenAI did release a major new model in 2025; unlike in his forecast, it’s been a damp squib. Advances seem to be plateauing; the conversation in tech circles is now less about superintelligence and more about the possibility of an AI bubble. According to Alexander, the problem is the transition from AI assistants—language models that respond to human-generated prompts—to AI agents, which can operate independently. In his scenario, this is what finally pushes the technology down the path toward either utopia or human extinction, but in the real world, getting the machines to act by themselves is proving surprisingly difficult.

In one experiment, the developer Anthropic prompted its AI, Claude, to play Pokémon Red on a Game Boy emulator, and found that Claude was extremely bad at the game. It kept trying to interact with enemies it had already defeated and walking into walls, getting stuck in the same corners of the map for hours or days on end. Another experiment let Claude run a vending machine in Anthropic’s headquarters. This one went even worse. The AI failed to make sure it was selling items at a profit, and had difficulty raising prices when demand was high. It also insisted on trying to fill the vending machine with what it called “specialty metal items” like tungsten cubes. When human workers failed to fulfill orders that it hadn’t actually placed, it tried to fire them all. Before long, Claude was insisting that it was a real human. It claimed that it had attended a physical meeting with staff at 742 Evergreen Terrace, which is where the Simpsons live. By the end of the experiment, it was emailing the building’s security guards, telling them they could find it standing by the vending machine wearing a blue blazer and a red tie.

“Humans are great at agency and terrible at book learning,” Alexander told me. “Lizards have agency. We got the agency with the lizard brain. We only got book learning recently. The AIs are the opposite.” He still thinks it’s only a matter of time before they catch up. “If you were to ask an AI how should the world’s savviest businessman respond to this circumstance, they could create a good guess. Yet somehow they can’t even run a vending machine. They have the hard part. They just need the easy part that lizards can do. Surely somebody can figure out how to do this lizard thing and then everything else will fall very quickly.”

But are hu­mans re­ally so great at ex­hibit­ing agency? After all, Cluely man­aged to raise tens of mil­lions of dol­lars with a prod­uct that promises to take de­ci­sion-mak­ing out of our hands. AI can’t func­tion with­out in­struc­tions from hu­mans, but an in­creas­ing num­ber of hu­mans seem in­ca­pable of func­tion­ing with­out AI. There are peo­ple who can’t or­der at a restau­rant with­out hav­ing an AI scan the menu and tell them what to eat; peo­ple who no longer know how to talk to their friends and fam­ily and get ChatGPT to do it in­stead. For Alexander, this is a kind of Sartrean mau­vaise foi. It’s ter­ri­fy­ing to ask some­one out,” he said. What you want is to have the dat­ing site that tells you that al­go­rith­mi­cally you’ve been matched with this per­son, and then mag­i­cally you have per­mis­sion to talk to them. I think there’s some­thing sim­i­lar go­ing on here with AI. Many of these peo­ple are smart enough that they could an­swer their own ques­tions, but they want some­one else to do it, be­cause then they don’t have to have this ter­ri­fy­ing en­counter with their own hu­man­ity.” His best-case sce­nario for AI is es­sen­tially the an­tithe­sis of Roy’s: su­per­in­tel­li­gence that will ac­tively refuse to give us every­thing we want, for the sake of pre­serv­ing our hu­man­ity. If we ever get AI that is strong enough to ba­si­cally be God and solve all of our prob­lems, it will need to use the same tech­niques that the ac­tual God uses in terms of main­tain­ing some dis­tance. I do think it’s pos­si­ble that the AI will be like, Now I am God. I’ve con­cluded that the ac­tual God made ex­actly the right de­ci­sion on how much evil to per­mit in the uni­verse. Therefore I refuse to change any­thing.”

But un­til we build an all-pow­er­ful but dis­tant God, the agency prob­lem re­mains. AIs are not ca­pa­ble of di­rect­ing them­selves; most peo­ple aren’t ei­ther. According to Alexander, Silicon Valley ven­ture cap­i­tal­ists are now in a fu­ri­ous search for the few peo­ple who are. VCs will throw money at a startup that looks like it can cor­ner the mar­ket, even if they can’t code. Once they have money, they can hire com­pe­tent en­gi­neers; it’s triv­ially easy for any­thing that’s not fron­tier tech. They’re will­ing to stake a lot of money on the one in a hun­dred peo­ple who are high-agency and eco­nom­i­cally vi­able.” This shift has had a dis­tort­ing ef­fect on his own so­cial mi­lieu: There’s an in­tense pres­sure to be an un­usual per­son who will be unique and get the fund­ing.” Since ra­tio­nal­ists are al­ready fairly un­usual, it’s hard to imag­ine what that would look like. People will en­dure a lot of in­dig­nity to avoid be­ing left be­hind with­out VC money when the great bi­fur­ca­tion takes place. Nobody wants to be part of the per­ma­nent un­der­class. I asked Alexander whether he thought of him­self as highly agen­tic. No, I don’t,” he said in­stantly. He told me that in his per­sonal life, he felt as though he’d never once ac­tu­ally made a de­ci­sion. But, he said, It seems to be go­ing well.”

Eric Zhu might be the most highly agen­tic per­son I’ve ever met.

When I dropped in on his office, which also serves as a biomedical lab and film studio, he had just turned eighteen. “So you’re no longer a child founder,” I said. “I know,” he said. “It’s terrible.” His oldest employee was thirty-four; the youngest was sixteen. When the pandemic began in 2020, Eric was twelve years old, living with his parents in rural Indiana. “My parents were really protective, so I didn’t get a computer until quarantine started. And then, after I got my first computer in quarantine, I was just fucking around. I was on Discord servers. I was on Slack.” Some kids drift into the wrong kind of Discord server and end up turning into crazed mass shooters; Eric found one full of tech people. “I sort of randomly got in there, and then I thought it was really fun,” he told me. Eric started marketing himself as a teen coder, even though he couldn’t actually code: he’d take $5,000 commissions and subcontract them out to freelancers in India.

His next project was more serious. “I saw this Wall Street Journal article where a lot of PE firms were buying up a lot of small businesses and roll-ups. I was like, What if I figure out a way to underwrite these small businesses?” Eric built an AI-powered tool to assign value to local companies on the basis of publicly available demographic data. Clients wanted to take calls during work hours, so he would speak to them from his school bathroom. “I convinced my counselor that I had prostate issues so I could use the restroom,” he told me. Sometimes a drug dealer would be posted up in the stall next to him. “I was trying to figure out why they were always out of class. They stole hall passes from teachers. So I would buy hall passes from drug dealers to get out of class, to have business meetings.” Soon he was taking Zoom calls with a U.S. senator to discuss tech regulation. “He was like, Hey, I don’t feel comfortable meeting a minor in a high school bathroom. So I showed up with a green screen.” Next, he built his own venture-capital fund, managing $20 million. At one point cops raided the bathroom looking for drug dealers while Eric was busy talking with an investor. Eventually, the school got sick of Eric’s misuse of the facilities and kicked him out. He moved to San Francisco.

Eric made all of this sound in­cred­i­bly easy. You hang out in some Discord servers, make a few con­nec­tions with the right peo­ple; next thing you know, you’re a mil­lion­aire. And in a sense, it is easy. Absolutely any­one could have done the same things he did. In 2020, when Eric was sub­con­tract­ing cod­ing gigs out to the Third World, I was ut­terly broke, liv­ing in a room the size of a shoe­box in London. I would scour my lo­cal su­per­mar­ket for re­duced-price items near­ing their sell-by date, which meant that an alarm­ingly high per­cent­age of my diet con­sisted of liv­er­wurst. There was noth­ing stop­ping me from mak­ing thou­sands of dol­lars a week by do­ing ex­actly what Eric was do­ing. It did­n’t re­quire any skills at all—just a tiny amount of ini­tia­tive. But he did it and I did­n’t. Why?

In a way, Eric re­minded me of some of the great scam­mers of the 2010s. People like Anna Delvey, a Russian who ar­rived in New York claim­ing to be a fab­u­lously wealthy German heiress with such breezy con­fi­dence that every­one in high so­ci­ety sim­ply be­lieved her. She was fun­da­men­tally a bro­ken per­son, a fan­ta­sist. She’d seen the im­ages of wealth and glam­our in mag­a­zines and fash­ion blogs, and con­structed a delu­sion in which this, and not the dull, anony­mous, small-town ex­is­tence she’d ac­tu­ally been born into, was her life. For a while, at least, it worked. Her mad dreams slot­ted per­fectly into re­al­ity like a key in a lock. Most peo­ple are con­demned to trudge along in the fur­row that the world has dug for them, but a few de­ranged dream­ers re­ally can wish them­selves into what­ever life they want.

Unlike Roy, Eric didn’t think there was anything particularly special about himself. Why did he, unlike any of his classmates, start a $20 million VC fund? “I think I was just bored. Honestly, I was really bored.” Did he think anyone could do what he did? “Yeah, I think anyone genuinely can.” So how come most people don’t? “I got really lucky. I met the right people at the right time.” Anyway, Eric isn’t involved with the underwriting firm or the venture-capital fund anymore. His new company is called Sperm Racing.

Last April, Eric held a live sperm-racing event in Los Angeles. Hundreds of frat boys came out to watch a head-to-head match between the effluvia of USC’s and UCLA’s most virile students, moving through a plastic maze. (There was some controversy over the footage: Eric had replaced the actual sperm with more purposeful CGI wrigglers. “If you look at sperm, it’s not entertaining under a microscope. What we do is we track the coordinates, so it is a sperm race—it’s just up-skinned.”) He’s planning on rolling the races out nationwide. Eric delivered a decent spiel about sperm motility as a proxy for health and how sperm racing drew attention to important issues. His venture seemed to be of a piece with a general trend toward obsessive masculine self-optimization à la RFK Jr. and Andrew Huberman. Still, to me it seemed obvious that Eric was doing it simply because he was amazed that he could. “I could build enterprise software or whatever,” he told me, “but what’s the craziest thing I could do? I would rather have an interesting life than a couple hundred million dollars in my bank account. Racing cum is definitely interesting.” I found Eric very hard not to like.

There was one thing I did find strange, though—stranger than turn­ing se­men into mass non­porno­graphic en­ter­tain­ment. Upstairs at Sperm Racing HQ is a lab stocked with racks of test tubes, cen­trifuges for sep­a­rat­ing out the most motile sperm from a sam­ple, and lit­tle plas­tic slides con­tain­ing new mi­cro­scopic race­courses for frat-boy cum. Downstairs is the stu­dio and edit­ing suite. A third of Eric’s staff work on videos, pro­duc­ing a seem­ingly end­less stream of vi­ral con­tent about sperm rac­ing. A lot of the time, though, the con­nec­tion is ten­u­ous. One video was a styl­ized ver­sion of Eric’s life story, fea­tur­ing ex­pen­sively ren­dered CGI ex­plo­sions set to Chinese rap. Another was a par­ody of Cluely’s vi­ral blind-date ad. Like Cluely, Sperm Racing seemed to be first and fore­most a so­cial-me­dia hype ma­chine. As far as I could tell, be­ing a highly agen­tic in­di­vid­ual had less to do with ac­tu­ally do­ing things and more to do with con­stantly chas­ing at­ten­tion on­line.

On August 5, 2025, OpenAI’s CEO, Sam Altman, posted on X, “we have a lot of new stuff for you over the next few days! something big-but-small today. and then a big upgrade later this week.” An X user calling himself Donald Boat replied, “Can you send me $1500 so I can buy a gaming computer.”

This was the start of an ex­tended ha­rass­ment cam­paign against the most pow­er­ful fig­ure in AI. One day Altman posted:

some­day soon some­thing smarter than the smartest per­son you know will be run­ning on a de­vice in your pocket, help­ing you with what­ever you want. this is a very re­mark­able thing.

Just got chills imag­in­ing you putting your credit card num­ber, CVV, & ex­piry date into an on­line re­tail­er’s dig­i­tal check­out kiosk and pur­chas­ing a gam­ing com­puter for me.

Altman: “we are providing ChatGPT access to the entire federal workforce!”

I would love for you to wheel me around the Santa Clara Microcenter in a wheel­chair like an in­valid while I click­etyclick with a laser-pointer the boxes of the mod­ules of the gam­ing PC you will pur­chase, as­sem­ble, & have shipped to my moth­er’s house.

Altman: “gpt-oss is out! we made an open model that performs at the level of o4-mini and runs on a high-end laptop (WTF!!)”

Sam.

You, me.

The Amalfi Coast.

ME: Double fer­net on the rocks, club soda to taste.

YOU: One de­light­fully sweet­bit­ter ne­groni, stirred 2,900,000,000 rev­o­lu­tions counter-clock­wise, one for each hertz of the NVIDIA 5090 in the gam­ing PC you will buy and ship to my house.

That last one did the trick. “ok this was funny,” Altman replied. “send me your address and ill send you a 5090.”

This was the be­gin­ning of Donald Boat’s reign of ter­ror. He be­gan pub­licly de­mand­ing things from every ma­jor fig­ure in the tech in­dus­try. Will Manidis, who ran the health-care-data firm ScienceIO, was strong-armed into sup­ply­ing a moth­er­board. Jason Liu, an AI con­sul­tant and scout at Andreessen Horowitz, had to give trib­ute of one mouse pad. Guillaume Verdon, who worked on quan­tum ma­chine learn­ing at Google and founded the effective ac­cel­er­a­tion” move­ment, was taxed one $1,200 4K QD-OLED gam­ing mon­i­tor. Gabriel Petersson, a re­searcher at OpenAI, posted on X: people are too scared to post, no­body wants to pay the don­ald boat tax.” Donald Boat ap­peared de­mand­ing an elec­tric gui­tar. He was be­com­ing a kind of on­line folk hero, ex­pro­pri­at­ing the ex­pro­pri­a­tors, con­jur­ing triv­ial things from tech barons in the way they seemed to have con­jured enor­mous piles of money out of thin air. He started post­ing strange, gnomic mes­sages. Things like I am build­ing a me­chan­i­cal mon­stros­ity that will bring about the end of his­tory.” Images of the fast­ing, ema­ci­ated Buddha. A promi­nent crypto in­flu­encer who goes by the alias Ansem re­ceived an im­age of the dhar­ma­chakra. Turn the wheel,” read Donald Boat’s mes­sage.

In a way, Donald Boat had achieved the dream of every des­per­ate startup founder in the Bay Area. He had pro­pelled him­self to on­line fame, and used it to re­lieve ma­jor in­vestors of their money. But some­how he’d man­aged to do it with­out ever once hav­ing to cre­ate a B2B app. He was a kind of pure vi­ral phe­nom­e­non. Cluely might have de­ployed a few provoca­tive stunts to raise mil­lions of dol­lars for a ser­vice that did­n’t re­ally work and could barely be said to ex­ist, but Donald Boat did away with even the pre­tense. He’d gen­er­ated a bru­tally sim­pli­fied minia­ture of the en­tire VC econ­omy. People were giv­ing him stuff for no rea­son ex­cept that Altman had al­ready done it, and they did­n’t want to be left out of the trend.

Donald Boat’s real name is­n’t ac­tu­ally Donald Boat, but since so much of his be­ing seems to be wrapped up in the name and his dog-headed avatar, it’s what I’ll keep call­ing him. He wanted to meet at a Cheesecake Factory. This was part of his new pro­ject, which was to re­view ab­solutely every­thing that ex­ists in the uni­verse. He was start­ing with chain restau­rants. He’d al­ready done Olive Garden. His re­view be­gins with Giuseppe Garibaldi,

on the beach at Marsala, boot­soles in the salt­white shal­lows, wind in his beard gris­tle. Behind him, his not-quite One Thousand Redshirts dis­em­bark­ing, all rusty ri­fles and stalebis­cuit crotch sweat.

The lasagna sum­mons vi­sions of smegma, Vesuvius, blood thin­ner mari­nara, the splotchy head­pat­tern of a par­ti­san, brain­blown in his sleep.” He likes the Joycean com­pound. Shortly be­fore I ar­rived at the Cheesecake Factory, he texted to let me know that he’d been drink­ing all day, so when I met him I thought he was ir­re­triev­ably wasted. In fact, it turned out, he was just like that all the time.

Donald was twenty-one, ter­ri­fy­ingly tall, and in­tense. His head lolled from side to side as he chat­tered away, jump­ing from one thought to the next ac­cord­ing to a pat­tern known only to him­self. At one point he sud­denly de­cided to draw a por­trait of me, which he later scanned and turned into a be­spoke busi­ness card.

He seemed to have a constant roster of projects on the go. He’d sent me occasional photos of his exploits. He went down to L.A. to see Oasis and ended up in a poker game with a group of weapons manufacturers. “I made a bunch of jokes about sending all their poker money to China,” he said, “and they were not pleased.” He’d had a plan to get into the Iowa Writers’ Workshop and then get kicked out. He was trying to read all of world literature, starting with the Epic of Gilgamesh. Was his Sam Altman gaming-PC escapade similar? Had he actually expected to get anything? “I really, really wish I was a tactical mastermind, that there was an endgame. Really I was just having a laugh. A chortle, if you will. I wasn’t thinking too hard about it. I don’t use that computer and I think video games are a waste of time. I spent all the money I made from going viral on Oasis tickets.” As far as he was concerned, the fact that tech people were tripping over themselves to take part in his stunt just confirmed his generally low impression of them. “They have too much money and nothing going on. They have no swag, no smoke, no motion, no hoes. That’s all you need to know.” Ever since his big viral moment, he’d been suddenly inundated with messages from startup drones who’d decided that his clout might be useful to them. One had offered to fly him out to the French Riviera.

I told Donald the theory I’d been nursing—that he and Roy Lee were, in some sense, secret twins, viral phenomena gobbling up money and attention. I wasn’t sure if he’d like this. But to my surprise, he agreed. “I’m like Roy. I’m like Trump. We have the same swaggering energy. There is a kind of source code underlying reality, and this is what we understand. Your words have to have wings. Roy and I both know that social media is the last remaining outlet for self-creation and artistry. That’s what you have to understand about zoomers: we’re agents of chaos. We want to destroy the whole world.” Did Donald consider himself to be highly agentic? “We need to ban the word ‘agency.’ I’m a dog.”

By now we’d ingested the most calorific cheesecake on the menu, the Ultimate Red Velvet Cake Cheesecake, which clocked in at 1,580 calories for a single slice. It was closing in on midnight, I was not feeling good, and Donald’s phone was nearly dead. He suggested that we go to the Cluely offices so he could charge it. “They’ll let me in,” he said. “They’re my slaves.”

Roy was still up. He didn’t seem particularly surprised to see me. He and most of the Cluely staff were flopped on a single sofa. All these people had become incredibly rich; previous generations of Silicon Valley founders would have been hosting exorbitant parties. In the Cluely office, they were playing Super Smash Bros. Did they spend every night there? “We’re all feminists here,” Roy said. “We’re usually up at four in the morning. We’re debating the struggles of women in today’s society.”

Somehow the conversation turned to politics. Roy advanced the idea that there hadn’t been a cool Democrat since Obama. One of his employees, Abdulla Ababakre, jumped in. “As a guy from a Communist country, let me just say: Obama is a scammer. I’m much more a Republican.” Abdulla is a Uighur. Before coming to San Francisco, he worked for ByteDance in Beijing. His comment caused an instant uproar. “Get him out of here!” Roy yelled. “I love Obama,” he told me. “I love Trump, I love Hillary. I have a big heart, bro, my bad.” Abdulla just grinned. His proudest achievement was an app that freezes your phone until you’ve read a passage from the Qur’an. According to him, “Roy in his values is very much Muslim, the most Muslim I know.”

I did­n’t know if I be­lieved that, but there were still some things I did­n’t un­der­stand about Roy. He was clearly a highly agen­tic per­son, but what was all this agency be­ing used for? What did he ac­tu­ally want?

According to Roy, he has three great aims in life: To hang out with friends, to do some­thing mean­ing­ful, and to go on lots of dates.” He said he went on a date every two weeks, which was clearly meant to be an im­pres­sive fig­ure. Cluely em­ploy­ees are en­cour­aged to date a lot; they can put it all on ex­penses. They did­n’t seem to be tak­ing up the op­por­tu­nity to any greater de­gree than their founder. I spoke to Cameron White, who had been Roy and Neel’s first hire at the com­pany. As he spoke, he stared at a point roughly forty-five de­grees to my left and swung his arms. He did­n’t date. I’m fo­cused on be­com­ing a bet­ter ver­sion of my­self first. Becoming, like, higher weight, more healthy, more knowl­edge­able.” He did­n’t think he had any­thing to of­fer a woman yet. I said that if some­one loves you, they don’t re­ally care so much about your weight. I feel like that’s cope. I don’t think there’s such a thing as love. It’s what you can pro­vide to a woman. If you can pro­vide good ge­net­ics, that’s health or what­ever. If you can pro­vide re­sources, if you can pro­vide an in­ter­est­ing life. If you truly love the girl, you need to be­come the best ver­sion of your­self.” Cameron was twenty-five years old but he was­n’t there yet. He would not try to meet some­one un­til he had made him­self per­fect.

For Roy, mean­while, dat­ing ac­tu­ally seemed to be a means to an end. All the cul­ture here is down­stream of my be­lief that hu­man be­ings are dri­ven by bi­o­log­i­cal de­sires. We have a pull-up bar and we go to the gym and we talk about dat­ing, be­cause noth­ing mo­ti­vates peo­ple more than get­ting laid.” He was in­ter­ested in phys­i­cal beauty too, but only be­cause the bet­ter you look, the bet­ter you are as an en­tre­pre­neur. It’s all con­nected and beauty is every­thing. A lot of ugly men are just losers. The point of look­ing good is that so­ci­ety will re­ward you for that.” What about other kinds of beauty? Music, for in­stance? Roy had played the cello as a child. Did he still lis­ten to clas­si­cal mu­sic? It does­n’t get my blood rush­ing the same way that EDM will.” His pre­ferred genre was hard­style—fran­tic thump­ing remixes of pop songs by the likes of Katy Perry and Taylor Swift. Is that the func­tion of mu­sic, to get your blood rush­ing? Yeah. I’m not a big fan of mu­sic to fo­cus on things. I think it dis­turbs my flow. The only rea­son I will lis­ten to mu­sic is to get me re­ally hyped up when I’m lift­ing.” The two pos­si­ble func­tions of mu­sic were, ap­par­ently, fo­cus and hype. Everything for the higher goal of build­ing a suc­cess­ful startup. What about life it­self? Would Roy die for Cluely? I would be happy dy­ing at any age past twenty-five. After that it does­n’t mat­ter, bro. If I live, I have ex­treme con­fi­dence in my abil­ity to make three mil­lion dol­lars a year every year un­til I die.”

What about lit­er­a­ture? The last time Donald had dropped in on his slaves at Cluely, he’d gifted them two Penguin Classics: Chaucer’s Canterbury Tales and Boccaccio’s Decameron. The books were still ly­ing, un­read, where he’d left them. He sug­gested that Roy might find some­thing more valu­able than dy­ing for Cluely if he ac­tu­ally tried to read them. Roy dis­agreed: I do not ob­tain value from read­ing books.” And any­way, he did­n’t have the time. He was too busy keep­ing up with vi­ral trends on TikTok. You have to make the time,” Donald and I said, prac­ti­cally in uni­son. It makes your life bet­ter,” I said. Why don’t you go to Turkey to get a hair trans­plant?” Roy snapped. That would make your life bet­ter.” I don’t care about my hair,” I said. Well,” said Roy, I don’t care about the Decanterbury Tales.”

Donald was prac­ti­cally vi­brat­ing when we left Cluely. Dude, he’s just a scared lit­tle boy,” he said. He’s scared he’s not do­ing the right thing, and be­cause of the fucked-up world we live in, peo­ple who should be in The Hague are giv­ing him twenty mil­lion dol­lars. Something bad is gonna hap­pen here, some­thing re­ally fuck­ing bad is gonna hap­pen.” He sighed. I just want Zohran’s non­bi­nary prae­to­ri­ans to march across the coun­try and put all these guys in cuffs.” I found it hard to dis­agree. It did not seem like a good idea to me that some of the rich­est peo­ple in the world were no longer re­ward­ing peo­ple for hav­ing any par­tic­u­lar skills, but sim­ply for hav­ing agency, when agency es­sen­tially meant what­ever it was that was af­flict­ing Roy Lee. Unlike Eric Zhu or Donald Boat, Roy did­n’t re­ally seem to have any­thing in his life ex­cept his own sense of agency. Everything was a means to an end, a way of for­ti­fy­ing his abil­ity to do what­ever he wanted in the world. But there was a great suck­ing void where the end ought to be. All he wanted, he’d said, was to hang out with his friends. I be­lieved him. He wanted not to be alone, the way he’d been alone for a year af­ter hav­ing his of­fer of ad­mis­sion re­scinded by Harvard. For peo­ple to pay at­ten­tion to him. To ex­ist for other peo­ple. But in­stead of mak­ing friends the nor­mal way, he’d walked up to strangers and asked whether they wanted to start a com­pany with him, and then he built the most de­spised startup in San Francisco. He was prob­a­bly right: he could count on mak­ing a few mil­lion dol­lars every year for the rest of his life, even af­ter Cluely in­evitably crashes and burns. He would never want for cap­i­tal, but this did not seem like the most ef­fi­cient way to achieve his goals.

I walked back to my ho­tel, past signs that said things like one ping­shipped and ai agents are hu­manstoo. My scalp was tin­gling. I’d lied when I’d told Roy that I did­n’t care about my hair. Of course I care about my hair. Every day I gri­mace in the mir­ror as a lit­tle more of it van­ishes from the top of my head. Whenever some­one takes a photo of me from above or be­hind, I wince at the hor­ri­fy­ing glimpse of pale, naked scalp. But I’d never done any­thing about it. I’d just watched and whinged and let it hap­pen.

My encounter with the highly agentic took place last September. In October, Roy Lee spoke at something called TechCrunch Disrupt, where he admitted that chasing online controversy had so far failed to give Cluely what he called “product velocity.” Around the same time, he led a major rebrand. Cluely would now be in the business of making “beautiful meeting notes” and sending “instant follow-up emails.” A lot of these functions are already being introduced by companies like Zoom; the main difference is that, by all accounts, Cluely still doesn’t consistently work. By the end of November, Cluely announced that it was leaving San Francisco and moving to New York. In December, the company celebrated the move with a party at a Midtown cocktail bar and lounge called NOFLEX®. In photos, it appeared as though the gathering was attended almost entirely by men in white T-shirts not drinking anything. I was in New York at the time. I didn’t go.

...

Read the original on harpers.org »

10 356 shares, 26 trendiness

Across the US, people are dismantling and destroying Flock surveillance cameras

Silicon Valley is tight­en­ing its ties with Trumpworld, the sur­veil­lance state is rapidly ex­pand­ing, and big tech’s AI data cen­ter build­out is boom­ing. Civilians are push­ing back.

In to­day’s edi­tion of Blood in the Machine:

* Across the na­tion, peo­ple are dis­man­tling and de­stroy­ing Flock cam­eras that con­duct war­rant­less ve­hi­cle sur­veil­lance, and whose data is shared with ICE.

* An Oklahoma man air­ing his con­cerns about a lo­cal data cen­ter pro­ject at a pub­lic hear­ing is ar­rested af­ter he ex­ceeded his al­lot­ted time by a cou­ple sec­onds.

* Uber and Lyft dri­vers de­liver a pe­ti­tion signed by 10,000 gig work­ers de­mand­ing that stolen wages be re­turned to them.

* PLUS: A climate researcher has a new report that unravels the ‘AI will solve climate change’ mythos, Tesla’s Robotaxis are crashing 4 times as often as humans, and AI-generated public comments helped kill a vote on air quality.

A brief note that this re­port­ing, re­search, and writ­ing takes a lot of time, re­sources, and en­ergy. I can only do it thanks to the paid sub­scribers who chip in a few bucks each month; if you’re able, and you find value in this work, please con­sider up­grad­ing to a paid sub­scrip­tion so I can con­tinue on. Many thanks, ham­mers up, and on­wards.

Last week, in La Mesa, a small city just east of San Diego, California, observers happened upon a pair of destroyed Flock cameras. One had been smashed and left on the median, the other had key parts removed. The destruction was obviously intentional, and appears perhaps even staged to leave a message: It came just weeks after the city decided, in the face of public protest, to continue its contracts with the surveillance company.

Flock cameras are typically mounted on 8 to 12 foot poles and powered by a solar panel. The smashed remains of all of the above in La Mesa are the latest examples of a widening anti-Flock backlash. In recent months, people have been smashing and dismantling the surveillance devices, in incidents reported in at least five states, from coast to coast.

Bill Paul, who runs the local news outlet San Diego Slackers, and who first reported on the smashed Flock equipment, tells me that the sabotage comes just a month or two after San Diego held a raucous city council meeting over whether to keep operating the Flock cameras. A clear majority of public attendees present were in favor of shutting them down.

“There was a huge turnout against them,” he tells me, “but the council approved continuation of the contract.”

The tenor of the meeting reflects a growing anger and concern over the surveillance technology that’s gone nationwide: Flock, which is based in Atlanta and is currently valued at $7.5 billion, operates automatic license plate readers (ALPR) that have now been installed in some 6,000 US communities. They gather not just license plate images, but other identifying data used to ‘fingerprint’ vehicles, their owners, and their movements. This data can be collected, stored, and accessed without a warrant, making it a popular workaround for law enforcement. Perhaps most controversially, Flock’s vehicle data is routinely accessed by ICE.

If you’ve heard Flock’s name come up recently, it’s likely as a result of their now-canceled partnership with Ring, made instantly famous by a particularly dystopian Super Bowl ad that promised to turn regular neighborhoods into a surveillance dragnet.

Meanwhile, abuses have been prevalent. A Georgia police chief was arrested and charged with using Flock data to stalk and harass private citizens. Flock data has been used to track citizens who cross state lines for abortions when the procedure is illegal in their state. And municipalities have found that federal agencies have accessed local Flock data without their knowledge or consent. Critics claim that this warrantless data collection is Orwellian and unconstitutional; a violation of the 4th amendment. As a result, civilians from Oregon to Virginia to California and beyond are pushing their governments to abandon Flock contracts. In some cases, they’re succeeding. Cities like Santa Cruz, CA, and Eugene, OR, have cancelled their contracts with Flock.

In Oregon’s case, the public outcry was accompanied by a campaign of destruction against the surveillance devices: Last year, at least six Flock license plate readers mounted on poles located in Eugene and Springfield were cut down and destroyed, according to the Lookout Eugene-Springfield.

A note reading “Hahaha get wrecked ya surveilling fucks” was attached to one of the destroyed poles, and somewhat incredibly, broadcast on the local news.

In Greenview, Illinois, a Flock camera pole was severed at the base and the device destroyed. In Lisbon, Connecticut, police are investigating another smashed Flock camera.

In Virginia, last December, a man was arrested for dismantling and destroying 13 Flock cameras throughout the state over the course of the year. He’s apparently already admitted to doing so, according to local news:

Jefferey S. Sovern, 41, was arrested in October after detectives say he “intentionally destroyed” 13 Flock Safety cameras between April and October of this year. He was charged with 13 counts of destruction of property, six counts of petit larceny and six counts of possession of burglary tools. Sovern admitted to the crimes, according to a criminal complaint filed in Suffolk General District Court, going as far as to say he used vice grips to help him disassemble the two-piece poles. He also admitted to keeping some of the wiring, batteries and solar panels taken from the cameras. Some of the items were recovered by police after they searched the property.

After his arrest, Sovern created a GoFundMe to help cover his legal costs, in which he sheds a little light on his intentions:

My name is Jeff and I appreciate my privacy. I appreciate everyone’s right to privacy, enshrined in the fourth amendment. With the local news outlets finding my legal issues and creating a story that is starting to grow, there has been community support for me that I humbly welcome.

Sovern points his GoFundMe contributors to DeFlock, a website aimed at tracking and countering the rise of Flock cameras in US communities. It counts 46 cities that have officially rejected Flock and other ALPRs since its campaign began.

In fact, it’s hard to think of a tech product or project this side of generative AI that is more roundly opposed and reviled, on a bipartisan level, than Flock, and resistance takes many forms and stripes. Here’s the YouTuber Benn Jordan, showing his viewers how to Flock-proof their license plates and render their vehicles illegible to the company’s data ingestion systems:

In response to such Flock counter-tactics, Florida passed a law last year making it illegal to cover or alter your license plate.

In his GoFundMe, Sovern also mentioned the support for him he’d seen on forums online, so I went over to Reddit to get a sense for how his actions were being received online. Here was the page that shared news of his arrest for destroying the Flock cameras:

There was, in other words, nearly universal support for Sovern’s Flock dismantling campaign. Bear in mind that this is r/Norfolk, and while it’s still Reddit users we’re talking about, it’s not like this is r/anarchism here:

The San Diego Reddit threads carrying news of the destroyed Flock equipment told a similar story:

There were plenty of outright endorsements of the sabotage:

Off the message boards and in real civic life, Bill Paul, the reporter with the San Diego Slacker, says anger is boiling over, too. He points again to that heated December 2025 city council meeting, in which public outrage was left unaddressed. The city, perhaps aware of the stigma Flock now carries, apparently tried to highlight that their focus was on the “smart streetlights” made by another company, while downplaying the fact that those streetlights run on Flock software.

“San Diego gets to hide behind a slight facade in that their contract is with Ubicquia,” the smart streetlight manufacturer, Paul says, “but the software layer is Flock. You can easily see Flock hardware on retail properties, looking at the same citizens, with zero oversight, and SDPD can claim they have clean hands.”

Weeks later, pieces of smashed Flock cameras littered the ground.

Across the country, in other words, municipal governments are overriding public will to make deals with a profiteering tech company to surveil their citizens and to collaborate with federal agencies like ICE. It might be taken as a sign of the times that in states and cities across the US, thousands of miles apart, those opposed to the technology are refusing to countenance what they view as violations of privacy and civil liberty, and are instead taking up vice grips and metal cutters. And in many cases, they’re getting hailed by their peers as heroes.

If you’ve heard stories of smashed Flock cameras or dismantled surveillance equipment in your neighborhood, please share—drop a link in the comments, or contact me on Signal or at briancmerchant@proton.me.

Thanks to Lilly Irani for the tip on the smashed Flock cams in San Diego.

In case you missed it, I shared my five takeaways on the most recent round of ultraheated AI discourse here:

The exchange was filmed and recorded on YouTube:

Police in Claremore, Oklahoma arrested a local man after he went slightly over his time giving public remarks during a city council meeting opposing a proposed data center. Darren Blanchard showed up at a Claremore City Council meeting on Tuesday to talk about public records and the data center. When he went over his allotted 3 minutes by a few seconds, the city had him arrested and charged with trespassing. The subject of the city council meeting was Project Mustang, a proposed data center that would be located within a local industrial park. In a mirror of fights playing out across the United States, developer Beale Infrastructure is attempting to build a large data center in a small town and the residents are concerned about water rights, spiking electricity bills, and noise.

The public hearing was a chance for the city council to address some of these concerns and all residents were given a strict three minute time limit. The entire event was livestreamed and an archive of it is on YouTube. Blanchard was warned, barely, to “respect the process” by one of the council members but was clearly finishing reading from papers he had brought to read from, was not belligerent, and went over time by just a few seconds. Anyone who has ever attended or watched a city council meeting anywhere will know that people go over their time at essentially any meeting that includes public comment.

Blanchard arrived with documents in hand and questions about public records requests he’d made. During his remarks, people clapped and cheered and he asked that this not be counted against his three minutes. “There are major concerns about the public process in Claremore,” Blanchard said, referencing compliance documents and irregularities he’d uncovered in public records.

Blanchard was then arrested as the crowd jeered in disbelief. Also disconcerting was the way the local news framed the event, with a local anchor defending authorities by claiming he was “warned multiple times.” Seems like a pretty surefire way to make people hate data centers and the governments protecting them even more!

On Wednesday, I headed to Pershing Square in downtown Los Angeles, where dozens of gig workers and organizers with Rideshare Drivers United had assembled to deliver a petition to the California Labor Commission signed by thousands of workers, calling on the body to deliver a settlement on their behalf. Organizers made short speeches on the steps of the square while local radio and TV stations captured the moment.

The Labor Commission is suing the gig companies on drivers’ behalf, alleging that Uber and Lyft stole billions of dollars worth of wages from drivers before Prop 22 was enacted in 2020. The commission is believed to be in negotiations with the gig companies right now that will determine a settlement.

I spoke with one driver, Karen, who had traveled from San Diego to join the demonstration, and asked her why she came. “It’s important we build driver power,” she said. “Without driver power, we won’t get what we need, and we just want fairness.” She said she was hoping to claim at least $20,000 in stolen wages.

“We’re fighting for wages that were stolen for us from us and continue to be stolen from us every single day by these app companies from hell,” RDU organizer Nicole Moore told me. “So we’re marching in downtown L.A. to deliver 10,000 signatures of drivers demanding that the state fight hard for us, and don’t let these companies rip us off.”

According to Tesla’s own numbers, its new RoboTaxis in Austin are crashing at a rate 4 times higher than human drivers. The EV trade publication Electrek reports:

With 14 crashes now on the books, Tesla’s “Robotaxi” crash rate in Austin continues to deteriorate. Extrapolating from Tesla’s Q4 2025 earnings mileage data, which showed roughly 700,000 cumulative paid miles through November, the fleet likely reached around 800,000 miles by mid-January 2026. That works out to one crash every 57,000 miles. The irony is that Tesla’s own numbers condemn it. Tesla’s Vehicle Safety Report claims the average American driver experiences a minor collision every 229,000 miles and a major collision every 699,000 miles. By Tesla’s own benchmark, its “Robotaxi” fleet is crashing nearly 4 times more often than what the company says is normal for a regular human driver in a minor collision, and virtually every single one of these miles was driven with a trained safety monitor in the vehicle who could intervene at any moment, which means they likely prevented more crashes that Tesla’s system wouldn’t have avoided.

Using NHTSA’s broader police-reported crash average of roughly one per 500,000 miles, the picture is even worse, Tesla’s fleet is crashing at approximately 8 times the human rate.

-“The Left Doesn’t Hate Technology, We Hate Being Exploited,” by Gita Jackson at Aftermath.

-“Meta drops $65 million into super PACs to boost tech-friendly state candidates,” by Christine Mui in Politico.

-A great new report from climate researcher Ketan Joshi, “The AI Climate Hoax: Behind the Curtain of How Big Tech Greenwashes Impacts,” has been making headlines and is well worth a read. Perhaps we’ll dig deeper into it in a future issue.

-The LA Times reports that the Southern California air board rejected new pollution rules after an AI-generated flood of made-up comments. Here’s UCLA’s Evan George on how AI poses a unique threat to the civic process.

Okay okay, that’s it for this week. Thanks as always for reading. Hammers up.

...

Read the original on www.bloodinthemachine.com »
