Owning the entire stack has benefits for sure, especially if you're dominating the market. But it also comes at a huge cost - you now need to pay for R&D for the whole stack yourself.
Tesla was dreaming of dominating the market. But it looks like it peaked already and its sales are falling. Having to do R&D for the entire stack without growth is a very very costly proposal. It often results in just not doing R&D, and falling behind.
> Tesla has solved the problem of unit profitably manufacturing EVs. Outside America and other petrostates, these are broadly accepted to be the future of transportation. (It’s getting its ass kicked by BYD, which didn’t distract itself with a Cybertruck or what increasingly looks like an Optimus follow-on. But being the only American challenger in a new economy is not worthless.)
They solved it by borrowing from the future and gutting their R&D. That's the main cost in the car industry and Tesla basically just stopped developing new models many years ago, to the point that they struggle with a simple refresh.
> Tesla’s also led by a man who has consistently made money for his investors. Even when bets are bad, e.g. Twitter, he’s financially engineered an outcome that ensured, at the very least, nobody who backed him lost money.
That man also walks a very thin line between engineering outcomes and fraud, let's not forget that.
> solved it by borrowing from the future and gutting their R&D
Not relevant to unit profitability. Tesla’s American competitors can’t turn a profit on each car production-wise.
> man also walks a very thin line between engineering outcomes and fraud
Sure. But the point is to the degree investors were misled, they were made whole and then some. That’s why they keep backing him. He’s done well by them, regardless of the methods.
> Not relevant to unit profitability. Tesla’s American competitors can’t turn a profit on each car production-wise.
To quote a great commenter here, you can "engineer that outcome". While there are rules, details are mushy and as a result companies can fairly freely decide what to include in cost per unit.
Is there anyone credibly claiming that Tesla loses--or has always lost--money on every car it made? (I'm including the proviso in case they fucked up their production in the last year, which I both wouldn't be surprised by and haven't looked into.)
In Germany (and probably in the UK too), you now have to be very careful about what you write online. There is actually a section 188 that makes insulting, defaming, or slandering people in political life a criminal offense. You can now face heavy fines for minor insults (“idiot”) or even have your home searched. A VPN can be useful here.
If anyone wants some background info on the "idiot" comment:
A Bavarian man captioned an image of Robert Habeck (the vice chancellor of Germany at the time) with "Schwachkopf Professional" - "Professional Idiot". It was styled after the Schwarzkopf ad campaign. For this, Habeck filed a criminal complaint "to stop hate crime" against the man and the man's apartment was searched by the police and a tablet confiscated. Oh, and he was arrested over it as well. [0]
(The man was also accused of posting some Nazi imagery earlier in the year, but the order to search his house seems to be related only to the insult. [1])
Imagine if you could be arrested for calling your (vice) president an idiot.
> Imagine if you could be arrested for calling your (vice) president an idiot.
You must not set foot in the USA, India, China, et cetera, then.
Imagine you say? Getting arrested might be the least of your worries in today's world if you decide to call a president (or the immediate underling) an idiot in many countries :D
This is actually not uncommon in most of the world. American 1A is actually an extremely novel concept most other countries still haven't caught up on.
American 1A is as strong as it's proving to be right now and increasingly proving to be stronger and stronger by the day, since January this year!
Many other countries have protections like that, "on paper" (!!!) - but the point is in how it is used or misused, or rather completely ignored - directly or indirectly, like in the USA currently and many other countries in the world.
The UK, where the government has literally smashed printing presses in the newspaper age when magazines were thought to be publishing embarrassing news about the Crown? Where the government's legal authority to do so is still intact? That UK?
3. Avoiding government-mandated record keeping by ISPs in a country like the UK, where all ISPs have to keep a year of your browsing history and it can be accessed warrant-free by 17 different agencies (including DEFRA, the agriculture agency).
And yes, I'm aware that you're most likely trading one surveillance for another - but honestly at this point I'd much rather trust my paid VPN provider with my browsing data than my ISP and ultimately the government.
Given that most of the web has TLS and you can easily do DNS over TLS - that's very very high level metadata, where I personally just don't see much ROI vs. giving that metadata to a random company with no regulations whatsoever.
> but honestly at this point I'd much rather trust my paid VPN provider with my browsing data than my ISP and ultimately the government.
Your ISP will need to comply with local laws and regulations, and you'll have some recourse if broken. A third-party VPN operating in an overseas jurisdiction could be doing anything with your data.
Unless it's selling the data back to my own government, I'd rather a foreign commercial VPN provider have that information rather than my own domestic ISP or my own domestic government.
My government can do parallel construction, can send teams of armed gunmen to my house, and otherwise find far more methods to persecute me than the intelligence services of Russia or China can.
Being innocent of any kind of crime does not necessarily remove one from the crosshairs of law enforcement organizations, particularly the FBI, who have an extensive, well-documented history of violating citizens' constitutional rights, conducting partisan witch hunts against political opponents, being a lawless menace to civil rights activists, anti-war activists, gay rights activists, both pro-abortion and anti-abortion activists, and is probably busy right now planning on being a menace to trans inclusivity activists.
There is no such thing as a friendly government, but I'd much rather have my data in the hands of a government 10,000 miles away than in the hands of my own government. My own government hunts, injures, stalks, harasses, socially ostracizes, and even kills my fellow citizens far more than any foreign government ever has.
The original use for a VPN - getting access to private resources - is still very much in play.
I don't just mean being able to access some private web interface you have on a private server at home, I mean connecting a satellite office to the main corporate office.
But for all of these consumer marketed VPNs, I think your list has 90%+ covered...
Interesting that we use the same word to describe both technologies, but semantically and technically they are very different.
Perhaps we use the same word to describe them because initially they did use the same technologies, but they have branched out ever since? Maybe IPSec would be a common tech used. But the algorithms are not the same anymore since they serve different purposes (Personal privacy vs corporate/sysadmin security)
In the corporate world VPNs were usually a lower level abstraction security mechanism or a redundant security mechanism to either complement application layer security, or to hot-patch modern security onto legacy LAN systems. VPN encryption is usually provided by the local router. Common algorithms are IPSec/IKEv2.
In the personal privacy world, we are talking about a proxy that hides identification such as IP addresses, and pools connections to provide privacy. The actual encryption is not the main security mechanism even, as it only covers the transit between consumer to proxy, leaving (a potentially longer transit) between the proxy to the actual destination.
In terms of purpose and architecture it's closer to bitcoin tumblers, or Tor or Freenet, or money laundering placement. The fact that they call it VPNs seems to me more of a marketing scheme or political play to avoid association with all of the above, than an actual technical or academical description. If someone were to analyse these technologies, I'm sure a neutral or critical approach would avoid uncritically calling them VPNs in the same way that research is published not about Viagra, but on Sildenafil.
> Interesting that we use the same word to describe both technologies, but semantically and technically they are very different.
That's where my head was at. When I hear my colleagues talk about a VPN, I'm thinking about an IPSEC tunnel and an afternoon of swearing at ios on some outdated ASA. When I hear regular people talking about a VPN, my mind immediately goes to "oh, so you want to watch rick and morty on netflix and don't know anybody hosting a jellyfin/plex server".
When do we coin a new term? Or do we? Does "vpn" turn into a word like "truck" where it's only the context that tells you if we're talking about a 2 axle pickup truck in a home depot parking lot or something pulling a 40ft container unit?
How do authoritarian regimes differentiate business and consumer network traffic, for the purpose of inspection and decryption, censorship of specific content, or blocking of specific protocols? This also overlaps with net neutrality and dumb pipes vs. content-centric metering.
Company VPN most likely goes to a set IP address associated with a business. And this is most likely a rather static thing. So tracking data going there is most likely legitimate. And well on other side they can make whatever comes out from business IP a problem for business.
A ton of ISPs use deep packet inspection for various kinds of filtering (and other shenanigans). When they get it wrong it manifests to the user as certain websites or access patterns being inaccessible and the ISP's customer support agreeing that you should have access and being able to do fuck all to fix it. A VPN in the middle usually solves the issue.
Wait, I think an ISP cannot inspect the content of packets that are encrypted, say, with HTTPS. In order to inspect TLS encrypted packets you need access to the end-device, controlling the end-router is not sufficient since you would not have access to the device certificates.
If you can prove that an ISP can inspect packets, it would be major news.
You don't need fully broken encryption to gain useful information. Knowing how much data is transferred, to which servers, and when (especially with details like how various endpoints will inadvertently chunk up HTTPS requests based on the details about the content or how interactive sessions will have certain back-and-forth transmit patterns) is sufficient to generate a traffic "fingerprint" which you can correlate to other users, to automated traces crawling those same servers, and otherwise get a very good sense of what a user is up to online even above and beyond just knowing which IP is being queried.
Toss that into any sort of "anomaly detection" or other such nonsense, and it's easy to create rare edge cases at an ISP level.
It's somewhat analogous to how you can sometimes "reverse" hashes like SHA256. E.g., suppose the thing you're hashing is an IPv4 address. There are only 4 billion of those, so a pre-image attack just iterating through all of them and checking the forward direction of the hash is extremely effective. TLS makes that a little more complicated since the content itself is actually hidden, but time and space side-channels give you a lot of stochastic information. You might not be able to deduce somebody's bank password, but you can probably figure out where in the bank's login flow they are and approximately what they did once they logged in.
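Added example (not part of the thread): the IPv4 hashing point above, shown on a log that "anonymises" client addresses with plain SHA-256, next to a keyed HMAC as the fix. The network `10.20.0.0/16`, the client list and all function names are constructed for illustration; the same loop over all 2^32 addresses only takes longer.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data: the address pool the clients are assumed to come
# from, and the real client IPs behind three "anonymised" log entries.
CANDIDATE_NET = "10.20.0.0/16"
REAL_CLIENTS = ["10.20.3.17", "10.20.200.5", "10.20.3.17"]


def sha256_ip(ip: str) -> str:
    """Weak pseudonym: unkeyed hash of a low-entropy value."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def hmac_ip(ip: str, key: bytes) -> str:
    """Stronger pseudonym: the digest cannot be recomputed without the key."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def build_table(network: str) -> Dict[str, str]:
    """Hash every address in the network once: digest -> address."""
    return {sha256_ip(str(a)): str(a) for a in ipaddress.ip_network(network)}


def reidentify(digests: List[str], table: Dict[str, str]) -> List[Optional[str]]:
    """Map each logged digest back to an address, or None if not in the table."""
    return [table.get(d) for d in digests]


def full_space_seconds(hashes_per_second: float) -> float:
    """Time to hash the whole IPv4 space at a given rate."""
    return 2 ** 32 / hashes_per_second


if __name__ == "__main__":
    table = build_table(CANDIDATE_NET)
    weak_log = [sha256_ip(ip) for ip in REAL_CLIENTS]
    keyed_log = [hmac_ip(ip, b"\x01" * 32) for ip in REAL_CLIENTS]  # constructed key
    print("unkeyed SHA-256 log :", reidentify(weak_log, table))
    print("keyed HMAC log      :", reidentify(keyed_log, table))
    print("full IPv4 space at 1M hashes/s: %.0f s" % full_space_seconds(1e6))
```

The keyed variant only holds while the key stays secret and is rotated; anyone holding the key can rebuild the same table.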
It may have been fixed since, but I saw a decent talk about this (defcon, IIRC) using Tinder as an example.
Using timing, amounts of data, and what was being connected to, you could recreate what someone was looking at and swiping direction. (left/right sent different amounts of data)
Yes. What I'm saying is that the pattern of data entering the mailbox lets you infer more about the contents than just the sender, especially when you can pattern match against known behavior for that sender.
They may not need the contents, seeing you're connecting to a netflix IP and having a lot of data transfer may be a good reason to throttle, for example.
DPI does not require any decryption of payload. Even cheap consumer devices can perform DPI on encrypted traffic. ISPs absolutely use DPI as a part of standard practice, and have been for decades. It is a basic network traffic management tool.
I imagine so. I understand that Opera GX, for example, provides a specialized version to Russian IPs that locks down the search engines that can be used.
Including the US right? And I don't mean in a conspiratorial sense. Just in the sense that they wouldn't deny it because it's their home country (Say Windows certs or Google certs), and at the very least they can issue warrants, gag orders, or triple letter agency bypasses.
Now it only sounds weird when a country exerts their national sovereignty because the US doesn't need to perform any additional steps to install any of their Certs, they have hundreds of them by design.
> Including the US right? And I don't mean in a conspiratorial sense. Just in the sense that they wouldn't deny it because it's their home country (Say Windows certs or Google certs), and at the very least they can issue warrants, gag orders, or triple letter agency bypasses.
Yeah. I don't think the US explicitly requires it but they don't have to, there are more than enough US-based entities with root certificates who they could send a National Security Letter to if they ever wanted one. (Also the US FPKI root certificate is at least shipped by some vendors, although it seems to be disabled by default)
Australian ISPs are legally required to retain metadata for two years.
That's one of the best reasons to use a VPN if you're in Australia. Give up as little as possible.
I have found, however, lots of sites block or Captcha-restrict IP addresses that are (somehow determined as) non-residential, and Netflix restricts its content as well.
I use VPNs when I'm trying to ferret out the scope of an outage. I have VPN servers on local ISP which moves me around different routing. I use a commercial service to move me further out and to other countries.
Sort of. I suppose the difference is that I don't need to know in advance where the fault is. ex: An upstream, 3rd party service provider appears offline.
One others seem to have missed 3. ad blocking on your phone away from home. Almost all VPNs have a block ads / known malicious traffic function. This can be done with just a DNS but often mobile carriers will block using your own DNS.
3. When you know/suspect your ISP is more shady than the VPN you're using. This applies particularly when you're doing something your government doesn't like.
VPNs don't increase privacy, they just change who has the opportunity to spy on your traffic. Sometimes, it's much better if it's some foreign random ISP instead of your local government, who can send law enforcement agents where you live.
It's probably more that a lot of people have been convinced that they need a VPN, but they don't. There are use cases, like I trust Mullvad more than I trust some random hotel's WiFi. When traveling it can provide a slightly higher base layer of trust.
If you live in a country that restricts your internet access, which to be fair is most these days, a VPN can help. Most of us just don't care about those restrictions or they are more easily circumvented using a 3rd-party DNS. Also if you're in a country like Iran or Russia, you really need to trust your VPN provider and strange corporate structures and staff sharing really isn't helping in that respect.
For the average person, no you don't need a VPN. You might need one for a few days or week per year, if you travel and need to access your bank or corporate infrastructure (in that case your employer most likely has their own VPN). VPNs are a niche business, but online influencers have convinced a lot of people that they need a VPN for everything, which simply isn't the case for the vast majority of us.
> I trust Mullvad more than I trust some random hotel's WiFi
For what exactly? All sites are HTTPS now anyway, so the only thing you're leaking is the hostnames / IPs you visit. I don't exactly see how the whole "hotel WIFI" thing is relevant at all, except as a dishonest marketing strategy by VPN salesmen
3. Hosting websites with DDNS (though the abuse from that caused Mullvad and IVPN to drop port forwarding)
4. Though it hurts anonymity, and is relatively rare: I2P or Hyphanet, because some websites block known P2P nodes[1]. Important if your bank or work is being a jerk about it.
5. As ThatMedicIsASpy notes, ISP issues: some routers soil the bed from P2P, some ISPs throttle P2P traffic regardless of legality, etc.
2. Because you normally visit example.com using an incognito window, your browser hasn't cached the redirect to SSL, or the address bar suggestion, and you haven't bookmarked the site.
3. You key in example.com, the browser connects over http, and the evil wifi MITMs your unencrypted connection - removing the redirect to SSL and messing with the page however the evildoer wants.
Obviously a VPN provider can also do this, but you might hope they're less likely to.
"Obviously a VPN provider can also do this, but you might hope they're less likely to."
So you have identified some marginal privacy issue, and have identified that a VPN doesn't solve it, but rather that it moves the risk to a third party actor you subjectively feel is better. Well I feel that, subjectively, introducing a third party generally decreases security.
I believe that not all privacy and security considerations can or should be solved technically, but rather we have extra-technical mechanisms like law and social norms that provide some protection on the edge cases. For example, an employee cannot lookup information for personal reasons on a system they are entrusted to in a professional capacity. I'm no expert, but you probably have first laws that prohibit that, second corporate policy that prohibits that, and thirdly social pressure that prohibits that to some extent. Are they perfect? Not necessarily which is why for the most part we rely on technical encryption and security mechanisms.
But at some point these examples become so contrived and the medicine becomes the poison, so you enter into territory that is pretty standard in other industries, what's to stop a waiter from spitting into a cup? There's no spit filter in place of McDonalds, there's other mechanisms protecting us.
On a similar note, logic and debate is not the only way to convey this phenomenon, so here's some more artistic retort to privacy schizophrenia.
Using a VPN means you have to trust one company instead of every wifi you connect to, and also makes that an entity that's an expert at privacy instead of working off a half-forgotten router in the back.
How is any of this "medicine becoming the poison" or "schizophrenic"?
No, you have to trust the one company, as well as everyone you were trusting before. You are still using the router, and now you are also trusting the VPN provider, as well as the nodes in between the VPN provider and your original destination.
Also, you are just switching up the "unprotected stretch" between your local wifi, and, say, Google's servers, whereas now that "unprotected stretch" lies between the VPN provider servers in Latvia or British Virgin Islands or Panama, or whatever dubious jurisdiction, and, say, Google. Sure, you added a layer of protection against the random hacker sitting in your Starbucks, but you have added many more vectors.
It becomes the poison because the solution you are introducing brings more issues. And it's schizophrenic because the issue to begin with, was minuscule (a hacker stepping into MacDonalds, breaking the network encryption and then also the application encryption).
Maybe if this were 2010 and websites still used HTTP, or you are using a local email client without TLS configured. But it's 2025, everything has HTTPS and you are using an HTTPS email client.
VPNs to protect corporate networks is sensible. Consumer VPNs are a different thing entirely and they do not provide increased security at best, decrease security at worst, and usually cater to schizoid threat models, where the threat actor is the state, rather than more realistic threat scenarios.
> No, you have to trust the one company, as well as everyone you were trusting before. You are still using the router, and now you are also trusting the VPN provider, as well as the nodes in between the VPN provider and your original destination.
As long as the VPN is up, the worst the wifi can do is cut you off. It can't alter your connections.
It's far fewer trust points.
> Also, you are just switching up the "unprotected stretch" between your local wifi, and, say, Google's servers, whereas now that "unprotected stretch" lies between the VPN provider servers in Latvia or British Virgin Islands or Panama, or whatever dubious jurisdiction, and, say, Google. Sure, you added a layer of protection against the random hacker sitting in your Starbucks, but you have added many more vectors.
When I use a VPN for protection, the server is in the US too.
And if it's for netflix I'm going to some major country, not dubious-land.
(Also I'd say datacenter and internet core routers are less likely to attack some random person's traffic, but that's not core to my argument.)
> It becomes the poison because the solution you are introducing brings more issues. And it's schizophrenic because the issue to begin with, was minuscule (a hacker stepping into MacDonalds, breaking the network encryption and then also the application encryption).
For most wifi networks, there is no encryption between users. And it's quite likely that the neglected router got hacked over the internet and is part of a botnet.
> Maybe if this were 2010 and websites still used HTTP, or you are using a local email client without TLS configured. But it's 2025, everything has HTTPS and you are using an HTTPS email client.
>For most wifi networks, there is no encryption between users. And it's quite likely that the neglected router got hacked over the internet and is part of a botnet.
WPA2? Sure it can be broken, but you still would have to break HTTPS on top of that.
I don't deny that a third layer adds security in that scenario, as 3 layers is more than 2 layers. But you necessarily weaken some other stretch in a zero-sum fashion, as mentioned. I'll concede that the server can be in your own country if you so choose to. But these datacenters are not necessarily controlled by the VPN provider, and they may be highly heterogeneous, in addition there will be many routers in the VPN DC to destination stretch that can still be hacked. Although again I'll grant that endpoint routers are probably weaker targets than ISP routers.
> WPA2? Sure it can be broken, but you still would have to break HTTPS on top of that.
If you're on a WPA2 network you just have to observe a device connecting and you can crack their session key. It's very easy. Not that you need to do that, you could ARP spoof. Or the router could be hacked.
And you don't have to break HTTPS to have a good chance of attacking someone. There's enough HTTP around.
So it's easy to fall through both of those layers.
> If you're on a WPA2 network you just have to observe a device connecting and you can crack their session key. It's very easy.
Is it that easy? I'm not sure if you are a genius hacker or just somewhat misinformed.
My understanding was that observing the initial connection is a requirement for the typical exploit. The attack itself is considerably more complex. Additionally WPA2 is a sort of envelope protocol, the actual encryption cipher can vary and so will the attacks.
I'm not an expert, but I looked into this stuff 7 years ago when I was broke, and I apt installed aircrack-ng from a starbucks so I could try siphoning off my neighbour's wifi, I wasn't able to. Skill Issue sure, but it wasn't as trivial as "just observing a device connecting".
I personally don't see much HTTP, I think a more reasonable attack would be hoping that the user clicks on "continue anyway" whenever a TLS error pops up.
On another note, this would relate to local attackers only right? If a router has been pwned remotely, it wouldn't matter whether the last mile is a twisted pair or air.
> In the WPA2 handshake, everything except the GTK is sent unencrypted. Recall that the PTK is derived with the two nonces, the PSK, and the MAC addresses of both the access point and the client. This means that an on-path attacker who eavesdrops on the entire handshake can learn the nonces and the MAC addresses. If the attacker is part of the WiFi network (i.e. they know the WiFi password and generated the PSK), then they know everything necessary to derive the PTK. This attacker can decrypt all messages and eavesdrop on communications, and encrypt and inject messages.
No genius hacker, no misinformation. WPA2 in the normal password mode does not protect clients from each other. It's not part of the design.
Here's a page about how you can use wireshark to decrypt WPA2 if you capture the handshake, but you can't do it on WPA3. (Also it's not hard to force new handshakes.)
> I'm not an expert, but I looked into this stuff 7 years ago when I was broke, and I apt installed aircrack-ng from a starbucks so I could try siphoning off my neighbour's wifi, I wasn't able to. Skill Issue sure, but it wasn't as trivial as "just observing a device connecting".
Trying to get a password is a completely different thing from trying to attack someone else on the same network as you. You did not fulfill the "If you're on a WPA2 network" part of the sentence.
There was a password-finding attack called KRACK that came out in 2017 but it's fussy and there are ways to defend against it. And you can still brute force WPS sometimes but I guess their device didn't allow it.
> On another note, this would relate to local attackers only right? If a router has been pwned remotely, it wouldn't matter whether the last mile is a twisted pair or air.
Yes, "someone sharing the network" and "hacked router" are two different ways you could be attacked.
> If an attacker knows the WPA2 password, they can intercept traffic.
Oh yes, of course, this is not unlike the capacity of computers in my LAN being able to see my packets, for example if my roommate was a hacker, they would be able to intercept packets while on their way to the router.
Now an interesting thing I've seen in public networks like say Starbucks or McDonalds, they usually don't rely on WPA2 password default security mechanism. I'm not sure what mechanism they use, but they have me log through a browser first.
I'm not 100% sure, but I don't think splicing the cable is necessary, you can capture broadcast packets and advertise as having a local ip address and capture the packets, whether in a LAN (a residence connected to the same router as the target.) or a WAN (Reading your neighbour's packets).
At least from a blue team perspective that's what I assume can happen. The power lines outside my home have the network cables all spliced together anyways, it's not like you'd have to make a new connection.
Will Chromium generate a "Your connection is not private" warning in this scenario, that the user has to click through to proceed?
And the user would have to type example.com in the browser bar; https://example.com would also trigger a warning, correct?
Additionally, if consumer VPNs provide encryption, don't they provide encryption from the stretch between the consumer to the proxy? The stretch between the proxy to the destination would not have additional encryption, and there is no reason to believe that the second transit would be shorter.
It does if you do DNS over TLS or HTTPS, although I guess that information would still be knowable to your DNS provider if they terminate your TLS behind the scenes
Not quite. In order to make TLS certs work on a per-site basis, requests sent over HTTPS also include a virtual host indicator in cleartext that shows the hostname of the site you’re trying to connect to, so if the IP on the other end is hosting multiple domains it can find the right cert. For this reason some people feel that DNS over TLS is pretty pointless as a privacy measure.
It's still not perfect since you're still leaking information about the privacy set implied by the outer ClientHello, but this possibly isn't much worse than the destination IP address you're leaking anyway.
SNI relies on the client specifying the host name in the unencrypted ClientHello message that initiates a TLS handshake. Encrypted Client Hello involves extra configuration that most websites don't implement.
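Added example (not part of the thread): a parser for the cleartext ClientHello discussed above, showing that the hostname in the SNI extension is readable by anyone on the path without touching any key material, and whether an Encrypted Client Hello extension (type 0xfe0d) is present. The sample records are constructed by `build_client_hello`, not captured; all names are hypothetical, and the parser assumes the ClientHello fits in a single TLS record.

```python
import struct
from typing import Optional

EXT_SNI = 0x0000   # server_name
EXT_ECH = 0xFE0D   # encrypted_client_hello


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(hostname: Optional[str], ech: bool = False) -> bytes:
    """Constructed, minimal ClientHello record used as sample input."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        exts += _ext(EXT_SNI, struct.pack("!H", len(entry)) + entry)
    if ech:
        exts += _ext(EXT_ECH, bytes(16))  # opaque placeholder payload
    body = (b"\x03\x03" + bytes(32)                   # legacy_version, random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class _Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def uint(self, size: int) -> int:
        return int.from_bytes(self.take(size), "big")

    def vec(self, len_size: int) -> bytes:
        return self.take(self.uint(len_size))

    def more(self) -> bool:
        return self.pos < len(self.data)


def parse_client_hello(record: bytes) -> Optional[dict]:
    """Return {'sni': str|None, 'ech': bool}, or None if not a parsable ClientHello."""
    try:
        rec = _Reader(record)
        if rec.uint(1) != 0x16:            # not a handshake record
            return None
        rec.take(2)                        # record-layer version
        hs = _Reader(rec.vec(2))
        if hs.uint(1) != 0x01:             # not a ClientHello
            return None
        ch = _Reader(hs.vec(3))
        ch.take(2 + 32)                    # legacy_version + random
        ch.vec(1)                          # session_id
        ch.vec(2)                          # cipher_suites
        ch.vec(1)                          # compression_methods
        exts = _Reader(ch.vec(2))
        seen = {"sni": None, "ech": False}
        while exts.more():
            etype = exts.uint(2)
            edata = _Reader(exts.vec(2))
            if etype == EXT_ECH:
                seen["ech"] = True
            elif etype == EXT_SNI:
                names = _Reader(edata.vec(2))
                while names.more():
                    ntype, name = names.uint(1), names.vec(2)
                    if ntype == 0 and seen["sni"] is None:
                        seen["sni"] = name.decode("ascii")
        return seen
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("bank.example")))
    print(parse_client_hello(build_client_hello("public-name.example", ech=True)))
```

With ECH the observer still sees an SNI, but it is the provider's shared public name rather than the site actually requested.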
Or that dude in the black hoodie in the corner who always seems to be camped at whatever cafe you and your cow orkers are using as your startup "office"?
I work from home and use a VPN service to get a bunch of IP:s I can easily switch between.
Recently a SaaS supplier blocked my IP because I was logging in programmatically every thirty seconds to collect data on batch processing in a customer project, basically two HTTP requests to get an access key and then the data, and I was lazy so I just put those in a script and dumped the second response to a log file and put that in a scheduler. Turned out that another customer of the SaaS supplier somehow could see the traffic on my customer's SaaS instance and panicked because in their mind it was obviously the Russians attacking or something, and when they brought this to the supplier they also panicked.
So to keep doing this I had to move over to checking whether the previous access key was still valid and reuse it if so, as well as moving my 'location' to another country. Apparently this is fine but logging in two times a minute is not. It also happens that I need to do research on network services and cloud environments, where having the ability to just hit a couple of terminal incantations to switch 'where' I am helps out quite a bit sometimes.
It was surprising in a way I don't hesitate to call bad, but this supplier is an enterprise style organisation so of course they've only ranted at me and don't plan to alter their infrastructure.
Protection from IP tracking, especially if your ISP doesn't do CGNAT. Of course there's a trade-off here between
a) your ISP (who knows your billing information) knowing which sites you visit, and any site you visit can correlate internet activity back to your household
b) your VPN provider knowing all the sites you visit
But a VPN, commercial or self-hosted, also won't stop fingerprinting. It changes your apparent IP address, but the rest of the characteristics of your device and browser stay the same.
>but there are still metadata that can be collected.
That logic is questionable given how poorly "spying on public wifi users" scales. You either need to put a bunch of eavesdropping radios in a bunch of public places or somehow convince a bunch of small businesses to use your "free wifi" solution. Even if you do have access, it's hard to monetize the data, given that nearly every device does MAC randomization (so you can't track across different SSIDs) and iOS/windows rotates mac addresses for open/public networks. OTOH setting up metadata capture on a commercial VPN service is pretty straightforward, because you control all the servers.
Doesn't pretty much every Starbucks location in the United States use a nationwide provider?
Despite the randomized MAC address, you can still fingerprint devices using all the usual tricks when they connect to the authentication and authorization page before you allow them to access the broader internet.
If the receipt had a passcode on it, you've got a link between all of your browser fingerprint, radio fingerprint and payment detail fingerprint and possibly customer loyalty provided at time of payment.
>Despite the randomized MAC address, you can still fingerprint devices using all the usual tricks when they connect to the authentication and authorization page before you allow them to access the broader internet.
Fingerprinting is overrated given that every iPhone 17 is identical to any other iPhone 17. If you leave system settings at stock, which most people do, there's very little to fingerprint.
>Doesn't pretty much every Starbucks location in the United States use a nationwide provider?
True, although mobile data is cheap and plentiful enough that I rarely bother using wifi at cafes or fast food places. The only time I use public wifi is if I'm staying long term, which basically only encompasses trains, airports, and hotels. Those are diverse enough that it's tough to build a complete profile.
>If the receipt had a passcode on it, you've got a link between all of your browser fingerprint, radio fingerprint and payment detail fingerprint and possibly customer loyalty provided at time of payment.
I don't think I ever saw a place that was that guarded about their wifi. The closest I've seen is hotels requiring your room/last name, which would allow them to identify you, but at the same time I'm not sure how much information they can glean, other than that I'm logging into gmail or airbnb. Persistent monitoring that ISPs can do is far more useful.
> Those are diverse enough that it's tough to build a complete profile.
Debatable; I promise you that somebody out there is willing to buy the info and will attempt to combine it with $otherInfo such that it becomes valuable enough for somebody else to buy. Lots of adtech/surveillance-tech operates with thin margins at _massive scale_.
> I don't think I ever saw a place that was that guarded about their wifi.
It's rare; I'd run into it only a few times a year. Typically PoS systems and WiFi are not integrated. I also haven't really been paying attention since LTE is good now :).
Way too many services in Mexico only work from Mexican IPs, from paying your electricity or internet bills to topping up highway toll accounts and even ordering food from a supermarket
Just because something is called with the same name, doesn't mean it's the same thing. Especially if the naming is done on a product by a company that wants to sell the product, and especially if the name is not a protected trademark.
Express VPN, NordVPN and Surfshark belong to another category of software than the VPNs used by companies.
Some differences are:
1- One is used by consumers, the other is used by businesses.
2- One protects communications to a client-controlled Local area network. The other protects communications with third party services.
3- One provides encryption, the other provides anonymization.
First, a hammer is a build (compile time) tool, while VPN is a runtime tech. Closer to a nail if you will.
Additionally, millions of products use hammers, while there's two product categories that use VPNs.
The product distribution of VPN products is bimodal, there's no in-betweens: it's either a privacy oriented consumer VPN, or it's a security oriented corporate product.
Regarding the specific technology, there is no technical definition of what a VPN is, it's not an industry term, it's a marketing term. Similar to "Web", it's not HTTP, it's not TCP. This is in stark contrast to Internet (as in Internet Protocol).
Related technologies are IPSec, IKEv2, WireGuard, but VPN is one of those trademarkless industry buzzword terms that companies can latch onto for free and participate in a commodity market.
On an unrelated note, this is not unlike the term AI, which can somehow apply to fake images and conversational software. And coincidentally, modern AI is also bimodal, it's either text or synthetic images, the common ancestor might have been that the textual product originally was also synthetic generated text, but with agents and text as thought (in a Sapir-Whorf fashion) have since greatly diverged.
My VPN bypasses the paywall on the public xfinitywifi hotspots making internet essentially free because I would likely be paying for Mullvad regardless.
Cynical view is that technical founders who don’t know how business works are easier to manipulate into bad decisions for their business, as long as VC makes money.
I think it’s more of a realism vs optimism take - deeply technical people focus on what can go wrong, because they know better. Which is a good thing for a technical person - the best CTOs are great because they prevent implosions, not because they’re naive and optimistic
They changed the video game dota2 permanently. Their bots could not control a shared unit (courier) among themselves so bot matches against their AI had special rules like everyone having their own. Not long after the game was changed forever.
As a player for over 20 years this will be a core memory of OpenAI. Along with not living up to the name.
Apple has physical stores that will provide you timely top notch customer service. While not perfect, their mobile App Store is the best available in terms of curation and quality. Their hardware is not so diverse so is stable for long term use. And they have the mindshare in way that is hard to move off of.
Let’s say Google or Anthropic release a new model that is significantly cheaper and/or smarter than an OpenAI one, nobody would stick to OpenAI. There is nearly zero cost to switching and it is a commodity product.
Their API product is easy to switch away from but their consumer product (which is by far the biggest part of their revenue) has much better market share and brand recognition than others. I've never heard anyone outside of tech use Gemini or Copilot or X AI outside of work while they all know ChatGPT.
Anecdata but even in work environments I hear mostly complaints about having to use Copilot due to policy and preferring ChatGPT. Which still means Copilot is in a better place than Gemini, because as far as I can tell absolutely nobody even talks about that or uses it.
There is only a zero cost to switching if a company is so perfectly run that everyone involved comes to the same conclusion at the same time, there are no meetings and no egos.
The human side is impossible to cost ahead of time because it’s unpredictable and when it goes bad, it goes very bad. It’s kind of like pork - you’ll likely be okay but if you’re not, you’re going to have a shitty time.
Let's say Google release a new phone that is significantly cheaper and/or smarter than an Apple one. Nobody would stick to Apple. There is nearly zero cost to switching and it is a commodity product.
The AI market, much like the phone market, is not a winner take all. There's plenty of room for multiple $100B/$T companies to "win" together.
> Let's say Google release a new phone that is significantly cheaper and/or smarter than an Apple one. Nobody would stick to Apple.
This is not at all how the consumer phone market works. Price and “smarts” are not the only factors that go into phone decisions. There are ecosystem factors & messaging networks that add significant friction to switching. The deeper you are into one system the harder it is to switch.
e.g. I am on iPhone and the rest of my family is on Android. The group chat experience is significantly degraded, my videos look like 2003 flip phone videos. Versus my iPhone using friends everything is high resolution.
> Let's say Google release a new phone that is significantly cheaper and/or smarter than an Apple one. Nobody would stick to Apple.
I don't think this is true over the short to mid term. Apple is a status symbol to the point that Android users are bullied over it in schools and dating apps. It would take years to reverse the perception.
You’re aware that LLMs all have persistent memory now and personalize themselves to you over time right? You can’t transfer that from OAI to Anthropic.
> the proposed legislation includes exemptions for government accounts used for “national security purposes, maintaining law and order or military purposes”. Convenient.
I can buy the military exemption, and maybe some very top level government workers that are effectively military (example: POTUS). But the EU parliament has no reason to be excluded. It is definitely a terrible law if it is so bad that they won't pass it unless they are excluded.
> top level government workers that are effectively military (example: POTUS)
POTUS is very specifically NOT a member of the military. Elected civilian control was the whole point. Even Eisenhower had to (temporarily) give up his general rank to serve as president.
It's a very common story in industry. You start nimble, and disrupt bloated platforms. Then, as you grow, pressure grows and you also bloat. Then a new company comes that brings a nimble product and disrupts you.
Search, TV->internet video, newspapers->internet - all of them go through those cycles.
You forgot the main source of pressure: you sell off equity in your company in exchange for cash. The buyers are buying the promise of future profits. At first, you still hold the vast majority of the voting rights, but over time you sell more and more and expectations rise and rise.
Eventually you are an organization whose purpose is to return cash to shareholders in the near term.
Hence a page full of ads, and no reason to think things will ever change.
I think the fact that Valve is still a private corp is a big part of it, yes. It allows for continued ownership by people who have meaningful beliefs of what it means to do something the Right Way and who run the business accordingly. This isn't to say that private corps are always "good" like that - the temptation to go for easy pickings and enshittify is always there. But some owners at least won't do that for various reasons, while a public company seems to always end up chasing short-term profits above everything else.
Google's original founders still hold the majority of votes.
> Eventually you are an organization whose purpose is to return cash to shareholders in the near term.
Amazon's history shows that public shareholders can be very patient with cash being returned to them, or the company ever showing a profit at all. Tesla used to be in the same boat.
Shareholders are very forward looking. They just don't necessarily trust 'visionary managers' not to be full of bullshit. Probably rightly so.
>purpose is to return cash to shareholders in the near term.
I see this constantly repeated in anti-capitalist/anti-corporate rhetoric, but on the other side, shareholder meetings, finance conferences, financial service talks, no one ever wants this. Maybe the 20 year old stock bros on discord pumping penny stocks, but no serious shareholder of any company with a name you might recognize.
It happens, there are cases of it, but overwhelmingly the vibe is "long term stable profit generation".
If shareholders didn't want it, then they wouldn't appoint (or keep in place) the top management that repeatedly and consistently makes those choices.
Look at the recent Microsoft layoffs. They purged the company of so much tech talent, and tanked morale for basically all the remaining workers. From any kind of long term perspective this is madness. Yet they were rewarded for it by the stock market.
I think it's a mistake to think of these cycles as inevitable, and that it's guaranteed that some small fry will disrupt the current giants. Yes, they may have happened in the past, but large companies are much more cognizant of the cycles of disruption now than they were 30 or 40 years ago. Microsoft was a behemoth in the late 80s and they're currently number 2 market cap in the world. Many folks on this board may be too young to remember Netscape's boast of "The Browser is the OS" in the mid 90s - well, Netscape is long gone and Microsoft is still giant. Only 2 years ago you saw pronouncements that OpenAI was going to be the death knell for Google, and it seemed to be the kick in the pants that Google needed to get their AI story working. Facebook just basically bought all its nascent competition (Instagram, WhatsApp, etc.)
I think disrupting large players will be much harder than it was in the past.
I fully accept the heat death of the universe will eventually take down Microsoft, but I don't think that's what the comment I was responding to was really about.
My point was that this cycle is not a recent thing, but has been present all throughout history. Bell Labs fell. The Hudson Bay Company fell. Arthur Andersen fell. All these were much more entrenched than Microsoft is today. I'm not suggesting you have to wait for the heat death of the universe.
Don't worry. Our legislators around the world are hard working so this doesn't happen again, protecting us from harmful contents and cementing current industry leaders' position.
Can you imagine a more effective way to incentivise more people to start even more disrupting platforms? Can you imagine a more effective way to get investors to give money to these upstarts?
It's much easier to get your rabble-rousing startup to threaten disruption (and then be bought up as a precaution), than if you had to actually battle it out in the marketplace to the bitter end.
It's a bad thing for the rest of us, because it means that all those platforms don't actually disrupt anything at the end of the day, and we have to keep eating the same turds.
You get way more of these new platforms popping up. And some of them might not get bought up in time. (And the wealth of the incumbent ain't infinite, so there's a limit to how many they can buy up.)
I think there’s a middle ground between not making any money by not showing ads and plastering half the page with ads in a way that almost renders the product useless. I’m sure this was a result of a long list of promo packets that incrementally kept adding 0.01% increases to the ad impressions.
Just one facet of what we call 'promotion oriented programming' (or promotion oriented design).
Google's promotion guidelines used to include that if you want to get a promotion on a technical track, you have to demonstrate a mastery of complexity. Cue the unnecessary complexity in some projects meant to get the author promoted.
(They might still include that requirement. I don't know. I haven't worked at Google in nearly a decade.)
Google managed to dance the knife edge there for a lot longer than most though. AdWords made so much money in a fairly unobtrusive way, that they were able to scale it out without pissing a lot of people off. That and it was actually even sometimes useful.
They clearly decided to just say "fuck it" though. Sometime after Ruth Porat replaced Patrick Pichette and especially after Sundar took the helm (both happened while I worked there) but most especially in the last 3 years.
Wouldn't it be nice if some companies instead of ramping up ads for revenue passed along the value to consumers? Once they made their money back on the original investments convert to a lifestyle and provide a valuable product without squeezing every penny out of it and in the end killing it. One day maybe.
The problem is who wants to be CEO of that? How many people do you know are simultaneously voracious enough to want to be the CEO of something and also totally chill and down to just have a lifestyle business? How many people do you know would take a salary of $5 million/year and just keep working the same job? Pretty sure almost everyone I know would do that for maybe two years and then quit and retire. Companies don't want that. So that leaves us with the kind of people that would take that salary and keep at it. The reason CEOs are different kinds of people from the rest of us is that it stopped being about the money for them a long time ago. It's not not about the money, but after getting enough money for your own lifetime and several other people's, why keep working? Not everyone is cut out for it. Be the change you want to see in the world. Claw your way up to the c-suite and then run the company how you see fit. Just don't let that climb change you so that you no longer want to run it as a lifestyle business.
They did pass on a lot of value to consumers. They used their profits to grow, build Gmail, buy and grow YouTube, build Android.
Just running Google as-is without ads would have produced less value in the long run. Plus the SEO tide (which relied on DoubleClick ads that weren't yet owned by Google) began to rise and would've drowned Google Search much earlier if they hadn't grown.
Where I think Google took the bad (for consumers) turn was when they purchased DoubleClick and began to consolidate the entire ad business. Instead of losing money to SEO spammers, they began to make money. This put Google into a conflict of interest against their own users. Ever since then they've been piling onto that conflict of interest, draining more and more value from their products.
I feel like you'd need a new corporate structure or something, like the way an S-corp is different, but on steroids.
Because I agree, the forced obsession with "growth" at all costs, which seems necessary to operate a public company (at least in this century[1]), is imho the #1 reason why enshittification is unavoidable.
[1] I'd describe nearly all present-day corporations as fixated on quarterly results even at the expense of business viability. Something I truly don't understand is why big companies, say, 75 years ago seem to have been so much less that way. If anyone has any theories I'd love to hear them.
People overwhelmingly prefer ad-supported to subscription supported. Google would be a dramatically better service if everyone who used it paid. I really, really, cannot overstate that.
The internet sucks because users feel entitled to everything on it for free. They don't want ads and they don't want to pay subscriptions. uBlock origin, archive.is, and constant complaining about how the content sucks.
The internet is full of children with a naive understanding of how things work. They are so deluded that they even call on companies to simply provide them everything for free if they want to be "successful".
Google has almost $100 billion in cash reserves right now. Big tech together has over $1 trillion in cash - that's in the ballpark of the GDP of the top 20 countries.
The notion that Internet sucks because megacorps have to scrounge for cash doesn't pass the most basic smell test.
Well Google has been a very good example of not giving into that pressure for a very long time. Their landing page remained ad free for decades and their revenue came from sponsored links through ad-words which was a minimally invasive ad strategy which didn't show banners etc.
They do have good engineers. But they’re chasing wrong goals set by management. I don’t know many people who said “man, I wish iPhone was x mm thinner”. But I do know many who say “man, I wish iPhone battery was much larger”.
And what did Apple do? Build thinner phone with an external battery pack.
These improvements could be laying the groundwork for future products. Engineering wins in this regard are almost never useless - that’s a short sighted take imo.
But I agree this iphone air as a product is kind of weird. Similar to the original macbook air maybe? Ahead of its time but a bit limited by today’s tech. A peek at the future…
And what else did Apple do? Build two “Pro” phones with even bigger batteries for these folks. Come on, let a thousand flowers bloom!
(Yeah that phrase has unfortunate Mao-era baggage, but personally I really just want the mini series back—which many also consider to have too little battery capacity—so I feel encouraged by Apple broadening the iPhone lineup.)
Seriously, it's bizarre to see this argument from people that Apple isn't caring about what people want in terms of battery life. Apple in their keynote called out that they made the Pro models slightly thicker for the sake of a larger battery! Like, why ignore the standard models of iPhone and only focus on the Air when making complaints?
Multi cloud redundancy is like Java being a solution to platform independency.