• Coordinated disclosures

    Jeff Kaufman talking about how AI has impacted the status quo of coordinated disclosure of security vulnerabilities.

    A week ago the Copy Fail vulnerability came out, and Hyunwoo Kim immediately realized that the fixes were insufficient, sharing a patch the same day. In doing this he followed standard procedure for Linux, especially within networking: share the security impact with a closed list of Linux security engineers, while fixing the bug quietly and efficiently in the open. His goal was that with only the raw fix public, the knowledge that a serious vulnerability existed could be “embargoed”: the people in a position to address it know, but they’ve agreed not to say anything for a few days.
    Someone else noticed the change, however, realized the security implications, and shared it publicly. Since it was now out, the embargo was deemed over, and we can now see the full details.

    It’s interesting to see the tension here between two different approaches to vulnerabilities, and think about how this is likely to change with AI acceleration.

    On one side you have “coordinated disclosure” culture. This is probably the most common approach in computer security. When you discover a security bug you tell the maintainers privately and give them some amount of time (often 90d) to fix it. The goal is that a fix is out before anyone learns about the hole.

    On the other side you have “bugs are bugs” culture. This is especially common in Linux, where the argument is that if the kernel is doing something it shouldn’t then someone somewhere may be able to turn it into an attack. Just fix things as quickly as possible, without drawing attention to them. Often people won’t notice, with so many changes going past, and there’s still time to get machines patched.

    This approach never worked perfectly, but with AI getting good at finding vulnerabilities it’s a much bigger problem. So many security fixes are coming out now that examining commits is much more attractive: the signal-to-noise ratio is higher. Additionally, having AI evaluate each commit as it passes is increasingly cheap and effective.

    Another take on this by user tptacek on Hacker News.

    This has been a very long time coming and the crackup we’re starting to see was predicted long before anyone knew what an LLM is.

    The catalyst is the shift towards software transparency: both the radically increased adoption of open source and source-available software, and the radically improved capabilities of reversing and decompilation tools. It has been over a decade since any ordinary off-the-shelf closed-source software was meaningfully obscured from serious adversaries.

    This has been playing out in slow motion ever since BinDiff: you can’t patch software without disclosing vulnerabilities. We’ve been operating in a state of denial about this, because there was some domain expertise involved in becoming a practitioner for whom patches were transparently vulnerability disclosures. But AIs have vaporized the pretense.

    It is now the case that any time something gets merged into mainline Linux, several different organizations are feeding the diffs through LLM prompts aggressively evaluating whether they fix a vulnerability and generating exploit guidance. That will be the case for most major open source projects (nginx, OpenSSL, Postgres, &c) sooner rather than later.

    The norms of coordinated disclosure are not calibrated for this environment. They really haven’t been for the last decade.

    I’m weirdly comfortable with this, because I think coordinated disclosure norms have always been blinkered, based on the unquestioned premise that delaying disclosure for the operational convenience of system administrators is a good thing. There are reasons to question that premise! The delay also keeps information out of the hands of system operators who have options other than applying patches.
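    The commit-watching that both excerpts describe (Kaufman's "examining commits is much more attractive", tptacek's "you can't patch software without disclosing vulnerabilities") does not even need a model to approximate. The following is an added example, not code from either post or from the kernel project, written from the patch-management side: it ranks commits in a git log -p style text by lexical signals in the message and in the lines the diff adds, so an operator can decide which upstream changes to deploy first. The log is constructed sample data with invented commit ids, paths and function names, and the weights are my own assumptions. The third commit has a deliberately neutral message and still scores, which is tptacek's point in practice.

```python
import re
from dataclasses import dataclass, field

# Constructed, abbreviated git log -p sample: invented ids, paths and functions, not real history.
SAMPLE_LOG = """\
commit aaaa0001
    net/foo: fix out-of-bounds read in foo_parse_opts
    foo_parse_opts trusts opt_len from the wire. Clamp it.
diff --git a/net/foo/opts.c b/net/foo/opts.c
+++ b/net/foo/opts.c
@@ -40,6 +40,8 @@ int foo_parse_opts(const u8 *buf, int len)
         opt_len = buf[1];
+        if (opt_len > len)
+                return -EINVAL;
         memcpy(opts, buf + 2, opt_len);
commit aaaa0002
    docs: update MAINTAINERS entry for foo
diff --git a/MAINTAINERS b/MAINTAINERS
@@ -1,3 +1,4 @@
 FOO NETWORK DRIVER
+R:      Dev Two <dev2@example.invalid>
commit aaaa0003
    fs/bar: rework count handling in bar_write
    Use the checked range everywhere.
diff --git a/fs/bar/file.c b/fs/bar/file.c
@@ -88,6 +88,8 @@ static ssize_t bar_write(struct file *f, size_t count, loff_t *ppos)
         size_t off = *ppos;
+        if (off > BAR_MAX_SIZE || count > BAR_MAX_SIZE - off)
+                return -EOVERFLOW;
         return bar_do_write(f, off, count);
"""

# Message terms that usually accompany a memory-safety or input-validation fix (assumed weights).
MESSAGE_SIGNALS = {
    r"\bout[- ]of[- ]bounds\b|\boob\b": 3,
    r"\b(over|under)flow\b": 3,
    r"\buse[- ]after[- ]free\b|\buaf\b|\bdouble[- ]free\b": 3,
    r"\brace\b|\btoctou\b|\bnull (pointer )?deref": 2,
    r"\bbounds?\b|\bvalidat|\bsanit": 2,
    r"\bfix(es)?\b": 1,
    r"\bCVE-\d{4}-\d+\b": 4,
}
# Added diff lines that look like a newly introduced guard or lifetime fix.
DIFF_SIGNALS = {
    r"^\+\s*if \(.*(len|size|count|cnt|idx|index|off|offset|nr)\b.*[<>]": 3,
    r"^\+\s*return -E(INVAL|OVERFLOW|FAULT|RANGE|NOMEM|PERM|ACCES);": 1,
    r"^\+.*\b(check_(add|mul)_overflow|array_index_nospec|min_t|clamp)\(": 2,
    r"^\+.*= NULL;": 1,
}
# Subsystems where a quietly fixed bug matters most to an operator.
SENSITIVE_PATHS = ("net/", "fs/", "drivers/", "crypto/", "kernel/", "mm/", "security/")

@dataclass
class Triage:
    commit: str
    subject: str
    score: int = 0
    reasons: list = field(default_factory=list)

def split_commits(log):
    """Yield (commit_id, message_lines, diff_lines) from git log -p style text."""
    for chunk in re.split(r"(?m)^commit ", log):
        if not chunk.strip():
            continue
        lines = chunk.splitlines()
        body, diff, in_diff = [], [], False
        for line in lines[1:]:
            in_diff = in_diff or line.startswith("diff --git")
            (diff if in_diff else body).append(line)
        message = [l.strip() for l in body if l.startswith("    ")]
        yield lines[0].split()[0], message, diff

def triage_commit(commit, message, diff):
    """Score one commit; reasons record which signal fired so the ranking is auditable."""
    t = Triage(commit, message[0] if message else "")
    text = "\n".join(message)
    for pattern, weight in MESSAGE_SIGNALS.items():
        if re.search(pattern, text, re.IGNORECASE):
            t.score += weight
            t.reasons.append(f"message matches {pattern}")
    for line in diff:
        if line.startswith("+++"):  # file header, not an added line
            continue
        for pattern, weight in DIFF_SIGNALS.items():
            if re.search(pattern, line):
                t.score += weight
                t.reasons.append(f"added line: {line.strip()}")
    paths = re.findall(r"^diff --git a/(\S+)", "\n".join(diff), re.MULTILINE)
    if any(p.startswith(SENSITIVE_PATHS) for p in paths):
        t.score += 1
        t.reasons.append("touches sensitive subsystem")
    return t

def triage_log(log):
    """Return commits sorted from most to least likely to be a security fix."""
    return sorted((triage_commit(*c) for c in split_commits(log)),
                  key=lambda t: t.score, reverse=True)
```

    Calling triage_log(SAMPLE_LOG) puts the labelled fix first, the neutral-looking fs/bar change second on the strength of its added bounds check alone, and the MAINTAINERS edit last; the reasons list on each result says which signal fired, which is the part that matters when deciding what to patch tonight.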

  • Scrum in the age of AI

    Robert Glaser arguing that Scrum was created before AI with constraints that, in the age of AI, are no longer present.

    Sprint planning, estimation, standups, user stories, ticket grooming, handoffs, all the ceremony around coordination and risk reduction. Reasonable, given the constraints. If a single iteration takes days or weeks, you need structures that prevent people from wasting too many of them.

    But agentic engineering changes the economics: It makes more options materializable! It lets teams move from intent to prototype to evaluation much faster. It lets product people see working software earlier. It lets engineers test more hypotheses before committing. It does not magically make delivery easy, but it moves the constraint away from implementation and toward intent, verification, judgment, and feedback.

    The awkward thing is that many organizations spent twenty years calling themselves agile while preserving the organizational reflexes agile was supposed to remove. Now AI makes real agility more plausible, and the system still asks for two-week sprint commitments, handoff documents, and all the stuff that assumes iteration is scarce.

    That is the ceremony graveyard again, but now at adoption level. The loop can move faster than the organization can metabolize what the loop learned.

  • Futures

    Paul Krugman explains how corruption in the futures market ends up destroying its risk-reducing benefits.

    First, ask yourself what purpose is served by the oil futures market. Unlike the prediction markets Polymarket and Kalshi, the oil futures market is not intended to be mainly a vehicle for gambling. Instead, it is a market that serves to reduce risk through hedging.

    Here’s how it works. There are people and institutions, such as oil producers, who will need to sell oil at a future date. They want to lock in the price today on those future sales. There are also people and institutions, such as airlines, who have a future need for oil and would like to lock in the price today. Thus the futures market lets both sellers and buyers of oil eliminate a major source of risk – fluctuations in the price of oil. This reduces uncertainty in the economy as a whole.

    But what if there are substantial players in the futures market with inside information? Then if you are, say, a corporation trying to lock in the price of oil you plan to buy next month, you may not be making a mutually beneficial deal with future sellers. You may, instead, be being played for a sucker — paying what in retrospect will have been an excessive price — by people who know what’s about to appear in the president’s social media feed.

    The same could apply to sellers of oil futures, although the examples of insider trading we know about involved Trump insiders getting ahead of falling, not rising, prices.

    Either way, the effect of traders’ suspicion that they may be losers in a rigged game will be to make them reluctant to play at all — reluctant either to buy or to sell oil futures. And this will mean losing the risk-reducing benefits of a properly functioning futures market.

  • Risk profile

    Sneha Rege, writing for Freefincal, explains why measuring your risk profile is much, much more nuanced than the 10-point questionnaires available out there.

    It is easy to dismiss risk profiling as a formality, a box to tick before you start “actual investing.” That mindset is part of the problem.

    Your risk profile is not a label. It is the quiet answer to a question you can only really test in a downturn: would I sit on a 30% drawdown across a portfolio worth several years of my savings, without acting on impulse? Most of us think we know the answer. Very few actually do.

    A ten-click quiz cannot tell you this. Neither can your YouTube watch history nor your Instagram saves on “small-cap funds with the highest Sortino Ratio”. Reading about volatility is not the same as living through it. Knowing the theory of drawdowns is not the same as watching a chunk of your net worth disappear on a Tuesday afternoon.

    […]

    your risk appetite is not fixed. As your portfolio grows, the rupee value of every drawdown grows with it. A 30% fall on five lakh feels very different from a 30% fall on fifty lakh, and different again at five crore. The percentage is identical; the experience is not. You have to keep asking yourself whether you still have the stomach for it as the absolute numbers change. 

    Life events shift this, too. A new home loan, a child, an ageing parent, a job change, any of these can quietly redraw your capacity for risk without you noticing.

  • Tab

    Raymond Chen recalling the conflict between Microsoft and IBM over the TAB key.

    A colleague recalls that while he was assigned to the IBM offices in Boca Raton, Florida, there was a dispute over what key should be used to move from one field to another in dialog boxes. The folks at IBM were not happy with my colleague’s decision to use the TAB key, so they asked him to escalate the issue to his manager back in Redmond.

    My colleague’s manager replied, “The reason you are in Boca is to make these decisions so I don’t have to be in Boca.”

    My colleague rephrased this reply in a more corporate manner before passing it on to IBM: “Microsoft supports the use of the TAB key for this purpose.”

    Unsatisfied, the IBM folks escalated the issue up their organizational chain for several levels, and replied that their VP (who was around seven levels of management above the programmers) was absolutely opposed to the use of the TAB for this purpose, and they wanted confirmation from the equivalent-level manager at Microsoft that Microsoft stands by the choice of the TAB key.

    My colleague replied, “Bill Gates’s mother is not interested in the TAB key.”

    This apparently ended the discussion, and the TAB key stayed.

    Ha!

  • Accountable

    Christine Lemmer-Webber talking about her meeting with Gerald Sussman.

    At some point Sussman expressed how he thought AI was on the wrong track. He explained that he thought most AI directions were not interesting to him, because they were about building up a solid AI foundation, then the AI system runs as a sort of black box. “I’m not interested in that. I want software that’s accountable.” Accountable? “Yes, I want something that can express its symbolic reasoning. I want to it to tell me why it did the thing it did, what it thought was going to happen, and then what happened instead.” He then said something that took me a long time to process, and at first I mistook for being very science-fiction’y, along the lines of, “If an AI driven car drives off the side of the road, I want to know why it did that. I could take the software developer to court, but I would much rather take the AI to court.”

    This discussion happened in 2015. Not 2025. 2015. Thanks to Hacker News for bringing this up.

  • Material and Positional precarity

    Hanna Horvath explains what material and positional precarity are in her insightful post about how the middle class was created by government policies, and how, now that those policies no longer exist, two groups of people have emerged.

    Material precarity describes people for whom the basics — not the aspirational stuff, the basics — are genuinely falling out of reach. As I said before, the middle class can’t truly be defined as an income number — someone earning $80K in rural Ohio and someone earning $80K in Brooklyn are likely living in different economies.

    […]

    Positional precarity: when you have money and it’s still not enough

    The HENRY — high earner, not rich yet, gets a bad rap. Though this group makes good money on paper, typically well over six figures, they find themselves in a state of disenfranchisement.

    I believe much of this is because their expectations for the kind of life six figures would bring is no longer possible. A household earning $200,000 in 2005 could likely absorb a mortgage, two kids in decent public schools, a yearly vacation, and retirement contributions. That same household in 2026, adjusted for inflation, may find itself running calculations that don’t resolve — the house costs twice what it should relative to income, childcare eating a second salary, and the “good” school district has become its own arms race of tutoring, travel sports, and enrichment programs that didn’t exist twenty years ago.

    This explains the quarterly viral Reddit posts about a couple making $800K in NYC who feel like they’re middle class.

  • Truth

    Danny Hillis talks about 3 petty tyrants and 3 honest leaders and how they responded to challenges. It’s a long but worthwhile read.

    The post concludes with how truth-based solutions create a long-lasting legacy.

    The difference in long-term impact between the effective leaders and the petty tyrants is clear. While the effective leaders were not very similar in their styles, flaws or motivations, the important thing they have in common is that they built systems grounded in truth.

    Bismarck’s provocation of France worked because he had accurately assessed French and Prussian military capabilities, Napoleon’s character and the French sentiment. Roosevelt’s banking success came from fact-based diagnosis of the problem and communicating truthfully to the public. Singapore’s honest government gave it a competitive advantage over other small nations. Honesty was good for business.

    The legacies of these truth-based leaders have long outlived the leaders themselves, and they continue to benefit us in the 21st century. Bismarck’s social safety nets are still thriving in Germany, and they have been widely copied. Singapore is now a prosperous nation, and a Singaporean passport will get you visa-free entry into more countries than any other. Roosevelt’s Social Security is so successful that politicians on both sides of the aisle now compete to take credit for protecting it.

    Look at what endures from these six stories: not the propaganda, the posters and parades, but the institutions that continue to serve their nations decade after decade. The children who are healthy and literate. The elderly and disabled who live in security and dignity. The deposits, safe in the bank. The honest civil services that provide real protections and solve real problems. These are the legacies that matter.

    The petty tyrants’ spectacles of power — Napoleon’s “Second Empire,” Mussolini’s “New Roman Empire,” Marcos’ “Golden Age” — collapsed because illusions require constant effort to sustain. Truth-based solutions match reality — they solve real problems, so they last. Lee explained this clearly: “I was never a prisoner of any theory. What guided me were reason and reality.”

    Every leader is confronted with difficulties and must face that same fork in the road. The honest leaders chose truth. The dishonest chose denial and, as a consequence, they failed.

    Petty tyrants cause real suffering and harm, but they leave few enduring legacies. The lasting institutions of effective leaders are not undermined by reality. They are sustained by it. They are copied and improved. They are strengthened by success.

    Truth turns reality into a relentless ally. That gives me reason for hope.

  • Elite work

    Mandy Brown draws parallels from Andre Gorz’s book Reclaiming Work and the recent layoff announcements due to AI.

    …instead of reducing the number of workers, companies could reduce the amount of working time. That is, rather than laying off twenty percent of the workforce, they could have everyone work twenty percent less. In fact, I’d venture that a great number of knowledge workers would be more than happy to take a twenty percent pay cut in exchange for a four-day work week. Time is very often more valuable than cash.

    But the steady drumbeat of layoffs suggests that no member of the C-suite has even considered this path. Why not?

    It could hardly be more clearly stated that the workers taken in by the big companies are a small “elite,” not because they have higher levels of skill, but because they have been chosen from a mass of equally able individuals in such a way as to perpetuate the work ethic in an economic context in which work is objectively losing its “centrality”: the economy has less and less need of it. The passion for, devotion to, and identification with work would be diminishing if everyone were able to work less and less. It is economically more advantageous to concentrate the small amount of necessary work in the hands of a few, who will be imbued with the sense of being a deservedly privileged elite by virtue of the eagerness which distinguishes them from the “losers.” Technically, there really is nothing to prevent the firm from sharing out the work between a larger number of people who would work only 20 hours a week. But then those people would not have the “correct” attitude to work which consists in regarding themselves as small entrepreneurs turning their knowledge capital to good effect.

    This is what she wrote in April 2026. Below is the excerpt from what she wrote in September 2025 on elite work.

    That is, the existence of an elite workforce—whether it’s workers managing a kanban process in a Toyota factory, or workers driving agile development at a product company—is predicated on an underclass of people who either work in less sustainable conditions or else are proscribed from work at all. The former has come into some awareness in recent years, as workers at Google and elsewhere have organized not only well-paid engineers and designers but also support staff and contractors who are paid in a year what an engineer makes in a month. Those very highly-paid engineering roles simply couldn’t exist without the people toiling in the support mines or tagging text and images for AI training—often dreadful work that’s barely remunerated at all. But what Gorz is calling out here is that it isn’t only bad work that the elite work depends on—it’s also the absence of work. The “disruption” that the tech industry has so long prided itself on is just another word for “unemployment.”

    But there’s also a gesture here towards another way: the less that elite identifies with their work and with their companies’ successes, the more they admit of their own insecurity and of their collaboration in creating it, the less menacing that threat becomes, the more space is opened up for different futures.

    This was depressing and eye opening for me.

  • Decumulation

    Barry Ritholtz talking about the thorniest problem in finance.

    Consider some of the most challenging problems in finance: the equity-premium puzzle; binomial-option pricing models; do zero interest rates spur inflation or damp it; are stocks cheap or overpriced?

    Challenging as those may appear, none compare to what Nobel laureate William Sharpe, 82, calls “decumulation,” or the use of savings in retirement. It is, he says, “the nastiest, hardest problem in finance.”

    Why is planning for retirement so difficult? Saurabh Mukherjea explains the two key challenges.

    Longevity Risk: None of us know how far we will live. What we do know is that with each passing year, improvements in medical science are likely to increase our lifespan thus increasing our cost of retirement. Even if we assume that most of us will die between the ages of 70-100, there are at least 30 possible outcomes with regards to our own longevity.

    However, for retirement planning purposes, we also have to factor in our spouse’s longevity – after all, after I am gone, my better half’s lifestyle still needs to be funded properly. Since, even for your spouse there are 30 possible longevity outcomes, for a couple there are at least 900 possible longevity outcomes.

    Investment Risk: Assuming that most retirement portfolios are a mixture of bonds & equities, the blended return of the portfolio through the retirement years and in the decade immediately preceding retirement could range anywhere from low-single digits to low-20s. Why? Because the world’s large stock markets have seen extended periods of ZERO returns. For example, from 1967-84, the S&P500 gave zero returns. Between 1993-2003, the Sensex gave no returns. Then, again, from Jan 2007-Jan 2014 the Sensex gave close to zero returns. In fact, for half the years in the past 3 decades, the Sensex has given annual returns which are close to zero – see chart below.

    Assuming, however, that a mixture of bonds and equities gives a retirement portfolio long term returns anywhere between 5% and 25%, and taking intervals of 0.20%, there are at least 1000 different return possibilities to consider for your retirement portfolio.

    Now, given that there are 900 possible longevity outcomes (30 for you & 30 for your spouse) and there are 1000 possible returns outcomes, there are at least 90,000 possible retirement outcomes for you to consider even before we add the next important layer to this problem.

    He then adds two additional risks that a developing economy like India needs to consider.