This is an incredibly facile take on the situation. Iran has been a destabilizing regional power with imperial aims for 47 odd years. They even murdered the PM of Lebanon via their proxy army. They’ve been poking the bear for decades, and there are several occasions where it may have happened sooner in an alternative universe. Had McCain become president in ‘08 we may well have seen a land invasion from US positions in Iraq, as the Iranian Quds force was already fighting US soldiers in Iraq. The whole DoD is now full of Iraq veterans who hate the Iranian government to their bones. It’s shocking this didn’t happen sooner, and probably only didn’t because of luck.
It always takes a ton of work to roll back state overreach. The Bound By Oath podcast by the Institute for Justice has a whole season about how hard it is to bring civil rights claims against the government or government officials.
And gets harder in a country where even the judges are political appointees and apparently that’s by design. (I resisted adding a smiley here because this is rather sad)
The courts are actually striking down a lot of government overreach recently. The tariffs were just overturned, and the administration was blocked from using the national guard for law enforcement. In fact this administration has lost more Supreme Court cases than any other administration at only 1 year in.
I've been thinking a bit about how to do security well with my generated code. I've been using tools that check deps for CVEs, static tools that check for SQL injection and similar problems, and baking some security requirements into the specs I hand Claude. I can't tell yet if this is better than what I did before or just theater. It seems like in this case you'd need/want to specify some tests around access.
I'm interested to hear how other people approach this.
So the problem I'm having is I don't know what I'm doing vis a vis security, so I can't audit my own understanding by just sitting in a chair, but here's what I've been doing.
I'm building a desktop app that has authentication needs because we need to connect our internal agents and also allow the user to connect theirs. We pay for our agents, the user pays for theirs (or pays us to use ours etc.). These are, relatively speaking, VERY SIMPLE PROBLEMS, nevertheless agents are happy to consume and leak secrets, or break things in much stranger ways, like hooking the wrong agent up to the wrong auth which would have charged a user for our API calls. That seemed very unlikely to me until I saw it.
So far what has "worked" (made me feel less anxious, aside from the niggling worry that this is theater) is:
1. Having a really strong and correct understanding of our data flows. That's not about security per se so at least that I can be ok at it. This allows me to...
2. Be aggressive and paranoid about not doing it at all, if it can be helped. Where I actually handle authentication is as minimal as possible (one should have some reasonable way to prove that to yourself). Done right the space is small enough to reason about.
How do I do 1 & 2 while not knowing anything? Painfully and slowly and by reading. The web agents are good if you're honest about your level of knowledge and you ask for help in terms of sources to read. It's much more effective than googling. Ask, read what the agents say, press them for good recommendations for YOU to read, not anyone. Then go out and read those sources. Have I learned enough to supervise a frontier model? No. Absolutely not. Am I doing it anyway? Yes.
Ask the LLM to create for you a POC for the vulnerability you have in mind. Last time I did this I had to repeatedly make a promise to the LLM that it was for educational purposes as it assumed this information is "dangerous".
Same way you handle preserving any other property you want to preserve while "vibecoding" -- ensure tests capture it, ensure the tests can't be skipped. It really is this simple.
It's really disappointing to see it so strongly preferring Github Actions which is in my experience terrible. Almost everything about GHA pushes you in the direction of constantly blowing out the 10GB cache limit in an attempt to have CI not run for ages. I also feel like the standard cache action using git works poorly with any tools that use mtime on files to determine freshness.
I guess at least Opus can help you muddle through GHA being so crappy.
I wouldn't expect it to be impossible, and it isn't, but I would expect the permits to be different than they were 60 years ago. You can still build a house today, but that doesn't mean you can build one using the same permits you received in 1965. This is true for everything.
Of course. And the goal in part is to enrich prior entrants and also to create massive unearned gains for them by printing a license for something no one else can have. This explains a lot of the housing prices writ large -- boomers and others who own houses that are grandfathered in via various regulations that let them build for cheap but not you, and making a new one has to be done at much higher regulations, basically printing money for those grandfathered in without them having to do anything but add regulations that apply to everyone else but them.
It's not anti-capitalism to not spend public money on nonsense that doesn't further the goals of education, nor is it anti-capitalism to control the learning environment in schools. What we have is a collective action problem.
Iran had good relations with Israel prior to 1979 and never persecuted or expelled its Jews after 1948 unlike every other country in the region. In fact there’s a great degree of very old cultural affinity between Persians and Jews. A secular Iran is likely to have very close ties with Israel if for no other reason than as a backlash to the excesses of the clergy.
I find that incredibly hard to believe especially since nicotine causes a physical chemical dependency. Sure it is hard for some people to get off of social media, but let's not go overboard here with the social media == big tobacco metaphor.
Think about it for a minute, the harm from gambling is intrinsic because you are statistically likely to lose money. It's not so different from a behavioral addiction like gaming, but you can lose your house.
Chemical dependency just makes addictive behavior that much worse. Moreover there is literally no evidence that social media is harder to quit than cigarettes.
I think it's possible to criticize things for what they are, without having to resort to conflating them with other things. Excessive gambling doesn't have to be equated to physical addiction in order to be regarded as a bad thing -- it can be a bad thing as a result of its own consequences without having to be compared to anything else.
> If they didn't have a hand in the protests, that seems like a stunning failure on the part of the US State Department to support their own policies
This is nothing but evidence-free speculation. What you’re doing is undermining the validity of the protest movement and parroting the line of the Iranian government. It’s disgusting. Take this shit somewhere else.
No my point is that the idea that the protests aren’t organic is deeply fucking ignorant and gross. It’s this whole line of thinking that everything turns on US action in the world, which is how 19 year olds think after they read Howard Zinn or some essay by Chomsky for the first time. It’s unserious on top of robbing a lot of brave people of their own agency.
> No my point is that the idea that the protests aren’t organic is deeply fucking ignorant and gross.
Scott Bessent, at the WEF [0], explained that:
> President Trump ordered treasury and our OFAC division, (Office of Foreign Asset Control) to put maximum pressure on Iran, and it’s worked because in December, their economy collapsed, we saw a major bank go under, the central bank has started to print money, there is a dollar shortage, they are not able to get imports and this is why the people took to the streets.
So it is organic insofar as the US is working hard to water and nourish something. This has been a huge push to destabilise and unseat the Iranian regime, the idea that they didn't have some people involved in the protests is hard to countenance. It'd be incompetence of the grossest variety. Technically possible? Yeah. A reasonable prior? No.
It's hardly evidence-free, this stuff [0, 1, 2] has been making international news headlines for months. And the last time the US was involved in toppling Iran they used paid-for protests [3] so it is barely speculative to say they'd do again what worked last time. That is just common sense on their part. If they haven't done that, then people will be fired in the US executive for incompetence because that is the cheapest way to achieve their rather clear goals of rolling Iran's power structures. If you don't believe that they did that, who do you think is responsible for that failure on the US government's part?
It is unfortunate that the US's actions right now undermined whatever validity you feel the protests had. I certainly agree it is disgusting - and also bad for US interests so it is curious why they're doing it. Take it up with them if you have a problem with the idea, I'm not a US general or policy maker.