One of the maxims of infosec is that the resources (money, time, expertise, risk, etc.) an attacker is willing to expend to penetrate a target is proportional to the value of that target. Of course "value" sometimes has a subjective component, particularly when attackers are motivated by politics, personal grudges, etc., but for the most part it more-or-less tracks the economic value of the target.

With this move, Microsoft is about to make their cloud one of the most valuable targets in the world. A billion people are going to start saving documents (and drafts of documents) in it, most of them without even realizing it or knowing how to turn it off. It's about to become the motherlode of data and metadata (about people, systems, software, locations, etc.) and everyone knows it. There's no way that Microsoft can defend this. None. There's no way that anyone short of a national intelligence agency could defend this, and I have my doubts about that.

If that seems like hyperbole, then consider: how much would Putin spend to get his hands on this? A billion? In a heartbeat - it'd be a bargain. Or the Chinese. Or the Iranians. Or the Saudis. Or the Mexican drug cartels. Or the....

It's not a question of if this will be hacked, only when and how and by whom and how long Microsoft will try to hide it.

Note: if I were the attacker, I'd get in now. That is, I'd either get my people hired into roles in this operation or I'd bribe/extort the people who are already there. After all: you don't have to break in if you're already inside.

Users: "We need a built-in ad-blocker to protect our privacy and security".

Mozilla: "Hey! We screwed up the address bar!"

Users: "We need a built-in Javascript blocker/enabler to protect our privacy and security."

Mozilla: "Look! Look! We changed the shape of the buttons! New icons!"

Users: "We need built-in anti-tracking a la Privacy Badger and Canvas Blocker to protect our privacy and security."

We're well past the point where we should be filing bug reports and submitting fixes or assisting Mozilla in any way. Mozilla needs to die. And while it may be difficult to find an organization/group to take Firefox away from them, it must be done. The first thing the new caretakers should do is start ripping out code -- there's over a decade of bloat and crap that needs to go. And the second thing is that the browser should have the features of the best extensions -- like NoScript -- built in.

(1) There are all kinds of abusive things going on with AI crawlers, including ignoring robots.txt - or not even bothering to check for it, using faked user-agents, using end-user systems on commercial ISPs, using systems distributed across various clouds, not rate-limiting queries, etc. That's why there are myriad efforts all working toward mitigating the damage that's being done, and unfortunately, no one technique solves the problem entirely. (And the people running the AI crawlers are responding to these defensive efforts by escalating their attacks.) What's happening is essentially a DDoS against every web site, and it's not only costing a fortune in bandwidth/cycles/etc., it's costing a fortune in human time.

I've been here a long, long time. And this is one of the worst things I've ever seen. And it's all to feed the insatiable egos and greed of the tech bros who've bet the farm on AI and have yet to realize that "garbage in, garbage out" still applies no matter how much computing capacity you throw at it.

(2) It's ironic that Cloudflare, of all operations, would whine about someone else's abusive conduct. Here's an exercise for the reader: read the article here Scammers Unleash Flood of Slick Online Gaming Sites - Krebs on Security. Then follow the link he provides to the list of domains involved in this. Now look where they're (almost) all hosted.

The wasteful part: they were too lazy and cheap to properly decommission the servers by pulling the disks and wiping them...before donating all of them to worthwhile projects and organizations. This isn't difficult: I've done it many times, in two cases for much larger operations, and I've done it with far more sensitive data, e.g. medical data, financial data. This is an appalling display of negligence and incompetence, and it's awful for the environment.

The obvious lie: "For security reasons (and to protect the PII of all our users and customers), everything was being shredded and/or destroyed." If they were actually trying to protect PII, then they shouldn't have moved to the cloud. Not only have they thrown everything into a black box, they've thrown it into somebody else's black box that they have absolutely no control over -- and no visibility into. If some offshore contractor working at that cloud company decides to grab all the info and sell it as a side gig, (a) they can't stop it (b) they won't know it's happened until it's much too late and (c) they'll be unable to do anything meaningful about it.

He should be removed from his corporate position and committed to an institution immediately.

That won't happen, of course; as s society we've already decided that it's perfectly fine to have psychotics, sociopaths, megalomaniacs, and morons (e.g. RFK Jr, Musk, Zuckerberg, Trump) in positions of leadership. And we'll go through today and tomorrow and the next day pretending that this is normal and okay while they drive not just IT, not just the US, but the entirety of human society over a cliff.

I have no problem believing that lines of code are being churned out at a much higher rate by Surge's approach.

But is it any good?

Or is it -- as seems highly likely given what we've seen from AI coding tools so far -- unreadable, bug-ridden, unmaintainable, insecure, utter crap?

Which won't matter to Chen because he and his enormously bloated ego will have the opportunity to cash out long, long before the bill comes due for this hype and hubris. It'll be the little people who have to suffer the consequences of this exercise and clean up the mess.

As discussed here already, higher temperatures are stressors on human health, crop viability, etc. But there are further effects. To pick one: increases in local SST (sea surface temperatures) are a driver of more rapidly-intensifying hurricanes. (They're not the only factor: there also needs to be a supply of moist air, there needs to be low wind shear, etc. But they're one of the factors.) This Wikipedia article: Rapid intensification provides a good introduction and notes that improving the models that forecast rapid intensification is a high priority -- because now it needs to be.

On October 22, 2015, Patricia went from a tropical storm to a CAT5 hurricane in 24 hours.

I spent a dozen years as a certified trainer for first responders/incident commanders and still am one sometimes. Let me break my comments into micro and macro.

Micro: the recent Kerrville incident. The NWS did its job and did it in a timely manner -- despite reckless cuts by Trump/DOGE/etc. The issued an urgent flash flood warning at 1:26 AM, which should have been taken very seriously because that area has a long history of flash flooding. Local officials should have woken everyone up any way they could: tornado sirens, local and state police cars with full sirens and lights, fire trucks, civilian pickup trucks with horns, anything, everything. If possible they should have brought in a helicopter with a loudspeaker.

The river was already rising at that point, but slowly, and rose only moderately (per the USGS gauge, linked below) until 5:15 AM. That's when the flow went exponential. So they had the better part of 4 hours to wake people up and get them moving away from the river. That includes the girls camp that's been so often discussed: local officials knew it was there and knew it was full. And yet they didn't even manage to send a squad car over there to wake up everyone. If they'd done that, those girls could have WALKED to safety in the time they had available. (And of course if there were buses or other vehicles, it'd have been faster.)

Here's the gauge -- note that the left-hand vertical axis is logarithmic. Guadalupe Rv at Kerrville, TX – 08166200

Every responsible locality has plans for this, doubly so if it's something that's happened before -- which in this case, it has. While there's always some improvisation in emergency response, most of this should have come down to "pull out the red binder, open to page 1, and start working through the checklist -- you know, the one we've rehearsed every 4 months for the last 6 years." Every person should already know what they're going to do, like "wake up every school bus drivers, tell them to drive to the X high school, start the buses, and head to their assigned locations to pick up people" or "get someone on the bridge upstream with a spotlight on the river so that we can see the flood coming before it gets here and registers on the gauge". The incident commander should supervise all of this pre-planned activity, making on-the-fly modifications as necessary...and if the plan is a good one, and if it's been kept updated, and if it's been rehearsed well, then there shouldn't be too much improvisation needed.

This by no means guarantees success. Things go wrong, equipment breaks, miscommunications happen. But it gives the best chance, and if even half of this had happened in Kerrville, it would have saved a lot of lives.

Macro: There is never money or time for disaster preparation, avoidance, training, mitigation. There is usually money for disaster cleanup. Oh, and there are "thoughts and prayers", which are (a) useless and (b) an attempt by the cheap, lazy, and incompetent to excuse their complicity in all the death and destruction that just happened. We don't need thoughts. We don't need prayers. We need science (like the NWS and NOAA do), we need data (e.g. the best forecasts they can possibly give us), we need training and equipment, we need plans, we need cooperation, we need clear messaging, and we need the money required to do all these things. Give us that and we have a fighting chance -- and our historical record when given that chance is damn good. Deny us that and you're going to get Kerrville on a regular basis. (Doubly so given global warming and its effect on locally-intensified weather events.)

This is already long, but I want to ask you all to consider one more thing. Right now, as you're reading this, there are people out there who are trying to recover all the bodies. (They know it's not a rescue. Not any more.) They would have much rather been there to evacuate all those people which they could have done if all the stuff I said above had happened. They could have met those little girls and comforted them as they moved them the hell out of the way of the wall of water that came down the Guadalupe River. But they didn't, because they couldn't. And now they're looking for them, and pulling their battered little bodies out of the mud. One...after another. I have done this work, and I hated it. I don't sleep well any more and probably never will again. But it had to be done. And now all those people working on site are going through the same thing. They're doggedly trying to provide closure to all those waiting families, and they're pushing themselves to physical and psychological exhaustion to do it. They're paying the price. So spare a kind thought for them, please. They're going to need it.

After all, they're building climate refuges/bunkers in places that they expect to survive what's coming and that are sufficiently remote that the probability of a mob showing up at the front door is quite small. They know that climate scientists are right, and they suspect it's going to be worse than predicted. (Which is a good bet, because if you actually take the time to read things like the IPCC reports, you'll notice something that's common to all science in every field everywhere: the projections are never exactly right. You'll also notice something else: time after time, those predictions haven't been pessimistic enough. In other words, the real world gets worse faster than the models predict; the models are adjusted with this new data; and then the real world gets worse faster than the models predict.)

And that's not the scary part. Nor is the part where wars over water happen (because that's right in front of us) or the part where areas become uninhabitable (same) or where hurricanes devastate areas that "can't" be hit by hurricanes (already history) or where record-setting fires, floods, droughts, etc. happen constantly (also already history). No, the scary part -- if you understand stochastic processes -- is that there is nothing anywhere in the mathematics of global warming that guarantees that the process is linear and stable. There are things that strongly suggest that there is a point at which it's neither, and of course there's a lot of debate over what that point is. If it's not clear what "nonlinear and "unstable" mean: imagine a century's worse of warming in a year. Imagine what kind of weather becomes possible if that happens. And then realize that it won't end there. If we go over that threshold, whatever it is, we're not coming back. All the frantic efforts to engineer our way out of it won't work and all the belated changes that we should have made decades ago won't help.

There is no hell hot enough, no torture chamber cruel enough, for the people who are driving us to this future.

...until you consider the implications.

The first is that it's not evenly distributed: some parts of the planet will get hotter faster than that - others may even cool down. Some will get dryer; some will get wetter. Keep in mind, this is a globally-calculated average. As we've already seen, short-term, mid-term, and long-term temperature increases in some regions may be much more than just a quarter of a degree. Some of those are well on the path to becoming essentially uninhabitable, and that in turn will generate social, political, and economic crises.

The second is that even this fractional degree of warming significantly shifts the window of possibility for extreme events: bigger hurricanes, worse droughts, etc. Events that were extremely unlikely 20, 30, 40 years ago are now only somewhat unlikely. Even the best weather models -- which are stunningly accurate when it comes to things like predicting hurricane landfall locations -- may need to be adjusted to account for conditions that have never happened before. Until that adjustment happens, those models may not be as reliable as they have been, and that affects public safety.

The third is we don't know where the tipping point is. Despite enormous amounts of research, we have - at best - plausible estimates. And if you've read any of this research then you know that we do not want to find the tipping point by going over it. And every incremental increase in the rate of warming slightly increases the probability that we'll do that.

...and the bill will come due. The people at CISA, from the top down, have been working incredibly hard for years to get their hands around the myriad problems that we face and to make some meaningful progress on as many of them as possible. I haven't always agreed with their priorities or their analysis or their conclusions, but most of those disagreements have been minor -- and I recognize that they may have access to information that I don't.

The mass exodus of experienced talent from CISA is no doubt being greeted with cheers in Moscow and Beijing and Tehran and elsewhere. This significantly weakens the aggregate security posture of the US and it greatly impairs our ability to detect and respond to threats. I think, sadly, that it's only a matter of time until one of our adversaries decides to exploit this on a large scale, and I worry that the consequences may be dire.

Oh, believe me, I'm painfully well aware that they've got competition in the race to the bottom, and one could well make the argument that they're no worse than anyone else. (I don't happen to agree with that argument, but I'll grant that it's plausible and an interesting topic to debate.)

The DMCA issue is tricky. I'm inclined to side with privacy advocates nearly all the time, and I very much dislike companies wielding the DMCA like a club, doubly so when their requests/demands are overbroad and clearly intended to induce a chilling effect on speech. On the other hand, I read Discord's counter-argument in this particular case, and it really does come down to "awww I don't wanna", which is (a) not a good way to respond in this particular case and (b) not a good way to respond in the general case because it risks getting denied in a way that creates precedent hostile to privacy. In other words: if Discord wanted to oppose this, okay, fine: then they should have written a much more serious response, minus the frivolous complaints and plus strong arguments.

Discord is already one of the worst (mainstream) operations on the Internet - and in a world where sociopathic fascist billionaires are running some of them, that's saying a lot. Let's review a few samples briefly:

• Discord Cracks Down on NSFW Furry Art, Extremist Problem Persists - Rolling Stone
• Discord Is the World’s Most Important Financial Messenger, and a Hotbed for Scammers
• Discord.io suffers massive data breach, announces closure | Mashable
• Discord Disputes DMCA Subpoena, Rejects Role as Anti-Piracy Partner * TorrentFreak
• Discord Begins Testing Facial Scans for Age Verification
• New Jersey attorney general sues Discord app for alarming security lapses New Jersey Monitor
• Discord servers used in child abductions, crime rings, sextortion
• Discord gets sued for allegedly violating child safety laws | The Verge

The best thing that Discord could do right now -- to avoid further enshittification -- would be to shut down. Not coincidentally, this would also be the best thing for the Internet and for human society.

1. Not everyone uses Android or iOS.

2. But lots of people do, so an app might make sense. What's the plan when the app stores refuse to carry it?

3. This scheme is highly susceptible to DoS attacks at every point. E.g. "[...] where users will need say 9 of 15 nodes to be available [...]" means that if someone can DoS or cut off access to 7 of 15 then nobody can do anything. (This is a general problem with T of N algorithms.) E.g. "Users should register and login before they can use any of their limited guesses to their phone-unlock secret." means if someone can login, then can exhaust the limited guesses, leaving none for the actual user.

4. This won't work without end-to-end connectivity, and likely won't work without sufficiently robust/fast connectivity - i.e., no queueing/batching.

5. What's the plan when something awful happens, it turns out that it was in part facilitated by this service, and multiple governments decide that it's time to legislate it out of existence? They don't need a $5 hammer if they have the weight of the criminal justice system.

6. Speaking of $5 hammers: suppose this service is built. Suppose it's wonderful. Suppose it works beautifully. Suppose it's adopted by huge numbers of people because it's wonderful and works beautifully. That means that an ever-increasing amount of valuable data will stored by its users. Eventually, someone is going to notice that, decide that they'd like to get their hands on it, and go after the node operators.

7. "I helped build [thing at Google]" is not nearly the qualification that $GoogleGuy thinks it is. Google built one good product: search. Everything else has been mediocre at best. (And now, of course, they're doing everything possible to make search absolute garbage.)

Because this profoundly idiotic move by Firefox will make it much easier to mislead and thus exploit users. But it seems that's all that Firefox's developers have left: endless tinkering with a UI that was perfectly fine 15 years ago instead of (and I know this is radical, but hear me out) listening to users and building in an ad-blocker and the functionality of NoScript.