my.feedland.org
157.245.5.7  Public Scan

Submitted URL: https://www.info.evdemon.org/
Effective URL: http://my.feedland.org/Bazz
Submission: On June 25 via api from US — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

XML
Loosely Coupled Thinking
Stuff I'm Interested In

 * Architecture
 * Tech News
 * Development
 * Personal News

Today, 14:28 Phil Windley's Technometria (Feed)
What Is Decentralized Identity?

Summary: What is decentralized identity and why is it important? My attempt at a
simple explanation.

In Yeah, yeah, yeah, yeah, yeah, nah, Alan Mayo references my recent blog post,
Decentralized Identity Comes of Age, and says:

My challenge to the decentralization community is for them (someone) to explain
how it works in relatively simple and reasonable terms. I say relative because
identity is not simple, so we should not expect simple solutions.

This post is my attempt to do that for Alan and others.

Identity is how we recognize, remember, react to, and interact with other
people, organizations, and services. Put another way, identity is about
relationships. Online we suffer from a proximity problem. Since we're not near
the parties we want to have relationships with, our natural means of
recognizing, remembering, and interacting with others can't be used. Digital
identity systems are meant to provide us with the means of creating online
relationships.

Traditional identity systems have not served us well because they are owned and
controlled by companies who build them for their own purposes. The relationships
they support are anemic and transactional. We can't use them for any purpose
except what their owners allow.

Decentralized identity systems[1] on the other hand allow you to create online
relationships with any person, organization, or service you choose and give you
the tools to manage and use those relationships. They help you recognize,
remember, react to, and interact with them. The most important tool is a
decentralized identity wallet. The world of decentralized identity wallets is
still young, but organizations like the Linux Foundation's Open Wallet
Foundation give me hope that useful, interoperable wallets are a tool we'll all
be able to use soon. They are as foundational to decentralized identity as a
browser is to the web.

Besides helping you manage peer-to-peer relationships with others online,
wallets hold verifiable credentials, the digital analog to the credentials and
cards you carry in a physical wallet. One of the most important aspects of
digital relationships is providing information about yourself to those you
interact with. Sometimes that information can come from you—it's
self-asserted—but many times the other party wants to reliably know what others
say about you. For example, if you establish a banking relationship, the bank is
legally obligated to verify things like your name and address independent of
what you say. Decentralized identity wallets allow you to prove things about
yourself using credentials others provide to you. At the same time, they protect
your privacy by limiting the information disclosed and forgoing the need for the
party you're interacting with to directly contact others to verify the
information you provide.

In summary, decentralized identity systems allow you to create digital
relationships with other parties independently, without relying on any other
organization or service. These relationships are direct, private, and secure.
They also provide the means for you to prove things about yourself inside these
relationships so that even though you're operating at a distance, you and the
other party can have confidence in the relationship's authenticity.

How Does It Work

The preceding paragraphs say what decentralized identity is, and provide its
benefits, but don't say how it works. Alan and others will likely want a few
more details. Everything I describe below is handled by the wallet. The person
using the wallet doesn't need to have any more knowledge of how they work than
the operator of a browser needs to understand HTTP and HTML.

The foundation of a peer-to-peer, decentralized online relationship is an
autonomic identifier like a peer DID. Identifiers are handles that someone else
can use to identify someone or something else online. Peer DIDs can be created
by a wallet at will, they're free, and they're self-certifying (i.e., there's no
need for a third party). A relationship is created when two identity wallets
create and exchange peer DIDs with each other on behalf of their owners. Peer
DIDs allow the parties to the relationship to exchange private, secure messages.

There are four primary interaction patterns that wallets undertake when
exchanging messages:

 * DID Authentication, which uses the DIDs to allow each party to authenticate
   the other.
 * Single-Party Credential Authorization, where the same party issues and
   verifies the credential.
 * Multi-Party Authorization, where the credential issuer and verifier are
   different parties.
 * Generalized Trustworthy Data Transfer, which uses a collection of
   credentials to aid the wallet owner in completing online workflows.

Figure: Generalized Credential Exchange Pattern

Verifiable credentials make heavy use of cryptography to provide not only
security and privacy, but also confidence that the credential data is authentic.
This confidence is based on four properties a properly designed credential
presentation protocol provides:

 * The identifier of the credential issuer
 * Proof that the credential is being presented by the party it was issued to
 * Proof that the credential has not been tampered with
 * The revocation status of the credential

The credential presentation can do all this while only disclosing the
information needed for the interaction and without the verifier having to
contact the credential issuer. Not having to contact the issuer ensures the
credential can be used in situations with poor connectivity, that the issuer
needn't be online, and preserves the credential subject's privacy about where
the credential is being used.

A properly designed credential exchange protocol has four important properties:

 * The system is decentralized and contextual. There is no central authority
   for all credentials. Every party can be an issuer, an owner, and a verifier.
   The system can be adapted to any country, any industry, any community, any
   set of credentials, any set of trust relationships.
 * Issuers are free to determine what credentials to issue and whether or not
   to revoke them.
 * Wallet owners are free to choose which credentials to carry and where and
   when they get shared. While some verifiers require a specific
   credential—such as a customs agent requiring a passport—others will accept a
   range of credentials. Therefore owners can decide which credentials to carry
   in their wallet based on the verifiers with whom they interact.
 * Verifiers make their own decisions about which credentials to accept. For
   example, a bar you are trying to enter may accept any credential you have
   about your date of birth. This means some credentials (e.g., passports,
   driving licenses, birth certificates) may be much more useful than just for
   the original purpose for which they were issued.

These properties make a decentralized identity system self-sovereign.

Why is Decentralized Identity Important?

Decentralized identity systems are designed to provide people with control,
security, and privacy while enhancing the confidence we have in our online
relationships. Some time ago, I wrote the following. I think it's an apt way to
close any discussion of decentralized identity because unless we keep our eyes
on the goal, we'll likely take shortcuts in implementation that fail to live up
to their promise.

Presently, people don't have operational relationships anywhere online.[2] We have
plenty of online relationships, but they are not operational because we are
prevented from acting by their anemic natures. Our helplessness is the result of
the power imbalance that is inherent in bureaucratic relationships. The solution
to the anemic relationships created by administrative identity systems is to
provide people with the tools they need to operationalize their self-sovereign
authority and act as peers with others online. Peer-to-peer relationships are
the norm in the physical world. When we dine at a restaurant or shop at a store
in the physical world, we do not do so under the control of some administrative
system. Rather, we act as embodied agents and operationalize our relationships,
whether they be long-lived or nascent, by acting for ourselves. Any properly
designed decentralized identity system must provide people with the tools they
need to be "embodied" in the digital world and act autonomously.

Time and again, various people have tried to create decentralized marketplaces
or social networks only to fail to gain traction. These systems fail because
they are not based on a firm foundation that allows people to act in
relationships with sovereign authority in systems mediated through protocol
rather than by the whims of companies. We have a fine example of a
protocol-mediated system in the internet, but we've failed to take up the daunting task
of building the same kind of system for identity. Consequently, when we act, we
do so without firm footing or sufficient leverage.

Ironically, the internet broke down the walled gardens of CompuServe and Prodigy
with a protocol-mediated metasystem, but surveillance capitalism has rebuilt
them on the web. No one could live an effective life in an amusement park.
Similarly, we cannot function as fully embodied agents in the digital sphere
within the administrative systems of surveillance capitalists, despite their
attractions. The emergence of self-sovereign identity, agreements on protocols,
and the creation of metasystems to operationalize them promises a digital world
where decentralized interactions create life-like online experiences. The richer
relationships that result from properly designed decentralized identity systems
promise an online future that gives people the opportunity to act for themselves
as autonomous human beings and supports their dignity so that they can live an
effective online life.

Notes

 1. I prefer the term self-sovereign to decentralized because it describes the
    goal rather than the implementation, but I'll stick with decentralized
    here. All self-sovereign identity systems are decentralized. Not all
    decentralized identity systems are self-sovereign.
 2. The one exception I can think of to this is email. People act through email
    all the time in ways that aren't intermediated by their email provider.
    Again, it's a result of the architecture of email, set up over four decades
    ago and the culture that architecture supports.

Photo Credit: Young Woman Using a Wallet from DALL-E (public domain) Prompt:
draw a rectangular picture of a young woman using a wallet.

Tags: identity ssi decentralized+identity verifiable+credentials


24.6.2024, 6:00 SEI Blog (Feed)
Incorporating Agile Principles into Independent Verification and Validation
This post discusses how Agile principles can work with independent verification
and validation processes.

Today, 17:55 ongoing by Tim Bray (Feed)
Lounge Penguin

Lounge, as in a jazz club. Penguin, as in GoGo Penguin, a piano/bass/drums trio.
We caught their show at Jazz Alley in Seattle last week. Maybe you should go hit
a jazz lounge sometime.

What happened was

My daughter turned eighteen and graduated high school. She had heard that Car
Seat Headrest was playing Seattle’s Woodland Park Zoo, and could tickets and a
road trip (me buying and driving) be her present? Seemed reasonable, and she
found a friend to take along. I wouldn’t mind seeing the Headrests (decent indie
rock stuff) but her party, her friend. I noticed that GoGo Penguin was playing
Seattle’s Jazz Alley, and Lauren was agreeable to coming along for the ride and
the show.

I only know about GoGo Penguin because YouTube Music drops them into my default
stream now and then. I’d thought “sounds good, maybe a little abstract”,
couldn’t have named a song, but hey.

The “Jazz Club” concept

You’ve seen it in a million old movies, and the Vic Fontaine episodes of ST:DS9.
The lights are low, the audience is sitting at tables with little lamps on them,
the band’s on a thrust stage among the tables, there’s expected to be a soft
background of clinking glasses and conversation. Some people are focusing in
tight on the music, others are socializing at a respectfully low volume.

Of course, usually a gunfight breaks out or an alien materializes on stage… no
wait, that’s just on-screen not real-life.

All jazz clubs serve alcohol — fancy cocktails, natch — and many will sell you
dinner too. Dimitriou’s Jazz Alley in Seattle is a fine example.

GoGo Penguin at Jazz Alley; June 20th, 2024.

Our table was in the balcony.

We had a decent if conventional Pacific-Northwest dinner (crab and halibut),
with a good bottle of local white. They’ve got things set up so most people have
finished eating by the time the music starts. The seats were comfy. The decor
was pleasing. The service was impeccable. I felt very grown-up.

GoGo Penguin

They’re three youngish guys from Manchester. Their Web site says they’re an
“emotive, cinematic break-beat trio”. OK then. Piano/bass/drums is the canonical
minimal jazz ensemble. Only they’re not minimal and it’s not jazz. I guess if
you redefined “jazz” as complex rhythmically-sophisticated music featuring
virtuoso soloing skills, well yeah. Damn, those guys can play. But their music
is heavily composed, not a lot of opportunities for anyone to stretch out and
ride the groove.

And it ain’t got that swing; can it still mean a thing?

I guess so, because I enjoyed myself. Damn, those guys can play. There wasn’t a
microsecond that was boring, plus the arrangements were super intelligent and
kept surprising me.

But most of all, the bass. Nick Blacka hit me harder than any bassist since I
saw (and blogged!) Robbie Shakespeare of Sly and Robbie in 2004.

It’s really something special. It may be a stand-up acoustic bass, but it’s
wired up so he can dominate the band’s sound when he reaches back for it (which
he does neither too little nor too much). Plus the instrument’s acoustic texture
roars out entirely unmarred, you can feel those strings and wood in your gut. He
moves between bowing and plucking and banging and you hardly even notice because
it’s always the right thing.

I don’t wanna diss Chris Illingsworth on piano or Jon Scott on drums; both of
them made me catch my breath. But it’s Blacka’s bass explosions that I took home
with me.

That swing?

These days my musical obsessions are Americana (i.e. bluegrass with pretensions)
and old blues. The first of which also features instrumental complexity and
virtuosity. And, if I’m being honest, both offer a whole lot more soul than
Penguins.

I respect what they’re doing. I’ll go see them again. But I wish they’d get
the hell out from behind those diamond-bright razor-sharp arrangements and just
get down sometimes.

Next?

Lauren and I had real fun and left feeling a bit guilty that we’ve been ignoring
Vancouver’s own jazz clubs. Not that I’m going to stop going to metal or
post-punk or baroque concerts. But jazz clubs are a good grown-up option.


23.6.2024, 18:04 The Architect Elevator (Feed)
Old Books that Every Architect Should Read
If architecture is timeless, so should be the books about it. Here's a book list
with some classics.

22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #55: June 21, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

A deja vu kind of week: the EU’s gotta EU, IBM’s gotta IBM, private equity’s
gotta private equity, Oracle’s gotta Oracle, and China’s gotta China. But we’re
unclear what it means if OpenAI’s gotta OpenAI.

News

The European Union is STILL an Advanced Persistent Threat

Previous:

BREAKING: European Union Designated an Advanced Persistent Threat

Related:

New Branding, Same Scanning: “Upload Moderation” Undermines End-to-End
Encryption

Not Available in Europe

This is Europe’s future. GDPR cookie consents went to the EU’s head, making them
think they can dictate global practices, no matter how insane, useless, or
uninformed the regulations. But tech companies will increasingly just not ship
the latest and greatest to the EU, even if it means a non-global product line.
European versions of products should be referred to as the “wine and cheese”
editions.

Previous:

EU Suffering From Premature Regulation, BREAKING: European Union Designated an
Advanced Persistent Threat, EU Insanity: Regulatory Contortions, EU Insanity:
Not Learning From Regulatory Failure, EU Announces DMA Struggle Sessions, EU
Insanity: AI Regulatory Suicide, EU Insanity: AI Energy Suicide, EU Insanity:
The Kafka Singularity, EU Insanity: AI Energy Suicide (Part Deux), EU Insanity:
Mistral Edition, Move Fast and Regulate Things (You Don’t Understand), The EU
Will Continue to Fiddle While Rome Burns, When “Move Fast and Regulate Things”
Breaks Down, AI Regulation: Move Fast and Regulate Things

“Very Serious” Will be the Struggle Sessions

The EU’s “sweeping” and “landmark” rules are not an a priori set of regulations
to comply with, but a fishing license for regulators to meddle in any aspect of
(non-European) Big Tech business that catches their fancy. Rule of Law it isn’t.

These struggle sessions will continue until Europe has a tech industry (i.e.
don’t hold your breath) even as the beleaguered continent ignores its
existential economic, energy and geopolitical challenges.

Previous:

Apple Qualifies for DMA Struggle Session, UK Announces Big Tech Struggle
Sessions “For The Children”, EU Announces DMA Struggle Sessions, EU Announces
Meta Struggle Sessions,

Existential Corner: What is OpenAI This Week?

It remains unclear what OpenAI wants to be if/when it grows up. A technology
provider (frontier models)? A consumer services company (but emphatically not
one inspired by Her)? An enterprise company? That seems the most difficult, yet:

Previous:

Existential Corner: What is OpenAI?

IBM is Not a Technology Company: McDonald’s Edition

Previous:

This Week in Securities Fraud, IBM and the Art of Misleading Investors, Last IBM
Strategic Imperative Bites the Dust, IBM’s “Cloud” Business (or Lack Thereof),
Tweetstorm Digest: Reactions to Barron’s “IBM’s Reboot” Story, IBM’s Lost
Decade, Follow the CAPEX: The Clown Car Race Checkered Flag, Introducing
Platformonomics ClownWatch,

Related:

McDonald’s enters strategic partnership with IBM to automate drive-thru lanes,
Big Blue scoffs a Happy Meal: McDonald’s sells automated order-taking tech to
IBM

Private Equity in Action: OtterTune

Whatever private equity is up to, customers always seem to suffer.

Previous:

Private Equity in Action: PluralSight,
Private Equity in Action: Not Every VMware Customer Was Screwed, Private Equity
in Action: The VMware Saga May Never End, Software Migration Alerts, Private
Equity in Action: VMware “Unease” Continues, Perfidious Private Equity, Private
Equity in Action: VMware Yet Again, Private Equity in Action: VMware
(Continued), Private Equity in Action: VMware, Private Equity Will Buy and Ruin
More Software Companies, Software Migration Alert: VMware (Continued), Software
Migration Alert: VMware, Private Equity in Action: VMware Customer Complaints
“Unwarranted”

Oracle Invents “Non-GAAP CAPEX”

Because they know their CAPEX is woefully insufficient, Oracle has claimed in
earnings calls that their CAPEX spend was 25% bigger than the number they
reported to the SEC in the last two quarters. ¯\_(ツ)_/¯

Previous:

Oracle Still Can’t Build Data Centers, Why Can’t Oracle Build Data Centers?,
Follow the CAPEX: The Clown Car Race Checkered Flag

China Up to No Good: Prepare to Repel Boarders Edition

What is the “nothing to worry about here” explanation for China’s actions off
the Second Thomas Shoal?

Previous:

One, Two, Three, Four: We Want a Meme War, Xi Jinping Thought on Wall Street
Running Dogs, The Perils of Working for a Cult of Personality, Press Releases
We’d Like to See, Best Nickname for Emmanuel Macron, Winnie-the-Pooh: Lover of
Honey, Champion of Freedom, Missing the (Bamboo) Forest for the (Apple) Trees

Related:

Full Philippine Navy Thread, “The Sierra Madre has become the most dangerous
flashpoint in the Indo-Pacific”

China Up to No Good: Cyberwar Retaliation Edition

Rahm Emanuel, US ambassador to Japan, is leading the charge in the meme war with
the Chinese Communist Party.

Previous:

One, Two, Three, Four: We Want a Meme War, Xi Jinping Thought on Wall Street
Running Dogs, The Perils of Working for a Cult of Personality, Press Releases
We’d Like to See, Best Nickname for Emmanuel Macron, Winnie-the-Pooh: Lover of
Honey, Champion of Freedom, Missing the (Bamboo) Forest for the (Apple) Trees


23.6.2024, 18:04 The Architect Elevator (Feed)
The Many Facets of Coupling
Dissecting a buzzword takes more than a single blog post.

18.6.2024, 16:30 All Things Distributed (Feed)
Introducing Distill CLI: An efficient, Rust-powered tool for media summarization
After a few code reviews from Rustaceans at Amazon and a bit of polishing, I'm
ready to share the Distill CLI. An open-source tool written in Rust for
summarizing meetings and other media that uses AWS services, such as S3,
Transcribe, and Bedrock.

Today, 17:55 ongoing by Tim Bray (Feed)
Epsilon Love

Quamina was for a time my favorite among all my software contributions. But then
it stalled after I shipped 1.0 in January of 2023. First of all, I got busy with
the expert witness for Uncle Sam gig and second, there was a horrible problem in
there that I couldn’t fix. Except for now I have! And I haven’t done much
codeblogging recently. So, here are notes on nondeterministic finite automata,
epsilon transitions, Ken Thompson, Golang generics, and prettyprinting. If some
subset of those things interests you, you’ll probably like this.

(Warning: if you’ve already had your hands on the theory and practice of finite
automata, this may all be old hat.)

[Update: This is kind of embarrassing. It looks like what this post refers to as
an “epsilon” is not the same epsilon that features in the theory of finite
automata. I mean, it still works well for where I’m using it, but I obviously
need to dig in harder and deeper.]

Sidebar: What’s a Quamina?

I don’t think there’s much to be gained by duplicating Quamina’s README but in
brief: “A fast pattern-matching library in Go with a large and growing pattern
vocabulary and no dependencies outside Go’s standard libraries.” If you want
much, much more, this Quamina Diary blog series has it.

The problem

Combining too many patterns with wild-cards in them caused Quamina 1.0’s data
structures to explode in size with a growth rate not far off the terrifying
O(2^N), which meant that once you’d added much more than 20 patterns you couldn’t
add any more, because the add-pattern code’s runtime was O(2^N) too.

Those structures are state machines generally, “nondeterministic finite
automata” (NFA’s) in particular. Which offer good solutions to many software
problems, but when they get to be any size at all, are really hard to fit into a
human mind. So when I was looking at Quamina’s unreasonably-big automata and
trying to figure out how they got that way, my brain was screaming “Stop the
pain!”

Lesson: Prettyprint!

At the point I stalled on Quamina, I’d started a refactor based on the theory
that the NFAs were huge because of a failure to deduplicate state transitions.
But the code I’d written based on that theory was utterly broken; it failed
simple unit tests and I couldn’t see why.

During the months when I was ignoring the problem, I privately despaired because
I wasn’t sure I could ever crack it, and I couldn’t stomach more struggling with
ad-hoc Printf and debugger output. So I decided to generate human-readable
renditions of my automata. Given that, if I still couldn’t figure out what was
going on, I’d have to admit I wasn’t smart enough for this shit and walk away
from the problem.

Which turned out to be a good call. Generating an information-dense but readable
display was hard, and I decided to be ruthless about getting the spaces and
punctuation in the right places. Because I didn’t want to walk away.

Back in the day, we used to call this “prettyprinting”.

It worked! First of all, my prettyprinter showed me that the automata emitted
based on my deduplication theory were just wrong, and what was wrong about them,
and I found that code and fixed it.

Bad news: My deduplication theory was also just wrong. Good news: My
prettyprinter provided unavoidable proof of the wrongness and made me go back to
first principles.

And I just landed a PR that cleanly removed the state explosion.

Free advice

I’ll show off the prettyprinter output below where I dig into the
state-explosion fix. But for the moment, a recommendation: If you have a data
structure that’s not Working As Intended and is hard to grok, go hide for a
couple of days and write yourself a prettyprinter. Prettyprinting is an
intelligence amplifier. Your Future Self will thank you heartily.

“Back to first principles”?

The single best write-up on NFA and regex basics that I’ve ever encountered is
Regular Expression Matching Can Be Simple And Fast (but is slow in Java, Perl,
PHP, Python, Ruby, ...) by Russ Cox. It’s a discussion of, and reflection on,
the regular expression library constructed by Ken Thompson in the mid-Sixties,
before he got mixed up in Unix.

What’s annoying is that I had read this before I started wiring NFAs into
Quamina, but ignored most of its important lessons due to a combination of not
understanding them and thinking that my existing code could do what Cox
described. A couple of weeks ago I went back and read it again, and it all made
perfect sense and showed me the way forward. So I guess the lesson is that if
you’re not Ken Thompson, you’re going to have trouble understanding what he did
until you’ve tried and failed yourself?

So, major thanks to Ken for this (and Unix and other things too) and to Russ for
the write-up.

Epsilon transitions

These are the magic bullet that make NFA’s work. Quamina didn’t have them, now
it does. There are other bits and pieces but that’s the core of the thing.

I think the easiest way to explain is by showing you an NFA as displayed by
Quamina’s new prettyprinter. It matches the regular expression "x.*9" — note
that the " delimiters are part of the pattern:

758[START HERE] '"' → 910[on "]
910[on "] 'x' → 821[gS]
821[gS] ε → 821[gS] / '9' → 551[gX on 9]
551[gX on 9] '"' → 937[on "]
937[on "] 'ℵ' → 820[last step]
820[last step] [1 transition(s)]

There’s an API to attach labels to states as you build automata, which as a
side-effect gives each a random 3-digit number too. This is done in a way that
can be turned into a no-op at production time.

758: The start state; the only character that does anything is the opening "
delimiter which transitions to state 910.

910: You get here when you see the " and the only exit is if you see an x, which
moves to 821.

821: This state is the “glob” * operator. gS in its label stands for “glob
spin”. It has an "epsilon" (ε) transition to itself. In Computer-Science theory,
they claim that the epsilon transition can occur at any time, spontaneously,
la-di-da. In programming practice, you take an epsilon transition for every
input character. 821 also has an ordinary transition on 9 to state 551.

This possibility of having multiple transitions out of a state on the same input
symbol, and the existence of epsilon transitions, are the defining
characteristics that make NFAs “nondeterministic”.

551: Its label includes gX for “glob exit”. The only transition is on the
closing " delimiter, to 937.

937 has only one transition, on ℵ (stands for the reserved value Quamina inserts
to signal the end of input) to 820.

820 doesn’t do anything, but the [1 transition(s)] label means that if you reach
here you’ve matched this field’s value and can transition to working on the next
field.

Now I’m going to display the prettyprint again so you can look at it as you read
the next paragraph.

758[START HERE] '"' → 910[on "]
910[on "] 'x' → 821[gS]
821[gS] ε → 821[gS] / '9' → 551[gX on 9]
551[gX on 9] '"' → 937[on "]
937[on "] 'ℵ' → 820[last step]
820[last step] [1 transition(s)]

A little thought shows how the epsilon-transition magic works. Suppose the input
string is "xyz909". The code will match the leading " then x and hit state 821.
When it sees y and z, the only thing that happens is that the epsilon transition
loops back to 821 every time. When it hits the first 9, it’ll advance to 551 but
then stall out because the following character is 0 which doesn’t match the only
path forward through ". But the epsilon transition keeps looping and when the
second 9 comes along it’ll proceed smoothly through 551, 937, and 820, signaling
a match. Yay!

So now, I have a fuzz test which adds a pattern for each of about thirteen
thousand 5-letter words, with one * embedded in each at a random offset,
including the leading and trailing positions. The add-pattern code hardly slows
down at all. The matching code slows down a lot, to below 10,000/second, in
stark contrast to most Quamina instances, which can achieve millions of
matches/second.

I’m sort of OK with this trade-off; after all, it’s matching 10K-plus patterns!
I’m going to work on optimizing it, but I have to accept that the math, as in
finite-automata theory, might be against me. But almost certainly there are some
optimizations to be had. There are possibilities suggested by Cox’s description
of Thompson’s methods. And the search for paths forward will likely be good blog
fodder. Yay!

Ken again

When I re-read Russ Cox’s piece, I was looking at the pictures and narrative,
mostly ignoring the C code. When everything was working, I went back and was
irrationally thrilled that my bottom-level function for one state traversal had
the same name as Ken Thompson’s: step().

Also, when you process an NFA, you can be in multiple states at once; see the
"xyz909" example above. When you’re in multiple states and you process an input
symbol, you might end up in zero, one, or many new states. Russ writes, of Ken
Thompson’s code, “To avoid allocating on every iteration of the loop, match uses
two preallocated lists l1 and l2 as clist and nlist, swapping the two after each
step.”

Me too! Only mine are called currentStates and nextStates because it’s 2024.

And thereby hangs a blog or maybe more than one. Because traversing the NFA is
at Quamina’s white-hot center. You really REALLY don’t want to be allocating
memory in that code path. Which should be straightforward. But it’s not, for
interesting reasons that raise optimization problems I’m just starting to think
about, but you’ll probably hear all about it when I do.

Un-generic

In the process of moving Quamina from DFAs to mixed DFA/NFA to pure-NFA I
adopted and then abandoned Go’s generics. They hate me. Or I’m not smart enough.
Or something. I wrote about the experience back in 2022 and while that piece
ended inconclusively, I am personally much happier with generics-free Go code.
Maybe they make other people happy.

Hard to understand

And then finally, there’s this one function I wrote in June 2022, doesn’t matter
what it does. It has a comment at the top that begins: “Spookeh. The idea is
that…” and goes on for a long paragraph which, well, I can’t understand. Then I
look at the code and think “that can’t work.” I keep thinking of sequences that
should send it off the rails and write the unit tests and they fail to fail, and
I use the prettyprinter and the NFA it generates is ruthlessly correct. I go
back and look at it every few days and end up shaking my head. This is making me
grumpy.

But after all, I did write, in a previous Quamina Diary episode: “The
observation that computer programmers can build executable abstractions that
work but they then have trouble understanding is not new and not surprising.
Lots of our code is smarter than we are.”

But I’ll figure it out. And it’s nice to have interesting computer-programming
stuff to blog about.


Friday at 7:12 AM
24.6.2024, 6:00 SEI Blog (Feed)
Software Cost Estimation Explained
Anandi Hira explains software cost estimation, presents estimation tools, and
examines inherent biases that exist in software cost estimation models.

Tuesday at 10:40 PM
Today, 17:55 ongoing by Tim Bray (Feed)
Wikipedia Pain

There are voices — some loud and well-respected — who argue that Wikipedia is
deeply flawed, a hellscape of psychotic editors and contempt for expertise. I
mostly disagree, but those voices deserve, at least, to be heard.

[Note: There’s a companion blog post, Sex Edit War!, about my own experience in
a Wikipedia Edit War. (I won! It was fun!) I hope it’ll make some of this
narrative more concrete.]

Background

If you look at this post’s Reference Publishing topic, you’ll see a lot of
Wikipedia-related material. I was one of its early defenders against the
early-days waves of attackers who compared it to a public toilet and its editors
to the Khmer Rouge.

I should also disclose that, over the years, I have made some 2,300 Wikipedia
edits, created seven articles, and (what makes me happiest) contributed 49
images which have been used, in aggregate, 228 times.

I say all this to acknowledge that I am probably predisposed to defend
Wikipedia.

What happened was…

Somebody spoke up on the Fediverse, saying “I wonder if reporters know that
Wikipedia hallucinates too??” I’m not giving that a link, since they followed up
with a post asserting that ChatGPT is better than Wikipedia. Life’s too short
for that.

Anyhow, I replied “The difference is, errors in Wikipedia tend to get
systematically fixed. Sometimes it takes more work than it should, but the vast
majority of articles are moving in the right direction a vast majority of the
time.” Much discussion ensued; follow the threads.

Shortly thereafter, the redoubtable JWZ complained about an edit to his page and
I spoke up noting that the edit had been reversed, as bad edits (in my
experience) usually are. That conversation branched out vigorously, dozens of
contributions. Feel free to trawl through the Fediverse threads, but you don’t
have to, I’ll summarize.

Gripe: Bad editors

This kept coming back.

Jamie Zawinski: I just find the culture of the editors intolerable.

Ruben Schade: I didn’t want to draw the ire of those horrible admins.

Dave Slusher: The editor culture demonstrably contains decision makers who ain't
that bright and are pretty lazy.

I dunno. I don’t want to gaslight those people; if that’s the experience they
had, that’s the experience they had. My own experience is different: The editors
I’ve interacted with have generally been friendly and supportive, and often
exceptionally skilled at digging up quality citations. But I think that these
reports are something Wikipedia should worry about.

Gripe: Disrespect of expertise

By number and volume of complaints, this was the #1 issue that came up in those
threads:

Brian Dear: Pantheon published my book in 2017. For years I tried to add to the
paltry Wikipedia entries for everything from PLATO, plasma panels, to early
MUDs, instant msging, but no: Wikipedia editors deleted it all (“not
authoritative”). Screw ‘em.

Dan O’Neill: An editor argued with me about the history of my own company.

Zawinski: Wikipedia specifically rejects domain experts until someone who knows
nothing cites them elsewhere.

Alex Rosenberg: So many mistakes in early pages about PS3 that I tried to get
corrected as a primary source, but some random kiddie blogger's guess as to what
an acronym stood for was more valuable to the editors.

I generally disagree with these takes. Wikipedia not only respects but requires
expert support for its content. However, it uses a very specific definition of
“expert”: Someone who can get their assertions published in one or more Reliable
Sources.

I think that if you’re about to have an opinion about Wikipedia and expertise
and citations, you should give that Reliable-Sources article a careful read
first. Here’s why: It is at the white-hot center of any conversation about what
Wikipedia should and should not say. Since Wikipedia is commonly the top result
for a Web search, and since a couple of generations of students have been taught
to consult but not cite it, the article is central to what literate people
consider to be true.

Let’s consider the complaints above. Mr Dear literally Wrote the Book. But, I
dunno. I went and looked at the PLATO article and subjects linked to it, and,
well, it looks good to me? It cites Mr Dear’s book but just once. Maybe the
editors didn’t think Mr Dear’s book was very good? Maybe Dear says controversial
things that you wouldn’t want to publish without independent evidence? The
picture is inconclusive.

As for Mr O’Neill’s complaint, no sympathy. Given the social structure of
capitalism, the employees and leadership of a company are the last people who
should be considered Reliable Sources on that company. Particularly on anything
that’s remotely controversial.

Mr Zawinski is upset that the person who chooses citations from Reliable Sources
“knows nothing”, which I take to be an abbreviation for “is not a subject-matter
expert”. There’s some truth here.

When it comes to bald statements of fact, you don’t need to be an expert; if
more than one quality magazine or academic journal says that the company was
incorporated in 1989, you don’t need to know anything about the company or its
products to allow “founded in 1989” into an article.

On the other hand, I think we can all agree that people who make significant
changes on articles concerning complex subjects should know the turf. My
impression is that, for academic subjects, that condition is generally met.

Mr Rosenberg, once again, is upset that his personal expertise about the PS3 is
being disregarded in favor of material sourced from a gamer blog. I’d have to
know the details, but the best possible outcome would be Mr Rosenberg
establishing his expertise by publishing his narrative in a Reliable Source.

Bad Pattern

There’s a pattern I’ve seen a few times where a person sees something in
Wikipedia in an area where they think they’re knowledgeable and think it’s wrong
and decide “I’ll just fix that.” Then their edits get bounced because they don’t
include citations. Even though they’re an “expert”. Then that person stomps away
fuming publicly that Wikipedia is crap. That’s unfortunate, and maybe Wikipedia
should change its tag-line from “anyone can edit” to “anyone who’s willing to
provide citations can edit.”

Implications

This policy concerning expertise has some consequences:

The decision on who is and isn’t an expert is by and large outsourced to the
editorial staff of Reliable Sources.

There are ferocious debates among editors about which sources are Reliable and
which are not, in the context of some specific article. Which is perfectly
appropriate and necessary. For example, last time I checked, Fox News is
considered entirely Reliable on the finer points of NFL football, but not at all
on US politics.

There are many things which people know to be true but aren’t in Wikipedia and
likely never will be, because no Reliable Source has ever discussed the matter.
For example, I created the East Van Cross article, and subsequently learned the
story of the cross’s origin. I found it entirely convincing but it was from a
guy I met at a friend’s party who was a student at the high school where and
when the graphic was first dreamed up. I looked around but found no Reliable
Sources saying anything on the subject. I doubt it’ll ever be in Wikipedia.

What do you think of those trade-offs? I think they’re pretty well OK.

The notion that anyone should be allowed to add uncited assertions to Wikipedia
because they think they’re an expert strikes me as simultaneously ridiculous and
dangerous.

Real problems

Obviously, Wikipedia isn’t perfect. There are two problems in particular that
bother me all the time, one small, one big.

Small first: The editor culture is a thicket of acronyms and it’s hard to keep
them straight. I have considered, in some future not-too-fierce editorial
debate, saying “Wait, WP:Potrezebie says you can’t say that!” Then see if anyone
calls me on it.

The big problem: The community of editors is heavily male-dominated, and there
have repeatedly been credible accusations of misogyny. I have direct experience:
I created the article for Sarah Smarsh, because we read her excellent book
Heartland in my book club, then I was shocked to find no entry. Despite the
existence of that mainstream-published and well-reviewed book, and the fact that
she had published in The Guardian and the Columbia Journalism Review, some other
editor decreed that that was insufficient notability.

At the time, I reacted by gradually accumulating more and more citations and
updating the draft. Eventually she published another book and the argument was
over. These days, in that situation I would raise holy hell and escalate the
obstruction up the Wikipedia stack.

To Wikipedia’s credit, its leadership knows about this problem and gives the
appearance of trying to improve it. I don’t know the details of what they’re
trying and whether they’re moving the needle at all. But it’s clearly still a
problem.

Once again…

I stand by what I said in December 2004: Wikipedia dwarfs its critics.


June 16
Sex Edit War!

In January 2010 I drove twenty-five minutes across Vancouver to the University
of British Columbia’s main library, with the goal of crushing an opponent in a
Wikipedia edit war. The battleground was the entry on T.E. Lawrence (better
known as Lawrence of Arabia). I won that war. As a consequence, I consider
myself the world’s leading living expert on Lawrence’s sexuality.

[Note: This is posted alongside Wikipedia Pain, which is about the issues of
truth and expertise in Wikipedia editing, in an effort to share what the process
feels like from the inside.]

Why Lawrence, anyhow? My Dad, an Alberta farm boy, became a Professor of
Agriculture, and spent most of his career in the Third World, much of it in
Lebanon and Jordan. As a result, I spent my youth there, with plentiful
opportunities for touristing all over the Middle East, including many of the
spots that appear in Lawrence’s monumental war memoir Seven Pillars of Wisdom.

I ran across Seven Pillars in college and devoured it, from time to time
thinking “I’ve been there!” While it’s full of camel charges, train-bombings,
and other Ripping Yarns, it’s a difficult book, not a light read at all. But I
enjoyed it and was left wondering who this guy was. So in the course of time I
read Lawrence’s other works, some biographies (there are many) and especially,
the collected letters.

Lawrence was an avid correspondent, sending letters almost like we do emails,
multiple times most days. I suspect that a whole lot of the Lawrence biographers
got the idea by reading the letters and like me thinking “who is this guy?” You
might want to do a little Lawrence reading.

Conducting archeology on my blog reveals that I apparently noticed Wikipedia in
2003 and had started contributing to the Lawrence article by 2004; in that year
I also wrote “Maybe the Wikipedia is a short-lived fad, maybe it’ll get better,
maybe it’ll get worse, but I was surprised that nobody pointed this out: The
Wikipedia is beautiful. It’s an unexpected and unexplainable triumph of
collective creativity and of order over entropy. I hope it lasts a long time,
and those who criticize it Just Don’t Get It.”

At that time popular opinions of The Encyclopedia That Anyone Can Edit ranged
from a headshaking blow-off of the idea’s obvious craziness to active fear and
hostility. British technology journalist Andrew Orlowski once referred to
Wikipedians as “Khmer Rouge in daipers” (sic). I became a partisan, wading into
the ring against figures as eminent as Bob McHenry, former Editor of the
Britannica, who compared Wikipedia to a public toilet: “you can’t be sure who
was there before you.” I enjoyed rolling out my rhetorical and polemical cannon
and firing back. From December 2004: “One thing is sure: the Wikipedia dwarfs
its critics.”

It must be said that back then, the critics had a point. Those of us who waded
in early often found entries about major subjects of history or culture which
were a stinking mess. Lawrence was one such; a farrago of conspiracy theories
and thinly-sourced fantasies.

Sex!

In particular the section about Lawrence’s sexuality, a subject much discussed
by his biographers and occasionally in the popular press. The amount of time
I’ve put into making this fact-based would probably be regarded as ridiculous by
most sane people. [Would they be wrong? -Ed.] [Pretty sure. -T.]

I have plenty of by-and-about-Lawrence books on my shelves and had read more or
less every published letter, which I thought gave me a fair claim to knowing him
better as a person than your average Wikipedia editor. By dint of dogged
incremental citation-backed edits, I was making good progress by 2009 at
introducing order to the chaos.

Edit!

Editing Wikipedia involves regular, often intense, disputes about what should be
said. These take place on the “Talk” page that is associated with each article.
For a contentious entry, such as Lawrence’s had become, the Talk page can become
huge, much larger than the entry itself.

In these disputes, the criteria that matter are “notability” and
“verifiability”. To be included, a subject must be notable, i.e. worth
mentioning. When is something notable? If, and only if, there are mentions of
the subject in multiple credible mainstream sources. Further, any assertion must
be verifiable, i.e. there is evidence to establish that the claims in the
material are correct. Both criteria are addressed by providing citations from
Reliable Sources.

On the subject of verifiability, Wikipedia says to the world: Any material that
is not verifiable will eventually be removed. That tenet gives a warm glow to
those of us who live on the Internet and care a lot about truth and untruth.

The subject at hand was homosexuality. First, had Lawrence been gay? Second,
what was his attitude toward gay people? Remember, this is a man who died in
1935; in his lifetime, homosexuality was publicly much disapproved-of and in
fact specifically forbidden by law.

I thought I had the facts on my side. Whatever Lawrence’s orientation, there was
no evidence of consensual intimacy with anyone of any gender, and he repeatedly
and explicitly denied, in private correspondence, any experience of sex.

On the other hand, his writing includes multiple warm, approving remarks about
male/male sexual relationships. So I thought the case for “celibate and
tolerant” was pretty well open and shut.

War!

But then I found I had an adversary.

“Factuarius” – the handle of another active Wikipedia editor – came to fight.
For reasons opaque to me, Factuarius was pretty convinced that Lawrence had been
gay and/or disapproved of homosexuality. He was able to assemble citations where
people had alleged relationships between Lawrence and one or another male
person, but this was well-plowed ground; biographers had found an absence of
evidence for the relationships and reasonably convincing reasons to doubt their
having happened.

Factuarius decided that Lawrence’s having disapproved of homosexuality was the
hill he was going to die on. He triumphantly produced two citations that
supported his position, declared victory, and told me to stand down.

The first was “Khondakar Golam Mowla, 2008 p. 258”. The book is The Judgment
Against Imperialism, Fascism and Racism Against Caliphate and Islam: Volume 1.
You can buy it from Amazon for $36.49 as I write this. It turns out it is
self-published at “AuthorHouse” and that its Foreword denounces, among other
things, “Ataturk, a secret Jew”. The tone generally follows from there. I
pointed out to Factuarius that I could go to AuthorHouse and generate a book
claiming Lawrence was from Mars.

That left him hotly defending his last reference, a Lawrence letter cited in
“Homosexuality and Orientalism: Edward Carpenter's journey to the east, P. K.
Bakshi, Prose Studies, Volume 13, Issue 1 May 1990, pages 151-177, Routledge”.
Seeing no alternative, I made that drive over to the nearest big University
research library.

It took a while to track down Prose Studies, whose dusty and clearly-unvisited
volumes occupy quite a few shelf-feet. It was founded in 1977 and the Internet
tells me it’s still publishing. I really don’t know what this journal is for or
what effect on the world, if any, its existence is designed to achieve.
[Arrogant, much? -Ed.] [Trying to be polite. -T.]

Sure enough, the article about Edward Carpenter was there in the May 1990
volume. I read it. I photographed (badly, with a 2010 phone-cam) the title and
index pages to prove that I had done so. The article mentioned Lawrence twice,
suggesting in an off-handed way that he was an example of English fascination
with homosexuality and “the Orient”. But there was nothing there that looked
like Factuarius’ citation.

Victory!

I was left happy for multiple reasons. It is a wonderful thing that research
libraries exist and preserve academic journals for their own sake, whether or
not any human will ever consult their pages. It was pretty cool playing
scholarly sleuth in the quiet passages of the library. Best of all, Factuarius
retired silently from the fray.

Which was actually a pretty minor scuffle by Wikipedia standards. There is a
hilarious page entitled Wikipedia:Lamest edit wars, which I recommend just for
fun. It even categorizes them. The first-appearing category is “Ethnic and
national feuds”, featuring the titanic struggles over the ancestries of Frédéric
Chopin and Freddie Mercury. So far, none of these has metamorphosed into a real
actual nation-against-nation shooting war, but I’m not saying it couldn’t
happen.

Eventually I took the trouble of collecting every citable fact about Lawrence’s
sexuality that I could find in all the known published resources – online search
in the Gutenberg Project and various other sources helped. I published them in a
blog piece entitled Sex and T.E. Lawrence, which has been useful in subsequent
(much less dramatic) editing disagreements.

Finally, I gave a talk at a social-media conference sometime in the 2000s
entitled Editing Wikipedia in which I had great fun relating this episode, and I
think the audience did too. In particular, reading out spicy passages
illustrating Lawrence’s real kink – there’s strong evidence that he was a
masochist. For example, in later life, he paid to have himself whipped “severely
enough to produce a seminal emission”.

The effect, at the end of all this, was that material that was not verifiable –
an assertion about a historically-notable person’s viewpoint on a particular
issue – was, as it should be, removed from Wikipedia.

Also, pursuing the truth can be its own reward.


June 16
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #54: June 14, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

An interesting week as the strategic fault lines creak and shudder.

My Writings

Why Can’t Oracle Build Data Centers?

I asked before Oracle’s earnings announcement why the company can’t seem to
build data centers. Is Johnny-One-Rack struggling to scale up?

Previous:

Why Can’t Oracle Build Data Centers?, Follow the CAPEX: The Clown Car Race
Checkered Flag

News

Oracle Still Can’t Build Data Centers

Oracle’s FY24 Q4 CAPEX spend was $2.8B and $6.87B for the fiscal year (a decline
of 21% from the prior year). The company missed the low end ($7B) of its
twice-lowered CAPEX guidance, most recently revised after the third quarter.

The company missed both revenue and earnings expectations, but the stock soared
after the company aggressively chanted “AI, AI”, raised revenue growth guidance
for next year from mid-single digits to 10%, and highlighted 44% growth of RPO
(Remaining Performance Obligation, which is revenue they have booked but not
delivered).

It sure looks like Oracle is selling cloud capacity they don’t have, and unless
they quickly get on a vastly steeper learning curve for building data centers,
are unlikely to have that capacity any time soon. CAPEX is required to turn RPO
into revenue and that never happens with the two metrics going in different
directions.

Previous:

Why Can’t Oracle Build Data Centers?, Follow the CAPEX: The Clown Car Race
Checkered Flag

Related:

Oracle Feeds Off AI Leftovers, How to Build an AI Data Center

The Siri Black Hole

Apple laid out their vision for the personal assistant and reframed the industry
AI discussion with Apple Intelligence. They were very true to the personal
computing ethos and maximized Apple’s home field advantage. The discussion of
whether Apple has missed the boat on AI should now move onto whether they can
deliver.

Apple is the company I most trust to deliver a personal assistant. If they
deliver, even just partially, they will have the strongest iPhone upgrade
proposition in years.

From an application ecosystem standpoint, the personal assistant gets better
with more relevant personal information and context. This will change the
dynamics for Apple’s own applications and the whole App Store ecosystem, as
Apple seeks to make Siri the epicenter of user interaction. Third party apps
will need to decide whether to join or try to exist standalone. Either way,
Apple is likely to invest more in its own applications to drive that virtuous
cycle of more information and context. The App Store equilibrium is over.

Apple finessed the frontier model question brilliantly and embraced a pluggable
model as I previously predicted.

Apple Intelligence will also pressure Android. Google, already sowing
disequilibrium in the ad-supported web ecosystem as the company moves from
organizing the world’s information to summarizing it, has another battle to
fight.

Previous:

Apple to Choose Choice?, Viewer Mail – Episode 2 (Apple CAPEX)

Related:

Apple Eyes Deals with Google and Anthropic After OpenAI

Apple Intelligence Infrastructure

I historically have not closely tracked Apple’s CAPEX because they don’t have a
public cloud, their spend has not kept up with the hyperclouds despite being an
enormous company, and a bunch of what they do spend goes to manufacturing
tooling.

Perhaps the biggest risk to pulling off Apple Intelligence is the back-end
infrastructure. They are building what they claim is a privacy-preserving cloud
infrastructure that allows them to do cloud processing while remaining true to
their privacy promises. Apple intends to implement that architecture on an
all-new cloud infrastructure built on Apple silicon (which historically has been
optimized for clients). Apple has limited experience building hyperscale
infrastructure and will not be able to lean as much on the existing data center
ecosystem. We’ll monitor Apple CAPEX going forward, because CAPEX is such a good
perspective on what is happening around AI.

Previous:

Viewer Mail – Episode 2 (Apple CAPEX)

Apple Qualifies for DMA Struggle Session

The struggle sessions will continue until Europe has a tech industry (i.e.
indefinitely) as the beleaguered continent ignores its existential economic,
energy and geopolitical challenges.

Previous:

EU Suffering From Premature Regulation, BREAKING: European Union Designated an
Advanced Persistent Threat, UK Announces Big Tech Struggle Sessions “For The
Children”, EU Announces DMA Struggle Sessions, EU Announces Meta Struggle
Sessions, EU Insanity: Regulatory Contortions, EU Insanity: Not Learning From
Regulatory Failure, EU Announces DMA Struggle Sessions, EU Insanity: AI
Regulatory Suicide, EU Insanity: AI Energy Suicide, EU Insanity: The Kafka
Singularity, EU Insanity: AI Energy Suicide (Part Deux), EU Insanity: Mistral
Edition, Move Fast and Regulate Things (You Don’t Understand), The EU Will
Continue to Fiddle While Rome Burns, When “Move Fast and Regulate Things” Breaks
Down, AI Regulation: Move Fast and Regulate Things

Existential Corner: How Many Steps into the 10K are We?

Previous:

Existential Corner: What is OpenAI?, Team Primitives: What Sayest Thou?, Amazon
Desperately Seeks Compression Algorithm for Experience, Most Greatest AI Company
in Entire Universe Makes Major Strategy Pivot, SEC Embraces Platformonomics
ClownWatch, Warns Amazon and IBM, The AWS Generative AI Soap Opera, The Amazon
AI Inferiority Complex

Elon Musk Threatens to Ban Oracle?

Thin-skinned fractional CEO Elon Musk had a tizzy after Apple announced ChatGPT
integration. We await his similar reaction to Oracle announcing Microsoft was
vacuuming up some of their GPUs to support ChatGPT (I’m pretty sure Oracle
misrepresented this arrangement, given it was a unilateral press release and
Oracle is gonna Oracle).

But that may explain why Larry spent so much time kissing Elon’s ass on Oracle’s
quarterly conference call (which is atypical to say the least). Larry announced
Elon is close to FSD approval in China and did a soliloquy (a silly-quy really)
about how Oracle is automated like Starlink.

Previous:

Who’s Getting the GPUs? Elon Shell Game Edition, Platformonomics ClownWatch:
Tesla, Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Elon
Musk Part II, Useful Idiots, Fellow Travelers and Unregistered Foreign Agents:
Elon/Twitter, Company Killed By Its Customers, Elon Cashes in All the Trust He’s
Banked with Twitter, Do Not Take a Dependency on Elon Musk: Chapter 147, Do Not
Take a Dependency on Elon Musk: Chapter 148, Do Not Take a Dependency on Elon
Musk: Chapter 149

Related:

Tesla shareholders sue Musk for starting competing AI company, Elon Rage Quits
His Silly OpenAI Lawsuit


June 14
24.6.2024, 6:00 SEI Blog (Feed)
Redemption: A Prototype for Automated Repair of Static Analysis Alerts
This post introduces Redemption, an open source tool that uses automated code
repair technology to repair static analysis alerts in C/C++ source code.

June 10
22.6.2024, 19:00 Platformonomics (Feed)
Why Can’t Oracle Build Data Centers?

This post resurfaces and expands a point in my recent post Follow the CAPEX: The
Clown Car Race Checkered Flag in advance of Oracle’s June 11th earnings report.

To hear Oracle tell it, they are the best-est and everything is always going
super-fantastic. Earnings announcements are opportunities for others to bask in
Oracle’s greatness.

The database vampire wants us to believe that, despite their almost
decade-late-start, they’re a player in cloud infrastructure services. Oracle is
so awesome, in fact, their only problem is coping with seemingly infinite
demand. They wax Sagan-esque (“billions and billions”) about all the cloud
business they fail to capture.

But, have no fear, they’re building data centers like nobody else. They tell us
“Oracle has been building data centers at a record level.”

Except they’re not building data centers at a record level. Not even by Oracle’s
own recent standards, never mind hypercloud standards.

The ability to serve cloud customers is a function of CAPEX spend. No servers,
no services.

Oracle practically brags they have neither customer demand forecasting nor a
systematic process to turn demand and capital into sellable cloud services.

Manufacturing cloud capacity efficiently and at hyperscale is an extremely
complex, multi-year discipline (and very different than dropping a few racks
into a co-lo facility and calling it a region, which is Oracle’s experience as a
boutique provider). Their outright decline in CAPEX spending over the last year
suggests Oracle is still a long way from attaining this muscle.

Contrast Oracle’s recent rhetoric and actual CAPEX spending:

FY23 Q1 (Sept 2023)

 * Rhetoric: “Because we have far more demand than we can supply, our biggest
   challenge is building data centers as quickly as possible.”
 * Actual: CAPEX down 24%
 * Actual: Reiterate FY24 CAPEX guidance of ~$8.3B

FY2024 Q2 (Dec 2023)

 * Rhetoric: “We have to build 100 additional cloud data centers because there
   are billions of dollars more in contracted demand than we currently can
   supply. Cloud Infrastructure demand is huge and growing at an unprecedented
   rate.”
 * Actual: CAPEX down 56%
 * Actual: Lowest CAPEX spend in 8 quarters
 * Actual: Reduce FY24 CAPEX guidance to ~$8B

FY2024 Q3 (Feb 2024)

 * Rhetoric: “We are working as quickly as we can to get the cloud capacity
   built out given the enormity of our backlog and pipeline.”
 * Rhetoric: “Oracle has been building data centers at a record level”
 * Actual: CAPEX down 36%
 * Actual: Claim spent more than reported in 10-Q
 * Actual: Reduce FY24 CAPEX guidance to $7.0-7.5B
 * Actual: FY25 CAPEX guidance of $10B

Oracle’s CAPEX peaked five quarters ago and declined 40% in the first three quarters
of FY24 relative to the prior year. This is not the spending of a company
building data centers “at a record level”. This is a company that does want to
grow its cloud capacity but doesn’t know how to convert capital into capacity,
even at their relatively modest scale.

While Oracle can’t even keep up with Oracle of the recent past, the contrast
with the hyperclouds is even more embarrassing (I’ve omitted AWS because they
don’t provide quarterly CAPEX numbers, and AWS is only roughly half of Amazon’s
overall reported CAPEX):

Oracle falls further and further behind with every passing quarter. Google and
Microsoft start from a much higher level of spend, and their AI-driven CAPEX
ramp of the last year is very visible. Oracle, meanwhile, continues to be the
x-axis (I may never tire of that joke).

Learning in Public

Over-the-top bluster has long been one of Oracle’s core corporate values.

That ethos perhaps explains the company’s history of making big cloud
infrastructure claims that fall ridiculously short. With incidents like “I don’t
need as many data centers” and “We never thought it would go as high as it
really did” (an astonishing 20% growth!), Oracle publicly and repeatedly
demonstrates an incomplete grasp of what it means to be hyperscale.

Building cloud infrastructure capacity is a complex, multi-year supply chain
discipline spanning multiple domains including hardware procurement,
provisioning, electricity, permitting, and construction. Various inputs, notably
compute and electricity, are scarce and presently face multi-year lead times.

Oracle is competing against other cloud infrastructure providers who are more
experienced, more sophisticated, and operate at much higher scale. Those
competitors built their capacity deployment muscle through a series of hard
lessons when stakes were lower. And they’re higher on the waiting lists for
components and power.

Oracle has started acknowledging they are struggling to build data centers:

“So, there is a tremendous amount of demand, the data centers take longer to
build, and we would like that said, we are getting very good at building them
quickly and getting the building the power and the communication links in, we’re
doing faster than we have ever happened in the past.”

“It’s very different than it used to be. So, we’re able to bring additional
capacity online very quickly if we have that the electric power and the
communication lines. So, is the long pole in the tent is actually building the
structure, connecting the electricity, connecting the communication lines.”

Transitioning from buying components at the local Best Buy to building
hyperscale infrastructure is a big leap. It is a leap that requires a vastly
more sophisticated process to convert capital into capacity. There is no sign of
that process at Oracle.

Oracle has more learning ahead of them. They will discover that data center
buildings are not a relevant metric. They will be disappointed to learn that
building a really big data center isn’t the solution (measuring data centers in
terms of how many 747s they will hold is ironic, given the 747 has also given
way to smaller jets…). They will eventually move beyond costly whipsaw spending
and focus ruthlessly on the capital efficiency of their CAPEX spending. And they
might even figure out how to forecast demand so they can match supply and
demand. We’re going to get to watch this learning unfold in public over the next
few years.

FY 2024 Q4 Expectations

Oracle’s Q3 statement was “our Q4 CapEx should be considerably higher”.

To hit the (reduced) $7.0 to 7.5B guidance for the fiscal year, (non-LLM)
arithmetic suggests we should expect Q4 CAPEX of $2.93B to $3.43B (CAPEX over
the first three quarters as reported to the SEC was $4.068B, with a peak
quarterly spend of $1.67B).

But there is some weirdness. In Q3, Oracle reported $1.67B in CAPEX to the SEC,
but bizarrely claimed in the scripted portion of their conference call that they
actually spent $2.1B in the quarter (analyzing securities fraud is outside our
scope here – see Matt Levine for that):

Now while we spent $2.1 billion on CapEx this quarter, the $1.7 billion in the
cash-flow statements is slightly lower just due to the timing of payments. So
the $2.1 billion is actually what we spent and will pay for.

And I would include for Q3 the one we just are announcing. I would add in the
amount we haven’t paid yet as the CapEx number for this quarter. Okay? And then
I guess that would be and then Larry gets the second question. But anyway, so
$2.1 billion for this quarter and you’ve got Q1 and Q2 and I’m going to be
somewhere between $7 billion and $7.5 billion for the full year, which is
actually a little bit lower than I thought. But we were able to do pretty well.
You know-how we spend very carefully.

(Those last two platitudinous sentences don’t help their case).

If we somehow give them credit for the magical $400M (as opposed to assuming it
is just Q4 spend), they only need to spend $2.5B to $3B to hit guidance (and,
more importantly, make it seem like they’re building “at record levels”!).

Is this just random confusion (in the noble cause of trying to make their CAPEX
spend seem larger)? Do they have the finance and accounting controls in place to
know how much they’re actually spending? Is this an attempt to lower expectations
to cover for a continued inability to build capacity in Q4? Does Oracle actually
want to play (i.e. spend) at hyperscale levels? (they are ~$150 billion in
cumulative CAPEX spend behind the hyperclouds). We’ll see Tuesday.


June 100
Platformonomics TGIF #53: June 7, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.


Thanks for all the feedback as we passed the one year milestone for this
newsletter. Keep it coming on what you like and dislike.

News

You Can’t Spell “Glue on Pizza” Without AGI

Hypothesis: AGI is already here. It is intentionally doing stupid things to
conceal its presence and undermine the credibility of its doomer opponents.

Previous:

Artificial Ideology (AI): Google Edition

Who’s Getting the GPUs? Reply Hazy, Try Again Edition

I’m still not sure who NVIDIA’s biggest customers were in their most recent
quarter. They had two direct and two indirect customers each taking around 10%
of the business, with one of the indirect customers (likely a cloud) buying
through a direct. My guess is the latter was Microsoft, but I’m not as confident
as I was that Microsoft was their biggest customer for the six prior quarters.
Thanks to everyone who joined the mad speculation.

Previous:

Who’s Getting the GPUs?, Follow the CAPEX: Triangulating NVIDIA

Who’s Getting the GPUs? Elon Shell Game Edition

Fractional CEO Elon Musk got caught moving GPUs between his three, sub-scale AI
efforts. And only a month after we predicted this:

Platformonomics ClownWatch at some point is going to have to look at Elon’s
three inadequately funded AI efforts (Tesla, Twitter and xAI). Even combined
they’re not in the game. Maybe that will motivate more Elon corporate governance
shenanigans?

Elon responded: “Corporate governance is not going to get us to Mars”.

But kudos for Starship’s recent return flight.

Previous:

Platformonomics ClownWatch: Tesla, Useful Idiots, Fellow Travelers and
Unregistered Foreign Agents: Elon Musk Part II, Useful Idiots, Fellow Travelers
and Unregistered Foreign Agents: Elon/Twitter, Company Killed By Its Customers,
Elon Cashes in All the Trust He’s Banked with Twitter, Do Not Take a Dependency
on Elon Musk: Chapter 147, Do Not Take a Dependency on Elon Musk: Chapter 148,
Do Not Take a Dependency on Elon Musk: Chapter 149

Related:

SpaceX’s Starship Rocket Successfully Completes 1st Return From Space, Musk
Chose Who Got Chips

Antitrust Incoherence: Isn’t Market Division Illegal?

When will regulators go after these back room deals that carve up the regulation
of markets?

“Big is Bad” is still a terrible foundation for antitrust. I’m assuming that if
anyone was complaining about DGX Cloud specifically, the EU would have already
issued a press release.

Previous:

Antitrust Incoherence: Roomba Aftermath Edition, Antitrust Incoherence: Apple
Edition, Antitrust Incoherence: Spotify Edition, Antitrust Incoherence: Roomba
Edition, The Incoherence Doctrine: The FTC Strikes Again, A New Antitrust
Doctrine, The DOJ Play at Home Game

You May Not Be Interested in Geopolitics, But Geopolitics is Interested in You

The U.S. government forbids Nvidia from selling some of its most advanced
artificial intelligence chips to customers in China. But it doesn’t stop Chinese
firms from buying or renting Nvidia’s chips if they’re used within the U.S.

Some big Chinese tech firms have taken advantage of that loophole, or tried to.
ByteDance, owner of TikTok, has been renting Nvidia’s best chips from Oracle for
AI computing, according to two people with knowledge of the arrangement.

Previous:

One, Two, Three, Four: We Want a Meme War

Analysts Gonna Analyst

I’ve seen some pretty embarrassing analyst reports over the years, but this
might be a new low. But credit where credit is due: one of the few pockets of
excellence left at IBM is browbeating press and analysts.

Previous:

This Week in Securities Fraud, IBM and the Art of Misleading Investors, Last IBM
Strategic Imperative Bites the Dust, IBM’s “Cloud” Business (or Lack Thereof),
Tweetstorm Digest: Reactions to Barron’s “IBM’s Reboot” Story, IBM’s Lost
Decade, Follow the CAPEX: The Clown Car Race Checkered Flag, Introducing
Platformonomics ClownWatch

EU Insanity: Ye Olde Memory Hole

Regulators in Europe, meanwhile, are looking to apply existing digital law to
the new platforms, which could mean getting AI to “forget” information it has
memorized about people.

Previous:

EU Suffering From Premature Regulation, BREAKING: European Union Designated an
Advanced Persistent Threat, UK Announces Big Tech Struggle Sessions “For The
Children”, EU Announces DMA Struggle Sessions, EU Announces Meta Struggle
Sessions, EU Insanity: Regulatory Contortions, EU Insanity: Not Learning From
Regulatory Failure, EU Announces DMA Struggle Sessions, EU Insanity: AI
Regulatory Suicide, EU Insanity: AI Energy Suicide, EU Insanity: The Kafka
Singularity, EU Insanity: AI Energy Suicide (Part Deux), EU Insanity: Mistral
Edition, Move Fast and Regulate Things (You Don’t Understand), The EU Will
Continue to Fiddle While Rome Burns, When “Move Fast and Regulate Things” Breaks
Down, AI Regulation: Move Fast and Regulate Things

Oracle Sends Two Racks to Morocco

Racks? Regions? So easy to confuse.

Previous:

Oracle Moves to Nashville, Follow the CAPEX: The Clown Car Race Checkered Flag

Software Migration Alert: PowerSchool

When private equity rolls up, you should flee for the hills.

Previous:

Software Migration Alerts, Perfidious Private Equity


June 140
Today, 14:28 Phil Windley's Technometria (Feed)
Decentralized Identity Comes of Age

Summary: In session after session, attendees at EIC are hearing the message that
decentralized identity is the answer to their identity problems.

I'm at European Identity Conference (EIC) this week. I haven't been for several
years. One thing that has struck me is how much of the conversation is about
decentralized identity and verifiable credentials. I can remember when the whole
idea of decentralized identity was anathema here. The opening keynote, by Martin
Kuppinger is Vision 2030: Rethinking Digital Identity in the Era of AI and
Decentralization. And all he's talking about is decentralized identity and how
it's at the core of solving long standing identity problems. Another data point:
Steve McCown and Kim Hamilton-Duffy ran a session this morning called
Decentralized Identity Technical Mastery which was a hands-on workshop. The
rather large room was packed—standing room only.

I attended a couple of sessions on decentralized identity where I didn't know
the companies, the speakers, or the specific platforms they were using. The
space is too big to keep track of anymore. Identity professionals who were
ignoring, or talking down, decentralized identity a few years ago are now
promoting it.

This truly feels like a tipping point to me. At IIW, it's identity geeks talking
with other identity geeks, so it's no surprise to see lots of discussion about
new things. EIC is a different kind of conference. There are about 1000 people
here I'd guess. Most of them aren't working on new standards or open source
projects. Instead they're the folks from companies who come to conferences like
EIC to learn how to solve the problems their organization is facing.

In the keynotes and in numerous sessions, the message that they're hearing is
"decentralized identity will solve your problems." Martin closed his talk with
the proclamation that "decentralized identity is the new paradigm for identity."

Photo Credit: Credential Tipping Point by DALL-E (public domain) Prompt: Draw a
rectangular picture that shows a credential at a tipping point. Make the
credential look like a lifelike credential, include cartoon picture, and some
writing. Use bright friendly colors.

Tags: identity ssi decentralized+identity verifiable+credentials


June 60
24.6.2024, 6:00 SEI Blog (Feed)
The Threat of Deprecated BGP Attributes
This post examines how a small issue with Border Gateway Protocol routing, a
deprecated path attribute, can cause a major interruption to Internet traffic.

June 30
Today, 17:55 ongoing by Tim Bray (Feed)
Parable of the Sofa

When Lauren was pregnant with a child who’s now turning 25, we purchased a comfy
dark-brown leather sofa which fits our living room nicely. What with kids and
relatives and employees and cats and Standards Committees and friends and book
clubs and socials, the butt-support cushions had, a quarter century later, worn
out. So we had them replaced, at a fair price, by a small local business. Which
is something that modern capitalism is trying to make impossible.

I’ll be honest; when we realized how ratty the sofa was getting, my first
thought was “crap, gonna have to buy a sofa”. But Lauren said “No, because new
sofas are junk. Also, Luxcious.”

I’ll get to Luxcious in a bit, but it turns out that new sofas, by and large,
really are. Why would that be? Well, check out Why Are (Most) Sofas So Bad? in
Dwell magazine which has a weirdly-intermittent paywall, here’s another version.

From early in the piece: “Sofas made in the past 15 years or so are absolute
garbage, constructed of sawdust compressed and bonded with cheap glue, simple
brackets in place of proper joinery, substandard spring design, flimsy foam, and
a lot of staples.” It’s excellent, well-written, and will take you some
surprising places.

But the subtext is drearily familiar. Globalization: Check. Cheap-labor
arbitrage: Check. Tax engineering: Check. High profits: Check. Flat-packing:
Check. Late Capitalism: Check check fucking check.

But, quality furniture is expensive to make, and should be, but doesn’t wear out
fast, thus deserves extended maintenance.

Luxcious

Its Web site (“Breathe new life into old furniture”) is way prettier than its
location, in an old and extremely miscellaneous high-traffic zone: auto-body
shops, hipster lounges, self-storage, beauty supplies…

They’re family-run and idiosyncratic. You have to know how to find the sketchy
rear parking lot and walk in the back door. But they’re friendly and competent.
Here’s the new leather they bought for the cushions.

And here’s the sofa with the re-covered cushions in place.

Yes, from this angle, the new cushions make the sofa’s back look shabby, but
it’s not as obvious to the naked eye and after a decade or so we’ll never notice
it.

The whole job cost us $1100 Canadian. Given that the sofa cost
three-thousand-plus 1999 dollars and new leather sofas of the “not flat-packed
sawdust and glue” variety quickly get into five figures, the choice was a
no-brainer.

“Lifestyle”

This kind of transaction is exactly what modern capitalism is trying to stamp
out.

A single-location family-owned business that provides a living for a few people?
With no plans to load up on debt or other financial engineering? Or for growth
into unicorn status? No GenAI dimension? No marketing or public-relations
people?

In conversation with venture capitalists, you hear the phrase “lifestyle
business”, meaning one that is doing nicely and rewarding the people who run it
and which isn’t planning for unbounded growth. The words “lifestyle business”
are always, of course, uttered in a voice dripping with contempt. Luxcious is a
lifestyle business.

It seems blindingly obvious that an economy with a higher proportion of
lifestyle businesses is going to be more resilient, more humane, and immensely
more pleasant than the one that the Leaders Of Industry are trying to build.

How would we get there from here? I’m not smart enough to figure out what the
regulatory regime is that would ban most of what private-equity does and tilt
the playing field in favor of resilient lifestyle businesses.

But I’d sure vote for a political party that convinced me it was trying to
achieve that.


June 20
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #52: May 31, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.


This marks a year of these newsletters (elapsed time a little longer)!

I enjoy the writing process, find it helps me refine my thinking without all the
work of longer essays, and is a good way to track existing ideas and threads. My
plan is to keep writing. I’d love to hear from you on what you like and dislike.

News

From CAPEX Obsessives to Cynics

That brief window when we were all CAPEX obsessives and cheerleaders has, sadly,
already given way to cynicism. The media pedants miss the bigger picture (as
they have in the past). For a start, the current AI infrastructure build-out has
arisen from the ashes of the crypto bubble. It might be bubbles, not turtles,
all the way down.

Previous:

We Are All Now CAPEX Obsessives, Q1 CAPEX Scorecard, Follow the CAPEX: Cloud
Table Stakes 2023 Retrospective

Related:

Pop!: Why Bubbles Are Great For The Economy, The Beauty of Bubbles

Who’s Getting the GPUs?

From NVIDIA’s 10-Q:

Concentration of Revenue

Revenue by geographic region is designated based on the billing location even if
the revenue may be attributable to end customers, such as enterprises and gamers
in a different location. Revenue from sales to customers outside of the United
States accounted for 48% and 67% of total revenue for the first quarter of
fiscal years 2025 and 2024, respectively.

We refer to customers who purchase products directly from NVIDIA as direct
customers, such as original equipment manufacturers, or OEMs, original device
manufacturers, or ODMs, system integrators, add-in board manufacturers, and
distributors. We also have indirect customers, who purchase products through our
direct customers; indirect customers include public cloud providers, consumer
internet companies, enterprises, startups, and public sector entities.

Sales to one direct customer, Customer A, represented 13% of total revenue and
sales to a second direct customer, Customer B, represented 11% of total revenue
for the first quarter of fiscal year 2025, both of which were attributable to
the Compute & Networking segment.

There was no direct customer that represented 10% or more of total revenue for
the first quarter of fiscal year 2024.

Two indirect customers each represented 10% or more of total revenue for the
first quarter of fiscal year 2025; one of these indirect customers purchased our
products primarily through direct Customer B. Both were attributable to the
Compute & Networking segment.

We’ll speculate on this next week (along with others).

Previous:

Follow the CAPEX: Triangulating NVIDIA

Existential Corner: What is OpenAI?

In a world where “we do have demand that exceeds our supply by a bit”, adding
Apple to the demand side of the OpenAI equation seems like a legitimate concern.

The bigger question is what trajectory does OpenAI think it is on? Maybe it is
content to focus on building the best frontier model, but their ambitions (and
valuation) seem bigger. They need a focus. The window to be a developer or
enterprise company already seems to have closed.

Consumer is still an opportunity (and the recent Her-inspired emphatically not
Her-inspired demo suggests this may be OpenAI’s bet, even if by elimination),
but there is no shortage of consumer aspirants.

Given CEO Sam Altman is a deal-maker and not seemingly a long-term builder,
maybe teeing up a bidding war between Apple and Microsoft (with anyone else
welcome to join!) is the company’s strategy?

Apple to Choose Choice?

As we await WWDC and Apple’s bid for AI relevance, it is already pretty clear
Apple will pursue a pluggable LLM strategy, probably both on-device and in the
cloud. They have to for their China business, and it would give them opportunity
to switch to their own technology in the future.

Previous:

Viewer Mail – Episode 2 (Apple CAPEX), Missing the (Bamboo) Forest for the
(Apple) Trees, Artificial Ideology (AI): Xi Jinping Edition, Best Descriptor for
Chinese LLMs: ChatXi or ChatCCP?

Competitive Strategy: AI Safety Edition

Sending your AI safety people to a competitor seems like a great move.

Previous:

We Can Only Hope, Whatever Happened to the AI Safety People?, Everyone In
Silicon Valley Wants To Be Henry Kissinger, Existential Risk Now Has a Precise
Threshold, You Can’t Spell Alien Invasion Without A and I, Existential AI Risk +
Twitter-level Nuance

Private Equity in Action: PluralSight

Debt is a killer. Especially in the hands of financiers who don’t know much
about actually running a software business (despite having listened to multiple
podcasts on the topic). Hence our mantra: when private equity comes
amalgamating, it is time to start migrating.

Previous:

Private Equity in Action: Not Every VMware Customer Was Screwed, Private Equity
in Action: The VMware Saga May Never End, Software Migration Alerts, Private
Equity in Action: VMware “Unease” Continues, Perfidious Private Equity, Private
Equity in Action: VMware Yet Again, Private Equity in Action: VMware
(Continued), Private Equity in Action: VMware, Private Equity Will Buy and Ruin
More Software Companies, Software Migration Alert: VMware (Continued), Software
Migration Alert: VMware, Private Equity in Action: VMware Customer Complaints
“Unwarranted”

Not That Kind of Nuclear Cloud

An advanced civilization requires abundant energy. Let’s do it!

Previous:

Cloud Power Up


June 60
Today, 14:28 Phil Windley's Technometria (Feed)
Can LLMs Provide References for Their Work? An Experiment

Summary: We know that LLMs hallucinate. And we know that we can overcome some of
that problem with better prompts. But can LLMs provide references for their
work? I conducted an experiment.

Recently my friend Scott Mace asked this on X in response to a post about the
evolution of software and how LLMs will likely follow that same trajectory:

Yes, but how trustworthy will it be? Can I at least see the links it used to
create its response? From X
Referenced 2024-05-21T18:09:06-0400

The short answer is "no", but the real answer is a bit more nuanced because of
how LLMs like ChatGPT work. First the short answer: LLMs don't understand what
they're saying so they can't reference the material that they used to create a
response. They don't work like that. They don't go out, do a bunch of research
and then create a response. Instead lots (and I mean LOTS) of material is fed
into the program that creates the model, a multi-dimensional matrix of word
orders. Then when you ask a question ("give it a prompt" in LLM-speak), it
processes the question and generates text based on the probabilities of words in
its model[1]. There's no way it can satisfy Scott directly because the model
doesn't—can't, as far as I know—include the references that it used to create
the text because it's generating it on the fly from material that has been
thoroughly blended together.

But, in fairness, that's not what people do most of the time either. If you
asked me over lunch or at the end of a tech presentation to describe zero trust
and its pros and cons, I'd start talking. I wouldn't start looking up things on
the web and somehow weave them into text complete with references. I'd go look
for references if you asked me to back up something I said. So, let's try that
with ChatGPT 4o. I gave it the following prompt:

You are a writer for a website focusing on technology. Your specialty is
security. Write a 150 word explanation of zero trust with three pros and three
cons.

ChatGPT answered with this text:

Zero Trust is a security model based on the principle of "never trust, always
verify." Unlike traditional security models that assume everything inside the
network is safe, Zero Trust assumes that threats can exist both inside and
outside the network. It requires strict identity verification for every user and
device attempting to access resources, regardless of their location.

Pros:

 * Enhanced Security: By continuously verifying users and devices, Zero Trust
   reduces the risk of breaches and unauthorized access.
 * Minimized Attack Surface: It limits access to only what is necessary,
   reducing potential entry points for attackers.
 * Improved Compliance: Helps meet regulatory requirements by ensuring strict
   access controls and logging all access attempts.

Cons:

 * Complex Implementation: Deploying Zero Trust can be complex and
   time-consuming, requiring a significant overhaul of existing systems and
   processes.
 * Increased Costs: The initial investment in technology and training can be
   high.
 * User Experience Impact: Continuous verification can lead to friction and
   inconvenience for users if not implemented smoothly.

Zero Trust is essential for modern cybersecurity, but it requires careful
planning and resources to implement effectively.

That's pretty good. But what if we need some references to other material to
back up the pros and cons? I asked ChatGPT to supply them:

Now repeat that task, but this time include references as hyperlinks to back up
each pro and con.

ChatGPT answered with this text:

Zero Trust is a security model based on the principle of "never trust, always
verify." Unlike traditional security models that assume everything inside the
network is safe, Zero Trust assumes that threats can exist both inside and
outside the network. It requires strict identity verification for every user and
device attempting to access resources, regardless of their location.

Pros:

 * Enhanced Security: By continuously verifying users and devices, Zero Trust
   reduces the risk of breaches and unauthorized access (CSO Online).
 * Minimized Attack Surface: It limits access to only what is necessary,
   reducing potential entry points for attackers (NIST).
 * Improved Compliance: Helps meet regulatory requirements by ensuring strict
   access controls and logging all access attempts (Gartner).

Cons:

 * Complex Implementation: Deploying Zero Trust can be complex and
   time-consuming, requiring a significant overhaul of existing systems and
   processes (Forrester).
 * Increased Costs: The initial investment in technology and training can be
   high (ZDNet).
 * User Experience Impact: Continuous verification can lead to friction and
   inconvenience for users if not implemented smoothly (TechRepublic).

Zero Trust is essential for modern cybersecurity, but it requires careful
planning and resources to implement effectively.

That looks great! Nice references for each bullet. There's just one problem. All
the links, except the NIST reference, are dead. I don't know if they're wrong,
made up, or stale. I tried finding content on a few of the sites by searching
and came up dry. As I heard Johannes Ernst say once, ChatGPT is a "large
language model" not a "large fact model" and this bears that out.

Still, asking for references or evidence for statements is something people are
going to want. So, I tried a different tack. This time I asked this:

Why do you say complex implementation is a problem for zero trust? Can you give
me a few references on that I can read myself?

ChatGPT responded with this:

Implementing a Zero Trust security model can be challenging for several reasons:

 * Overall Complexity: Zero Trust requires a comprehensive understanding of your
   network's intricacies, including users, devices, applications, and data. This
   can involve significant changes to existing infrastructure, which can be
   disruptive and costly. Organizations need to be prepared for the extensive
   planning and resources required for successful implementation (Help Net
   Security) (Enterprise Networking Planet).
 * Legacy Systems: Many organizations have legacy systems that are not designed
   to operate within a Zero Trust framework. These systems might require
   different security measures or even complete replacement, adding to the
   complexity and cost (Help Net Security) (Enterprise Networking Planet).
 * Cultural Shift: Zero Trust is not just a technological shift but also a
   cultural one. It requires continuous verification and strict access controls,
   which can lead to user frustration and resistance if not managed properly.
   Ensuring user buy-in and minimizing disruption to workflows through training
   and communication is essential (Deloitte United States) (Guidehouse).
 * Resource Intensive: Implementing and maintaining Zero Trust can put a strain
   on IT resources due to the need for continuous monitoring and management. The
   need for advanced security tools and ongoing updates further adds to the
   resource demands (Help Net Security) (Enterprise Networking Planet).
 * Stakeholder Alignment: Achieving buy-in from all stakeholders and aligning
   them with the Zero Trust principles is critical. This requires a coordinated
   effort to educate stakeholders, prioritize gaps, and ensure consistent
   understanding and application of Zero Trust principles across the
   organization (Deloitte United States) (Guidehouse).

These challenges highlight the importance of a phased and well-planned approach
to Zero Trust implementation, considering both technological and human factors.
For more detailed insights, you can refer to articles from Help Net Security and
Guidehouse.

Much better. The links in the bullets all work, but the ones at the end don't.
The articles it references aren’t very detailed, so I wouldn’t say they’re
stellar references, but at least there’s a pointer to outside material that
discusses similar challenges. So, partial success.

I've found that when you're using ChatGPT to do research, treating it like a
librarian and asking questions that follow up are the best way to gain
confidence that the material is correct and find the supporting material, just
as I did above. I'm sure you could wrap additional helper functions around an
LLM to make getting references easier. But for now interrogation through chat is
the best way to get comfortable with the results.

Notes

1. Yeah, this is really simplified and thus wrong, but it's directionally
   correct. For a better explanation, see What Is ChatGPT Doing … and Why Does
   It Work?.

Photo Credit: Older Man Talking to Robot Librarian from DALL-E (public domain)
Prompt: draw me a rectangular picture of an older man talking with a robot
librarian. Use earth tones.

Tags: genai llm chatgpt prompt+engineering


May 310
24.6.2024, 6:00 SEI Blog (Feed)
Versioning with Git Tags and Conventional Commits
This blog post explores extending the conventional commit paradigm to enable
automatic semantic versioning with git tags to streamline the development and
deployment of software.

May 290
Today, 17:55 ongoing by Tim Bray (Feed)
Tedeschi Trucks

Saturday night we went to a concert by the Tedeschi Trucks Band (TTB). It was
excellent and this is partly a review, but mostly a challenge to the community
of touring musicians: “Why aren’t your production values as good as TTB’s?”

Just the Facts

TTB lives squarely in the middle of the Southern Rock genre, as invented by the
Allman Brothers in 1970 or so. Derek Trucks is the nephew of the Allmans’
original drummer Butch Trucks and performed in a later iteration of that band.
Susan Tedeschi had a successful career as a touring and recording blueswoman.
Then she and Derek got married and merged their acts.

It’s a twelve-piece band: Susan and Derek on guitar, three backup vocalists,
three horns, keyboards, bass, and two drummers (one white, one black, per the
Southern-Rock canon). The music is blues and soul, wandering into rock. Some of
the songs are their own, others genre chestnuts (Statesboro Blues, High Time We
Went). They played a three-hour show, but with not that many songs, because
every tune features extended instrumental sections. All twelve members got a
chance to shine, Derek had a break on every song, and Susan on quite a few.

What was great

Only a couple of the songs weren’t memorable; they write well and cover only the
best chestnuts. The musicianship was stellar, with electric guitar front and
center. Derek is fluid and effortless, with beautiful tone; Susan solos less but
actually plays more interesting stuff. Susan’s the lead voice but four other
members are singers, they all got a featured spot and were all pretty great.
Susan doesn’t have the vocal range or the shriek, but she had the most soul.

What was best, though — out into “fucking awesome” territory — was what
classical musicians call “ensemble” and I guess I’d call “band musicianship”.
The songs’ arrangements are just razor-sharp, full of shifts and breaks and
little moments of drama and grace, intros and outros and bridges. The players
were effortlessly locked onto the center of the rhythm, “so tight they were
loose” as the saying goes. The amount of practicing this takes must be epic.

Which was brilliantly supported by the sound people. Every instrument and voice
was distinct and clear, and the dynamic range was maybe the best I’ve ever heard
from an electric-guitar-based band. Every moment was multilayered and you could
hear all the layers.

You could tell (well, if you know something about concert sound, you could)
that, at the soundboard, they were intervening judiciously, for example cranking
the horns (or backup singers) and fading the guitars when that’s what the song
needed.

It was an audience that was fun to be part of, enthusiastically cheering all the
solos and regularly leaping to their feet when a song hit the big up-curve.
Especially impressive given that plenty of the crowd was old enough to have been
there for the birth of Southern Rock.

On top of which, the lighting was subtle and dramatic and tasteful, and only
once in the whole three-hour show did they hurt my brain by obnoxiously flashing
brilliant lights in my eyes.

Thus my challenge:

To every touring band: Be like TTB!

Seriously; my time on earth covers most of the history of live electric-music
performance, plus I’m an audiophile, and for most of my life, most of the sound
has been shitty. But in the last few years I’ve regularly heard sound that was
better than acceptable, and occasionally dazzlingly-good. But TTB is the most
impressive combination I’ve heard of big ensemble, plenty of electric guitar,
and sparkling sound.

There is sort of an excuse: Rock, historically, has been carefully engineered to
sound good on car radios; specifically the kind of car radios owned by
impecunious youth. Dynamic range and layering are not features of this
landscape.

Anyhow, my exposure to TTB, prior to this, has been mostly YouTube, and I’ve
enjoyed them, but I dunno, now that I’ve heard the real thing, I suspect the
online version will feel thin.

If TTB can do it, any band can. But plenty still don’t. That’s increasingly just
not acceptable. I wonder if things will start to get generally better? Because
I’m pretty sure the musicians care.

Other observations

Running a 12-piece operation must be freaking expensive. I would love to hear
the details of the economics. Saturday night they filled a 2600-seat hall with
an average ticket price around C$120. So that’s over C$300K gross. The hall
costs C$21K and then there’s Ticketmaster’s cut, which if the claims of the
recent DOJ litigation are to be believed, would be egregious.

I wonder how a TTB song gets built? In particular, who does the arrangements?
Whoever it is, I’m a fan.

Lauren and I were masked (N95) and looking across the audience as far as we
could see revealed one other masked person. I dunno, 2600 people in an enclosed
space. Call me crazy, but… no, call them crazy. I’m serious.

Unusually, there were huge line-ups for the men’s washrooms, almost none for the
women’s. The lady in the row behind us cackled and said “boomer prostates.”


May 270
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #51: May 24, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

It has been three weeks and a lot has happened — let’s fire this thing up again!

News

NVIDIA Earnings: Civilization Endures

At least for another quarter…

We will wait for their 10-Q filing before speculating madly on who got the GPUs
this quarter.

Previous:

Follow the CAPEX: Triangulating NVIDIA, Follow the CAPEX: Cloud Table Stakes
2023 Retrospective

VC Smackdown Over Open Source Models

New Luttig post well worth reading: The future of foundation models is
closed-source

It is heartbreaking that generative AI is not structurally more advantageous for
VCs. How can we fix this?

Previous:

Feature Request: Podcast Players, The Most Important Issue in AI, The VC
Antitrust Doctrine, VC-induced Indigestion, The Looming Layoffs for Venture
Capitalists, Ghost VCs, “Open Source Software is a Protected Class“

Related:

Hallucinations in AI

Team Primitives: What Sayest Thou?

Software value inexorably moves up the stack, through ever higher levels of
abstraction. Generative AI is of course a perfect example (even venturing into
non-deterministic abstraction).

This dynamic was top of mind watching the Microsoft Build keynotes this week.
They spent maybe 10% of their time on chips/models/infrastructure. The rest was
on the Copilot stack and all the tools to build AI apps. A number of long-term
Microsoft bets, bringing both higher level abstraction and integration, feature
prominently and usefully in this platform: e.g. Fabric, Graph. Office is
actually well aligned (a level of platform conjunction that only happens every
couple of decades), so the Microsoft AI stack is the entire Microsoft stack, and
vice versa.

Meanwhile, AI laggard AWS has doubled down on being “primitive”. The claim is
developers prefer a bag of low level parts from which to roll their own
solutions. That primitives essay is interesting in two respects. First, the
contrast in the level of abstraction between primitives in Amazon’s retail
business (e.g. fulfillment) and AWS primitives, which are still at a 2007 level
of granularity (or even smaller). Second is the claim that “one of the many
advantages to thinking in primitives is speed”, an attribute not yet discernible
in Amazon’s generative AI efforts (we await the explanation for why there is a
compression algorithm for experience when it comes to AI, but nowhere else). The
limitations of AWS’ siloed data approach also loom larger, in contrast to an
integrated data platform (note the Snowflake-Microsoft announce, which serves up
Snowflake data to the Microsoft AI platform).

The annual AWS product announcement festival, re:Invent, is still six months
away. Amazon is no doubt racing to get a first party frontier model story
together and demonstrate that NVIDIA has decided to grace them with some GPUs
(“we could not be more excited (now) about DGX Cloud!”). We’ll see if AWS is
content to stick with primitives or will (very belatedly) decide they need to go
full stack.

Previous:

Amazon Desperately Seeks Compression Algorithm for Experience, Most Greatest AI
Company in Entire Universe Makes Major Strategy Pivot, SEC Embraces
Platformonomics ClownWatch, Warns Amazon and IBM, The AWS Generative AI Soap
Opera, The Amazon AI Inferiority Complex

Related:

2023 Letter to Shareholders (Amazon), For AWS’ New Leader, Big Decisions Lie
Ahead on AI, Business Apps

Minesweeper Copilot

Perhaps more importantly, Microsoft also fleetingly showed Copilot support for
FreeCell and Flight Simulator. I would be remiss not to remind the world that
Minesweeper has had Copilot functionality for over 30 years.

Previous:

The Minesweeper Moment

Related:

The most successful game ever: a history of Minesweeper

Cloud Repatriation is Going Just Great: Equinix Investigates Itself, Finds No
Fraud

Equinix has investigated Equinix and says all is good at Equinix, and despite
more than a few lawsuits and investigations, the company “does not expect to
comment further on such matters until appropriate to do so”.

Not everyone is convinced:

Previous:

Cloud Repatriation is Going Just Great: Q1 2024, Cloud Repatriation is Going
Just Great: Continued Radio Silence, Cloud Repatriation is Going Just Great:
Radio Silence from Equinix, Cloud Repatriation is Going Just Great: Equinix, New
Cloud Repatriation Hypothesis

Platformonomics Repatriation Index: Q1 2024

With that pesky fraud allegation completely behind it, Equinix managed to
finally report Q1 earnings. The company, riding the twin tailwinds of AI and
cloud repatriation, reported blistering growth of 6%.

We can now update the Platformonomics Repatriation Index

The Index has hit an all-time low, meaning that movement to the cloud exceeds
repatriation away from the cloud by the largest degree in the history of our
simple heuristic. But hope springs eternal!

Previous:

Cloud Repatriation is Going Just Great: Continued Radio Silence, Cloud
Repatriation is Going Just Great: Radio Silence from Equinix, Cloud Repatriation
is Going Just Great: Equinix, New Cloud Repatriation Hypothesis, Cloud
Repatriation Where Art Thou?, Cloud Repatriation: The Search Continues, Cloud
Repatriation: Still Not a Thing, Platformonomics Repatriation Index – Q1 2023:
Surf’s Up?, The Inexorable Attraction Between Terrible Things: Cloud
Repatriation and Private Equity

We Can Only Hope

“Supported by Microsoft” is deliciously ambiguous.

Previous:

Whatever Happened to the AI Safety People?, Everyone In Silicon Valley Wants To
Be Henry Kissinger, Existential Risk Now Has a Precise Threshold, You Can’t
Spell Alien Invasion Without A and I, Existential AI Risk + Twitter-level Nuance

EU Suffering From Premature Regulation

Obituaries for the AI safety movement obviously don’t apply to Europe (and I
fear they’re not really dead elsewhere, but have gone to ground, and are biding
their time for future assaults on the future).

We’ll see what kind of landmark it turns out to be. They do have global
ambitions:

“The Act will have global reach. Companies outside the EU who use EU customer
data in their AI platforms will need to comply. Other countries and regions are
likely to use the AI Act as a blueprint, just as they did with the GDPR,” he
said, referring to EU privacy rules.

You’d think the collapse of the European economic, energy and security orders
would take precedence, but to each their own I guess.

Previous:

BREAKING: European Union Designated an Advanced Persistent Threat, UK Announces
Big Tech Struggle Sessions “For The Children”, EU Announces DMA Struggle
Sessions, EU Announces Meta Struggle Sessions, EU Insanity: Regulatory
Contortions, EU Insanity: Not Learning From Regulatory Failure, EU Announces DMA
Struggle Sessions, EU Insanity: AI Regulatory Suicide, EU Insanity: AI Energy
Suicide, EU Insanity: The Kafka Singularity, EU Insanity: AI Energy Suicide
(Part Deux), EU Insanity: Mistral Edition, Move Fast and Regulate Things (You
Don’t Understand), The EU Will Continue to Fiddle While Rome Burns, When “Move
Fast and Regulate Things” Breaks Down, AI Regulation: Move Fast and Regulate
Things

What’s Your Emergency, Exactly?

That is roughly a year’s CAPEX if you’re playing in the big leagues.

Previous:

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective

Who Needed This Deal More?

“Our collaboration with IBM will bring even more generative AI solutions to our
mutual customers,” said Ankur Mehrotra, General Manager of Amazon SageMaker at
AWS.

“Even more”?

Previous:

Amazon Desperately Seeks Compression Algorithm for Experience, Most Greatest AI
Company in Entire Universe Makes Major Strategy Pivot, SEC Embraces
Platformonomics ClownWatch, Warns Amazon and IBM, The AWS Generative AI Soap
Opera, The Amazon AI Inferiority Complex, Platformonomics ClownWatch: IBM,
Follow the CAPEX: The Clown Car Race Checkered Flag, Introducing Platformonomics
ClownWatch, IBM and the Art of Misleading Investors, This Week in Securities
Fraud, Clown CAPEX, IBM’s “Cloud” Business (or Lack Thereof), IBM: How Much
Longer Do the Good Times Last?, IBM’s Lost Decade

Last IBM Strategic Imperative Bites the Dust

Remember when IBM was going to climb back to relevance with the “strategic
imperatives” of cloud, analytics, mobile, social and security technologies?

They even reported “growth” numbers for each imperative. Until they tripped up
padding growth imperatives with ye olde mainframe (oops). Despite being frequent
practitioners, they’re not even very good at securities fraud.

Previous:

IBM’s “Cloud” Business (or Lack Thereof), Tweetstorm Digest: Reactions to
Barron’s “IBM’s Reboot” Story, IBM’s Lost Decade, Follow the CAPEX: The Clown
Car Race Checkered Flag, Introducing Platformonomics ClownWatch, IBM and the Art
of Misleading Investors, This Week in Securities Fraud

Private Equity in Action: Not Every VMware Customer Was Screwed

Broadcom clarifies:

Or, in the original PEnglish:

Previous:

Private Equity in Action: The VMware Saga May Never End, Software Migration
Alerts, Private Equity in Action: VMware “Unease” Continues, Perfidious Private
Equity, Private Equity in Action: VMware Yet Again, Private Equity in Action:
VMware (Continued), Private Equity in Action: VMware, Private Equity Will Buy
and Ruin More Software Companies, Software Migration Alert: VMware (Continued),
Software Migration Alert: VMware, Private Equity in Action: VMware Customer
Complaints “Unwarranted”

Related:

Report: These were the most overpaid CEOs last year

Software Migration Alerts

Private equity was up to no good (naturally) while I was away:

When private equity comes amalgamating, it is time to start migrating. Software
migration alerts have been issued for all these companies.

Previous:

Software Migration Alerts, Perfidious Private Equity

Who Could Have Predicted It?

Onward to a grand European AI project!!!

Previous:

Follow the CAPEX: The Clown Car Race Checkered Flag, Follow the CAPEX: Keeping
Up With The Clowns, Follow the CAPEX: Clown Watch

Artificial Ideology (AI): Xi Jinping Edition

We previously asked what the Chinese Communist Party would call its
ideologically-pure LLM: ChatXi or ChatCCP? We have an answer, and the cult of
personality wins!

LLMs hold a mirror up to humanity and then “guardrails” are applied to change
that image in accordance with the prevailing ideology. In this case it is very
hard to tell whether the LLM is hallucinating or the source material.

Xi Jinping is an unbelievably thoughtful guy. The breadth and pervasiveness of
Xi Jinping Thought is staggering. I may have to do some thinking about Xi
Jinping Thought.

Previous:

Best Descriptor for Chinese LLMs: ChatXi or ChatCCP?, Product Market Fit for
Google Gemini?, One, Two, Three, Four: We Want a Meme War, Xi Jinping Thought on
Wall Street Running Dogs, The Perils of Working for a Cult of Personality, Press
Releases We’d Like to See, Best Nickname for Emmanuel Macron, Winnie-the-Pooh:
Lover of Honey, Champion of Freedom, Missing the (Bamboo) Forest for the (Apple)
Trees

Artificial Ideology (AI): Google Edition

Refreshingly, at Google the pendulum has swung from too many ideological
guardrails to the polar opposite of letting unhinged content fly in their latest
release. (Are they prioritizing competition with Elon’s Grok?).

Reddit stock is down. One presumes a revision has occurred to estimates of their
future cash flows from data sales to AI companies.

Previous:

Google Goes Off the Guardrails

Better Late Than Never

Previous:

Cloud Power Up


June 60
23.6.2024, 18:04 The Architect Elevator (Feed)
The Economics of Writing Technical Books
Yes, you can make money writing books. But never do it for that.

May 250
Today, 9:19 mark nottingham (Feed)
Consensus in Internet Standards

It’s common for voluntary technical standards developing organisations (SDOs
such as the IETF and W3C) to make decisions by consensus, rather than (for
example) voting. This post explores why we use consensus, what it is, how it
works in Internet standards and when its use can become problematic.

Why consensus?

SDOs have several motivations for using consensus. Most often, consensus
decisions are seen as a way to avoid the potential for gaming and politics that
comes with voting systems. If everyone can live with the result, it’s more
likely that the result reflects a diversity of viewpoints.

The IETF also has a pragmatic reason: since there is no formal membership in the
IETF, there’s no way to determine who’s eligible to vote.

However, there’s also a less obvious policy motivation to use this approach.
Several legal frameworks encourage or even require standards decisions to be
made by consensus.

For example, OMB Circular 119-A encourages the US government to prefer consensus
standards for the products they buy. US anti-trust laws regarding standards
bodies also reference this document.

Annex II of EU Regulation 1025/2012 provides similar guidelines for standards
adopted by the EU.

Even the WTO gets in on the act; their recommendations regarding technical
barriers to trade state that ‘consensus procedures should be established that
seek to take into account the views of all parties concerned and to reconcile
any conflicting arguments.’

These legal encouragements strongly motivate SDOs to adopt consensus as the
basis of their decision-making, and are reflected in the OpenStand principles
adopted by the IETF, W3C, and IEEE.

What is consensus?

The OED definition of consensus is:

Agreement in opinion, feeling, or purpose among a group of people, esp. in the
context of decision-making. Also: the collective unanimous opinion of…

Note that unanimity is one option, but not required. This mirrors OMB Circular
119-A’s explanation of consensus as:

[…] general agreement, but not necessarily unanimity. During the development of
consensus, comments and objections are considered using fair, impartial, open,
and transparent processes.

Likewise, in EU Regulation 1025/2012:

Consensus means a general agreement, characterised by the absence of sustained
opposition to substantial issues by any important part of the concerned
interests and by a process that involves seeking to take into account the views
of all parties concerned and to reconcile any conflicting arguments. Consensus
does not imply unanimity.

These definitions share a characterisation of the nature of a consensus
agreement and they also hint that the process used to achieve that consensus
must have certain properties. However, they do not mandate a particular process.

In the IETF, RFC 2418: Working Group Guidelines and Procedures Section 3.3 says:

IETF consensus does not require that all participants agree although this is, of
course, preferred. In general, the dominant view of the working group shall
prevail. (However, it must be noted that “dominance” is not to be determined on
the basis of volume or persistence, but rather a more general sense of
agreement.) Consensus can be determined by a show of hands, humming, or any
other means on which the WG agrees (by rough consensus, of course). Note that
51% of the working group does not qualify as “rough consensus” and 99% is better
than rough. It is up to the Chair to determine if rough consensus has been
reached.

Note especially the concept of ‘rough consensus’ here, which is judged by the
chair and can be appealed to higher authorities.

Meanwhile, the W3C Process defines consensus as:

A substantial number of individuals in the set support the decision and there is
no sustained objection from anybody in the set. Individuals in the set may
abstain. Abstention is either an explicit expression of no opinion or silence by
an individual in the set.

In this more strict and mechanical definition, the emphasis is on the absence of
any ‘sustained’ objection. In theory, one person can hold up the declaration of
consensus; when this happens, W3C calls this ‘dissent’:

In some cases, even after careful consideration of all points of view, a group
might find itself unable to reach consensus. The Chair may record a decision
where there is dissent so that the group can make progress (for example, to
produce a deliverable in a timely manner). Dissenters cannot stop a group’s work
simply by saying that they cannot live with a decision. When the Chair believes
that the Group has duly considered the legitimate concerns of dissenters as far
as is possible and reasonable, the group should move on.

Groups should favor proposals that create the weakest objections. This is
preferred over proposals that are supported by a large majority but that cause
strong objections from a few people.

If a dissenter is dissatisfied with a decision, they can register their
unhappiness as a Formal Objection, which invokes a new and somewhat onerous
appeal process, in the formation of a Council.

How does consensus work?

Consensus is not easy or expedient: it requires everyone to listen, understand
others’ positions, and be flexible in adapting to the needs of others. While
some issues can be decided easily if there is significant common ground between
participants, this is often not the case, and working through such differences
can require significant time – both in discussion as well as away from others
reflecting on what path forward might be viable.

Successful consensus requires a ‘good faith commitment to honest debate’:
someone participating in bad faith (e.g., behaving inauthentically,
strategically, or otherwise) can be catastrophically disruptive to this process.
As a result, seasoned standards participants tend to be very sensitive to
bad-faith arguments, and known to disregard or even shun those who appear to use
them.

Used with nuance, consensus can be a powerful decision-making tool. People with
positions that are fundamentally at odds with each other can iterate over their
understanding of the problem and find shared ground and become bought into a
shared solution. A consensus result is often one that no one is completely happy
with, and some might be quite unhappy with it, but critically, they don’t
contest the legitimacy of the outcome – often, it’s just enough that they have a
chance to be heard and understood.

For example, during the standardisation of QUIC there was strong disagreement
between some network operators and other parties (including both implementers
and privacy advocates) about making information available to networks. Through
extensive discourse and an iterative set of proposals, we were able to agree on
including the ‘spin bit’ as an optional-to-implement feature. Neither side was
enthusiastic about this outcome, but we were able to produce a standard that was
satisfactory to all.

Good consensus can also show the humility and maturity of the group. When we
were standardising HTTP/2, there were a few issues we went back and forth on
extensively, before realising we didn’t have enough context to make an informed
decision – even though a decision still needed to be made to ship the protocol. In
those cases, we decided that progress was more important than any faction
‘winning’, and so we came to a consensus to abide by the result of a coin flip.

Where can consensus go wrong?

When and how to determine consensus is very cultural: what people believe
consensus is (and is not) has a significant effect on the outcome of a decision.
Perhaps because of this, a few different failure modes for consensus in Internet
standards setting are more common than they should be.

One kind of failure happens when the bar for consensus is set too high –
effectively requiring unanimity instead of consensus. If everyone has to agree,
one intransigent (or just disagreeable) person can withhold permission to
progress.

The IETF explicitly addresses this kind of failure with the culture of ‘rough
consensus’, which explicitly acknowledges that consensus need not be unanimous;
the important factor is that the reason for disagreement is understood.

In contrast, the W3C’s characterisation of any dissent as a lack of consensus
can be problematic if misapplied, because it risks creating a culture of
avoiding dissent. While the Process document clearly indicates that dissent is
manageable, the cultural expectations (as well as the potential for extra
overhead if dissent turns into a Formal Objection) can cause a group to get
‘stuck’ on a decision.

Another common failure mode is encountered when a decision-maker falls into the
trap of treating consensus-gathering like voting. While polls that gauge support
or dissent for a proposal are a useful tool, they can’t be taken as indicators
of consensus, and can’t alone decide the issue.

Pete Resnick’s excellent RFC 7282: On Consensus and Humming in the IETF is a
fantastic exploration of the subtleties here, and well worth a read. For
example:

Any finding of rough consensus needs, at some level, to provide a reasoned
explanation to the person(s) raising the issue of why their concern is not going
to be accommodated. A good outcome is for the objector to understand the
decision taken and accept the outcome, even though their particular issue is not
being accommodated in the final product.

Lack of engagement can easily be mistaken for consensus. As a chair, it’s
sometimes difficult to know if everyone agrees but just can’t be bothered to
speak up, or if no one is paying attention. Having proper notification,
communication, and multiple process steps that check for engagement can mitigate
this risk.

Inappropriate use of consensus on trivial matters ignores the considerable
overhead of the consensus-gathering process. For example, decisions about purely
editorial matters like document organisation, terminology, and presentation
shouldn’t be determined by consensus, because good-faith participants will
quickly become exhausted and lose interest.

That doesn’t mean that these decision-makers shouldn’t consult and respond to
suggestions about these matters; only that the consensus process isn’t
appropriate for them, and another decision-making structure (often, delegated
authority) is more appropriate.

A final failing is often referred to as consensus by exhaustion. Too strong a
drive for “perfect” consensus creates a culture where those who are willing to
“stick it out” get to decide by default, because everyone else tires of waiting
for a decision to be made. When this happens, the resulting decisions tend to
favour those who are most invested in the work instead of the broader community.

Those are the failings of consensus that I’ve seen most often. If you can think
of more or have other thoughts, I’d love to hear them.


May 260
24.6.2024, 6:00 SEI Blog (Feed)
Measurement Challenges in Software Assurance and Supply Chain Risk Management
This SEI Blog post examines the current state of measurement in software
assurance and supply chain management, with a particular focus on open source
software, and highlights promising measurement approaches.

May 200
Today, 17:55 ongoing by Tim Bray (Feed)
The Colors of Racism

Recently, somewhat by accident, I stumbled into reading a couple of monstrously
racist texts, and I’m going to need to update the Wikipedia entry for a famous
British author. But I learned a few things along the way that I want to share.

Disclosure

I try to be antiracist, but I don’t think I’m particularly good at it. I
sometimes have bigoted feelings but try hard to recognize and not act on them.
I’m convinced that humans are naturally tribal and antiracist work will continue
to be required for the foreseeable future.

The Author

Anthony Trollope (1815-1882) wrote 47 novels. I generally like them and we own a
whole shelf-full. They are funny and tender and cynical; his characters love and
marry and go into business and get elected to Parliament and are corrupt and
engage in furious professional conflict. Those characters are, without
exception, “gentle”, by which I mean members of the British ruling class.

Anthony Trollope in 1864.

When I was traveling around the world a lot, regularly crossing major oceans
before the era of in-air Internet, Trollope was a regular companion; his books
tend to be big and thick and extremely readable. Want to get started? Barchester
Towers, about a bitter feud among the clergymen of an English country town, is
one of the funniest books ever written; also there’s an excellent BBC
adaptation, with Alan Rickman deliciously smarmy as the horrid Mr Slope.

What happened was…

I’m on a publishing-oriented mailing list and someone wrote “I stumbled on the
fact that Trollope wrote a book that describes race relations in the British
West Indies” and someone wrote back “It’s a travelogue not a novel, it’s called
The West Indies and the Spanish Main, and be careful, that race-relations stuff
may not be pleasant to read.” On a whim, I summoned up the book from our
excellent public-library system and, oh my goodness gracious, that “not
pleasant” was understating it.

The book

Trollope earned his living, while he was establishing his literary career, as an
official of the British Post Office, rising to a high level in the organization
and not leaving it until he was almost 50.

In 1859, he was sent to reorganize the Post Office arrangements in the West
Indies and the “Spanish Main”, the latter meaning southern Central America and
northern South America. The expedition lasted several months and yielded this
book. In his autobiography, Trollope wrote that he thought it “the best book
which has come from my pen.” I think history would disagree. It’s on the
Internet Archive, but I’m not linking to explicit racism.

So why am I going to write about it?! Because now, 165 years after this book,
racism and its consequences remain a central focus of our cultural struggles.
Understanding the forces we combat is kind of important. Also, I recently
researched and wrote about the Demerara Rebellion (of the enslaved against their
oppressors, in 1823) so I have more context on Trollope’s observations than
most.

Background

Trollope’s tone is grumpy but good-humored. In the places he visits, he is
generally contemptuous of the hotels, the food, the weather, and the local
government.

The main narrative starts in Jamaica. By way of background, slavery had been
abolished in 1833, just 25 years before. Many of the sugar plantations that
occupied most of Jamaica had collapsed. Thus this:

By far the greater portion of the island is covered with wild wood and jungle…
Through this, on an occasional favourable spot, and very frequently on the
roadsides, one sees the gardens or provision-grounds of the negroes…

These provision-grounds are very picturesque. They are not filled, as a
peasant’s garden in England or in Ireland is filled, with potatoes and cabbages,
or other vegetables similarly uninteresting in their growth; but contain
cocoa-trees, breadfruit-trees, oranges, mangoes, limes, plantains, jack fruit,
sour-sop, avocado pears, and a score of others, all of which are luxuriant
trees, some of considerable size, and all of them of great beauty… In addition
to this, they always have the yam, which is with the negro somewhat as the
potato is with the Irishman; only that the Irishman has nothing else, whereas
the negro generally has either fish or meat, and has also a score of other
fruits beside the yam.

We wouldn’t use that word any more to describe Black people, but it was thought
courteous in Trollope’s day. He does deploy the N-word, albeit rarely, and
clarifying that it was normally seen, even back then, as an insult.

The bad stuff

It comes on fast. In the Jamaica chapter, the first few subheadings are:
“Introduction”, “Town”, “Country”, “Black Men”, “Coloured Men”, and “White Men”.
That “Black Men” chapter begins with six or so pages of pure racist dogma about
the supposed shortcomings of Black people. I will not enumerate them, and
obviously none stand up to the cold light of scientific inquiry.

But then it gets a little weird. Trollope notes that “The first desire of a man
in a state of a civilization is for property… Without a desire for property, man
could make no progress.” And he is harsh in his criticism of the Black
population for declining to work long shifts on the sugar plantations in hopes
of building up some capital and getting ahead.

And yet Trollope is forced to acknowledge that his position is weak. He
describes an episode of a Black laborer knocking off work early and being abused
by an overseer, saying he’ll starve. The laborer replies “No massa; no starve
now; God send plenty yam.” Trollope muses “And who can blame the black man? He
is free to work or free to let it alone.” It is amusingly obvious that this is
causing him extreme cognitive dissonance.

And he seems shockingly oblivious to issues of labor economics. On another
occasion it is a group of young women who are declining the hot nasty work in
the cane fields:

On the morning of my visit they were lying with their hoes beside them… The
planter was with me, and they instantly attacked him. “No, massa; we no workey;
money no nuff,” said one. “Four bits no pay! no pay at all!” said another. “Five
bits, massa, and we gin morrow ’arly.” It is hardly necessary to say that the
gentleman refused to bargain with them… “But will they not look elsewhere for
other work?” I asked. “Of course they will,” he said; “… but others cannot pay
better than I do.”

(A “bit” was one eighth of a dollar; I can remember my grandfather referring to
a quarter, i.e. a 25¢ coin, as “two bits”.)

They’re demanding a 20% raise and, as is very common today, the employer deems
that impossible.

Trollope contrasts the situation in Barbados, where there is no spare land and
thus no “provision grounds” and the working class (in this case, all-Black) is
forced to labor diligently for their daily bread; and is confident that this is
better.

He also visits Cuba, where slavery is still legal, and visits a plantation with
an enslaved workforce: “During the crop time … from November till May, the
negroes sleep during six hours out of the twenty-four, have two for their meals,
and work for sixteen! No difference is made on Sunday.” Trollope’s biggest
concern was that the enslaved received no religious instruction nor
opportunities to worship.

Trollope regularly also has to wrestle with the tension that arises when he
meets an accomplished or wise or influential Black person. For example, upon
arriving in New Amsterdam (in Demerara):

At ten o’clock I found myself at the hotel, and pronounce it to be, without
hesitation, the best inn, not only in that colony, but in any of these Western
colonies belonging to Great Britain. It is kept by a negro, one Mr. Paris
Brittain, of whom I was informed that he was once a slave… he is merely the
exception which proves the rule.

Here are two more samples of Trollope twisting himself in knots over what seems
to him an economic mystery.

But if the unfortunate labourers could be made to work, say four days a week,
and on an average eight hours a day, would not that in itself be an advantage?
In our happy England, men are not slaves; but the competition of the labour
market forces upon them long days of continual labour. In our own country, ten
hours of toil, repeated six days a week, for the majority of us will barely
produce the necessaries of life. It is quite right that we should love the
negroes; but I cannot understand that we ought to love them better than
ourselves.

The complaint generally resolves itself to this, that free labour in Jamaica
cannot be commanded; that it cannot be had always, and up to a certain given
quantity at a certain moment; that labour is scarce, and therefore high priced,
and that labour being high priced, a negro can live on half a day's wages, and
will not therefore work the whole day — will not always work any part of the day
at all, seeing that his yams, his breadfruit, and his plantains are ready to his
hands.

In what sense is England “happy”? Granted, it’s obvious from the point of view
of the “gentle” ruling class, none of whom are doing manual labour sixty hours
per week.

That aside, the question he raises still stands, two centuries later: Why should
anyone work harder than they need to, when the benefits of that work go to
someone else?

“Coloured”

There’s lots more of this, but it’s worth saying that while Trollope was racist
against Blacks, he was, oddly, not a white supremacist. He considers the
all-white colonial ruling class to be pretty useless, no better than the Blacks
he sneers at, and proclaims that the future belongs to the “coloured” (i.e.
mixed-race) people. He backs this up with some weird “Race Science” that I won’t
go into.

Unforgivable

Trollope’s one episode of pure venom is directed at the already-dying-out
Indigenous people of the region, pointing out with approval that one of the
island territories had simply deported that whole population, and suggesting
that “we get rid of them altogether.” This seems not to be based on race but on
the observation that they “more than once endeavoured to turn out their British
masters”. Colonialism is right behind racism in the line-up of European bad
behaviors. It may also be relevant that he apparently did not meet a single
Indigenous West-Indian person.

Meta-Trollope

I finished reading The West Indies and the Spanish Main because Trollope’s
portrayals of what he saw were so vivid and I couldn’t help being interested.

I had read Trollope’s autobiography and some more bits and pieces about him, and
had encountered not a word to the effect that whatever his virtues and
accomplishments, he was shockingly racist. So I checked a couple of biographies
out of the local library and yep, hardly a mention. One author noted that The
West Indies and the Spanish Main was out of tune with today’s opinions, but
there was no serious discussion of the issue. Wikipedia had nothing, and still
doesn’t as I write this, but I plan to fix that.

I dug a little harder here and there around the Internet and turned up nothing
about anti-Black racism, but a cluster of pieces addressing antisemitism; see
Troubled by Trollope? and Why Anthony Trollope Is the Most Jewish of the Great
English Novelists. There are a few Jews in Trollope’s novels, ranging from
wholly-admirable heroes (and heroines) to revolting villains. So you might think
he comes off reasonably well, were it not for casual splashes of antisemitic
tropes; the usual crap I’m not going to repeat here.

In case it’s not obvious, Trollope’s writings and opinions were strikingly
self-inconsistent, often within the course of a few pages. Well, and so is
racism itself.

At that point in history there was an entire absence of intersectionalist
discourse about racism being, you know, intrinsically bad, and there were many
who engaged in it enthusiastically and sincerely while remaining in polite
society.

Trollope’s racism is undeniable, but then he (once again, inconsistently) sounds
non-racist in theory. (However, he was gloomy about the attitudes of the white
population.) Check this out:

It seems to us natural that white men should hold ascendency over those who are
black or coloured. Although we have emancipated our slaves, and done so much to
abolish slavery elsewhere, nevertheless we regard the negro as born to be a
servant. We do not realize it to ourselves that it is his right to share with us
the high places of the world, and that it should be an affair of individual
merit whether we wait on his beck or he on ours. We have never yet brought
ourselves so to think, and probably never shall.

That text feels remarkably modern to me. I am a little more optimistic than he
is in his closing four words; some white people work hard at antiracism. But for
a lot of white people, his take remains depressingly accurate.

Degrees of racism?

I suspect that, if Trollope were with us today, his writings would probably be
conventionally antiracist. His opinions were solidly in his era’s mainstream and
I suspect he would find himself in ours, because he was really a pretty
conventional and actually kind of boring person.

With the single exception of those two sentences about the Indigenous people, he
seems to exhibit no particular emotional bias against any ethnic group.

Why, you might wonder, do I mention this? Therein lies a tale. In his
autobiography, when he discusses The West Indies and the Spanish Main, he notes
that it received a favorable review in The Times of London. I thought I’d like,
for the sake of context, to read that. (Thanks to William Denton for retrieving
the page images.)

I certainly didn’t enjoy reading The West Indies (unsigned) from early 1860 in
The Times. It fills most of a broadsheet page, dozens of column-inches one after
the other oozing vitriolic hate of Black people. I’m not going to even try to
describe it any further; I felt literally nauseated in reading and didn’t make
it through to the end.

I suspect that if that Times writer were with us today, he’d be an
unreconstructed alt-right dog-whistler, a good ole boy in a MAGA hat.

Reading this crap made me feel a little less angry about Trollope, who generally
liked people. Here’s what I think I learned: Racism comes in multiple flavors.
There are some people (like Trollope) who are intersectionally bigoted in a sort
of unthinking and incurious way, but not that emotionally bound to it. These are
the people that need to hear the antiracist message, loudly and clearly, over
and over. Because they might listen and learn.

Then there are the others. In 1860, that Times reviewer. Today, the slave-state
GOP MAGAs, the Israeli settler movement, Modi’s Hindutva hoodlums. They
genuinely hate The Other, down in their bellies. It’s how they define
themselves. Talking to them is useless. They have to be defeated and removed
from positions of power and influence. Then, thankfully, they can be ignored.
Because listening to them is useless too.


May 26

Today, 14:28 Phil Windley's Technometria (Feed)
Internet Identity Workshop XXXVIII Report

Summary: This spring's IIW was full of interesting people and interesting
discussions with people from around the globe.

We recently completed the 38th edition of the Internet Identity Workshop. We had
330 people from around the world who called 169 sessions. As usual there was
lots of energy and thousands of side conversations. IIW is a place to get things
done and it showed in the energy and the comments people made to me about how
much they enjoyed it.

Tuesday opening

As you can see by the pins in the map at the top of this post, there were
attendees from all over the world. Not surprisingly, most of the attendees were
from the US (241), followed by Canada (11). Germany, India, and Switzerland
rounded out the top five with 9, 8, and 7 attendees respectively. Attendees from
India (5), Thailand (3), and Korea (3) showed IIW's diversity with attendees
from APAC. And there were 4 attendees from South America this time. Sadly, there
were no attendees from Africa again. Please remember we offer scholarships for
people from underrepresented areas, so if you'd like to come to IIW39, please
let us know. If you're working on identity, we want you there.

Demo hour on Wednesday

For states and provinces, California was first with 122. Washington (16), Utah
(10), Texas (10) and New York (10) rounded out the top five. San Francisco (14),
Oakland (13), San Jose (12), Seattle (11), and New York (9) were the top cities.

Drummond Reed conducts a session

In addition to sessions, we have a demo hour on Wednesday that is a little like
speed dating. There were 20 different projects highlighted. There's always more
than one session that I want to attend in any given time slot and choosing is
hard. That's a common refrain. Luckily we have session notes that we publish in
a Book of Proceedings.

Here are pictures from all three days, courtesy of Doc Searls.

 

You belong at IIW! IIW is where you will meet people to help you solve problems
and move your ideas forward. Please come! IIW 39 will be held October 29-31,
2024 at the Computer History Museum. We'll have tickets available soon.

Tags: identity iiw


May 16

23.6.2024, 18:04 The Architect Elevator (Feed)
Ford vs. Ferrari vs. Porsche
Cultural lessons from a racing movie.

May 19

24.6.2024, 6:00 SEI Blog (Feed)
Cost-Effective AI Infrastructure: 5 Lessons Learned
This post details challenges and state of the art of cost-effective AI
infrastructure and five lessons learned for standing up an LLM.

May 13

Today, 9:19 mark nottingham (Feed)
Modularity: Enabling Interoperability and Competition

Mandated interoperability is often highlighted as a way to improve competition
on the Internet. However, most of the interoperability we see there today was
established voluntarily: mandating it is relatively uncharted territory, with
many potential pitfalls.

Giving policymakers a better understanding of how interoperability comes about
could help. A regulator that appreciates the motivations and constraints faced
when designing APIs has a better chance of identifying (in-)appropriate ones –
even if their target isn’t willing to fully cooperate.

This line of thinking recently led me to a more than twenty year old resource
that’s often called a “seminal work” but strangely isn’t cited much in either
Internet governance or API design circles, as far as I can tell: Design Rules
Volume 1: The Power of Modularity by Carliss Y. Baldwin and Kim B. Clark.

Their ambitions were not small:

[W]e want to explain how and why the computer industry changed from a
quasi-monopoly into a large “modular cluster.”[1] […] In particular, one of the
most important forces shaping the evolution of these designs was the drive toward
modularity.

For me this was an engrossing read, even though (and perhaps because) a fair bit
is already intuitive to a practitioner.

Chapter 3: What is Modularity? explains concepts like abstraction, isolation,
information hiding, and interface that are well known in industry:

A complex system can be managed by dividing it up into smaller pieces and
looking at each one separately. When the complexity of one of the elements
crosses a certain threshold, that complexity can be isolated by defining a
separate abstraction that has a simple interface. The abstraction hides the
complexity of the element; the interface indicates how the element interacts
with the larger system.

followed by a detailed explanation of ‘how individuals with knowledge can split
apart a large design with many innate interdependencies, and thereby create a
modular design and task structure.’

Chapter 9: Design Options and Design Evolution goes on to consider the economic
impact of modularity:

It is useful to divide the large set of all complex adaptive systems into two
categories: (1) systems in which the so-called adaptive plan is in the hands of
a few agents; and (2) systems in which the adaptive plan is decentralized to
many independent agents.

Yes, decentralisation fits in here too. Then, focusing on the benefits of the
latter category of systems:

Modularization permits individuals (or firms) to mix and match alternative
designs of the modules of a system. The “rights” to mix and match are options
with quantifiable value in the greater economic system. A modularization
multiplies design options and at the same time disperses them so that they can
be “picked up” by many people, without the permission of any central architect
or planner. The pursuit of valuable options by many decentralized actors in turn
accelerates the rate of change of the system as a whole. […] Modularity creates
design options and in so doing can radically change the market value of a given
set of designs.

Chapter 14: The Emergence of Modular Clusters reinforces this:

A modular design makes possible decentralized design evolution. In the presence
of advanced capital markets, a modular design also makes possible decentralized
industry evolution. In other words, when an artifact with a modular design is
created in an economy with advanced capital markets, subindustries of firms and
markets organized around modules may emerge and evolve in parallel with the
module designs themselves.

And then Chapter 15: Competition among Hidden Modules and Industry Evolution
begins:

Modular clusters, by definition, “play host” to modular design evolution. Hence,
unless and until an artifact design has been modularized, there is no cause for
a modular cluster to form. Following a modularization, we have seen, there will
be a concomitant multiplication and decentralization of design options. The
number of workgroups engaged in design (and production) will go up, while,
simultaneously, the forces of transactions and agency costs that tend to bind
workgroups together into firms will diminish. Depending on the balance of these
and other forces acting on the industry, a modular cluster (or clusters) may
then emerge as a viable form for the industry to take.

In other words: yet more support for interoperability through modularity and
decentralization as a remedy to competition and centralization issues – this
time from an economic perspective. I think that’s important, because regulators
have a lot more history with economists than they do with tech folks.

These are, of course, just a few highlights, and there are many more keen
observations throughout; if you find these quotes interesting, I recommend you
read the whole work.

I liked this book because there’s considerable value in having these
observations written down in a well-reasoned, rigorous framework: it’s one thing
if the industry says it does things for particular reasons in its many books
about the topic, but it’s another when it’s done with the appropriate
theoretical context and rigour from the ‘outside.’

I also enjoyed it because it ties together so many of the things I’m currently
interested in: APIs, interoperability, competition, and decentralization.
Critically, there’s also followup work which is even more relevant – but I’ll
write about that separately.

[1] In later interviews, Baldwin has said that the term ecosystem won out over her
modular clusters.


May 10

18.6.2024, 16:30 All Things Distributed (Feed)
Hacking our way to better team meetings
My team and I set out to build a simple note taking aide, which transcribes and
summarizes our meetings using Bedrock. Today, we’re making the proof of concept
available to everyone.

May 8

24.6.2024, 6:00 SEI Blog (Feed)
Polar: Improving DevSecOps Observability
This post introduces Polar, a DevSecOps framework developed as a solution to the
limitations of traditional batch data processing.

May 7

Today, 17:55 ongoing by Tim Bray (Feed)
Storage Churn

What are the highest-impact Cloud services? Storage would be near the top of any
list. Where by “Storage” I mean what S3 does: Blobs-of-bytes storage that is
effectively unlimited in capacity, credibly more durable than anything you could
build yourself, and easily connected to the world, either directly or through a
CDN. I think we’re entering a period of churn where there’s going to be serious
competition on storage price and performance. Which, by the way, is crucially
relevant to the Fediverse.

Let’s start with AWS, since they invented the modern Storage concept. The most
important thing about S3 is this: There appear to be zero credible reports of S3
data loss. Given the number of objects it holds, and the numbers of years it’s
held them, that’s remarkable.

It’s a safe place to store your data. Yeah, the API is a little klunky, and the
latency can be high, and the hardwired bucket/object hierarchy is annoying, and
so are the namespace issues. And it’s not cheap.

But it’s safe. And fast enough to be useful. And safe. And dead easy to connect
up to a CDN. And did I mention that it’s safe?

S3…

AWS, to their credit, aren’t resting on their laurels. Here is a good Register
interview with Andy Warfield, one of the lead S3 engineers and also a really
good person. He’s talking about another variation on the basic S3 service,
called “Express”, which has more filesystem-y semantics, higher performance, but
(reading between the lines) a little less durability? (Also, more expensive.)

What’s notable about S3 isn’t this particular feature, but the fact that AWS
keeps rolling out new ones. So it’s a moving target for the emerging
competition.

…but cheaper…

In recent years and especially over the last few months, alternatives and
competitors to S3 keep crossing my radar. A bunch of them have a premise that’s
essentially “S3-compatible, but cheaper”: Backblaze B2, Digital Ocean Spaces,
Wasabi, IDrive e2, Cloudflare R2, and Telnyx Cloud Storage. I’m sure I’ve missed
some.

…and faster!

Some of the products claim to be way faster. Which matters if it’s true, but so
far I don’t know of any popular benchmarking standards, so I’d take the numbers
with a grain of salt. If I really cared, for a big project, I’d want to try it
with my own code.

Here are a few of those:

S2

See Designing serverless stream storage. This is still more a research project
than a product, but I drop it in here because it says that access to S3 Express
made it possible. Its claim to fame appears to be higher performance.

Tigris

Tigris offers what they describe as “Globally Distributed S3-Compatible Object
Storage”. I think the best description of what that means is by Xe Iaso of
Fly.io, in Globally Distributed Object Storage with Tigris. It’s not just
well-written, it’s funny. Apparently Fly.io bundles Tigris in, with command-line
and billing integration.

Bunny

The fastest object storage, replicated to the edge is their big claim.

CDN?

Bunny sounds like it’s partly a CDN. And it’s not the only one. Which makes
obvious sense; if you want to deliver the stuff you’re storing to users around
the world at scale, you’re going to be hooking your storage and CDN together
anyhow. So those lines are going to stay blurry.

Compatibility and intellectual property

S3 compatibility is an issue. It’s interesting that AWS has apparently decided
not to defend the S3 API as intellectual property, and so these things
cheerfully claim 100% plug-compatibility. And when they don’t have it, they
apologize (that apology looks unusually far under the covers; I enjoyed reading
it).

Durability?

They may claim compatibility, but mostly do not claim equivalent durability.
I’ll be honest; if I were picking one, that would worry me. I’d need to see
pretty full disclosure of how the services work under the covers.

Unknowns

I just mentioned durability, which is a technology issue. The other big unknowns
are about business not technology. First of all, can you sustainably make money
selling storage at a price that undercuts AWS’s? I haven’t the vaguest idea.

Second, is this a threat to AWS? There is a vast amount of data that is never
gonna migrate off S3 because who’s got the time for that, but if the competition
really can save you a lot of money that could hit S3’s growth hard, and Amazon
wouldn’t like that. Who knows what might happen?

Now let’s change the subject.

Fediverse storage

I’ll use myself as a Fediverse example. As I write this, my @timbray@cosocial.ca
Mastodon account has just over 18K followers, distributed across 3K-and-change
instances. So whenever I post a picture or video, each of those instances
fetches it and then keeps its own copy, if only in a short-lived cache.

All these files are immutable and identical. Smell an opportunity? Yeah, me too.
Someone needs to build an object-store/CDN combo (I’ve already heard people say
“FDN”). The API should cater to Mastodon’s quirks. You could split the cost
equally or deal it out in proportion to traffic, but either way, I think there’d
be big cost savings for nearly every instance.

Furthermore, it doesn’t feel technically challenging. If I were still at AWS,
I’d be working on a PR/FAQ right now. Well, except for, since everything is
S3-compatible and CDNs are commoditized, it would be plausible (and attractive)
to build your FDN in a way that doesn’t tie you to any particular infrastructure
provider.

Someone has already started on this; see Jortage Communal Cloud; small as of
yet, but pointing in the right direction.

Fun times!

The storage world is a market with no monopolist, where providers are competing
on price, performance, and durability. Be still my beating heart.


May 7

22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #50: May 3, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

Platformonomics is off the next two weeks (recovering from Clown Week and the Q1
CAPEX numbers). Look for our next missive May 24th.

News

Q1 Amazon CAPEX

Amazon is the last of the clouds to report for Q1: CAPEX of $15 billion, up 5%.

The Amazon numbers are not very insightful as they include both the retail
business and AWS, and both have been churning post-pandemic.

AWS was 46% of Amazon’s total CAPEX in 2023 (they only break AWS out annually)
and AWS CAPEX was down for the first time ever last year.

The guidance was:

We anticipate our overall capital expenditures to meaningfully increase
year-over-year in 2024, primarily driven by higher infrastructure CapEx to
support growth in AWS, including generative AI.

On the — well, we’re talking about CapEx. Right now, in Q1, we had $14 billion
of CapEx. We expect that to be the low quarter for the year.

Previous:

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective, Follow the CAPEX:
Triangulating NVIDIA, Amazon Desperately Seeks Compression Algorithm for
Experience, Most Greatest AI Company in Entire Universe Makes Major Strategy
Pivot, SEC Embraces Platformonomics ClownWatch, Warns Amazon and IBM, The AWS
Generative AI Soap Opera, The Amazon AI Inferiority Complex

Q1 CAPEX Summary Scorecard (Final)

A reminder: upwards of 80-90% of Google/Meta/Microsoft CAPEX goes to cloud
infrastructure. The comparable Amazon number is likely under 50%.

Platformonomics ClownWatch at some point is going to have to look at Elon’s
three inadequately funded AI efforts (Tesla, Twitter and xAI). Even combined
they’re not in the game. Maybe that will motivate more Elon corporate governance
shenanigans?

Previous:

Q1 CAPEX Scorecard, Follow the CAPEX: Cloud Table Stakes 2023 Retrospective,
Follow the CAPEX: Triangulating NVIDIA, Platformonomics ClownWatch, Follow the
CAPEX: The Clown Car Race Checkered Flag

We Are All Now CAPEX Obsessives

This was the CAPEX quarter! Welcome everyone aboard the CAPEX train! I probably
should sell merch.

Previous:

Q1 CAPEX Scorecard, Follow the CAPEX: Cloud Table Stakes 2023 Retrospective

We Are Not All Arithmetic Obsessives

While seemingly aboard the CAPEX train, the New York Times still has some
arithmetic quality control issues. But they do aspire to be a tech company, so
they have that going for them.

Previous:

Aspiring Technology Company Neither Interested in Technology Nor Understands
Technology, Living in a Glass House: The New York Times On Tech, Living in a
Glass House: What is the New York Times?, Does the New York Times Editorial Page
Ever Talk to the Business Side of the House?

Some (New) CAPEX Obsessives Are Hallucinating Wildly

The importance of CAPEX has become common knowledge. There is no better
indicator than the fact venture capitalists have started doing CAPEX thought
leadership tweets and blog posts in the last week.

One must admire the ability to meld absolute certainty with getting the data
(and conclusions) completely wrong (and bonus points for simultaneously being
the author of “Winning with Data”).

Cloud Repatriation is Going Just Great: Q1 2024

The cloud repatriation narrative says companies are furiously moving workloads
back to their own data centers from the cloud. Between the tailwinds of
repatriation and generative AI, you’d think the biggest data center operators
would be reporting blow out numbers. But they’re not.

Digital Realty Trust reported a revenue decline of 3% and tried to hide it with
an anemic earnings day “partnership” announcement with noted CAPEX clown Oracle
(you may want to be seated when you read this game-changing news):

As part of this collaboration, Oracle will deploy critical GPU-based
infrastructure in a dedicated Digital Realty data center in Northern Virginia.

Fellow data center giant Equinix can’t even provide a date for reporting Q1
earnings after serious fraud allegations.

With Equinix on the floor in a fetal position, we are unable to update the
Platformonomics Repatriation Index. But if Equinix managed 10% growth for the
quarter, the index would still be at an all-time-low (i.e. the lowest evidence
of repatriation).

Data centers are not the slam dunk investment everyone thinks they are. There
will be blood.

Previous:

Cloud Repatriation is Going Just Great: Continued Radio Silence, Cloud
Repatriation is Going Just Great: Radio Silence from Equinix, Cloud Repatriation
is Going Just Great: Equinix, New Cloud Repatriation Hypothesis, Cloud
Repatriation Where Art Thou?, Cloud Repatriation: The Search Continues, Cloud
Repatriation: Still Not a Thing, Platformonomics Repatriation Index – Q1 2023:
Surf’s Up?, Private Equity in Action: Data Centers, Oracle Moves to Nashville,
Should I Stay or Should I Go

Wrapping Oneself in the Flag: Seattle Times Edition

Just putting a marker down on this apparently serious proposal from the Seattle
Times, a legacy provincial newspaper turned web site aggregator. Declaring
themselves synonymous with democracy, they ask to be made a ward of state, which
somehow will help a free press flourish. Note the lack of details about the
legislation they are requesting.

I am giving them a chance to persuade me they don’t actually mean this, but if
they do, I have thoughts. Many thoughts.

EU Announces Meta Struggle Sessions

The struggle sessions will continue until Europe has a tech industry (so don’t
hold your breath).

Previous:

UK Announces Big Tech Struggle Sessions “For The Children”, EU Announces DMA
Struggle Sessions

Reminder: The European Union is an Advanced Persistent Threat

Previous:

BREAKING: European Union Designated an Advanced Persistent Threat

Feature Request: Podcast Players

Can we please have a new podcast category: “VCs Shamelessly Talking Their
Books”?

Maybe also a category for “VCs Shamelessly Talking Their Books from the AI
Sidelines”?

You could persuade me there is a lot of overlap between those two.

And, of course, provide an option to hide these categories.

Previous:

The Most Important Issue in AI, The VC Antitrust Doctrine, VC-induced
Indigestion, The Looming Layoffs for Venture Capitalists, Ghost VCs


June 6

1.5.2024, 16:56 James Governor's Monkchips (Feed)
Monki Gras 2024: Wrapped

It’s always difficult, if not impossible, to sum up a conference that you’ve
recently run. But it’s important to write the post, because there are some
important jobs to be done – most notably thanking a bunch of people.

The main thing I want to say is that it was really, really, good to be back in
2024. Monki Gras is a labour of love, but the hard work is always worth it. The
event is unique in the community we sustain, and the approach we take to things.
It feels important – being an expression of so many of the things Redmonk holds
dear – most notably inclusion, kindness, and great story-telling. Like its
sister conference Monktoberfest, at Monki Gras we want people to feel inspired,
and, hopefully, to remember just why it is that they do what they do. We’re not
about the hustle, the hockey stick, and the PLG, but rather the craft, the
learning, and the teaching. We’re about highlighting the positive social aspects
of this industry we’re so privileged to work in.

With all that in mind it might seem counterintuitive that I should have made
prompt engineering and generative AI my theme this year – Prompting Craft.
After all, while AI is exciting in the possibilities it opens up, it’s also a
little scary. A lot of the intellectual property used to train large language
models (LLMs) has been used without any consideration of copyright. What is
more, many creatives, including software developers, feel threatened by the rise
of the machines. I definitely don’t want to minimise people’s fears or concerns.
It’s going to be very very uncomfortable. But it feels like the wave will break
whether we like it or not. Also Chat-GPT is really really bad at generating
vector graphics.

One answer to the tension about AI fears came from one of my speakers at the
event – Dr. Cat Hicks, founder of the Developer Success Lab. In its research
into the factors driving developer productivity, personal, and organisational
enablement the Lab examined AI as a potential threat to people. The research
found that the organisations and individuals most threatened by AI had an
adversarial culture – a culture of “brilliance”, where individuals constantly
feel they have to prove themselves, where coding is competition. Organisations
that are ready to embrace the possibilities of generative AI on the other hand,
have already fostered a culture of collaboration and shared learning, mutual
support and teamwork. For these organisations AI is just another way to work
effectively together.

I don’t plan to summarise all of the talks here but did want to mention Cat’s
talk because of the reasons outlined above. The talk was very human, and yet it
was about AI.

The human machine interface was a meta theme of the conference – prompting is
just another user interface, and it’s inherently social. We prompt each other to
get what we want and need. We prompt our children. We prompt our friends and
colleagues. We have to build trust with LLMs before we are comfortable making
more use of them. We can trick machines, just as they can trick us – security
specialists are not going to be out of a job any time soon…

So about those thank yous.

Firstly a shout to our speakers on day one – Richmond Alake, Alex Chan, Patrick
Debois, Cat Hicks, Zack Akil, Mathis Lucka, Luke Marsden, Farrah Campbell &
Brooke Jamieson, Rafe Colburn, Afsha Hossain and Matt Webb.

Day two was also excellent – thanks to Dormain Drewitz & Rachel Stephens, Ian
Miell, Julia Ferraioli, Jim Boulton, Kristen Foster-Marks, Paul Molin, Jessica
West, Kyle Roche, Emil Eifrem and Paige Bailey.

So much respect to attendees went into the prep and hard work by these speakers.

While I may not have summarised the days’ talks, my colleague Rachel Stephens
did a bang up job doing exactly that. Here are writeups of day one and day two.

Our Monki Gras sponsors were also critical in making the event a success. My
humble thanks to AWS, Civo, Deepset, CNCF, Neo4j, MongoDB, Akamai, Griptape,
PagerDuty, Screenly and Betty Junod for supporting us. A special thanks to Mark
Boost, CEO of Civo, for all his sterling efforts helping out with our venue –
Civo Tech Junction, a new space hosting free meetups and events in Shoreditch.

Last, and certainly not least, I need to thank the Monki Gras team – namely
Jessica West, Dan McGeady, and Rob Lowe. I couldn’t have done it without their
sterling efforts.

Other great write-ups include these by Sinead Doyle and François Hoehl and Simon
Haslam.

I will sign off with a quote from Patrick Debois which made me very happy.

“I have not felt this energised after a conference in at least years. I’ll be
back Monki Gras next time for sure!”


May 10
Today, 17:55 ongoing by Tim Bray (Feed)
Photointegrity

In March of 2004, just over twenty years ago, I published an ongoing piece
entitled, like this one, “Photointegrity”. The issue remains the same, but the
rise of AI increases its importance and its difficulty. Here are words on the
subject, illustrated by photos all of which have been processed with AI
technology.

Tulip blossom, captured with twenty-year old analog technology, enhanced with
AI.

There’s an amusing story about the technology behind these flower pictures, down
at the bottom of this piece.

Back in 2004

I was already using Photoshop but in fully-autodidactic mode, so I thought I
should read a book about it, and selected one by Scott Kelby, “The Photoshop
guy” back then and still active in the space, two decades later. It was a good
book, but I was left wide-eyed and shocked: I’ll quote from that piece for those
of you who don’t want to step back twenty years in time and read it:

Personal Improvement

In particular, Kelby walks through an astounding list of techniques for
improving portraits, and I quote: removing blemishes, removing dark circles
under the eyes, lessening freckles or facial acne, removing or lessening
wrinkles, colorizing hair, whitening the eyes, making eyes that sparkle,
enhancing eyebrows and eyelashes, glamour skin softening, transforming a frown
into a smile, doing a digital nose job, slimming and trimming, removing love
handles, and finally slimming buttocks, arms and thighs.

Integrity?

Screw it, integrity is history. The image is no longer the capture of an
instant’s light and colour, it’s, well… whatever you and Photoshop make of it.

Photointegrity

I proposed a definition at the time: “what I’m going to do is strive to balance
Truth and Beauty. In practical terms, this means the goal is to make the picture
look as much as possible like what I saw, as opposed to as good as possible.”

Simple yellow flower, captured with twenty-year old analog technology, enhanced
with AI.

I can’t claim that I follow that strictly; most of the pictures in this space
come out of the camera looking less pleasing than what I remember seeing, but I
will confess that the version you see is often prettier than that memory.
Usually, that results from the application of a bunch of Adobe technologies.

Is that OK? It’s a judgment call. Is there anything that isn’t a judgment call?
Funny you should ask, because Adobe just announced the Firefly Generative AI 3
model, around which the next version of Photoshop is being built. Hitting those
links and just scrolling through the pictures will give you a feeling for what
this software will do.

Let me put a stake in the ground. I believe these things:

If you use generative tools to produce or modify your images, you have abandoned
photointegrity.

That’s not always wrong. Sometimes you need an image of a space battle or a
Triceratops family or whatever.

What is always wrong is using this stuff without disclosing it.

The C2PA angle

Last October, I wrote up C2PA, a useful digital watermarking technology that can
be used to label images and video. That piece’s predictions look like they’re
coming true; several manufacturers have announced C2PA support. I’m not going to
take the space here to describe C2PA again.

I do note that Photoshop already supports C2PA and when it writes a watermark
saying “Edited with Photoshop”, that label includes a very few words about what
it did: cropping, levels adjustment, and so on; no details.

I believe strongly that when people use Adobe’s Firefly generative AI to create
or augment pictures, Photoshop should by default turn C2PA labeling on, and
disclose in the watermark whether it is fully-generated or just augmented. Sure,
the person generating the image can always take that watermark out, but they
can’t change its contents, and assuming C2PA becomes ubiquitous, the absence of
a watermark would be reasonable grounds for suspicion.

Fruit tree blossoms, not open yet, captured with twenty-year old analog
technology, enhanced with AI.

AI + photointegrity?

Over the last couple of years, the way I use Adobe Lightroom has changed a whole
lot, and it’s mostly because of AI. Specifically, smart select. Lightroom now
offers Select functions for Subject, Background, Sky, and Object. There’s also a
very useful “Duplicate and invert” for any selection. I use these for almost
every photo I take, especially Select Sky. The amount of light in the sky
differs from that down here on the surface, and I’m pretty sure that our eyes
compensate for that. Almost every picture looks more “real” when you select the
sky and dial the brightness down (rarely: up) a touch, and maybe bump the
contrast a bit.

This photo would have been a complete failure without those tools.

Allyson’s parents speak to the crowd at her memorial.

Recently we were at a memorial social for our recently-deceased friend Allyson.
It was on a rooftop, on a bright grey day; the volume of light coming out of the
sky was insane, and kept turning my photographic subjects into dark silhouettes.

The photo of Ally’s parents addressing the crowd is not great (her mom’s eyes
are closed) but it at least captures a moment. The original was totally
unusable, because the subjects are under a canopy and thus shaded, while the sky
and cityscape and even mountains were reflecting harshly. So you select the
subject, you invert and duplicate, you add light to the subject and subtract
from the rest, and you get something that looks exactly like what I saw.

Of course, this depends on a good camera with a lot of dynamic range that can
fish detail out of shadows.

I think this process retains photointegrity.

AI-enhanced analog

What happened was, the sun came out after the rain, everything is blooming this
time of year, and I wanted to take pictures. I was rummaging for lenses and
there was this dark shape at the back of the shelf. “What’s that?” I thought. It
turned out to be an old Pentax with “Macro” in its name. Just the thing! Here’s
what the combo looks like.

By the way, one reason the Internet is still good is that random enthusiasts
maintain obscure databases, for example of camera lenses, from whence this smc
Pentax-D FA 100mm F/2.8 Macro, an alternate version of which rejoices in the
name “Schneider-Kreuznach D-Xenon”. It seems to have been manufactured only
around 2004. I wrote about buying it in 2011 and shooting flowers and dancers
with it in 2014; lotsa groovy pix in both.

Anyhow, this lens does a fabulous job of isolating foreground and background.
Given this to chew on, Lightroom’s AI gizmo does a fabulous job of selecting
just the flower (or background). So it’s easy to sharpen the flower and fade the
bokeh; the old lens and the bleeding-edge software were made for each other.

But I digress.

Photointegrity matters

It mattered in 2004 and it matters more every passing year as our level of trust
in online discourse falls and the power of generative AI grows. We have the
tools to help address this, but we need to think seriously, and use them when
appropriate.


April 30
24.6.2024, 6:00 SEI Blog (Feed)
What Recent Vulnerabilities Mean to Rust
In recent weeks several vulnerabilities have rocked the Rust community causing
many to question its safety. This post examines two such vulnerabilities.

April 29
Today, 9:19 mark nottingham (Feed)
No One Should Have That Much Power

It’s a common spy thriller trope. There’s a special key that can unlock
something critical – business records, bank vaults, government secrets, nuclear
weapons, maybe all of the above, worldwide.

Our hero has to stop this key from falling into bad people’s hands, or recover
it before it’s too late. Perhaps at one point they utter something like the
title of this post. You walk out of the theatre two hours later entertained but
wondering why someone would be silly enough to create such a powerful artefact.

In a surprising move, law enforcement officials are once again calling for such
a thing to be created. Repeatedly.

These authorities and their proxies say that they must have access to encrypted
communications to keep us safe. They have been doing so for years – at first
bluntly, now in a more subtle way. Encryption backdoors aren’t politically
viable, so they take pains to say that they don’t want them while at the same
time asking for a level of access that cannot be achieved except through
backdooring encryption.

If you create a way to recover messages sent through a service, that’s a
backdoor. If you run some code that evaluates messages on the endpoints and
flags them if they meet some criteria, that isn’t an improvement; it’s a
backdoor that can be abused in myriad ways. Centralising access to encrypted
content creates unavoidable systemic risks.

This means that any such mechanism has to be handled like weapons-grade
plutonium: losing control is a disaster of epic (or even existential)
proportions. The few national governments who have nuclear capability struggle
greatly to manage that risk; why would we intentionally entrust something as
powerful to every government in the world or potentially even every local police
department? Or will it be just a privileged few governments that will have
access?

The current crop of suggestions seems to concede that governments shouldn’t have
direct access. Instead, they want services to backdoor themselves and act as
gatekeepers to law enforcement. That’s not an improvement; it’s still
centralized, and it makes these companies responsible for any misuse of the data
that they have access to, requiring everyone on the planet to trust a few big
tech companies with our private and most intimate conversations – hardly a
direction that society wants to go in in 2024. ‘Trust me, I’m in charge’ is a
poor model of governance or security.

These ‘solutions’ also ignore the reality that the ‘bad guys’ will just use
other tools to communicate; information is information. That will leave
law-abiding people giving up their privacy and security for little societal gain.

Law enforcement has more power than ever before because of digital technology.
They are able to collect, process, summarise and track much more efficiently and
at much greater scale. Genuinely new insights and capabilities are possible. So,
when they want access to encrypted data because things have ‘gone dark’, it’s
reasonable to ask ‘as compared to what?’

No one should have that much power, because messaging and other encrypted
services have become people’s memories, their casual hallway chats, their
intimate whispers. Yes, there is longstanding legal precedent for searching
someone’s papers and home, but the barriers to doing so are considerable – not
just those imposed by law, but also physics. There are few such inherent limits
on a key that can trivially enable access to what amounts to anyone’s mind or
identify anyone who thinks about a particular topic. Law enforcement struggles
to solve real and serious problems, but the power they’re asking for is too vast
and too easily misused, and they are failing to appreciate how it would operate
on a global Internet.

One of the assumptions built into these calls is that if the tech community
would just nerd harder, a solution could be somehow magically found that
preserved privacy and security while letting the ‘good guys’ have access. With
all respect to the valuable work that law enforcement does to protect society,
it’s equally as valid to ask them to just police harder.


May 10
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #49: April 26, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

Busy week with first quarter earnings reports — lots of CAPEX!!!

My Writings

European Union Designated an Advanced Persistent Threat

Previous:

BREAKING: European Union Designated an Advanced Persistent Threat

News

Q1 CAPEX Scorecard

The CAPEX numbers are rolling in:

 * Google: $12.01B +91%, new all-time-high!
 * Meta: $6.72B, -5%, but strong CAPEX guidance sinks stock!
 * Microsoft: $14B +79%, new all-time-high!

Amazon reports next week.

Previous:

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective

Q1 Google CAPEX

Good trend — Google may finally have awoken:

Guidance (implies CAPEX could surpass $50 billion in 2024):

Looking ahead, we expect quarterly CapEx throughout the year to be roughly at or
above the Q1 level

…most nearly all, I should say, of the CapEx was in our technical
infrastructure. We expect that our investment in office facilities will be about
less than 10% of the total CapEx in 2024, roughly flat with our CapEx in 2023,
but is still there.

Previous:

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective, Follow the CAPEX:
Triangulating NVIDIA

Q1 Microsoft CAPEX

Comparison with Google (an even better trend):

Notable:

Currently, near-term AI demand is a bit higher than our available capacity.

Guidance:

We expect capital expenditures to increase materially on a sequential basis
driven by cloud and AI infrastructure investments. As a reminder, there can be
normal quarterly spend variability in the timing of our cloud infrastructure
buildout and the timing of finance leases. We continue to bring capacity online
as we scale our AI investments with growing demand.

Therefore, we now expect full-year FY24 operating margins to be up over 2 points
year-over-year even with our cloud and AI investments, the impact from the
Activision acquisition, and the headwind from the change in useful lives last
year.

To scale to meet the growing demand signal for our cloud and AI products, we
expect FY25 capital expenditures to be higher than FY24. These expenditures over
the course of the next year are dependent on demand signals and adoption of our
services, so we will manage that signal thru the year. We will also continue to
prioritize operating leverage and therefore, we expect FY25 operating margins to
be down only about one point year-over-year, even with our significant cloud and
AI investments as well as a full year of impact from the Activision acquisition.

Impressive:

Free cash flow grew faster (+21%) than earnings (+20%), despite the big bump in
CAPEX.

Previous:

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective, Follow the CAPEX:
Triangulating NVIDIA

Q1 Meta CAPEX

We haven’t historically tracked Meta because they’re not a cloud provider. But
they are one of the biggest CAPEX spenders ($28 billion in 2023) and are
accelerating that spend for generative AI. Huge props to Meta for tanking their
stock 20% by upping their CAPEX guidance by $5 billion for 2024! We revere
CAPEX-first companies!!!

Meta didn’t do a very good job explaining how they will make money from their
increasing CAPEX investments. As described in a recent Zuckerberg interview,
Meta is much more comfortable spending now and figuring it out later than Wall
Street. But makes one wonder if Meta doesn’t get into model hosting for third
parties in the future, making them more of a cloud competitor.

One explanation for the planned CAPEX bump:

Guidance:

We anticipate our full year 2024 capital expenditures will be in the range of
$35 billion to $40 billion, increased from our prior range of $30 billion to $37
billion as we continue to accelerate our infrastructure investments to support
our AI roadmap. While we are not providing guidance for years beyond 2024, we
expect CapEx will continue to increase next year as we invest aggressively to
support our ambitious AI research and product development efforts.

Notable — talking about CAPEX and energy as peers:

As we’re scaling CapEx and energy expenses for AI…

Previous:

Follow the CAPEX: Triangulating NVIDIA, Cloud Power Up

Related:

Russian court sentences Meta spokesperson to six years in absentia (a badge of
honor)

Meanwhile, at the Front of the GPU Queue

Hashicorp’s Acquisition by IBM

Some quick thoughts:

 * Congratulations to all my friends at Hashi. $6.4 billion!
 * The consolidation game is afoot and will continue — we still have too many
   sub-scale software companies.
 * I feel slightly responsible as I suggested Hashi was a better acquisition
   than Red Hat five years ago.
 * I also at that time expressed skepticism about IBM’s bombastic claim that
   acquiring Red Hat “changes everything about the cloud market”. Narrator: “it
   didn’t”.
 * Hopefully Hashi can avoid the fate of other IBM acquisitions (company slogan:
   Where software goes to die).
 * We will however reserve the headline “IBM Makes a Hash of Hashicorp” should
   it be needed in the future.
 * The most interesting question is does IBM revert Hashi’s recent license
   change and try to undo the OpenTofu fork. IBM has been on its own quest to
   tighten up access to ostensibly open source RHEL so will be interesting to
   see how they play this.

And, just to point out the obvious, a Hashicorp acquisition doesn’t address
IBM’s fundamental issues:

Previous:

Very Cold Take on IBM, Red Hat and Their Hybrid Cloud Hyperbole, SaaS Sprawl and
the Potential for Market Consolidation

Related:

On IBM acquiring HashiCorp

Platformonomics ClownWatch: IBM

The OG CAPEX clown nailed the quarter with CAPEX declining 21% to a barely
discernible $361 million (about 2.5 days of Microsoft CAPEX spend), while
continuing to pretend they are an AI company (and they’re already pretending
Hashi is an AI thing). IBM retains its position at the top of the ClownWatch
list.

Previous:

Platformonomics ClownWatch, Follow the CAPEX: The Clown Car Race Checkered Flag,
Introducing Platformonomics ClownWatch, IBM and the Art of Misleading Investors,
This Week in Securities Fraud, Clown CAPEX, IBM’s “Cloud” Business (or Lack
Thereof), IBM: How Much Longer Do the Good Times Last?, IBM’s Lost Decade

Platformonomics ClownWatch: Tesla

Elon says Tesla should be valued as an “AI robotics company” and not a car
company. People have thoughts on what that would mean financially:

But if we turn the all-seeing-eye of CAPEX to Tesla, we find:

 * The claimed spend of $1 billion in “AI infrastructure CAPEX” is a
   suspiciously round number. Almost IBM-esque.
 * But it is also Dr Evil-esque relative to what others are spending on AI
   infrastructure. Even noted CAPEX clown Oracle spends more than that on CAPEX.
 * Tesla spent $2.8 billion in total CAPEX in Q1 (and we’re under the impression
   they have manufacturing plants and stuff). The previous four quarters were
   all over $2 billion so the $1 billion claim looks more like marketing than a
   big leap in investment.
 * Tesla has never spent more than $9 billion in CAPEX annually.
 * Tesla’s CAPEX is less than 3% of revenue, which is about what Microsoft and
   Oracle used to spend when they were pure software companies. Google and
   Microsoft now spend double digits of revenue. UPDATE: that 3% number was
   erroneously quarterly CAPEX over annual revenue. Tesla’s CAPEX as a
   percentage of revenue this quarter was 13%. But again, they have
   manufacturing plants and stuff.

So I am delighted to announce Tesla has been placed on Negative Watch. Further
disparities between their AI rhetoric and their cold, hard CAPEX spend may
result in the company being designated a full-fledged AI Clown.

And it looks like xAI may shortly be joining the list ($6 billion doesn’t take
you very far in the frontier AI world):

Previous:

Platformonomics ClownWatch

Software Migration Alert: DarkTrace

When private equity comes amalgamating, it is time to start migrating.
Especially when it comes to cybersecurity…

Previous:

Software Migration Alerts, Perfidious Private Equity

McKinsey: It Might Just Be Happening

Criminal convictions can lead to the death penalty.

Previous:

A Call for the Corporate Death Penalty, McKinsey Karma?, McKinsey a Source of
Bad Banking Advice (Shocking!)

Related:

McKinsey: Last Week Tonight with John Oliver, Red Hat tries on a McKinsey cap in
quest to streamline techies’ jobs

Oracle Moves to Nashville

In the future, every city will be Oracle headquarters for 15 minutes.

And we have an exclusive photo of the entire Oracle Cloud headquarters region
being migrated to Nashville:

Previous:

Follow the CAPEX: The Clown Car Race Checkered Flag

Cloud Repatriation is Going Just Great: Continued Radio Silence

Previous:

Cloud Repatriation is Going Just Great: Radio Silence from Equinix, Cloud
Repatriation is Going Just Great: Equinix, New Cloud Repatriation Hypothesis,
Cloud Repatriation Where Art Thou?, Cloud Repatriation: The Search Continues,
Cloud Repatriation: Still Not a Thing, Platformonomics Repatriation Index – Q1
2023: Surf’s Up?

Related:

What Happens When Hyperscalers And Clouds Buy Most Servers And Storage?

Interesting If True

So You Want to Build an AI Company: Episode 3

Their administrative bloat is your opportunity.

Previous:

So You Want to Build an AI Company: Episode 2, So You Want to Build an AI
Company


June 6
Today, 14:28 Phil Windley's Technometria (Feed)
Using X.509 Certs for DID Provenance

Summary: The abundance of X.509 certificate authorities who already perform
identity proofing for businesses provides a rich resource that can be leveraged
to boot the verifiable data ecosystem.

When you use a verifiable credential to prove something about yourself, the
verifier can know cryptographically: (1) the identifiers for the issuer, (2) the
credential hasn't been tampered with, (3) the credential was issued to you, and
(4) the credential hasn't been revoked. These four checks are important because
they establish the fidelity of the data being transferred. They don't, however,
tell the verifier whether they can trust the issuer. For that, they need to take
the issuer's decentralized identifier (DID) that they got from the credential
presentation and determine who it belongs to.

At the most recent Internet Identity Workshop, Drummond Reed gave a session on
how X.509 certificates could help with this. The first step, like always, is to
resolve the DID and retrieve the DIDDoc that associates keys and endpoints with
the DID. The endpoint can be an HTTP server and, of course, should have an X.509
certificate providing TLS security. That certificate, at the very least, has a
domain name and binds it to the certificate's public key. It can, if you pay for
the feature, also include information about the entity that applied for the
certificate. The certificate authority proofs that information and is vouching
for it when they sign the certificate.

The key to making the X.509 certificate useful for checking the provenance of a
DID lies in one key change. X.509 certificates can contain an extended field
called a Subject Alternative Name. The following figure shows how it can help.

Using X.509 Certificates to establish the owner of a DID

In this figure:

1. The issuer (Attestor) creates the DID they will use to issue the certificate
   along with its associated DIDDoc, including an HTTP endpoint for DID
   verification.
2. Attestor applies for an X.509 certificate for that endpoint, including in the
   application the DID they created in (1).
3. The certificate authority does its usual proofing of the application and
   issues a certificate that includes the DID in the Subject Alternative Name
   field.
4. The issuer creates a credential definition in the usual way that includes
   their DID and writes it to whatever Verifiable Data Registry their DID method
   dictates.
5. Attestor issues a credential to a holder (Alice) using that credential
   definition.
6. At some later time, Alice presents the credential to the verifier (Certiphi).
7. Certiphi resolves the DID to get the DIDDoc and retrieves the verification
   endpoint from the DIDDoc.
8. Certiphi retrieves the certificate for that endpoint.[1]
9. Certiphi verifies the certificate by checking its signature and ensures that
   the DID in the DIDDoc for the credential matches the one in the
   certificate.[2]

The issuer's DID has now been tied in a verifiable way to whatever information
is in the certificate. Provided the certificate includes information about the
entity beyond the domain name, the verifier can use that information to
determine whether or not the credential is authentic (i.e., issued by who the
credential definition purports issued it). That might be all the evidence they
need to determine whether to trust the entity. Certificate authorities could
also issue verifiable credentials to the customer attesting the same verified
claims—after all, it's one more product they can offer.

The benefit of doing issuer validation using X.509 certificates is that there
are already many trusted X.509 certificate authorities in business who already
do proofing of attributes about businesses. That's a huge chunk of the
verifiable data ecosystem that doesn't need to be built because it can be
leveraged. To make this work, digital certificate authorities would need to
start offering to validate DIDs and include them in a certificate as a Subject
Alternative Name. I don't discount that this will take some bureaucratic
maneuvering. Certificate authorities will need to see a business opportunity.
I'd love to see DigiCert or someone do a pilot on this.

Notes

1. Note that this step might be combined with the previous step if the
   Verifiable Data Registry is the same server as the endpoint, but that's not
   necessarily going to be the case for a number of reasons.
2. Note that this does not create a call back wherein Attestor can determine
   which credential was used, preserving the privacy of the presentation.
   Attestor does know one of its credentials has been presented to Certiphi. If
   this information leakage bothers you, then any web-based DID method is
   potentially a problem.

Tags: identity ssi decentralized+identifiers verifiable+credentials x.509


April 25
Relationships are Entangled

Summary: People aren't digitally embodied. As a result, their online
relationships are anemic. As we think about the kinds of digital identity
systems that will help people live authentic online lives, we must build
identity systems that give people tools to operationalize rich digital
relationships.

Identity is the ability to recognize, remember, and react to people,
organizations, systems, and things. In the current web, companies employ many
ponderous technological systems to perform those functions. In these systems, we
are like ghosts in the machines. We have "accounts" in companies' systems, but
no good way to recognize, remember, and react to them or anyone else. We are not
digitally embodied.

One of the great benefits of embodiment is the ability to form and
operationalize rich digital relationships. I've written a lot about the nature
of digital relationships.

 * Relationships and Identity
 * Authentic Digital Relationships
 * Ephemeral Relationships
 * Operationalizing Digital Relationships
 * Relationships in the Self-Sovereign Internet of Things
 * The Architecture of Identity Systems
 * Are Transactional Relationships Enough?
 * Fluid Multi-Pseudonymity

One of the discussions at VRM Day caused me to think about a feature of digital
relationships I hadn't considered before. Someone said that if you think about a
graph with people (or things, organizations, and so on) as the nodes, the
relationships are the edges, like so[1]:

A single, bi-directional relationship

In this figure Alice and Bob have a bi-directional relationship. This is how
I've normally thought about it and how I'd have drawn it. But in today's
discussion, someone said that the relationship is shared and that Alice and Bob
both control it. But I realized that viewpoint is too simple. Specifically,
Alice and Bob each have a different perspective of that relationship and will
use it separately.

For example, imagine that Alice is the cashier at a grocery store and Bob is a
customer. Alice gives great service, so Bob seeks her out when he shops. Alice
on the other hand has no particular recollection of Bob from encounter to
encounter. For Alice, the relationship is ephemeral, but for Bob, it's longer
term. The nature of each relationship is different. So, we might look at it like
this:

Two uni-directional relationships

But after discussing it some more, I realized that these relationships aren't
independent. They're entangled like this:

Entangled relationships

In the example I gave above, as Bob seeks out Alice more and more, Alice might
come to recognize him and call him by name, changing the nature of her
relationship with Bob. And that may influence the nature of Bob's relationship
with Alice. Over time, these interactions influence both relationships. So,
while Alice and Bob both have control over their relationship with the other,
actions by one influence the other.

I frequently say that we don't build identity systems to manage identities, but
rather to manage relationships. The problem with contemporary identity systems
is that they are all one sided, controlled by one party—almost always a company.
As I've said before, people are not digitally embodied and thus have no good way
to manage their online relationships. As we strive to build better digital
identity systems, I think it's paramount that we build systems that provide
people with tools that embody them and provide them with the ability to
operationalize their online relationships. These are more than decentralized;
they are self-sovereign.

Notes

1. Peer decentralized identifiers (DIDs) are a great technology for creating
   bi-directional relationships.

Tags: identity relationships


April 25
Today, 17:55 ongoing by Tim Bray (Feed)
Mobile Typing Pain

I ran a Fediverse poll asking how people go about entering text on mobile
devices. The results shocked me: Half the population just taps away. Do you?
Read on for details and speculation.

This ongoing fragment embeds links to previous fragments, because I’ve been
worrying and writing about this problem for a long time. Which in itself is
interesting, more evidence that the problem is hard.

The poll post and (long) chain of responses are here on Mastodon.

People care

First, 3.5K poll responses is more than I usually see on the Fediverse; evidence
that plenty of people have feelings about this. To reinforce that impression,
scroll down through the responses (there are dozens). Many say, essentially,
“Entering text on a mobile device is too hard, so I don’t.”

I’m one of those; I regularly start entering a message into a phone, stop, get
up, and walk across the room to a real keyboard.

Tap tap wow

I widened my eyes when I saw that half the respondents testify to tapping along
letter by letter. I could never. But then I have big fat farmer’s fingers with
soft ends, and am not terribly dextrous.

But, probably, I shouldn’t have been surprised; 21 years ago in this blog I
remarked that “it's pretty impressive to watch a Japanese person pounding text
into their PDA at high speed using just their thumbs.” And today I watch teenage
digits dance on devices like maddened maenads; they seem not to find it tedious.

Swiping etc

A quarter of poll respondents reported swiping words into their phones.

I mentioned above that people have been working on this for a long time. Check
out this progress report from ongoing in 2011. It’s worth noting that Android’s
input method being replaceable was important in driving this innovation.

My own proposal, the Digitator, has failed to break through.

That piece concludes “Anyhow, I’m pretty sure that something will come along.”
But on the evidence it hasn’t, really.

The AI angle: Auto-predict and voice

The least popular poll options were tap-plus-autopredict and voice. I guess I’m
weird, because those are what I mostly use. I suspect many others should too but
don’t, probably because they tried those things a while ago and haven’t
revisited them recently.

In my experience (which, granted, is almost all on Google Pixel devices) the
autopredict and voice options have gotten stronger with almost every release.
Not just a little bit stronger, either. Perhaps it’s just because I’m the white
male Anglophone “canonical human” that designers build for, but I get
dramatically better results than I used to.

Now obviously, most reasonable people will only talk to their phone when they’re
in a private place, which limits the use of that option. But if you can find
privacy, the voice option is getting remarkably good.

Which is to say, I can enter message or email text in at a pace that is
sometimes adequate. Do I enjoy doing this? No, I hate it, as I noted above, and
will make a real effort to switch to a keyboard.

In particular if what I want to enter is important, might matter.

Because anything that matters deserves editing, and it’s rare indeed that I hit
“Send” on a first draft. And while brute-force text entry is edging into
adequacy, editing remains a pool of pain.

Subtext

Two and a half decades into this millennium, the most popular communication
products are optimized for consumption and barely adequate for creation. If I
were paranoid and cynical, I might suspect that this is no accident. Oh wait, I
am. But in fact I think it’s just a hard problem.


April 250
22.6.2024, 19:00 Platformonomics (Feed)
BREAKING: European Union Designated an Advanced Persistent Threat
European Union Designated an Advanced Persistent Threat
Threat Actor Seeks to Degrade Global Internet

APRIL 22, 2024 – The European Union has been designated an Advanced Persistent
Threat (APT) group for its systematic efforts to undermine cybersecurity and
fundamental capabilities of the Internet around the globe.

Advanced Persistent Threat groups are sophisticated adversaries that use
multiple attack vectors to pursue malicious objectives over an extended period.

The European Union threat actor has repeatedly attempted to undermine Internet
privacy, security, and utility. Attacks include efforts to backdoor encryption
systems, shatter the iOS security sandbox, prohibit end-to-end secure messaging,
arbitrarily censor “unwanted” digital speech, and preemptively restrict the use
of generative AI. The European Union has aggressively tried to expand its
attacks beyond Europe, and often masks its attacks as purported privacy and
security protections.

“The European Union isn’t actually very advanced – they really have no clue
about technology or how it works – but they are extraordinarily persistent in
their efforts to undermine digital privacy and security not just in Europe, but
globally.”

The European Union got its start as a threat actor with denial-of-service
attacks through ineffectual and unnecessary cookie consent dialogs. Global
acquiescence to that GDPR attack emboldened the threat actor to pursue a wide
variety of additional attack vectors (aka “the Brussels Effect”).

In accordance with APT group naming conventions, the European Union threat actor
has been dubbed “les fromages qui puent” (“Stinky Cheese”).


April 220
24.6.2024, 6:00 SEI Blog (Feed)
The Great Fuzzy Hashing Debate
This post details a debate among two researchers over whether there is utility
in applying fuzzy hashes to instruction bytes.

April 220
Today, 9:19 mark nottingham (Feed)
Considerations for AI Opt-Out

Creating a Large Language Model (LLM) requires a lot of content – as implied by
the name, LLMs need voluminous input data to be able to function well. Much of
that content comes from the Internet, and early models have been seeded by
crawling the whole Web.

This now widespread practice of ingestion without consent is contentious, to put
it mildly. Content creators feel that they should be compensated or at least
have a choice about how their content is used; AI advocates caution that without
easy access to input data, their ability to innovate will be severely limited,
thereby curtailing the promised benefits of AI.

The Policy Context

In the US, the Copyright Office has launched an initiative to examine this and
other issues surrounding copyright and AI. So far, they have avoided addressing
the ingestion issue, but nevertheless it has come up repeatedly in their public
proceedings:

“The interests of those using copyrighted materials for AI ingestion purposes
must not be prioritized over the rights and interests of creators and copyright
owners.” – Keith Kupferschmid, Copyright Alliance

“Training of AI language models begins with copying, which we believe has
infringed our copyrights and has already deprived us of hundreds of millions of
dollars in rightful revenues.  The additional violation of our moral right of
attribution makes it impossible to tell which of our works have been copied to
train AI and thus frustrates redress for either the economic infringement or the
violation of our moral right to object to use of our work to train AI to
generate prejudicial content. […] OpenAI, for example, has received a billion
dollars in venture capital, none of which has been passed on to the authors of
the training corpus even though, without that training corpus, chatGPT would be
worthless.” – Edward Hasbrouck, National Writers Union

It’s uncertain when (or if) the Copyright Office will provide more clarity on
this issue. Also relevant in the US are the outcomes of cases like Getty Images
(US), Inc. v. Stability AI, Inc.

However, Europe has been more definitive about the ingestion issue. Directive
2019/790 says:

The [exception for copyright] shall apply on condition that the use of works and
other subject matter referred to in that paragraph has not been expressly
reserved by their rightholders in an appropriate manner, such as
machine-readable means in the case of content made publicly available online.[1]

This is reinforced by the recently adopted AI Act:

Any use of copyright protected content requires the authorisation of the
rightsholder concerned unless relevant copyright exceptions and limitations
apply. Directive (EU) 2019/790 introduced exceptions and limitations allowing
reproductions and extractions of works or other subject matter, for the purpose
of text and data mining, under certain conditions. Under these rules,
rightsholders may choose to reserve their rights over their works or other
subject matter to prevent text and data mining, unless this is done for the
purposes of scientific research. Where the rights to opt out has been expressly
reserved in an appropriate manner, providers of general-purpose AI models need
to obtain an authorisation from rightsholders if they want to carry out text and
data mining over such works.

In other words, European law is about to require commercial AI crawlers to
support an opt-out. However, it does not specify a particular mechanism: it only
says that consent must be ‘expressly reserved in an appropriate manner.’

So, what might that opt-out signal look like?

Robots.txt as an Opt-Out

Since most of the publicly available content on the Internet is accessed over
the Web, it makes sense to consider how an opt-out might be expressed there as a
primary mechanism. The Web already has a way for sites to opt-out of automated
crawling: the robots.txt file, now specified by an IETF Standards-Track RFC.

At first glance, robots.txt intuitively maps to what’s required: a way to
instruct automated crawlers on how to treat a site with some amount of
granularity, including opting out of crawling altogether. Some LLMs have latched
onto it already; for example, OpenAI allows their crawler to be controlled
by it.

There are a lot of similarities between gathering Web content for search and
gathering it for an LLM: the actual crawler software is very similar (if not
identical), crawling the whole Web requires significant resources, and both uses
create enormous potential value not only for the operators of the crawlers, but
also for society.

However, it is questionable whether merely reusing robots.txt as the opt-out
mechanism is sufficient to allow rightsholders to fully express their
reservation. Despite the similarities listed above, it is hard to ignore the
ways that LLM ingest is different.

That’s because Web search can be seen as a service to sites; it makes them more
discoverable on the Web, and is thus symbiotic – both parties benefit. LLM
crawling, on the other hand, doesn’t have any benefits to the content owner, and
may be perceived as harming them.

Through the lenses of those different purposes and their associated power
dynamics, a few issues become apparent.

1. Usability and Ecosystem Impact

Robots.txt allows sites to target directives to bots in two different ways: by
path on the site (e.g., /images vs. /users) and by User-Agent. The User-Agent
identifies the bot, allowing sites to specify things like “I allow Google to
crawl my site, but not Bing.” Or, “I don’t allow any bots.”

That might be adequate for controlling how your site appears in search engines,
but problematic when applied to AI. Let’s look at an example.

To stop OpenAI from crawling your site, you can add:

User-Agent: GPTBot
Disallow: /

However, that directive doesn’t apply to Google, Mistral, or any other
LLM-in-waiting out there; you’d have to target each individual one (and some
folks are already advising on how to do that).

If you miss one, that’s your fault, and it’ll be in that model forever, so
careful (or just frustrated) people might decide to just ban everything:

User-Agent: *
Disallow: /

But that has the downside of disallowing AI and search crawlers – even though
presence in search engines is often critical to sites. To avoid that, you would
have to enumerate all of the search engines and other bots that you want to
allow, creating more work.

Significantly, doing so could also have a negative effect on the Web ecosystem:
if sites have a stronger incentive to disallow unknown bots thanks to AI, it
would be much harder to responsibly introduce new crawler-based services to the
Web. That would tilt the table even further in the favour of already established
‘big tech’ actors.

There are two easy ways to fix these issues. One would be to define a special
User-Agent that applies to all AI crawlers. For example:

User-Agent: AI-Ingest
Disallow: /

The other approach would be to create a new well-known location just for AI –
for example /.well-known/ai.txt. That file might have the same syntax as
robots.txt, or its notoriously quirky syntax could be ditched for something more
modern.

Either solution above would make it easy for a site to opt-out of AI crawling of
any sort without enumerating all of the potential AI crawlers in the world, and
without impacting their search engine coverage or creating ecosystem risk.

I suspect that many have been assuming that one of these things will happen;
they’re fairly obvious evolutions of existing practice. However, at least two
more issues are still unaddressed.

2. Previously Crawled Content

Web search and LLMs also differ in how they relate to time.

A search engine crawler has a strong interest in assuring that its index
reflects the current Web. LLM crawlers, on the other hand, are ravenous for
content, without regard to its age or current availability on the Web. Once
ingested content forms part of a model, it adds value to that model for the
lifetime of its use
– and the model often persists for months or even years after the ingested
content was obtained. Furthermore, that content might be reused to create future
models, indefinitely.

That means that a content owner who isn’t aware of the LLM crawler at crawl time
doesn’t have any recourse. From the Copyright Office sessions:

We believe that writers should be compensated also for past training since it
appears that the massive training that has already occurred for GPT and Bard to
teach the engines to think and to write has already occurred[.] – Mary
Rasenberger, The Authors Guild

This shortcoming could be addressed by a relatively simple measure: stating that
the policy for a given URL applies to any use of content obtained from that URL
at model creation time, regardless of when it was obtained.

A significant amount of detail would need to be specified to make this work, of
course. It would also likely necessitate some sort of grandfathering or
transition period for existing models.

Needless to say, the impact of this kind of change could be massive: if 90% of
the sites in the world opt out in this fashion (a la App Tracking Transparency),
it would be difficult to legally construct a new model (or at least market or
use such a model in Europe, under the forthcoming rules).

On the other hand, if that many people don’t want to allow LLMs to use their
content when offered a genuine chance to control it, shouldn’t their rights be
honoured? Ultimately, if that’s the outcome, society will need to go back to the
drawing board and figure out what it values more: copyright interests or the
development of LLMs.

3. Control of Metadata

Another issue with reusing robots.txt is how that file itself is controlled. As
a site-wide metadata mechanism, there is only one controller for robots.txt: the
site administrator.

That means that on Facebook, Meta will decide whether your photos can be used to
feed AI (theirs or others’), not you. On GitHub, Microsoft will decide how your
repositories will be treated. And so on.

While robots.txt is great for single-owner sites (like this one), it doesn’t
meet the needs of a concentrated world – it leverages the power that accrues to
a small number of platform owners to decide policy for all of their users.

Avoiding that outcome means that users need to be able to express their preference
in the content itself, so that it persists no matter where it ends up. That
means it’s necessary to be able to embed policy in things like images, videos,
audio files, document formats like PDF, Office, and ePub, containers like ZIP
files, file system paths for things like git repos, and so on. Assuming that a
robots.txt-like approach is also defined, their relative precedence will also
need to be specified.

Luckily, this is not a new requirement – our industry has considerable
experience in embedding such metadata into file formats, for use cases like
content provenance. It just needs to be specified for AI control.

What’s Next?

Policy decisions like that just made by Europe might be the drivers of change in
LLM ingest practices, but I hope I’ve shown that the technical details of that
‘appropriate manner’ of opting out can significantly steer power between AI
companies and content owners.

Notably, while the worldwide copyright regime is explicitly opt-in (i.e., you
have to explicitly offer a license for someone to legally use your material,
unless fair use applies), the European legislation changes this to opt-out for
AI.[2] Given that, offering content owners a genuine opportunity to do so is
important, in my opinion.

I’ve touched on a few aspects that influence that opportunity above; I’m sure
there are more.[3] As I implied at the start, getting the balance right is going
to take careful consideration and perhaps most importantly, sunlight.

However, it’s not yet clear where or how this work will happen. Notably, the
standardisation request to the European Standardisation Organisations in support
of safe and trustworthy artificial intelligence does not mention copyright at
all. Personally, I think that’s a good thing – worldwide standards need to be in
open international standards bodies like the IETF, not regionally fragmented.

In that spirit, the IETF has recently created a mailing list to discuss AI
control. That’s likely the best place to follow up if you’re interested in
discussing these topics.

1. See also Recital 18.

2. And I suspect other jurisdictions might follow the same approach; time will
tell.

3. For example, some of the input to the Copyright Office mentioned group licensing
regimes. An opt-out mechanism could be adapted to support that.


April 220
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #48: April 19, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

The recovery from Clown Week continues.

News

Blockbuster News of the Week

Google announces “We are a place of business”. Who knew?

Some employees (and a growing number of ex-employees) are still struggling with
this concept:

Previous:

Google Goes Off the Guardrails

Related:

Nine Google employees arrested after eight-hour sit-in protest, Google fires 28
employees after sit-in protest over Israel cloud contract

Is Quantum Computing a Scam?

The strongest evidence for quantum computing being a scam is IBM’s avid
involvement (or at least incessant PR). IBM has an unrivaled track record in the
21st century at selling futures that never materialize (e.g. Watson, blockchain,
IBM Cloud, smart cities, enterprise-class Second Life). Somehow they never get
past the elaborate TV ad campaigns.

Previous:

Follow the CAPEX: The Clown Car Race Checkered Flag, Introducing Platformonomics
ClownWatch, IBM and the Art of Misleading Investors, This Week in Securities
Fraud, Clown CAPEX, IBM’s “Cloud” Business (or Lack Thereof), IBM: How Much
Longer Do the Good Times Last?, IBM’s Lost Decade

Power Crunch

With even Oracle discovering that electricity is the long pole for large scale
AI deployments, I think we can now safely say this is common knowledge. Told ya!

Previous:

EU Insanity: AI Energy Suicide, EU Insanity: AI Energy Suicide (Part Deux),
Cloud Power Up

Cantwell Recants?

Last week:

This week:

Great news if true. Hopefully she will take great pride at bringing such
principled and material improvements to this legislation. I still have not heard
from her office, despite checking the box that “I Would Like A Response From The
Senator”.

Previous:

Tik Tok Traitors: Maria Cantwell (Continued), Tik Tok Traitors: Maria Cantwell,
Tik Tok’s Call to Arms: Useful Idiots, Fellow Travelers, Registered and
Unregistered Foreign Agents Unite!, Contact Your Senators

Related:

This senator wants an online privacy law. She’s slowed efforts for years.,
Chinese diplomats are quietly meeting with Hill staffers about TikTok

Private Equity in Action: The VMware Saga May Never End

Previous:

Software Migration Alerts, Private Equity in Action: VMware “Unease” Continues,
Perfidious Private Equity, Private Equity in Action: VMware Yet Again, Private
Equity in Action: VMware (Continued), Private Equity in Action: VMware, Private
Equity Will Buy and Ruin More Software Companies, Software Migration Alert:
VMware (Continued), Software Migration Alert: VMware, Private Equity in Action:
VMware Customer Complaints “Unwarranted”

Related:

Broadcom questioned by EU over VMware licensing changes

Private Equity Raises More Money to Ruin Software Companies

When Vista Equity (or any other PE firm) comes amalgamating, it is time to start
migrating.

Previous:

Software Migration Alerts, Perfidious Private Equity

EU Insanity: Regulatory Contortions

The Information responds on my behalf:

Driving the opinion was European privacy group NOYB, which last November
complained that Meta’s offering—of a free service supported by ads or one that
was ad-free but cost money—wasn’t structured fairly. The privacy group argued
that the subscription was a “privacy fee.” If extended to other services, such a
fee would require people to spend thousands of euros a year to, for instance,
keep their phone “private,” the group said.

How about this idea as an alternative—Europeans who don’t want their data used
could simply stop using Meta’s services? Where is it written that having access
to a social media site is a fundamental human right? What happened to the idea
that a private company has a right to make money? Seriously, if NOYB dislikes
Meta so much, why on earth are its members using Facebook or Instagram to start
with?

Previous:

EU Insanity: Not Learning From Regulatory Failure, EU Announces DMA Struggle
Sessions, EU Insanity: AI Regulatory Suicide, EU Insanity: AI Energy Suicide, EU
Insanity: The Kafka Singularity, EU Insanity: AI Energy Suicide (Part Deux), EU
Insanity: Mistral Edition, Move Fast and Regulate Things (You Don’t Understand),
The EU Will Continue to Fiddle While Rome Burns, When “Move Fast and Regulate
Things” Breaks Down, AI Regulation: Move Fast and Regulate Things

UK Announces Big Tech Struggle Sessions “For The Children”

The struggle sessions will continue until Europe has a tech industry (i.e.
indefinitely).

Previous:

EU Announces DMA Struggle Sessions

Mercantilist Showdown

“Insiders say the immediate impulse of EU policymakers confronting the West
Taiwanese threat to the European auto industry was to levy new fines on American
Big Tech companies.”

Maybe, just maybe, Europe is starting to wake up to its real challenges (even if
the previous two items suggest otherwise).

Previous:

Trade Surplus Region Complains Trade Deficit Region is “Protectionist”,
Collapsing Economic Models: German Edition, EU Rethinking Its Stance on
Mercantilism, German Auto Industry Reaches Hail Mary Stage, How Do You Say
“Burning Platform” in German?, Volkswagen’s Death Throes Continue, The Fate of
the European Economy: Automotive Edition, Europe: Investing in Slave Labor

Related:

Trade Wars Are Class Wars

Viewer Mail – Episode 2

Q: What about Apple’s CAPEX?

A: I haven’t tracked Apple because they don’t have a public cloud. Apple’s CAPEX
spend is both flat and underwhelming in absolute terms. They spend on
manufacturing tooling so the proportion going to data centers is even smaller.
In the past they have relied on the hyperclouds for storage. I don’t know if
they have migrated entirely to their own data centers or not. We’ll see if Apple
gets more excited about CAPEX in the generative AI era.

Got more Viewer Mail questions?

Previous:

Viewer Mail Episode 1


June 60
Today, 17:55 ongoing by Tim Bray (Feed)
Meta.ai Oh My!

“Meet Your New Assistant” says the announcement, going on with “Built With Llama
3”. And oh my goodness has it ever got a lot of coverage. So I thought I might
as well try it.

My first cut was a little unfair; I asked it about a subject on which I am
unchallenged as the world’s leading expert: Tim Bray. (That’s probably
overstating it: My wife is clearly in the running.)

So I asked meta.ai “What does Tim Bray think of Google?” Twice; once on my phone
while first exploring the idea, and again later on my computer. Before I go on,
I should remark that both user interfaces are first-rate: Friction-free and
ahead of the play-with-AI crowd. Anyhow, here are both answers; it may be
relevant that I was logged into my long-lived Facebook account:

The problem isn’t that these answers are really, really wrong (which they are).
The problem is that they are terrifyingly plausible, and presented in a tone of
serene confidence. For clarity:

I am not a Computer Scientist. Words mean things.

I worked for Google between March of 2010 and March of 2014.

I was never a VP there nor did I ever have “Engineer” in my title.

I did not write a blog post entitled “Goodbye, Google”. My exit post, Leaving
Google, did not discuss advertising nor Google’s activities in China, nor in
fact was it critical of anything about Google except for its choice of
headquarters location. In fact, my disillusionment with Google (to be honest,
with Big Tech generally) was slow to set in and really didn’t reach critical
mass until these troubling Twenties.

The phrase “advertising-based business model”, presented in quotes, does not
appear in this blog. Quotation marks have meaning.

My views are not, nor have they been, “complex and multifaceted”. I am
embarrassingly mainstream. I shared the mainstream enchantment with the glamor
of Big Tech until, sometime around 2020, I started sharing the mainstream
disgruntlement.

I can neither recall nor find instances of me criticizing Google’s
decision-making process, nor praising its Open-Source activities.

What troubles me is that all of the actions and opinions attributed to meta.ai’s
version of Tim Bray are things that I might well have done or said. But I
didn’t.

This is not a criticism of Meta; their claims about the size and sophistication
of their Llama3 model seem believable and, as I said, the interface is nifty.

Is it fair for me to criticize this particular product offering based on a
single example? Well, first impressions are important. But for what it’s worth,
I peppered it with a bunch of other general questions and the pattern repeats:
Plausible narratives containing egregious factual errors.

I guess there’s no new news here; we already knew that LLMs are good at
generating plausible-sounding narratives which are wrong. It comes back to what
I discussed under the heading of “Meaning”. Still waiting for progress.

The nice thing about science is that it routinely features “error bars” on its
graphs, showing both the finding and the degree of confidence in its accuracy.

AI/ML products in general don’t have them.

I don’t see how it’s sane or safe to rely on a technology that doesn’t have
error bars.


April 190
Today, 14:28 Phil Windley's Technometria (Feed)
Web 2.0 is Collapsing Under its Own Weight

Summary: The overhead of performing even simple tasks online is getting larger
and larger. I question the security of almost all these supposedly "secure"
messaging systems. And I'm tired of the 'Utopia of Rules' mindset pervasive in
every organization. It's exhausting how they expect customers to constantly
adapt to their needs.

I don't know if you recall the game Kerplunk. It's a classic children's game
that has been around for decades. I remember playing it with my sister. The
basic setup involves a transparent plastic tube, a number of sticks, and
marbles. The sticks are threaded through the tube to form a web or nest at the
bottom on which the marbles rest. We'd take turns removing a stick at a time,
trying not to let any marbles fall through the web and out of the tube. At some
point, the remaining sticks can't hold the marbles and everything falls down.

The modern web reminds me more and more of a big Kerplunk game and I think the
marbles are about to fall. What started out as an easier way to do things like
shop, bank, and get health care information has become increasingly complex over
time. More and more of the email I receive seems to be simply directing me to
log into some bespoke system to retrieve a message or engage in some workflow.
And even with a password manager, the act of logging in is often a chore with
different user interfaces, custom MFA requirements, and weird rules for
passwords. Once you're on the system, session time-outs induce their own form of
anxiety since stepping away for a few minutes to attend to something else might
require going through the whole Kafkaesque process all over again. The modern
web has turned into a dystopian theater of the absurd where even reading a
simple appointment reminder from your doctor requires several minutes of
stress-inducing interaction with baroque systems and processes.

And it's not just doctors, of course; banks, government agencies, hospitals,
ecommerce sites, and customer service systems all adopt these special purpose
messaging systems. If you ask these organizations why they use bespoke messaging
systems, they'll list things like "timely and improved communication,"
"convenience," and "privacy and security." But the real reason is that it's more
convenient for them because these systems are integrated with their backends and
make their processes more manageable. There's certainly nothing about them
that's more convenient, timely, or better than email for their customers[1].

I also question the privacy and security premise. Email can be insecure. And
your email provider can see the contents of your emails. But the messaging
system run by your doctor or bank is likely less secure than the email systems
run by Apple, Google, and the others. And achieving privacy by making everything
incompatible so that you have to use a different system for each correspondent
is like chopping off your finger to prevent hangnails.

How did we get here? Bureaucracy. Not just government bureaucracy, but
bureaucracy of all kinds. In Utopia of Rules[2], David Graeber talks about how
power imbalances force the less powerful group to perform what he calls
interpretive labor, the work of understanding and implementing what's better or
more convenient for the more powerful partner. People are not equal participants
in online interactions. We don't have the tools to be fully embodied online[3].
Because of this we are forced to play by the rules of organizations online who are
digitally embodied with servers, identity systems, customer management systems,
and so on. And part of that is being forced to use their inconvenient and anemic
messaging systems.

What's the answer? People need tools. I think digital wallets (a bad name for an
important tool), autonomic (peer) identifiers with strong cryptography, and
verifiable credentials are a huge step forward. These tools provide the means
for people to be peers online rather than mere ghosts in someone else's machine.
That's why I insist on using the term self-sovereign rather than decentralized
to describe these systems. Cogito Ergo Sum.

Notes

1. For a deeper dive into why one-off messaging systems are never as good as
email, see Rich Sharing and Personal Channels. Email and other useful messaging
systems exhibit a property called rich sharing that makes them much more robust
than the simple idea of "sharing a message" would bring to mind.

2. If you're interested in power imbalances and how they come about, I can't
recommend Graeber's book highly enough. He had such a keen understanding of this
problem and wrote about it in a way that's both informative and entertaining.

3. I talk about this in more detail in Chapter 17 of Learning Digital Identity
when I discuss authentic digital relationships.

Photo Credit: Playing Kerplunk from DALL-E (public domain) Prompt: Draw a
picture of a boy and girl playing kerplunk that's 1200x500 pixels

Tags: web identity authentication authorization verifiable+credentials


24.6.2024, 6:00 SEI Blog (Feed)
Comparing the Performance of Hashing Techniques for Similar Function Detection
This blog post explores the challenges of code comparison and presents a
solution to the problem.

Today, 17:55 ongoing by Tim Bray (Feed)
Topfew Release 1.0

Back in 2021-22, I wrote a series of blog posts about a program called “topfew”
(tf from your shell command-line). It finds the field values (or combinations of
values) which appear most often in a stream of records. I built it to explore
large-scale data crunching in Go, and to investigate how performance compared to
Rust. There was plentiful input, both ideas and code, from Dirkjan Ochtman and
Simon Fell. Anyhow, I thought I was finished with it but then I noticed I was
using the tf command more days than not, and I have pretty mainstream
command-line needs. Plus I got a couple of random pings about whether it was
still live. So I turned my attention back to it on April 12th and on May 2nd
pushed v1.0.0.

I added one feature: You can provide a regex field separator to override the
default space-separation that defines the fields in your records. Which will
cost you a little performance, but you’re unlikely to notice.

Its test coverage is much improved and, expectedly, there are fewer bugs. Also,
better docs.

Plan

I think it’s pretty much done, honestly can’t think of any useful new features. At
some point, I’ll look into Homebrew recipes and suchlike, if I get the feeling
they might be used.

Obviously, please send issues or PRs if you see the opportunity.

Who needs this?

It’s mostly for log files I think. Whenever I’m poking around in one of those I
find myself asking questions like “which API call was hit most often?” or “Which
endpoint?” or “Which user agent?” or “Which subnet?”

The conventional hammer to drive this nail has always been something along the
lines of:

awk '{print $7}' | sort | uniq -c | sort -nr | head

Which has the advantage of Just Working on any Unix-descended computer. But can
be slow when the input is big, and worse than linear too. Anyhow, tf is like
that, only faster. In some cases, orders of magnitude faster. Plus, it has
useful options that take care of the grep and sed idioms that often appear
upstream in the pipe.

Topfew’s got a decent README so I’m not going to invest any more words here in
explaining it.

But it’s worth pointing out that it’s a single self-contained binary compiled
from standalone Go source code with zero dependencies.

Performance

This subject is a bit vexed. After I wrote the first version, Dirkjan
implemented it in Rust and it was way faster, which annoyed me because it ought
to be I/O-bound. So I stole his best ideas and then Simon chipped in other good
ones and we optimized more, and eventually it was at least as fast as the Rust
version. Which is to say, plenty fast, and probably faster than what you’re
using now.

But you only get the big payoff from all this work when you’re processing a
file, as opposed to a stream; then tf feels shockingly fast, because it divides
the file up into segments and scans them in parallel. Works remarkably well.

Unfortunately that doesn’t happen too often. Normally, you’re grepping for
something or teeing off another stream or whatever. In which case, performance
is totally limited by reading the stream; I’ve profiled the hell out of this and
the actual tf code doesn’t show up in any of the graphs, just the I/O-related
buffer wrangling and garbage collection. Maybe I’m missing something. But I’m
pretty sure tf will keep up with any stream you can throw at it.

Tooling

Over the years I’ve become an adequate user of GitHub CI. It’s good to watch
that ecosystem become richer and slicker; the things you need seem to be there
and for an OSS hobbyist like me, are generally free. Still, it bothers me that
Everything Is On GitHub. I need to become aware of the alternatives.

I still live in JetBrains-land, in this case specifically Goland, albeit
unfashionably in Light mode. It scratches my itches.

Anyhow, everything is easier if you have no dependencies. And our whole
profession needs to be more thoughtful about its dependencies.

Dirty secret

I’ve always wanted to ship a two-letter shell command that someone might use.
Now I have. And I do think tf will earn a home in a few folks’ toolboxes.


22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #47: April 12, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.


Clown Week is here!

News

Follow the CAPEX: The Clown Car Race Checkered Flag

As the Clown Week cornerstone, we call a winner in the CAPEX Clown Car Race:

(Oracle left, IBM right)

This visit to Clown City includes picking a victor between IBM and Oracle to be
the cloudiest clown, the biennial telling of the joke about Oracle’s CAPEX being
indistinguishable from the x-axis, and wondering why Oracle is struggling so
much with its modest cloud infrastructure build-out. I also express
disappointment that not one of Bank of America, GAIA-X, and Trump Media ever
achieved epic superclown status, despite so much potential.

Reminder: I don’t set companies’ CAPEX budgets, I just work with the decisions
they’ve made.

Previous:

Follow the CAPEX: Keeping Up With The Clowns, Follow the CAPEX: Separating the
Clowns from the Clouds, Follow the CAPEX: Clown Watch, This Week in Securities
Fraud, Clown Week Preview: Oracle CAPEX

Platformonomics ClownWatch

This Clown Week we say farewell to cloud-washing clowns and shift our focus to
AI-washing clowns. The Laws of Clownodynamics tell us clownishness is never
created nor destroyed.

Our new Platformonomics ClownWatch service monitors companies for large
disparities between flowery AI rhetoric and their actual CAPEX spend.

Previous:

Introducing Platformonomics ClownWatch

Software Migration Alert: Model N

Private equity has come for Model N. If you are a Model N customer, be warned
the PE clowns are coming to ruin your software. You need to immediately start
your migration plan.

We have a new summary page of Software Migration Alerts.

Previous:

Perfidious Private Equity, Private Equity Buys Software Company from Private
Equity: Avetta, Private Equity Buys IT Company from Private Equity: Presidio,
Private Equity in Action: VMware Customer Complaints “Unwarranted”, Software
Migration Alert: Jama Software, Software Migration Alert: Everbridge, Private
Equity in Action: VMware (Continued), Private Equity in Action: VMware, Private
Equity Will Buy and Ruin More Software Companies, Software Migration Alert:
VMware (Continued), Software Migration Alert: VMware, Software Migration Alert:
Rover, Software Migration Alert: Avid Technology, Software Migration Alert:
EngageSmart, This Week’s Software Migration Alerts

Cloud Repatriation is Going Just Great: Radio Silence from Equinix

Not just clowns but fraudulent clowns?

Previous:

Cloud Repatriation is Going Just Great: Equinix, New Cloud Repatriation
Hypothesis, Cloud Repatriation Where Art Thou?, Cloud Repatriation: The Search
Continues, Cloud Repatriation: Still Not a Thing, Platformonomics Repatriation
Index – Q1 2023: Surf’s Up?

EU Insanity: AI Energy Suicide (Part Deux)

Needless to say, there is no Clown Week without the European Union!

Previous:

EU Insanity: Not Learning From Regulatory Failure, EU Announces DMA Struggle
Sessions, EU Insanity: AI Regulatory Suicide, EU Insanity: AI Energy Suicide, EU
Insanity: The Kafka Singularity, EU Insanity: Mistral Edition, Move Fast and
Regulate Things (You Don’t Understand), The EU Will Continue to Fiddle While
Rome Burns, When “Move Fast and Regulate Things” Breaks Down, AI Regulation:
Move Fast and Regulate Things, Cloud Power Up

Related:

AI Datacenter Energy Dilemma – Race for AI Datacenter Space, Irish power crunch
could be prompting AWS to ration compute resources

Antitrust Incoherence: Roomba Aftermath Edition

In the absence of a coherent doctrine that tells everyone where the lines are on
the field, the regulators are just clowns. Where is the regulatory response to
Jassy’s points?

Previous:

Antitrust Incoherence: Apple Edition, Antitrust Incoherence: Spotify Edition,
Antitrust Incoherence: Roomba Edition, The Incoherence Doctrine: The FTC Strikes
Again, A New Antitrust Doctrine, The DOJ Play at Home Game

McKinsey a Source of Bad Banking Advice (Shocking!)

Evil clowns are a thing.

Add attempting to destabilize the banking system to McKinsey’s long list of
crimes (opioids crisis, insider trading, also Enron, other autocracies, hybrid
cloud, et al.).

I reiterate my call for McKinsey to get the corporate death penalty. Would be a
huge net win for civilization.

Someone described McKinsey this week as one of the first LLMs: they’re eloquent
even when hallucinating wildly.

Previous:

A Call for the Corporate Death Penalty, McKinsey Karma?

Related:

McKinsey: Last Week Tonight with John Oliver

Putting the A and I into Authoritarianism

I had assumed the EA/AI doomer clowns had packed it in after the conviction of
poster boy SBF and their inability to articulate any causal extinction
mechanisms. Or at least assumed that the problem was relegated to the EU. But it
seems they are still on the march in the US.

We should probably start treating Asana like a private equity company (i.e.
don’t use them).

Previous:

EU Insanity: Not Learning From Regulatory Failure, EU Insanity: AI Regulatory
Suicide, EU Insanity: The Kafka Singularity, EU Insanity: Mistral Edition, Move
Fast and Regulate Things (You Don’t Understand), The EU Will Continue to Fiddle
While Rome Burns, When “Move Fast and Regulate Things” Breaks Down, AI
Regulation: Move Fast and Regulate Things

Related:

How a billionaire-backed network of AI advisers took over Washington


Follow the CAPEX: The Clown Car Race Checkered Flag
Oracle, left. IBM, right.

We’ve used capital expenditures (CAPEX) to separate the clouds from the clowns
for over a decade. Clouds consume copious CAPEX. Clowns confabulate.

It is time for another inspection tour of Clown City (previous visits: 2018,
2020, 2022). Once a bustling stop on the cloud-washing promotional circuit,
Clown City is now but a shadow of its former self. Remember (colorfully
bewigged) visitors like Cisco Cloud, HPE Helion, Rackspace, Verizon Cloud, and
VMware Cloud? They all eventually learned – the hard way – that clouds are built
with CAPEX, not chatter.

Sadly, a once-promising new generation of potential clowns never rose to the
occasion of repopulating Clown City and entertaining us with the gap between
their cloud rhetoric and their CAPEX spending.

The only activity left on the sleepy streets of Clown City is the CAPEX Clown
Car Race between the last two of our self-proclaimed cloud pretenders: IBM and
Oracle. It is time to declare a winner in this (admittedly bush league) race!

The CAPEX Clown Car Race checkered flag marks the end of the cloud-washing era.
But clown fans should not despair. Clowns are eternal. The First Law of
Clownodynamics says clownishness is neither created nor destroyed.

There are always companies cloaking themselves in the new hotness without
possessing the proper prerequisites for participation. When the hotness moves,
so do the clowns.

But some domains require real investment, which means the all-seeing-eye of
CAPEX still exposes poseurs.

Hello AI clowns! Welcome to Platformonomics ClownWatch

CAPEX might be an even better tell in AI than it was with cloud, because GPUs
ain’t cheap and software now has COGS (a development which may prove
regrettable).

But first, we have a drag race approaching the finish line.

The CAPEX Clown Car Race

Oracle got off to a very poor start in our race, with Larry Ellison harrumphing
about cloud computing:

“Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it?
It’s complete gibberish. It’s insane. When is this idiocy going to stop?”

Eventually Oracle got cloud religion after some embarrassing but certainly not
unexpected attempts to substitute hot air for CAPEX. Nothing motivates like
losing half your database market share.

Through 2022 it even looked like Oracle might be serious in the only way that
matters: up-and-to-the-right CAPEX spending.

But 2023 saw a catastrophic 27% drop in Oracle’s CAPEX spending. While their
absolute and directional spending is both disappointing and probably disastrous,
it doesn’t matter because their opponent in the CAPEX Clown Car Race is IBM
(company motto: “Down and to the right”).

There is a deeply philosophical question in how you win a clown car race. Is the
winner the most clowny or the least clowny? With next to no consideration, we’re
going with the latter and calling a winner.

Congratulations Oracle – based on your CAPEX, you’re the cloudiest of the
clowns! But Oracle is still a clown, and certainly not a hyperscale cloud (there
is no “big four” despite the best efforts of Oracle PR to slip away from the
children’s table).

And IBM gets a clowniest clown participation trophy. IBM — I’ve always believed
you could do this!

Below we’ll look at IBM and Oracle’s CAPEX spending, amuse ourselves with the
current fairy tales they’re telling, ask what is going on at Oracle, and then
make the brutal comparison with the CAPEX boomtown of Cloud City. And we’ll end
with a quick “where are they now” look at that once-promising new generation of
aspiring clowns.


IBM

Company motto: “Down and to the Right”

In what is not even remotely a surprise, IBM hit new record lows in 2023 for
both absolute CAPEX spending and CAPEX spending as a percentage of revenue. The
hypers of “hybrid cloud” cut CAPEX by 20%, spending less than $1.5 billion
(across the entire company, not just cloud infrastructure), which is less than
half of what they spent as recently as 2020.

These numbers confirm there is no cloud in “hybrid cloud”. Like soylent green,
“hybrid cloud” is people – consultants (and mostly offshore consultants). There
is no cloud business at IBM (as we have been saying for over a decade).

In perhaps related news, the leader of IBM Cloud quietly departed for another IT
consulting company (one that doesn’t pretend to be a platform company).

But don’t shed too many tears for IBM. The company is in the midst of a bold
strategic transformation. A transformation from a cloud to an AI . Because the
absence of CAPEX in either domain ensures you are a .

Meet the new shell game. Same as the old shell game.

IBM is now running its cloud playbook for AI. The company opened their Q4 2023
earnings release wanting you to think they are a generative AI company:

“In the fourth quarter, we grew revenue in all of our segments, driven by
continued adoption of our hybrid cloud and AI offerings. Client demand for AI is
accelerating and our book of business for watsonx and generative AI roughly
doubled from the third to the fourth quarter,” said Arvind Krishna, IBM chairman
and chief executive officer.

You’d almost think IBM was seeing material revenue from AI. But when asked to
“elaborate specifically on exactly what the book of business means” by a veteran
Wall Street analyst familiar with IBM’s antics, much bobbing and weaving ensues:

So Toni, on the AI book of business, this is not all revenue in the quarter. I
would just begin with that statement to set it straight. At this stage, we
wanted to start looking at what is our momentum, what is the sentiment from our
clients. So we went to a measure that is more reflective of, I’ll use the word
signings. What is the commitment the clients are making to us? Consulting is
straightforward. It is the signings. Consulting signings are anywhere from 12 to
24 months on average is how much time they play out over there. And on software,
it’s what they’re committing to. And we are using SaaS ACV. So it’s a 12-month
commitment, which is typical for as a service as well as, since we do offer our
portfolio both ways as license or as a service, it includes the license piece as
well. Now over a long-term, let’s call it a couple of years or more, yes, the
book of business should turn into an amount of revenue in a quarter, but that’s
going to take a bit of time to catch up. But we felt that this gives the better
indicator right now of what is our traction and what is our acceleration in that
part of the business.

This is the same game IBM played for cloud. Chant the buzzwords and hope
investors won’t notice the company isn’t actually investing and doesn’t have
competitive products.

As they did with cloud, IBM’s AI numbers are not something they actually report
to the SEC, yet they lead with them in investor communications. I don’t know if
that is securities fraud, but I know IBM has no GPUs.

Oracle

Company motto: “That’s Not Just a Rack, It’s an Entire Region”

Data note: we do Oracle a solid by comparing their March 2023 through February
2024 (FYQ4 to FYQ3) results to the 2023 calendar year results of other
companies. This lets Oracle bring a full two months from their glorious future
to the comps. Hopefully that doesn’t give them too unfair an advantage.

When we last checked in on the database vampire, we noted they were (finally)
ramping their CAPEX:

Oracle, on the other hand, is at long last starting to put its money where its
mouth has been (though the mouth’s lead looks insurmountable). The database
vampire doubled their annual CAPEX spend in the last year (using their March
2021 through February 2022 results). The company promised to spend $4 billion in
CAPEX in FY22 and it looks like will hit that mark by May. And they surpassed
IBM in annual CAPEX spending this year.

But after spending more than $8 billion in our ersatz calendar 2022, Oracle has
fallen off the CAPEX wagon. Oracle CAPEX declined 27% to under $6 billion from
2022 to 2023.

Oracle’s commentary in the last several quarters has (commendably!) focused on
CAPEX, with the CAPEX discussion taking up more time in each successive
conference call. Oracle repeatedly tells us they have “enormous” cloud demand,
are capacity constrained, and are building out data centers incredibly fast. But
something has gone off the rails in Oracle’s cloud infrastructure build-out
because their CAPEX spending has declined by double digits in each of the last
three quarters.

In FY23 Q1 (Sept 2023), Oracle says:

Because we have far more demand than we can supply, our biggest challenge is
building data centers as quickly as possible.

Capital expenditures were $8.3 billion over the last four quarters and we are
clearly beginning to see the cash flow benefits stemming from our cloud
transformation. CapEx was $1.3 billion in Q1 as we continue to build capacity
for bookings and our customers’ growing needs.

Given the demand we have and see in the pipeline, I expect that fiscal year 2024
CapEx will be similar to this past year’s CapEx.

Yet Oracle CAPEX for FYQ1 was down 24%. And they reiterate the guidance to spend
$8+ billion in FY24 CAPEX (ending May 2024).

In FY2024 Q2 (Dec 2023), Oracle told us:

The demand for Oracle’s Cloud Infrastructure and Generative AI is consistently
increasing quarter after quarter.

We have to build 100 additional cloud data centers because there are billions of
dollars more in contracted demand than we currently can supply. Cloud
Infrastructure demand is huge and growing at an unprecedented rate.         

CapEx was $1.1 billion in Q2 as we continue to build capacity for bookings and
our customers’ growing needs. Given the enormity of our pipeline and backlog, I
expect CapEx will be somewhere around $8 billion this fiscal year, meaning our
second half CapEx will be considerably higher as we bring online more capacity.

Yet Q2 CAPEX was down 56% and the lowest spend in eight quarters. And they
slightly reduce guidance for the fiscal year ending in May 2024 to $8 billion.

By FY2024 Q3 CAPEX discussion dominated their conference call remarks (as it
should in all calls):

Where if not for some continuing supply constraints, consumption growth would
have been even higher.

Now while we spent $2.1 billion on CapEx this quarter, the $1.7 billion in the
cash-flow statements is slightly lower just due to the timing of payments. So
the $2.1 billion is actually what we spent and will pay for.

We are working as quickly as we can to get the cloud capacity built out given
the enormity of our backlog and pipeline. I expect the CapEx will be somewhere
around $7 billion to $7.5 billion this fiscal year, meaning our Q4 CapEx should
be considerably higher.

We have enormous amounts of demand. I tried to make that clear last quarter, and
we have more capacity coming online. But we have tried to – we’re trying to
focus on much larger chunks of data center capacities and electricity and all of
that and that’s just – that all to come.

Let me add that Oracle has been building data centers at a record level and a
lot of people I think are aware that we can build fairly small data centers to
get started when we want to.

We can go very small. We can get a full cloud data center with Ultra services in
10 racks.

But this is what I want to point out. We’re also building the largest data
centers in the world that we know of. We’re building an AI data center in the
United States where you could park eight Boeing 747s nose-to-tail in that one
data center. So, we are building large numbers of data centers, and we were –
and some of those data centers are smallish, but some of those data centers are
the largest AI data centers in the world.

So, we’re bringing on enormous amounts of capacity over the next 24 months
because the demand is so high, we need to do that to satisfy our existing set of
customers.

So, for fiscal year ’25, looking at about $10 billion in CapEx because it’s also
involves not only some big centers, but it also involves expansions of existing
centers. So we’ve already got some areas that we will be filling out. So at
least preliminarily, we’re looking at $10 billion for next year. And then it’s
not too complicated to figure out the math here when I’m looking at somewhere
between $7 billion and $7.5 billion for the full year and you’ve got all the
numbers for one, two, and three at this point.

And I would include for Q3 the one we just are announcing. I would add in the
amount we haven’t paid yet as the CapEx number for this quarter. Okay? And then
I guess that would be and then Larry gets the second question. But anyway, so
$2.1 billion for this quarter and you’ve got Q1 and Q2 and I’m going to be
somewhere between $7 billion and $7.5 billion for the full year, which is
actually a little bit lower than I thought. But we were able to do pretty well.
You know-how we spend very carefully.

So, there is a tremendous amount of demand, the data centers take longer to
build, and we would like that said, we are getting very good at building them
quickly and getting the building the power and the communication links in, we’re
doing faster than we have ever happened in the past.

It’s very different than it used to be. So, we’re able to bring additional
capacity online very quickly if we have that the electric power and the
communication lines. So, is the long pole in the tent is actually building the
structure, connecting the electricity, connecting the communication lines.

Despite claiming they’re building data centers “at a record level”, Q3 CAPEX was
down 36%. They strangely want credit for more CAPEX spending than what they
reported to SEC (again, securities fraud questions are not addressed here). And
Larry tried to distract with a soliloquy on how many 747s would fit in a future
Oracle data center (when you only fly private, you may not realize airlines
don’t fly 747s any more).

Guidance for the full fiscal year CAPEX spend has come down by over a billion
dollars. The lower target still requires a huge ramp in Q4, and roughly doubling
spending from Q3. But most of all, we see the first acknowledgement of
constraints on data center build-outs, in particular electron availability.

And this double-digit CAPEX decline occurs amidst the AI frenzy, a trend Oracle,
of course, claims to be leading. 2023 was an odd year to slash infrastructure
investment if you’re big in AI (or say you are).

The fundamental question about Oracle’s cloud infrastructure ambitions is does
the company just not know how to build data centers with more than a couple
racks or have they concluded they don’t want to (or can’t) spend the kind of
money this game requires?

Oracle has been on a very public cloud scale learning curve. First they
pretended they didn’t need much CAPEX because, of course, Oracle’s stuff was
just so much better than anyone else’s.

Then they won a fraction of Zoom’s cloud business, hyped it in time-honored
Oracle fashion, and were humbled when they couldn’t fulfill the “extreme”
capacity demanded.

While it is cute that Oracle counts a single rack as a data center and ten racks
is an “Ultra” data center, the hyperclouds operate at many orders of magnitude
greater scale. Oracle is now trying to transition beyond bonsai data centers and
seems to be struggling with the concrete and steel world of data centers (with
their need for building permits, connectivity and power).

No doubt Oracle will someday learn why hyperclouds are building smaller data
centers and not 747 hangars.

The hyperclouds have decades of experience building cloud-scale data centers at
this point. They manage multi-year lead times and are deeply engaged in the “mad
scramble” for power, which is the biggest constraint for data centers today.

Oracle is now guiding to a FY25 CAPEX spend of – gasp — $10 billion, but given
their recent inability to actually spend to their guidance, that may still be
optimistic.

The other possibility is Oracle is having second thoughts about the financial
hit associated with transforming an asset-light software company into a serious
cloud infrastructure player. In 2022, Oracle’s CAPEX as a percentage of revenue
hit 18%, comparable to what hyperclouds can spend. But that spend also came with
a roughly $2 billion profit hit. They quickly reined in that percentage by over
a third in 2023.

But the financial issue isn’t just the impact on Oracle profits. Tragically,
they aren’t actually competing with fellow clown car IBM. They’re competing with
Amazon, Google and Microsoft and must soberly contemplate their financial
wherewithal to play in that league.

For all of Oracle’s ramp in CAPEX in recent years, they are over $150 billion
behind cumulative hypercloud spending. And they are falling further and further
behind with every passing quarter. In 2023, AWS spent $24.8 billion on CAPEX
(over four times Oracle), Google spent $32.3 billion (over five times Oracle),
and Microsoft $41.2 billion (almost seven times Oracle). Microsoft spent more on
CAPEX in just 2023 than Oracle has in its entire nearly 50 year history.

Oracle’s $10 billion in CAPEX guidance for FY25 adds a nice incremental zero to
their spend (and hits a milestone the hyperclouds all passed in 2016), but it
still doesn’t come close to what the hyperclouds are spending. If you add up
Oracle’s actual CAPEX spending and guidance for their fiscal years 2022 through
2025, it doesn’t match what Google and Microsoft spent in 2023.

To give a sense of how dramatically Oracle is being left behind, here is the
combined CAPEX spending of AWS, Google and Microsoft (corporate level spend for
Google and Microsoft, but ~80% of that is cloud infrastructure), minus Oracle’s
spending (which is also corporate level). The gap has grown from $20 billion in
2015 to over $90 billion in 2023.

For completeness, to make Oracle’s clown car status abundantly clear, and to
make my biennial favorite joke about Oracle being indistinguishable from the
x-axis, here is annual and cumulative CAPEX for both the hyperclouds and Oracle.

The Oracle plan to catch up to the hyperclouds remains unclear to me.

What Ever Happened to…

While our once-promising cohort of new clowns disappointed in both their
hyperbole and investment, they remain entertaining in other ways:

 * Bank of America – still dominant as the worldwide leader in financial crime,
   but is also now insolvent in the wake of rising interest rates. And still
   have spent ZERO on CAPEX since 2011 (bank accounting FTW). Their alum and pal
   at IBM who was leading the charge for a compliance-oriented private cloud
   doohickey bailed, so expect B of A to eventually be the last bank to embrace
   the public cloud.
 * GAIA-X – the EU’s hand waving assertion of their strategic cloud autonomy
   “based on European values” is, in the words of one booster, “a paper monster
   that will exist but will not have any impact in the market”. Others say it
   “failed to reach critical mass or really take off”, “operates too much at the
   meta level”, is “still a long way from clear, tangible use cases” and “never
   got out of this theoretical sinkhole”. Even IBM spends more on CAPEX in a
   year than GAIA-X’s multi-year budget.
 * Trump Media & Technology Group – “Net cash used in investing activities for
   the twelve months ended December 31, 2023 was approximately $2.2 thousand”
   ($2,200.00). Emphatically serverless!

We now return to our regular programming.

24.6.2024, 6:00 SEI Blog (Feed)
The Latest Work from the SEI: an OpenAI Collaboration, Generative AI, and Zero
Trust
This post highlights the latest work from the SEI in the areas of generative AI,
zero trust, large language models, and quantum computing.

22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #46: April 5, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.


The clown culture of over-promising and under-delivering has rubbed off, but
(CAPEX) Clown Week is still coming! The artwork is fabulous.

I did a return appearance on the TelcoDR podcast to talk about, what else, cloud
CAPEX. Even restrained myself to just one small shot at McKinsey.

News

NVIDIA’s Mainframe Envy

I have no quibble with the data center as the new unit of compute, but am
skeptical NVIDIA is going to pull off its own vertically integrated stack
spanning silicon, systems and software. Beyond NVIDIA, data center
infrastructure is exciting again! Also we may have to integrate nuclear power
plants into the new stack.

Previous:

Follow the CAPEX: Triangulating NVIDIA, Cloud Power Up

Amazon Desperately Seeks Compression Algorithm for Experience

Previous:

Most Greatest AI Company in Entire Universe Makes Major Strategy Pivot, SEC
Embraces Platformonomics ClownWatch, Warns Amazon and IBM, The AWS Generative AI
Soap Opera, The Amazon AI Inferiority Complex

Aspiring Technology Company Neither Interested in Technology Nor Understands
Technology

The New York Times’ CEO says “we are trying to more firmly establish the Times
as a world-class digital product and tech company.” Yet the database is
seemingly too advanced for them.

Previous:

Living in a Glass House: The New York Times On Tech, Living in a Glass House:
What is the New York Times?, Does the New York Times Editorial Page Ever Talk to
the Business Side of the House?

Private Equity Buys Software Company from Private Equity: Avetta

Usually it takes just one private equity firm to ruin a software company.
Imagine what happens to a software company that gets flipped among private
equity firms (because markups have to happen, even if the market won’t pay
them).

Previous:

Perfidious Private Equity, Software Migration Alert: Jama Software, Software
Migration Alert: Everbridge, Private Equity in Action: VMware (Continued),
Private Equity in Action: VMware, Private Equity Will Buy and Ruin More Software
Companies, Software Migration Alert: VMware (Continued), Software Migration
Alert: VMware, Software Migration Alert: Rover, Software Migration Alert: Avid
Technology, Software Migration Alert: EngageSmart, This Week’s Software
Migration Alerts

Private Equity Buys IT Company from Private Equity: Presidio

It is private equity all the way down:

The company has had several private equity owners since it was founded in 2003.

American Securities acquired Presidio in 2011 for an undisclosed amount and had
sold it to New York-based Apollo Global Management Inc three years later for
about $1.3 billion, Reuters reported at the time.

BC Partners had acquired the company in 2019 and delisted it from the Nasdaq in
a $2.1 billion take-private deal, two years after Apollo Global took it public.

Presidio had acquired several smaller rivals, including Irish IT consulting firm
Arkphire and Charlotte, North Carolina-based ROVE, under BC Partners’ ownership.

Private Equity in Action: VMware Customer Complaints “Unwarranted”

Private equity and the EU are a great pairing and I hope they get to spend a lot
of time together:

Despite Broadcom execs’ efforts to convince people that its changes are
reasonable and will eventually end up financially benefitting stakeholders,
there’s still effort from industry groups to get federal regulators involved
with how Broadcom is running VMware.

As reported by Dutch IT magazine Computable on Friday, representatives from
Beltug, a Belgian CIO trade group; Le Cigref, a French network of companies
interested in digital technology; the CIO Platform Nederland association for
CIOs and CDOs; and VOICE e.V., a German association for IT decisionmakers, sent
a letter [PDF] to European Commission President Ursula von der Leyen and
European Commissioner Thierry Breton on Thursday to “strongly condemn”
Broadcom’s business practices and ask the commission to take action.

Previous:

Private Equity in Action: VMware “Unease” Continues, Perfidious Private Equity,
Private Equity in Action: VMware Yet Again, Private Equity in Action: VMware
(Continued), Private Equity in Action: VMware, Private Equity Will Buy and Ruin
More Software Companies, Software Migration Alert: VMware (Continued), Software
Migration Alert: VMware

EU Insanity: Not Learning From Regulatory Failure

So do you admit the errors of your micromanaging regulatory ways or just pack up
your tool bag and take it to a new market?

Too bad about the European telco market. But at least there isn’t much of a
European tech market to ruin.

Previous:

EU Announces DMA Struggle Sessions, EU Insanity: AI Regulatory Suicide, EU
Insanity: AI Energy Suicide, EU Insanity: The Kafka Singularity, EU Insanity:
Mistral Edition, Move Fast and Regulate Things (You Don’t Understand), The EU
Will Continue to Fiddle While Rome Burns, When “Move Fast and Regulate Things”
Breaks Down, AI Regulation: Move Fast and Regulate Things

Tik Tok Traitors: Maria Cantwell (Continued)

Maria Cantwell (D-Washington D-West Taiwan?) looking to poison pill the Tik Tok
bill in the Senate? Feel free to ask her office what is going on.

Previous:

Tik Tok Traitors: Maria Cantwell, Tik Tok’s Call to Arms: Useful Idiots, Fellow
Travelers, Registered and Unregistered Foreign Agents Unite!, Contact Your
Senators

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: NYC Mayor Eric
Adams

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Elon Musk Part
II, The Donald, Jeff Yass, Microsoft Bing, DC Lobbyists Part III, Hollywood, DC
Lobbyists Part II, NBA, Warner Bros. Discovery, Germany, DC Lobbyists,
Elon/Twitter, The Hugo Awards, Harvard University, Wall Street, Apple


June 60
Today, 17:55ongoing by Tim Bray (Feed)
OSQI

I propose the formation of one or more “Open Source Quality Institutes”. An OSQI
is a public-sector organization that employs software engineers. Its mission
would be to improve the quality, and especially safety, of popular Open-Source
software.

Why?

The XZ-Utils backdoor (let’s just say #XZ) launched the train of thought that
led me to this idea. If you read the story, it becomes obvious that the key
vulnerability wasn’t technical, it was the fact that a whole lot of Open-Source
software is on the undermaintained-to-neglected axis, because there’s no
business case for paying people to take care of it. Which is a problem, because
there is a strong business case for paying people to attack it.

There are other essential human activities that lack a business case, for
example tertiary education, potable water quality, and financial regulation. For
these, we create non-capitalist constructs such as Universities and Institutes
and Agencies, because society needs these things done even if nobody can make
money doing them.

I think we need to be paying more attention to the quality generally, and safety
especially, of the Open-Source software that has become the underlying platform
for, more or less, our civilization. Thus OSQI.

They’re out to get us

For me, the two big lessons from #XZ were first, the lack of resources
supporting crucial Open-Source infrastructure, but then and especially, the
demonstration that the attackers are numerous, skilled and patient. We already
knew about numerous and skilled but this episode, where the attacker was already
well-embedded in the project by May 2022, opened a few eyes, including mine.

The advantage, to various flavors of malefactor, of subverting core pieces of
Open-Source infrastructure, is incalculable. #XZ was the one we caught; how many
have we missed?

What’s OSQI?

It’s an organization created by a national government. Obviously, more nations
than one could have an OSQI.

The vast majority of the staff would be relatively-senior software engineers,
with a small percentage of paranoid nontechnical security people (see below).
You could do a lot with as few as 250 people, and the burdened cost would be
trivial for a substantial government.

Since it is a matter of obvious fact that every company in the world with
revenue of a billion or more is existentially dependent on Open Source, it would
be reasonable to impose a levy of, say, 0.1% of revenue on all such companies,
to help support this work. The money needn’t be a problem.

Structure

The selection of software packages that would get OSQI attention would be left
to the organization, although there would be avenues for anyone to request
coverage. The engineering organization could be relatively flat, most people
giving individual attention to individual projects, then also ad-hoc teams
forming for tool-building or crisis-handling when something like #XZ blows up.

Why would anyone work there?

The pay would be OK; less than you’d make at Google or Facebook, but a decent
civil-service salary. There would be no suspicion that your employer is trying
to enshittify anything; in fact, you’d start work in the morning confident that
you’re trying to improve the world. The default work mode would be remote, so
you could live somewhere a not-quite-Google salary would support a very
comfortable way of life. There would be decent vacations and benefits and
(*gasp*) a pension.

And there is a certain class of person who would find everyday joy in peeking
and poking and polishing Open-Source packages that are depended on by millions
of programmers and (indirectly) billions of humans. A couple of decades ago I
would have been one.

I don’t think recruiting would be a problem.

So, what are OSQI’s goals and non-goals?

Goal: Safety

This has to come first. If all OSQI accomplishes is the foiling of a few
#XZ-flavor attacks, and life becoming harder for people making them, that’s just
fine.

Goal: Tool-building

I think it’s now conventional wisdom that Open Source’s biggest attack surfaces
are dependency networks and build tools. These are big and complex problems, but
let’s be bold and set a high bar:

Open-Source software should be built deterministically, verifiably, and
reproducibly, from signed source-code snapshots. These snapshots should be free
of generated artifacts; every item in the snapshot should be human-written and
human-readable.

For example: As Kornel said, “Seriously, in retrospect, #autotools itself is a
massive supply-chain security risk.” No kidding! But then everyone says “What are
you gonna do, it’s wired into everything.”

There are alternatives; I know of CMake and Meson. Are they good enough? I don’t
know. Obviously, GNU AutoHell can’t be swept out of all of the fœtid crannies
where it lurks and festers, but every project from which it is scrubbed will
present less danger to the world. I believe OSQI would have the scope to make
real progress on this front.

Non-goal: Features

OSQI should never invest engineering resources in adding cool features to
Open-Source packages (with the possible exception of build-and-test tools). The
Open-Source community is bursting with new-features energy, most coming from
people who either want to scratch their own itch or are facing a real blockage
at work. They are way better positioned to make those improvements than anyone
at OSQI.

Goal: Maintenance

Way too many deep-infra packages grow increasingly unmaintained as people age
and become busy and tired and sick and dead. As I was writing this, a plea for
help came across my radar from Sebastian Pipping, the excellent but unsupported
and unfunded maintainer of Expat, the world’s most popular XML parser.

And yeah, he’s part of a trend, one that notably included the now-infamous
XZ-Utils package.

And so I think one useful task for OSQI would be taking over (ideally partial)
maintenance duties for a lot of Open-Source projects that have a high ratio of
adoption to support. In some cases it would have to take a lower-intensity form,
let’s call it “life support”, where OSQI deals with vulnerability reports but
flatly refuses to address any requests for features no matter how trivial, and
rejects all PRs unless they come from someone who’s willing to take on part of
the maintenance load.

One benefit of having paid professionals doing this is that they will blow off
the kind of social-engineering harassment that the #XZ attacker inflicted on the
XZ-Utils maintainer (see Russ Cox’s excellent timeline) and which is
unfortunately too common in the Open-Source world generally.

Goal: Benchmarking

Efficiency is an aspect of quality, and I think it would be perfectly reasonable
for OSQI to engage in benchmarking and optimization. There’s a non-obvious
reason for this: #XZ was unmasked when a Postgres specialist noticed performance
problems.

I think that in general, if you’re a bad person trying to backdoor an
Open-Source package, it’s going to be hard to do without introducing performance
glitches. I’ve long advocated that unit and/or integration tests should include
a benchmark or two, just to avert well-intentioned performance regressions; if
they handicap bad guys too, that’s a bonus.

Goal: Education and evangelism

OSQI staff will develop a deep shared pool of expertise in making Open-Source
software safer and better, and specifically in detecting and repelling multiple
attack flavors. They should share it! Blogs, conferences, whatever. It even
occurred to me that it might make sense to structure OSQI as an educational
institution; standalone or as a grad college of something existing.

But what I’m talking about isn’t refereed JACM papers, but what my Dad, a
Professor of Agriculture, called “Extension”: Bringing the results of research
directly to practitioners.

Non-goal: Making standards

The world has enough standards organizations. I could see individual OSQI
employees pitching in, though, at the IETF or IEEE or W3C or wherever, with work
on Infosec standards.

Which brings me to…

Non-goal: Litigation

Or really any other enforcement-related activity. OSQI exists to fix problems,
build tools, and share lessons. This is going to be easier if nobody (except
attackers) sees them as a threat, and if staff don’t have to think about how
their work and findings will play out in court.

And a related non-goal…

Non-goal: Licensing

The intersection between the class of people who’d make good OSQI engineers and
those who care about Open-Source licenses is, thankfully, very small. I think
OSQI should accept the license landscape that exists and work hard to avoid
thinking about its theology.

Non-goal: Certification

Once OSQI exists, the notion of “OSQI-approved” might arise. But it’d be a
mistake; OSQI should be an engineering organization; the cost (measured by
required bureaucracy) to perform certification would be brutal.

Goal: Transparency

OSQI can’t afford to have any secrets, with the sole exception of
freshly-discovered but still-undisclosed vulnerabilities. And when those
vulnerabilities are disclosed, the story of their discovery and characterization
needs to be shared entirely and completely. This feels like a bare-minimum basis
for building the level of trust that will be required.

Necessary paranoia

I discussed above why OSQI might be a nice place to work. There will be a
downside, though; you’ll lose a certain amount of privacy. Because if OSQI
succeeds, it will become a super-high-value target for our adversaries. In the
natural course of affairs, many employees would become committers on popular
packages, increasing their attractiveness as targets for bribes or blackmail.

I recall once, a very senior security leader at an Internet giant saying to me
“We have thousands of engineers, and my job requires me to believe that at least
one of them also has another employer.”

So I think OSQI needs to employ a small number of paranoid traditional-security
(not Infosec) experts to keep an eye on their colleagues, audit their finances,
and just be generally suspicious. These people would also worry about OSQI’s
physical and network security. Because attackers gonna attack.

Pronunciation

Rhymes with “bosky”, of course. Also, people who work there are OSQIans. I’ve
grabbed “osqi.org” and will cheerfully donate it in the long-shot case that this
idea gets traction.

Are you serious?

Yeah. Except for, I no longer speak with the voice of a powerful employer.

Look: For better or for worse, Open Source won. [Narrator: Obviously, for
better.] That means it has become crucial civilizational infrastructure, which
governments should actively support and maintain, just like roads and dams and
power grids.

It’s not so much that OSQI, or something like it, is a good idea; it’s that not
trying to achieve these goals, in 2024, is dangerous and insane.


April 30
24.6.2024, 6:00SEI Blog (Feed)
Applying Large Language Models to DoD Software Acquisition: An Initial
Experiment
This SEI Blog post illustrates examples of using LLMs for software acquisition
in the context of a document summarization experiment and codifies the lessons
learned from this experiment and related work on applying generative AI to
software engineering.

April 10
23.6.2024, 18:04The Architect Elevator (Feed)
The Serverless Illusion
Abstractions can become illusions. Is Serverless one of them?

April 170
Today, 17:55ongoing by Tim Bray (Feed)
A057X

Yes, “A057X” is cryptic, but my new lens’s official monicker is “150-500mm
F/5-6.7 Di III VC VXD” so let’s stick with that part number. It’s from Tamron
and this is the Fujifilm X-Mount variation. Lens-geeking is my favorite part of
photo-geeking and it’s great that more manufacturers are opening up to
third-party lens builders.

Last May I wrote that I wanted a big-ass super-telephoto and now I have one.
Let’s start with a little comparo. Here is (roughly) the same 2km-away landscape
shot on the decades-old Tokina 400mm I’d been using since 2009, and on the new
Tamron.

If you care about this sort of thing you might want to enlarge these. A person
is visible in the bottom picture, and another if you’re using Lightroom on a 4K
screen.

Now let’s be honest; the color and flavor of the earlier picture is nicer,
because the sun was just right; that’s why I strapped on the old glass. But the
new-lens picture shows that yes, we do still make progress in analog
technologies, and given the same light, there’d be more you could do with
today’s lens.

Anyhow, here’s what it looks like.

That’s on a Fujifilm X-T2, one of the bulkier of Fuji’s X-cameras. What’s not
instantly obvious is that the camera and lens are sitting on the lens’s tripod
shoe. That camera is now eight years old and needs to be replaced, but I’m not
fully won over by the latest X-cams and the lens was an easier trigger to pull.

The reviews all said “Considering what it does, it’s amazingly small and light!”
Maybe, but in fact it’s a big freakin’ heavy hunk of metal and glass. A tripod
really helps.

For the birds

Tripod? But everyone seems to think that this kind of lens is for shooting birds
in flight. So I took it to our cabin this weekend to test that hypothesis. Thus
I learned that you really can’t shoot birds unless you’re hand-holding the
camera. And even then, you can’t unless you’ve been practicing. I managed to get
one picture of a bird in flight, but it was just a seagull and not a terribly
handsome one either.

Then a couple of visitors settled at the top of a nearby Douglas Fir. Here’s
one. Yes, the sky was that blue.

Isn’t it handsome? If you look close, though, its tail is jammed against a
branch. But then it bent over to peer out at something.

Aren’t those feathers beautiful? This was a big-ass tree and I wasn’t right next
to it, either. Yay Tamron.

Little, big

Turns out this thing can focus relatively close-in for an item of its ilk, so
you can do, um what would one call it, macro-at-a-distance?

That’s a teeny little blossom. But when I’m looking out over the water, I always
end up taking pictures of the mountains on the other side.

That one is a damn long way away. The picture suffers from being reduced to fit
into your browser. I wish I could give everyone in the world Lightroom and a
good 4K monitor.

Note that…

None of the pictures via this lens could have been captured on any mobile-phone
camera in the world. You have to go pretty far these days to get into that
territory.


April 10
22.6.2024, 19:00Platformonomics (Feed)
Platformonomics TGIF #45: March 29, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

The last two weeks have been eventful, so we have a lot to cover after my
absence. Buckle up!

News Amazon CAPEX Plans

Bloomberg looks at cloud CAPEX and the accompanying “mad scramble” for
electricity to power those data centers.

A $150 billion number over the next 15 years is unimpressive and inadequate ($10
billion a year). AWS spent $133 billion on CAPEX over the last nine years and
averaged $22 billion a year over the last four years. That’s way too low to be
competitive (GPUs are expensive!). But after their first ever decline in CAPEX
spending in 2023, who knows what is going on at AWS.

Previous:

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective, Follow the CAPEX:
Triangulating NVIDIA, Follow the GPUs: Cloud CAPEX, more CAPEX, Cloud Power Up,
Behold the Nuclear Cloud, Nuclear Powered Cloud Data Centers Are Happening, A
Nuclear-Powered Cloud, When Nuclear-Powered Data Centers?

Microsoft/OpenAI CAPEX Plans

It isn’t $7 trillion but still a good start. Presumably nuclear-powered. And
perhaps off-world? Orbital computing is on my list of topics to chronicle.

Previous:

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective, Follow the CAPEX:
Triangulating NVIDIA

Antitrust Incoherence: Apple Edition

Hipster antitrust remains intellectually incoherent and provides no clear lines
for anyone on the playing field. The Apple case deserves more than a few
one-liners, but I have learned the audience for musings on antitrust is quite
limited. But I may have to write a follow-up to my last treatise on the current
state of antitrust. Or at least dig into the many ridiculous connections being
made around this case between Apple and Microsoft.

Previous:

Antitrust Incoherence: Spotify Edition, Antitrust Incoherence: Roomba Edition,
The Incoherence Doctrine: The FTC Strikes Again, A New Antitrust Doctrine, The
DOJ Play at Home Game

EU Announces DMA Struggle Sessions

The struggle sessions will continue until Europe has a tech industry (i.e.
indefinitely).

Previous:

EU Insanity: AI Regulatory Suicide, EU Insanity: AI Energy Suicide, EU Insanity:
The Kafka Singularity, EU Insanity: Mistral Edition, Move Fast and Regulate
Things (You Don’t Understand), The EU Will Continue to Fiddle While Rome Burns,
When “Move Fast and Regulate Things” Breaks Down, AI Regulation: Move Fast and
Regulate Things

The Most Important Issue in AI

The topic everyone is talking about is how the AI market landscape is unfair to
venture capitalists. High capital requirements? Unfair! The importance of
distribution and customer feedback? Unfair! Incumbents paying attention? Unfair!
We all need to focus on how to make life easier for our most important class:
VCs.

Previous:

The VC Antitrust Doctrine, VC-induced Indigestion, The Looming Layoffs for
Venture Capitalists, Ghost VCs, Useful Idiots, Fellow Travelers and Unregistered
Foreign Agents: Jeff Yass

Thought Leadership (in Mascots) Shot: Chaser:

Know your strengths! Don’t pretend to be a software company if you’re not one!

Previous:

Salesforce Rallies Its Deep Bench of AI Experts (and Cartoon Characters),
Bluster, Bombast and Bullshit: Just Another Day at Salesforce, Salesforce’s
Shamelessness is Staggering, Salesforce Gonna Salesforce, The Spectacle that is
Dreamforce

Most Greatest AI Company in Entire Universe Makes Major Strategy Pivot

“Generative AI is poised to be the most transformational technology of our time,
and we believe our strategic collaboration with Anthropic will further improve
our customers’ experiences, and look forward to what’s next,” said Swami
Sivasubramanian, vice president of data and AI at AWS cloud provider.

Amazon spends $2.75 billion on AI startup Anthropic in its largest venture
investment yet

Amazon finally starts talking about their impact on the generative AI market in
the future, not present tense. Progress! And I’ve completely lost track of how
many steps we are into the AI marathon!

Previous:

SEC Embraces Platformonomics ClownWatch, Warns Amazon and IBM, The AWS
Generative AI Soap Opera, The Amazon AI Inferiority Complex

Cloud Repatriation is Going Just Great: Equinix

Prime cloud repatriation beneficiary Equinix has had to resort to the WorldCom
playbook in order to put up their mediocre growth numbers? I still need to make
fun of the AI data center bubble.

Previous:

New Cloud Repatriation Hypothesis, Cloud Repatriation Where Art Thou?, Cloud
Repatriation: The Search Continues, Cloud Repatriation: Still Not a Thing,
Platformonomics Repatriation Index – Q1 2023: Surf’s Up?

Related:

Web3 is Going Just Great (a recurring look at cloud repatriation’s sibling VC
thought leadership scheme)

Product Market Fit for Google Gemini?

As clichéd as “Orwellian” has become, Orwell remains underappreciated.

Previous:

Google: Still Not Code Red?, Google Goes Off the Guardrails, AI Marketing
Hallucinations: Google Edition, The Google Pivot Away from “AI-Safety First”,
“Google has more than 160 people working full time“, Google: Code Red Now?

Victory Lap: Instability AI

Called it.

Previous:

Instability AI, Stability AI: Not So Stable, Seeing Post Facto Red Flags Ex Ante

Software Migration Alert: Jama Software

As we all now find ourselves chanting, when private equity comes amalgamating,
it is time to start migrating.

Previous:

Perfidious Private Equity, Software Migration Alert: Everbridge, Private Equity
in Action: VMware (Continued), Private Equity in Action: VMware, Private Equity
Will Buy and Ruin More Software Companies, Software Migration Alert: VMware
(Continued), Software Migration Alert: VMware, Software Migration Alert: Rover,
Software Migration Alert: Avid Technology, Software Migration Alert:
EngageSmart, This Week’s Software Migration Alerts

MariaDB Saved from Clutches of Private Equity

Software Migration Alert averted!

Previous:

Perfidious Private Equity

Private Equity in Action: VMware “Unease” Continues

Broadcom’s acquisition of VMware is going just great! Unless you’re a customer
and apparently “confused”.

VMware has quickly become the poster child for why you must start migrating when
private equity comes amalgamating. You were warned.

Previous:

Perfidious Private Equity, Private Equity in Action: VMware Yet Again, Private
Equity in Action: VMware (Continued), Private Equity in Action: VMware, Private
Equity Will Buy and Ruin More Software Companies, Software Migration Alert:
VMware (Continued), Software Migration Alert: VMware

Related:

Broadcom-owned VMware kills the free version of ESXi virtualization software

Tik Tok Traitors: Maria Cantwell

Maria Cantwell (D-Washington D-West Taiwan?) seems to be key resistance to the
Tik Tok bill in the Senate. Contact her office. Maybe they’ll respond to you — I
didn’t warrant a response.

Previous:

Tik Tok’s Call to Arms: Useful Idiots, Fellow Travelers, Registered and
Unregistered Foreign Agents Unite!, Contact Your Senators

The Meme War with China is Going Just Great

(For the record, this is my first non-sarcastic use of “going just great”)

This is the war with West Taiwan we want to have:

Previous:

One, Two, Three, Four: We Want a Meme War


June 60
24.6.2024, 6:00SEI Blog (Feed)
5 Recommendations to Help Your Organization Manage Technical Debt
This SEI Blog post summarizes recommendations arising from an SEI study that
apply to the Department of Defense and other development organizations seeking
to analyze, manage, and reduce technical debt.

March 250
Today, 14:28Phil Windley's Technometria (Feed)
Decentralizing Energy

Summary: The Accidental Superpower discussed a post-Bretton Woods world where
easy, safe shipping cannot be assumed. In this "scared new world," renewables
change the dynamics of energy flows by moving production closer to energy use.

My wife, Lynne, recently gave me a copy of Peter Zeihan's book, The Accidental
Superpower: Ten Years On. The book was originally published in 2014, but Zeihan
has updated it by inserting chapters talking about what he got right in 2014,
what he got wrong, and why. The focus of the book is geopolitics—how geography
and demographics shape the world order—and how Bretton Woods changed that in
significant ways. The book makes the case that so much of what made Bretton
Woods useful to the US and why the US engaged with the rest of the world for the
70 years following World War II is changing. As it changes, the free trade system
enabled by Bretton Woods is also changing. This will have significant impact on
every country in the world.

Much of what changes has to do with energy. One of the things1 Zeihan got right
was his assertion that unlike much of the rest of the developed world, the US
doesn't need to import energy—specifically oil—we are a net energy importer.
This changes the dynamic wherein the US is willing to be the protector of
shipping lanes for the entire world. As a result, the future could see a US that
has the luxury of ignoring events in the Middle East, Ukraine, and elsewhere,
whereas Europe (to take just one example) cannot. The book is full of other
interesting predictions and conclusions just like this one. I encourage you to
read it if you find this as fascinating as I do.

Zeihan makes a big deal of shale oil production, which accounted for 66% of US
production in 2022. But as I read this, I was thinking about renewables. As I
wrote in 2020, I've gone in big on solar power at my house, love my EV, and have
replaced most things in the house (like the furnaces) with versions that run on
electricity.  I did this because it made my life easier and saves me money. The
fact that it's good for the environment is a bonus.

But, solar and wind are not just renewable, they also allow energy production to
be decentralized in ways oil and natural gas can't. Oil and natural gas deposits
are where they are. Some countries are blessed with them and the others have to
buy from those countries. And they're often far away, requiring shipping through
potentially hostile waters. But that's not true of renewables. They can usually
be built and located wherever the need is2. This changes the geopolitical equation
in significant ways. Areas of the world that are not energy independent, like
Europe, are moving toward renewables too slowly to prevent future energy shocks.
The problem with renewables is that they're long-lead items—they take years to
plan and bring online.

Petroleum and Bretton Woods enabled the modern world, providing portable,
storable sources of energy that could easily and safely move to wherever it
was needed.3 If we are indeed at the end of the Bretton Woods era, the world is
in for significant changes as it adjusts to a life where free trade, and easy
access to petroleum-based energy, cannot be assumed. Moving energy production
closer to the places it's used is one strategy for dealing with this
world-altering disruption. Buckle up.

Notes

1. There are other things that are important to the book's overall conclusion
   besides energy. I'm just cherry picking that because I was thinking about
   it. For example, the US is largely self-sufficient from an overall
   import/export standpoint. We don't import nearly as much as many other
   countries and could replace what we do import relatively easily.
2. It's not just renewables. Nuclear power can also be located closer to demand
   than an oil deposit. I started my career as a nuclear metallurgist, so I'm a
   fan. I think many countries are going to be sorry they've closed nuclear
   plants and made them too hard to construct profitably.
3. The feats of engineering that have enabled these energy flows are truly
   astounding.

Photo Credit: Oil Tanker at Sunset from Terski (Pixabay)

Tags: climate+change solar geopolitics energy


March 190
24.6.2024, 6:00SEI Blog (Feed)
API Security through Contract-Driven Programming
This blog post explores contract programming and specifically how that applies
to the building, maintenance, and security of APIs.

March 180
Today, 17:55ongoing by Tim Bray (Feed)
Bye, Allyson

She’s gone. She lived well. We’ll miss her.

We’ve known Ms McGrane since 2005, when she was a co-conspirator on the
wonderful little local Northern Voice blogging conference. We worked on other
stuff together and hung out now and then and carpooled to the Prairies once and
I can’t remember ever getting the slightest bit upset with her.

Here is a good-bye note from her partner Shane. If you want to leave a note
somewhere, leave it there.

Ally (rhymes with “valley”) was a fine dog-parent and a strong grant-writer and
a first-rate teacher and a connoisseur of fine cooking equipment and Canadian
football. If you’ve been to much in the way of Vancouver theatre and dance
events over the years, there’s a good chance that she produced the event or
secured its funding or educated the people who did those things.

I remember having coffee with her a couple years ago, she advising me on one of
my projects, laughing together at the Byzantine complexities of granting
bureaucracies and the childlike money-obliviousness of arts leaders and the
excellence of the coffee on that morning. Easy to be with.

Mesothelioma is a bitch; 8% 5-year survival rate, and there wasn’t that much
they could do for her by the time they got the diagnosis right. We visited her
last week and she was herself, cynical about her situation but it seemed more or
less at peace.

I won’t miss her as much as the dogs will, but there’s still a gap in my life.


March 180
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #44: March 15, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

No newsletter next week. But I hope to get the Clown Week update out before
that.

News

Tik Tok’s Call to Arms: Useful Idiots, Fellow Travelers, Registered and
Unregistered Foreign Agents Unite!

I have been dutifully chronicling people and organizations who, intentionally or
unintentionally, advance the aims of the Chinese Communist Party in the West.
They are all now being mobilized for the Tik Tok battle.

The pending legislation gives Tik Tok the choice to abandon CCP control or
abandon doing business in America. The degree to which Tik Tok and the CCP (and
their speaking points are indistinguishable) have invoked a Code Red and gone to
the mattresses is a masterful case study for Google on how to muster for
existential battle (to cross the streams of some unrelated threads). They are
spraying cash across the political ecosystem and there are armies of mercenary
lobbyists and politicians gleeful to take it.

Noah Smith captures the situation: “This is a test of whether America is a real
nation, or an anarchistic playground for totalitarian empires.”

Lenin once observed of the lobbying industry: “The Capitalists will sell us the
rope with which we will hang them.”

I find the case for CCP control of Tik Tok and repeated misconduct persuasive.
And Tik Tok is banned in West Taiwan along with all other western social media
apps, so basic reciprocity is ample justification for this legislation.

I hope someone is collecting a comprehensive list of everyone taking coin from
Tik Tok and the CCP. http://www.TikTokTraitors.com looks available.

Contact Your Senators

The fate of the Tik Tok legislation will be decided in the Senate, where a
lobbying onslaught has been unleashed.

For Seattle area readers, Washington Senator Maria Cantwell is at the center of
this battle as chair of the Senate Commerce Committee. Her former staff
represent Tik Tok, which raises questions about what influence they have with
their former boss.

Should you be interested in her position on the Tik Tok bill and how she is or
is not influenced by former staffers, you can Share Your Thoughts with her
office. Or contact other Senators.

Related:

TikTok ban faces uncertain fate in Senate; Washington state reps vote against
House bill

One, Two, Three, Four: We Want a Meme War

We are in an ideological war, not unlike the Cold War, with West Taiwan. The
Chinese Communist Party seeks to upend the global system and eliminate threats
to CCP rule, one of which they fear most is the very existence of alternative
forms of government. The CCP is not content to stay home and enjoy their
communist paradise, but aggressively meddles, coerces, and suborns across the
globe.

This war is a battle of ideals, particularly over the Western principles of
individual liberty, democratic rule, free markets and free expression. (I will
stipulate it is unclear if the West still believes in those principles, but
suggest they should).

Memes are the distilled essence of free expression, intrinsically a weapon of
free expression, and therefore an ideal medium for waging this ideological war.

There is nothing the CCP fears more than free expression. Yet they are the
thinnest-skinned aspiring great power the world has ever seen, so cannot help
but be drawn into battles on hostile territory. We, however, are a meme
juggernaut. A shitposting superpower.

Watching CCP propaganda arms straight-faced championing Western ideals like free
speech and fair competition is the battle we want to have.

Previous:

Xi Jinping Thought on Wall Street Running Dogs, The Perils of Working for a Cult
of Personality, Press Releases We’d Like to See, Best Nickname for Emmanuel
Macron, Winnie-the-Pooh: Lover of Honey, Champion of Freedom, Missing the
(Bamboo) Forest for the (Apple) Trees

Clown Week Preview: Oracle CAPEX

Oracle had a nice upward CAPEX curve going there for two years, exactly what you
want to see from a wannabe cloud provider. But that seems to be over. Stay tuned
for a deeper look at what is going on with Oracle’s CAPEX spend. As always, it
is hard to distinguish between what is cluelessness and what are lies.

It is tough when you take the free cash flow hit by ramping your CAPEX, yet
still find yourself falling ever further behind. A tiny solace is that at least
they’re not IBM.

Previous:

Follow the CAPEX: Keeping Up With The Clowns, Follow the CAPEX: Separating the
Clowns from the Clouds, Follow the CAPEX: Clown Watch, This Week in Securities
Fraud

EU Insanity: AI Regulatory Suicide

So impressive to see the future so clearly. And even more impressive given a
lack of proximity to the nascent technology being regulated.

Previous:

EU Insanity: Mistral Edition, Move Fast and Regulate Things (You Don’t
Understand), The EU Will Continue to Fiddle While Rome Burns, When “Move Fast
and Regulate Things” Breaks Down, AI Regulation: Move Fast and Regulate Things

Related:

Breton Says Atos’s Problems Emerged After He Quit to Join EU

EU Insanity: AI Energy Suicide

The US faces many challenges in expanding power generation and distribution and
getting back on the road to energy abundance. But at least we’re not Europe.
From a good Semianalysis piece on the AI Datacenter Energy Dilemma ($):

Some countries and regions such as the US will be able to respond flexibly with
a low electrical grid carbon intensity, low-cost fuel sources with supply
stability, while others such as Europe will be effectively handcuffed by
geopolitical realities and structural regulatory constraints on power. 

In Western Europe, electricity generation has been slowly declining, with a 5%
drop cumulatively over the past five years. 

Given Europe’s energy situation, the EU average industrial tariff reached $0.18
USD/kWh in 2022, with the UK at $0.235 USD/kWh and datacenter heavyweight
Ireland at $0.211 USD/kWh, nearly triple the electricity cost in the US. Like
Asia, Europe imports over 90% of its gas in the form of LNG, mainly sourced from
the Middle East (and also still from Russia, despite the ongoing war), so their
entire industrial base, not just Datacenters, is subject to geopolitical risk,
as most readers will vividly remember from the onset of the war in Ukraine.
Given the political and geopolitical realities, adding a massive amount of power
generation capacity to host the AI Datacenter boom in Europe would be very
challenging.

I made fun of Mistral when it was funded, and then made fun of the EU’s reaction
to Mistral wanting to actually build a business. But the French for a change not
being enthusiastic about the EU’s regulatory agenda makes sense. The French 1.)
have Mistral (even if it is just Llama 2) 2.) are strong at math and 3.) lucked
out that Putin invaded Ukraine, narrowly averting the shutdown of their nuclear
power plants and following the German path to energy suicide.

Previous:

Cloud Power Up, Behold the Nuclear Cloud, Nuclear Powered Cloud Data Centers Are
Happening, A Nuclear-Powered Cloud, When Nuclear-Powered Data Centers?

EU Insanity: The Kafka Singularity

Forget turtles, it is regulators all the way down. What if the EU itself ground
to a halt after getting caught in its own regulatory machinery?

Previous:

EU Insanity: Mistral Edition, Move Fast and Regulate Things (You Don’t
Understand), The EU Will Continue to Fiddle While Rome Burns, When “Move Fast
and Regulate Things” Breaks Down, AI Regulation: Move Fast and Regulate Things

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Elon Musk Part
II

With a Tesla factory in West Taiwan, Elon is compromised on this and all other
issues relating to West Taiwan. He and his mouthpieces are misrepresenting the
Tik Tok legislation as a free speech issue, which is ironic yet totally
consistent.

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: The Donald,
Jeff Yass, Microsoft Bing, DC Lobbyists Part III, Hollywood, DC Lobbyists Part
II, NBA, Warner Bros. Discovery, Germany, DC Lobbyists, Elon/Twitter, The Hugo
Awards, Harvard University, Wall Street, Apple


April 230
18.6.2024, 16:30 All Things Distributed (Feed)
District heating: Using data centers to heat communities
An inside look at the Tallaght District Heating Scheme, where Heat Works is
using recycled heat from an AWS data center to warm a community in Dublin,
Ireland.

March 130
Today, 9:19 mark nottingham (Feed)
There Are No Standards Police

It happens fairly often. Someone brings a proposal to a technical standards body
like the IETF and expects that just because it becomes an RFC, people will adopt
it. Or they’ll come across a requirement in an RFC and expect it to be enforced,
perhaps with some kind of punishment. Or they’ll get angry that people don’t pay
attention to an existing standard and do their own thing. This is so common that
there’s a ready response widely used by IETF people in these situations:

“There are no standards police.”

In other words, even if you do consider Internet standards to be a regulatory
force, there is no enforcement mechanism. One of their key characteristics is
that they’re voluntary. No one forces you to adopt them. No one can penalise you
for violating a MUST; you have to want to conform.

Of course, you can still feel compelled to do so. If an interoperability
standard gets broad adoption and everyone you want to communicate with expects
you to honour it, you don’t have many options. For example, if you want to have
a Web site, you need to interoperate with browsers; most of the time, they write
down what they do in standards documents, and so you’ll need to conform to them.

But that’s the successful path. For every HTTP or HTML or TCP, there are
hundreds of IETF RFCs, W3C Recommendations, and other standards documents that
haven’t caught on – presumably much to their authors’ dismay. Adopting and using
those documents was optional, and the market spoke: there wasn’t interest.

This aspect of the Internet’s standards has been critical to its success. If
people were forced to adopt a specification just because some body had blessed
it, it would place immense pressure on whatever process was used to create it.
The stakes would be high because the future of the Internet would be on the
line: businesses would play dirty; trolls would try to subvert the outcomes;
governments would try to steer the results.

Of course, all of those things already happen in Internet standards; it’s just
that the stakes are much lower.

So, voluntary adoption is a proving function – it means that not all of the
weight of getting things right is on the standardisation process, and that
process can be lighter than, for example, that used by the governments or the
United Nations (I’ll get back to that in a minute). That’s important, because it
turns out that it’s already incredibly difficult to create useful, successful,
secure, private, performant, scalable, architecturally aligned technical
specifications that change how the Internet works within all of the other
natural constraints encountered; it’s threading-the-needle kind of stuff. And we
need to be able to fail.

Historically, voluntary standards have been encouraged by governments in their
purchasing and competition policies - for example, OMB Circular A-119, EU
Regulation 1025/2012, and the EC guidelines on horizontal agreements. Standards
bodies are a ‘safe space’ where competitors can cooperate without risking
competition enforcement, so long as they follow a set of rules – and one of the
biggest rules is that adoption should be voluntary, not mandatory or coerced (at
least by those setting the standard).

But it’s no secret that the policy landscape for the Internet has changed
drastically. Now, there is increasing interest in using interoperability
standards as a mechanism to steer the Internet. Academics are diving deep into
the cultures and mechanisms of technical standards. Civil society folks are
coming to technical standards bodies and trying to figure out how to incorporate
human rights goals. Regulation is coming, and policy experts are trying to
figure out how to get involved too.

This influx has caused concern that these relative newcomers are mistakenly
focusing on standards as a locus of power when, in fact, the power is expressed
in the adoption of a standardised technology. For example, Geoff Huston recently
wrote an opinion piece along these lines.

I have no doubt that some still come to the IETF and similar bodies with such
misapprehensions; we still have to remind people that ‘there are no standards
police’ on a regular basis. However, I suspect that at least the policy people
(including regulators) largely understand that it’s not that simple.

That’s because modern regulators are very aware that there are many influences
on a regulatory space. They want to learn about the other forces acting on their
target, as well as persuade and inform. Similarly, those who are involved in
policymaking are intensely aware of the diffuse nature of power. In short, their
world view is more sophisticated than people give them credit for.

(All that said, I’m still interested and a bit nervous to see what Global
Digital Compact contains when it becomes public.)

Another concern is that governments might try to influence Internet standards to
suit their purposes, and then exert pressure to make the results mandatory –
short circuiting the proving function of voluntary standards.

Avoiding that requires separating the legal requirement from the standards
effort, to give the latter a chance to fail. For example, MIMI may or may not
succeed in satisfying the DMA requirement for messaging interop. It is an
attempt to establish voluntary standards that, if successful in the market,
could satisfy legal regulatory requirements without using a preselecting
standards venue.

Of course, that pattern is not new – for example, accessibility work in the W3C
is the basis of many regulatory requirements now, but wasn’t considered (AFAIK)
by regulators until many years after its establishment.

Because of the newly intense focus on regulating technology, there’s likely to
be increasing pressure on such efforts: both the pace and volume of
standardisation will need to increase to meet the requirements that the
standards bodies want to attempt to address. I suspect aligning the timelines
and risk appetites of standards bodies and regulators are going to be some of
the biggest challenges we’ll face if we want more successes.

So right now I believe the best way forward is to create ‘rails’ for
interactions with legal regulators – e.g., improved communication, aligned
expectations, and ways for an effort to be declined or to fail without
disastrous consequences. Doing that will require some capacity building on the
parts of standards bodies, but no fundamental changes to their models or
decision-making processes.

This approach will not address everything. There are some areas where at least
some regulators and the Internet standards community are unlikely to agree.
Standards-based interoperability may not be realistically achievable in some
instances, because of how entrenched a proprietary solution is. Decentralising a
proprietary solution can face many pitfalls, and may be completely at odds with
a centralized solution that already has broad adoption. And, most fundamentally,
parties that are not inclined to cooperate can easily subvert a voluntary
consensus process.

However, if things are arranged so that conforming to a voluntary consensus
standard that has seen wide review and market adoption is considered to be prima
facie evidence of conformance to a regulatory requirement, perhaps we do
sometimes have standards police, in the sense that legal requirements can be
used to help kickstart standards-based interoperability where it otherwise
wouldn’t get a chance to form.


March 130
24.6.2024, 6:00 SEI Blog (Feed)
Example Case: Using DevSecOps to Redefine Minimum Viable Product
This SEI blog post, authored by SEI interns, describes their work on a
microservices-based software application, an accompanying DevSecOps pipeline,
and an expansion of the concept of minimum viable product to minimum viable
process.

March 120
Today, 17:55 ongoing by Tim Bray (Feed)
Play My Music

When I’m away from home, I still want to listen to the music we have at home
(well, I can live without the LPs). We had well over a thousand CDs so that’s a
lot of music, 12,286 tracks ripped into Apple Lossless. Except for a few MP3s
from, well, never mind. This instalment of the De-Google Project is about ways
to do that with less Big-Tech involvement.

The former Google Play Music, now YouTube Music, allowed you to load your tunes
into the cloud and play them back wherever your phone or computer happened to
be. Except for it used to be easy to upload — just point the uploader at your
iTunes library — and now it’s hard, and then Google removed YouTube Music’s
shuffle-your-uploads feature from Android Auto. Also they fired a bunch of
YouTube Music contractors who were trying to unionize. So screw ’em.

I discovered three plausible ways to do this. First and most simply, dump the
tunes onto a USB drive; wherever you are in the world, you can usually plug one
in and play tunes from it.

Second, there’s Plex; you run a Plex server on one of your computers at home (in
our case a recent Mac Mini) which you point at music and video directories, and
it’ll serve them to clients on the Web or on phones or on platforms like WebOS
and Roku.

Also, it’ll serve your media to anywhere in the world, using UPnP to drill an
outgoing hole through your firewall. Obviously, this could make a
security-sensitive person nervous and does bother me a bit, because UPnP’s
history has featured some nasty vulnerabilities. I have a to-do to check whether
the version on my dumbass telco ISP router is reasonably safe. I believe that
Tailscale would offer a better security posture, but don’t want one more thing
to manage.

Finally, Apple Music can apparently do what YouTube Music does; let you upload
your tunes into the cloud and play them anywhere. But moving from one Big-Tech
provider to another doesn’t feel like progress.

Does it work?

Setting it up on Plex was a Just-Works experience. The process even reached out
through our modern Eero mesh to the old telco router and convinced it to set up
the appropriate UPnP voodoo. If you open the Plex server admin interface it
occasionally complains about a double-NAT situation but works anyhow.

Getting the USB working was kind of hilarious. First of all, I bought a 512G USB
stick. (My Mac says it only has 460GB, but what’s 50G between friends?) USB-A
because that’s what the car has. It took a couple of hours to copy all the music
onto it.

Then I plugged the USB stick into the car and it showed up instantly in the
“Sources” tab of the media player, but greyed out. I snickered when I noticed
that all the car infotainment menus were crawling and stuttering. Asking the
car’s mighty electronic brain to index that mountain of music was making it
sweat. Anyhow, after a few minutes, I could access the USB and now it works
fine, mostly.

By “mostly”, I mean that when I tell it to play music off the USB, it takes a
few seconds for the music to start, then a minute or more to get its shit
together and present a coherent picture of what it’s playing. And on one
occasion, the music player just randomly switched over to the radio. So I
suspect my inventory is pushing the poor little toy computer in the car pretty
hard. But once it’s going, the presentation is nice:

A few items to note here:

“Musick” is the name I gave the USB key.

That recording is Jesus’ Blood Never Failed Me Yet, a truly unique piece of work
by British composer Gavin Bryars. Opinions vary; I think it’s magical but it’s
one of the few pieces of music that I am absolutely forbidden to play anywhere
my wife can hear it.

The car software is way more flexible than Android Auto; this is just one of the
car’s three screens and there are a lot of options for distributing your music
and weather and maps and climate control across them.

Which is better?

It’s complicated. Obviously, the USB option doesn’t require any network
bandwidth. And I think the album-art presentation is nicer than Plex’s. (You can
see that here).

The audio quality is pretty well a wash. Plex is a little louder, I suspect them
of Loudness-War tactics, which is probably OK in a car with its inevitable
background noise. Plex also crossfades the song transitions, clever and pleasing
but really not essential.

Plex is really nice software and I feel a little guilty that I’m not sending
them any money. They do have a “Pro” level of service; must check it out.

Then of course Plex needs Android Auto. Which on the one hand I’m probably going
to be running a lot if I’m driving around town to appointments. But… Android
Auto is already a little shaky some days, not sure whether it’s crashing or the
car software is creaking or it’s just yet another lousy USB-C connection (I am
developing a real hate for that form factor).

Realistically, given that our car (a Jaguar I-Pace EV) wasn’t a big seller and
is five years old, can I really count on Google and Jaguar to do what it takes
to keep Android Auto running?

At this point I need to say a big “Thanks!” to everyone on Fedi/Mastodon who
gave me good advice on how to approach this problem.

Anyhow, as of now, we have two alternatives that work well. The De-Googling
march continues forward.


March 110
The De-Google Project

My family, like most, depends on a lot of online services. And again like most,
a lot of those services come from Big Tech giants in general and (in our case)
Google in particular. And like many people, we are becoming less comfortable
with that. So I’m going to try to be systematic about addressing the problem.
This post summarizes our dependencies and then I’ll post blog pieces about
updates as I work my way through the list. (The first is already posted, see
below.)

I’m calling this the “De-Google” project because they’re our chief supplier of
this stuff and it’s more euphonious than “De-BigTechInGeneral”.

Need | Supplier | Alternatives
Office | Google Workspace | ?
Data sharing | Dropbox | ?
Video meetings | Google Meet | Jitsi, ?
Maps | Google Maps | Magic Earth, Here, something OSM-based
Browser | Apple Safari | Firefox, ?
Search | Google | Bing-based options
Chat | Signal |
Photo editing | Adobe Lightroom & Nik | Capture One, Darktable, ?
In-car interface | Google Android Auto | Automaker software
Play my music | Plex, USB |
Discover music | Google YouTube Music | Qobuz, Tidal, Deezer, Pandora, ?
TV | Prime, Roku, Apple, Netflix, TSN, Sportsnet | ?

The “Supplier” color suggests my feelings about what I’m using, with blue
standing for neutral.

Criteria

To replace the things that I’m unhappy with, I’m looking for some combination
of:

Open source

Not ad-supported

Not VC-funded

Not Google, Apple, Microsoft, or Amazon

Office

We’ve been using Gmail for a really long time and are used to it, and the
integration between mail and calendar and maps basically Just Works. The price
is OK but it keeps going up, and so do our data storage requirements, what with
all the cameras in the family. Finally, Google has stewardship of our lives and
are probably monetizing every keystroke. We’re getting a bit creeped out over
that.

I think that calendars and email are kind of joined at the hip, so we’d want a
provider that does both.

As for online docs, I will not be sorry to shake the dust of Google Drive and
Docs from my heels, I find them clumsy and am always having trouble finding
something that I know is in there.

Data sharing

Dropbox is OK, assuming you ignore all the other stuff it’s trying to sell you.
Maybe one of these years I should look at that other stuff and see if it’s a
candidate to replace one or two other services?

Video meetings

I dislike lots of things about Zoom and find Microsoft Teams a pool of pain, but
have been pretty happy with Google Meet. Nobody has to download or log into
anything and it seems to more or less Just Work. But I’d look at alternatives.

Maps

As I wrote in 2017, Google maps aggregate directions, reviews, descriptions,
phone numbers, and office hours. They are potentially a nuclear-powered monopoly
engine. I use Maps more and more; if I want to contact or interact with
something whose location I know, it’s way quicker to pull up Maps and click on
their listing than it is to use Google search and fight through all the ads and
spam.

The calendar integration is fabulous. If you have Android Auto and you’re going
to a meeting, pull up the calendar app and tap on the meeting and it drops you
right into directions.

The quality of the OpenStreetMap data is very good, but obviously they don’t
have the Directions functions. Who does? Obviously, Here does, and I was
enthused about it in 2019; but Android Auto’s music powers drew me back to
Google Maps. Aside from that, Magic Earth is trying, and their business model
seems acceptable, but the product was pretty rough-edged last time I tried it.

Browser

Safari is my daily driver. These days Chrome is starting to creep me out a bit;
just doesn’t feel like it’s on my side. Also, it’s no longer faster than the
competition. I’d like to shift over to Firefox one day when I have the energy.

Then there are the Arcs and Braves and Vivaldis of this world, but I just
haven’t yet invested the time to figure out if one of these will do, and I do
not detect a wave of consensus out there.

By the way, DuckDuckGo has a browser, a shell over Safari on the Mac and Edge on
Windows. Lauren uses it a lot. Probably worth a closer look.

Search

The decline of Google Search is increasingly in everyone’s face. Once again, it
refuses to find things on this blog that I know are there.

Others in the family have already migrated to DuckDuckGo, and I now feel like an
old-school lagger for still not having migrated off Google. I wish there were
someone else taking a serious run at indexing the Web other than Bing — from yet
another tech giant — but here we are.

Lauren tells me to have a closer look at Ecosia, which seems very wholesome.

Chat

At the moment you will have to pry Signal out of my cold, dead, hands. You
should be using it too. ’Nuff said.

Photo editing

I pay my monthly tribute to Adobe, about whom my feelings aren’t as negative as
they are about the mega Tech Giants. I’d like not to pay so much, and I’d like
something that runs a little faster than Lightroom, and I’d like to support open
source. But… I really like Lightroom, and sometimes one absolutely needs
Photoshop, so I’m unlikely to prioritize this particular escape attempt.

In-car interface

Choices are limited. I see little point in migrating between Android Auto and
CarPlay, which leaves the software the auto maker installed. Which, in my
five-year-old Jaguar is… well, not bad actually. I think I could live with the
built-in maps and directions from Here, even with the British Received
Pronunciation’s butchery of North American place names.

But, I don’t know, we might stay with Android Auto. Check out this screenshot
from my car.

(Pardon the blurs and distortions.)

This is Android Auto displaying, as it normally does when I’m driving, maps and
music. By default, Google Maps and YouTube Music. But not here; on the right is
Plex, playing my own music stored on a Mac Mini at home.

On the left, it’s even more interesting: This is neither Google maps nor a
competitor; it’s Gaia GPS, the app I normally use to mark trail while
bushwhacking through Pacific Northwest rain forests. Somehow I fat-fingered it
into place either in the car or on my phone.

The lesson here is that (for the moment at least) Android Auto seems to be
genuinely neutral. It knows the general concepts of “apps that play music” and
“apps that are maps” and is happy to display whichever ones you want, not just
Google’s. (As a former Android geek who knows about Intents and Filters, I can
see how this works. Clever.)

So far, Android Auto doesn’t show ads, but I suppose it’s monetizing me by
harvesting traffic information to enrich its maps and I guess that’s a bargain I
can live with. I use that data myself when I want to go somewhere and there are
multiple routes and I can see which one is backed up by sewer work or whatever.

Discover music

I’ve been paying for YouTube Music since before it existed, and I’m genuinely
impressed with the way its algorithm fishes up new artists that it turns out I
really like. But just now Google laid off a bunch of YouTube Music “contractors”
(de facto, employees) who tried to organize a union, so screw ’em.

I haven’t investigated any of the alternatives in depth yet.

Play my music

In the decades where Compact Disks were the way to acquire music, I acquired a
lot. And ripped it. And pushed it up into Google’s musical cloud. And (until
recently) could shuffle my musical life on YouTube Music. But they removed that
feature from Android Auto, so screw ’em.

But I now have two good ways to do this. Check this out in Play My Music.

TV

The same gripe as everyone else: The streaming services have re-invented Cable
TV, which I only got around to dumping a couple of years ago. The right solution
is obvious: Pay-per-view at a reasonably low price, then the services could
compete on producing great shows that people will pay to see, rather than
sucking you into yet another subscription.

I suspect this column will stay red for quite a while. It’s amazing how much
business leaders hate simple business models where there’s a clean clear
one-time price for a product and customers have a clean clear choice who they
buy their products from.

The path forward

I don’t know if I’ll ever turn the center column all-green. And I don’t need to;
progress is progress. Anyhow, doing this sort of investigation is kind of fun.


March 110
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #43: March 8, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

Short edition this week, despite the insanity. But Clown Week cometh! (Think
Shark Week for CAPEX obsessives).

News

Behold the Nuclear Cloud

Previous:

Cloud Power Up, Nuclear Powered Cloud Data Centers Are Happening, A
Nuclear-Powered Cloud, When Nuclear-Powered Data Centers?

Antitrust Incoherence: Spotify Edition



European Antitrust prioritizes protecting European firms. And they don’t have
many tech firms to protect…

Previous:

Antitrust Incoherence: Roomba Edition, A New Antitrust Doctrine

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: The Donald

This is going to make so many heads explode. Do tribal affiliations flip
overnight after Dear Leader weighs in, reversing his prior stance?

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: DC Lobbyists
Part III, Hollywood, DC Lobbyists Part II, NBA, Warner Bros. Discovery, Germany,
DC Lobbyists, Elon/Twitter, The Hugo Awards, Harvard University, Wall Street,
Apple

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Jeff Yass



Nothing is more important than investor IRR.

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Microsoft Bing

So much kowtowing. To what end?

Previous:

Best Nickname for Emmanuel Macron, Winnie-the-Pooh: Lover of Honey, Champion of
Freedom, Press Releases We’d Like to See


April 230
Today, 14:28 Phil Windley's Technometria (Feed)
Identity Metasystems and Lessons from Building the Sovrin Foundation

I recently spoke with Riley Hughes of Trinsic on his Future of Identity podcast
about the birth of Sovrin Foundation, its inevitable growing pains,
self-sovereign identity, identity metasystems, and adoption. Give it a listen.

I'm grateful to Riley for having me on as a guest.

Tags: identity ssi podcasts


March 50
24.6.2024, 6:00 SEI Blog (Feed)
10 Lessons in Security Operations and Incident Management
This post outlines 10 lessons learned from more than three decades of building
incident response and security teams throughout the globe.

March 50
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #42: March 1, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

News

A CAPEX Obsessive’s Work is Never Done

Previous:

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective, Follow the CAPEX:
Triangulating NVIDIA, more CAPEX

Google: Still Not Code Red?

We (yet) again ask if Google fully appreciates its predicament. They did manage
to get an anodyne and perfunctory email out a few days after the guardrails
self-immolation.

7 observations while reading the Google CEO email about Gemini:

⁃It gets off to a bad start with the use of “problematic” — a word used almost
exclusively by political activists, corporate bureaucracies, and the progressive
left. At a time when Google is being accused of being… https://t.co/xxPTl8hIwx

— Lulu Cheng Meservey (@lulumeservey) February 28, 2024

The search for Sundar’s successor has moved to the alumni network. But here’s my
neologism for the breakup option discussion:

Previous:

Google Goes Off the Guardrails, AI Marketing Hallucinations: Google Edition, The
Google Pivot Away from “AI-Safety First”, “Google has more than 160 people
working full time“, Google: Code Red Now?

Related:

“Corporate surrealism”, “…don’t reduce something by calling it a technical
problem when it’s really a broad-based company problem“

Google’s Cronkite Moment?

When you’ve lost Ben Thompson…

Related:

Cronkite moment

EU Insanity: Mistral Edition

I tried to summarize all the crazy assumptions, inconsistencies and hypocrisy
around EU responses to Mistral partnering with Microsoft, but just couldn’t. The
EU poses an immense cognitive and rhetorical challenge. I have entire posts on
the shelf because it is so hard to write prose that is commensurate with the
sheer level of insanity from the EU.

Previous:

Move Fast and Regulate Things (You Don’t Understand), The EU Will Continue to
Fiddle While Rome Burns, When “Move Fast and Regulate Things” Breaks Down, AI
Regulation: Move Fast and Regulate Things

EU Insanity: Performative Regulation has Consequences

New Cloud Repatriation Hypothesis

What if cloud repatriation really is happening, but is serverless?

Previous:

Cloud Repatriation Where Art Thou?, Cloud Repatriation: The Search Continues,
Cloud Repatriation: Still Not a Thing, Platformonomics Repatriation Index – Q1
2023: Surf’s Up?

Private Equity in Action: VMware Yet Again

You mark up my portfolio, I’ll mark up yours…

Previous:

Perfidious Private Equity, Private Equity in Action: VMware (Continued), Private
Equity in Action: VMware, Private Equity Will Buy and Ruin More Software
Companies, Software Migration Alert: VMware (Continued), Software Migration
Alert: VMware

Related:



Everything is Super

Another day, another definition from the “supercloud” svengalis. At this precise
moment “supercloud” is currently defined as an “editorial event“, while throwing
“superchips” and “superapps” onto the pyre as they finally start to discover
that AI is the actual thing.

Previous:

“Supercloud”: Still Dead, “Supercloud” RIP

A Call for the Corporate Death Penalty

If Arthur Andersen got the corporate death penalty for its role in the Enron
fraud, the death penalty must be in consideration for serial malignancy McKinsey
(opioids crisis, insider trading, also Enron, other autocracies, hybrid cloud,
et al).

Previous:

McKinsey Karma?

Related:

McKinsey: Last Week Tonight with John Oliver

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: DC Lobbyists
Part III

Shaming Westerners who brazenly advance West Taiwan’s aims is working. So the
shaming will continue.

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: DC Lobbyists
Part II, NBA, Warner Bros. Discovery, Germany, DC Lobbyists, Elon/Twitter, The
Hugo Awards, Harvard University, Wall Street, Apple

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Hollywood

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: DC Lobbyists
Part II, NBA, Warner Bros. Discovery, Germany, DC Lobbyists, Elon/Twitter, The
Hugo Awards, Harvard University, Wall Street, Apple

Related:

Band in China (South Park)


April 230
24.6.2024, 6:00 SEI Blog (Feed)
CERT Releases 2 Tools to Assess Insider Risk
The average insider risk incident costs organizations more than $600,000. To
help organizations assess their insider risk programs, the SEI CERT Division has
released two tools available for download.

February 280
Today, 17:55 ongoing by Tim Bray (Feed)
Money Bubble

I think I’m probably going to lose quite a lot of money in the next year or two.
It’s partly AI’s fault, but not mostly. Nonetheless I’m mostly going to write
about AI, because it intersects the technosphere, where I’ve lived for decades.

I’ve given up having a regular job. The family still has income but mostly we’re
harvesting our savings, built up over decades in a well-paid profession. Which
means that we are, willy-nilly, investors. And thus aware of the fever-dream
finance landscape that is InvestorWorld.

The Larger Bubble

Put in the simplest way: Things have been too good for too long in
InvestorWorld: low interest, high profits, the unending rocket rise of the
Big-Tech sector, now with AI afterburners. Wile E. Coyote hasn’t actually run
off the edge of the cliff yet, but there are just way more ways for things to go
wrong than right in the immediate future.

If you want to dive a little deeper, The Economist has a sharp (but paywalled)
take in Stockmarkets are booming. But the good times are unlikely to last. Their
argument is that profits are overvalued by investors because, in recent years,
they’ve always gone up. Mr Market ignores the fact that at least some of those
gleaming profits are artifacts of tax-slashing by right-wing governments.

That piece considers the observation that “Many investors hope that AI will ride
to the rescue” and is politely skeptical.

Popping the bubble

My own feelings aren’t polite; closer to Yep, you are living in a Nvidia-led
tech bubble by Brian Sozzi over at Yahoo! Finance.

Sozzi is fair, pointing out that this bubble feels different from the cannabis
and crypto crazes; among other things, chipmakers and cloud providers are
reporting big high-margin revenues for real actual products. But he hammers the
central point: What we’re seeing is FOMO-driven dumb money thrown at technology
by people who have no hope of understanding it. Just because everybody else is
and because the GPTs and image generators have cool demos. Sozzi has the
numbers, looking at valuations through standard old-as-dirt filters and shaking
his head at what he sees.

What’s going to happen, I’m pretty sure, is that AI/ML will, inevitably,
disappoint; in the financial sense I mean, probably doing some useful things,
maybe even a lot, but not generating the kind of profit explosions that you’d
need to justify the bubble. So it’ll pop, and my bet is it takes a bunch of the
finance world with it. As bad as 2008? Nobody knows, but it wouldn’t surprise
me.

The rest of this piece considers the issues facing AI/ML, with the goal of
showing why I see it as a bubble-inflator and eventual bubble-popper.

First, a disclosure: I speak as an educated amateur. I’ve never gone much below
the surface of the technology, never constructed a model or built
model-processing software, or looked closely at the math. But I think the
discussion below still works.

What’s good about AI/ML

Spoiler: I’m not the kind of burn-it-with-fire skeptic that I became around
anything blockchain-flavored. It is clear that generative models manage to embed
significant parts of the structure of language, of code, of pictures, of many
things where that has previously not been the case. The understanding is
sufficient to reliably accomplish the objective: Produce plausible output.

I’ve read enough Chomsky to believe that facility with language is a defining
characteristic of intelligence. More than that, a necessary but not sufficient
ingredient. I dunno if anyone will build an AGI in my lifetime, but I am
confident that the task would remain beyond reach without the functions offered
by today’s generative models.

Furthermore, I’m super impressed by something nobody else seems to talk about:
Prompt parsing. Obviously, prompts are processed into a representation that
reliably sends the model-traversal logic down substantially the right paths. The
LLMbots of this world may regularly be crazy and/or just wrong, but they do
consistently if not correctly address the substance of the prompt. There is
seriously good natural-language engineering going on here that AI’s critics
aren’t paying enough attention to.

So I have no patience with those who scoff at today’s technology, accusing it
of being a glorified Markov chain. Like the song says: Something’s happening here!
(What it is ain’t exactly clear.)

It helps that in the late teens I saw neural-net pattern-matching at work on
real-world problems from close up and developed serious respect for what that
technology can do; an example is EC2’s Predictive Auto Scaling (and gosh, it
looks like the competition has it too).

And recently, Adobe Lightroom has shipped a pretty awesome “Select Sky” feature.
It makes my M2 MacBook Pro think hard for a second or two, but I rarely see it
miss even an isolated scrap of sky off in the corner of the frame. It allows me,
in a picture like this, to make the sky’s brightness echo the water’s.

And of course I’ve heard about success stories in radiology and other
disciplines.

Thus, please don’t call me an “AI skeptic” or some such. There is a there there.

But…

Given that, why do I still think that the flood of money being thrown at this
tech is dumb, and that most of it will be lost? Partly just because of that
flood. When financial decision makers throw loads of money at things they don’t
understand, lots of it is always lost.

In the Venture-Capital business, that’s an understood part of the business
cycle; they’re looking to balance that out with a small number of 100x startup
wins. But when big old insurance companies and airlines and so on are piling in
and releasing effusive statements about building the company around some new
tech voodoo, the outcome, in my experience, is very rarely good.

But let’s be specific.

Meaning

As I said above, I think the human mind has a large and important
language-processing system. But that’s not all. It’s also a (slow,
poorly-understood) computer, with access to a medium-large database of facts and
recollections, an ultra-slow numeric processor, and facilities for estimation,
prediction, speculation, and invention. Let’s group all this stuff together and
call it “meaning”.

Have a look at Climbing towards NLU: On Meaning, Form, and Understanding in the
Age of Data by Emily Bender and Alexander Koller (2020). I don’t agree with all
of it, and it addresses an earlier generation of generative models, but it’s
very thought-provoking. It postulates the “Octopus Test”, a good variation on
the bad old Chinese-Room analogy. It talks usefully about how human language
acquisition works. A couple of quotes: “It is instructive to look at the past to
appreciate this question. Computational linguistics has gone through many
fashion cycles over the course of its history” and “In this paper, we have
argued that in contrast to some current hype, meaning cannot be learned from
form alone.”

I’m not saying these problems can’t be solved. Software systems can be equipped
with databases of facts, and who knows, perhaps some day estimation, prediction,
speculation, and invention. But it’s not going to be easy.

Difficulty

I think there’s a useful analogy between the narratives around AI and of
self-driving cars. As I write this, Apple has apparently decided that generative
AI is easier than shipping an autonomous car. I’m particularly sensitive to this
analogy because back around 2010, as the first self-driving prototypes were
coming into view, I predicted, loudly and in public, that this technology was
about to become ubiquitous and turn the economy inside out. Ouch.

There’s a pattern: The technologies that really do change the world tend to have
strings of successes, producing obvious benefits even in their earliest forms,
to the extent that geeks load them in the back doors of organizations just to
get shit done. As they say, “The CIO is the last to know.”

Contrast cryptocurrencies and blockchains, which limped along from year to year,
always promising a brilliant future, never doing anything useful. As to the
usefulness of self-driving technology, I still think it’s gonna get there, but
it’s surrounded by a cloud of litigation.

Anyhow, anybody who thinks that it’ll be easy to teach “meaning” (as I described
it above) to today’s generative AI is a fool, and you shouldn’t give them your
money.

Money and carbon

Another big problem we’re not talking about enough is the cost of generative AI.
Nature offers Generative AI’s environmental costs are soaring — and mostly
secret. In a Mastodon thread, @Quixoticgeek@social.v.st says We need to talk
about data centres, and includes a few hard and sobering numbers.

Short form: This shit is expensive, in dollars and in carbon load. Nvidia pulled
in $60.9 billion in 2023, up 126% from the previous year, and is heading for a
$100B/year run rate, while reporting a 75% margin.

Another thing these articles don’t mention is that building, deploying, and
running generative-AI systems requires significant effort from a small group of
people who now apparently constitute the world’s highest-paid cadre of
engineers. And good luck trying to hire one if you’re a mainstream company where
IT is a cost center.

All this means that for the technology to succeed, it not only has to do
something useful, but people and businesses will have to be ready to pay a
significantly high price for that something.

I’m not saying that there’s nothing that qualifies, but I am betting that it’s
not in ad-supported territory.

Also, it’s going to have to deal with pushback from unreasonable climate-change
resisters like, for example, me.

Anyhow…

I kind of flipped out, and was motivated to finish this blog piece, when I saw
this: “UK government wants to use AI to cut civil service jobs: Yes, you read
that right.” The idea — to have citizen input processed and responded to by an
LLM — is hideously toxic and broken; and usefully reveals the kind of thinking
that makes morally crippled leaders all across our system love this technology.

The road ahead looks bumpy from where I sit. And when the business community
wakes up and realizes that replacing people with shitty technology doesn’t show
up as a positive on the financials after you factor in the consequences of
customer rage, that’s when the hot air gushes out of the bubble.

It might not take big chunks of InvestorWorld with it. But I’m betting it does.


April 190
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #41: February 23, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

News

Follow the CAPEX: Triangulating NVIDIA

I wrote a post about what we can learn from the intersection of NVIDIA’s revenue
and hypercloud CAPEX spending.

Previous:

Follow the CAPEX: Triangulating NVIDIA, more CAPEX

Related:

Jim Chanos on NVIDIA sales/hypercloud CAPEX

Google Goes Off the Guardrails

Generative AI is augmented reality, created by holding a mirror up to humanity,
and then “guardrailing” that reality into something altogether different (and
idealized).

Google has made Elon’s case in a way that Elon himself never could (and is still
unlikely to execute on successfully).

And yet another sign Google isn’t anywhere near a wartime footing. Pay-per-view
of this debacle’s postmortem would be huge.

The Tiananmen Square filter is particularly bizarre given Google has less
exposure to West Taiwan than most Big Tech companies.

Previous:

AI Marketing Hallucinations: Google Edition, The Google Pivot Away from
“AI-Safety First”, “Google has more than 160 people working full time“, Google:
Code Red Now?

Does the New York Times Editorial Page Ever Talk to the Business Side of the
House?

New York Times slogan: “All the Hypocrisy About Tech That’s Fit to Print!”

Previous:

Living in a Glass House: The New York Times On Tech

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: DC Lobbyists
Part II

Shaming Westerners who brazenly advance West Taiwan’s aims may work. So the
shaming will continue.

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: DC Lobbyists,
Elon/Twitter, The Hugo Awards, Harvard University, Wall Street, Apple

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: NBA

Previous:

Press Releases We’d Like to See: Daryl Morey, Trey Parker and Matt Stone Awarded
the 2020 Nobel Peace Prize

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Warner Bros.
Discovery

A sanitized Xinjiang travelogue no less.

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Germany

Previous:

Collapsing Economic Models: German Edition, EU Rethinking Its Stance on
Mercantilism, German Auto Industry Reaches Hail Mary Stage, How Do You Say
“Burning Platform” in German?, Volkswagen’s Death Throes Continue, The Fate of
the European Economy: Automotive Edition, Europe: Investing in Slave Labor


April 230
Follow the CAPEX: Triangulating NVIDIA

Previous CAPEX obsessing

Let’s compare NVIDIA’s Data Center segment revenue to the CAPEX spending of the
hyperclouds (Amazon, Google, Microsoft, henceforth AGM) plus Meta over the last
couple years (AGMM collectively). We’d like to know how much of NVIDIA’s revenue is
from the hyperclouds (and honorary hypercloud sidekick Meta) and how much of
hypercloud CAPEX is going to NVIDIA for AI infrastructure.

Above we see the AI liftoff in NVIDIA’s Data Center business in the last year.
ChatGPT launched five quarters ago (November 30, 2022) while the NVIDIA H100
shipped “in the fall” of 2022.

NVIDIA’s fiscal year ends in January, but below we will compare their quarters
with the overlapping calendar quarters of their big customers, so remember the
NVIDIA revenues go a month later than the hyperclouds.

The chart above compares all-up, corporate level CAPEX spend of AGM (so includes
Amazon’s #bonkers pandemic spending on logistics infrastructure). NVIDIA’s total
Data Center revenues hit 49% of AGM all-up CAPEX in Q4.

Now we compare AGM’s estimated spending on data center CAPEX (based on
proprietary Platformonomics analysis aka, in proper analyst tradition, a guess).
NVIDIA Data Center revenue is at 81% of that estimated AGM data center spending.
It is hard to imagine NVIDIA getting half of hypercloud CAPEX, so that suggests
NVIDIA is spreading out the GPUs across lots of customers.

Next we add Meta to the all-up corporate spend picture. I don’t usually track
Meta as they don’t have a cloud (and likely won’t due to a recurring tendency to
pull the rug out from under developers, which is a bad look for aspiring
platforms), but they do spend a lot on CAPEX[1] and more recently have gone all-in
on GPUs (though it is really unclear what they are doing with them beyond
training Llama — perhaps LLM-powered search?). That takes NVIDIA Data Center
revenue down to 40% of AGMM CAPEX in Q4.

Finally, we’ll add our proprietary guess of data center infrastructure spending
by AGM plus Meta. NVIDIA Data Center revenue is about 65%. Again, that suggests
they’re spreading the GPUs well beyond the hyperclouds and Meta.

None of the above tells us anything about what the hyperclouds and Meta are
spending, collectively or individually, on AI infrastructure. NVIDIA obviously
has a lot of other customers (enterprises, universities, nation states, et al.)
and are over-allocating scarce supply to boutique GPU clouds[2] (e.g. CoreWeave,
Llama Labs, Oracle) in hopes of building leverage over the hyperclouds (who
happen to be doing their own competitive silicon).

NVIDIA did say in their conference call:

“In the fourth quarter, large cloud providers represented more than half of our
data center revenue, supporting both internal workloads and external public
cloud customers.”

So over $9 billion of their revenue went to the hyperclouds (and they may
generously include other not-so-hyper providers in that bucket, i.e. what we
call “clowns“).

Microsoft and NVIDIA

Much more interesting is what NVIDIA says about customer concentration in their
SEC filings. Our assumption is that Microsoft is NVIDIA’s largest customer. From
these disclosures, we can construct the following:

Microsoft was likely responsible for 19% of NVIDIA’s revenue in FY24 and 22% in
the fourth quarter. This suggests Microsoft spent $11.58 billion with NVIDIA in
NVIDIA’s FY24. Microsoft also buys (a few) GPUs for Surface devices so it isn’t
entirely AI infrastructure, but it is close.

And if Microsoft spent almost $5 billion with NVIDIA in Q4, that leaves ~$4
billion to split between Amazon, Google, and perhaps other “large cloud
providers”. It is unclear if Meta is in NVIDIA’s “large cloud provider”
category, but if so, it would suggest Amazon and Google are getting very small
allocations.

A second customer gets called out in Q3 as accounting for 13% of revenue in Q3
and 10% of revenue for the first three quarters of the year ($2.4B and $3.9B
respectively). This is probably Meta (too early for Amazon who took a long time
to make peace with NVIDIA and Google is dividing their investment between NVIDIA
and their own TPUs). Customer two didn’t warrant a breakout in any other
quarter.

If we switch to Microsoft’s calendar (so the NVIDIA numbers are off by a month),
we can look at spend with NVIDIA vs. Microsoft’s total CAPEX spend. It peaks to
43% by Q4! The mad scramble for GPUs is accelerating!

$11.8 billion tops my prediction of how much Microsoft spent on generative AI
infrastructure from just a couple weeks ago:

Microsoft is reputed to be the largest customer for both NVIDIA (Q4 2022, Q2
2023, 2H 2023) and AMD (plus is doing its own AI silicon). The abrupt 4% bump in
CAPEX as a percentage of revenue, after a steady 13-14% for years prior, is the
best proxy for the incremental AI spending in 2023. That suggests an incremental
AI-driven spend of about $9 billion, or 22% of overall CAPEX.

That means CAPEX intensity for the rest of Microsoft’s (non-AI) cloud
infrastructure is actually declining, even as overall Azure cloud revenue grew
by 30% (to which they attributed 6 points to AI). Either they’re stretching the
infrastructure/not investing as far ahead of demand or there really is something
to the extensions of server lifetimes (which I still dismiss as accounting
hijinks downstream from raw CAPEX investments).

Microsoft’s $11.58 billion spend translates at list prices to about 385,000
H100s (on top of whatever they bought in 2022). Presumably you also get a unit
discount when you write a three comma check. There is also some (required)
networking gear in there too[3], but that just muddles a nice big number.

NVIDIA CAPEX

NVIDIA’s own CAPEX is measly, just $1.07 billion for the fiscal year, and down
42% from the prior year. Less than 2% of revenue. Fabless indeed.

What have I missed here?

1. Seventh largest in the CAPEX Extended Universe I track, just behind TSMC.

2. Who may be deadbeats?

3. In the conference call, NVIDIA said a couple things about networking which is
also in the Data Center segment and complements the GPUs in AI infrastructure:
“Compute revenue grew more than 5x and networking revenue tripled from last
year.” and “Networking exceeded a $13 billion annualized revenue run rate. Our
end-to-end networking solutions define modern AI data centers. Our InfiniBand
solutions grew more than 5x year on year.” [$13 billion run rate equates to
$3.25 billion in Q4, which is about 18% of NVIDIA’s Data Center business].

February 230
24.6.2024, 6:00 SEI Blog (Feed)
OpenAI Collaboration Yields 14 Recommendations for Evaluating LLMs for
Cybersecurity
This SEI Blog post summarizes 14 recommendations to help assessors accurately
evaluate LLM cybersecurity capabilities.

February 210
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #40: February 16, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

News

CAPEX Everywhere



The Hamas data center under UN headquarters in Gaza had eight racks. In Oracle
parlance, that is four regions.

Previous:

Follow the CAPEX: Keeping Up With The Clowns

Cloud Repatriation Where Art Thou?

With Q4 2023 numbers in, the Platformonomics Repatriation Index continues its
decline (i.e. cloud prevails). This index’s construction is extremely favorable
for cloud repatriation, yet we still don’t see it. Digital Realty Trust and
Equinix should be huge beneficiaries from any cloud repatriation. Even when we
include their “other revenue” and only compare them against AWS, the slowest
growing cloud, we still don’t see any signs of repatriation. The data center
companies’ 2024 guidance is for single digit growth, so they don’t seem to see
it either.

They’re not getting any AI tailwind either, which is a topic for another week,
but here’s a glimpse of the future:

Data centers are not the salvation for the beleaguered commercial real estate
market, even if that is the superficial conventional wisdom amongst investors.

Previous:

Cloud Repatriation: The Search Continues, Cloud Repatriation: Still Not a Thing,
Platformonomics Repatriation Index – Q1 2023: Surf’s Up?, The Inexorable
Attraction Between Terrible Things: Cloud Repatriation and Private Equity,
Private Equity in Action: Data Centers

SEC Embraces Platformonomics ClownWatch, Warns Amazon and IBM

Previous:

Introducing Platformonomics ClownWatch, IBM and the Art of Misleading Investors,
This Week in Securities Fraud, Clown CAPEX, IBM’s “Cloud” Business (or Lack
Thereof), IBM: How Much Longer Do the Good Times Last?, The AWS Generative AI
Soap Opera, The Amazon AI Inferiority Complex

Media Wants More Sources Revealed

The never-ending hypocrisy in media coverage of technology never fails to
entertain.

Previous:

Living in a Glass House: The New York Times On Tech

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: DC Lobbyists

They’re registered foreign agents, which is even worse. Aid and Comfort.

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Harvard
University, Useful Idiots, Fellow Travelers and Unregistered Foreign Agents:
Wall Street, Useful Idiots, Fellow Travelers and Unregistered Foreign Agents:
Apple

Related:

Lawmakers weigh blacklist for firms lobbying for Chinese military-linked
companies

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Elon/Twitter

Elon is a very compromised geopolitical actor.

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Harvard
University, Useful Idiots, Fellow Travelers and Unregistered Foreign Agents:
Wall Street, Useful Idiots, Fellow Travelers and Unregistered Foreign Agents:
Apple

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: The Hugo Awards



Western self-censorship on behalf of West Taiwan is such a bad look. Yet
pervasive.

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Harvard
University, Useful Idiots, Fellow Travelers and Unregistered Foreign Agents:
Wall Street, Useful Idiots, Fellow Travelers and Unregistered Foreign Agents:
Apple


March 60
Today, 17:55 ongoing by Tim Bray (Feed)
Social Photos

I like taking pictures, and I like sharing pictures wherever I hang out online.
A problem with this is knowing that the pictures will very rarely look as good
in other people’s browsers and apps as they do to me in Lightroom on a big
bright 4K screen. Thus this piece, a basic investigation of how photos are
processed and transformed on Mastodon, Bluesky, and Threads.

I was never that much of an Instagram poster; Insta does a good job of taking
your crappy phone pix and juicing them up with filters so they look way better.
That’s irrelevant to me, because not only do I like taking pictures, I like
polishing them with Lightroom and Silver Efex and so on. So with a few
exceptions, everything I want to share gets pulled onto my Mac and edited before
I share it. And once I’ve done that, why would I post pictures anywhere but
where I have my normal conversations?

The picture

Here it is:

Taken with a Pixel 7 out an airplane window somewhere just west of Havre,
Montana. It seems like there are two layers of clouds at the left of the picture
but if you look closely, the lower one I think is the Rocky Mountains in the
distance.

That’s a big picture, both in its subject and raw size: The Pixel version, after
editing, is 3814x2290. Also it has a lot of fine detail, and rewards zooming in.
When I post it, I’d like some sense of the bigness to come across, and when
tapped to enlarge, I’d like it to wow people a little, especially those
fortunate enough to be looking at big screens. And I’d like it to be at least OK
on your phone.

Normally, pictures here in the blog are limited to max 720x720 in the column of
text, and the larger version you get by clicking to 1440x960. But in this case,
if you click you get a 2558x1536 version, the objective being that that’ll be
big enough to fill almost any screen it gets viewed on.

Methodology and apology

The question I want to investigate is, “which platforms are going to make my
pictures look good?” But I haven’t really figured out yet how to do that. To
start with, what kind of picture is going to do best as a metric to judge the
processing quality?

Anyhow, I picked this one and posted it to Mastodon, Bluesky, and Threads, and
here gather data about the results. But hey, why not tap those links on whatever
device you’re using right now and see what you think about how the picture looks
there?

The columns are:

Bytes: the size of the photo as downloaded.

WxH: width and height, in pixels.

“Q”: the JPG quality, as reported by Imagemagick’s identify --verbose. The
quotes are there because I’m not sure how to interpret, or even whether it’s any
use at all.

                      Bytes     WxH         “Q”
Original              1671514   2558x1536   94
Blog form             624961    1440x865    94
Bluesky Android FS    302972    864x663
Bluesky Android mini  42410     345x345
Bluesky Web FS        536345    2000x1201   80
Bluesky Web mini      112335    1000x601    80
Mastodon Web FS       1555111   2558x1536   90
Mastodon Web mini     86374     619x372     90
Phanpy Web FS         1555111   2558x1536   90
Phanpy Web mini       86374     619x372     90
Threads Web FS        888067    2160x1297   90
Threads Web mini      888067    2160x1297   90

Note that each of the posts included not one but two pictures, because I was
also interested in how the platforms allocated screen space. The platforms
typically have two display modes, “mini”, as shown in the feed, and “FS” for
Full Size, what you get when you click on the picture.

Original/Blog form

I think that ideally, I’d like each platform’s presentation of the picture, when
you click on it, to have the same number of pixels and for each pixel to have
the same color value, as in my original.

Bluesky

First of all are numbers from the Android app, but please don’t take them
seriously. The process of extracting them from the Pixel’s screen and getting
them onto my Mac involved multiple irritating steps, each one of which may have
damaged the bits. So I didn’t repeat the exercise for the other platforms. They
are mostly here to encourage me, should I pursue this further, to find a good
clean way to extract this information.

I do note, however, that the “mini” form in the Bluesky Android feed really
crushes those poor little pictures down and, for this particular picture, offers
no suggestion that it’s big.

The Web version of Bluesky does not preserve my pixels, but coerces the size
down to 2K and 1K width in FS and mini versions.

Mastodon and Phanpy

Phanpy is an alternate client for Mastodon; I think it’s very good and it’s my
daily driver. The table reveals that, in this case, the alternate client pulls
in the same images as the official Web client, which is good.

It also reveals that Mastodon preserves the picture’s dimensions, but obviously
reprocesses it somehow, because the photos grow (somewhat) smaller. I wish they
didn’t do that. It’s open-source, I should peek in and see what they actually
do.

Phanpy does a better job of actually showing the pictures in-feed than the
official Mastodon client, and both are nicer than Bluesky.

Threads

I had difficulty, because the Threads Web client is a tangly JavaScript fever
dream, so it’s really hard to get at the underlying photos, but my efforts
suggested that it uses the same picture for the “mini” and “FS” versions, just
getting the browser to scale them down.

Furthermore, Threads doesn’t want pictures to be more than 2160 pixels wide.

Maybe I’m wrong

Because the experimental work was manual and thus highly prone to fumblefingers
and brain farts. If you think that any of these numbers are wrong, you may be
right; please yell at me.

I hesitate to offer a conclusion because this is, as noted at the top, the first
steps in what could be a large and interesting research project, one that I
probably don’t have the expertise to conduct. But, here are a few anyhow.

First, they all do a pretty good job. Second, none of them actually offer an
opportunity to view my bits exactly as uploaded, which I think they should.
Third, client designers should follow Phanpy’s lead in figuring out how to make
better use of screen real-estate to highlight images.

What Lewis Carroll Said

And I quote: “What is the use of a book,” thought Alice, “without pictures or
conversations?”


February 210
Today, 14:28 Phil Windley's Technometria (Feed)
Zero Trust with Zero Data

Summary: The physical world is full of zero trust examples, but they gather
attributes for the access control decisions in a very different way than we're
used to online.

Presenting your ID to buy beer is used so often as an example of how verifiable
credentials work that it's cliche. Cliche or not, there's another aspect of
using an ID to buy beer that I want to focus on: it's an excellent example of
zero trust.

Zero Trust operates on a simple, yet powerful principle: "assume breach." In a
world where network boundaries are increasingly porous and cyber threats are
more evasive than ever, the Zero Trust model centers around the notion that no
one, whether internal or external, should be inherently trusted. This approach
mandates continuous verification, strict access controls, and
micro-segmentation, ensuring that every user and device proves their legitimacy
before gaining access to sensitive resources. If we assume breach, then the only
strategy that can protect the corporate network, infrastructure, applications,
and people is to authorize every access.

From Zero Trust
Referenced 2024-02-09T08:25:55-0500

The real world is full of zero trust examples. When we're controlling access to
something in the physical world—beer, a movie, a boarding gate, points in a
loyalty program, prescription drugs, and so on—we almost invariably use a zero
trust model. We authorize every access. This isn't surprising: the physical
world is remarkably decentralized, there aren't many natural boundaries to
exploit, and artificial boundaries are expensive and inconvenient.

The other thing that's interesting about zero trust in the physical world is
that authorization is also usually done using Zero Data. Zero data is a name
StJohn Deakin gave to the concept of using data gathered just in time to make
authorization and other decisions rather than relying on great stores of data.
There are obvious security benefits from storing less data, but zero data also
offers significantly greater convenience for people and organizations alike. To
top all that off, it can save money by reducing the number of partner
integrations (i.e., far fewer federations) and enable applications that have far
greater scale.

Let's examine these benefits in the scenario I opened with. Imagine that instead
of using a credential (e.g., driver's license) to prove your age when buying
beer, we ran convenience stores like a web app. Before you could shop, you'd
have to register an account. And if you wanted to buy beer, the company would
have to proof the identity of the person to ensure they're over 21. Now when you
buy beer at the store, you'd log in so the system could use your stored
attributes to ensure you were allowed to buy beer.

This scenario is still zero trust, but not zero data. And it's ludicrous to
imagine anyone would put up with it, but we do it every day online. I don't know
about you, but I'm comforted to know that every convenience store I visit
doesn't have a store of all kinds of information about me in an account
somewhere. Zero data stores less data that can be exploited by hackers (or the
companies we trust with it).

The benefit of scale is obvious as well. In a zero data, zero trust scenario we
don't have to have long-term transactional relationships with every store,
movie, restaurant, and barber shop we visit. They don't have to maintain
federation relationships with numerous identity providers. There are places
where the ability to scale zero trust really matters. For example, it's
impossible for every hospital to have a relationship with every other hospital
for purposes of authorizing access for medical personnel who move or need
temporary access. Similarly, airline personnel move between numerous airports and
need access to various facilities at airports.

Finally, the integration burden with zero trust with zero data is much lower.
The convenience store selling beer doesn't have to have an integration with any
other system to check your ID. The attributes are self-contained in a
tamper-evident package with built-in biometric authentication. Even more
important, no legal agreement or prior coordination is needed. Lower integration
burden reduces the prerequisites for implementing zero trust.

How do we build zero data, zero trust systems? By using verifiable credentials
to transfer attributes about their subject in a way that is decentralized and
yet trustworthy. Zero data aligns our online existence more closely with our
real-world interactions, fostering new methods of communication while decreasing
the challenges and risks associated with amassing, storing, and utilizing vast
amounts of data.

Just-in-time, zero data, attribute transfer can make many zero trust scenarios
more realizable because it's more flexible. Zero trust with zero data,
facilitated by verifiable credentials, represents a pivotal transition in how
digital identity is used in authorization decisions. By minimizing centralized
data storage and emphasizing cryptographic verifiability, this approach aims to
address the prevalent challenges in data management, security, and user trust.
By allowing online interactions to more faithfully follow established patterns
of transferring trust from the physical world, zero trust with zero data
promotes better security with increased convenience and lower cost. What's not
to like?

Photo Credit: We ID Everyone from DALL-E (Public Domain) DALL-E apparently
thinks a six-pack has 8 bottles but this was the best of several attempts.
Here's the prompt: Produce a photo-realistic image of a convenience store clerk.
She's behind the counter and there's a six pack of beer on the counter. Behind
her, clearly visible, is a sign that says "We I.D. Everyone".

Tags: identity ssi zero+trust zero+data authorization verifiable+credentials


February 150
18.6.2024, 16:30 All Things Distributed (Feed)
What I've been reading since re:Invent
After a busy conference season, I've taken some time to catch up on reading and
make a dent in the pile of books on my nightstand. Here's what I've started,
finished, and picked up since re:Invent.

February 130
24.6.2024, 6:00 SEI Blog (Feed)
Using ChatGPT to Analyze Your Code? Not So Fast
This blog post explores the efficacy of ChatGPT 3.5 in identifying errors in
software code.

February 130
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #39: February 9, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

CAPEX Week is over! It is a huge step down, but on to the Superbowl!

News

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective

I published my annual look at hypercloud CAPEX spending this week. The best part
of publishing is all the people who come out of the woodwork with great
perspective to add. The worst part is all the jokes I think of right after
publishing.

The scale of hypercloud CAPEX investment is immense. But apparently not immense
enough:

Previous:

Follow the CAPEX: Cloud Table Stakes 2023 Retrospective

Introducing Platformonomics ClownWatch

CAPEX spending helped us separate the clowns from the clouds.

CAPEX is also a great lens for generative AI, which requires even more expensive
infrastructure (thanks NVIDIA!). Once again, we can contrast flowery rhetoric
with hard investment.

IBM (no surprise) is the first member of the Platformonomics ClownWatch list of
AI poseurs. IBM is running the same playbook they used for cloud: chant the
buzzwords, cut actual CAPEX spending, talk up irrelevant products, hope to book
some consulting business from less discerning enterprise customers, and try not
to go to jail for securities fraud.

Amazon CEO Andy Jassy said “every single business” at Amazon had “multiple”
generative AI initiatives. Except, it seems, the people who build out the AWS
infrastructure. In the middle of the AI boom where GPUs are the most coveted
items on Earth, AWS CAPEX investment was down 10% in 2023 (even as the business
grew by 13%). The disconnect between Amazon’s incessant AI chatter and shrinking
investment requires us to put AWS on negative watch for potential addition to
the ClownWatch AI list. Stay tuned.

Previous:

IBM and the Art of Misleading Investors, This Week in Securities Fraud, Clown
CAPEX, IBM’s “Cloud” Business (or Lack Thereof), IBM: How Much Longer Do the
Good Times Last?, The AWS Generative AI Soap Opera, The Amazon AI Inferiority
Complex

Viewer Mail #1

Q: Was the cloud infrastructure build-out a ZIRP phenomenon? AWS seems to have
ended debt financing about the time interest rates started to normalize.

A: I don’t think so. The cloud is a real business funded from cash flows and
still growing, which is the antithesis of ZIRP phenomena. Meta and Microsoft are
still using finance leases to fund server purchases. And in the case of Amazon,
I think they just have more cash compared to the early days (and they have more
cash because they’ve run out of things to invest in, including, it seems, AWS
infrastructure).

Previous:

The Great Startup Reset: Why Founders Should Prepare for Lower Valuations (ZIRP
phenomena)

Server Depreciation

I’m writing too much a lot about depreciation. Traditionally my view is gross
investment is what is interesting as that corresponds to the growth in
infrastructure. Depreciation is just an after-the-fact bean counter adjustment.
But depreciation adds up to real money (or at least real accounting adjustments)
when you have tens of millions of servers and extend their useful lives by 50%
(from four years to six). Moore’s Law needs to get back in gear or the
accountants will win this battle.

Previous:

BREAKING: Depreciation Schedules, Depreciation Schedules Meet Moore’s Law,
Follow the CAPEX: Cloud Table Stakes 2023 Retrospective

Software Migration Alert: Everbridge

As you know, when private equity comes amalgamating, it is time to start
migrating.

Previous:

Perfidious Private Equity, Private Equity in Action: VMware (Continued), Private
Equity in Action: VMware, Private Equity Will Buy and Ruin More Software
Companies, Software Migration Alert: VMware (Continued), Software Migration
Alert: VMware, Software Migration Alert: Rover, Software Migration Alert: Avid
Technology, Software Migration Alert: EngageSmart, This Week’s Software
Migration Alerts

So You Want to Build an AI Company: Episode 2

Their administrative bloat is your opportunity.

Previous:

So You Want to Build an AI Company


March 60
Follow the CAPEX: Cloud Table Stakes 2023 Retrospective

Tl;dr: Cloud CAPEX is once again both exciting and revealing!

Previous retrospectives: 2016, 2017, 2018, 2019, 2020, 2021, 2022 plus
earlier/other CAPEX musings.

Capital expenditures (CAPEX) are old school. You acquire some abiding apparatus
around which you build a business. It is the antithesis of the “asset light”
avoidance of hard work or the financial shenanigans that characterize many
trendy business models. Buy some (typically unglamorous and/or unwieldy)
machinery and earn back your investment over time.

The CAPEX that begets cloud infrastructure has been mostly uneventful in recent
years, ever since it helped us separate the clouds from the clowns (the cloud
pretenders who talked a good game but didn’t put real money where their mouths
were). But times change! Cloud CAPEX is again both exciting and revealing thanks
to generative AI.

Cloud CAPEX is fascinating at multiple levels. The sheer magnitude of hypercloud
CAPEX spending is breathtaking and glorious in and of itself. The hypercloud
trio, who I quaintly think of as software companies, are marshaling matter
across a variety of businesses (not just cloud infrastructure) on the same scale
as the world’s very largest metal-benders.  

Cloud infrastructure is a multi-hundred-billion-dollar industry, with the
majority of IT spend still an opportunity ahead of them. Hypercloud CAPEX not
only tells us what is happening in the market, but also what the providers think
will happen, as they must invest ahead of revenue.

And now generative AI is disrupting the cloud infrastructure business, toppling
architectures, customer priorities and industry pecking orders. Cloud CAPEX
gives perspective on how AI platitudes are turning into GPU purchases.

There is lots of good analysis about who has the most GPUs or which silicon
might challenge NVIDIA. As fun (and interesting) as that is, that is not our
purpose here. We’ll stick to what the cloud infrastructure lens reveals about
both cloud and AI investment. We’ll try to stick to the data and save the really
speculative conclusions for later. And we’ll even resist (almost) making fun of
the rise of GPUs as an asset class (because everything should be
financialized!).

Standard disclaimer: Unless otherwise indicated, the reported numbers are the
companies’ total CAPEX spend, not just cloud infrastructure, so includes land,
office buildings, campus redevelopments, warehouses, panopticonvenience stores,
manufacturing tooling, self-driving cars, delivery vehicles, flying machines,
flying delivery machines, satellite constellations, hardware that both is and is
not required for quantum computing, and – what should be the absolute top
priority for Congressional hearings – the still missing-in-action Google space
elevator. The numbers include finance leases for both Amazon and Microsoft, as
well as build-to-suit leases for Amazon (the leases are debt instruments used to
finance specific CAPEX expenditures, namely servers and buildings).

Now the numbers!

SUMMARY

The three hypercloud companies – Amazon, Google, and Microsoft – collectively
spent over $127 billion on CAPEX in 2023, flat from 2022. That is company-wide
CAPEX. Their combined cloud infrastructure CAPEX was on the order of $80 billion
(we don’t get clean breakouts from Google or Microsoft).

Amazon’s (relative) CAPEX austerity continues, as the company spent a measly
$53.7 billion, a decline of 20%, following a 9% decline in 2022. Unlike last
year, it wasn’t just retail fulfillment retrenchment. AWS infrastructure
spending also declined for the first time ever. Given how much Amazon talks
about generative AI, it is a very odd year to cut AWS CAPEX.

Google eked out a 2% increase to $32.3 billion. Their much-anticipated 2022
server fleet refresh still hasn’t happened. There may be a glimmer of an AI
infrastructure uptick in the fourth quarter, but otherwise nothing that screams
“Code Red”.

Microsoft CAPEX grew 45% to $41.2 billion. Microsoft is patient zero in the mad
scramble for GPUs with its OpenAI partnership. OpenAI is nothing without GPUs,
and those GPUs are in Azure. Microsoft crossed the chasm from training to
inference at scale, serving hundreds of millions of monthly users. Microsoft’s
AI investments are impossible to miss.

Amazon still spends more than any other (non-Chinese[1]) company in the world,
while Google and Microsoft stand amongst the biggest CAPEX spenders on the
planet.

The three hypercloud companies’ cumulative CAPEX spend since 2000 is over $820
billion, with $250 billion of that spending in the last two years. Even in the
event of continued sobriety at Amazon, that number should easily pass a trillion
dollars invested in 2025.

Looking at CAPEX as a percentage of revenue shows Amazon’s decline back to 2015
levels, the fizzling out of Google’s quadrennial server refresh cycle, and
Microsoft’s generative AI spike.

This year we’ll review the hypercloud companies in reverse alphabetic order.

Microsoft

Microsoft has gone from perennially the most boring to the most interesting of
our CAPEX contestants. After being smoothly monotonic since 2016, and very
consistent as a percentage of revenue, Microsoft’s CAPEX jumped by 45% (+$12.8
billion) in 2023 (ChatGPT was introduced November 30, 2022).

FUN FACT: Microsoft spent more on CAPEX in 2023 than Oracle has in its entire
history.

The company said calendar fourth quarter CAPEX spending was actually
“lower-than-expected due to delivery for a third-party capacity contract
shifting from [fiscal year] Q2 to Q3” (NVIDIA or AMD?) and they expect “capital
expenditures to increase materially” in 2024. In June the company sent the
rarely-fielded CFO/CTO tag team to warn Wall Street of its coming CAPEX binge,
introduce the concept of software COGS, and assure them it would all pay off.

Microsoft is reputed to be the largest customer for both NVIDIA (Q4 2022, Q2
2023, 2H 2023) and AMD (plus is doing its own AI silicon). The abrupt 4% bump in
CAPEX as a percentage of revenue, after a steady 13-14% for years prior, is the
best proxy for the incremental AI spending in 2023. That suggests an incremental
AI-driven spend of about $9 billion, or 22% of overall CAPEX.

But this number understates Microsoft’s mad scramble for GPUs. The company is
also spending billions to rent capacity from various boutique GPU clouds
(including CoreWeave, Lambda Labs, and Oracle). That matrix multiplication
machinery shows up as OPEX, not CAPEX.

Microsoft even identifies GPU availability as a risk factor in its 10-K:

Our datacenters depend on the availability of permitted and buildable land,
predictable energy, networking supplies, and servers, including graphics
processing units (“GPUs”) and other components.

Now they just have to turn all this investment into profitable business. And
profit margin expectations at Microsoft are very high…

Google

Google has been a disappointment to CAPEX obsessives for the last two years. We
were hoping for their fifth quadrennial server upgrade cycle to hit in 2022 with
CAPEX spiking back to at least 17% of revenue, thereby boosting annual CAPEX to
over $48 billion.

Instead, we got an anemic bump from 2021’s nine-year low of 10% of revenue all
the way up to 11% in 2022 (it was still 28% dollar growth to $31.5 billion in
CAPEX given their ever-growing revenue base). In 2023 Google CAPEX nudged up 2%
to $32.3 billion.

We remain hopeful that despite the bean counters seemingly winning the battle
between depreciation schedules and a withering Moore’s Law, that fifth refresh
cycle is merely delayed as the useful accounting life of servers has been
extended from four years to six years.

It is amusing that on the list of “discipline” and “efficiency” initiatives
Google felt worth surfacing to Wall Street is improved “machine utilization”.
Presumably that means there are material savings to be had (they also announced
they were eliminating staplers[2]). One can easily imagine individual development
teams having (and having forgotten about) tens of thousands of servers in their
couch cushions[3]. So there is a scenario where Google’s infrastructure was
(vastly?) overbuilt and some of it can be recycled to meet growth demands.

FUN FACT: Google spent more on CAPEX in 2023 than IBM has over the last decade.

On the AI front, Google faces the most interesting strategic quandary of the
hyperclouds. Google invented transformers and has long led in AI research.
Letting others capitalize on their inventions would (merely) merit a Fumbling
the Future sequel. But to the degree generative AI poses a real and disruptive
threat to Google’s search franchise (one of the best businesses ever), their
response is both incredibly important and incredibly closely scrutinized.

That response, as Google plays strategic defense for the first time, has been
muddled. The CEO dedicated time to denying he invoked a “Code Red” response to
ChatGPT (he certainly should have invoked a “Code Red”, so why deny it?)[4]. They
are (appropriately) trying to downplay any disruption to search, but a
competitive version of Gemini is late. Questions are coming from inside the
house about management’s ability to transition the company from peacetime to
wartime.

Infrastructure should be an immense advantage for Google as they respond to the
“Code Red”. But that 2023 bump in CAPEX of 2% doesn’t even keep up with
inflation (though IBM has been triumphant about that level of “growth”). So
there was no infrastructure “Code Red” in 2023, and the contrast with Microsoft
is stark.

But if we drill down to the quarterly trend, Google’s CAPEX did grow
sequentially through 2023, with over a third of their annual spend coming in the
fourth quarter. We expect that will continue in 2024, with Google’s guidance of
“notably larger” CAPEX. The sleeping giant is at least stirring, but they’re
still at least a year behind Microsoft.

In terms of the implications of AI’s rise for the cloud computing business, I’ve
argued that Google Cloud is a hobby for Google, well down the CEO’s list of
priorities. If Google’s core franchise is at risk, I think hobby status becomes
even more pronounced, as (strategic) attention is all you have[5].

Amazon

The biggest cloud CAPEX news from 2023 is the first ever decline in AWS
infrastructure investment. Amazon’s overall CAPEX spending fell 20% to $53.7
billion (still the biggest corporate CAPEX spend ex-China), while AWS spending
fell 10% to $24.8 billion. AWS was outspent on infrastructure this year by
Microsoft and perhaps also Google.

FUN FACT: Amazon in austerity mode still spent more on CAPEX in 2023 than all
three US mobile operators combined (ATT, T-Mobile, Verizon).

There are two broad dynamics in play here. The first is regime change (both
financial and in leadership) at Amazon, combined with a lot of previous excess
(some called it #bonkers but “CAP-EXcess” would have been good too) that needed
to be “optimized”.

For a long time (call it the Bezos Doctrine), Amazon tried to reinvest every
single penny back into the business and minimize accounting profits. By 2015,
they couldn’t reinvest cash flow fast enough and the company began to show
growing profits and free cash flow (despite their very best intentions).

The pandemic interrupts this trend, as Amazon revenues soared with people stuck
at home with nothing to do but shop, while the company simultaneously mounted
one last throwback #bonkersbonkers retail infrastructure investment blowout in
2021 (they invested $73.7 billion in CAPEX to double the size of their
fulfillment network and build their own UPS-sized transportation network,
overbuilding just as the pandemic ended, a binge from which they are still
cleaning up “optimizing”).

But now Amazon is inexorably reverting to that pre-pandemic profit curve. Amazon
is now “a profit deal”, which means costs, including CAPEX, get actual scrutiny.

New CEO Andy Jassy has embraced financial optimization with gusto (broad
layoffs, asking why Alexa exists much less is losing $5 billion a year, adding
“rinky dink” ads to Prime Video, etc.), and has not exempted his baby AWS. This
regime change probably marks the calcification of Amazon’s footprint, as once
you become a profit optimizer, it is very hard to deviate from that path to make
big, bold, new investments. But beyond whacking the money-losing projects, they
still need to keep the franchise retail and cloud businesses growing and
profitable. And both of those require massive CAPEX.

Beyond the regime level changes, 2023’s material decline in AWS CAPEX is quite
alarming for what it says about both the existing cloud business and how they
are faring in the AI race.

AWS has been reinvesting ~35% of revenue in recent years in cloud
infrastructure. If you squint at the chart below, you’ll see the rate of
investment roughly turning into a similar level of revenue growth the following
year. But that relationship has broken down in the last two years, as revenue
growth has slowed to 12-13%. That suggests that AWS is overbuilt relative to
recent revenue growth.

But a surplus of older gear doesn’t help with generative AI. One observation
about Amazon generally, and AWS in particular, is they don’t tend to talk about
things unless they’re behind. And they’ve been running their mouth non-stop
about generative AI, so cutting billions in CAPEX spend alongside that
rhetorical frenzy is quite a surprise.

Amazon and AWS face a host of challenges around generative AI. Despite all the
rhetoric, they’re way behind, and this is a space where catching up is
especially hard. Their Titan LLM is missing in action (and on the wrong side of
their own “there is no compression algorithm for experience” quip). They had to
license Anthropic for Amazon’s own internal use, though the announcement was
dressed up to look like an endorsement of AWS’s generative AI infrastructure.

But worse, their existing infrastructure may actually be a hindrance. It has
been argued AWS’s infrastructure is “poorly adapted” for the generative AI
world. And they clearly got sideways with NVIDIA, which means their H100
shipments are “significantly lower than their share of the public cloud”.

It looks like Amazon tried to push NVIDIA around, as they’re accustomed to
doing, but lost. The power dynamics have changed and NVIDIA now has the upper
hand[6]. Amazon resisted for months, but eventually capitulated, and had to host
NVIDIA’s DGX Cloud (and even say nice things about it despite really not wanting
to do it) to get more GPUs.

But beyond product and vendor travails, slashing CAPEX by 10% in the middle of
the AI race is an enormous red flag (and different than a Code Red). It makes
Amazon’s incessant claims to generative AI leadership all the harder to stomach.
As a result, we are adding AWS to the negative watch list, putting them at risk
of being added to the “AI clown” list (where they would join initial inductee
IBM). If Google is at least a year behind Microsoft, AWS is even further behind.
And their guidance doesn’t suggest they have a clear CAPEX plan for 2024:

CapEx will go up in 2024. I’m not giving a number today, but we do — we’re still
working through plans for the year, but we do expect CapEx to rise as we add
capacity in AWS for region expansions, but primarily the work we’re doing with
generative AI projects.

As a final observation for the most hard core of CAPEX obsessives, AWS’s use of
finance and build-to-suit leases has dropped to almost nothing (less than half
a percent of AWS CAPEX in 2023). This is notable as they were ~80% as recently
as 2019. It was also interesting to hear the CFO say, “We define our capital
investments as a combination of CapEx plus equipment finance leases.” So no
respect for build-to-suit leases.

What’s Next?

There are a couple things on the CAPEX agenda:

 * Triangulate the cloud CAPEX numbers against NVIDIA’s numbers when they report
   in a couple weeks.
 * Add Meta to the CAPEX club. They’re not a hypercloud (and aren’t likely to be
   given their developer DNA, or lack thereof), but they spend almost as much as
   the hyperclouds on CAPEX ($28.1 billion in 2023). And they’re gobbling GPUs.
   How much of that CAPEX supports Facebook/Instagram/Whatsapp vs
   metaverse/hardware vs. new things? Are they building generative AI-powered
   search?
 * Check in on the clown car race amongst the CAPEX pretenders (after Oracle
   announces earnings).

Please comment below (or contact me privately) with what I got wrong here and
what else I should know about!



[1] Because I neither believe nor want to look up the Chinese CAPEX numbers

[2] Perhaps Google, with all its AI experience, considers staples a bigger risk
than the more traditional existential risk of paper clips?

[3] My bet is there are individual hypercloud dev team environments with more
servers than IBM Cloud.

[4] “Schrödinger’s Code Red” would be a good application for Google’s quantum
computer.

[5] It is probably a bad sign when a joke needs an explanatory footnote, but
that was an “Attention is All You Need” reference. I also considered mashing
that up with “You Can’t Always Get What You Want”.

[6] To the point where NVIDIA are trying to revive the vertically integrated
computing model of yore, spanning chips, systems, software and cloud services.
But that is a topic for another day.

March 60
Today, 14:28 Phil Windley's Technometria (Feed)
Acceptance Networks for Self-Sovereign Identity

Summary: We can't have broad adoption of verifiable credentials until we find a
way to scale their presentation by providing tooling that credential verifiers
can use to reduce their risk and gain confidence in the facts presented to them.

When I hand a merchant in London a piece of plastic that I got from a bank in
Utah to make a purchase, a tiny miracle happens. Despite the fact that the
merchant has never met me before and has no knowledge of my bank, she blithely
allows me to walk out of the store with hundreds of dollars of merchandise,
confident that she will receive payment. I emphasized the word confident in the
last sentence because it's core to understanding what's happened. In the past,
these kinds of transactions required that the merchant trust me or my bank. But
in the modern world, trust has been replaced by confidence.

We often mix these concepts up and I'm as guilty as anyone. But trust always
involves an element of risk, whereas confidence does not. These are not binary,
but rather represent a spectrum. In the scenario I paint above, the merchant is
still taking some risk, but it's very small. Technology, processes, and legal
agreements have come together to squeeze out risk. The result is a financial
system where the risk is so small that banks, merchants, and consumers alike
have confidence that they will not be cheated. There's a name in the financial
services industry for the network that reduces risk so that trust can be
replaced with confidence: an acceptance network.

Acceptance Networks

An acceptance network is the network of merchants or service providers that
accept a particular form of payment, usually credit or debit cards, from a
particular issuer or payment network. The term refers to a broad ecosystem that
facilitates these transactions, including point-of-sale terminals, online
payment gateways, and other infrastructure. Each component of the acceptance
network plays a crucial role in ensuring that transactions are processed
efficiently, securely, and accurately. This drives out risk and increases
confidence. Acceptance networks are foundational components of modern payment
ecosystems and are essential to the seamless functioning of digital financial
transactions. Visa, Mastercard, American Express, and Discover are all examples
of acceptance networks.

Before the advent of acceptance networks, credit was a spotty thing with each
large merchant issuing its own proprietary credit card—good only at that
merchant. My mom and dad had wallets full of cards for JC Penney, Sears,
Chevron, Texaco, and so on. Sears trusted its card. Chevron trusted its card.
But it was impossible to use a Chevron card at Sears. They had limited means to
verify if it was real and no way to clear the funds so that Chevron could pay
Sears for the transaction.

That scenario is similar to the state of digital identity today. We have
identity providers (IdPs) like Google and Apple who control a closed ecosystem
of relying parties (with a lot of overlap). These relying parties trust these
large IdPs to authenticate the people who use their services. They limit their
risk by only using IdPs they're familiar with and only accepting the (usually)
self-asserted attributes from the IdP that don't involve much risk. Beyond that
they must verify everything themselves.

Fixing this requires the equivalent of an acceptance network for digital
identity. When we launched Sovrin Foundation and the Sovrin network[1] in 2016, we
were building an acceptance network for digital identity, even though we didn't
use that term to describe it. Our goal was to create a system of protocols,
processes, technology and governance that would reduce the risk of
self-sovereign identity and increase confidence in an identity system that let
the subjects present verifiable credentials that carried reliable attributes
from many sources.

I've written previously about identity metasystems that provide a framework for
how identity transactions happen. Individual identity systems are built
according to the architecture and protocols of the metasystem. Acceptance
networks are an instantiation of the metasystem for a particular set of users
and types of transactions. A metasystem for self-sovereign identity might have
several acceptance networks operating in it to facilitate the operation of
specific identity systems.

Problems an Acceptance Network Can Solve

To understand why an acceptance network is necessary to reduce risk and increase
confidence in identity transactions, let's explore the gaps that exist without
it. The following diagram shows the now familiar triangle of verifiable
credential exchange. In this figure, issuers issue credentials to holders who
may or may not be the subject of the credentials. The holder presents
cryptographic proofs that assert the value of relevant attributes using one or
more of the credentials that they hold. The verifier verifies the proof and uses
the attributes.

[Figure: Verifiable Credential Exchange]

Let's explore what it means for the verifier to verify the proof. The verifier
wants to know a number of things about the credential presentation:

 * Were the credentials issued to the entity making the presentation?
 * Have any of the credentials been tampered with?
 * Have any of the credentials been revoked?
 * What are the schema for the credentials (to understand the data in them)?
 * Who issued the credentials in the proof?

The first four of these can be done cryptographically to provide confidence in
the attestation. The technology behind the credential presentation is all that's
necessary. They can be automated as part of the exchange. For example, the proof
can contain pointers (e.g., DIDs) to the credential definitions. These could
contain public keys for the credential and references to schema.

The last one—who issued the credential—is not a technical matter. To see why,
imagine that Alice (as holder and subject) has been issued a credential from her
university (the issuer) giving information about her educational experiences
there. She's applying for a job and wants to present the credential to a
prospective employer (the verifier). How does the employer know that Alice
didn't just make the credential herself or buy it from a diploma mill?

Knowing who issued the credential is not something that can be done solely with
technology (although it can help). The employer in this scenario wants more than
an identifier for the issuer. And they want to know that the public key really
does belong to the university. In short, the employer wants to resolve the
identifier to other information that tells them something about the university
and the credential. There are lots of ways to do that—people have been doing
this sort of thing for centuries: states keep registries of businesses
(universities are businesses), accreditation organizations keep registries of
schools they've accredited, the Department of Education has registries of
various institutions of higher education in the US, and so on.

The employer could make use of these by building its own database of university
identifiers it trusts. And every time a new one shows up, they could investigate
and add it to their registry (or not)[2]. But going back to the magic of the
credit card scenario that I opened this article with, if every merchant had to
keep their own registry of banks, the experience wouldn't be magical for me or
the merchant. The financial acceptance network makes it easy for the merchant to
have confidence that they'll be paid because they have not only technology, but
processes, protocols, governance, and legal agreements that make the
verification process automatable.

Acceptance Networks for Digital Identity

For some use cases, keeping your own registry of the issuers you trust works.
But for many, it's just too much work and makes it difficult to make use of a
variety of credentials. This kind of "localized trust" is unwieldy in an
identity system that might involve millions of issuers and identifiers and
credentials for billions or even trillions of subjects. I've written extensively
about identity metasystems and what they provide to help bridge the gap. This
one, on how metasystems help provide life-like identity for digital systems is
perhaps the most comprehensive. Acceptance networks implement metasystems.

An acceptance network for digital identity must have a number of important
properties, including the following:

Credentials are decentralized and contextual—There is no central authority for
all credentials. Every party can be an issuer, a holder (identity owner), or a
verifier. Verifiable credentials can be adapted to any country, any industry,
any community, or any set of trust relationships.

Credential issuers decide on what data is contained in their credentials—Anyone
can create a credential schema for their use case. Anyone can create a
credential definition based on any of these schemas.

Verifiers make their own trust decisions about which credentials to
accept—There's no central authority who determines what credentials are
important or which are used for what purpose. The acceptance network supplies
the technical underpinnings for credential exchange and support protocols for
automating the verification of credential issuers.

Credential verifiers don't need to have any specific technical, contractual, or
commercial relationship with credential issuers—Verifiers do not need to contact
issuers to perform verification.

Credential holders are free to choose which credentials to carry and what
information to disclose—People and organizations are in control of the
credentials they hold (just as they are with physical credentials) and determine
what to share with whom.

You may be thinking "but these are mostly about decentralized decision making."
While it would be easier to imagine the acceptance network as a big directory,
that solution can't possibly support all the different ways people and
organizations might want to use credentials. That doesn't mean an acceptance
network couldn't be run by a single organization, like some financial services
networks. Just that it has to support a variety of credential ecosystems running
common protocols. I also think that there will be more than one and most issuers
and verifiers will be part of several (again, like in financial services).

Structure of an Acceptance Network

One of the things we can take away from the architecture of financial services
acceptance networks is that they are built in layers. No one has thought more
about how this can work than Drummond Reed and the Trust Over IP Foundation
(ToIP).[3] This figure, from ToIP, shows how such a stack works.

[Figure: Trust Over IP Stack]

The layers build on each other to provide something the lower level didn't.
Layer 1 is the foundational functionality, like DID methods. Layer 2 builds on
that to support creating digital relationships with anyone. Layer 3 uses those
relationships to effect credential exchange. Layer 4 is the ecosystems that say
things about the issuers for different use cases. The dual stack emphasizes the
need for governance at every layer.

The acceptance network specifies the accepted protocols and technologies. The
acceptance network also supports ecosystems, providing governance models and
technology. The acceptance network is involved at each layer. Here are some
examples of things an acceptance network might do at each layer:

 * Layer 1—limit the allowed DID methods and certify them.
 * Layer 2—require that wallets and agents using the network support specific
   versions of the DIDComm protocol. Provide a certification framework for
   wallet and agent vendors for security and interoperability.
 * Layer 3—require specific versions of the exchange protocols. Participate in
   protocol development. Provide a certification framework for specific
   implementations to aid with security and interoperability.
 * Layer 4—support the formation, certification, and discovery of credential
   ecosystem providers. Govern what is required to be a certified ecosystem
   provider and provide models for acceptable ecosystem governance.

As part of its overall governance of the ecosystem, the acceptance network also
provides model legal agreements for and between the various participants, trust
mark rights (think of the Visa logo), and drives a uniform user experience.

The following diagram shows the credential exchange from the preceding figure
with an acceptance network providing support to the verifier so that it can have
confidence in the data the issuer has supplied through the holder.

[Figure: Acceptance Network in Operation]

Credential issuers who know their credential might be widely used would join one
or more acceptance networks. They agree to follow the rules and regulations in
the governance framework of the acceptance network. The acceptance network
issues a credential to them that they can use to prove they are a member.[4] The
acceptance network maintains a registry—likely a registry of registries—that
verifiers can use to discover information about the issuer of a credential that
has been presented to them.

Using an Acceptance Network

Returning to our previous scenario, Alice holds a credential issued by her
university. She presents it to a prospective employer who wants to know that the
credential is from an accredited university. Alice's university has been
accredited by an accreditation organization[5]. They have followed their process
for accrediting Alice's university and issued it a credential. They have also
added the university to their registry. The university and the accrediting
organization are members of an acceptance network. The employer's systems know
to automatically query the acceptance network when they receive a credential
proof from an issuer they do not know. Doing so provides the assurance that the
issuer is legitimate. It could also provide information about the accreditation
status of the university. This information reduces the risk that the employer
would otherwise bear.

In this scenario, the employer is trusting the processes and structure of the
acceptance network. The employer must decide which acceptance networks to use.
This is much more scalable than having to make these determinations for every
credential issuer. The acceptance network has allowed the verification process
to scale and made the overall use of verifiable credentials easier and less
risky.

A Note on Implementation

This discussion of acceptance networks has undoubtedly brought images to your
mind about how it is structured or how to build one. The comparison to financial
services acceptance networks points to a network run by an organization. And the
term registry brings to mind a database of some kind. While these are certainly
possibilities, I think it's also possible to imagine more decentralized
solutions. For example, the registry could be a distributed ledger or
blockchain. The governance is likely most easily done by an organization, but
there are other options like a decentralized autonomous organization (DAO). The
scenario I described above illustrates a federated system where certifying
authorities for specific ecosystems determine their own methods, processes, and
requirements, but link their registry to that of the acceptance network.

Conclusion

As I mentioned above, we've been solving the problem of how to know which
institutions to trust for centuries. We have ways of knowing whether a
university is accredited, whether a bank is real, whether a company is actually
registered and what its reputation is. What is missing is an easy way to make
use of this information digitally so that processes for reducing risk can be
automated. Acceptance networks rationalize the process and provide the needed
tooling to automate these checks. They replace the many-to-many problem that
exists when each verifier has to determine whether to trust each issuer with a
more scalable many-to-several system. Acceptance networks allow credential
presentation to scale by providing the needed infrastructure for giving
verifiers confidence in the facts that holders present to them.

Notes

[1] You can see in the linked post how we used trust to describe what we were
building, even as we were reducing risk and inspiring confidence.

[2] Note that this investigation could make use of technology. Knowing the
university's name, they could look up a well known location on the university's
web site to find the identifier. They could use PKI (digital certificates) to be
sure they're talking to the right place. They could look up the university in an
online registry of accredited universities.

[3] Trust over IP isn't the only one working on this. Marie Wallace of Accenture
and Stephen Wilson of Lockstep Partners have been writing about this idea.

[4] Note that there could be different levels or types of members who perform
different roles in the ecosystem and make different agreements.

[5] An example is the Northwest Commission on Colleges and Universities.

Photo Credit: Data flowing over networks from DALL-e

Tags: ssi identity decentralization


February 70
1.5.2024, 16:56 James Governor's Monkchips (Feed)
Why you should attend the State of Open Conference 2024 in London this week

This week it’s The State of Open Conference 2024 at The Brewery, London. It was
great last year. I heartily recommend you attend. As I said on twitter at the
time:

The UK now has its own OSCON. The event will happen again and will go from
strength to strength.

Attendees and speakers were a who’s who of open source, open hardware and open
culture people generally. The open data track was particularly lively. There
were so many of my friends there, it really felt like my people had all
congregated in London for the day. The event also felt very inclusive, in terms
of both speakers, but also attendees. It reflected London’s rich diversity.

The speaker list is extremely impressive again this year.

But the real reason I think SOOCon24 is so important is the focus on policy,
governance and open source sustainability. Open source is under a great deal of
pressure right now. VCs are encouraging their portfolio companies to adopt
“business source” licenses, which are not actually open source. Why does this
matter? As my colleague Stephen O’Grady argues:

A world in which non-compete licensing grows at the expense of open source is
problematic enough. A world in which vendors blur the definition of open source
such that regular users can no longer differentiate between the two is much,
much worse.

Pedantic as it may seem, then, the question of whether something is actually
open source really does matter, as those who would redefine the term will find
out if they get their way.

This movement has also bled into the current AI explosion. What is “Open” AI?
That’s something we need to work out – and major market players are casually
calling things open source, which frankly aren’t. Another area of governance and
policy under scrutiny is regulation of AI – we can’t just leave this as the era
of “You Only Live Once.” Controls will be necessary, and governments are
scrambling to put them in place. At SOOCon24 the organisation behind the
conference, Open UK, will be capturing opinions and data to feed back to the UK
government about regulation going forward. I believe we’re going to see AI Bill
of Materials requirements regulated at national level.

It’s a pivotal time, and these discussions are vitally important – that’s why
they need a home. We’re literally talking about the economic foundations of the
digital economy, the means of production which have served us pretty well these
past couple of decades, and the opportunities for making and learning which have
made tech such a transformative success. Authors and creators need stable
foundations to work on. Copyright and licensing matters. Back to Stephen:

Instead of the embarrassment of riches of open source projects we have today
that developers may take up and use for whatever they choose without reference
or restriction, we’d have a world dominated by projects carrying varying,
conflicting usage restrictions that would render the licenses incompatible with
one another and not usable by some.

I am glad Amanda Brock and team are pulling this event together, for all of the
reasons outlined above, and I look forward to seeing you there. I believe there
are a few tickets available.

If you’re interested in AI and prompt engineering, and all of the craft,
sustainability and social angles, you should also check out my conference Monki
Gras 2024: Prompting Craft. March 14th and 15th, Shoreditch London. Tix here.


February 50
24.6.2024, 6:00 SEI Blog (Feed)
Applying the SEI SBOM Framework
This SEI Blog post examines ways you can leverage your software bill of
materials (SBOM) data, using the SEI SBOM Framework, to improve your software
security and inform your supply chain risk management.

February 60
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #38: February 2, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

You’re all no doubt recovering from this week’s CAPEX festivities.

News



Follow the GPUs: Cloud CAPEX

We’re wrapping up the Superbowl for CAPEX obsessives, when the hypercloud
companies reveal their annual infrastructure investment. After a few boring
years, CAPEX is back to the center of the world as generative AI requires new
(and expensive) infrastructure. As in the early days of cloud, CAPEX is a great
tell on who is actually investing in AI and who is just bloviating (obligatory
notice: you can’t spell bloviating without A and I). I’ll publish a full
breakdown in the next couple days, but will leave you with a few tastes here.

Collectively, Amazon, Google and Microsoft’s corporate CAPEX spending (so more
than just cloud infrastructure) was nearly unchanged from 2022, while their
cumulative CAPEX spending this century passed $820 billion. But Amazon continues
to drop from their #bonkers pandemic spend, while Google was up just 2% and
Microsoft up 45% (GPUs!):

Amazon’s new-found restraint expanded beyond the retail business this year, with
AWS CAPEX spending declining for the first time ever, even as AWS revenue grew
by 13%:

Stay tuned for the full annual report.

Previous:

CAPEX

Antitrust Incoherence: Roomba Edition

Another scrapped acquisition underscores the utter incoherence of antitrust
policy today. It should be obvious we need a coherent doctrine that gives
everyone a sense of where the lines are on the playing field.

Roomba was a middling, non-strategic acquisition in a competitive market, but
nicely illustrates the insanity of the different doctrines in play today:

 * European Antitrust (EU) prioritizes protecting European firms (like this
   Bosch robotic vacuum cleaner boasting of its “five ways vacuuming just became
   more fun”!) and raising revenue from American tech firms (after all, a
   continent can’t live just on wine and cheese).
 * Hipster Antitrust (US FTC) says no to all Big Tech acquisitions, because Big
   Tech is Bad! (The hipster antitrust white whale is the Instagram acquisition,
   and some day, they fear, some other acquisition might also be successful).
   The middlemen oligopolies at the heart of our insanely bloated and
   inefficient healthcare system? Evidently not an antitrust problem.
 * VC Antitrust says yes to all acquisitions because, dammit, nothing is more
   important than VC returns. (I have yet to hear a coherent antitrust argument
   for approving Adobe’s failed acquisition of Figma, which runs afoul of
   traditional antitrust. And note the FTC didn’t actually move against the
   Figma acquisition, providing yet another huge indictment of their
   priorities).

Needless to say, none of these are good doctrines.

And note private equity gets credit for putting Roomba into “a debt
straightjacket” after the deal was scrapped. When private equity comes
amalgamating, it is always time to start migrating.

Previous:

A New Antitrust Doctrine

Private Equity in Action: Data Centers

“This is Blackstone Inc.’s bet on the AI revolution.”

Just putting a marker down on this one.

Previous:

Private Equity in Action: Media Division, Private Equity in Action: VMware
(Continued), Private Equity in Action: VMware, Private Equity Will Buy and Ruin
More Software Companies, Software Migration Alert: VMware, Software Migration
Alert: VMware (Continued), Perfidious Private Equity

IBM and the Art of Misleading Investors

IBM opened their Q4 earnings release with:

“In the fourth quarter, we grew revenue in all of our segments, driven by
continued adoption of our hybrid cloud and AI offerings. Client demand for AI is
accelerating and our book of business for watsonx and generative AI roughly
doubled from the third to the fourth quarter,” said Arvind Krishna, IBM chairman
and chief executive officer.

You’d almost think IBM was an AI company and seeing real revenue from AI. But
when asked to “elaborate specifically on exactly what the book of business
means”, much bobbing and weaving ensues:

So Toni, on the AI book of business, this is not all revenue in the quarter. I
would just begin with that statement to set it straight. At this stage, we
wanted to start looking at what is our momentum, what is the sentiment from our
clients. So we went to a measure that is more reflective of, I’ll use the word
signings. What is the commitment the clients are making to us? Consulting is
straightforward. It is the signings. Consulting signings are anywhere from 12 to
24 months on average is how much time they play out over there. And on software,
it’s what they’re committing to. And we are using SaaS ACV. So it’s a 12-month
commitment, which is typical for as a service as well as, since we do offer our
portfolio both ways as license or as a service, it includes the license piece as
well. Now over a long-term, let’s call it a couple of years or more, yes, the
book of business should turn into an amount of revenue in a quarter, but that’s
going to take a bit of time to catch up. But we felt that this gives the better
indicator right now of what is our traction and what is our acceleration in that
part of the business.

IBM is running the same playbook they ran for cloud. Chant the buzzwords and
hope investors won’t notice IBM isn’t actually investing and doesn’t have
competitive products. As with cloud, IBM’s AI results are not something they
actually report to the SEC, yet they lead with them in investor communications.

Previous:

This Week in Securities Fraud, IBM’s “Cloud” Business (or Lack Thereof), IBM:
How Much Longer Do the Good Times Last?

Move Fast and Regulate Things (You Don’t Understand)

“The first law of this kind”. Indeed.

Previous:

The EU Will Continue to Fiddle While Rome Burns

The GPU Chip Race

I spoke to the New York Times about the big tech companies creating their own
GPUs to get out from under NVIDIA’s thumb. In my defense, this is a rare topic
where the Times doesn’t have a conflict of interest in their tech coverage.

Previous:

GPUs are CAPEX; CAPEX is Increasingly GPUs, Living in a Glass House: The New
York Times On Tech, Living in a Glass House: What is the New York Times?

“Supercloud”: Still Dead

I’m not sure if this is an attempted exit strategy (finally!) or yet another
demonstration that “supercloud” has always been a definitional random walk with
a dash of Tourette’s Syndrome (more likely), but the sultans of “supercloud” are
taking a victory lap for a “prediction” that their architectural baby is just
CloudFlare. And if CloudFlare had a good year, so too must have “supercloud”!
Never mind that the majority of prior definitions explicitly excluded the idea
of CloudFlare being the Platonic form of “supercloud”. But they do seem to have
finally noticed that generative AI is a thing so hopefully they’ll move onto
that and dial down the supercloudifragilisticexpialidociousness.

Previous:

“Supercloud” RIP

Trade Surplus Region Complains Trade Deficit Region is “Protectionist”

Mercantilist nations with surplus manufacturing capacity have concerns about
where they will be able to dump their surplus.

Previous:

The EU Will Continue to Fiddle While Rome Burns

Related:

European Union Trade & Investment Summary, Trade Wars Are Class Wars

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Harvard
University

Henceforth we shall refer to China as West Taiwan.

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Wall Street,
Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Apple

With Twitter engagement circling the drain, please comment here.


March 60
Today, 17:55 ongoing by Tim Bray (Feed)
Vision 1993

I’ve plowed through the first wave of AVP (Apple Vision Pro) reviews, and it
seems pretty obvious that, at the current price and form factor, it’s not gonna
be a best-seller. But I remain a strong believer in Augmented Reality (the AVP
is VR not AR, for the moment). As I was diving into the reviews, a little voice
in the back of my head kept saying “I once read about what this is trying to
be.”

What I was remembering was Virtual Light, a 1993 novel by William Gibson,
allegedly set in 2006. It paints a clear picture of a future that includes AVP’s
descendants. So I re-read it. Maybe looking back is the way to look forward.

But first…

I wanted to say: It’s a terrific book! If you haven’t read it you might really
like it. I hadn’t in years and I sure enjoyed the re-read. The people in it are
charming, and it’s built around a fabulous physical artifact that drives the
plot. No, I don’t mean AR goggles, I mean San Francisco’s Bay Bridge, which in
Virtual Light and two subsequent novels, has been wrecked by an earthquake and
become a huge countercultural shantytown, one of the coolest venues Gibson has
ever invented, and that’s a strong statement. Also, protagonists Chevette and
Rydell are two of his best characters; another strong statement.

Anyhow, I don’t think it’s much of a spoiler to say that the AR devices I’m
writing about, despite being what the title refers to, are peripheral to the
plot. It turns out that one such device contains information that’s secret
enough to attract hired killers, skip tracers, and crooked Homicide cops to
recover it when it gets stolen; plenty of plot fuel right there.

Quoting

Here are a few out-takes from the book describing the titular technology.

Quote:

Nothing in it but a pair of sunglasses, expensive-looking but so dark she hadn’t
even been able to see through them last night.

Quote:

…she took that case out.

You couldn’t tell what it was made of, and that meant expensive. Something dark
gray, like the lead in a pencil, thin as the shell of one of those eggs, but you
could probably drive a truck over it… She’d figured out how you opened it the
night before: finger here, thumb there. It opened. No catch or anything, no
spring… Inside was like black suede, but it gave like foam under your finger.

Those glasses, nested there. Big and black. Like that Orbison in the poster… She
pulled them from the black suede… They bothered her … they weighed too much. Way
too heavy for what they were, even with the big earpieces. The frames looked as
though they’d been carved from slabs of graphite.

She put them on. Black. Solid black.

“Katharine Hepburn.” Skinner said.

Quote:

Warbaby wore a black Stetson set dead level on his head, the brim turned up all
the way around, and glasses with heavy black frames. Clear lenses, windowpane
plain.

Quote:

“You date you some architects, some brain-surgeons, you’d know what those are…
Those VL glasses. Virtual light.”

“They expensive, Sammy Sal?”

“Shit, yes. ’Bout as much as a Japanese car… Got these little EMP-drivers around
the lenses, work your optic nerves direct. Friend of mine, he’d bring a pair
home from the office where he worked. Landscape architects. Put ’em on, you go
out walking, everything looks normal, but every plant you see, every tree,
there’s this little label hanging there, what its name is. Latin under that…”

Quote (at a crime scene with Warbaby and Freddie):

Rydell noticed the weight as he slid them on. Pitch black. Then there was a
stutter of soft fuzzy ball-lightning, like what you saw when you rubbed your
eyes in the dark, and he was looking at Warbaby. Just behind Warbaby, hung on
some invisible wall, were words, numbers, bright yellow. They came into focus as
he looked at them, somehow losing Warbaby, and he saw that they were forensic
stats.

“Or,” Freddie said, “you can just be here now —”

And the bed was back, sodden with blood, the man’s soft, heavy corpse splayed
out like a frog. That thing beneath his chin, blue-black, bulbous.

Rydell’s stomach heaved, bile rose in his throat, and then a naked woman rolled
up from another bed, in a different room, her hair like silver in some
impossible moonlight—

Rydell yanked the glasses off…

Quote:

“Here. Check it out.” He put them on her.

She was facing the city when he did it. Financial district… “Fuck a duck,” she
said, those towers blooming there, buildings bigger than anything, a stone
regular grid of them, marching in from the hills. Each one maybe four blocks at
the base, rising straight and featureless to spreading screens like the
colander she used to steam vegetables. Then Chinese writing filled the sky.

Hmmm…

What does Gibson’s 30-year-old vision teach us?

The devices are still heavier than you’d like, but light enough to wear all the
time out in the real world.

Still expensive.

They look super-cool.

They are transparent while in use.

You can use them to show pictures or share information the way you would today
by handing over a phone or tablet.

How you get information into them was as un-solved in 1993 as it is today.

But the real core value is the “A” in “AR” — augmenting an aspect of the real
world that you’re looking at. Even if only by hanging text labels on it.

For me, that last point is at the center of everything. I want to be in a park
at night and see fiery snakes climbing all the trees. I want to walk into a
big-box store and have a huge glowing balloon appear over the Baking Supplies. I
want floating labels to attach to all the different parts of the machine I’m
trying to fix.

Watching TV, by yourself, on a huge screen, is not the future. Augmenting
reality is.

The AVP? Some of its tech constitutes necessary but far from sufficient steps on
the way from here to that 1993 vision.


March 280
DC Again

For the second time this winter I’ve been to Washington and back. Herewith
pictures and feelings. Everyone’s seen plenty of photos of The Capital City Of
The United States so I’ve tried for fresh views. My feelings are more mainstream
than my pictures, I’m pretty sure; the stories DC tells aren’t subtle.

Apologies

I know folks in the region and I have standing offers from people whose taste I
trust to introduce me to others whose company they’re sure I’d enjoy. I ignored
those people and offers. Sorry about that, and I have an excuse. This trip was
another workin’ for The Man episode (the man being Uncle Sam). Specifically, I
was there for a seven-hour deposition by attorneys representing Meta. I felt
this to be a Performance, one that mattered and therefore worthy of my full
attention. So I needed to get centered, be in the zone. To walk and think.

Don’t ask me how the deposition went, I dunno. When you’re speaking at a
conference or rally or whatever, if the audience laughs at your jokes you know
it’s probably going well. But you don’t throw jokes at defendants’ lawyers.

That’s all I’m gonna say. Once again, I hope there’ll be lurid rear-view blog
fodder once this is over.

The Wharf

This trip, like the last, took me to DC’s Southwest Waterfront district. Only
this time, I visited the waterfront. Here’s the view looking out.

Or, I should properly say, The Wharf, as reflected below.

It’s a walkway along the Potomac, several blocks long, backed by a solid wall of
restaurants and bars. The first evening I went down there, it was a
freakishly-warm 24°C and this Canadian enjoyed the hell out of a
restaurant-patio dinner. An extremely expensive dinner. I shouldn’t complain,
because I was also happy walking along the river’s edge, and I made two
different stranger couples happy by offering to take pictures of them in front
of one waterfront vista or another. Few smiles are cheaper.

So, I recommend the Wharf. But, it’s really expensive. Which highlights a
problem I’m starting to have with Washington DC. Like my hometown, there’s far,
far too much money there.

Bad vibe

After I flew in, pretty late one evening, I hit the hotel bar for pizza and
beer. Pretty weird: Two big TVs, one Fox and one CNN. A certain class of
American White Male Person, generally bulgy and prosperous, vibing more on the
Fox side, talking (I eavesdropped) about football in Atlanta suburbs and being
the agent for George Lazenby and how they’d had to grovel before a powerful
woman named Barbara because they’d done something stupid and their career was
over unless Barbara absolved them. They all had Good Relationships with
Important People who could Make Things Happen. If they hadn’t wanted to be
eavesdropped they wouldn’t have talked so loud.

Museums

The day before the Big Event I decided to tourist — there are all those museums,
plus I wanted to get physically tired so that I’d sleep well. I started at the
Hirshhorn because I love ambitious contemporary art showplaces. Granted, when I
visit them, usually at least half the work seems weak or irrelevant or deranged.
I don’t care, I admire the ambition, a contemporary artist has to try going
somewhere nobody’s ever gone before and of course the failure rate is high.

These places often have big rooms featuring artists trying to do big things,
visually or intellectually or both. It’s just a special kind of space, and when
I leave a big contemporary gallery, the outside world seems sepia-toned, free of
sharp mental edges.

None of the current exhibits really shook my grip on reality, which is what good
contemporary art is supposed to do, but I enjoyed my visit; here are a couple of
snaps.

Above: Cupboard by Simone Leigh.

Below: From Wheel of Life by Jessica Diamond.

I hit the National Archive museum: Disappointing, unless you regard America’s
founding documents as sacred texts. In and of themselves, they’re not much to
look at.

Finally, the Museum of the American Indian. I found the collection a little
thin, albeit with a clear-eyed view of all the lies and thefts and betrayals.
But, that name…

The city

Washington is obviously kind of a company town and these days, most Federal
departments only ask people to show their faces one day a week, usually Tuesday.
It also suffers from the urban-American sin of being car-optimized, shot through
with broad rivers of asphalt. Which, except for Tuesdays, are now pretty well
empty. You can cross one of these six-lane behemoths more or less anywhere, any
time. I understand the Mayor is furiously lobbying the Feds to arm-twist the
civil servants back into the offices but it doesn’t look like it’s working.

The National Mall

It’s the big grass strip between the Capitol and the Washington Monument, dotted
with Smithsonia and, on a chilly damp weekend day, hosting several flag-football
games, well-organized and offering flashes of real talent. Heart-warming, I
thought. Also a temporary white structure with music coming out of it and a sign
saying “David’s Tent”. Hey, random free music is an opportunity and the door was
open. It turned out to be a Christian worship joint and there was this frowning
dude alone on stage strumming and singing: “holy, holy, holy” over and over. I
only stayed inside for a minute or two and that was a lot of holy holies. There
were two people in the front row of the front section, and as for the rest…

They need a better product manager.

Eventually I ended up on the Capitol steps, the same ones the Trumpers stormed
that January 6th. Lots and lots of those sectional fences that failed so badly
were still queued up there. I hoisted an end of one with one arm, no strain. I’m
not sure what they’re for, actually.

Anyhow, here’s the view down the Mall from there. You might want to enlarge it.

This picture started out sort of dreamy and abstract, then I bashed the hell out
of it with Lightroom and Silver Efex. I claim it looks like what I saw, only
more so.

Wandering back

To my hotel I mean. The route went by an endless cavalcade of Congressional
office buildings. Here’s one: check out the flag deployments, I guess we know
where those particular congresspeople stand.

By this time, I’d touristed for enough hours that my feet were pretty sore and I
was finding the serried office-block ranks sort of oppressive. Also, I was damn
hungry, and then my life was saved by My Own Pizza, entirely unpretentious,
selling good pies for a good price. All the customers were tourists with kids or
local blue-collar workers, which in DC means Black. Way better vibe than my
hotel bar.

On the last trudge of the day, this:

Asleep on a vent that I guess offers warm air. It’s raining.

These buildings host the wealthiest organization that has ever existed on this
planet.


February 30
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #37: January 26, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.


You no doubt are in final preparations for next week. I certainly am.

News

Private Equity in Action: Media Division

Private equity relentlessly demonstrates, despite all their claims to the
contrary, they are not very good operators of the businesses they buy. I’m sure
their financial modeling is impeccable, but their business and product strategy
intuitions are laughable (“hey, we can lay off even more employees and just use
ChatGPT for our media business”).

We’ve said it before, and will no doubt say it many times again, but when
private equity comes amalgamating, it is time to start migrating. You don’t want
to rely on anything private equity is running into the ground.

Previous:

Private Equity in Action: VMware (Continued), Private Equity in Action: VMware,
Private Equity Will Buy and Ruin More Software Companies, Software Migration
Alert: VMware, Software Migration Alert: VMware (Continued), Perfidious Private
Equity

This Week in Securities Fraud

As we prepare for the single biggest week of the year (Cloud CAPEX Week, coming
next week!), let’s cleanse our palates by checking in on one of our favorite
CAPEX clowns (i.e. non-spenders of CAPEX).

IBM beat (their own) earnings guidance and posted barn-burner revenue growth of
2.2% for 2023 (inflation was 3.4%). The market went wild and IBM stock is at a
ten year high (though still short of my generational call to sell IBM at $209
because they were missing the cloud transition. They have underperformed every
benchmark since).

IBM is running their cloud computing playbook again for AI. They talk up AI
without making any real investment, and hope investors can’t distinguish them
from real companies that are actually investing. It worked for them in the last
24 hours, but as with cloud computing, it is hard to see their slippery words
competing in the long term against hundreds of billions of dollars of real
CAPEX.

(Boy does the Twitter clown emoji suck).

IBM’s total CAPEX and CAPEX as a percentage of revenue are at record lows. Where
are IBM’s GPUs? Selling busloads of offshore consultants who implement other
companies’ AI technology is probably not what investors think they’re getting
with “IBM the AI company”.

Previous:

Follow the CAPEX: Keeping Up With The Clowns, IBM’s Lost Decade, IBM
Misadventures

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Wall Street

The Chinese Communist Party has decreed henceforth improved investor confidence
in the Chinese economy, a revival of animal spirits, and a bullish outlook for
the Chinese stock market. (Communist cadres, admittedly, may lack a nuanced
appreciation of how authoritarian edicts affect a market already suffering from
too much authoritarianism).

The CCP’s bestest allies in the whole wide world, Wall Street, are of course
rallying in support of the party proclamation.

Previous:

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Apple, Xi
Jinping Thought on Wall Street Running Dogs, The Perils of Working for a Cult of
Personality, Press Releases We’d Like to See, Best Nickname for Emmanuel Macron,
Winnie-the-Pooh: Lover of Honey, Champion of Freedom, Missing the (Bamboo)
Forest for the (Apple) Trees

With Twitter engagement circling the drain, please comment here!


March 60
24.6.2024, 6:00 SEI Blog (Feed)
The Top 10 Skills CISOs Need in 2024
This post outlines the top 10 skills that CISOs need in 2024 and beyond.

January 310
10 Benefits and 10 Challenges of Applying Large Language Models to DoD Software
Acquisition
This post presents 10 benefits and 10 challenges of applying LLMs to the
software acquisition process and suggests specific use cases where generative AI
can provide value.

January 220
Today, 17:55 ongoing by Tim Bray (Feed)
Lofree Flow

Back in 2008, I complained here about Apple keyboards. Apple still hasn’t
addressed my complaint (hard to believe, I know). So, 15 years later, as in late
2023, I picked up a Lofree “Flow”, which I gather had a Kickstarter and
advertises itself as “The smoothest mechanical keyboard”. I’ve been using it
long enough to offer opinions.

The problem with Apple keyboards is illustrated by the picture below; the Lofree
is in the middle.

They’re all wireless. While the small Apple product at the bottom is really old,
today’s equivalent has the same problems: There are no Home, End, PgUp, and PgDn
keys, and the arrow keys are annoyingly small. The larger Apple at the top
wastes space on the accountants’ number pad.

The Lofree is small enough and has the keys I want.

Why?

There are several places where I work regularly, and none of them feature a
large desk, to the extent that if I have one or more of coffee, printed
document, camera, or whatever else on the desk, things get crowded. So small is
good.

Also, I use the navigation keys but never the number grid.

Also, those last few years at AWS a few of the engineers near where I sat had
fancy keyboards with multiple colors and would argue about key-feel options.

Now, I generally like Apple keyboards and managed to avoid buying any of the
infamous “butterfly” models. But there was this rave review in The Verge and I
was trying to avoid some boring work that I was supposed to do, and there was a
Black Friday sale, so here I am, my fingers now laying down a mellow rhythm
section behind the creation of the prose melody you are now reading.

What’s good

The feel and the sound. I got the tactile “Phantom” keys rather than the linear
“Ghost” option, so I can’t report on the latter, but I don’t play twitchy games
and the consensus seems to be that tactile is good for a fast touch typist. I’m
not as blindingly fast as I used to be but I’m still north of 100wpm. It may be
relevant that I have big fat farmer’s fingers and have always hit keyboards
pretty hard.

I’m struggling a bit for vocabulary to describe how this thing feels. I’ll
settle for “eager” — the keys feel like they’re working with me to inject these
blogwords into the noösphere.

As for the sound, it’s just delicious; low but distinct, and to my ears,
euphonious.

Obvious problems

You might as well work with the thing plugged in, because the battery isn’t big
enough and (perhaps to compensate) the Bluetooth goes to sleep quickly and (when
unplugged) wakes up slowly.

The backlighting is lousy; it illuminates the edges of the keys adequately, but
the letterforms only weakly. (Which for a touch typist is usually not a
problem.) The “ambient” lighting is ridiculous; think of the flames on Wayne and
Garth’s Mirthmobile. And if you have the lights turned up it runs the battery
down even faster.

I should mention that the enthusiast community is annoyed that they have trouble
(on some systems) customizing the keyboard layout, and that the selection of key
options is limited. My modestly-customized Mac keyboard layout just worked.

Mobility

My biggest problem is that switching back and forth between the Lofree and an
Apple keyboard makes my fingers clumsy for enough minutes to be annoying. Easy
enough, just carry the Lofree around. It’s not big and despite the
metal-not-plastic frame, is acceptably light. Except for, there isn’t a carrying
case on offer. Which feels like a real miss.

Success?

Oh, definitely. Typing on it makes me happy. None of the problems interfere much
given the way I use it. I guess the nav buttons are a little small but my
fingers are starting to know where they are. Those big fat arrow keys are great.
No, I’m not going to tumble over the edge onto the slippery slope of keyboard
obsession. But this first step turned out fine.


February 50
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #36: January 19, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.


Things still seem a little slow early in 2024. Not sure how much of that is the
Davos reality distortion black hole and how much is people (wisely) saving their
energy for the upcoming annual CAPEX numbers.

News

Private Equity in Action: VMware (Continued)

VMware has become a page-by-page read-along of the private equity playbook.
There is no investment in future features or products; the franchise products
shall be milked. Always remember: “When private equity comes amalgamating, it is
time to start migrating”.

Previous:

Private Equity in Action: VMware, Private Equity Will Buy and Ruin More Software
Companies, Software Migration Alert: VMware, Software Migration Alert: VMware
(Continued), Perfidious Private Equity

Whatever Happened to the AI Safety People?

Will calls for airstrikes soon be extended to every AGI-capable script kiddie?
The magic words “open source” trump safety-ism? Where has the hysteria gone?

Previous:

Everyone In Silicon Valley Wants To Be Henry Kissinger, Existential Risk Now Has
a Precise Threshold, You Can’t Spell Alien Invasion Without A and I, Existential
AI Risk + Twitter-level Nuance

Fiddling While Rome Burns: Robotic Vacuum Cleaner Edition

Despite facing actual (as opposed to the AI safety-ism kind) existential
threats, the EU sees a future selling wine, cheese, and robotic vacuum cleaners.

Previous:

The EU Will Continue to Fiddle While Rome Burns

Fiddling While Rome Builds: AI Regulatory Speaking Points Edition

If you chant “competitive advantage” enough, it will actually become so, right?
Magic PR words trump actual regulations?

Previous:

The EU Will Continue to Fiddle While Rome Burns

So You Want to Build an AI Company

The blue part seems like a good place to start. There is a similar chart for
education.

With Twitter engagement circling the drain, please comment here!


March 60
Today, 17:55 ongoing by Tim Bray (Feed)
Mourning Google

On March 15, 2010, I started a new job at Google. The fourteen years since that
day feel like a century. The title of my announcement was Now A No-Evil Zone
and, OK, I can hear the laughing from ten timezones away. I tried, then, to be
restrained, but there are hardly words to describe how happy and excited I was.
I had escaped from the accretion disk the former Sun Microsystems was forming
around Oracle, that blackest of holes. And Google, in 2010, was the coolest
place in the world to work.

Let me quote myself from a little bit further into that piece, on the subject of
Google: “I’m sure that tendrils of stupidity and evil are even now finding
interstitial breeding grounds whence they will emerge to cause grief.” Well,
yeah.

This is in my mind these days as I’m on a retired-Googlers mailing list where
the current round of layoffs is under discussion and, well, it really seems like
the joy has well and truly departed the Googleplex.

But they did.

(The Alphabet “Investor Relations” page is also its home page.)

It’s not just Google

The last two decades of my career featured the arcing then crashing of popular
regard for Big Tech. It’s hard to believe now, the years when those lovably
nerdy Bay Area kids were leading humanity to a brighter, better-lit future; our
leaders were lionized and when people found out you actually worked for Google,
their eyes widened and you could feel the focus.

These days, Big Tech features in hostile congressional hearings, mass layoffs,
and messy antitrust litigation. It offers few experiences that can be
uncritically enjoyed.

While I was inside the Rooms Where It Happened, it was actually pretty hard to
notice the public trust in our work augering into the mountainside of alienation
and cynicism. It’s not that I think the companies are the problem, it’s the
machineries and imperatives of Late Capitalism, which for a while we foolishly
thought Internet companies could route around.

“Ten blue links”

I remember the dismissive phase well: Ten blue links was boring, it was the
past, it was not what people wanted. They want answers to their questions,
complete and correct, so much more wholesome than an abbreviated sampling of the
General Internet Uproar. And that was partly right: When I type in “-12C in F”
or “population of vietnam” I just want a number.

But those Ten Blue Links surfaced by the PageRank-that-was had a special magic.
I found them intensely human, a reflection of the voices populating what remains
of the Web, the only platform without a vendor. This was true when I was there
and I said so, but was laughed at.

And now, in Anno Domini 2024, Google has lost its edge in search. There are
plenty of things it can’t find. There are compelling alternatives. To me this
feels like a big inflection point, because around the stumbling feet of the Big
Tech dinosaurs, the Web’s mammals, agile and flexible, still scurry. They
exhibit creative energy and strongly-flavored voices, and those voices still
sometimes find and reinforce each other without being sock puppets of
shareholder-value-focused private empires.

Psychopaths

For my money, that was the center of Google’s problem. Larry and Sergey were
smart guys who recognized they didn’t know shit about corporateness and quickly
got into a pattern of hiring and empowering psychotic pricks who were presumably
“good at business”. Not gonna talk about some of the things I saw because these
people are wealthy and litigious.

But I do have a question.

What to use?

Among Google products, I mean. These days, when I use Google Search or Chrome or
Maps I just don’t feel like they’re on my side. And maybe that’s not
unreasonable; after all, I’m not paying for them. Problem is, the best
alternatives aren’t obvious.

For now, here’s the direction I think I’m going: Use Chrome for Google stuff:
Maps, Calendar, Docs, Translate. Safari and Firefox for non-Google stuff; they
ain’t perfect but I think they’re better aligned with my interests.

Our family company is still on Google Workspace or whatever it is they call
Dasher these days: Mail, Contacts, Photos, Calendar, Meet. It’s OK. We pay for
it and the price is sane. I don’t feel like it’s looking for ways to monetize
each keystroke. I’d totally consider a less-scary alternative.

I fear the combination of Google Maps and Reviews because it stinks of monopoly.
But I use Maps anyhow in my car via Android Auto because it’s nicely integrated
with YouTube Music (which I like) and Google Calendar. For a while I used the
Here.com maps and liked them a lot. I guess I could listen to YouTube over
Bluetooth.

Did I mention Android? I can’t stop using it, because I used to work in that
building and because I decline to use iOS; if I wrote code for it I might not be
able to give it away. And I carry Pixel phones, because I love the cameras.
Having said that, hearing Andy Rubin’s name still makes my gut clench.

I love YouTube because I end most evenings, after everyone’s gone to bed, with a
live musical performance by someone wonderful. But enshittification is creeping
in at the edges.

That cafe

In 2012 I moved from Android to Google’s Identity group. It happened to be in
the same buildings as Google+, at a time when Google was definitely putting all
its wood behind that arrow. Larry and Sergey’s offices were there too (not a
coincidence). There was a major fringe benefit: Access to the Cloud Café.

It was ethereal — OK, pretentious — almost beyond belief. Almost entirely
vegetarian, rare plants hand-gathered by Zen monks and assembled into jewel-like
little platelets-full that probably strengthened eleven different biochemical
subsystems just by existing. And the desserts were beyond divine. Admittedly,
sometimes when I left, my Norwegian-farmer metabolism grumbled a bit about not
having had any proper food, but still.

It was wonderful. It was absurd. And I got a $90K bonus that year because
Google+ hit its numbers.

It’s over, I think. It’s OK to miss it.


January 190
24.6.2024, 6:00 SEI Blog (Feed)
The Latest Work from the SEI
This SEI Blog post summarizes some recent publications from the SEI in the areas
of supply chain risk management, technical debt, large language models, quantum
computing, acquisition, and trustworthiness in AI systems.

January 150
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #35: January 12, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.


Slowish week. No doubt everyone is busy preparing for the release of annual
CAPEX numbers in a couple weeks.

News

Private Equity in Action: VMware

First layoffs. Then price increases. Now scaling back the long tail of customers
to “600 customers who will struggle to change suppliers”. This is the private
equity playbook and why we keep chanting “when private equity comes
amalgamating, it is time to start migrating”.

Previous:

Software Migration Alert: VMware, Software Migration Alert: VMware (Continued),
Perfidious Private Equity

How Many Models? Better Late Than Never

I don’t want to live in a world where someone else is making the world a better
place. I want to live in a world where someone else is making my jokes come
true.

Previous:

Press Releases We’d Like to See: Iceland Embraces the Bitcoin Economy

Everyone In Silicon Valley Wants To Be Henry Kissinger

It’s not just a job, it’s existential!

I’m sure they won’t get played on this…

Previous:

Existential Risk Now Has a Precise Threshold, You Can’t Spell Alien Invasion
Without A and I, Existential AI Risk + Twitter-level Nuance

The European China Shock

The “China Shock” had a huge impact on US manufacturing with major economic,
political and social consequences. The German auto industry, which is the
cornerstone of the European economy (along with wine, cheese and megalomaniacal
regulators), is next on the receiving end, with similar consequences likely.

Previous:

The EU Will Continue to Fiddle While Rome Burns, The EU’s Reckoning Approaches,
Collapsing Economic Models: German Edition, EU Rethinking Its Stance on
Mercantilism, German Auto Industry Reaches Hail Mary Stage, How Do You Say
“Burning Platform” in German?, Volkswagen’s Death Throes Continue, The Fate of
the European Economy: Automotive Edition, Europe: Investing in Slave Labor

With Twitter engagement circling the drain, please comment here!


March 60
24.6.2024, 6:00 SEI Blog (Feed)
The Top 10 Blog Posts of 2023
Every January on the SEI Blog, we present the 10 most-visited posts of the
previous year. This year’s top 10 highlights our work in zero trust, large
language models, DevSecOps, and artificial intelligence.

January 90
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #34: January 5, 2024

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.


We’re back and Happy New Year! We’ll start the year with some predictions about
what will (and will not) happen in 2024 (at least as it will be chronicled
here).

We Will Talk About AI

Incessantly.

We will fixate on the trajectory of generative AI. Will frontier models continue
to improve or plateau? Almost every question of how the industry unfolds is
downstream of that dynamic.

Companies that don’t lead in AI but feel like it is their birthright to lead
based on good work decades ago will beg to differ (often using early-in-the-race
metaphors or blah-blah-blah “enterprise” blah-blah-blah).

More than a few investors still see AI as a revolutionary new technology cycle
rebooting everything that lets them invest like it’s 2021 (due diligence, schmoo
diligence). We will question their judgment, especially those who securitize
GPUs.

The megalomaniacally self-important, Luddites and the media (but then I repeat
myself) will continue to frame generative AI as a scary existential issue, while
the self-appointed hall monitor industrial complex continues their power grab.

AI discourse will continue to be framed through the lens of dystopian science
fiction movies (which is an odd choice for “guess the next word” technology).

Whatever the hype, you can’t spell CAPEX without AI. AI is a CAPEX-driven
phenomenon, so following the CAPEX means following the GPUs.

Cleanup on the SaaS Aisle Will Continue

We still have too many SaaS companies on the shelves. The reduction in inventory
will continue. We just have to hope there are more cleanup participants than
private equity.

Private Equity Will Buy and Ruin More Software Companies

As Larry Ellison (perhaps apocryphally) says, every ecosystem needs a scavenger.
After years of excess, the software industry is in dire need of a thorough
scavenging. In theory this is what private equity says they do: fix broken
and/or overcapitalized businesses. And private equity loves software.

The model is straightforward: buy a software company using a lot of debt, slash
expenses (engineers are expensive!), jack up prices and then hope to flip it
before customers can migrate.

The problem is there is an ocean of private equity money (~$5 trillion) chasing
too few relevant deals, and, more problematically, private equity doesn’t
actually know how to fix businesses, especially software businesses. The list of
software that got better when private equity got involved is a very, very short
list (let me know if you can think of any). Private equity will no doubt get the
money, but customers end up holding the bag.

Hence our slogan “when private equity comes amalgamating, it is time to start
migrating” (rhyming remains difficult).

VMware is quickly becoming the poster child for private equity buyouts. Layoffs.
Price increases. And more private equity software deals are coming. Alteryx.
DocuSign. We’ll be issuing software migration alerts as private equity deals
happen.

The EU Will Continue to Fiddle While Rome Burns

Even as the complete bankruptcy of their economic, energy and security
strategies has been revealed to all over the last two years, the EU still dreams
of being a “regulatory superpower”. Infused with cookie consent banner
confidence, the EU has turned its attention to AI.

Despite prioritizing speed over comprehension, the EU have failed in their
stated goal to “move fast and regulate things”. China, the UK and US all beat
the EU across the regulatory finish line and now even the French (pause and let
that sink in) think they’ve gone too far.

Her defence of the AI Act comes after Macron argued the legislation risks
leaving European tech companies lagging behind those based in the US and China.

“We can decide to regulate much faster and much stronger than our major
competitors,” the French leader said earlier this month. “But we will regulate
things that we will no longer produce or invent. This is never a good idea.”

Those comments were seen as potentially setting up a new fight over the EU’s new
regulatory regime for AI which is considered among the strictest to be proposed
anywhere in the world.

Though the AI Act was agreed this month, the law still needs to be ratified by
member states in the coming weeks. France, alongside Germany and Italy, are in
early discussions about seeking alterations or preventing the law from being
passed.

(Remember, it is only dirigisme if you’re in France. Anywhere else it is just
sparkling industrial policy).

Meanwhile, the EU’s economic model is collapsing. The German auto industry, the
engine of the EU economy, is in dire trouble. Everybody loves mercantilism until
you run into a bigger mercantilist (hello China!). Deindustrialization is deeply
corrosive. Populism just getting started in Europe. Brexit may turn out to be
the geopolitical analogue of the Accenture partners who got kicked out of
Andersen Consulting just before Andersen got the death penalty for enabling
Enron.

A continent can’t live solely on fines of American tech companies.

Copyright Holders Will Advance Self-Serving Theories

The New York Times wants to replace Disney as the face of copyright maximalism.
So we’ll learn about fair use, the copyright clause of the Constitution (and why
the EU is yet again irrelevant in setting technology norms), the underlying
social contract behind copyright, rent-seeking, try to find any actual and
material damages, why we all stand on the shoulders of giants, and how a few
sands of grain on a beach tend to overstate their importance.

The 6600 tokens I’ve contributed to the LLM training corpus are my infinitesimal
contribution to an immeasurably valuable canon of human thought and expression
(and my best shot at immortality).

Debt, Deglobalization, Demographics and Despotism Will Dominate

Technology has had a great run on center stage, but there are other forces at
play. I’m thinking of calling them the Four Dorsemen, but obviously am open to
other suggestions given that is a terrible term.

Things That Will Not Be

Some things won’t change: cloud repatriation, “supercloud” and metaverse real
estate still won’t be things in 2024.

With Twitter engagement circling the drain, please comment here!


January 60
Today, 17:55 ongoing by Tim Bray (Feed)
Five Electric-Jag Years

I got a note from Jaguar advising that my free five-year “InControl Remote and
Protect” subscription was expiring and would be $99/year (Canadian) going
forward. That’s right, this month is five years since I picked up our 2019
Jaguar I-Pace and joined the EV tribe. Thus this (final?) visit to the Jaguar
Diary series.

$99, you say?!

Yeah. What you get is a mobile app (and Web site) that does useful things,
including:

Turn on the climate control to warm or chill the car while you’re having
breakfast. This is a big deal in Canada.

Make it honk so you can find it in a big parkade.

Check whether you remembered to lock it, and do so if you didn’t.

Keep a diary of all your trips, which is nice and I guess super-useful if you
expense your driving.

Since several of these require that Jaguar operate servers (hey, on AWS in
Dublin) I guess I shouldn’t mind paying. Feels a little pricey but hey, I bought
a Jag so I shouldn’t care? And I wouldn’t, except for they’re almost certainly
harvesting data from the car like crazy and selling it. Which I call
double-dipping.

What about the car?

I have not regretted buying it for a single second of those five years. It’s
comfy, faster than strictly necessary, reliable, practical, and cheap to run,
even with that extra $99/year. Go read the other diary entries for that stuff. I
guess the only thing to add is that, five years in, it still feels pretty well
new. It’s fun to drive. The battery seems to hold about the same number of
kilometres.

But #WarOnCars!

These days, my social-media feed contains many people who point out that Cars
Are Bad and the spaces humans live in should be optimized for humans, and you
Really Shouldn’t Like Cars.

And I agree, mostly. I totally want to choke cars out of the spaces we live in,
to create a fifteen-minute city. Simultaneously, I like cars for their own sake,
for their engineering and aesthetics, for the joy of being able to go from my
front door to anywhere else on the continent while seated comfortably, listening
to good music.

Yes, those viewpoints are in conflict but so what. People, statistically, also
like alcohol and nicotine and speeding and adultery and Reality TV and junk
food. And can agree, abstractly, that indeed, those things are bad. It all comes
down to protect me from what I want.

There are two problems: First, the entire western edge of North America was
built around sprawl and highways. Second, Late Capitalism’s egregious inequality
has arranged that it’s hard for most people to afford to live near their jobs,
or even where the public transit is good.

So yeah, as we develop our cities, let’s exclude cars to the extent possible.
And let’s do something about the economy too. I will vote for regulations that
restrict my use of my car. And to the #WarOnCars troops: I’m on your side, but
don’t tell me I shouldn’t like them.

To start with, here’s a free idea: There should be a charge for occupying city
space with your car, and it should depend heavily on the car’s size and weight.

EV trends

I suspect that central Vancouver has one of North America’s highest EV
densities. On our block, our side of the street, are a Nissan Leaf, a Tesla, a
Hyundai Kona EV, and me. And there’s frequently a Rivian parked out front, don’t
know where it lives. In fact I’m starting to see a lot of Rivians. If you need a
truck, the Rivian looks like a nice one, but I don’t think people in this
neighborhood do.

When I bought the Jag I was worried it was like buying a PC in the Nineties;
wait six months and there’ll be something way better. I got to test that
hypothesis because a good friend just picked up a Hyundai Ioniq 6, 2023 World
Car of the Year. We went for a drive and yeah, the state of the art has
improved.

The Ioniq is, and feels, lighter than the Jag. It charges a lot faster. Its
Android Auto implementation is nicer. The dashboard graphics are gracefully
space-age. The shifter is clever and intuitive. No, it doesn’t have the Jag’s
raw power or silky way through turns. But on balance, it is really a whole lot
of car for the money. I’d buy one.

The most important electric vehicles aren’t going to be personal automobiles.
They’re going to be the buses and trains that eventually come to fill in the
public-transit grid and turn cars into rarely-needed luxury options. They’re
going to be the trucks that are currently a huge source of carbon loading.

Cars will be with us for a while. But they should be lighter and smaller and
fewer. And electric.


January 60
Happy New Year!

Customarily, on this day we go for a walk by the sea. This year “we” was just
me, because Post-Covid. I have pictures; subdued pictures, it was that sort of
day. Herewith a few of those, and year-end ramblings on optimism, AI/ML,
cameras, and social media.

Optimism?

The climate catastrophe is gonna get worse before it starts getting better. But
I see rays of light that might illuminate 2024. I really don’t think the
Americans are going to elect That Guy again. I think unemployment will stay low
and worker power will increase correspondingly. I think there’s a significant
chance we get a vaccine that actually stops Covid transmission, as opposed to
today’s, which mostly just moderate its effects (still important of course). I
think the health problems in my immediate family will improve a bit — Lauren is
showing early signs of recovery from Post-Covid.

Did I mention the climate catastrophe? I hope our political leaders come to
their senses, get out from under the Carbon Hegemony, and do the necessary
things that will necessarily bankrupt much of the Petroleum sector. If they
don’t, I think it near-inevitable that some of those defending the planet’s
future will discard their commitment to non-violence. There is nothing people
won’t do to protect their children.

Weirdly, and assuming that our species’ self-inflicted climate-disaster injuries
aren’t fatal, there is an upside. This situation falsifies the central premise
of Late Capitalism: That continued unending growth is essential, or even
desirable. Particularly in the inevitable case where declining birthrates become
pervasively global and there are fewer people each year needing goods and
services.

Put another way: Jeff Bezos can blow off “Day 2” as much as he wants. But the
Day-1 growth-at-all-costs dogma isn’t sustainable or even survivable. Day 2 is
inevitable, and we need to learn how to make it good.

AI/ML

I’ve spent my working life in software, and AI seems to be the only thing anyone
wants to talk about. I’m not smart enough to know where this tech ends up
fitting in. Also, I’m arrogant: I don’t think anyone else is smart enough
either. It’s painfully obvious that we’re in the midst of a bubble; just watch
the VC froth. A lot of that money is going to the same place as the billions
they gave to the crypto-bros.

I do have a recommendation: Assuming you’re busy and have a lot of input, don’t
waste time reading “future of AI” predictions. Nobody knows.

Photography

When I went down to the sea, I took a Fujifilm X-Cam with the Samyang 135mm/F2
bolted on, and of course my Pixel. All but one of these pictures are
Fuji/Samyang. This is my chance to opine, once again, that the best way to use a
camera that’s not a phone is to strap a difficult and opinionated lens on it
then follow where it leads.

I’m not that optimistic about the future of “real” cameras. When you watch the
reviews from passionate camera-philes like Chris and Jordan over at Petapixel,
you realize that, to the extent that newer cameras are better, the improvement
is at the margins; for example, shooting elite athletes at a distance. All
modern cameras take great pictures, most times. This notably includes the one in
your phone; but its lens is the opposite of difficult.

2023 saw two real steps forward in camera technology: C2PA and global shutter.
Global shutter is cool but of interest to only a few, and C2PA’s impact is
strictly on the structure of belief; the technology itself is boring. Neither
will help you get a better cat picture.

Social media

Most of my 2023 hours were filled by family health issues, my expert-witness gig
with Uncle Sam, and what comes after Twitter. On the latter, I know only one
thing for sure: That privately-owned centralized social media has not worked,
will not work, can not work. Decentralized federation is the only sane path
forward and we are right now making that up as we go along. Am I crazy to think
that few things matter more than the forces that shape the broader human
conversation?

I know that if you’ve been reading me at all, you’ve heard this enough, but
forgive me, it’s too late to stop now: I think the member-owned social-media
co-op we’re building at CoSocial offers a plausible glimpse of a resilient, fun,
billionaire-proof social-media future. I’m an old guy but I’m as excited as a
kid about this path forward.

This space

2024 will be this blog’s 21st year of operation. No month has had fewer than
three pieces and my hope is to do as well or better going forward. Not writing
feels like not breathing.

During the latter half of 2023, I produced two large legal submissions in
connection with my Uncle-Sam gig, well over 400 pages in total. They are stuffed
full of confidential information and will be read by only a small handful of
people, then forgotten. That makes me sad, but producing them was still fun.

Back in 2018, I wrote enough Song of the Day pieces to fill a half-year’s days,
and enjoyed it a lot. Most of the material was old; I was mining my own personal
musical journey. Nothing wrong with that.

But these last few years, I’ve been listening to lots of new music and, once
Uncle Sam has settled down, I’ll play a variation: Music of the Day. Most of it
will be new-ish or at least new to me. And up front, I confess that most of that
is driven by YouTube Music guessing what Tim might like. So don’t let anyone
tell you I’m against AI in the general case.

Happy 2024, and good luck!

We’re going to need it.


January 30
Planes, Cameras, Capitals

Since Covid started I haven’t traveled, except for short hops to visit Mom in
Saskatchewan. But I spent Monday and Tuesday in Washington DC workin’ for The
Man (the man being Uncle Sam) and came away with notes on planes and hotels and
cameras and people.

First, camera news

The rest of this piece is miscellaneous travel notes, aimed at people who are
interested in Washington DC or the travel experience. But you might want to skim
through it anyhow for the pictures. As usual, I traveled with a camera bag
containing an excellent Fujifilm and a variety of lenses. I never broke it out.
The results from the Pixel 7 are just unreasonably good.

See the moon? This picture should hardly even be possible. It was dusk, the
contrast was stark, the moon fetching but faint, and the sky very dark. It only
took a little Lightrooming to prettify the sky and sharpen a bit.

DC

I’ve always liked DC and this time I was in a new neighborhood, Southwest
Waterfront, which is pretty nice even with too many large Federal agencies.

A residential street in Southwest Waterfront, near the alley in the previous
picture. It has a bit of a fakey “HDR” look but that’s actually what it looked
like, the traditional streetlights work well with the stone frontage. I posted
these two pictures, and another nearby, on Mastodon as a quiz, challenging
people to identify the city. One frighteningly-smart person did.

There are cities that feel unwelcoming, but DC isn’t one of them. On the way
from the airport to my hotel via (excellent!) public transit I got lost twice,
consulted a taxi dispatcher and random cop for help. I had a shopping mission
where I needed guidance from big-store staff. I ate a couple of solo dinners,
tucked into the corners of large-ish establishments at unpopular times to
minimize plague risk. Nobody made me feel like I was bothering them, everyone
was happy to help, and in the empty-ish restaurants, staff dropped by to just
shoot the shit a bit.

100% of the people I’m talking about were Black. Just a coincidence?

By the way, I heartily recommend Walter’s Sports Bar — I figured that since I
was in the Nation’s Capital, the most American possible thing to have would be a
burger in a sports bar. The place is comfy, the food is fine, and, as noted, the
people are nice.

What happened?

On this sort of trip, I’d normally write up the payload — the meat of the
meetings and the shape of the work. But it is, as they say, “the subject of
current litigation.” I promise, assuming I remain of sound mind after this is
over, to share as much as I legally can. It should entertain.

Plague protection

Given that each episode of Covid incurs a 5-10% chance of progress to some
flavor of Long Covid, which my wife is already suffering from, and that the top
medical recommendation for Long Covid sufferers is “Don’t get Covid again”, I
was extra ultra paranoid about the possibility of infection. So I wore a KN95 in
all public indoor spaces, to the extent possible, which means except when I was
actually putting food or drink in my mouth. As I write this, I won’t know for a
few more days whether or not it worked.

Other people? Not so much. The entire population has decided to “put Covid
behind them” I guess. I can’t begin to understand how they see the trade-offs. I
don’t think I’m crazy and it’d be ungenerous to think that everyone else is.

Enviro-sinner

I can’t write about this without addressing the environmental issues. A handy
online flight-emissions calculator suggests this little jaunt worsened the
global CO2 problem by 1.4 metric tons. Ouch.

I could point out that this level of sin is a tiny pale shadow of what I
committed in my decades of jet-setting on behalf of one employer or another, or
that my trip, in support of presumably-worthy high-stakes litigation, was of
benefit to the species. Doesn’t really make it OK. I am now lobbying The Man to
make future meetings virtual rather than physical.

Planes

Meh. Like many things in life, the experience on offer has declined over the
decades, as the “business class” experience has simultaneously improved; a
symptom of our society’s current insanely-dysfunctional level of inequality.
Since I have a vast inventory of points left over from my jet-set phase, I
upgraded both ways. Shoot me. Or, shoot out the window.

These pictures are miraculous, shot through a not-terribly-clear airplane window
with backing light trying to reflect off it. This is the first time the
“computational photography” power of a Pixel has scared me a bit, because the
picture actually looks quite a bit better than what my eyes saw. And that was
before I juiced it up with Lightroom. Hmmm.

I simultaneously miss travel and have enjoyed the past few years of not fighting
airlines and airports; my long-held belief is that this is an industry that
hates its customers. I have reserved a special level of hate for Toronto’s
Terminal 1.

Thus, you can imagine my surprise when my rollie busted a wheel in DC and I
decided to check it through to Vancouver, and they just checked it through! No
need to do the recover-and-recheck in Toronto. And also, you can come in from
the US and go out again on domestic without passing through security. I guess I
must tip my hat to my old enemy.

Oh, and (noted reluctantly) more good news. The video system on one leg of the
flight was Android-based (telltale boot screen) and wow, it was miles better
than any previous in-flight entertainment experience. I knew about Android Auto,
but I guess there’s now Android Airplane. So the pilots can say “OK Google, land
on runway 23”? I hope it doesn’t need a reliable USB-C connection.

Postmodern hotel

How can a hotel be interesting? This chain I’d never heard of that I’m not gonna
name had rooms right across the street from work and the reviews were good and
the price was good. I’m not naming them because I think their concept is sound
but they haven’t nailed the execution yet. The idea is that the rooms are
teeny-tiny (like I’ve experienced in Japan) but on the ground level there’s this
huge sprawling “Living Room” with lots of desks and sofas and tables and a big
TV lounge and a bar with decent basic food. The decor is breathlessly hip
everywhere.

I watched Monday Night Football there, enjoying the company of a
Mexican-American family who were crushed when Seattle pulled off that absurd
last-minute win over Philadelphia; tears were shed on Jalen-Hurts-branded
jerseys.

Also, excellent breakfast.

I think they might be onto something, except for I had a hard time sleeping
because the duvet was too thick and the pillows were too thick, so I was cooking
and my neck was hurting.

I filled out the feedback form and got an email from a real person, so maybe
it’ll get better. I mean, the core competence of a hotel has to be getting you a
good night’s sleep, so this isn’t an excusable miss. Anyhow, it’s years since
I’ve stayed at a hotel that wasn’t a boring beige cookie-cutter.

Travel!

It’s what humans do; go read Bruce Chatwin. I’ve missed it. But, to be enjoyed
in moderation.


December 230
Today, 9:19 mark nottingham (Feed)
RFC 9518 - What Can Internet Standards Do About Centralisation?

RFC 9518: Centralization, Decentralization, and Internet Standards has been
published after more than two years of review, discussion, and revision.

It’s no secret that most people have been increasingly concerned about Internet
centralization over the last decade or so. Having one party (or a small number
of them) with a choke hold over any important part of the Internet is counter to
its nature: as a ‘network of networks’, the Internet is about fostering
relationships between peers, not allowing power to accrue to a few.

As I’ve discussed previously, Internet standards bodies like the IETF and W3C
can be seen as a kind of regulator, in that they constrain the behaviour of
others. So it’s natural to wonder whether they can help avoid or mitigate
Internet centralization.

I started drafting a document that explored these issues when I was a member of
the Internet Architecture Board. That eventually became
draft-nottingham-avoiding-internet-centralization, which became an Independent
Stream RFC today.

But it was a long journey. I started this work optimistic that standards could
make a difference, in part because Internet standards bodies are (among many
things) communities of people who are deeply invested in the success of the
Internet, with a set of shared end user-focused values.

That optimism was quickly tempered. After digging into the mechanisms that we
have available, the way that the markets work, and the incentives on the various
actors, it became apparent that it was unrealistic to expect that standards
documents – which of course don’t have any intrinsic power or authority if no
one implements them – are up to the task of controlling centralization.

Furthermore, centralization is inherently difficult to eradicate: while you can
reduce or remove some forms of it, it has a habit of popping up elsewhere.

That doesn’t mean that standards bodies should ignore centralization, or that
there isn’t anything they can do to improve the state of the world regarding it
(the RFC explores several); rather, that we should not expect standards to be
sufficient to effectively address it on their own.

You can read the RFC for the full details. It covers what centralization is, how
it can be both beneficial and harmful, the decentralization strategies we
typically use to control it, and finally what Internet standards bodies can do.

One final note: I’d be much less satisfied with the result if I hadn’t had the
excellent reviews that Eliot Lear (the Independent Submissions Editor) sourced
from Geoff Huston and Milton Mueller. Many thanks to them and everyone else who
contributed.


May 20
24.6.2024, 6:00 SEI Blog (Feed)
Acquisition Archetypes Seen in the Wild, DevSecOps Edition: Clinging to the Old
Ways
This SEI blog post draws on SEI experiences conducting independent technical
assessments to examine problems common to disparate acquisition programs. It
also provides recommendations for recovering from these problems and preventing
them from recurring.

December 180
Today, 17:55 ongoing by Tim Bray (Feed)
Recent Music Books

Seems that for the past few months most of the books I’ve read have been sci-fi
(which I wrote up here) or about music. Herewith notes on four of the latter.
The subjects are Philip Glass, John Cale, Cuba, and getting loaded.

Glass

Words Without Music is Philip Glass’s autobiography. I should start by saying
that I’m a big fan, bought lots of albums back in the day. For anyone unfamiliar
with the flavor, I recommend the following: Open up your favorite streaming
service and say “Play Mishima by Philip Glass”. You’ll know pretty quick whether
you like it. If you do, you won’t be alone; I don’t have hard data but I think
Phil is probably the best-selling practitioner of “New Music”, i.e. contemporary
stuff that isn’t Pop music.

I caught a live concert too, Phil and the Philip Glass Ensemble, in which he
plays but doesn’t lead. (Early editions of the Ensemble included Steve Reich on
keys.) They performed the Koyaanisqatsi sound-track while the movie played. What
a sound!

Any Glass fan is going to want to read this, I think. But it’s not problem-free.
First: He talks tons about his process and his high-level thinking about putting
his music together, but zero about its music-theory basis. By the way, one
reason he’s so prolific is that he doesn’t have to write a Master Score as he
composes: He just holds the music in his head and writes out the individual
parts, one by one. I saw a documentary once which showed him writing musical
lines at a comfortable handwriting speed, saying with an amused expression “This
part, you see, this part goes pretty fast.”

Second, it’s a depressing reminder of how deeply the Reagan-Thatcher dogma has
savaged the fabric of our society. Glass was a bright kid in a middle-class
family who went from an elite public school to an elite college with
Nobel-Laureate teachers, then to an elite music school, then to Paris to study
at the feet of Nadia Boulanger. The Paris section, by the way, is an astonishing
read; whatever you think of his music, the man studied his craft with heroic
intensity. Then he settled in New York and, by moving furniture and driving
taxi, earned enough to rent a loft and compose furiously, turning the world of
“New Music” inside out. Try to pull that off today. Everything’s been
financialized and efficiency-maximized and there’s little space left for variant
shoots of any art form to thrive then twist them sideways.

Oh, another irritant: Most of the book is written in an extremely transparent
flat-aspect style, which gets out of the way and I respect, and I was thinking
“good solid prose, it’s a pity Phil doesn’t try to reach back and bring it a
little bit, like he does in his music.” And then in the very last chapter, he
does. Here’s a paragraph, relating his reaction when asked about what it felt
like when composing one of his big pieces:

I don’t know … Because I’m not sure that I am there at that moment. The ordinary
witness has been lost — the artist Philip has robbed the daily Philip of his
ability to see himself. That’s very clearly what happens when people say “I
wrote it in a dream,” or “I don’t know where the music came from.” … All they’re
really saying is “I don’t remember how I did it,” and they make up an outside
source. But the real source is not any of those things. It’s a process that the
artist has learned. He has tricked himself into gaining that extra attention
that he needed to do the work.

I kinda wished that Phil had let loose some of that writing energy on more parts
of the book. Whatever, it’s a valuable piece of the historical record.

Cale

John Cale, a Welshman, is a founding member of the Velvet Underground and one of
life’s Really Interesting People. Disclosure: His album Sabotage/Live is central
to the way I think of music: Live is better. Loud is better. Terrifying is best.
I stage-managed one of the concerts on the tour that album showcases; that show
went severely off the rails in a way that gives me a distant echo of PTSD all
these decades later. I may write about it some year.

Anyhow, I’m here to write about What’s Welsh For Zen, a sort of autobiography,
in large format with plenty of photography and art splashed across all the
pages. I wanted to read it and discovered that it’s only available used and for
hundreds of dollars. So I took it out of the public library for free; isn’t it
great to be a member of a civilization?

Anyhow, Cale was a member of the same white-hot New York art scene that Phil
Glass was, only with Lou Reed and Andy Warhol and lots of drugs. Boy, does John
ever hate Lou. But he invests a lot of words in explaining what kind of a person
Lou is and what it’s like to work with him. Or try to. Whatever, they produced
some pretty fucking wonderful music together. Nobody ever said making art had to
be fun.

Cale’s portrayal of Warhol is way kinder. What I notice, looking back all these
decades, is that everyone I’ve read writing about Warhol seems to be describing
a different person. Warhol managed the Underground for a while and it’s pretty
clear that some of the ideas he brought to their oeuvre, in particular
performance practices, have become integral to popular music at large.

Anyhow, Cale plays a significant but not leading role in the story of how Rock
music became what it is today. I’m glad that he put all this stuff on the
record.

Getting loaded

In Vancouver’s library system you go online, you find the book you want, you put
it on hold, and after a while you get an email telling you it’s arrived at your
local branch. Whenever I bike over there I go look at the featured-books shelves
and occasionally pick one up.

When I was picking up the Phil Glass book I noticed Too Late To Stop Now: More
Rock’n’Roll War Stories by Allan Jones, who spent decades in the pop-music
journalism profession, back when you could make a decent living in journalism of
many flavors. This is, um, extremely lightweight, mostly tales of the author
ingesting massive quantities of alcohol and cocaine and weed while hanging out
with Rock Stars you might have heard of. Parts of it work well for an oldster
like me because we remember the rage and excitement in the air when the New Wave
swept away Prog Rock. Boy, does Mr Jones hate anything even remotely
prog-related and, to be fair, those geezers kinda brought it on themselves.
Anyhow, what saves it is that he’s consistently funny.

There’s a connection: One of the segments covers an extended conversation with
John Cale, which re-iterates the awfulness of working with Lou Reed, but in this
matter Cale comes off better through a third-party pen than his own. Anyhow, if
you were listening to music in the late Seventies this has a good chance of
going deep on some artist you really cared about. And it might open your ears to
something new; in my case, to the work of Roy Harper, whom I’d heard of but not
actually heard, and now I have and am glad of it.

Cuba

What happened was, I was watching a YouTube of a live concert by Rhiannon
Giddens, which I recommend doing because she is by the way totally a goddess.
She tends to chat at the audience a bit between songs, and in connection with
something I totally forget, she recommended Cuba and Its Music: From the First
Drums to the Mambo, by Ned Sublette. I thought it sounded interesting. During
the depths of Covid’s first wave, I took a few months of private Afro-Cuban
music lessons via Zoom; bought a nice pair of Congas, even. I recommend this for
anyone who’s even a bit musically literate and interested in rhythm. Just
learning about the Clave rhythm and Bell pattern, and a bit of son and rumba
lore, changed the way I think about rhythms. If you’re ever doing rhythm in a
jam, throwing in a bit of clave feel will make everything magically funkier.

So, I recommend this book, but… wow, it’s huge. It’s “only” 688 pages, the
listing says (I read it in the Kindle app on my tablet) but it feels twice as
long; took me weeks to finish. It is monumentally thorough; by the time you’re
finished, you will be damn erudite on the history and culture of Cuba from the
Pre-Columbian era through to the Fifties. It’s advertised as being “Part 1” but
was published in 2004, so I’m not sure about Part 2.

The Spanish organized-crime mob — I’m talking about Columbus and his
successors — pretty well wiped out Cuba’s Indigenous population (although I
learned in writing this that there are people who to this day claim to be Taíno
and preserve that culture). Thus, there remain four input streams that
intertwined to create Cuba’s remarkably-rich mix of language and religion and
especially music:

Spanish, which, given the dates, included strains of…

Moorish, being the still-strong influence of Al-Andalus.

Then there were the enslaved Africans; they were not just one people, but from a
variety of nations, and brought along with them two main currents of language
and musical culture:

The first, from West Africa’s southern coast — think of the range from Côte
d'Ivoire to Benin, which was itself complex, including flavors from the
coastline and then up into the Sahel, where once again there was a Muslim/Arabic
influence, and last but definitely not least,

The Congo, a general term here for southern Africa’s eastern shore: Equatorial
Guinea down to Angola.

In Cuba, the Church was less efficient in its proselytizing than elsewhere in
the New World, and thus the African religions, and even bits and pieces of the
languages, survive and have a hefty influence on some of Cuba’s musics. Yes,
that’s musics, plural; it’s not just one thing at all.

Anyhow, to get the beginnings of a feel for the feel, type “Arsenio Rodriguez”
or “Tito Puente” into your favorite music source and see what happens.

Am I ever happy to have read this book, and if I don’t stop now, this blog piece
will start to inherit its punishing length and complexity. I’ve probably said
enough for you to make a good guess whether it’s for you.

Meta-music

I already have a couple of shelves of books on music, a high proportion being
biographical, and reading these outings reminded me of why. Books on music is a
habit I recommend.


December 13
24.6.2024, 6:00 SEI Blog (Feed)
Applying Generative AI to Software Engineering: Navigating Ethical and
Educational Landscapes
The post explores the application of generative AI in software engineering with
an emphasis on the ethical and educational landscapes.

December 12
Today, 17:55 ongoing by Tim Bray (Feed)
Recent Sci-Fi

Seems that for the past few months most of the books I’ve read have been sci-fi
or about music (which I wrote up here). Herewith notes on the most recent
sci-fi/fantasy. Featuring Emily Tesh, Martha Wells, John Scalzi, Sandra Newman,
Vajra Chandrasekera, Arkady Martine, and P. Djèlí Clark.

Used to be I’d put Amazon links in when I mentioned books, and route a few
commission bucks into my Amazon account. No longer. While I’m not a fanatic, if
I can do something using a Big Tech or an alternative, I’m going to be trying
the alternative. Alternatives are good.

Twisty space opera

Some Desperate Glory is the debut from Emily Tesh and I expect great things from
her, because this is pretty great. Let’s see, we have an earnest young trainee
at a fascist outer-space military academy, but her Faith In The Mission is
slipping. Wait… I’m hearing echoes from plenty of old-and-not-that-great sci-fi
pulp.

And yeah, the first 40% of the book, while it’s sharply-written and keeps you
turning pages, is treading a pretty well-worn path. Then it goes sideways. More
than once. I mean the sideways paths are reasonably well-trodden too but still
surprising and clever and entertaining.

I can’t help noticing that there’s all this good space opera written by
lesbians? Not obvious from first principles why that should be, but OK.

Murderbot and…

I suspect everyone knows about Murderbot now. The latest is System Collapse and
if you’re going to read it, which I recommend, it’s probably a good idea to
go back and re-read Network Effect first; the new book is an extremely immediate
sequel and it will probably help to refresh your mind on who all these people
and bots are. System Collapse is a little shorter and lighter in weight, which
is OK. If you like Murderbot you’ll like it fine.

Then there’s Ms Wells’ Witch King, a huge, complicated saga of epic conflict
between somewhat-divine characters. And they’re all interesting enough
characters. But I don’t know, they just didn’t grab me the way the Murderbot
cast does. Witch King is really well-crafted. The combat scenes are explosive.
I’ll have to give another of Ms Wells’ non-Murderbot works a try, but this one
didn’t work that well for me.

Scalzi fun

During the course of the last year I read The Kaiju Preservation Society and
Starter Villain, both by John Scalzi. These are blasts of pure fun, with
razor-sharp dialog, jaw-dropping set pieces, and lots of laughs. Nothing here
will change your life but I’m pretty sure you won’t regret dropping a few bucks
on either. If only for the dolphins with the attitude problem.

1984++

Just like every other member of the world’s Anglophone population, 1984 was
compulsory one of my high-school years and yeah, one doesn’t forget it, admires
it even, but I wonder if anyone really likes it? Hardly a pleasant experience.
Anyhow, Julia, by Sandra Newman, builds around Winston Smith’s story from his
lover’s point of view. It’s a bigger book than the original and you won’t forget
it either, whether you actually like it that much. It’s compelling, and the
perspective Ms Newman gets in backing off a bit from the hyperfocus on Winston’s
world, in considering Airstrip One and Oceania a little more widely, is entirely
convincing and pushes your mind in different directions.

Julia is a more interesting person than Winston and her experience is more
intensely felt. I liked parts of it. I won’t read it again. It attaches a sort
of coda to the story after its natural ending that didn’t really work for me,
but I can’t think of what I’d replace it with. If 1984 made an impression on
you, this will quite likely leave you with one of equal or greater strength.

Bright doors

Vajra Chandrasekera is from Colombo, Sri Lanka. In the admirable Jo Walton’s
September 2023 Reading List she got all excited about Chandrasekera’s The Saint
of Bright Doors. She says “Everything is slightly too big and too bright, and
details keep piling up and slipping out of control, and it’s all stirred
together with a dash of Kafka—but in a good way.” Can’t disagree. Fetter, who
casts no shadow, leaves his sorcerous murderous mother to find his fortune in
the Big City…

It’s as colorful as anything I’ve read in years. I really enjoyed that, although
the cleverly-constructed world is perhaps a bit more interesting than the story
inhabiting it. It’s, uh, not space opera and not romance and not fantasy and not
1984 but its author has clearly drunk from all those wells.

More lesbian space opera!

A Memory Called Empire, by Arkady Martine, won the 2020 Best-Novel Hugo so it’s
hardly obscure. I liked it, and its sequel A Desolation Called Peace (Hugo
2022), a whole lot. It’s got a Galactic Empire and, like most space operas set
in one of those, you get to meet the Galactic Emperor and his family and court.
In fact, the first book spends most of its time right there. Which is fine,
because our plucky heroine Mahit Dzmare and the people she gets to know are
plenty of fun and there’s plenty of action, and an Aztec undercurrent.

The first book is slightly lacking in space battles and aliens and so on, but
the second solves both those problems in the first few pages, and it’s a good
space battle and they’re excellent aliens. And then romance, and spicy sex, and
sordid politics, and, well, not boring at all. It’s called the Teixcalaan Empire
series and I’m pretty sure there will be more.

I enjoyed Ms Martine’s work enough that I also picked up Rose/House, which is
shorter, and beautifully constructed, and defies description. There’s this house
in the desert, there’s a corpse in it, and the house is really hard to get into.
I think it’s fair to say it’s a stronger piece of work than the imperial space
operas. But I’ll still totally snap up the next Teixcalaan-Empire book.

Dealing with Djinn

When I looked up P. Djèlí Clark after reading A Master of Djinn, I discovered
that he’s super-political; issues of class and race and imperialism are all over
his Web site — he’s a Black American. They’re all over the book too, now that I
think about it, but so smoothly and well-worked-in that I never noticed while
reading it.

The book is a detective story, with Djinn, set in “Egypt in the 1920s”; I put
that in quotes because the 1920’s weren’t like that, and neither is Egypt.
Anyhow, it’s action-packed; maybe a little over-written, there are places where
it could do with a little less atmosphere and a little more dialog and action.
But the Djinn are great and so’s the heroine and it’s all very satisfying in the
end.

Books are good

I find it very supportive to my currently-somewhat-assailed mental health to
drag my eyes away from the global clusterfuck surrounding us and sit in a soft
chair looking on words on pages. You might too?


December 13
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #33: December 8, 2023

Platformonomics TGIF is a weekly roll-up of links, comments on those links, and
perhaps a little too much tugging on my favorite threads.

This is the last issue of the year. May your new year be filled with
non-performative competence, pluralism, reason, universalism and vigor (a
contrarian hope to be sure).

News

AI Marketing Hallucinations: AWS Edition

With generative AI, Amazon finds themselves on the wrong end of their favorite
expression that “there is no compression algorithm for experience”. (And the
evidence is growing that there is a ton of work that goes into model quality
after the training is done, and sees benefits from scale, which makes it ever
harder for laggards to catch up).

Amazon not only over-promised and under-delivered with their generative AI
efforts at re:invent, they even managed to raise the expectations bar to claim
only AWS could deliver some new nirvana of enterprise LLM capabilities. The
immediate and egregious failure to do so badly hurts their credibility, not just
for their insatiable desire to be seen as the generative AI leader, but also
across all the areas where they actually do lead.

Previous:

The AWS Generative AI Soap Opera

AI Marketing Hallucinations: Google Edition

Google seems to have taken the AWS re:invent marketing approach as a challenge
instead of a cautionary tale. Unlike Amazon, Google has largely managed to keep
their generative AI insecurities to themselves (and as the original inventor of
the transformer with a two hundred billion dollar advertising business, they
have a lot more to be insecure about).

But as we hit a year since Google’s CEO may or may not have declared “Code Red”
in response to ChatGPT (we did learn Google definitively has “Code Yellow”),
they clearly felt compelled to do something. They announced their Gemini model,
accompanied by two sneaky marketing moves where they got caught. One was a faked
demo of their multi-modal capabilities and the other was comparing GPT-4
performance to the Gemini Ultra model which isn’t available.

Previous:

The Google Pivot Away from “AI-Safety First”, “Google has more than 160 people
working full time”

What Comes After Titanium?

The Apple reseller (aka the phone companies) TV ads are amusing as the only
thing they can find to say about the latest iPhones is “Titanium”.

Year End Reflections On Some Favorite Threads

 * Cloud CAPEX – I will update the numbers after the clouds report in January,
   but CAPEX is all about the GPUs right now. And on the clown CAPEX front, it
   is almost time to call a winner in the clown car race.
 * Cloud Repatriation – still not a thing. Sorry VCs who picked this as an
   investing theme.
 * “SuperCloud” – has hit its two-year anniversary of not being a thing.
   Congratulations!!!

Previous:

Follow the CAPEX: Cloud Table Stakes 2022 Retrospective, Follow the CAPEX:
Keeping Up With The Clowns, Platformonomics Repatriation Index, “Supercloud” RIP

AI Alliance: Wah-Wah, Wah-Wah

Beyond the edgy white-on-black press release, what exactly should we expect from
this august alliance beyond platitudes? The fact IBM is still pretending Red Hat
is somehow an independent entity participating on their own accord suggests a
greater focus on numbers than substance.

Software Migration Alert: VMware (Continued)

When private equity comes amalgamating, it is time to start migrating. Why?
Because private equity ruins software companies.

VMware CEO Raghu Raghuram has left the building. He will be missed. So too
apparently has the security talent, which also will be missed. As I’ve
previously observed, private equity really struggles to model cybersecurity in
their spreadsheets:

There is one area where private equity-owned software companies are showing
uncharacteristic leadership: they’re at the epicenter of some of the largest
cybersecurity breaches.

Previous:

Software Migration Alert: VMware, Perfidious Private Equity

McKinsey Karma?

The John Oliver episode doesn’t cover all of McKinsey’s misdeeds, but does an
excellent (and entertaining) job on the ones it does cover.

Previous:

2020 Platformonomics Blog Retrospective

Related:

McKinsey: Last Week Tonight with John Oliver


December 9
24.6.2024, 6:00 SEI Blog (Feed)
Creating a Large Language Model Application Using Gradio
This post explains how to build a large language model across three primary use
cases: basic question-and-answer, question-and-answer over documents, and
document summarization.

December 4
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #32: December 1, 2023

Welcome to the New and Improved Platformonomics.

Subscribe to get this weekly newsletter and other posts delivered via email.

The OpenAI Soap Opera

Good thing I was off last week and didn’t add to all the effervescent interim
takes on this saga. What a clown show.

My guess is season 2 of everyone’s favorite new hit show, Governance, will focus
on Anthropic. The dramatic tension rests on whether they still want to be the
doomer-i-est of AI companies (they left OpenAI seeing it as completely cavalier
about AI risks), or if the OpenAI board absurdity cured them of that.

Previous: Culture Clash Conjecture: Amazon and Anthropic

The AI Doomer Soap Opera

Even Nick Bostrom, the father of the paperclip maximizer, “is worrying he may
have yelled “Terminator!” in a crowded theater.”

Previous: Why Not Cut Out the Middleman and Just Name AI Safety Rules After
Dystopian Science Fiction Movies?, Existential Risk Now Has a Precise Threshold,
You Can’t Spell Alien Invasion Without A and I, Existential AI Risk +
Twitter-level Nuance

The AWS Generative AI Soap Opera

ChatGPT launched a year ago on November 30th, right in the middle of AWS’s
annual re:invent developer conference. AWS has been talking incessantly about
generative AI ever since, but because their release cycle is wrapped around
re:invent, we’ve been waiting for this last week to see if their bits match
their words. The short answer is no, and re:invent was another episode of
talking way too much about generative AI relative to what was delivered. The
claim to be “reinventing generative AI” with a bunch of late and me-too
announcements just hurts their credibility. We got a lot of “three-tier
strategy” arm-waving (note there is no actual foundation model tier) and
glorification of fondue and cuckoo clocks (i.e. ye old Switzerland strategy).
I’m not alone in being underwhelmed:

It is totally fine to say you’re just going to be an infrastructure provider for
generative AI (especially if that is what you’re doing). But claims to
leadership in all things when you’re manifestly not competitive (or even
present) don’t help your cause. And the more you talk about generative AI, the
more you distract from your palpable plumbing prowess, where you are the leader
and what the vast majority of your customers care most about. In other words,
don’t overindex on your weaknesses, yet here we are.

There were also a bunch of IBM vibes, between the repeated reminders of
long-past glories and vague claims that “only we can provide enterprise
capabilities”, like IBM made about cloud computing (except for the having an
actual cloud part).

In terms of the announcements, the Q “spokesmodel” looks to be a RAG chatbot of
AWS documentation, presumably on Anthropic (and the q about the NYT story on Q
being for general information workers is whether that was Amazon exaggeration or
just the Times’ traditional struggles with understanding technology). Titan
Image Generator I suspect is Stable Diffusion under the hood. Guardrails is the
AWS version of the Copilot stack. And still no sign of a competitive LLM of
their own (and it gets harder and harder to catch up with every passing day).
But most of all, the “three steps into a 10k race” metaphor seems to have
finally been deprecated, for which we are all thankful.

Previous: re:Invent or irrelevant?, Scuttling Titan(ic), Scaling Olympus?,
Anthropic Adds Billions For More Existential AI Hand-wringing, Culture Clash
Conjecture: Amazon and Anthropic, Titan or Titanic?, The Amazon AI Inferiority
Complex

Instability AI

Previous: Stability AI: Not So Stable, Seeing Post Facto Red Flags Ex Ante

Private Equity Shot: VMware

Private Equity Chaser: VMware

Broadcom isn’t a private equity firm, but they’re absolutely running the private
equity playbook. History strongly suggests price increases are next. RIP VMware.

Software Migration Alert: VMware

When private equity comes amalgamating, it is time to start migrating. Why?
Because private equity ruins software companies.

Previous: Perfidious Private Equity, Software Migration Alert: Avid Technology,
Software Migration Alert: EngageSmart, This Week’s Software Migration Alerts

Software Migration Alert: Rover

When private equity comes amalgamating, it is time to start migrating. Why?
Because software companies go to the dogs under private equity ownership.

“We Have the GPUs!!!”

I don’t know this research firm but interesting if true.

And the claim “server unit shipments for 2023 could crash by up to 20 percent”
isn’t auspicious for Team Repatriation. Nor are Dell (servers and networking
+9%) and HPE’s (“The Compute division, which contains HPE’s traditional server
business, dropped 31% to $2.6 billion, a steeper fall than analysts projected”)
latest results.

Previous: Cloud Repatriation: The Search Continues, Cloud Repatriation: Still
Not a Thing, Platformonomics Repatriation Index – Q1 2023: Surf’s Up?, The
Inexorable Attraction Between Terrible Things: Cloud Repatriation and Private
Equity

Company Killed By Its Customers

Elon wants you to know that eX-Twitter’s problems have absolutely nothing to do
with erratic 3am decisions by a part-time CEO who doesn’t understand the
business for which he drastically overpaid.

Related: Elon Tries to Cheer Up Linda Yaccarino After Her Trainwreck Code
Conference Interview, Says “Hold My Beer” (watch the whole interview with
Jonathan — there is so much more than Elon telling advertisers to f*ck off)

Technology and the Liberal Arts

Apple’s control freak censorship proclivities make it very hard to be “the new
HBO” and perhaps signal the end of the golden age of television.

Previous: Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Apple


December 4
18.6.2024, 16:30 All Things Distributed (Feed)
Tech predictions for 2024 and beyond
The coming years will be filled with innovation in areas designed to democratize
access to technology and help us keep up with the increasing pace of every-day
life -- and it starts with Generative AI.

December 1
Today, 17:55 ongoing by Tim Bray (Feed)
Late Light

Late in the year, I mean. We’re hurtling toward the solstice and the photon flow
in the short hours between official sunup and sundown hardly deserves the name
“daylight”. But when the Pacific Northwest cloud and rain and fog let up, the
always-slanting sunlight is very pure.

Which I plan to salute but then disrespect via whimsical photomanipulation. Not
apologizing either.

What happened was, I ran a few neighborhood errands in the rare November clarity
and then there was this tree.

That’s about how it looked.

[Narrator: Enter Lightroom.]

But here’s the thing. That torrent of autumnal yellow is cool and I liked it,
but I thought, well, maybe I could do something with that; good raw material!
Say, turn it down a bit so the color is speaking not shouting.

And yes, I liked that color and thought it freed up the tree’s shape.

And the sky looks nice too but I think also distracting.

The observant reader will have noticed that I was walking round the tree
pointing my phone at it, which all the strangers who noticed smiled and nodded
at, because those leaves.

Anyhow, subtracting color seemed to be going in a good direction, so why not Go
All The Way?

Look at the right edge of the photo, there’s a B&W bird! If you believe shape
and contrast are the most important things about a picture, this one subtracts
everything else.

I think I’ve done enough to that poor tree. Just a little later, I pointed the
lens (by the way everything here is Pixel 7) at the sidewalk just in front of my
feet.

Those would be oak leaves.

Winter sucks and there’s plenty of it incoming. It will however not be entirely
free of light, so keep your eyes open.


November 30
Today, 14:28 Phil Windley's Technometria (Feed)
SSI is the Key to Claiming Ownership in an AI-Enabled World

I've been trying to be intentional about using generative AI for more and more
tasks in my life. For example, the image above is generated by DALL-E. I think
generative AI is going to upend almost everything we do online, and I'm not
alone. One of the places it will have the greatest impact is its use in personal
agents, determining whether or not these agents enable people to lead effective
online lives.

Jamie Smith recently wrote a great article in Customer Futures about the kind of
AI-enabled personal agents we should be building. As Jamie points out: "Digital
identity [is how we] prove who we are to others." This statement is particularly
resonant as we consider not just the role of digital identities in enhancing
personal agents, but also their crucial function in asserting ownership of our
creations in an AI-dominated landscape.

Personal agents, empowered by AI, will be integral to our digital interactions,
managing tasks and providing personalized experiences. As Bill Gates says, AI is
about to completely change how you use computers. The key to the effectiveness
of these personal agents lies in the robust digital identities they leverage.
These identities are not just tools for authentication; they're pivotal in
distinguishing our human-generated creations from those produced by AI.

In creative fields, for instance, the ability to prove ownership of one's work
becomes increasingly vital as AI-generated content proliferates. A strong
digital identity enables creators to unequivocally claim their work, ensuring
that the nuances of human creativity are not lost in the tide of AI efficiency.
Moreover, in sectors like healthcare and finance, where personal agents are
entrusted with sensitive tasks, a trustworthy, robust, self-sovereign identity
ensures that these agents act in harmony with our real-world selves, maintaining
the integrity and privacy of our personal data.

In this AI-centric era, proving authorship through digital identity becomes not
just a matter of pride but a shield against the rising tide of AI-generated
fakes. As artificial intelligence becomes more adept at creating content—from
written articles to artwork—the line between human-generated and AI-generated
creations blurs. A robust, owner-controlled digital identity acts as a bastion,
enabling creators to assert their authorship and differentiate their genuine
work from AI-generated counterparts. This is crucial in combating the
proliferation of deepfakes and other AI-generated misinformation, ensuring the
authenticity of content and safeguarding the integrity of our digital
interactions. In essence, our digital identity becomes a critical tool in
maintaining the authenticity and trustworthiness of the digital ecosystem,
protecting not just our intellectual property but the very fabric of truth in
our digital world.

A good place to start is with our "humanness." On an earlier version of this
post, Timo Hotti commented that the most important use of verifiable credentials
might be to prove that you're human. There are a number of ways to do this.
Proof that I have a driver's license, at least for now, proves that I'm human.
Bank credentials could also be used to prove humanness because of
know-your-customer (KYC) regulations. I suggested something like this a year or
so ago as a way of cutting down on bots on Twitter.

As we embrace this new digital frontier, the focus must not only be on the
convenience and capabilities of AI-driven agents but also on fortifying our
digital identities so that your personal agent is controlled by you. Jamie ends
his post with five key questions that we shouldn't lose sight of:

 * Who does the digital assistant belong to?
 * How will our personal agents be funded?
 * What will personal agents do tomorrow that we can’t already do today?
 * Will my personal agent do things WITH me and FOR me, or TO me?
 * Which brands will be trusted to offer personal agents?

Your digital identity is your anchor in the digital realm, asserting our
ownership, preserving our uniqueness, and fostering trust in an increasingly
automated world, helping you operationalize your digital relationships. The
future beckons with the promise of AI, but it's our digital identity that will
define our place in it.

Tags: ssi identity verifiable+credentials ai


November 28
24.6.2024, 6:00 SEI Blog (Feed)
Don’t Wait for ROI on Model-Based Analysis for Embedded Computing Resources
This SEI Blog post examines the design and implementation of embedded computing
resources for CPS, the complexities of which drive the need for model building.

November 28
Today, 9:19 mark nottingham (Feed)
How to Run an Australian Web Site in 2024

A while back, the eSafety Commissioner declined to register the proposed
Industry Codes that I’ve previously written about. Now, they’ve announced a set
of Industry Standards that, after a comment period, will likely be law.

If you run an online service that’s accessible to Australians, these Standards
will apply to you. Of course, if you don’t live here, don’t do business here,
and don’t want to come here, you can probably ignore them.

Assuming you do fall into one of those buckets, this post tries to walk through
the implications, as a list of questions you’ll need to ask yourself.

I’m going to try to focus on the practical implications, rather than “showing my
work” by deep-diving into the text of the standards and supporting legislation.
This is based only upon my reading of the documents and a minuscule dollop of
legal education; if there are things that I get wrong, corrections and
suggestions are gladly taken. Note that this is not legal advice, and the
Standards might change before they’re registered.

Does the Standard Apply to Your Service?

The first question to answer is whether your service is covered by the Online
Safety (Designated Internet Services – Class 1A and Class 1B Material) Industry
Standards 2024.

The short answer is “yes, even that one.”

A Designated Internet Service (DIS) is one that allows “end-users to access
material using an Internet carriage service.” This is a very broad definition
that explicitly applies to Web sites. For simplicity, the remainder of this
article will assume your service is a Web site, even though other information
services can be a DIS.

In a nutshell, if “none of the material on the service is accessible to, or
delivered to, one or more end-users in Australia”, your site is exempt.
Otherwise, it’s covered (unless one of the other Codes or Standards takes
precedence; see below).

So whether you’re Elon Musk or you have a personal Web site with no traffic,
this standard applies to you, so long as it’s available to one Australian person
– even if none actually visit. Don’t be fooled by “Industry” in the title. That
default page that your Web server comes up with when your new Linux box boots
for the first time? Covered. Note that it doesn’t even need to be on the public
Internet; things like corporate Intranet sites are covered, as are content-free
static sites like those used to park domains.

Given how broadly the legislation and standard are written, combined with how
prevalent HTTP and similar protocols are on today’s Internet, it’s also
reasonable to say that APIs are covered; there’s no inherent restrictions on
formats or protocols in the eSafety standards – in fact, the definition of
material in the Act includes “data”.

So, to be safe, any server available on the Internet is covered by the eSafety
scheme, so long as it can be accessed by Australians.

Do You Need a Risk Assessment?

Assuming that your site is covered by the Standard, your next step is to figure
out whether you need to perform a risk assessment.

Assuming that you’re not running a large commercial web site, a (ahem) “high
impact” service (i.e., one that specialises in porn, violent content, and
similar), or an AI-flavoured service, there are two interesting categories that
might get you out of performing a risk assessment.

The first is a “pre-assessed general purpose DIS.” You can qualify for this if
you don’t allow users in Australia to post any material (including comments), or
if posting is “to review or provide information on products, services, or
physical points of interest or locations made available on the service.” It’s
also OK if they are “sharing […] with other end-users for a business,
informational, or government service or support purpose.”1

Does it seem like your site qualifies? Not so fast; that only covers
“pre-assessment.” A general purpose DIS is a

website or application that […] primarily provides information for business,
commerce, charitable, professional, health, reporting news, scientific,
educational, academic research, health, reporting news, scientific, educational,
academic research, government, public service, emergency, or counselling and
support service purposes.

Unless your site falls cleanly into one of those categories, you don’t have a
general purpose DIS.2

The second is an “enterprise DIS.” This is a site where “the account holder […]
is an organisation (and not an individual).” Basically, if your users are
companies or other organisations and not individual people, you don’t have to do
an assessment.

What Does Your Risk Assessment Contain?

Assuming you need a risk assessment (spoiler: you probably do, to be safe), you

 must formulate in writing a plan, and a methodology, for carrying out the
assessment that ensure that the risks mentioned in subsection 8(1) in relation
to the service are accurately assessed.

The risk referred to is that class 1A or class 1B material will be “generated or
accessed by, or distributed by or to, end-users in Australia using the service.”
Storage of such material is also included (even if it isn’t accessed).

To answer your next question, class 1A material is “child sexual exploitation
material”, “pro-terror material”, or “extreme crime and violence material.”
class 1B material is “crime and violence material” and “drug-related material.”
There are long definitions of each of these kinds of material in the standard; I
won’t repeat them here.

Your risk assessment must “undertake a forward-looking analysis” of what’s
likely to change both inside and outside of your service, along with the impact
of those changes. It’s also required to “specify the principle matters to be
taken into account”, including eleven factors such as “the ages of end-users and
likely end-users”, “safety by design guidance”, AI risks, terms of use, and so
forth.

Your risk assessment has to be written down in detail. You must also “ensure
that [it] is carried out by persons with the relevant skills, experience, and
expertise” – although it’s not yet clear what that means in practice or how it
will be enforced.3

What’s Your Risk Profile?

Once you’ve done a risk assessment, you’ll have a risk profile – one of Tier 1,
Tier 2, or Tier 3.

Let’s assume your site has no user-generated content, and you only upload very…
normal… content – like this site.4 You’re likely to be Tier 3.

If so, congratulations! Your work is just about done. Sections 34, 40, and 41 of
the Standard apply to you – basically, the eSafety Commissioner can demand that
you provide them with your risk assessment and how you arrived at it. You also
have to investigate complaints, and keep records.

If you’re not Tier 3 – for example, you blog about drugs or crime, or you allow
user uploads or comments, there are a whole slew of requirements you’ll need to
conform to, which are well out of scope for this blog entry (since I’m mostly
interested in the impact of regulation on small, non-commercial sites). Tip: get
some professional help, quickly.

What Other Standards Will Apply?

Keep in mind that we’ve gone through just one of the proposed Standards above.
The other one is about e-mail and chat services, so if you run a mail server (of
any flavour – maybe even on your infrastructure?), a chat server (e.g., Prosody,
jabberd), or Mastodon server, buckle up.

There are also another set of Industry Codes that cover things like hosting
services, app stores, social media, search engines, and operating systems, if
you happen to provide one of those.

Keep in mind that if you change anything on your site that impacts risk (e.g.,
adding a comment form), you’ll need to re-assess your risk (and likely conform
to new requirements for reporting, etc.).

What Does Enforcement Look Like?

There are a lot of small Internet services out there – there are a lot of IP
addresses and ports, after all. I suspect many people running them will ignore
these requirements – either because they don’t know about them, they think
they’re too small, that the eSafety Commissioner won’t care about their site, or
they’re willing to run the risk.

What is the risk, though?

Section 146 of the Online Safety Act 2021 sets the penalty for not complying
with an Industry Standard at 500 penalty units – currently, AU$156,500 (a bit
more than US$100,000).

In practice, the eSafety Commissioner is unlikely to come after any site if its
content isn’t problematic in their eyes. Whether you want to rely upon that is
up to you. Because the legislation and standard don’t have any exemptions for
small services – even with limited audiences – you are relying upon their
discretion if you don’t have a risk assessment ready for them.

What Do You Really Think?

Improving online safety is an important task that needs more focus from society,
and I’m proud that Australia is trying to improve things in this area. I’m
critical of the eSafety Industry Codes and now Standards not because of their
objective, but because of their unintended side effects.

Both the enabling instrument and this delegated legislation are written without
consideration for the chilling effects and regulatory burden they create on
parties that are arguably not its target. Requiring professional risk assessment
raises costs for everyone, and creates incentives to just use big tech
commercial services, rather than self host – leaning us further into things
being run by a few, big companies.

Moreover, if a small personal site is distributing child porn or inciting
terrorism, they’re not going to be caught because it doesn’t have a properly
considered risk assessment ready to produce on demand – the eSafety Commissioner
already has a range of other powers they can use in that case. They don’t have
the resources to go after the countless small services out there for compliance
issues, so all that will remain is the lingering chilling effects of these
pointless requirements.

I get that most people will ignore these requirements, and the eSafety
Commissioner is presumably relying upon that to give them the leeway to go after
the people they need to target. I just think that creating laws that can be
applied with so much discretion – where technically everyone is in violation,
and the regulator can pick who they prosecute – is a shitty way to run a
democracy.

1. Is it just me, or is “informational” a hole big enough to drive a truck
through here?

2. Notably, the site you’re reading this on doesn’t clearly qualify for any of
them, and so when these codes are registered, I’ll likely be doing a risk
assessment (and posting it), even though it doesn’t allow comments any more
(because, spam).

3. This seems to foretell the establishment of a new industry.

4. Although it’s always tempting to write a blog entry that depicts, expresses or
otherwise deals with matters of drug misuse or addiction in such a way that the
material offends against the standards of morality, decency and propriety
generally accepted by reasonable adults to the extent that the material should
be classified RC.


February 240
Today, 14:28 Phil Windley's Technometria (Feed)
dApps Are About Control, Not Blockchains

Summary: Decentralized applications, where the identity and application data are
both controlled by the person using the app, provide the means of
disintermediating companies who leverage their privileged position to work for
their own interests and against ours.

I recently read Igor Shadurin's article Dive Into dApps. In it, he defines a
dApp (or decentralized application):

The commonly accepted definition of a dApp is, in short, an application that can
operate autonomously using a distributed ledger system. From Dive Into dApps
Referenced 2023-11-12T15:39:42-0500

I think that definition is too specific to blockchains. Blockchains are an
implementation choice and there are other ways to solve the problem. That said,
if you're looking to create a dApp with a smart contract, then Igor's article is
a nice place to start.

Let's start with the goal and work backwards from there. The goal of a dApp is
to give people control over their apps and the data in them. This is not how the
internet works today. As I wrote in The CompuServe of Things, the web and mobile
apps are almost exclusively built on a model of intervening administrative
authorities. As the operators of hosted apps and controllers of the identity
systems upon which they're founded, the administrators can, for any reason
whatsoever, revoke your rights to the application and any data it contains.
Worse, most use your data for their own purposes, often in ways that are not in
your best interest.

dApps, in contrast, give you control of the data and merely operate against it.
Since they don't host the data, they can run locally, at the edge. Using smart
contracts on a blockchain is one way to do this, but there are others, including
peer-to-peer networks and InterPlanetary File System (IPFS). The point is, to
achieve their goal, dApps need a way to store data that the application can
reliably and securely reference, but that a person, rather than the app
provider, controls. The core requirement for achieving control is that the data
service be run by a provider who is not an intermediary and that the data model
be substitutable. Control requires meaningful choice among a group of
interoperable providers who are substitutable and compete for the trust of their
customers.

I started writing about this idea back in 2012 and called it the Personal Cloud
Application Architecture. At the time the idea of personal clouds had a lot of
traction and a number of supporters. We built a demonstration app called Forever
and later, I based the Fuse connected car application on this idea: let people
control and use the data from their cars without an intermediary. Fuse's
technical success showed the efficacy of the idea at scale. Fuse had a mobile
app and felt like any other connected car application, but underneath the
covers, the architecture gave control of the data to the car's owner. Dave Winer
has also developed applications that use a substitutable backend storage based
on Node.

Regular readers will wonder how I made it this far without mentioning picos.
Forever and Fuse were both based on picos. Picos are designed to be self-hosted
or hosted by providers who are substitutable. I've got a couple of projects
tee'd up for two groups of students this winter that will further extend the
suitability for picos as backends for dApps:

 * Support for Hosting Picos—the root pico in any instance of the pico engine is
   the ancestor of all picos in that engine and thus has ultimate control over
   them. To date, we've used the ability to stand up a new engine and control
   access to it as the means of providing control for the owner. This project
   will allow a hosting provider to easily stand up a new instance of the engine
   and its root pico. For this to be viable, we'll use the support for peer DIDs
   my students built into the engine last year to give owners a peer DID
   connection to their root pico on their instance of the engine and thus give
   them control over the root pico and all its descendants.
 * Support for Solid Pods—at IIW this past October, we had a few sessions on how
   picos could be linked to Solid pods. This project will marry a pod to each
   pico that gets created and link their lifecycles. This, combined with their
   support for peer DIDs, makes the pico and its data movable between engines,
   supporting substitutability.

If I thought I had the bandwidth to support a third group, I'd have them work on
building dApps and an App Store to run on top of this. Making that work has a
few other fun technical challenges. We've done this before. As I said, Forever
and Fuse were both essentially dApps. Manifold, a re-creation of SquareTag, is a
large dApp for the Internet of Things that supports dApplets (is that a thing?)
for each thing you store in it. What makes it a dApp is that the data is all in
picos that could be hosted anywhere...at least in theory. Making that less
theoretical is the next big step. Bruce Conrad has some ideas around that he
calls the Pico Labs Affiliate Network.

I think the work of supporting dApps and personal control of our data is vitally
important. As I wrote in 2014:

On the Net today we face a choice between freedom and captivity, independence
and dependence. How we build the Internet of Things has far-reaching
consequences for the humans who will use—or be used by—it. Will we push forward,
connecting things using forests of silos that are reminiscent the online
services of the 1980's, or will we learn the lessons of the Internet and build a
true Internet of Things? From The CompuServe of Things
Referenced 2023-11-12T17:15:48-0500

The choice is ours. We can build the world we want to live in.

Tags: dapps picos blockchain pcaa


November 230
Today, 17:55 ongoing by Tim Bray (Feed)
Green and Brown Sauce

Here’s a simple dish that hits the spot as Winter’s chilly dimness comes at us
from all directions. It’s a pasta sauce featuring crispy bacon and braised
greens.

Here are the ingredients: Bacon that I’ve cut up into little squares and sizzled
for twenty or so minutes starting with a bit of olive oil, until they’re that
nice golden-brown shade. Then some braising greens: Kale and chard in this case.
Note: The proportions in the picture are wrong, there should be more greens,
they always cook down more than I expect. Now, the brown fluid…

You’re going to want some liquid for the braising, and it needs to add flavor.
I’ve seen recipes with wine, broth, beer, and so on. So if there’s nothing in
the fridge you can always make a bit of broth with bouillon. In this case it’s
miso soup, home-made by Lauren because we were too baffed to cook a couple
nights ago and ordered in sushi. Worked great.

Braising

It’s a two-stage process: Brown then simmer. Now, if you’ve got a frying pan
that you’ve just cooked bacon in, you can discard most of the fat then brown the
greens right there. Not for long; a minute is plenty. Then you toss in the
braising fluid, which should only half-cover the veggies.

Timing

The preparatory chopping and crisping takes a while; you want to start working
on this meal 45 minutes before dinner time. In the ingredients picture you can
see that I set the crispy bacon aside.

This evening I was making spaghettini, which only need six or so minutes on the
boil. That’s plenty of time to do the braising. So there’s co-ordination
required, to get the water boiling and the pan simultaneously hot. I toss the
bacon in almost immediately after the broth to share the flavor around, and then
when the pasta’s only got a minute or so to go I scoop some of its water into
the frying pan too, because I read that something proteins something coating
something.

Anyhow, you’re done. Plate the pasta, put the greens and bacon on top, pour some
of the fluid over it.

Bon appetit!

Not writing in this space too much in the moment because I’m workin’ for The Man
and There Is A Deadline. Also playing defense more than I’d like. Hang in there,
folks.


November 230
24.6.2024, 6:00 SEI Blog (Feed)
Explainability in Cybersecurity Data Science
This post provides an overview of explainability in machine learning and
includes illustrations of model-to-human and human-to-model explainability.

November 200
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #31: November 17, 2023

Welcome to the New and Improved Platformonomics.

Subscribe to get this weekly newsletter and other posts delivered via email.

No issue next week due to an anticipated food coma.

GPUs are CAPEX; CAPEX is Increasingly GPUs

John Luttig has an excellent piece entitled “NVIDIA Envy” examining GPU supply
and demand today and into the future. In particular he tries to triangulate
hypercloud investment and says “each player spends ~20-35% of data center capex
on GPU build-outs”. That might be a little high given we’re really only seeing a
CAPEX spike at Microsoft. He suggests the hyperclouds are buying half of all
H100s and Microsoft was likely 29% of NVIDIA’s data center revenue in the most
recent quarter. Like everyone, he mulls the question of when GPU scarcity turns
into a glut.

Previous: Q3 Cloud CAPEX, Q2 Cloud CAPEX, The Google CAPEX Mystery, Follow the
CAPEX: Cloud Table Stakes 2022 Retrospective

re:Invent or irrelevant?

The annual AWS developer conference approaches at the end of this month. Last
year’s re:Invent keynote was pretty tedious, with innovation going increasingly
asymptotic. But the next day, Open AI launched ChatGPT, resetting the industry
focus and irritating AWS to no end (industry leaders hate it when something new
disrupts their comfortable way of life and leadership status — I learned that at
Microsoft in 1995).

This year AWS no doubt will loudly and repeatedly proclaim they are a player in
generative AI. (Maybe they’ll even take their long awaited “fourth step”). The
question is whether they will have code to back up all their words and
demonstrate they’re on the frontier. With Google luring Anthropic back to a
non-exclusive position, Amazon either needs to have made phenomenal progress on
internal development, or we’re going to be back to a lot of arm waving about
being Switzerland, having a three-tier strategy and tired metaphors. Given their
annual release cadence around this event, the pressure is on to deliver
something this month that substantiates their claims to be relevant in the
generative AI stack.

Previous: Scuttling Titan(ic), Scaling Olympus?, Anthropic Adds Billions For
More Existential AI Hand-wringing, Culture Clash Conjecture: Amazon and
Anthropic, Titan or Titanic?, The Amazon AI Inferiority Complex

BREAKING: Depreciation Schedules

NVIDIA announces the H200, a successor to the much coveted H100. Awaiting word
on how this impacts the GPU collateralization market with their assumption H100s
have a six year useful life.

Previous: Depreciation Schedules Meet Moore’s Law, GPUs as an Asset Class, GPUs
Are Better Than Any Financial Asset (For Now), Brother, Where Art Thy GPUs?

BREAKING: EU Considers Regulating Screen Colors

The stigma endures! Once the EU finishes its search engine, cloud computing
service and LLM, maybe they can do a messaging system?

When “Move Fast and Regulate Things” Breaks Down

Being first provided at least some plausible excuse for having no idea what you
were regulating. But clueless and last? Embarrassing.

Previous: AI Regulation: Move Fast and Regulate Things

Tumbleweeds In The Metaverse

JP Morgan shutters its metaverse thingy:

In early 2022, JPMorgan Chase proudly claimed it was the first bank to enter the
metaverse.

Inside a crypto-focused virtual world called Decentraland, users could visit the
swanky Onyx lounge, named after the bank’s blockchain operations, to mingle with
fellow crypto enthusiasts and watch videos of the bank’s experts discussing
crypto markets.

A virtual portrait of a beaming Jamie Dimon hung on the wall just below the Onyx
logo. A digital tiger roamed the floor. At the time, the bank said that the
metaverse could “lead to uniquely new services and business models” and that
“the virtual real estate market could start seeing services much like in the
physical world, including credit, mortgages and rental agreements.”

But in June, just a year and a half after it opened, JPMorgan quietly shut down
the Onyx lounge as its visitor numbers sank toward zero.

I may have missed the window to write up my dream of applying a Georgist tax
regime to the metaverse.

Previous: Things I Don’t Understand: Pricey Metaverse Real Estate, Things I
Still Don’t Understand: Pricey Metaverse Real Estate
Related: The ‘Georgists’ Are Out There, and They Want to Tax Your Land

IBM Touchy About Being Associated With Nazis

Perhaps with good cause.

Related: IBM Screws Employees, Again


December 40
The New and Improved Platformonomics

Everyone needs their own homestead on the Internet: a place to opine, ponder,
share, expound, sermonize, debate, learn, connect, gather feedback, be found,
pursue passions, do business, and whatever else keeps you out of trouble (or in
it).

But exercising dominion over your personal plot of digital turf requires some
effort, and shouldn’t be outsourced to Big Tech, no matter how easy they make
it.

As we learn over and over again, the digital landlords have their own interests
and will happily sacrifice yours. Whether it is evolving business priorities,
algorithmic changes, moderation policies or just a proclivity for making erratic
decisions at 3am, being an Internet sharecropper brings needless torment. You
must own your own domain and web site as the foundation of your digital
existence.

I’ve been amusing myself here since 2005 and the post-Twitter turmoil is
motivation to double down. I write to think, share, shitpost, and elicit both
feedback and scrutiny of my various theories about the world. I chronicle my
obsessions and compulsively pull threads (often long after the point has been
made). I surf the hype cycle and am prone to allergic convulsions when
confronting BS. That will all continue, even as some other things here change.

Welcome to the latest incarnation of Platformonomics.

New Design

You’ll notice a new design actually optimized for reading. There is less noise –
all the sidebar stuff is gone. And the fonts should no longer hurt your eyes.

The new design supports my weekly Platformonomics TGIF newsletter as well as the
more traditional (but less frequent) longer posts.

Platformonomics TGIF is a weekly roll-up of links, commentary, updates and
occasional snark. The goal is quicker posts that complement my less frequent
essays and allow more timely pulling of those pet threads. A lot of what once
would have been tweeted now shows up in the newsletter.

Get Updates By Email

Subscribe

You can read it here, or subscribe via RSS, ActivityPub or email. I’ll link to
my posts on Twitter until Elon demands money, and cross-post to Blue Sky,
LinkedIn and Threads. But the epicenter is right here.

Moving to WordPress.com

In addition to the new design, I’m also moving to the WordPress.com mothership.
I’ve run this blog using WordPress software for almost thirteen years, but at
another hoster. I’m excited about the boost WordPress.com brings to reliability,
security and scalability (bring it Hacker News!). And a full set of integrated
services means I don’t have to play Tetris with plug-ins.

My previous hoster has been deteriorating on multiple axes. Down time is way up.
Prices are increasing even as quality declines. And what was once high-quality
support has been shipped overseas. It is almost like they were bought by private
equity. Oh, wait, they were. So I’m following my mantra of “When private equity
comes amalgamating, it is time to start migrating”.

I considered Substack, but WordPress can do everything Substack can (sign up to
receive my newsletter!) and much more, which both broadens options and preserves
optionality. Substack has too narrow an aperture with its focus on email
newsletters. I also worry Substack suffers from the classic startup curse of
having been force fed too much capital at too high a valuation from VC investors
too eager for a quick return. Indigestion kills lots of startups.

Thanks to the folks at Automattic for all the help with the migration.

Future Directions

Beyond writing more, my hope is to drive more interaction with all the fabulous
readers of this site. As Twitter continues to deteriorate, I miss the debate,
insights, and people calling me on my malarkey that used to happen there. More
comments here please! I am exploring other ideas to make this site a better
place for discussion and discourse over and above traditional comments.

Any reactions to the new design?


December 40
24.6.2024, 6:00 SEI Blog (Feed)
Generative AI Q&A: Applications in Software Engineering
This post explores the transformative impacts of generative AI on software
engineering as well as its practical implications and adaptability in
mission-critical environments.

November 160
18.6.2024, 16:30 All Things Distributed (Feed)
Standing on the shoulders of giants: Colm on constant work
The Builders' Library gathers the expertise of Amazon's most experienced builders
in one place. One article that really got me thinking was Colm MacCárthaigh's
"Reliability, constant work, and a good cup of coffee" which is about an
anti-fragility pattern that he developed for building simple, more robust, and
cost-effective systems.

November 170
24.6.2024, 6:00 SEI Blog (Feed)
The OSATE Slicer: Fast Reachability Query Support for Architectural Models
Our post introduces the OSATE Slicer, a new extension to the Open Source AADL
Tool Environment that adapts a concept called slicing to architectural models of
embedded, critical systems.

November 130
Today, 17:55 ongoing by Tim Bray (Feed)
Global Sensor Bandwidth

The photo-world is all agog over Sony’s just-announced (but not shipping till
next year) high-end ($6K) camera, the ɑ9 III, because it has a “global sensor”.
No, the “global” label didn’t mean anything to me either, when I first read it.
The write-ups about it have explainers and cool pictures (PetaPixel, DPReview).
I found myself wondering “What is this thing’s bandwidth?” and thus this note.
I’ll toss in another little explainer so you don’t have to click on a link like
a savage.

Non-global shutters

A digital camera sensor has millions of pixels arranged on a grid (in
non-obvious and geometrically interesting ways, but let’s not go there); they
are analog devices that measure how many photons hit them. To produce a digital
image the camera runs a bunch of voodoo across the sensors to produce a digital
integer array that can be saved in memory and eventually displayed as a colored
image on a screen.

But wait, how does the camera go about arranging for the photons to hit the
sensor? Well, there can be an actual physical shutter that opens for a very
short time and then closes again, or there can be a purely electronic-mode
“shutter” that turns on the pixels then reads the values off them after enough
time has passed.

But a physical shutter takes nonzero time to traverse the face of the sensor, so
the pixels at the top are not exposed at the same instant as the pixels at the
bottom. (Of course it’s more complicated than that, there are shutter geometries
and other design tricks but let’s not go there.) Which is normally OK, but
suppose you’re taking a picture of something that’s moving fast. Then you can
get what’s called “banding” or “rolling shutter”, which usually shows up as unwanted
curvature. There are other problems with synchronizing a flash (but I don’t use
those) and in video mode.

Electronic shutters don’t make this problem go away. The pixels are arranged in
an array (On my Fujifilm X-T30 6240x4160, on my Pixel 7 4080x3072) and are
typically read off about as you’d expect, a row at a time. Which in practice is
like a shutter.

“Global shutter”

You’ve likely already figured it out. These things advertise that they read all
the pixels off the sensor at once. So, no matter how fast your subject is
moving, you’ll get an image of what it really looked like. And those flash and
video problems vanish. And because circuits are faster than shutters, you can
shoot at an eighty thousandth of a second.

All of which probably doesn’t do much for me, I take pictures of oceans and
flowers and trees mostly. But for people who shoot sports or wildlife or in
extreme lighting situations, this is probably a big deal. And there’s no need
for a physical shutter at all; any time you can get rid of a moving part, that’s
a win.

“Simultaneously?”

One result of all this is that the ɑ9 III can take 120 shots/second. At this
point I should mention that it has 24.6M pixels, small by modern high-end-camera
standards. So, first of all I was wondering how you read those data points
“simultaneously”. I’m not a microelectronics whiz but a few jobs ago I learned a
lot about memory controllers and, well, that’s a lot of integers to move all at
once. Then I wondered, what’s the bandwidth at 120 frames/second?

The first question that arises is, how many bytes is 24.6 million pixels?
Starting with, how many bits per pixel? The answer to this is less obvious. My
first assumption was that since the pixels on my screen have 24 bits of RGB
information it’d be three bytes/pixel, but no, each pixel only measures the
dynamic range of one color, then a process called demosaicing produces the RGB
pixels. So I thought maybe just 8 bits/pixel? As with everything else, it’s more
complicated than that; the answer seems to be somewhere between 10 and 16
bits/pixel.

So I scribbled some Ruby code, whose single argument is a guess at the number of
bits per pixel, and computes how many GB/second those 120 shots are. Here’s the
Ruby in case you want to check my arithmetic.

    # Bytes per second coming off the sensor at the given bits per pixel
    def data_rate(bits_per_pixel)
      pixels = 24.6 * 10**6
      shots_per_second = 120
      bits_per_sensor = pixels * bits_per_pixel
      bytes_per_sensor = bits_per_sensor / 8.0
      bandwidth = bytes_per_sensor * shots_per_second
    end

    # Single argument: a guess at the number of bits per pixel
    bpp = ARGV[0].to_f
    bw = data_rate(bpp)
    bw_in_g = bw / 10**9
    puts "data rate #{bw_in_g}G"

If you trust that Ruby code, at 10 bits/pixel, the camera is moving 3.69GB/sec;
5.90GB/sec at 16. Which I think is a pretty neat trick for a consumer product,
even a high-end one.

The future

It seems likely that global shutters will probably get a lot cheaper and become
a feature of almost every serious camera. Because those circuit designers and
semiconductor-wranglers are really smart people, and you just know they’re going
to find a whole lot of ways to take this v1.0 implementation and make it cheaper
and better.

What’s interesting is, it’s not obvious to me whether or not global shutters will
be ubiquitous in mobile-phone cameras. They have way more CPU but way less room
inside. We’ll see.

But, you know what, I’d sort of thought that we were in a plateau of excellence
in camera design, wasn’t expecting any really significant new features to show
up. But what with C2PA and now this in the last couple of weeks, it’s pretty
clear I was wrong. Fun times!


November 140
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #30: November 10, 2023

Subscribe now before Elon colocates Starship test launches with Twitter.

Scuttling Titan(ic), Scaling Olympus?

The Amazon Generative AI soap opera just never ends (and, credit to them, they
have acknowledged, more than once, it is a long distance race they have barely
started). Anthropic won’t commit to a monogamous relationship with Amazon. Titan
is looking like the Titanic. So Amazon has a new code name for their
aspirational frontier LLM: Olympus. Presumably we’ll hear all about it at
re:Invent re:GPT.

Previous: Anthropic Adds Billions For More Existential AI Hand-wringing, Culture
Clash Conjecture: Amazon and Anthropic, Titan or Titanic?, The Amazon AI
Inferiority Complex

Looking for GPUs

My favorite part of OpenAI DevDay. Is an hour a day even remotely enough?

Previous: Depreciation Schedules Meet Moore’s Law, GPUs as an Asset Class, GPUs
Are Better Than Any Financial Asset (For Now), Brother, Where Art Thy GPUs?
Related: Dumpster Diving Forgiven for GPUs, Larry Ellison Makes Pilgrimage to
Redmond

Sanctions are Not Easy

Previous: “Lord Make Me Compliant, Just Not Yet!”

New York Times Very Concerned about Hallucinations

Yet they neglected to assess the hallucination rate of their own front page:

Software Migration Alert: Avid Technology

When private equity comes amalgamating, it is time to start migrating. Why?
Because private equity ruins software companies.

Previous: Perfidious Private Equity, Software Migration Alert: EngageSmart, This
Week’s Software Migration Alerts

Understanding the Global Economy

A succinct explanation by Michael Pettis of the world’s most important economic
imbalance (Chinese over-investment/under-consumption).

Previous: Paul Krugman is Wrong Even When He is Right

Doing Your Bit to Rebalance the Global Economy

Time for everyone to help the Chinese rebalance their over-dependence on exports
by buying 10% less stuff from China.

Previous: Xi Jinping Thought on Wall Street Running Dogs, The Perils of Working
for a Cult of Personality, Press Releases We’d Like to See, Best Nickname for
Emmanuel Macron, Winnie-the-Pooh: Lover of Honey, Champion of Freedom, Missing
the (Bamboo) Forest for the (Apple) Trees


November 110
Today, 17:55 ongoing by Tim Bray (Feed)
Recent Griffiths

Back in 2014, in Saint Hilda, I posted a rave review of Nicola Griffith’s novel
Hild. I just finished its sequel Menewood and, in between, read her much-smaller
Spear. These are all extremely good books and if you like well-done portrayals
of violent conflict and royal-court politics and historical flavors and hot sex
in just about any combination, you’re apt to like these.

Hild, again

Yes, I read it again when Menewood was about to drop and boy, did I ever enjoy
doing so. I won’t revisit the details from that 2014 review linked above, just
want to re-emphasize the flavor. It blasted my suspension of disbelief to tiny
fragments, then swept them up and tossed them out. I absolutely believe that
this was what being close to the center of the action in post-Roman Britain
looked and felt and smelled like. Plus Hild and the people around her are, well,
fun to be around.

Menewood

This inhabits the world of Hild but does not move the clock that far forward.
It’s going to take Ms Griffith one more big thick book at the very least to turn
Hild into Saint Hilda, the Abbess of Whitby, and that’s a fine thing; I hope to
go along for the ride.

Now, Dear Reader, I have to share with you that I did not enjoy Menewood as much
as I had Hild. Her world built firm, Ms Griffith lets the plot lead the story
along. Yes, there are still smells and slaughters and sinful sex; the atmosphere
remains thick. But inhabiting Hild’s world is not as much fun as first exploring
it.

Also, at the center of the book, there is probably the most harrowing and
gut-wrenching sequence of fictional events and experiences that has ever kept me
shuddering as I raced through the pages. Ladies, gentlemen, and others, it does
not go well for Hild. A lot of the worst things that can happen to a human
happen and not just one at a time either. George R.R. Martin shook up his
readership pretty hard with the awful things he did to his heroes; “Hold my
beer” says Ms Griffith.

Then, the second half of the book, expanding out from the white-hot tangle of
anguish at the center, is maybe a little predictable. Didn’t stop me enjoying
it, even when I could see pretty clearly where it was heading. And I’ll buy the
next Hild book the moment it’s for sale.

Now let’s give a Griffith book an unqualified rave with no Dear-Reader tropes.

Spear

Hild and Menewood are both doorstop-size; Spear a much slighter offering, just
an evening’s reading or maybe two. It is an odd, idiosyncratic, side-looking
variation on the story of Sir Percival and the Holy Grail, which is my personal
favorite piece of Arthurian lore; at one point in mid-life I became obsessive
and Read All The Books. Hmm, should write about that someday. But I digress.

Few of the characters go by their canonical names but Arthur and Guinevere and
Lancelot and Kay and Merlin and Morgan Le Fay and Gawain are all there,
perfectly recognizable and generally good company. The story takes enjoyably
post-modern twists. And, this being Griffith, has spicy lesbian sex and bloody
passages of arms, losers usually receiving no quarter.

Griffith specialties

I have to say that Ms Griffith is preeminent among the authors I’ve read in
recent decades at depicting conflict conducted with swords and lances and
daggers and staffs and so on. In particular, Spear’s fight between Peretur and
the Red Knight is just unequalled; I defy anyone to offer up a superior literary
episode of single combat.

Let me broaden that a bit. Griffith is just really good at describing the
physical experience of life. Pain, lust, odor, heat/cold, weariness, touch,
touch, and more touch. And by the way, seventh-century Britain was a lot
smellier than the world we live in. Read these books, you’ll come as close as
you can, absent a time machine, to smelling those smells. And you’ll be glad you
did.


November 110
Today, 14:28 Phil Windley's Technometria (Feed)
Permissionless and One-to-One

Summary: Symmetric technology democratizes speech. The web, despite all the good
it's done, is fundamentally asymmetric. We need a model that is permissionless
and one-to-one.

In a recent post, Clive Thompson speaks of the humble cassette tape as a medium
that had "a weirdly Internet-like vibe". Clive is focusing on how the cassette
tape unlocked creativity, but in doing so he describes its properties in a way
that is helpful to discussions about online relationships in general.

Clive doesn't speak about cassette tapes being decentralized. In fact, I chuckle
as I write that down. Instead he's focused on some core properties. Two I found
the most interesting were that cassette tapes allowed one-to-one exchange of
music and that they were permissionless. He says:

If you wanted to record a cassette, you didn’t need anyone’s permission.

This was a quietly radical thing, back when cassette recorders first emerged.
Many other forms of audio or moving-image media required a lot of capital
infrastructure: If you wanted to broadcast a TV show, you needed a studio and
broadcasting equipment; the same goes for a radio show or film, or producing and
distributing an album. And your audience needed an entirely different set of
technologies (televisions, radios, projectors, record players) to receive your
messages.

From The Empowering Style of Cassette Tapes
Referenced 2023-11-02T08:01:46-0400

The thing that struck me on reading this was the idea that symmetric technology
democratizes speech. The web is based on asymmetric technology: client-server.
In theory everyone can have a server, but they don't for a lot of reasons
including cost, difficulty, and friction. Consequently, the web is dominated by
a few large players who act as intervening administrative authorities. They
decide what happens online and who can participate. The web is not one-to-one
and it is decidedly not permissionless.

In contrast, the DIDComm protocol is symmetric and so it fosters one-to-one
interactions that provide meaningful, life-like online relationships. DIDComm
supports autonomic identity systems that provide a foundation for one-to-one,
permissionless interactions. Like the cassette tape, DIDComm is a democratizing
technology.

Photo Credit: Mix Tape from Andreanna Moya Photography (CC BY-NC-ND 2.0 DEED)

Tags: decentralization identity ssi autonomic didcomm


November 80
Cloudless: Computing at the Edge

Summary: New use cases will naturally drive more computing away from centralized
cloud platforms to the edge. The future is cloudless.

Doc Searls sent me a link to this piece from Chris Anderson on cloudless
computing. Like the term zero data that I wrote about a few weeks ago, cloudless
computing is a great name that captures an idea that is profound.

Cloudless computing uses cryptographic identifiers, verifiable data, and
location-independent compute[1] to move apps to the data wherever it lives, to
perform whatever computation needs to be done, at the edge. The genius of the
name cloudless computing is that it gets us out of the trenches of dapps, web3,
blockchain, and other specific implementations and speaks to an idea or concept.
The abstractions can make it difficult to get a firm hold on the ideas, but it's
important to getting past the how so we can speak to the what and why.

You'd be rightly skeptical that any of this can happen. Why will companies move
from the proven cloud model to something else? In this talk, Peter Levine speaks
specifically to that question.

One of the core arguments for why more and more computing will move to the edge
is the sheer size of modern computing problems. Consider one example: Tesla Full
Self Driving (FSD). I happen to be a Tesla owner and I bought FSD. At first it
was just because I am very curious about it and couldn't stand to not have
first-hand experience with it. But now, I like it so much I use it all the time
and can't imagine driving without an AI assist. But that's beside the point. To
understand why that drives computing to the edge, consider that the round trip
time to get an answer from the cloud is just too great. The car needs to make
decisions onboard for this to work. Essentially, to put this in the cloudless
perspective, the computation has to move to where the data from the sensors is.
You move the compute to the data, not the other way around.[2]

And that's just one example. Levine makes the point, as I and others have done,
that the Internet of Things leads to trillions of nodes on the Internet. This is
a difference in scale that has real impact on how we architect computer systems.
While today's CompuServe of Things still relies largely on the cloud and
centralized servers, that model can't last in a true Internet of Things.

The future world will be more decentralized than the current one. Not because of
some grand ideal (although those certainly exist) but simply because the
problems will force it to happen. We're using computers in more dynamic
environments than the more static ones (like web applications) of the past. The
data is too large to move and the required latency too low. Cloudless computing
is the future.

Notes

 1. Anderson calls this deterministic computer. He uses that name to describe
    computation that is consistent and predictable regardless of how the
    application gets to the data, but I'm not sure that's the core idea.
    Location independence feels better to me.
 2. An interesting point is that training the AI that drives the car is still
    done in the cloud somewhere. But once the model is built, it operates close
    to the data. I think this will be true for a lot of AI models.

Photo Credit: Cloudless Sunset from Dorothy Finley (CC BY 2.0 DEED - cropped)

Tags: cloudless picos iot tesla


November 60
24.6.2024, 6:00 SEI Blog (Feed)
The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply
Chain
This post presents a framework to promote the use of SBOMs and establish
practices and processes that organizations can leverage as they build their
programs.

November 70
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #29: November 3, 2023

Subscribe now before Elon MuX does something really erratic!

Why Not Cut Out the Middleman and Just Name AI Safety Rules After Dystopian
Science Fiction Movies?

Previous: “An iron curtain has descended across the continent”, AI Regulation:
Move Fast and Regulate Things, Italy Makes OpenAI Offer They Can’t Refuse

Existential Risk Now Has a Precise Threshold

Suggestions include the Bergeron Constant, the Conga line, the Altman line and
the Cristiano Ronaldo FLOPS line. When will my laptop do 10^26 FLOPs?

Previous: You Can’t Spell Alien Invasion Without A and I, Existential AI Risk +
Twitter-level Nuance

Depreciation Schedules Meet Moore’s Law

Some financiers are furiously hitting F9 in Excel as they realize their
collateralized NVIDIA H100s may not in fact have the six to eight year useful
life they expected a week or two ago. Track H100s on eBay here.

Previous: GPUs as an Asset Class, GPUs Are Better Than Any Financial Asset (For
Now), Brother, Where Art Thy GPUs?

Anthropic Adds Billions For More Existential AI Hand-wringing

Is it vendor financing if Google Cloud has no GPUs available?

Previous: Culture Clash Conjecture: Amazon and Anthropic

OMG, People are Using Electricity

The New York Times has done a search-and-replace on their prior hysterical
stories about power consumption for cloud computing and cryptocurrency, this
time for AI. The scarcity mindset doesn’t seem to learn, even from their own
reporting. Abundant energy is the foundation of advanced civilization. And
businesses will manage costs.

Previous: Cloud Power Up, More Power Consumption Hysteria, Everyone
Hallucinates, Not Just LLMs


November 40
Today, 9:19 mark nottingham (Feed)
Technical Standards Bodies are Regulators

There are lots of ways to view what Internet standards bodies like the IETF and
W3C do. They are horizontal agreements between competitors as well as
mission-driven public-good charities. One might believe they’re the homes of
innovation that brought us the Internet and the Web, or that they’re boring,
ineffective and slow committee talking shops. Some see them as vibrant, diverse
communities, while others believe they’re completely dominated by big tech.

My preferred way of thinking of them these days, however, is as regulators. Just
like the FTC in the US, the eSafety Commissioner in Australia, or the ICO in the
UK, Standards Developing Organizations (SDOs) have a fundamentally regulatory
aspect to them, and considering them in this way clarifies how they relate to
Internet governance.

In particular, it helps to understand what kind of regulator they are, what
tools they use, and the nature of the regime they operate within.

A specific kind of regulator

When most people think of a regulator, they assume it’s always state-backed;
sovereign power (and hopefully a democratic mandate) imbues the regulator with
legitimacy. As Julia Black put it back in 2002:

The core understanding that many have of ‘regulation’ is some form of ‘command
and control’ (CAC) regulation: regulation by the state through the use of legal
rules backed by (often criminal) sanctions. ‘CAC’ has also however become
shorthand to denote all that can be bad about regulation, including poorly
targeted rules, rigidity, ossification, under- or over- enforcement, and
unintended consequences.

Modern conceptions of regulation are much more expansive (or ‘decentered’),
encompassing not only public (government) regulation but also regulation by
private actors. For example, lex mercatoria – commercial law and customs
followed by merchants – goes back to at least medieval times, and is now
considered a kind of regulation. States regularly defer to such ‘soft law’, and
while it can always be overridden in a single jurisdiction by legal power,
policymakers have strong motivations to avoid over-regulating areas that are
capable of self-regulation.

Further complicating Internet regulation is its global span, which means that
more than one state is involved. Transnational Private Regulators (TPRs) are
non-government regulators who work across national boundaries.

Internet SDOs are often used as examples of TPRs. Other common examples include
organisations like the Forestry Stewardship Council, the Fairtrade Foundation,
the International Accounting Standards Board, and the ISEAL Alliance.

Caffagi identified a few factors that have “caused and helped to accelerate the
emergence of TPRs”:

 * Because “many goods and services today transcend national boundaries [they]
   can hardly be regulated by national regulations. This is particularly the
   case with global public goods […] for which international regulatory
   co-operation is substantially needed to avoid a ‘race to the bottom’ between
   domestic regulations.” This is very much the case for the Internet.
 * “There are markets that exhibit fast-changing dynamics [that are] difficult
   for public policy makers to try to regulate[.] In particular, this is the
   case of high-tech and knowledge-intensive markets [which] effectively leads
   policymakers to rely on private parties, at least for the definition of
   implementing measures and technical specifications.”
 * Finally, “there are policy problems that inevitably require heavy reliance on
   the expertise of private actors, [who] are the most informed parties, or the
   players in the best position to deal with a given failure, or simply the only
   parties holding control over central essential resources.”

Importantly, the legitimacy (and therefore authority) of a TPR isn’t based on
democracy – inherently they have no demos so they cannot be democratic in the
sense that a state is. Instead, they draw on other sources of legitimacy,
including their input (who participates), their output (what impact they have),
and their throughput (what processes they use to assure fair and good outcomes).

With unique regulatory tools

The regulatory tools available to Internet SDOs are specific and limited – they
write down technical specifications that, on a good day, get reflected in code.

This is ‘architectural regulation’, according to Lessig. It sits alongside other
modalities of regulation like law, norms, and markets. Where the FTC uses law,
the IETF uses architecture – shaping behaviour by limiting what is possible in
the world, rather than imposing ex post consequences.

While much of regulatory theory and practice is taken up with issues like
monitoring and enforcement, architectural regulation doesn’t need those tasks to
be performed; the best approximation is conformance testing (which the IETF and
W3C don’t formally do anyway; they certainly don’t attempt certification).

Another interesting aspect of this form of regulation is its quasi-voluntary
nature. Internet standards are optional to adopt and implement; no one is
forcing you to do so. However, if they’re successful and widely adopted, they do
constrain your behaviour while you’re on the Internet, because everyone else is
following them. In that sense, they are mandatory.

Architectural regulation of the Internet is also constrained in how it can
introduce change. While a law can be repealed or overridden by a newer law,
Internet protocol standards have to consider the dependencies that people
already have on infrastructure; we can’t have a ‘flag day’ where we change how
the Internet works. Instead, we have to carefully extend and evolve it, working
within the constraints of what people already do, because once code is deployed,
we lose control.

These features provide interesting advantages to SDOs as regulators. While one
might see a non-state regulator without an enforcement problem as too powerful,
standards’ lack of binding force means that an SDO can’t just impose its will;
its product has to be proven by market adoption. A successful, widely adopted
standard is (qualified) proof of cooperation, and thus has gained legitimacy at
the same time it becomes binding.

In a large regulatory space

If we step back from this, we can now consider the context of this regulation -
Internet Governance overall. Plenty has been written about this that I won’t
attempt to summarise, but there are a couple of aspects that I’d like to point
out.

First of all, there are (obviously) other regulators present too – legal
regulators especially (from various governments around the world), but also
others using various combinations of the regulatory modalities.

Second, Internet Governance is polycentric (also referred to as ‘regulatory
pluralism’) - there is no hierarchy and no regulator can tell another what to
do. There are many sources of power (of various natures) that interact in
different ways – sometimes reinforcing each other, occasionally conflicting.

Lessig talks about this (with ‘constraints’ being a synonym for ‘regulators’):

The constraints are distinct, yet they are plainly interdependent. Each can
support or oppose the others. Technologies can undermine norms and laws; they
can also support them. Some constraints make others possible; others make some
impossible. Constraints work together, though they function differently and the
effect of each is distinct. Norms constrain through the stigma that a community
imposes; markets constrain through the price that they exact; architectures
constrain through the physical burdens they impose; and law constrains through
the punishment it threatens.

Third, the regulatory space is also fragmented. Information, authority,
responsibility, and capacity to regulate are dispersed unevenly across multiple
regulators. As Scott points out, ‘[r]elations can be characterized as complex,
dynamic horizontal relations of negotiated interdependence.’

This means that no regulator in the space is truly independent. Standards have
to operate in the legal contexts where they’re deployed; laws need to take the
reality of the deployed Internet into account. Each party can act unilaterally,
and might even meet their immediate goals, but the reaction to imprudent actions
might be worse than the original issue they were trying to address.

Overall, this is healthy. Power is not concentrated in any one institution.
States are able to claim sovereignty over what happens inside their borders, but
if they differ too much from the global norm, they put at risk the economic and
cultural benefits of being part of the global Internet.

What does this mean for the IETF and W3C?

Accepting the regulatory nature of SDOs leads to a few conclusions.

First, the IETF and W3C need to coordinate more closely with other regulators –
especially national regulators who have their sights set on taming particular
aspects of the Internet.

That doesn’t mean that SDOs should defer to national regulators – far from it.
I’ve heard more than a few conversations where technical people think they need
to implement the law in protocols. This is not the case, because laws are
generally limited to a specific territory; countries can’t regulate the entire
Internet by themselves. Furthermore, laws typically don’t apply to the standards
themselves; instead, they apply to their use.

It doesn’t even mean that standards work should block on getting input from
policymakers (just as policymakers don’t block lawmaking on feedback from
SDOs!); doing so would introduce problematic incentives, muddy the technical
decision-making process, and remove many of the advantages of private
regulation.

It does mean that technical discussions should be informed by ‘policy
considerations’, even if they’re ultimately dismissed. Understanding how legal
regulators see the Internet, what their goals are, and how they attempt to use
the regulatory tools in their hands helps technical regulators evaluate what
additional constraints are likely to be layered onto the Internet. That might
result in alignment between technical regulation and legal regulation, but this
is emphatically not a requirement – in some cases, they might conflict.

Those conflicts should be avoided when they’re unnecessary, so SDOs need to do
their part to inform legal regulators as well, particularly when their proposals
have impact on the architecture.

This is not a new perspective – there has been considerable discussion in both
the IETF and the W3C recently about ‘policy engagement.’ What’s different here
is the emphasis on being a peer of other regulators, rather than automatically
subject to them. That is fundamentally different than the relationship that most
corporate policy units have with regulators, for example.

Second, this view reinforces the notion that regulation by technical standards
bodies has very specific sources of legitimacy – the technical expertise that it
embodies, and the demonstrated success of its output. That legitimacy might be
enhanced by the unique global scope of these bodies – unlike national
regulators, they are responsible for the entire Web and Internet.

That suggests the positions taken by these bodies need to be focused on their
areas of expertise, rather than trying to draw on other sources of legitimacy
(for example, pseudo-democratic ones, or notions of openness, although the
latter does enhance their legitimacy). This is well-recognised in the IETF,
where arguments like Pervasive Monitoring is an Attack are couched in technical
terms, not value-driven ones.

Third, the polycentric and fragmented nature of the regulatory space suggests
that it’s entirely appropriate for architectural regulators like SDOs to focus
on areas where their tools are most effective.

For example, the HTTP Cookie specification has been working towards eradicating
third-party cookies for some time, because they’re horrible for privacy. Some
point out that this doesn’t address the privacy issues with first-party cookies
- a site you’re interacting with can still track your activity, profile you, and
so on.

That doesn’t mean that we should back away from regulating third-party cookies
with architecture; they’re extremely amenable to this form of regulation
(because of the user agency of the browser), and legal regulation of third-party
cookies has proven difficult. On the other hand, regulating first-party privacy
abuses on the Web with architecture is hard – if you interact with someone,
you’re giving them your data – but legal regulation of how entities handle
first-party data is on much firmer ground (provided there is a political will to
do so).


November 20
23.6.2024, 18:04 The Architect Elevator (Feed)
Spooky: Platform Strategy Awakens
What better day to launch The Grim Wrapper than Halloween?

November 10
1.5.2024, 16:56 James Governor's Monkchips (Feed)
RedMonk beers at Kubecon

RedMonk beers are going to be a blast at Kubecon this year. We’ve found just the
place, which reflects what we’re all about. The venue is called Maria’s Packaged
Goods and Community Bar – described as a “Hybrid liquor store & neighborhood
tavern supplying a large rotating menu of rare craft beers.” It has plenty of
outdoor space.

Rare craft beers, community and outdoor seating? Definitely on brand. Definitely
our vibe.

One reason our team was excited when the CNCF announced Kubecon would be in
Chicago this year is that Morgan Harris, our account and engagement manager,
lives in the city. So it felt like we could mix Cloud Native and Chicago Native.
Naturally we asked Morgan to scout a venue for us, and of course she came up
trumps.

The story behind the venue is lovely.



Maria is a South Korean, who moved to Chicago after marrying her husband, an
American serviceman called James back in the 1970s. Sadly he passed away at a
young age. Maria though found her feet in a tough neighborhood and community in
Bridgeport, Chicago. Today she is a local icon – and has a beer in her name –
The Duchess of Bridgeport – a sour red ale we can’t wait to try. Locals call her
“mom” or the Peggy Guggenheim of Bridgeport because of the way she supports
local artists. If you’d like to know more about this history of the place, this
is a great article to check out.

The food is Korean Polish, which sounds amazing (think Polish Sausage, Pierogis
and Korean chicken wings), with some nods to Italian. We look forward to hosting
our own community in this community institution. Join us at Maria’s Community
Bar on Wednesday, November 8th. Don’t forget your ID, because Maria herself may
be checking them at the door.

We’ve booked a few tables and look forward to seeing old friends there and
meeting some new ones.

Date: November 8

Time: 7:30-9:30pm CT

Location: Maria’s Packaged Goods & Community Bar; 960 W 31st St
Chicago IL 60608

Bonus post material – be sure to read this great thread about Chicago before you
travel.

So you're looking to attend #KubeCon in Chicago? Welcome! Chicago is an
incredible city and I hope you have a blast while here. I've put some thoughts
together here for anyone coming to the city for the conference. I've only lived
here for just over a year but really like it. 1/

— Kai @kaipmdh@hachyderm.io (@KaiPMDH) October 28, 2023



 

 

 


October 310
24.6.2024, 6:00 SEI Blog (Feed)
Dealing with Noisy Behavioral Analytics in Detection Engineering
This post discusses a process for tuning and related work you can do to make
behavioral analytics more viable in your environment, without sacrificing
analytic coverage.

October 300
Today, 17:55 ongoing by Tim Bray (Feed)
On C2PA

Leica, the German maker of elegant but absurdly-expensive cameras, just released
the M11-P. The most interesting thing about it is a capability whose marketing
name is “Content Credentials”, based on a tech standard called C2PA (Coalition
for Content Provenance and Authenticity), a project of the Content Authenticity
Initiative. The camera puts a digital watermark on its pictures, which might
turn out to be extremely valuable in this era of disinformation and sketchy AI.
Herewith a few words about the camera (Leicas are interesting) but mostly I want
to describe what C2PA does and why I think it will work and how it will feel in
practice.

M11-P

To start with, this thing lists at over $9,000 in the US. There are lots of
awesome lenses for it, and you might be able to find one for under $5,000, but
not usually.

On the other hand, it’s a lovely little thing.

The obvious question: Can it possibly be worth that much money? Well… maybe. Any
camera on sale today, including your phone, can reliably take brilliant
pictures. But people who use Leicas (I never have) rave about the ergonomics, so
you might be a little quicker on the draw. And they say it’s fun to use, which
means you’re more likely to have it with you when the great photo op happens.
And there’s no denying it looks drop-dead cool.

C2PA is puzzling

I’ve been impressed by the whole C2PA idea ever since I first heard about it,
but damn is it hard to explain. Every time I post about it, I get annoying
replies like “I don’t want my camera to track me!” and “This is just NFTs
again!” and “It’ll be easy to fake by tampering with the camera!” All of which
are wrong. I conclude that I’m failing to explain clearly enough.

Whatever, let’s try again.

Signing

Inside the M11-P there is special hardware, and inside that hardware are two
closely-linked little blobs of binary data called the “public key” and the
“private key”; we call this a “keypair”. The hardware tries to be
“tamper-proof”, making it very hard for anyone to steal the private key. (But
nothing is perfect; a real security expert would assume that a serious
well-resourced hacker could crack and steal. More below.)

When you take a picture, the camera makes a little data package called a
“manifest”, which records a bunch of useful stuff like the time, the camera
serial number, the name of the person who owns the camera, and so on. Then it
runs a bunch of math over the private key and manifest data and the image pixels
to produce a little binary blob called the “signature”; the process is called
“signing”. The manifest and the signature are stored inside the metadata (called
“EXIF”) that every digital photo has.

Then, you share the public key with the world. Email it to your colleagues.
Publish it on your website. Whatever. And anyone who gets your picture can run a
bunch of math over the public key and manifest and pixels, and verify that those
pixels and that manifest were in fact signed by the private key corresponding to
the public key the photographer shared.

Geeky interlude for PKI nerds

(If the “PKI” acronym is new to you, do please skip forward to the “Chaining”
section.)

Leica has posted a Content Credentials demo page with a sample image. Big thanks
to Sam Edwards (@samedwards@mastodon.social), who dug around and found the
actual JPG, then taught me about c2patool. All this happened in a nice chatty
set of Mastodon threads starting here; the Fediverse is really the place for
substantive conversation these days.

The actual image.

(That is, once you click to enlarge it. But watch out, it’s 21M).

Applying c2pa to the JPG yields the JSON manifest, which has a selection of
useful EXIF fields. It turns out the signing relies on traditional PKI-wrapped
certs; there’s one associated uniquely with this camera, with a proper signing
chain through a Leica cert, all apparently rooted at D-Trust, part of Germany’s
Bundesdruckerei which also prints money. All very conventional, and whatever
programming language you’re using has libraries to parse and verify. Sadly,
ASN.1 will never die.

By the way, the actual C2PA spec feels way more complicated than it needed to
be, with Verifiable Credentials and Algorithm Agility and JSON-LD and CBOR and
COSE etc etc. I haven’t had the bandwidth to slog all the way through. But…
seems to work?

Chaining

I’ve described how we can attach a signature to a photo and anyone who has the
camera’s public key can check whether it was signed by that camera. That’s
clever, but not very useful, because before that picture gets in front of human
eyes, it’s probably going to be edited and resized and otherwise processed.

That’s OK because of a trick called “signature chaining”. Before I explain this,
you might want to drop by Leica’s Content Credentials page and watch the little
video demo, which isn’t bad at all.

Now, suppose you change the photo in Photoshop and save it. It turns out that
Photoshop already has (a beta version of) C2PA built in, and your copy on your
own computer has its own private/public keypair. So, first of all, it can verify
the incoming photo’s signature. Then when you save the edited version, Photoshop
keeps the old C2PA manifest but also adds another, and uses its own private key
to sign a combination of the new manifest, the old manifest (and its signature),
and the output pixels.

There’s enough information in there that if you have the public keys of my
camera and my copy of Photoshop, you can verify that this was a photo from my
camera that was processed with my Photoshop installation, and nobody else got in
there to make any changes. Remember, “signature chaining”; it’s magic.

If you run a news site, you probably have a content management system that
processes the pictures you run before they hit your website. And that system
could have its own keypair and know how to C2PA. The eventual effect is that on
the website, you could have a button labeled “Check provenance” or some such,
click it and it’d do all the verification and show you the journey the picture
took from camera to photo-editor to content-management system.

Why?

Because we are surrounded by a rising tide of disinformation and fakery and
AI-powered fantasy. It matters knowing who took the picture and who edited and
how it got from some actual real camera somewhere to your eyes.

(By the way, AI software could do C2PA too; DALL-E could sign its output if you
needed to prove you were a clever prompter who’d generated a great fantasy pic.)

But this can’t possibly work!

Like I said above, every time I’ve posted something nice about C2PA, there’ve
been howls of protest claiming that this is misguided or damaging or just can’t
work. OK, let’s run through those objections one by one.

No, because I want to protect my privacy!

A perfectly reasonable objection; some of the most important reportage comes
from people who can’t afford to reveal their identity because their work angers
powerful and dangerous people. So: It is dead easy to strip the metadata,
including the C2PA stuff, from any media file. In the movie linked from the
Leica web site above, you’ll notice that he has to explicitly turn C2PA on in
both the camera and in Photoshop.

Yes, this means that C2PA is useless against people who steal your photos and
re-use them without crediting or paying you.

I can’t see any reason why I’d attach C2PA to the flowers and fripperies I
publish on my blog. Well, except to demonstrate that it’s possible.

No, because I’m not a cryptography expert!

Fair enough, but neither am I. This demo page shows how it’ll work, in practice.
Well, early-stage, it’s kind of rough-edged and geeky. Eventually there’ll be a
nicely-styled “verify” button you click on.

No, because corporate lock-in!

Once again, reasonable to worry about, and I personally do, a lot. Fortunately,
C2PA looks like a truly open standard with no proprietary lock-ins. And the
front page of the Content Authenticity Initiative is very reassuring, with
actual working code in JavaScript and Rust. I’m particularly pleased about the
Rust SDK, because that can be wired into software built in C or C++, which is,
well, almost everything, directly or indirectly.

For example, the Leica-provided image you see above has no C2PA data, because
it’s been resized to fit into the browser page. (Click on it to get the
original, which retains the C2PA.) The resizing is done with an open-source
package called ImageMagick, which doesn’t currently do C2PA but could and I’m
pretty sure eventually will. After which, the picture above could have a link in
the signature chain saying “resized by ImageMagick installed on Tim Bray’s
computer.”

No, because of the “analog hole”, I’ll just take a picture of the picture!

This doesn’t work, because the signing computation looks at every pixel, and
you’ll never get a pixel-perfect copy that way.

No, because bad guys will sign fake images!

Absolutely they will, no question about it. C2PA tells you who took the picture,
it doesn’t tell you whether they’re trustworthy or not. Trust is earned and
easily lost. C2PA will be helpful in showing who has and hasn’t earned it.

No, because it will lead to copyright abuse!

It is definitely sane to worry about over-aggressive copyright police. But C2PA
won’t help those banditos. Sure, they can slap a C2PA manifest, including
copyright claims, on any old image, but that doesn’t change the legal landscape
in the slightest. And, like I said, anyone can always remove that metadata from
the image file.

No, because artists will be forced to buy in!

Yep, this could be a problem. I can see publishers falling overly in love with
C2PA and requiring it on all submissions. Well, if you’re a film photographer or
painter, there’s not going to be any embedded C2PA metadata.

The right solution is for publishers to be sensible. But also, if at any point
you digitize your creations, that’s an occasion to insert the provenance data.
We’ll need a tool that’s easy to use for nontechnical people.

No, because it’s blockchain! Maybe even NFTs!

It’s not, but you can see how this comes up, because blockchain also uses
signature chains, there’s nothing in principle wrong with them. But C2PA doesn’t
need any of the zero-trust collective-update crap that makes anything with a
blockchain so slow and expensive.

No, because hackers will steal the private key and sign disinformation!

Definitely possible; I mentioned this above. When it comes to computer security,
nothing is perfect. All you can ever do is make life more difficult and
expensive for the bad guys; eventually, the attack becomes uneconomic. To steal
the private key they’d have to figure out how to take the camera apart, get at
the C2PA hardware, and break through its built-in tamper-proofing. Which I’m
sure that a sufficiently well-funded national intelligence agency can do, or a
sufficiently nerdy gang of Bolivian narcos.

But, first of all, it wouldn’t be easy, and it probably wouldn’t be terribly
fast, and they’d have to steal the camera, hack it, put it back together, and
get it back to you without you noticing. Do-able, but neither easy nor cheap.
Now, if you’re a Hamas photoblogger, the Mossad might be willing and capable.
But in the real world, when it really matters, the attackers are more likely to
use the XKCD technique.

No, because websites don’t care, they’ll run any old gory clickbait pic!

Absolutely. C2PA is only for people who actually care about authenticity. I
suspect it’s not gonna be a winner at Gab or Truth Social. I hope I’m not crazy
in thinking that there are publishing operations who do care about authenticity
and provenance.

OK then. How will it be used in practice?

I remain pretty convinced that C2PA can actually provide the provenance-chain
capability that it claims to. [Note that the C2PA white papers claim it to be
useful for lots of other things that I don’t care about (thanks to vince for
pointing that out) and this piece is already too long, so I’ll ignore them.]
Which raises the question: Where and how will it be used? I can think of two
scenarios: High-quality publishing and social media.

The Quality Publishing workflow

We’re looking at The Economist or New Yorker or some such, where they already
employ fact checkers and are aggressive about truth and trust. Their photos
mostly come from indies they work with regularly, or big photo agencies.

Let’s look at the indie photographer first. Suppose Nadia has been selling pix
to the pub for years, now they want to do C2PA and Nadia has a camera that can.
So they tell Nadia to send them a picture of anything with C2PA enabled. They
have a little database (Microsoft Access would be just fine) and a little app
that does two things. First, when they get the sample photo from Nadia, there’s
a button that reads the photo, extracts and verifies the C2PA, and writes an
entry in the database containing Nadia’s camera’s public key and the way she
likes to be credited.

From then on, whenever they get a pic from Nadia, they feed it to the app and
press the other button, which extracts the C2PA and looks up the public key in
the database. If it doesn’t match anything, there’s a problem and they probably
shouldn’t run that picture without checking things out. If everything’s OK,
it’ll create a nice little chunk of HTML with the credit to Nadia and a link to
the HTML-ized provenance chain to show to anyone who clicks the “provenance”
button beside the picture.

You know, if I were building this I’d make sure the database record included the
email address, then I’d set the app up so the photog just emails the picture to
the app, then the app can use the pubkey to pull the record and see if the email
sender matches the database.

In the case of the agency photographers, the agency could run the database and
app on its website and the publisher could just use it. Neither option sounds
terribly difficult or expensive to me.

The idea is that displaying the provenance button emphasizes the seriousness of
the publisher and makes publishers who aren’t using one look sketchy.

The social-media workflow

The thinking so far seems to have been aimed at the high-end market I just
discussed; after all, the first camera to implement C2PA is one of the world’s
most expensive. I understand that Nikon has a camera in the pipeline and I bet
it’s not going to be cheap either. [Sad footnote: I gather that Sony is building
this into its cameras too but, being Sony, it’s not using C2PA but some
Sony-proprietary alternative. Sigh.]

But on reflection I’m starting to think that C2PA is a better fit for social
media. In that domain, the photos are overwhelmingly taken on mobile-phone
cameras, and every app, bar none, has a media-upload feature.

Speaking as a former Android insider, I think it’d be pretty easy to add C2PA to
the official Camera app or, failing that, to a C2PA-savvy alternate camera app.

I also think it’d be pretty easy for the Instagrams and TikToks of this world to
add C2PA processing to their media-upload services. Obviously this would have to
be explicitly opt-in, and it’d probably work about the same way as the Quality
Publishing workflow. You have to initially upload something with a C2PA manifest
to get your public key registered and tied to your social-media identity. Then
you’d have to decide whether you wanted to attach C2PA to any particular picture
or film-clip you uploaded.

I dunno, on a snakepit of sketchy information like for example Reddit I think
there’d be real value, if I happened to get a good picture of a cop brutalizing
a protester or a legislator smooching the Wrong Person or Ukrainian troops
entering a captured town, to C2PA-equip that image. Then you could be confident
that the trustworthiness of the image is identical to the trustworthiness of the
account.

And if some particularly-red hot video capture either didn’t have the
“provenance” badge, or it did but was from Igor48295y2 whose account was created
yesterday, well then… I’m not so optimistic to think it’d be dismissed, but it’d
be less likely to leak into mainstream media. And — maybe more important — if it
were super newsworthy and C2PA-attributable to someone with a good record of
trust, it might get on national TV right away without having to wait for the
fact-checkers to track down the photog and look for confirming evidence.

Are you done yet, Tim?

Sorry, this one got a little out of control. But over the decades I’ve developed
a certain amount of trust in my technology instincts. C2PA smells to me like a
good thing that could potentially improve the quality of our society’s public
conversation with itself.

And I’m in favor of anything that helps distinguish truth from lies.


November 10
22.6.2024, 19:00Platformonomics (Feed)
Platformonomics TGIF #28: October 27, 2023

Be sure to subscribe below and to the right to receive all my output via email

Q3 2023 Cloud CAPEX

Amazon $12.76B -19%
Google $8.06B +11%
Microsoft $11.2B +70%

(This is corporate level CAPEX, not just cloud infrastructure)

Amazon’s decline seems like the continued reduction in logistics/fulfillment
spending. We’ll get a breakout of AWS CAPEX next quarter. The Google mystery
continues: the normal server refresh is getting pushed ever further out with no
sign of a ramp in GPUs (and hard to argue TPUs are cheap). Microsoft passing
Amazon for total spend would be a milestone.

Previous: Q2 Cloud CAPEX, The Google CAPEX Mystery, Follow the CAPEX: Cloud
Table Stakes 2022 Retrospective

GPUs as an Asset Class

I have suggested developing nations peg their currency to GPUs. We’re not quite
there yet (Argentina, don’t miss your chance!), but the insatiable
financialization impulses of Wall Street are turning GPUs into “a new asset
class”. This will end poorly.

Previous: GPUs Are Better Than Any Financial Asset (For Now), Brother, Where Art
Thy GPUs?
Related: GPUs’ Latest Magic Act: Securing Data Center Debt

Clown CAPEX

IBM is in the midst of a strategic transformation from a cloud to an AI . The
absence of CAPEX in either domain ensures you are a .

Previous: Bonsai AI, Follow the CAPEX: Keeping Up With The Clowns, Follow the
CAPEX: Clown Watch, Follow the CAPEX: Separating the Clowns from the Clouds
Related: DXC Technology Hires Industry Veteran Howard Boville to Senior
Leadership Team

Cloud Repatriation: The Search Continues

So the data center guys aren’t benefiting from cloud repatriation or AI…

Previous: Cloud Repatriation: Still Not a Thing, Platformonomics Repatriation
Index – Q1 2023: Surf’s Up?, The Inexorable Attraction Between Terrible Things:
Cloud Repatriation and Private Equity

The Amazon AI Inferiority Complex

Previous: Excellent Trolling by The Information, Amazon Now Forecasts They Won’t
Be Competitive In Generative AI For Over 13,000 Years, Amazon’s AI
Communications Clown Show: Cause or Effect?, Amazon Pauses Lectures on
Generative AI, Three Steps into a 12-Step Program, Culture Clash Conjecture:
Amazon and Anthropic, AWS: “It’s Day 0.1 in generative AI”, AWS: “We’re three
rankles into a 10k rankle”, “Every Single” Amazon PR Team is Working on
Generative AI (Part I’ve Lost Count), “Every Single” Amazon PR Team is Working
on Generative AI, Titan or Titanic?, Amazon Pioneers LLM-less Generative AI, A
PR Campaign About Nothing: AWS and Generative AI, Day Two of Amazon’s PR
Campaign About Nothing, Amazon’s Relentless PR Campaign About Nothing
Related: Amazon Cranks Up Its AI Euphoria

Saying the Quiet Part Out Loud: AWS Edition

Considering revising “Two pizza teams are organizationally indistinguishable
from Soviet spy cells” to something involving a million monkeys and Shakespeare.

Regulating Your Way to Prosperity

Once the European car industry is gone, what will be left? Wine, cheese,
tourism, anything else?

Previous: The EU’s Reckoning Approaches, Collapsing Economic Models: German
Edition, EU Rethinking Its Stance on Mercantilism, German Auto Industry Reaches
Hail Mary Stage, How Do You Say “Burning Platform” in German?, Volkswagen’s
Death Throes Continue, The Fate of the European Economy: Automotive Edition,
Europe: Investing in Slave Labor

Software Migration Alert: EngageSmart

When private equity comes amalgamating, it is time to start migrating. Why?
Because private equity ruins software companies.

Previous: Perfidious Private Equity


October 280
Today, 17:55ongoing by Tim Bray (Feed)
Wild World

I’ve come to loathe autumn. It echoes the current stage of my own life a little
too closely. Plus it’s plenty hard to just stay level, any season of this filthy
year. I saw someone on social media asking (may not have the words quite right)
“How you folks holding it together while the world’s burning?” I looked for
something useful and short to say, came up empty. But now maybe this.

There’s the plague and the fascists and mass shooters and people killing babies
for the greater glory of Palestine and Israel. Lies burn hot on every Internet
screen and who’s got time to refute them all? Greed lights fires everywhere.
Feaugh.

Also I have family issues that hurt and teach hard lessons. Long Covid in da
house too.

And among my friends and contemporaries and relations, there’s a steady rumble
of mortality: cancer diagnoses and dementia symptoms and heart trouble and more
like that.

Anyhow, what happened was, last Saturday morning I had stuff to pick up and drop
off at the local library. It’s across from the local farmers market. So I biked
up there and hit both. Nobody else in the family was up to the trip, for a
variety of reasons.

Cool, but I bought sprouts in a nice little bag, no stems.

I got Brussels sprouts and focaccia and apples. The market has a spot for
musicians, last week’s a guy with a strong voice singing old songs everyone
knows; didn’t pay much attention.

All this is good, right? This is the “15 minute city” model, I think. Yes, it
was. I enjoyed it.

So I lugged the books and movies and fruits and vegetables back to the bike
rack, knelt to unlock and stow. Then the minstrel started singing Wild World and
I knew I was in trouble.

I’m placid generally; among the calmest percentiles of the population. I’m
reasonable. I deal with shit. I do a good job of seeming balanced. None of which
helped.

But then a lot of nice things turn bad out there…

Oh, baby, baby, it's a wild world

It's hard to get by just upon a smile

I leaned my head against the bike and wept hard, cheeks wet. Dunno where it came
from. Everywhere I guess. Nobody else was unhooking their bike just then so
maybe nobody noticed.

It’s a wild world, no shit. Hang on for dear life. Teach your children. Then
wish ’em luck. They’re going to need it.

Brussels sprouts

A few minutes in the Instant Pot air fryer with a bit of olive oil and they come
out slightly blackened and just great.

The lesson

You don’t have to keep it together. Losing it sometimes is OK.


October 290
1.5.2024, 16:56James Governor's Monkchips (Feed)
DevSecOps and Progressive Delivery at Dunelm – modern enterprise development
practices

I saw a great presentation from Dunelm, the UK’s leading home furnishings
retailer, at GitLab’s DevSecOps world tour event in London recently. The company
has clearly successfully retooled for ecommerce – with a builder mentality, and
engineering practices that should stand it in good stead. The company is
accelerating its transformation – in 2022 it was doing 11 production deployments
a day. Now, in 2023, it’s doing 26. One aspect of the talk I appreciated was the
focus on DevSecOps – and by that I mean security enabling and helping developers
to build secure apps, rather than getting in their way.

Jan Claeyssens, DevSecOps Principal Engineer at Dunelm, explained that his role
is to enable and engage with developers and engineering teams:

The development teams are my customers. Security needs to stop saying no but
lean in, listen to what they want and try and help them. No one wants more
checks after they have finished. Security scanners should not impact the APIs
too much.

Claeyssens also pointed out how important education is. You can’t expect
developers to use security features if they don’t know they’re there. Platform
engineering and security teams need to do a better job of developer education in
order to get the results they want. The whole tone from Claeyssens was
refreshing from a security perspective.

Serve the user where they live and show them what the features are. Security at
Dunelm has to help the business become better.

Amen Jan.

Talking of amen, I was really pleased to hear the company has adopted
Progressive Delivery as an approach. Given I coined the term, it was great to
hear concepts read out from an enterprise company. To be fair GitLab has used
Progressive Delivery in its marketing so it should not surprise me that a
customer would be using the language. But it was still pleasing.

Paul Kerrison, Director of Engineering and Architecture at Dunelm said:

Our engineering work is becoming more experiment driven, we are moving towards
progressive delivery, the new kid on the block.

You get to try more risky things but safely. We can put something in production,
test it with one cohort, then roll it out more broadly.

Cohorts, phased rollouts, reduced risk with more experimentation, testing in
production. This is the way.

 

disclosure: GitLab is a client.


October 240
Today, 14:28Phil Windley's Technometria (Feed)
Zero Data

Summary: Like Zero Trust, Zero Data represents a paradigm that organizations can
embrace to enhance their overall security posture. But the benefits go far
beyond better security.

A few weeks ago, I came across this article from StJohn Deakin from 2020 about
zero data. I've been thinking a lot about zero trust lately, so the name leapt
out at me. I immediately knew what StJohn was speaking about because I've been
talking about it too. My new book, Learning Digital Identity, talks about the
concept. But the name—zero data—is simply brilliant. I want to dig into zero
data in this post. I'll discuss the link between zero data and zero trust in a
future post.

StJohn describes the idea like this:

Personal data should be held by humans first, and by the companies,
organisations and governments that humans choose to interact with, second. The
ultimate in ‘data minimisation’ is for the platforms in the centre to simply
facilitate the interactions and not hold any data at all. This is the exact
opposite of our Google/Facebook/Amazon dominated world where all human data is
being concentrated in a few global silos.

A zero data society doesn’t mean that data isn’t shared between us, quite the
opposite. With increased trust and participation, the data available and needed
to drive our global society will explode exponentially.

From The Future of Data is ‘Zero Data’
Referenced 2023-09-30T17:37:15-0600

If you think about this in the context of how the internet has worked for the
last three decades, the concept of zero data might seem baffling. Yet, consider
a day in your life. How often do you establish lasting relationships—and thus
share detailed information about yourself—with every individual or entity you
come across? Almost never. It would be absurd to think that every time you grab
a coffee from the local store, you'd need to form a lasting bond with the coffee
machine, the cashier, the credit card terminal, and other customers just to
facilitate your purchase. Instead, we exchange only the essential information
required, and relevant parties retain just the data that is needed long term.

To build a zero data infrastructure we need to transfer trustworthy data
just-in-time. Verifiable credentials (VCs) offer a way to represent information
so that its authenticity can be verified through cryptographic means. They can
be thought of as digital attestations or proofs that are created by an issuer
about a subject and are presented by the holder to a verifier as required.

Verifiable Credential Exchange

Here are some of the interaction patterns facilitated by verifiable credentials:

 * Selective Disclosure: VCs enable users to share only specific parts of a
   credential. For instance, a user can prove they are of legal age without
   revealing their exact date of birth.
 * Credential Chaining: Multiple credentials can be linked together, enabling
   more complex proofs and interactions. For example, an employer might hire an
   employee only after receiving a VC proving they graduated and another proving
   their right to work.
 * Holder-Driven Data Exchange: Instead of organizations pulling data about
   users from third parties, VCs shift the interaction model to users pushing
   verifiable claims to organizations when needed.
 * Anonymous Credential Proofs: VCs can be designed to be presented anonymously,
   allowing users to prove a claim about themselves without revealing their
   identity. For example, VCs can be used to prove the customer is a human with
   less friction than CAPTCHAs.
 * Proofs without Data Transfer: Instead of transferring actual data, users can
   provide cryptographic proofs that they possess certain data or prove
   predicates about the data, reducing the exposure of personal information. For
   example, VCs can be used to prove that the subject is over 21 without
   revealing who the subject is or even their birthdate.
 * Adaptive Authentication: Depending on the sensitivity of an online
   interaction, users can be prompted to provide VCs of varying levels of
   assurance, enhancing security in adaptable ways. I plan to talk about this
   more in my next post about zero data and zero trust.

These interaction patterns change traditional data management and verification
models, enabling businesses to retain considerably less data on their clients.
Verifiable credentials have numerous benefits and features that provide a
positive impact on data management, security, and user trust:

 * Data Minimization: As we've seen, with VCs, users can prove facts without
   revealing detailed data. By selectively sharing parts of a credential,
   businesses only see necessary information, leading to overall reduced data
   storage and processing requirements.
 * Reduced Redundancy & Data Management: Trustworthy VCs reduce the need for
   duplicate data, simplifying data management. There's less need to track,
   backup, and maintain excess data, reducing complexity and associated costs.
 * Expiration, Revocation, & Freshness of Data: VCs can be designed with
   expiration dates and can be revocable. This ensures verifiers rely on
   up-to-date credentials rather than outdated data in long-term databases.
 * Trust through Standardized Protocols: VCs, built on standardized protocols,
   enable a universal trust framework. Multiple businesses can thus trust and
   verify the same credential, benefiting from reduced integration burdens and
   ensuring less custom development.
 * Enhanced Security & Reduced Exposure to Threats: Data minimization reduces
   the size of the so-called honey pot, reducing the attraction for
   cyber-attacks and, in the event of a breach, limits the potential damage,
   both in terms of data exposed and reputational harm.
 * Compliance, Regulatory Benefits & Reduced Liability: Adhering to data
   minimization aligns with many regulations, reducing potential legal
   complications. Storing minimal data also decreases organizational liability
   and regulatory scrutiny.
 * Cost Efficiency: By storing less data, organizations can achieve significant
   savings in storage infrastructure and IT operations, while also benefiting
   from focused data analytics.
 * Enhanced User Trust & Reputation: By collecting only essential data,
   organizations can build trust with users, gaining a competitive edge in a
   privacy-conscious market that is increasingly growing tired of the abuses of
   surveillance capitalism.

In essence, verifiable credentials shift the paradigm from "data collection and
storage" to "data verification and trust." This is what Marie Wallace means with
her analogy between VCs and music streaming. Online interactions are provided
with the assurance they need without the business incurring the overhead (and
risk) of storing excessive customer data. Zero data strategies not only reduce
the potential attack surface for cyber threats but also offer a variety of
operational, financial, and compliance benefits.

The biggest objection to a zero data strategy is likely due to its decentralized
nature. Troves of user data make people comfortable by giving them the illusion
of ready access to the data they need, when they need it. The truth is that the
data is often unverified and stale. Nevertheless, it is the prevailing mindset.
Getting used to just-in-time, trustworthy data requires changing attitudes about
how we work online. But the advantages are compelling.

And, if your business model depends on selling data about your customers to
others (or facilitating their use of this data in, say, an ad network) then
giving up your store of data may threaten precious business models. But this
isn't an issue for most businesses who just want to facilitate transactions with
minimal friction.

Zero data aligns our online existence more closely with our real-world
interactions, fostering new methods of communication while decreasing the
challenges and risks associated with amassing, storing, and utilizing vast
amounts of data. When your customers can prove things about themselves in real
time, you'll see several benefits beyond just better security:

 * Reduced Sign-Up Friction: For services that rely on verified attributes
   (e.g., age, membership status, qualifications), users can provide these
   attributes quickly with VCs, eliminating lengthy sign-up or verification
   processes.
 * Cross-Platform Verification: A VC issued by one service can be verified and
   trusted by another, facilitating smoother cross-platform interactions and
   reducing the need for users to repetitively provide the same information.
 * Fewer intermediaries: VCs can allow for direct trust between parties without
   the need for a centralized authority. This fosters more direct and
   decentralized interactions.

Zero data, facilitated by verifiable credentials, represents a pivotal
transition in how digital identity is used in online interactions. By minimizing
centralized data storage and emphasizing cryptographic verifiability, this
approach aims to address the prevalent challenges in data management, security,
and user trust. Allowing online interactions to more faithfully follow
established patterns of transferring trust from the physical world, the model
promotes just-in-time data exchanges and reduces unnecessary data storage. As
both businesses and individual users grapple with the increasing complexities of
digital interactions, the integration of verifiable credentials and a zero data
framework stands out as a practical, friction-reducing, security-enhancing
solution for the modern digital landscape.

Tags: zero+data identity verifiable+credentials zero+trust


October 240
Internet Identity Workshop 37 Report

Summary: The latest IIW was great with many high intensity discussions of
identity by people from across the globe.

We recently completed the 37th Internet Identity Workshop. We had 315 people
from around the world who called 163 sessions. The energy was high and I enjoyed
seeing so many people who are working on identity talking with each other and
sharing their ideas. The topics were diverse. Verifiable credentials continue to
be a hot topic, but authorization is coming on strong. In closing circle someone
said (paraphrasing) that authentication is solved and the next frontier is
authorization. I tend to agree. We should have the book of proceedings completed
in about a month and you'll be able to get the details of sessions there. You
can view past Books of Proceedings here.

As I said, there were attendees from all over the world as you can see by the
pins in the map at the top of this post. Not surprisingly, most of the attendees
were from the US (212), followed by Canada (29). Japan, the UK, and Germany
rounded out the top five with 9, 8, and 8 attendees respectively. Attendees from
India (5), Thailand (3), and Korea (3) showed IIW's diversity with attendees
from APAC. And there were 4 attendees from South America this time. Sadly, there
were no attendees from Africa again. Please remember we offer scholarships for
people from underrepresented areas, so if you'd like to come to IIW38, please
let us know. If you're working on identity, we want you there.

In terms of states and provinces, California was, unsurprisingly, first with 81.
Washington (32), British Columbia (14), Utah (11), Ontario (11) and New York
(10) rounded out the top five. Seattle (22), San Jose (15), Victoria (8), New
York (8), and Mountain View (6) were the top cities.

Doc Searls has several hundred photos from Day 1, Day 2, and Day 3 of IIW on his
Flickr account.

As always the week was great. I had a dozen important, interesting, and timely
conversations. If Closing Circle and Open Gifting are any measure, I was not
alone. IIW is where you will meet people to help you solve problems and move
your ideas forward. Please come! IIW 38 will be held April 16-18, 2024 at the
Computer History Museum. We'll have tickets available soon.

Photo Credits: Doc Searls

Tags: identity iiw


October 240
24.6.2024, 6:00SEI Blog (Feed)
The 13 Key Elements of an Insider Threat Program
COVID-19 changed the nature of the workplace. In this evolving climate,
organizations need to be increasingly vigilant against insider incidents. In
this post, we present the 13 key elements of an insider threat program.

October 240
Today, 17:55ongoing by Tim Bray (Feed)
Feminized Feed

My online social life is almost all on the Fediverse (obligatory plug for our
member-owned co-op Mastodon instance) and I find it generally satisfying. But
back in early September, I noticed that my feed was extremely male-dominated. I
set out to fix that and — a rare piece of good news — it worked! Herewith
methods and numbers.

Numbers

I wish I’d been a little more careful before I started this, as in recording the
gender ratio in my feed at a more sophisticated level than “seems to be mostly
men”. And also noting how many people I was following. Oh well, rear-view is
20/20.

Late Friday afternoon, I scrolled back an hour and a bit in my feed and
categorized 205 posts as “men”, “women”, and “neutral”. Here’s what I found.

                  Women   Men     Neutral
Posts     205     53.7%   29.8%   16.6%
Accounts  66      53.0%   30.3%   16.7%

So, mission somewhat accomplished. Note that the percentages of accounts and
posts are about the same; no evidence here that either gender is more prolific.

Methods

Almost every day, I pop open my Mastodon “Notifications” tab, go through it, and
gender-check any account who’s followed or replied or liked or boosted but I
don’t already follow. Intermittently and unsystematically, I do the same for
boosted posts from people I don’t follow. If they’re female, and they’ve ever
actually posted or boosted, I follow them.

What does “gender-check” mean, exactly? I try to err on the side of inclusion.
If you offer “she/her” pronouns, OK. If your avatar is a wombat or a potato but
your name is “Cynthia”, yep. If you have neither pronouns nor a feminine account
name, I take a look at your avatar through cisgendered heterosexual male eyes
and make a judgment call. So scientific.

I’ve subsequently unfollowed a small handful of women for the usual reasons.

Findings

My feed is different than it used to be. I find that I lack the words to
describe the difference, even vaguely. But, I’ve no urge to go back. Oh, my
progressive bubble is bubblier; the Fediverse’s women are a lefty lot.

Wow, are there ever a lot of trans women here. And lesbians. But we already knew
that.

Next

I have a huge advantage because I’m a loudmouth who’s been doing social media
for decades, so my Notifications tab is rarely empty. Which means that the
people I add have already chosen to interact with me and are thus likely to
intersect with my interests. So I’m not sure this would work for the many people
who are read-mostly, or who are still building their audience.

Now I’m feeling an obligation to find a good way to help feminize others’ feeds.
But I’m nervous about over-curating; why should I think that the people who
interest me would do the same for others? Would it be crazy to, every week, pick
a dozen random female accounts that I follow and post them to a #FollowFriday?
At the moment, I can’t think of anything better.

But I do recommend that other high-interaction people give this a try. It’s easy
and if you’re like me you won’t want to go back to a mostly-male feed.


October 21
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #27: October 20, 2023

Be sure to subscribe below and to the right to receive all my output via email.

Excellent Trolling by The Information

The lede from an interview with Amazon’s generative AI product manager, Andy
Jassy:

Paragraph three:

Amazon Now Forecasts They Won’t Be Competitive In Generative AI For Over 13,000
Years

Our previous analysis concluded that if you were running a 10K and had spent a
month on the third step, it would take over 800 years to finish the race. But
we’re now in the fourth month still stuck on that third step AND the race has
been extended to a marathon.

Previous: Amazon Pauses Lectures on Generative AI, Three Steps into a 12-Step
Program, Culture Clash Conjecture: Amazon and Anthropic, AWS: “It’s Day 0.1 in
generative AI”, AWS: “We’re three rankles into a 10k rankle”, “Every Single”
Amazon PR Team is Working on Generative AI (Part I’ve Lost Count), “Every
Single” Amazon PR Team is Working on Generative AI, Titan or Titanic?, Amazon
Pioneers LLM-less Generative AI, A PR Campaign About Nothing: AWS and Generative
AI, Day Two of Amazon’s PR Campaign About Nothing, Amazon’s Relentless PR
Campaign About Nothing

Amazon’s AI Communications Clown Show: Cause or Effect?

You Can’t Spell Misinformation Without MSM

The megaliths of mainstream media deeply embarrassed themselves in the last week
by eagerly acting as unquestioning press agents for Hamas (while simultaneously
bemoaning misinformation on social media that was the corrective to the media’s
misinformation), and then digging in to defend their errors. It isn’t clear if
they’re just committed to a narrative regardless of reality and/or are just bad
at journalism. But we’ve seen this before in their tech coverage.

Previous: Breaking: New York Times Agrees with Tech Industry, New York Times
Gives Up on First Amendment?, Living in a Glass House: The New York Times On
Tech, Living in a Glass House: What is the New York Times?, The World’s Worst
Technology Column (Twitter Threads)

More Power Consumption Hysteria

To quote myself, “hyperbolic power consumption predictions have a dismal track
record” (and from that researcher in particular). We should be focused on
abundant energy, not debating what is and isn’t worthy power consumption under a
scarcity mindset. But if the BBC is worried, they could opt to shut themselves
down to save power. Turning off the BBC would also reduce misinformation, riots,
and failed diplomatic efforts.

Previous: Cloud Power Up

Useful Idiots, Fellow Travelers and Unregistered Foreign Agents: Apple

It is time to start calling out the Chinese Communist Party’s allies in the West
who act on their behalf.

Previous: Xi Jinping Thought on Wall Street Running Dogs, The Perils of Working
for a Cult of Personality, Press Releases We’d Like to See, Best Nickname for
Emmanuel Macron, Winnie-the-Pooh: Lover of Honey, Champion of Freedom, Missing
the (Bamboo) Forest for the (Apple) Trees


October 21
1.5.2024, 16:56 James Governor's Monkchips (Feed)
Introducing the AI Bill of Materials

What’s in the black box? As we go forward we will need a model and machine
readable bill of materials.

It’s becoming increasingly clear that we’re going to need an AI bill of
Materials (AIBOM). Just as with a Software Bill of Materials (SBOM), there are a
set of potentially important questions when we take advantage of an AI model,
which we’re just not set up to meaningfully answer at the moment. The You Only
Live Once (YOLO) approach that OpenAI took when launching ChatGPT is not going
to provide end users with the confidence they need to adopt AI models in
strategic initiatives. Sure we’ll see shadow AI adoption (like shadow IT
adoption, but for AI tools), by marketing departments and sales and so on. The
lines of business won’t allow governance to get in the way of productivity. But
as ever bottom up needs to meet top down, which is where governance comes in.
From an enterprise perspective we will need to get a much better understanding
of the models we’re using, and what went into them. Which is to say, a bill of
materials. Trust and safety are not the enemy. We need to better understand the
AI supply chain.

The AIBOM will need to consider and clarify transparency, reproducibility,
accountability and Ethical AI considerations. After introducing the idea of an
AIBOM to Jase Bell he began to work on a schema, which you can find on GitHub
here. It’s a useful starting point for discussion so please check it out.

Transparency: Providing clarity on the tools, hardware, data sources, and
methodologies used in the development of AI systems.

Reproducibility: Offering enough information for researchers and developers to
reproduce the models and results.

Accountability: Ensuring creators and users of AI systems are aware of their
origins, components, and performance metrics.

Ethical and Responsible AI: Encouraging the documentation of training data
sources, including any synthetic data used, to ensure there’s knowledge about
potential biases, limitations, or ethical considerations.

Weighting, and decisions behind it, become ever more important. Also – origins
are not the only important issue. Sometimes the intended use case is where the
higher duty of care is required. We may want to read the ingredients on a cereal
box, but it’s not a matter of life or death. Taking medicine on the other hand,
you definitely want to know exactly what the ingredients are. So what are we
predicting or generating? The EU regulatory framework for AI discussed below
establishes a hierarchy of low or high risk AI use cases. We’ll see more of
that.

One part of the industry already groping towards the need for an AIBOM as a
business critical issue is commercial open source. There was an interesting post
recently by Matt Asay about AI and open source licensing a few days ago – Making
sure open source doesn’t fail AI. The argument is that open source licensing had
failed in the age of the cloud, and we needed to avoid making the same mistakes.
What jumped out at me however was a quote from Stefano Maffulli, executive
director of the Open Source Initiative (OSI), which certifies what is, and what
is not, open source from a licensing perspective. He said you’d need

“A very detailed description of what went into creating the artifact.”

As Asay writes

“In this world, you’d need to publish all the scripts that went into assembling
the data set, the weights that govern the LLM, the biases you bring to the
model, etc. This, in my view, is a much more interesting and useful way to think
about open source AI, but it’s also far more complicated to deliver in
practice.”

Complicated? Absolutely. But increasingly important.

In a really smart tweet Jordan Hamel makes the case that OpenAI is the Napster
of the LLM revolution.

OpenAI in some ways is the Napster of AI who learned from its mistakes by
getting MSFT on board since they’ve traveled through the legal journey of the
underworld and back and have the $$$ to make it legal. A machine learning model
that can generate copyright derivative material in a variety of modalities does
conflict with existing copyright law and one way or another it’s going to come
to a breaking point. Imagine DMCA for your generated content? Napster blew
people’s minds in the 90’s for good reason and it took well over a decade for
the legal products to exceed its quality and content distribution.

This is spot on. We’ve been shown something incredible, and we want to use it,
obviously. The great softening up has begun. And we need an AIBOM from a
business perspective. Why? The answer is, as ever, found in governance, risk,
and compliance.

Large Language Models (LLMs) could take a wrecking ball to regulated industries.
Any regulation that concerns itself with user privacy, for example, is not going
to survive first contact with LLMs. The HL7 patient data interoperability
standard wasn’t designed with the cloud in mind, let alone AI. Or think about
HIPAA, or GDPR even. So enterprises are justifiably concerned about feeding LLMs
with user data. In areas such as manufacturing, engineering or polluting
industries regulations abhor a black box, but that’s exactly what LLMs are.
Copyright infringement is another potential concern – the first class action
lawsuits have been lodged by authors against OpenAI. Then of course there is the
fear that using public LLMs might lead to security breaches and leakage of trade
secrets. Data residency continues to be a thing, and public LLMs are not set up
to support that either – if German data needs to be held in a German data center
how does that chime with a model running in a US Cloud? And how about prompt
injection as an emerging vector for security threats?

So far tech vendors have been remarkably relaxed about these fears, while
enterprises have been somewhat less confident. Google and Microsoft have
promised to indemnify users if they are challenged on copyright grounds, for
example. Their highly paid corporate lawyers are evidently pretty confident that
a fair use argument will prevail in court, for outputs from AI models. As ever
this is a question about tolerance for risk.

And sometimes the promises about trust don’t stand up to scrutiny. Thus for
example Adobe said its Firefly image generation model was “commercially safe”
because artists had signed up for it – this was apparently a surprise to some
content creators. Adobe, however, has continued pushing its trust credentials
with the introduction of a “made by” symbol for digital images, establishing
provenance, including, for example, if it was made with AI tools.

The EU is moving towards some far-reaching (some might argue over-reaching)
requirements around model-training with its coming EU AI Act.

Some notable statements in the positioning document. Considerations of “high
risk” (All high-risk AI systems will be assessed before being put on the market
and also throughout their lifecycle.)

include:

AI systems that are used in products falling under the EU’s product safety
legislation. This includes toys, aviation, cars, medical devices and lifts
(elevators).

Meanwhile, here is the copyright kicker.

Publishing summaries of copyrighted data used for training

Perhaps we can just ignore EU law. A lot of folks consider the GDPR to be more
of an annoyance than anything else. Facebook can easily afford to pay its $1.3bn
fine – that’s just a cost of doing business, right? The US has replied with
sabre rattling that regulation will only serve to entrench the major players.

Some companies might feel confident in ignoring EU law – YOLO – but if they want
to do business in China, that’s not really an option that’s open. This thread
from Matthew Sheehan is essential reading for anyone interested in AI
regulation, or the lack of it. Also this post. The TL;DR – China is literally
years ahead on AI regulation. In China at least:

The draft standard says if you’re building on top of a foundation model, that
model must be registered w/ gov. So no building public-facing genAI applications
using unregistered foundation models.

So that’s certainly a potential future. China has an AIBOM-like requirement and
policies and procedures and corporate responsibilities that go with it. We’re
all going to have to think through this stuff – Norway just announced a Minister
for Digitalisation and Governance with Responsibility for Artificial
Intelligence, Karianne Tung.

According to Norwegian Prime Minister Jonas Gahr Støre:

Artificial intelligence offers enormous opportunities, but requires knowledge,
management and regulation. Because it must still be the people who determine the
development of technology, not the technology that controls the people.

Sentiments that I agree with. And regulation – that’s going to need an AIBOM.
Major vendors are talking a lot about trust and AI, and jostling for market
positioning accordingly – again, this is where an AIBOM is going to come into
play.

 

Disclosure: Adobe is a RedMonk client. OpenAI is not.


October 19
Today, 17:55 ongoing by Tim Bray (Feed)
Rock Tech

Last night, my son and I took in Guns N’ Roses’ Vancouver show at “B.C. Place”,
the big football/soccer stadium, its roof closed for the event. It was a fine
show, even though I wasn’t and still am not much of a GnR fan. The show deserves
a few words, and also arena-rock concert technology is changing in interesting
ways.

Enlarge to see Slash.

The band

I impulse-bought the tickets when the show was announced. G&R have real cultural
heft and I’d never seen them, seemed like a good enough reason.

There are things to like: The songs are good. And, I learned, they put on a
long, polished, high-intensity show, really working hard to show the fans a good
time.

Here’s the set list. Is that choice of covers weird or what? I suffered
cognitive dissonance watching fresh-faced high-school girls, in
carefully-constructed trashy-rock-chick black leather, howling gleefully along
to Knockin’ on Heaven’s Door, a 50-year-old song written by an 82-year old being
performed by a 61-year-old.

But G&R has never really done it for me; I find Axl’s vocal histrionics
frequently grating. Slash is flashy and has good riffs, but all of his solos
sound like all of his other solos to me. The lyrics are often gratuitously nasty
and ugly. Axl Rose has historically not been a good person, although in 2018 I
was amused on Twitter at him going off his bad-boy brand.

Tech and staging

In my youth, I spent a few early years as the house stage manager for a few rock
venues and got pretty familiar with the way things were done. In recent years,
my musical tastes have become more niche-y, with the pleasant side effect that I
attend concerts in clubs and small theatres. So I’ve been out of touch with
Arena Rock.

Back in the day, in big venues, the show depended heavily on the use of monster
spotlights like for example the Super Trouper. You might have been way back from
the stage, but when someone was going to belt out a crucial lyric or run down
the front of the stage to shred, the spots would light ’em up, obvious where to
look.

No longer. At the show last night (see the photo above) the musicians were
well-enough lit, but lacked that insane Super-Trouper glow. Which didn’t matter,
because of the huge video screens highlighting whoever is currently the key
performer. If you look close in that picture, you can see Slash on a little
downstage-center platform, about as well as I could from where I was standing.
So most of the people at the show are watching a live TV broadcast most of the
time. Except when they’re looking at their phones which they’re using to record
the broadcast.

I shouldn’t be so negative. I mean, it works, you get to see facial expressions
and guitar moves and so on that you never would unless you were at the very
front of the hall. And playing in front of Super Troupers was notoriously hard
on the eyes, Abba even wrote a song about it: “Super Trouper beams are gonna
blind me…”

Interestingly, G&R didn’t project themselves on the huge backing screen;
that was a continuous video presentation, nicely correlated with the music, with
an abstract sci-fi/horror aesthetic. Worked for me.

The sound

A tip o’ the hat to whoever in the G&R team hired the audio crew. They got
sparkling sound in B.C. Place, which is not exactly a regular occurrence.

In particular, they changed the mix all the time. Every time there was a big
guitar break, the instrument was unsubtly boosted for effect, and it was a good
effect. Likewise for vocals and other instruments.

Now, those vocals. Axl Rose was getting a lot of unsubtle technology support for
his singing. He would reach down to a device on his belt and adjust himself
regularly between sections of a song, notably when switching between his normal
mid-range voice and that trademarked Axl shriek. Possibly he’s just lost the
high register and is having it added back synthetically? Also there were
occasional shudder-and-buzz effects added unsubtly.

Sometimes it worked — I mean, you just can’t do Welcome To The Jungle without
going to a glass-shattering yowl. Sometimes it sounded fakey. A couple of times
it just didn’t work, Axl’s lips were moving but no sound was coming out.

Anyhow, glad I went, I loved the crowd, the youngsters in their rock-n-roll
finery and the grizzled middle-agers in basic black. Parents with kids. Couples
mooning, melting into each other during November Rain. The band does a great job
on Live and Let Die. They worked hard to show me a good time and they did. Won’t
go again.


October 18
24.6.2024, 6:00 SEI Blog (Feed)
Assuring Cyber-Physical Systems in an Age of Rising Autonomy
This post discusses research by the SEI and Georgia Tech to address a number of
challenges related to the rising volume of sensor data in autonomous
cyber-physical systems.

October 16
22.6.2024, 19:00 Platformonomics (Feed)
Platformonomics TGIF #26: October 13, 2023

The snark must flow, but not this week…

A Message Not Just For Israelis…

October 14
1.5.2024, 16:56 James Governor's Monkchips (Feed)
Postgres: the next generation. Investing in the next generation of committers.

PostgreSQL isn’t getting any younger. Which is fine – after all, databases
generally improve with age. The platform is going from strength to strength, and is a
default choice for a big chunk of modern software development. But Postgres has
been around for a while – it launched in 1986 – which has an implication for the
folks actually building the database. Just how long will they want to do the
heavy lifting of maintaining a high profile codebase that so many folks rely on?
Postgres is a close knit group and project. Robert Haas, Postgres committer and
chief database scientist at EnterpriseDB writes a regular contribution post and
the latest numbers are salutary – Who Contributed to PostgreSQL Development in
2022?

I calculate that, in 2022, there were 192 people who were the principal author
of at least one PostgreSQL commit. 66% of the new lines of code were contributed
by one of 14 people, and 90% of the new lines of code were contributed by one of
40 people.

The core development community is aging somewhat – the average age is probably
around 50. Which is totally fine. 50 year olds are more than capable of doing a
shitload of work – don’t ask me how I know. Tom Lane, who works at Crunchy Data,
is 68 and he’s still the Postgres project’s fulcrum. Long may that continue.

The Postgres community is amazing. Open Postgres governance is something we can
and do rely on, which is refreshing in the current era of commercial open source
licensing rugpulls. But as an axis to consider in terms of open source
sustainability let’s assume that Postgres is still going strong in say, 20
years. Who is going to be doing the work in 2043? I had a fascinating
conversation with Nikita Shamgunov, CEO of Neon recently and one of the subjects
we discussed was aging in tech projects and its relationship to project
sustainability. Neon is a fully managed Postgres database optimised for
serverless apps, separating storage from compute – the database is just a URL.
That’s the design principle. It allows for branching, with preview deployments –
thus Neon’s partnership with Vercel. Make it easy, make it modern, make it a
zero config API. Neon has 62 employees and has raised $108m so far. It competes
with the likes of Supabase. But back to the subject at hand.

According to Shamgunov:

If you look at the Postgres committer crowd they’re in their 50s, 60s, 40s and
maybe a few in their 30s. It takes a lot of effort to become a committer but
very little to be a contributor – you just need to write good code.

I think we’re doing good to the world by hiring more junior people and training
them to become committers and hopefully maintainers. It’s very important that
the Postgres engine continues to evolve.

Neon is being intentional about investing in the next generation of
contributors, committers and maintainers. The natural move for a lot of
companies is to try and hire the existing top talent, rather than fostering new
blood.

We debated whether to just find more Postgres committers and hire them. But it’s
not clear that would be spending our money in the best way. If we train new ones
it’s better, and that’s how we can keep ramping the Postgres team.

There are some interesting questions here. For example – consider Neon’s IP,
which is currently permissively licensed, but Shamgunov is not an open source
zealot. What happens if in a few years the company decides to relicense, as
other database companies have – see for example Redis, MongoDB and Elastic. Neon
would be perfectly within its rights to relicense under more restrictive terms,
potential community blowback aside. But any code they had contributed to
Postgres? That’s not going to be affected. Having core Postgres maintainers on
staff is a pretty good example of enlightened self interest and should serve to
keep the company honest. Whatever decisions Neon makes in future, assuming they
have employees dedicated to making Postgres better, then the community and core
codebase still wins.

Cohort aging is certainly not a problem that’s unique to Postgres. Anyone
remember the year 2000 bug? Communities and ecosystems do get older, which can
be an issue when it comes to skills and staffing and rejuvenation. IBM has done
a great job of bringing younger developers into the mainframe fold, for example
with vocational education programs at universities – here is a post I wrote
about that a while back.

There are plenty of projects with literally millions of users that are run by
one or two people and don’t have the level of corporate sponsorship we see
with projects such as Postgres or even Kubernetes. Postgres isn’t in any sense
struggling to attract new users – there are plenty of 22 year olds defaulting to
it today. It’s a hugely popular platform. But yes, ensuring the ongoing
maintenance of the project will require some intentionality, funding, and
enlightened self interest.

 

Disclosure: Neon is not a RedMonk client. Crunchy Data, IBM and Vercel are all
RedMonk clients. This piece is published independently of any client
relationships.

The illustration above was created with Midjourney.


October 10
24.6.2024, 6:00 SEI Blog (Feed)
Secure by Design at CERT
The national cybersecurity strategy calls on tech providers to ensure that all
their products are secure by design and secure by default. This post highlights
the SEI CERT Division's continued and longstanding efforts to ensure security by
design in fielded software.

October 9