lc

• lc 3 Nov 2025 14:06 UTC

  4 points

  0

  on: An Opinionated Guide to Pri­vacy De­spite Authoritarianism

  The best privacy/​security guide I am aware of is Michael Bazzells book. Michael Bazzell is a former computer crimes investigator, and his methods are red teamed at least in the sense that he works with e.g. people with extremely determined stalkers. Some things that book goes over that this doesn’t:

  • How to buy your home/​car/​P.O. box with LLCs and keep them out of your name, how to get a SIM card not tied to you personally.

  • The who/​what/​where of how your personal information (incl. address, phone number, etc.) gets collected in the first place, and ends up in public databases (which of course the government also leverages). What you can do about data already there, to the extent that you can do something.

  • (For people in really advanced situations) How to disinform in a way that actually works & ends up poisoning records, for example by taking up an electricity bill inside a building you don’t own.

  Obviously the government has capabilities that private individuals don’t, so maybe the threat model here is different. For the most part though I would say that peoples’ biggest privacy/​security risk is that there are infinity public databases with all of their personal information, and anybody with a credit card can pull up their address. Stopping the inflow to those should be priority #1 and the solution isn’t even really that digital, it’s just arcane legal procedures.

• lc 30 Oct 2025 17:46 UTC

  24 points

  0

  in reply to: peterbarnett’s comment on: AISLE dis­cov­ered three new OpenSSL vulnerabilities

  Two of the bugs AISLE highlighted are memory corruption primitives. They could be used in certain situations to crash a program that was running OpenSSL (like a web server), which is a denial of service risk. Because of modern compiler safety techniques, they can’t on their own be used to access data or run code, but they’re still concerning because it sometimes turns out to be possible to chain primitives like these into more dangerous exploits.

  The third bug is a “timing side-channel bug” with a particular opt-in certificate algorithm that OpenSSL provides, when used on ARM architectures. It’s a pretty niche circumstance but it does look legitimate to me. The only way to know if it’s exploitable would be to try to build some kind of a PoC.

  OpenSSL is a very hardened target, and lots of security researchers look at it. Any security-relevant bugs found on OpenSSL are pretty impressive.

• lc 30 Oct 2025 16:49 UTC

  17 points

  0

  on: AISLE dis­cov­ered three new OpenSSL vulnerabilities

  I don’t know if OpenSSL actually goes through the process of minting CVEs for a lot of the security problems they patch, so this may sound more impressive than it is. My company has reported several similar memory corruption primitives to OpenSSL in the last month found by our scanner and I’m not sure if we ever got any CVEs for it.

  Because AI security startups are trying to attract media attention, they have a habit of crediting findings to an AI when they actually involved a bunch of human effort—especially when their tools are not publicly available. You should be healthily skeptical of anything startups report on their own. For a practitioner’s perspective on the state of security scanning, there was a blog post posted last month that provided a good independent overview at the time: https://​​joshua.hu/​​llm-engineer-review-sast-security-ai-tools-pentesters^[1]

  1. ^

     Full disclosure: we’ve since hired this guy, but we only reached out to him after he posted this blog.

• lc 27 Oct 2025 15:47 UTC

  29 points

  41

  in reply to: 1a3orn’s comment on: 1a3orn’s Shortform

  As a rationalist I also strongly dislike subtweeting

• lc 20 Oct 2025 16:35 UTC

  3 points

  0

  on: Cheap Labour Every­where

  One small thing I noticed when living in India is how the escalators would stop moving when people got off them, just to save a little power.

• lc 19 Oct 2025 18:23 UTC

  9 points

  2

  in reply to: Vladimir_Nesov’s comment on: lc’s Shortform

  As soon as you convincingly argue that there is an underestimation, it goes away

  It’s not a belief. It’s an entire cognitive profile that affects how they relate to and interact with other people, and the wrong beliefs are adaptive. For nice people, treating other people you know as nice-until-proven-evil opens up a much wider spectrum of cooperative interactions. For evil people, genuinely believing the people around you are just as self-interested gives you a bit more cover to be self-interested too.

  What links here?

  • Vladimir_Nesov's comment on Shortform by lc (19 Oct 2025 19:49 UTC; 3 points)

• lc 19 Oct 2025 2:00 UTC

  59 points

  52

  on: lc’s Shortform

  Bad people underestimate how nice some people are and nice people underestimate how bad some people are.

• lc 11 Oct 2025 2:31 UTC

  10 points

  −4

  in reply to: Daniel Kokotajlo’s comment on: Daniel Koko­ta­jlo’s Shortform

  You left out the best part:

  “Nishin,” you say. “Nobody is accepting your romantic overtures because of Twitter. Nobody is granting you power. Nobody is offering you mon(ey).”

• lc 7 Oct 2025 2:12 UTC

  104 points

  73

  in reply to: abramdemski’s comment on: abramdem­ski’s Shortform

  Even if this rumor isn’t true, it is strikingly plausible and worrying

  

• lc 30 Sep 2025 15:33 UTC

  8 points

  8

  on: On Dwarkesh Pa­tel’s Pod­cast With Richard Sutton

  Obviously the training data of LLMs contains more than human dialogue, so the claim that the pretrained LLMs are “strictly imitating humans” is clearly false. I don’t know why this was never brought up.

• lc 26 Sep 2025 23:23 UTC

  81 points

  27

  on: lc’s Shortform

  The background of the Stanislav Petrov incident is literally one of the dumbest and most insane things I have ever read (attached screenshot below):

  

Be­ware LLMs’ patholog­i­cal guardrailing

• lc 15 Sep 2025 4:34 UTC

  7 points

  0

  in reply to: Ben Pace’s comment on: lc’s Shortform

  The purpose of these audits is not generally to verify with certainty that you’re doing everything you say. That would be very hard, maybe impossible. Mostly you fill out a form saying you’re doing X. If it turns out later after a breach you weren’t doing the stuff you claimed to do during the audit, you’re sued.

  We’re doing a PoC right now for a company with >400,000 employees. I am not their security team, and we haven’t sold yet, but on our end everything we’ve run into is normal procurement BS. The main thing that happens as you start to sell to larger customers is that you have to fill out a lot of forms saying your product does not use slave labor and such.

• lc 15 Sep 2025 4:29 UTC

  8 points

  0

  in reply to: Max H’s comment on: lc’s Shortform

  There is no such thing as directionally correct. The tweet says “If you use Crowdstrike, your auditor checks a single line and moves on. If you use anything else, your auditor opens up an expensive new Chapter of his book.” This is literally and unambiguously false. No security/​compliance standard—public or private—requires additional labor or verification procedures for non-Crowdstrike EDR alternatives. The steps to pass an audit are the same no matter what solution you’re using for EDR. Further, as a vendor, there is a very low ceiling for supporting most of the evidence collection required for any of the standards you cite, even at large scale. Allowing your users to collect such evidence (often, just screenshotting a stats page) is not nearly the largest barrier to entry for new incumbents in Crowdstrike’s space.

  Further, the larger implication of the above tweet is that companies use Crowdstrike because of regulatory failure, and this is also simply untrue. There are lots of reasons people sort of unthinkingly go with the name brand option in security, but that’s a normal enterprise software thing and not anything specific to compliance.

• lc 12 Sep 2025 19:08 UTC

  44 points

  6

  in reply to: Ben Pace’s comment on: lc’s Shortform

  It’s not the tweets, it’s the retweets. People’s tweets on Twitter are usually not that bad. Their retweets, and, for slightly crazier people, their quote tweets are what contain the bizarre mischaracterizations, because they’re the pulls from the top of the attention-seeking crab bucket.

  I run a company that sells security software to large enterprises. I remember seeing this (since deleted) post Eliezer retweeted last year during the Crowdstrike blue screen incident, and thinking: “Am I crazy? What on earth is this guy talking about?”

  

  The audit requirements Mark is talking about don’t exist. He just completely made them up. ChatGPT’s explanation here is correct; even if you’re selling to the federal government^[1], there’s no “fast track” for big names like Crowdstrike. At absolute maximum your auditor is going to ask for evidence that you use some IDS solution, and you’ll have to gather the same evidence no matter what solution you’re using.

  Now, Yudkowsky is not a mendacious person, and he isn’t going to pump misinfo into the ether himself. But naturally if anybody goes on Twitter long enough they’re gonna see stuff like this, and it will just feel plausible to you. It will pass whatever cogsec antimalware blacklists & heuristics you’ve developed for assessing the credibility of things on the internet.

  Probably because, like, if you overheard this kind of thing at a party, it would be credible! It’s only on this platform, where people are literally stepping over one another to concoct absurd lies for attention, where people are additionally incentivized to present as having personal expertise in the lie to go slightly more viral, and then an algorithm is selectively boosting the people that do that well enough and effectively enough to the top of your feed, that you encounter this nonsense. And then it goes into your world model, and the next time you see someone claim some crazy thing about how the food industry is in cahoots with Big Chicken you’re more likely to believe it, etc. etc.

  1. ^

     And the vast majority of software companies, to be clear, don’t have to do anything like FedRAMP. The largest and most ubiquitous compliance frameworks, like SOC2 or ISO 27001, are self-imposed standards maintained by nonprofits like the AICPA and have nothing to do with the government.

• lc 12 Sep 2025 1:40 UTC

  43 points

  8

  in reply to: AnnaJo’s comment on: lc’s Shortform

  This framing underplays the degree to which the site is designed to produce misleading propaganda. The primary content creators are people who literally do that as a full time job.

  Like, I’ll show you a common pattern of how it happens. It’s an extremely unfortunate example because a person involved has just died, but it’s the first one I found, and I feel like it’s representative of how political discourse happens on the platform:

  

  First I’ll explain what’s actually misleading about this so I can make my broader point. The quote tweeted account, “Right Angle News Network”, reports that “The official black lives matter account has posted a video stating that black people ‘have a right to violence’ amid… the slaying of Iryna Zarutska”. The tweet is designed so that, while technically correct, it appears to be saying the video is about Iryna’s murder. But actually:

  • The video the account posted is taken from a movie made forty years ago.

  • The account doesn’t reference the murder at all. The only connection that the post has to the murder is that it was made a few days after it happened, which I guess means that it was posted “amid” the murder.

  As is typical, the agitator’s tweet (which was carefully designed not to be an explicit lie), is then “quote tweeted” and rephrased by a larger account, who attempts to package the message for more virality. In this case the person just says “Official Black Lives Matter account justifying the murder of Iryna Zarutska”. But that’s not actually established at all! The quote tweeter is just reading a certainty into a tweet that was deliberately engineered to be misread.

  This pattern happens everywhere, for every socially charged topic, on every side. “Your enemies are saying X horrible shit” is possibly the most common form of slander on Twitter. It happens especially often when people are posting about stuff that happens on other platforms, because there it’s extremely easy to lack context or mislead people about what’s going on.

• lc 12 Sep 2025 1:07 UTC

  11 points

  2

  in reply to: Joseph Miller’s comment on: lc’s Shortform

  Only inasmuch he’s a proof-by-example. By that I mean he’s one of the most earnest/​truthseeking users I found when I was still using the platform, and yet he still manages to retweet things outside his domain of expertise that are either extraordinarily misleading or literally, factually incorrect—and I think if you sat him down and prompted him to think about the individual cases he would probably notice why, he just doesn’t because the platform isn’t conducive to that kind of deliberate thought.

• lc 11 Sep 2025 21:22 UTC

  93 points

  67

  on: lc’s Shortform

  I don’t think it’s possible for mere mortals to use Twitter for news about politics or current events and not go a little crazy. At least, I have yet to find a Twitter user who regularly or irregularly talks about these things, and fails to boost obvious misinformation every once in a while. It doesn’t matter what IQ they have or how rational they were in 2005; Twitter is just too chock full of lies, mischaracterizations, telephone games, and endless, endless, endless malicious selection effects, which by the time you’re done using it are designed to appeal to whichever reader in particular you are. It’s just impossible to use the site as people normally do and also practice the necessary skepticism about each individual post one is reading.

• lc 9 Sep 2025 19:12 UTC

  32 points

  25

  in reply to: Richard_Ngo’s comment on: ricraz’s Shortform

  More generally, leftists profess many values which are upheld the most by western civilization (e.g. support for sexual freedom, women’s rights, anti-racism, etc). But then in conflicts they often side specifically against western civilization. This seems like a straightforward example of pessimization.

  Not at all. The trend is that in any given context, American leftists tend to support the ‘weaker’ group against the stronger group, regardless of the merits of the individual cases. They have a world model that says that that most social problems come from “big” people hurting “little” people, and believe the focus of their politics should be remedying this. In the case of Israel-Palestine, Israel and the United States are much more militarily and economically powerful than Gaza, so ceteris paribus^[1] they side with Gaza, just as they side with women, ethnic minorities, the poor, etc. You may disagree with this behavior but it’s fairly consistent.

  By contrast, the argument that Israel is a bastion of western values and therefore leftists should support its war against a smaller neighbor is kind of abstract. The immediate outcome of Israel winning the war is just that Israel gets stronger, not that women in Gaza become more free. There’s also a thing there about Gazans being brown and Israelis not, etc...

  None of this has anything to do with liberals pessimizing their own values, and it feels like you must have a blind spot somewhere if you’re reaching for that explanation when there’s a much simpler and more obvious one readily available.

  1. ^

     Liberals’ protests in support of Palestine are additionally amplified as a result of a media diet that drip feeds them an artificially strong amount of Israeli war crimes, instead of western liberal hysteria.

• lc 9 Sep 2025 2:02 UTC

  6 points

  0

  in reply to: testingthewaters’s comment on: ricraz’s Shortform

  I seriously doubt Richard recommends any of the regimes/​interventions you actually argue against here.