Hacker News | neilv's comments

> However, the existence of pirates is a stitch in my craw, particularly when any schoolmarm typing the name of my software into Google is prompted to try stealing it instead:

I wonder whether Google, in its Don't Be Evil era, ever considered what they should do about software piracy, and what they decided.

I'd guess they would've decided to either discourage piracy, or at least not encourage it.

In the screenshot, the Google search query doesn't say anything about wanting to pirate, yet Google is suggesting piracy, a la entrapment.

(Though other history about that user may suggest a software piracy tendency, but still, Google knows what piracy seeking looks like, and they special-case all sorts of other topics.)

Is the ethics practice to wait to be sued or told by a regulator to stop doing something?

Or maybe they anticipate costs and competition for how they operate, and lobby for the regulation they want, so all they have to do is be compliant with it, and be let off the hook for lawsuits?


Did Google ever have a real Don't be Evil era?

The original expression came out of an internal company discussion that someone summarized (paraphrased) as "when there's a tough choice to make, one is usually less evil. Make that choice."

In the early days of Google in the public consciousness, this turned into "you can make money without being evil." (From the 2004 S-1.)

Over time, it got shortened to "don't be evil." But this phrase became an obligatory catchphrase for anyone's gripes against Google The Megacorp. Hey, Google, how come there's no dark mode on this page? Whatever happened to "don't be evil"? It didn't serve its purpose anymore, so it was dropped.

Answering your question really depends on your priors. I could see someone honestly believing Google was never in that era, or that it has always been from the start. I strongly believe that the original (and today admittedly stale) sentiment has never changed.


Making a loud affair out of its retirement rather than quietly letting it collect dust and be forgotten over time was most definitely not a good idea.

The public already demonstrated that they adopted, misused and weaponized the maxim. Its retirement just sharpened the edge of that weapon. Now instead of "What happened to don't be evil?" it's become "Of course Google is being evil." and everything exists in that lens.


A similar dynamic is playing out with Anthropic, whose founders left OpenAI in part over a philosophical split that could be described, if you'll grant a little literary license appropriate to this thread, as Anthropic choosing the "don't be evil" path. No surprise that we now see HN commentary skewering Anthropic for not living up to it.

They had to at least nominally have it, early on, to be able to hire the best Internet-savvy people.

Tech industry culture today is pretty much finance bro culture, plus a couple decades of domain-specific conditioning for abuse.

But at the time Google started, even the newly-arrived gold rush people didn't think like that.

And the more experienced people often had been brought up in altruistic Internet culture: they wanted to bring the goodness to everyone, and were aware of some abuse threats by extrapolating from non-Internet society.


If you need to sloganize a reminder to yourself to not be evil, that's not a promising sign.

Early in Google's history, I took that sentiment as saying that they were one of us (Internet people), and weren't going to act like Microsoft (at the time, regarded by Internet people as an underhanded and ignorant company). Even though Google had a very nice IR function and general cluefulness, and seemed destined to be big and powerful.

And if it were the altruistic Internet people they hired, the slogan/mantra could be seen as a reminder to check your ego/ambition/enthusiasm, as well as a shorthand for communicating when you were doing that, and that would be respected by everyone because it had been blessed from the top as a Prime Directive.

Today, if a tech company says they aspire not to be evil: (1) they almost certainly don't mean it, in the current culture and investment environment, or they wouldn't have gotten money from VCs (who invest in people motivated like themselves); (2) most of their hires won't believe it, except perhaps new grads who probably haven't thought much about it; and (3) nobody will follow through on it (e.g., witness how almost all OpenAI employees literally signed to enable the big-money finance-bro coup of supposedly a public interest non-profit).


I took it to mean, prioritize long-term growth over short-term income. But the slogan was silly even back then, like obviously an evil company would claim to not be evil.

If it was silly, a lot of altruistic people nevertheless fell for it.

For example, my impression at the time was that people thought that Google would be a responsible steward of Usenet archives:

https://en.wikipedia.org/wiki/Henry_Spencer#Preserving_Usene...

FWIW, it absolutely was believable to me at the time that another Internet person would do a company consistent with what I saw as the dominant (pre-gold-rush) Internet culture.

For example of a personality familiar to more people on HN, one might have trusted that Aaron Swartz was being genuine, if he said he wanted to do a company that wouldn't be evil.

(I had actually proposed a similar corporate rule to a prospective co-founder, at a time when Google might've still been hosted at Stanford. Though the co-founder was new to Internet, and didn't have the same thinking.)


In other words the company made a bet on people's naivety and it worked.

'99 to 2004. You had to have been there, maaaan...

I've been there when Google was altavista.digital.com ;)

I self-host Forgejo for personal and indie-startup purposes, and like it well enough.

The downside with that is it misses one of the key purposes of GitHub: posturing for job-hunting/hopping. It's another performative checkbox, like memorizing Leetcode and practicing delivery for brogrammer interviews.

If you don't appear active on GitHub specifically (not even Codeberg, GitLab, nor something else), you're going to get dismissed from a lot of job applications, with "do you even lift, bro" style dissing, from people who have very simple conceptions of what software engineers do, and why.


There is a fairly straightforward feature in Forgejo to sync your repos to GitHub, if that's what you want to do. It's not perfect, of course, but should help to advertise your projects and keep your activity heatmap green.

I mostly use Forgejo for my private repos, which are free at GitHub, but with many limitations. One month I burned all my private CI tokens on the 1st due to a hung Mac runner. Love not having to worry about this now!


or you can just have two remotes and push to both sites and enjoy git's distributed nature

I do this, but beware if you have LFS files. You can easily get into weird states with LFS pushing up to two different remotes and it's really not fun to fix.

> If you don't appear active on GitHub specifically... you're going to get dismissed from a lot of job applications

Sometimes wonder if my coursemates back in the days, who automated commits to private repos just to keep the green box packed, actually got any mileage out of it.


I get that. To counter it I usually try to have at least one public repo on my Forgejo instance and link to that on my resume/LinkedIn. It helps that I'm angling for security/infra positions so the self-hosting aspect actually helps but even without that I would imagine it signals something. Maybe not ideal for the most mainstream jobs (whatever that even means...), but I suspect some people will be intrigued by the initiative.

Edit: to the "do you even lift bro", the response becomes "yeah man, I've built my own gym - oh, you go to Planet Fitness? Good luck."


Fine with me. Not the type of jobs I want anyway.

Evidence?

(I know one historical connection that looks suspicious, but it could be explained by the fact that prestigious social network graphs in the US tend to be incestuous, and a closely-connected world.)


My gut feel is that Micay is genuine, and obviously also very defensive.

At least some of the defensiveness is warranted. Maybe most of it. Regardless, it comes across in most GrapheneOS communications, and it's sometimes counterproductive.

A related issue, which I'm sure Micay can appreciate, is that users of GrapheneOS tend to be cautious, and increasingly will want to know why the project should be trusted, now that it is popular and on a lot of radars of adversaries.

(For example, hypothetical scenario that's plausible, given the incentives: State actor (e.g., RU, US, CN) or organized crime group long-con starts with a public harassment campaign of Micay. Followed by sleeper volunteers taking more control of the project, initially under the pretext of helping insulate Micay from harassment, and taking some of the load off. Later maybe even impersonating Micay. Now the threat actor has backdoors to a large number of especially privacy/security-conscious parties, including communications, 2FA, location, cryptocurrency wallets, internal networks where those people work, etc.)

I think it probably hasn't been compromised like that, but it's an obvious real possibility, and IMHO, until GrapheneOS is more transparent, some natural users of GrapheneOS are going to consider iPhone relatively "the devil you know".

Again, I think Micay is genuine, and I'm a fan of the project and appreciate it. And I hope the project understands that's compatible with critical thinking about infosec, and doesn't take personal offense at that.

(Source: Am long-time GrapheneOS user, and have donated.)


I agree that this is an issue, but it is impossible to prove a negative. The same could be said for Apple's or other manufacturers' signing keys. Who guarantees that the US government hasn't required access to the iOS signing keys? Or China in exchange for access to the Chinese market? They probably wouldn't even want to reveal that the signing keys were leaked if they were allowed to, since it would undermine their security story.

With a non-profit project of highly principled security experts, there is at least a high probability that they'd rather blow up the project than compromise. People elsewhere in the thread criticize Micay because he deleted the CopperheadOS keys, but to me it increases trust in the GrapheneOS project, since he clearly puts the security of his users over money, fear, and whatnot.

In the end trust arises from running a project or company long-term without evidence that you somehow compromised security.

I wonder in general how this situation could be improved. Second or third independent reproducible build + confirmation signing?


All of the defensiveness is warranted. They speak neutrally and objectively.

The project is not going to relinquish control to any 3rd party. Not even the Motorola partnership is given control over the GOS project. The hypothetical you describe is not possible by design.

The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.

Note that there are more individuals in the project than Micay. Multiple people handle multiple responsibilities; it's not one person.


> The GOS project takes no issue with critical thinking, and encourages it. But that is often used as an excuse to handwave attacks. There is a very big difference between criticism/critical thinking and attacking them.

Responding to attacks so defensively is almost always a bad look for organizations. They could really use a PR person with a more measured voice that corrects facts and projects confidence, and does not convey victimhood, insecurity or defensiveness. Take a look at the tone of press releases issued by companies when some tech press bozo writes a hit piece on them, for good examples of dealing with people attacking you.


I would not use those words to describe the approach they take. They make the effort to speak neutrally and objectively, but the issues they are making light of are often exactly as extreme and common as they describe. Many people have voiced appreciation that they decide against a "corporate-speak" approach. The GrapheneOS accounts are meant to be accounts that let project members speak to users, rather than take on a corporate appearance.

I'm sure you realize that confident assurances of a random new pseudonymous account on a Web site aren't sufficient for anything of importance.

Is there an authoritative source of information about how a takeover like that isn't possible by design, which people can verify, analyze, hold parties accountable for the pieces that require it, etc.?


I am a GrapheneOS user and community member, and I am active in the chat rooms. I made this account to assist with misinformation.

As for how such a thing would not be possible:

- GrapheneOS updates do not trust the network, so any compromise of update servers for OS and app updates would not be able to push malicious updates. Only those who hold the signing keys are capable of pushing updates that will be accepted.

- Multiple people review the code that gets included in the OS. There is not one point of failure when it comes to social engineering.

- GOS supports reproducible builds, so the code that is published can be verified to be the code that is built for the official builds.

So in other words, you would need to convince multiple people who are consciously protecting against this, and who have a proven track record of burning the keys if the privacy and security of their users are in jeopardy. On top of that, you need to conceal this from every developer, moderator, and community member who would raise the alarm at the slightest indication of compromise.


[flagged]


Calyx Institute and GrapheneOS are both really great projects. I support them both. I rely on products from both.

You're not doing either project any favors by pretending that hastily generalizing nerd dramas and autism over-corrections is somehow a broad statement on the neutrality and objectivity of GrapheneOS's team or the high-quality product it produces.

This kind of bad faith posting is bad for the whole FOSS/libre community, and it's both dumb and rude, in contradiction of HN's site guidelines.


[flagged]


The author of that blog got mad we didn't want to implement a feature they wished for. Their duplicate issue was closed and later deleted and they made a public drama out of it for... what reason?

Let me tell you something. I personally reached out to them just a few weeks ago. I didn't argue, I didn't blame them. That was not my intention and I communicated that clearly. Those were not empty words, I went into it with a genuine open mind and with the goal of finding a solution. After all they consider themselves an open source enthusiast.

It didn't go anywhere. They did not seem willing to discuss anything at all really. You see, even if we assume they are 100% in the right, i.e. they did nothing wrong, why would they oppose our attempt at resolving the conflict? I've come to the conclusion there is no good faith argument to be made here. They spread their post all over the internet, heck they even linked it on Facebook.


Not a sock, just finally annoyed enough to actually log in and say something.

I can see you can't engage about this without hurling wild accusations, so peace out.


> The company is offering a 20% discount that you can apply toward one of its new Kindle models,

Federal is complicated right now, but can state AGs step in, and make Amazon either continue to support the old devices, or provide comparable free replacement devices?


Can they, yes. Just about anyone can be used for just about anything.

Should they, no. Why should Amazon continuously support, checks notes... 14 year old devices??? Likely the number of customers using a device like that anymore is super small.


The network service side of the product should continue to work because the company sold that.

Unless you can find where the original advertisements (not microscopic fine print) said that the company would disable the network service side after a period of time, such that the buyers knew that's what they were buying, then the company is obligated to continue operating the service they sold. Or negotiate some alternative satisfactory to the buyer.


Unlikely. Kindles are e readers that last a long time. I have a 10yr old paperwhite as good as new!

Your paperwhite will soon become paperweight.

Yes, if by soon you mean 5 more years. 15yrs is ok for any electronic device! I changed 6 phones in the last 15yrs

how well does the battery hold up after that long?

Mine is only like 2-3 years old and I charge it so rarely. I can read several entire books on a charge easily. It lasts months. I imagine even if the battery degraded significantly it would be quite usable.


I replaced the battery in mine. Unlike big tech, I believe in repairing old devices. Something Amazon have not considered is how many of these old devices are used as companion devices for other high end Kindle owners. I have a Scribe and old Paperwhite and use them interchangeably, with cloud sync of reading position etc, which won't be possible after 20 May.

My paper white is about 7/8 years old, and is still holding up fine though the battery is noticeably degraded - charging it approximately once a week now.

I was also having a play with a demo model of the latest one in a store and the page turn speed is much much better, which is tempting me to upgrade though I'd prefer to run the current one into the ground first.


I have to charge once a month or once 15 days I didn't keep track tbh. And I read like crazy. I finished 22 books on the kindle this year so far.

It's a lithium battery so unless you let it drain to single digits every time, it'll last a LOONG time


> According to The Information, Chief Technology Officer Praveen Neppalli Naga said Uber is now "back to the drawing board" after a surge in the use of AI coding tools, particularly Anthropic's Claude Code, has blown past internal expectations.

Of usage costs?

> The payoff is starting to show. Around 11% of Uber's live backend code updates are now written by AI agents, up sharply in just a few months. These systems power everything from ride-matching to pricing and bug fixes.

That's not a payoff.

What is the immediate cost of those code updates, what is the quality, how do they affect longer-term maintenance, how does that compare to doing it without "AI", etc.

Are these articles written to inform or to hype?

> UNLOCKED: 5 NEW TRADES EVERY WEEK. Click now to get top trade ideas daily, plus unlimited access to cutting-edge tools and strategies to gain an edge in the markets.

There's my answer. Here's a helpful uBlock Origin filter:

    ||finance.yahoo.com^

Only 11%!? Slackers. My team's project is 100% coding agent generated as pushed for by our dear leaders. Yes I'm very scared for when it all crashes down and really hope I'm not there when it does.

Yes, yahoo “journalism” is garbage. The primary source of this story is paywalled, so I can’t actually see what it said, but this AI (or otherwise crappy) summary is worthless.

Yahoo doesn't have journalism. It's a syndication portal. https://www.benzinga.com/markets/tech/26/04/51828848/ubers-a...

The other day, I was forcing myself to use Claude Code for a new CRUD React app[1], and by default it excreted a pile of Node JS and NPM dependencies.

So I told it something like, "don't use anything node at all", and it immediately rewrote it as a Python backend, and it volunteered that it was minimizing dependencies in how it did that.

[1] only vibe coding as an exercise for a throwaway artifact; I'm not endorsing vibe coding


> forcing myself to use Claude Code

You don't have to live like this.


Even though I'm a hardcore programmer and software engineer, I still need to at least keep aware of the latest vibe coding stuff, so I know what's good and bad about it.

You can tell Claude to use something highly structured like Spring Boot / Java. It's a bit more verbose in code, but the documentation is very good which makes Claude use it well. And the strict nature of Java is nice in keeping Claude on track and finding bugs early.

I've heard others had similar results with .NET/C#


Spring Boot is every bit as random mystery meat as Vercel or Rails. If you want explicit then use non-Boot Spring or even no Spring at all.

Asp.net 10 and vertical slice architecture is good and clean

Same for Go.

My vibe coded one-off app projects all have, by default, "self-contained single file static client side webapp, no build step, no React or other webshit nonsense" in their prompt. For more complex cases, I drop the "single file". Works like a charm.

You wanted it to use React but not node? Am I missing something here?

You can use React without Node by using a CDN. You can even use JSX if you use Babel in a script tag. It's just inefficient and stupid as hell.

I'm struggling to understand how they bought Bun but their own AI models are more fixated on writing Python for everything than even the models of their competitor who bought the actual Python ecosystem (OAI with uv)

It emits Actix and Axum extremely well with solid support for fully AOT type checked Sqlx.

Switch to vibe coding Rust backends and freeze your supply chain.

Super strong types. Immaculate error handling. Clear and easy to read code. Rock solid performance. Minimal dependencies.

Vibe code Rust for web work. You don't even need to know Rust. You'll osmose it over a few months using it. It's not hard at all. The "Rust is hard" memes are bullshit, and the "difficult to refactor" was (1) never true and (2) not even applicable with tools like Claude Code.

Edit: people hate this (-3), but it's where the alpha is. Don't blindly dismiss this. Serializing business logic to Rust is a smart move. The language is very clean, easy to read, handles errors in a first class fashion, and fast. If the code compiles, then 50% of your error classes are already dealt with.

Python, Typescript, and Go are less satisfactory on one or more of these dimensions. If you generate code, generate Rust.


Ok I mean this is a little crazy, "minimal dependencies" and Rust? Brother I need dependencies to write async traits without tearing my hair out.

But you're also correct in that Rust is actually possible to write in a more high level way, especially for web where you have very little shared state and the state that is shared can just be wrapped in Arc<> and put in the web framework's context. It's actually dead easy to spin up web services in Rust, and they have a great set of ORMs if that's your vibe too. Rust is expressive enough to make schema-as-code work well.

On the dependencies, if you're concerned about the possibility of future supply chain attacks (because Rust doesn't have a history like Node) you can vendor your deps and bypass future problems. `cargo vendor` and you're done, Node has no such ergonomic path to vendoring, which imo is a better solution than anything else besides maybe Go (another great option for web services!). Saying "don't use deps" doesn't work for any other language other than something like Go (and you can run `go mod vendor` as well).

But yeah, in today's economy where compute and especially memory is becoming more constrained thanks to AI, I really like the peace of mind knowing my unoptimised high level Rust web services run with minimal memory and compute requirements, and further optimisation doesn't require a rewrite to a different language.

Idk mate, I used to be a big Rust hater but once I gave the language a serious try I find it more pleasant to write compared to both Typescript and Go. And it's very amenable to AI if that's your vibe(coding), since the static guarantees of the type system make it easier for AI to generate correct code, and the diagnostics messages allow it to reroute its course during the session.


How are you getting low dependencies for Web backend with Rust? (All my manually-written Rust programs that use crates at all end up pulling in a large pile of transitive dependencies.)

Cargo is just as vulnerable as NPM. It's just a smaller, more difficult target.

Except with using Rust like this you're using it like C#. You don't get to enjoy the type system to express your invariants.

> Python

I once made a golang multi-person pomodoro app by vibe coding with gemini 3.1 pro (when it had first launched first day) and I asked it to basically only have one outside dependency of gorilla websockets and everything else from standard library and then I deployed it to hugging face spaces for free.

I definitely recommend golang as a language if you wish to vibe code. Some people recommend rust but Golang compiles fast, its cross compilation and portable and is really awesome with its standard library

(Anecdotally I also feel like there is some chances that the models are being diluted cuz like this thing then has become my benchmark test and others have performed somewhat worse or not the same as this to be honest and its only been a few days since I am now using hackernews less frequently and I am/was already seeing suspicions like these about claude and other models on the front page iirc. I don't know enough about claude opus 4.7 but I just read simon's comment on it, so it would be cool if someone can give me a gist of what is happening for the past few days.)


Too bad the article isn't paywalled, or it could be a moment to have a talk about HN's own standard-operating-procedure piracy.

When it comes to piracy and anti-piracy, there is greed and stupidity on all sides.


I can't feel bad when the subscription circumvention uses the same method they use to get their stuff to rank high in search results. News pages want their content indexed, so they can pull a bait and switch.

Legal questions...

In browser plugins and mobile apps (and maybe WordPress plugins?), it's pretty well known that malware attackers buying those is a frequent thing, and a serious threat. So:

1. So is there an argument to be made that a developer/publisher/marketplace selling such software, after it has established a reputation and an installed base, may have an obligation to make some level of effort not to sell out their users to malware/criminals?

2. Do we already have some parties developing software with the intention of selling it to malware/criminals, planning that selling it will insulate them from being considered a co-conspirator or accessory?


Before browsers were up to this, I implemented something related, using Google Earth Plugin.

You could load up the flight data recorder data (which contains more parameters than ADS-B), and watch 3rd-person view animation of a 3D model of that aircraft's movements as it flies over terrain. With instruments, plus visual annotations of flight path over terrain.

One kludge I was proud/relieved to find: At the start of the flight, there's a zoom in to the aircraft on the ground, from the Earth view, and then a particular dance of the camera around the aircraft itself. The purpose wasn't to try to look cool at the time, but to make sure that the plugin would render the aircraft model at all, before we started to change the position or orientation of the model. (The plugin was overly aggressive about deciding some annotations weren't in the scene. Once this camera dance ritual forced the plane into the scene, it stayed in the scene, even as it moved and twisted, and as the camera moved with it.)


I saw Balint Seeber demo this at Dorkbot in Sydney, which must have been in the early 2000s, definitely before he left Sydney in about 2010.

He was using live ADS-B data from an SDR, because this was way before global ADS-B websites and APIs existed.

(I wonder what he's up to these days, he was a fascinating person and presenter, and used to be a prolific blogger on interesting subjects. I also wonder what Pia van Gelder who used to run Dorkbot Sydney is up to?)

