I read at least one thread per day criticizing Tesla self-driving (which has hundreds of highly-paid engineers working on it) as unreliable vaporware, meanwhile I'm supposed to hack my car with some code off a GitHub repo?
I'll be adding this to my list of 101 creative ways to die, behind basement apartment in Venice, Italy.
Those companies worth billions like GM and Tesla perform extensive testing to prove to regulators their software isn't going to kill people and does not pose an unacceptable risk to other drivers on the road. Do you get to sidestep all that if you post your code to GitHub?
Why not? You are free to modify your vehicle in almost any way you want as a consumer. Should someone putting some rain shields on their window require licensing and government testing for it because it might break off? Should generic brake pads or tie rod ends require independent government testing or approval to be purchased and used?
Regulations don't exist to save people from their own stupid mistakes, they exist to prevent systemic abuses and dangers to the public in the pursuit of profit. And we already know from endless examples that corporations will knowingly let people die if their decision will increase profit margins. Not to mention the public doesn't have the ability to properly test or verify corporate designed and sold devices. Unless corporations provide all documentation related to the design and materials and code used, they should have special restrictions and regulations beyond what the average person does.
States have window tinting laws to help police to pull over, harass, identify, and/or profile people in the pursuit of profit and control. The main justification for window tint laws is "protecting law enforcement", which is itself a bad excuse, but everything beyond that is definitely complete bullcrap because the tinting laws differ so completely between states, with some states not caring at all.
Many states with tinting laws have zero laws about maintenance or inspection of vehicles which is all but proof that the safety of the public is not even a real consideration. You can literally have sharp jagged chunks of rusty metal hanging off your car and it's not illegal.
Yup, because you get to be personally responsible for any outcomes just like you would be if you were driving without ai assistance. If you aren’t comfortable building and testing an open source project then it isn’t for you.
People cry daily that cybertrucks should not be street legal because they do not meet EU safety regulations but gluing plastic gadgets to your window yourself and calling it "AI assistance" is okay because the driver is ultimately responsible?
I’m imagining it… marathon meetings, everyone worried about code standards, someone made Claude rewrite the whole thing in Prologue and is zealously arguing for it in a 900-comment PR.
And somehow half the time invested in the project is arguing about a code of conduct.
Tesla FSD is awesome. I use it almost all the time now, it feels safer than me driving. It's like having a private chauffeur. My disengagements are mostly nav related.
Are you really expecting me to read this paragraph all by myself? What am I supposed to do, load some text off of a Hacker News comment section? I only read paragraphs written by teams of highly paid experts.
Do you have a source for that? I'm not aware of any regulation requiring ADAS. Even automatic emergency braking is not yet required for a few more years.
It is in the EU but in the US ADAS won't be mandated until 2029. It would tank your IIHS rating though and all major mfgs have met a voluntary pledge to have >95% light duty vehicles ship with autobraking by 2023: https://www.iihs.org/news/detail/automakers-fulfill-autobrak...
I saw a computer with 'system33', 'system34' folders personally. Also you would never actually know it happened because... it's not ECC. And with ECC memory we replace a RAM stick every two-three months explicitly because ECC error count is too high.
Rounding that to 1 error per 30 days per 256M, for 16G of RAM that would translate to 1 error roughly every half a day. I do not believe that at all, having done memory testing runs for much longer on much larger amounts of RAM. I've seen the error counters on servers with ECC RAM, which remain at 0 for many months; and when they start increasing, it's because something is failing and needs replaced. In my experience RAM failures are much rarer than for HDDs and SSDs.
Given enough computers, anything will happen. Apparently enough bit flips happen in domains (or their DNS resolution) that registering domains one bit away from the most popular ones (e.g. something like gnogle.com for google.com) might be worth it for bad actors. There was a story a few years ago, but I can't find it right now; perhaps someone will link it.
A very old game speedrun -- of the era that speedruns weren't really a "thing" like they are today -- apparently greatly benefited from a hardware bit flip, and it was only recently discovered.
The Tick Tock Clock upwarp in Super Mario 64. All evidence that exists of it happening is a video recording. The most similar recording was generated by flipping a single bit in Mario's Y position, compared to other possibilities that were tested, such as warping Mario up to the closest ceiling directly above him.
I'm pretty sure that while no one knows the cause definitively, many people agreed that the far more likely explanation for the bit change was a hardware fault (memory error, bad cartridge connection or something similar) or other, more powerful sources of interference. The player that recorded the upwarp had stated that they often needed to tilt the cartridge to get the game to run, showing that the connection had already degraded. The odds of it being caused by a cosmic ray single-event upset seem to be vanishingly low, especially since similar (but not identical) errors have already been recorded on the N64.
At the time Google was taking RAM that had failed manufacturer QA that they had gotten for cheap and sticking it on DIMMs themselves and trying to self certify them.
You are right. Apologies for spreading false information(
"We provide strong evidence that memory errors are dominated by hard errors, rather than soft errors, which previous work suspects to be the dominant error mode." [0]
"Memory errors can be caused by electrical or magnetic interference (e.g. due to cosmic rays), can be due to problems with the hardware (e.g. a bit being permanently damaged), or can be the result of corruption along the data path between the memories and the processing elements. Memory errors can be classified into soft errors, which randomly corrupt bits but do not leave physical damage; and hard errors, which corrupt bits in a repeatable manner because of a physical defect."
"Conclusion 7: Error rates are unlikely to be dominated by soft errors.
We observe that CE [correctable errors] rates are highly correlated with system utilization, even when isolating utilization effects from the effects of temperature. In systems that do not use memory scrubbers this observation might simply reflect a higher detection rate of errors. In systems with memory scrubbers, this observations leads us to the conclusion that a significant fraction of errors is likely due to mechanism other than soft errors, such as hard errors or errors induced on the datapath. The reason is that in systems with memory scrubbers the reported rate of soft errors should not depend on utilization levels in the system. Each soft error will eventually be detected (either when the bit is accessed by an application or by the scrubber), corrected and reported. Another observation that supports Conclusion 7 is the strong correlation between errors in the same DIMM. Events that cause soft errors, such as cosmic radiation, are expected to happen randomly over time and not in correlation.
Conclusion 7 is an interesting observation, since much previous work has assumed that soft errors are the dominating error mode in DRAM. Some earlier work estimates hard errors to be orders of magnitude less common than soft errors and to make up about 2% of all errors."
Happens all the time, in reality (even on the darkside). When the atmosphere fails (again, happening all the time), error correction usually handles the errant bits.
In the 2010 era of RAM density, random bit flips were really uncommon. I worked with over a thousand systems which would report ECC errors when they happen and the only memorable events at all were actual DIMM failures.
Also, around 1999-2000, Sun blamed cosmic rays for bit flips for random crashes with their UltraSPARC II CPU modules.
Yep, hardware failures, electrical glitches, EM interference... All things that actually happen to actual people every single day in truly enormous numbers.
It ain't cosmic rays, but the consequences are still flipped bits.
In Apple's case, starting with macOS Tahoe, FileVault saves your recovery key to your iCloud Keychain [0]. iCloud Keychain is end-to-end encrypted, and so Apple doesn't have access to the key.
As a US company, it's certainly true that given a court order Apple would have to provide these keys to law enforcement. That's why getting the architecture right is so important. Also check out iCloud Advanced Data Protection for similar protections over the rest of your iCloud data.
As of macOS Tahoe, the FileVault key you (optionally) escrow with Apple is stored in the iCloud Keychain, which is cryptographically secured by HSM-backed, rate-limited protections.
Unbreakable phones are coming. We’ll have to decide who controls the cockpit: The captain? Or the cabin?
The security in iOS is not designed to make you safer, in the same way that cockpit security doesn't protect economy class from rogue pilots or business-class terrorists. Apple made this decision years ago, they're right there in Slide 5 of the Snowden PRISM disclosure. Today, Tim stands tall next to POTUS. Any preconceived principle that Apple might have once clung to is forfeit next to their financial reliance on American protectionism: https://www.cnbc.com/2025/09/05/trump-threatens-trade-probe-...
Of course Apple offers a similar feature. I know lots of people here are going to argue you should never share the key with a third party, but if Apple and Microsoft didn't offer key escrow they would be inundated with requests from ordinary users to unlock computers they have lost the key for. The average user does not understand the security model and is rarely going to store a recovery key at all, let alone safely.
Apple will escrow the key to allow decryption of the drive with your iCloud account if you want, much like Microsoft will optionally escrow your BitLocker drive encryption key with the equivalent Microsoft account feature. If I recall correctly it's the default option for FileVault on a new Mac too.
If they say they don't, and they do, then that's fraud, and they could be held liable for any damages that result. And, if word got out that they were defrauding customers, that would result in serious reputational damage to Apple (who uses their security practices as an industry differentiator) and possibly a significant customer shift away from them. They don't want that.
The government would never prosecute a company for fraud where that fraud consists of cooperating with the government after promising to a suspected criminal that they wouldn't.
That's not the scenario I was thinking of. There are other possibilities here, like providing a decryption key (even if by accident) to a criminal who's stolen a business's laptop, or if a business had made contractual promises to their customers, based on Apple's promises to them. The actions would be private (civil) ones, not criminal fraud prosecution.
Besides, Apple's lawyers aren't stupid enough to forget to carve out a law-enforcement demand exception.
Cooperating with law enforcement cannot be a fraud. Fraud is lying to get illegal gains. I think, it's legally ok to lie if the goal is to catch a criminal and help the government.
For example, in the 20th century, a European manufacturer of encryption machines (Crypto AG [1]) made a backdoor at request of governments and never got punished - instead it got generous payments.
None of these really match the scenario we're discussing here. Some are typical big company stuff, some are technical edge cases, but none are "Apple lies about a fundamental security practice consistently and with malice"
That link you provided is a "conspiracy theory," even by the author's own admission. That article is also outdated; OCSP is as dead as a doornail (no doubt in part because it could be used for surveillance) and they fixed the cleartext transmission of hardware identifiers.
Are you expecting perfection here? Or are you just being argumentative?
> That link you provided is a "conspiracy theory," even by the author's own admission.
"Conspiracy theory" is not the same as a crazy, crackhead theory. See: Edward Snowden.
Full quote from the article:
> Mind you, this is definitionally a conspiracy theory; please don’t let the connotations of that phrase bias you, but please feel free to read this (and everything else on the internet) as critically as you wish.
> and they fixed the cleartext transmission of hardware identifiers
Have you got any links for that?
> Are you expecting perfection here? Or are you just being argumentative?
I expect basic things people should expect from a company promoting themselves as respecting privacy. And I don't expect them to be much worse than GNU/Linux in that respect (but they definitely are).
It was noted at the bottom of the article as a follow up.
> I expect basic things people should expect from a company promoting themselves as respecting privacy. And I don't expect them to be much worse than GNU/Linux in that respect (but they definitely are).
The problem with the word “basic” is that it’s entirely subjective. What you consider “basic,” others consider advanced. Plus the floor has shifted over the years as threat actors have become more knowledgeable, threats more sophisticated, and technologies advanced.
Finally, the comparison to Linux doesn’t make a lot of sense. Apple provides a solution of integrated hardware, OS, and services. Linux has a much smaller scope; it’s just a kernel. If you don’t operate services, then by definition, you don’t have any transmitted data to protect. Nevertheless, if you consider the software packages that distros package alongside that kernel, I would encourage you to peruse the CVE databases to see just how many security notices have been filed against them and which remain open. It’s not all sunshine and roses over in Linux land, and never has been.
At the end of the day, it's all about how you weigh the evidence. If those examples are sufficient to tip the scales for you, that's your choice. However, Apple's overall trustworthiness--particularly when it comes to protecting people's sensitive data--remains high in the market. Even the examples you posted aren't especially pertinent to that (except for iCloud Keychain, where the complaint isn't whether Apple is securely storing it, but the fact that it got transmitted to them in the first place, and there exists some unresolved ambiguity about whether it is appropriately deleted on demand).
Terrible security... compared to what? Some ideal state that exists in your head, or a real-world benchmark? Do you expect them to ignore lawful orders from governments as well?
> Apple's solution is iCloud Keychain which is E2E encrypted, so would not be revealed with a court order.
Nope. For this threat model, E2E is a complete joke when both E's are controlled by the third party. Apple could be compelled by the government to insert code in the client to upload your decrypted data to another endpoint they control, and you'd never know.
This is a wildly unrealistic viewpoint. This would assume that you somehow know the language of the client you’re building and have total knowledge over the entire codebase and can easily spot any sort of security issues or backdoors, assuming you’re using software that you yourself didn’t make (and even then).
This also completely disregards the history of vulnerability incidents like XZ Utils, the infected NPM packages of the month, and even for example CVEs that have been found to exist in Linux (a project with thousands of people working on it) for over a decade.
You're conflating two orthogonal threat models here.
Threat model A: I want to be secure against a government agency in my country using the ordinary judicial process to order engineers employed in my country to make technical modifications to products I use in order to spy on me specifically. Predicated on the (untrue in my personal case) idea that my life will be endangered if the government obtains my data.
Threat model B: I want to be secure against all nation state actors in the world who might ever try to surreptitiously backdoor any open source project that has ever existed.
I'm talking about threat model A. You're describing threat model B, and I don't disagree with you that fighting that is more or less futile.
Many open source projects are controlled by people who do not live in the US and are not US citizens. Someone in the US is completely immune to threat model A when they use those open source projects and build them directly from the source.
We're talking about a hypothetical scenario where a state actor getting the information encrypted by the E2E encryption puts your life or freedom in danger.
If that's you, yes, you absolutely shouldn't trust US corporations, and you should absolutely be auditing the source code. I seriously doubt that's you though, and it's certainly not me.
The sub-title from the original forbes article (linked in the first paragraph of TFA):
> But companies like Apple and Meta set up their systems so such a privacy violation isn’t possible.
...is completely utterly false. The journalist swallowed the marketing whole.
Okay, so yes I grant your point that people where governments are the threat model should be auditing source code.
I also grant that many things are possible (where the journalist says "isn't possible").
However, what remains true is that Microsoft appears to store this data in a manner that can be retrieved through "simple" warrants and legal processes, compared to Apple where these encryption keys are stored in a manner that would require code changes to accomplish.
These are fundamentally different in a legal framework and while it doesn't make Apple the most perfect amazing company ever, it shames Microsoft for not putting in the technical work to accomplish these basic barriers to retrieving data.
> retrieved through "simple" warrants and legal processes
The fact it requires an additional engineering step is not an impediment. The courts could not care less about the implementation details.
> compared to Apple where these encryption keys are stored in a manner that would require code changes to accomplish.
That code already exists at apple: the automated CSAM reporting apple does subverts their icloud E2E encryption. I'm not saying they shouldn't be doing that, it's just proof they can and already do effectively bypass their own E2E encryption.
A pedant might say "well that code only runs on the device, so it doesn't really bypass E2E". What that misses is that the code running on the device is under the complete and sole control of apple, not the device's owner. That code can do anything apple cares to make it do (or is ordered to do) with the decrypted data, including exfiltrating it, and the owner will never know.
> The courts could not care less about the implementation details
That's not really true in practice by all public evidence
> the automated CSAM reporting apple does
Apple does not have a CSAM reporting feature that scans photo libraries, it never rolled out. They only have a feature that can blur sexual content in Messages and warn the reader before viewing.
We can argue all day about this, but yeah - I guess it's true that your phone is closed source so literally everything you do is "under the complete and sole control of Apple."
That just sends you back to the first point and we can never win an argument if we disagree about the level the government might compel a company to produce data.
It's also the "default" in Windows 11 to require a recovery bitlocker key every time you do a minor modification to the "bios" like changing the boot order
I was going to say: "Well Apple historically is an easy target of Pegasus" but that can only be used a few times before Apple figures out the exploit and fixes it. It's more expensive than just asking Apple.
But given PRISM, I'm sure Apple will just give it up.
Amazon caters to the ALLCAPS Chinese scam stores. They know how to game the system and have invested a lot of resources into it. Your little home-based business doesn't stand a chance. It's a matter of time before they clone your product and undercut you by half.
Big nod. I've been trying to register our company to sell customized products. It's been quite an ordeal with document rejections etc, and at the end they just said the rejection is final. No support, no appeals, no transparency. Yet those ALLCAPS companies seem to have no troubles.
I understand the problems described for Amazon, though that doesn't make Walmart good or without the same or different problems and advantages. What is Walmart Marketplace like for sellers? And how is the sales traffic, relatively?
I can give you perspective as a customer. I can't imagine they treat sellers any differently. I quit Prime (after spending tens of thousands over the years) and Amazon immediately started treating me like a third-class citizen. Free shipping is normally 5+ days. Lots of mysterious shipping delays that never happened before. Obscene amounts of dark patterns trying to get me to sign back up for Prime. Literally every checkout flow is a maze where I have to ensure I don't accidentally click the wrong thing or I'll find myself on the hook for a subscription.
I started giving more business to Walmart. Free shipping promos are just that, same dollar threshold as AMZN but items often arrive in a day or two (sometimes same day). They arrive by the date stated. Free shipping is the default selection. Experience with third party sellers has been good. They do shill Walmart+ (their cheaper Prime equivalent) but it's not obnoxious and no dark patterns. They do have the Chinese products but for some reason they do not pollute the search anywhere near as bad as Amazon. It's easy to filter out third party products with one click. I know stuff I'm getting is not counterfeit - they seem to have much better control over supply chain than AMZN. Many products are drop shipped direct from the manufacturer.
Unfortunately the Chinese flea market junk is Amazon's bread and butter so they have intentionally made it difficult to exclude it.
The downside is Walmart's site is a bit rough around the edges but lately Amazon is doing a great job of destroying their own site in multiple ways - like removing the ability to print real invoices, removing the ability to effectively filter third-party sellers in search, etc.
I used to sell on Amazon, and Walmart Marketplace reached out to me to convince me they could offer me a better seller experience than Amazon.
I was excited because I hated dealing with Amazon, but I had the call with the Walmart rep and he couldn't cite any benefit over Amazon.
Would Walmart take a lower fee? No, it would be the same as Amazon.
Would Walmart give back its fee if the customer sent the product back for a refund? No, Walmart would keep my fees and have the same perverse incentives that pushed costs onto the vendor.
It was surprising how much hubris Walmart brought to the discussion. The constant tone was, "We're Walmart, so obviously you want to work with us."
>Would Walmart take a lower fee? No, it would be the same as Amazon.
Walmart charges less in two ways:
* No monthly membership fee.
* Seemingly random fee discounts, up to and including 0%. More than once I've sold an item early in a day, then sold it again later that day with a different fee percentage.
>Would Walmart give back its fee if the customer sent the product back for a refund?
When Walmart refunds a customer, it takes from the seller's reserves exactly what was paid for the sale in the first place. No more, no less. It is Amazon that charges sellers a "refund processing fee".
While Walmart definitely has its issues, there are also many virtues vis-a-vis Amazon. It is worthwhile selling on both. My 2025 Amazon and Walmart sales are equal.
This was 3-4 years ago, so it's possible that they've improved since then or that the rep I was speaking to was misinformed, but at the time, he told me there was no fee advantage on Walmart Marketplace, and I tried to be polite in my reaction of, "Then, why would you be an attractive alternative?"
The refund structure has always been in place in the going on five years I've sold on Walmart. The random discounted fees have started in the past year.
The OP talks about being locked out by Amazon, and the comment I responded to above talks about being overtaken by scams.
Edit: you say it too:
> I hated dealing with Amazon
Yet the comments in this subthread all talk only about costs - they say the costs are the same so why switch to Walmart? Aren't the reasons already given?
The real story here is China and India have been quietly buying up gobs of African IP blocks - most of which are used for botting operations. I see it in my server logs.
China already de-facto owns half of Africa so it's natural they would prey on their scarce IP resources as well.
When you see AI scraping at a massive scale originating from $AFRICAN_COUNTRY IP space, and that country's GDP is smaller than Rhode Island, you sure as shit know someone else is behind it.
I see this often that people refer to countries as actors. Are you implying that the government of these countries bought those resources and they're now owned by the government? Or are you saying that citizens/corporations of those countries are buying? I find it weird, I wouldn't use the phrase "The United States is buying XYZ" unless it was the current government doing so?
China does not have a meaningful distinction between private industry and the state. She also maintains a level of surveillance and control, particularly in the IT world, that makes this hard with some level of government sanction.
It seems to be widely accepted that the Chinese State (don't know about India) often imposes on or sponsors citizens to perform actions it finds advantageous.
And, I'd say, the US is known to do this. I'll lead with 'Project Azorian' to back it up.
India does it too. You see it on all socials as well as reddit. Brain dead posts and comments praising the current govt or gate against anyone criticising.
Almost all the Indian subreddits are against the current government. You will be banned from a subreddit even if you rightly speak in support of current government on Reddit.
It's hard to take the rest of your comment seriously if you are blatantly dishonest about this.
The official one isn’t but there are a lot more in support of it. They are just named differently. Local language (we have lots of them) or endonyms etc.
All national subreddits are anti-government. The popular regional ones like r/delhi are anti-government too. If you know any pro-government subreddits let me know, I would love to join.
I'm not sure the distinction matters, and attribution is inherently hard and easy to get wrong. I frequently read Country X is doing Y, less as an indicator of government action and more of a signal that we can't be more specific of who within the country is performing an action but we know the behavior is occurring there.
In the case of IP address purchases, these are publicly tied to specific public and private entities and can be easily queried through the regional registries. These private entities are frequently the same kind of shell company you'll get with hiding shady financial details.
>Are you implying that the government of these countries bought those resources and they're now owned by the government
You have to take these issues with nuance instead of looking at them black and white.
If the US government gives you a billion dollar subsidy to do some particular action, is the action that is done the will of the corporation or the will of the government?
If the US government is paying private companies to 'gain information on' foreign entities, is that the will of the private companies or of the government itself?
If when a US company acquires a resource the US government can ask nicely for it with the threat of implied violence if you don't give it, is that a private resource or not?
And, note, I'm talking about the US that has relatively strong property rights and not about China where the government has far more leeway with the operation of companies, and absolutely uses them for nation state level information gathering.
In the US, the government can apply pressure and bargain with companies for favor, but there is no legal requirement of companies agreeing (shy of court orders). Far more than cases of corporate compliance with the government are cases of corporate defiance.
In China, there is no meaningful difference between the party and any Chinese company. Companies are seed funded by the state and carry the will of the state. There is no "come back with a court order" in China. And even if there was, the courts are also just another arm of the party.