What's your thinking on this? From my perspective Apple security go pretty hard. They have a strong track record of being able to ship architectural mitigations like PACs / MIE / Exclaves first. I guess because Apple control the stack from silicon to userspace.
My thinking was in a historical context, and for their desktop OS's. I know they've been pretty on top of things with iPhones, and MacOS has become a lot better, but for the longest time MacOS was pretty lacking, coasting very much on promoting how much PCs have viruses and macs didn't, which was a marketshare thing more than a security thing. I don't think they got ASLR until later than pretty much everyone else, for example.
They've improved a lot, especially their phones, but I'd still never consider them a company that has a really strong focus on security.
That's a really strange claim given AS was a refinement of a technology other manufacturers have yet to surpass in the ten years since the T1 chip came out.
To this day nobody else ties their SMC, biometric auth, and HSM together as tightly and well as the T1 did. AS was further advancement of that.
Furthermore, Apple protects users against the legal changes that have allowed law enforcement to physically force someone to provide biometric credentials. By default MS just provides biometric auth to make it easier to log in to your system.
iOS always had a strong focus on security but if you take the time period say 2005 - 2015 it did not seem like there was much investment in macOS security at Apple. I am talking about stuff like exploit mitigations and relatively low hanging LPEs. Features like (full) ASLR / SIP / kext controls were added well after competitors.
They were not "coasting" on anything. Everything about OS X has always been designed to protect users from the stuff Apple hasn't caught yet, because they know they can't always catch it first - and Apple has led the pack in nearly every major OS security feature of the last 25 years.
That includes "don't give the user root, and ask the user for their password before doing dangerous things" - four years before Linux distros started moving to a similar model.
Didn’t Microsoft pioneer the privilege escalation prompts in Vista in 2007? It was a joke at the time how little things would hijack the entire screen to allow seemingly mundane things. I didn’t ever use Vista personally or professionally, but macOS has become pretty bad with basically the same model.
IMHO, both are a mode of progressively penalizing developers as a mode of API obsoletion. It doesn't feel like the opportunity to fix a degradation of user experience really motivated app developers in either case.
The difference is Apple is much more likely to progressively make these legacy feature compatibility more difficult for users to configure over time, and to remove them eventually.
Microsoft's Secure Desktop feature is actually incredibly well designed, and provides strong protect against fraudulent prompts or prompt interception attacks.
It is the default (unless they changed it in the last 2 years or so). I know for a fact that my PC and Laptop don't ask for my password and I know for a fact that I reinstalled Windows on my laptop less than 2 years ago and changed nothing regarding the UAC prompt (the closest that is even remotely close is enabling sudo in the settings).
Yeah, they were. Virus writers were not targeting them as a platform because why develop for 10% marketshare when you can target 90% for free. It just wasn't worth it to target as a platform. So there was some level of protection due to lack of interest in distributed attacks, but the OS had very little protection against targeted attacks.
> Apple has led the pack in nearly every major OS security feature of the last 25 years.
What an absurd claim. Apple trails behind, it never leads in this space. Windows 7 had numerous protections that had become standards that Apple still lacked when Windows 10 came out.
Recently there was an Anki vulnerability that gave any website access to any local files. On Windows or Linux this would be deadly. On macOS, Anki can't access my desktop or documents or Chrome storage or password manager storage. I think Apple's been smart about which security features it prioritizes.
> That includes "don't give the user root, and ask the user for their password before doing dangerous things" - four years before Linux distros started moving to a similar model.
Linux distros have always required sudo for "dangerous" things. What distros made users root by default?
> I guess because Apple control the stack from silicon to userspace.
People always say this but there is no real relationship there. When hardware vendors add security technologies to the hardware, the major third party operating systems add support to use it pretty much immediately, and in many cases before the hardware even ships because the hardware vendor publishes the documentation ahead of time.
Try to name something where Apple was the first to support something (by a non-trivial amount of time) not because they were the first to add hardware support but because they released the combination of hardware and software in the time between when e.g. Intel or Qualcomm added hardware support and when Linux or Windows added software support to use it.
I find this complaint hard to square when US developers earn "moon money" compared to both: a) fields requiring similar levels of expertise like EE or Mech-E and b) international developers in similar roles. Plus, equity.
The vast majority of tech workers in the US make nowhere near FAANG-money and have never had meaningful equity.
Also the fact that people in group $X are getting screwed more than people in group $Y is no reason not to fight to not get screwed if you are in group $Y.
This leverage all has to do with the product, how close you are to it and how valuable it is. FAANG product is valuable, but the programmers are still just creating it and usually a small part of it at that. Pilots are the product when the product is "get plane to destination" they are the 1 or 2 people providing that product (ok service). Athletes are the product of sports. It's very valuable and there's only a dozen or so of them to deliver.
Now, using the leverage is the difficulty to unionize. Athletes are a tiny group, pretty easy to organize. Pilots are a small group, also pretty easy to unionize. The fact they have to be licensed means there is a record for all the people needed pull in. Software engineers seem to be 5x-20x larger population than commercial pilots (quick/rough searches). They have no certification or registry organization and have no common affiliations. It's incredibly difficult to organize this group. There's also no regulatory capture requiring developers to be US citizens so, if you did unionize and tried to negotiate too hard the industry would just move away from the US so there's just not a lot of leverage this profession has.
Pilots also spend years logging hours in small airplanes, then regional airlines, getting paid relative peanuts, working crazy hours, rarely home, etc. before they land a high-paying job at a major national airline. And any hint of health problems, depression, substance abuse, etc. they fail their medical and it's all gone.
These "unions" in high paying fields behave more like guilds or cartels than worker's unions - they generally restrict supply. Athletes and Hollywood unions are sort of special cases too, IMHO. I don't think it's reasonable to claim that top earners in those fields earn so much because of their unions - they benefit from natural supply restriction of outliers.
For unions to be as effective in tech as for say pilots or doctors, you'd have to agree on a way to restrict supply (H1B restrictions, more licensing and credentialling etc) to give the union leverage. You have to control the supply taps and rate limit entry to the field.
I think it's hard to say if this would net out better for workers than the current arrangements, which are already the best in the world on nearly every metric.
It also seems like there's a timing issue - if tech workers DID successfully unionise enough to withhold a meaningful fraction of labour, the gains might ultimately end up in the market cap of AI companies via substitution.
Structurally the way it works is that the AMA or ALPA or what have you lobby for regulations that just so happen to limit supply, and heavily push back whenever anyone proposes regulations that would loosen it, usually on safety / quality grounds.
There are also revolving doors between the regulator and the relevant professional bodies.
I'm pro union in cases where employers are a monopsony and workers have few options - it completely makes sense for coal miners in a coal town to form a union to even things out. I just don't think US tech right now meets the conditions for it to make sense, the market is too liquid for employers to capture all the upside.
US tech workers have real problems and complaints - PTO, maternity leave, health care to start - but these feel to me more like structural features of the US labour market? It makes more sense to me that these should be subject to national regulation rather than specific advantages for tech workers carved out by a union.
Its very simple. Look at the profit margins of those companies, there's simply a lot more to share.
If you don't need to buy a product to make a product, or when you have to that's typically pennies on the dollar you can share a lot more of that.
The real difference here is that when the market is favorable you CAN share more. And Samsung is doing so. In the US you probably wouldn't be able to do this because the shareholders will cry and will happily give a 100M bonus to whoever will 'lead' the company better. Where better means diverting as much as possible to the shareholders
The US has some of the highest levels of wealth and wage inequality in the developed world, and it's never had greater economic stratification in 1-2 lifetimes.
The number of people making "moon money" is very, very small compared to everyone else in the industry.
There’s no discussion about risk, investment or variance in the post. I want my life to be uniquely GREAT but unless you apply a bit of strategy the outcome of "do improbable things" could just as well be uniquely BAD.
Everyone notices that huge outlier successes seem to follow their own unique paths but the millions of failures who weren’t as lucky or strategic are quiet or invisible. You can’t just focus on the outcome or the actions, you have to understand the process and respond to feedback.
Successful people get to weird places via search, not throwing darts.
Make lots of small bets and double down on the ones that seem to pay off. Be willing to push things further than “most reasonable people” would but only if you can get concrete signals of reward.
“If you think you can fly, start by trying to take off from the ground”.
Weird question, do you think AIs might prove a lot of theorems that are mainly useful to other AIs (i.e, make nearly no impact on the human culture of working mathematicians), which then get used to prove results that humans do actually care about?
It seems like if AIs can prove and index a huge number of (largely uninteresting to humans) things there might be sort of "parallel cultures"? Big results are most valuable to humans and AIs both (most context efficient!), but a very large number of less general but still non-obvious results might be an effective approach to solving problems?
Funnily enough a lot of this "extension sprawl" is caused by the _difficulty_ of installing tools on locked down Windows machines. I recently moved to a locked down SoE and instead of being able to use regular tools (which require a lengthy negotiation process to install) I now use extensions for absolutely everything, _because_ they're not currently policed in the same way...
At my last workplace I was not allowed to install JSON viewer/prettier extension for my browser, but I was allowed to install VScode with random JSON plugins.
Also predictability, resilience, sovereignty. I'm not worried about other people's outages, that unexpected demand will impact me at an inconvenient time, that someone's watering down my model, that my costs will change unpredictably or that some unforseen error will lead to a huge bill.
It's in the same category as rooftop solar for me. It doesn't have to make strict economic sense if you're the particular type of person who gets peace of mind from control of infrastructure / reduced dependency.
Right but at n=1 you are writing the policies, reviewing them, signing off on them yourself, raising risks, then ducking out the back and running out again with a fake mustache so you can accept the risks you raised... regarding yourself... lol.
Audits rely on a _certain_ amount of ceremony and theatre.
However, since you typically pay for audits / certifications yourself you might find someone who is willing to entertain the charade if you shop around enough. Probably a solo auditing firm :)
I think the idea is that you can launder your team or product AI spend through your AWS account. This matters in Enterprise. It looks like the difference with Bedrock is that you access more "Claude platform" stuff than just the model.
More charitably, this lets an org heavy on AWS use their existing IAM / SSO / Finops processes to manage Claude stuff, this is genuinely helpful when otherwise you have to go thru several teams and build out whole new rails to adopt.
I've always wondered how this plays out in practice. I might certify that I have signing authority but I most certainly do not. What happens in the US (in Delaware?) when there's a dispute?
We had a customer try to back out of a contract by claiming the person signing didn't have authority. It didn't work because the person's manager (who has authority) was included in all of the communication.
Legally it didn't matter whether the signer had authority because the way the signer's company behaved during the signing process implied that the signer had authority.
E.g. If the CTO at a company tells a vendor to "send the contract over to my product manager" then the CTO created the impression with the counterparty that the product manager has authority, and the company will be hound to the contract based on that fact regardless of whether the product manager actually has authority or not.
I'm sure it's more nuanced than this, but my understanding is actual authority is less relevant than implied authority. E.g. if you have your board of directors take away the CEO's authority to sign a contract, it doesn't automatically invalidate everything the CEO signs, since a counterparty can reasonably assume that the CEO has authority just based on their job title.
Generally any W-2 has authority to enter into contracts, strictly from the vendor’s POV. As a vendor you don’t need to get your customer’s publicly listed officer or director to sign off on contracts. The W-2 can also be fired for entering their employer into the contract, but that's not (directly) the vendor's problem.
Once a vendor has entered into a contract, that could change - e.g. "any change orders must be approved by $EMPLOYEE_SET".
It's absolutely wild that every W-2 employee can expose their employer to essentially unlimited liability, but AFAIK, that's the truth.
This is my day job. I couldn't get access to the Claude Platform even with a business goal justification because of the management overhead while having Anthropic model access with Bedrock.
Through AWS, assuming the underlying data governance is reasonable, this will be a much easier pill to swallow.
yes it sounds like a hack to get access to untracked spend in corporate accounts.
In my org, I have to file a form for reimbursement if I bought a pencil for $0.25 but in AWS? spend varies by +/- $5k per month and nobody even questions it. This will definitely make it trivially easy for me to build on Anthropic's services without even telling anybody vs the hoops I would have to jump to get it paid for another way.
Another selling point has been a guarantee of 1:1 api feature and design parity between Anthropic and this Claude platform. Helps if you have workloads you want to balance between providers.
Nah that's not what's happening here. This service is offered under AWS Marketplace. The only argument is actually probably a shared billing console, and that's where it ends. Won't matter for small companies, small fish, but the for the big pond this means new contracts to check, lawyers and so on. So not really a "revolution" happening. News for startups, yes, but not so much for the big corps or gov.
reply