gnfargbl's comments

This article is about the Cyber Security and Resilience Bill, which aims to increase the security of critical assets, and to strengthen breach reporting requirements.

It's puzzling to hear those steps described as "authoritarian." What makes you feel that way?


There’s a definite trend in many HN threads talking about the UK in the last few months that’s trying to push my narrative.

My money’s on Twitter being the source.


Unfortunate typo: that narrative, not my narrative.

We're in 2026 and the pendulum has fully pendulumed. Authoritarianism now means when the government does stuff.

No, it's more complicated than that: https://www.morganlewis.com/blogs/sourcingatmorganlewis/2022...

The short answer is that scraping isn't a CFAA offence but might be a terms and conditions violation, depending on the specifics of the access.


If this is about protecting third parties from being scraped, why does Google have an interest at all? Surely Google won't have the relevant third-party data itself because, as you say, Google respects robots.txt. So how can that data be scraped from Google?

I don't think this suit is actually about that, though. I think Google's complaint is that

> SerpApi deceptively takes content that Google licenses from others

In other words, this is just a good old-fashioned licence violation.


It's often interesting to observe the different ways that privacy is approached in the US and Europe.

In Europe we often accept pretty grave restrictions of our liberty like the UK's Online Safety Act, which would never fly in the US, and we do so without much public comment.

On the other side of things, organisations in the US happily expose datasets like this one, which would give most EU Data Protection Officers a heart attack, and nobody bats an eyelid.


This data is mandated by NYC law: https://intro.nyc/local-laws/2015-99

I've heard that releasing these sorts of data sets helps competitors do market research, and thus mitigates "winner takes all" forces. NYC also tends to be fairly pro-public-datasets: https://data.cityofnewyork.us/browse?%3BsortBy=most_accessed...


In Lyft's defense, they are providing it anonymized under the NYCBS Data Use Policy. They also aren't providing the exact GPS routes, which is why OSRM is used to calculate the shortest path instead.

I don't see anything problematic about start-end pairs from one public facility to another.

The answer lies in one of your questions:

> Grocery stores closed to visitors, all shopping done online and delivered to your door

In the UK at least, and I'm sure in a lot of other places, a solid proportion of groceries are now delivered to the door. But, that doesn't mean that supermarkets have closed; if anything, they seem to be busier than ever.

Instead, we have a hybrid market where convenience for the consumer is the ruling factor. The same is going to be true for most of the other situations you mention.


In parts of the US, even low-crime areas, a significant amount of the items at grocery stores are locked up in glass cases. If you want them you have to track down an employee and beg for access (and in some stores they won't let you carry the items to the register). That part of the store might as well be closed to visitors, replaced by vending machines.

I won't buy this stuff on principle. Microcenter locking up the 5090s is one thing, Target locking up a $15 pack of socks is another.

Hah. In my Safeway, the ice cream and half the frozen aisles have a lock on every door. I can’t imagine how much inconvenience that causes everybody. The employees openly say it’s ridiculous and you regularly find a queue in each aisle waiting to be individually served by an employee with a key unlocking and re-locking each door they want something from.

People often say that the problem with string theory is that it doesn't make any prediction, but that's not quite right: the problem is that it can make almost any prediction you want it to make. It is really less of a "theory" in its own right and more of a mathematical framework for constructing theories.

One day some unusual observation will come along from somewhere, and that will be the loose end that allows someone to start pulling at the whole ball of yarn. Will this happen in our lifetimes? Unlikely, I think.


The problem is that once, a long time ago, String Theory was something that made concrete predictions that people just couldn't calculate.

Then people managed to calculate those predictions, and they were wrong. So the people working that theory up relaxed some constraints and tried again, and again, and again. So today it's that framework that you can use to write any theory you want.

That original theory was a good theory. Very compelling and just a small adjustment away from mainstream physics. The current framework is just not a good framework, it's incredibly hard to write any theory in it, understand what somebody else created, and calculate the predictions of the theories you create.


I am old enough to remember when string theory was expected to explain and unify all forces and predict everything. Sadly, it failed to deliver on that promise.

And there is no known single real world experiment that can rule out string theory while keeping general relativity and quantum mechanics intact.

More accurately, string theory is not wrong (because it just cannot be wrong). Because it does not predict anything and cannot invalidate anything, it does not help to advance our understanding of how to integrate general relativity and quantum mechanics.

It should not be called a theory - maybe a set of mathematical tools or whatever.


string boot framework


You can't really show it's wrong because there are dozens of different theories but using the Wikipedia definition "point-like particles of particle physics are replaced by one-dimensional objects called strings" it's possible that particles are not strings. I guess it would then be like fairies at the end of the garden theory. Good from a literary fiction point of view but not reality.


I was planning to make a similar comment. Conjecturing that some theory in the string theory landscape [0] gives a theory of quantum gravity consistent with experiments that are possible but beyond what humans may ever be capable of isn't as strong of a claim as it may first appear. The intuition I used to have was that string theory is making ridiculously specific claims about things that may remain always unobservable to humans. But the idea is not that experiments of unimaginable scale and complexity might reveal that the universe is made up of strings or something, it's just that it may turn out that string theory makes up such a rich and flexible family of theories that it could be tuned to the observed physics of some unimaginably advanced civilization. My impression is that string theory is not so flexible that it's uninteresting though. There's some interesting theoretical work along these lines around exploring the swampland [1].

[0] https://en.wikipedia.org/wiki/String_theory_landscape

[1] https://en.wikipedia.org/wiki/Swampland_(physics)


Or, that day will never come, because string theory isn't reflective of the actual world, or because there are so many theories possible under the string theory rubric that we can never find the right one, or because the energies involved to see any effect are far beyond what could be reached in experiment.


It isn't completely implausible that a future civilisation could perform the experiments to gather that data, somehow; but it is hard to envisage how we do it here on Earth.

Your implicit point is a good one. Is it sensible to have a huge chunk of the entire theoretical physics community working endlessly on a theory that could well end up being basically useless? Probably not.


There is not a "huge chunk" of the theoretical physics community working on string theory, and there never was. For one, it is far less common a topic of research now than it was earlier when it was more popular, but even then "huge" was really "a lot of universities had a grant for string theory investigation because it looked promising".

It mostly hasn't worked out and now people are moving on to other things.

The single worst thing that happened though was the populism: a small group of people with credentials started putting out pop-sci books and doing interviews, well in excess of what their accomplishments should mean. People are like "so many people are working on this" because there were like, 3 to 5 guys who always said "yes" to an interview and talked authoritatively.


Huge is a subjective term, but go and count the number of participants at Strings 2025 [1]. Then realise that is just one of many conferences [2]. It's still a very big field.

[1] https://nyuad.shorthandstories.com/strings-conference-abu-dh...

[2] https://www.stringwiki.org/wiki/Conferences


A meaningless statement if you aren't going to introduce any points of comparison. But I would hardly call 735 conference participants a huge conference. Like, that's big but there are a lot more than 735 theoretical physicists.


Claude tells me that there are about ~5000 theoretical high energy physicists actively publishing as tracked by INSPIRE-HEP (the de facto search engine in that field). If we estimate that about a third or half of string theorists take part in Strings in a given year -- because there are other big conferences like String Pheno that will be more relevant for many -- then we have something like 30-50% of high energy theorists working on string theory.

I agree that people should be "moving on to other things," but I'm not seeing the evidence that they actually are.


Are all the attendees of a Linux conference Linux developers? Are all the people who attend CCC penetration testers?


> the problem is that it can make almost any prediction you want it to make

In logic this is either the principle of "contradiction elimination" or a "vacuous truth", depending on how you look at it, i.e. given sufficiently bad premises, you can prove anything.


> less of a "theory" in its own right and more of a mathematical framework for constructing theories.

so it's javascript?


A bit like LISP then ...


Theorists are real good at bending around experimental data, unusual or not


Both you and the poster above you may be misunderstanding the point that Jonathan Hall KC appears to be making. If you take a look at what he actually writes [1], then it is pretty clear that he is presenting these hypothetical cases as examples of obvious over-reach.

This is a warning from the independent reviewer that the law is potentially too broad, not an argument to retain these powers.

[1] https://assets.publishing.service.gov.uk/media/69411a3eadb57..., pages 112 and 113


So: OP wants to grow, but at his own pace and in his own way. He values transparency and autonomy. He doesn't mention salary as being particularly important, but does want a good work/life balance.

I wonder if he's considered a job as a developer in the Dutch government?


Be aware of threat actors, too: you're giving them an easy data exfil route without the hassle and risk of them having to set up their own infrastructure.

Back in the day you could have stood up something like this and worried about abuse later. Unfortunately, now, a decent proportion of early users of services like this do tend to be those looking to misuse it.


What's a "data exfil route"?


I'm not who you asked, but essentially, when you write malware that infects someone's PC, that in itself doesn't really help you much. You usually want to get out passwords and other data that you might have stolen.

This is where an exfil (exfiltration) route is needed. You could just send the data to a server you own, but you have to make sure that there are fallbacks once that one gets taken down. You also need to ensure that your exfiltration won't be noticed by a firewall and blocked.

Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.


Thanks!

Though the public address is going to be random here so how will the hacker figure out which tunnl.gg subdomain to gobble up?


That's actually a fair defence against this kind of abuse. If the attacker has to get some information (the tunnel ID) out of the victim's machine before they can abuse this service, then it is less useful to them because getting the tunnel ID out is about as hard as just getting the actual data out.

However, if "No signup required for random subdomains" implies that stable subdomains can be obtained with a signup, then the bad guys are just going to sign up.


I've seen lots of weird tricks malware authors use, people are creative. My favorite is that they'd load up a text file with a modified base64 table from Dropbox which points to the URL to exfiltrate to. When you report it to Dropbox, they typically ignore the report because it just seems like random nonsense instead of being actually malicious.


> Hosting a server locally, easily, on the infected PC, that can expose data under a specific address is (to my understanding) the holy grail of exfiltration; you just connect to it and it gives you the data, instead of having to worry much about hosting your own infrastructure.

A permanent SSH connection is not exactly discreet, though...


The real kicker is in point 1.13:

> website activity logs show the earliest request on the server for the URL https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl.... This request was unsuccessful, as the document had not been uploaded yet. Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses.

In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

The report acknowledges this at 2.11:

> In the course of reviewing last week’s events, it has become clear that the OBR publication process was essentially technically unchanged from EFOs in the recent past. This gives rise to the question as to whether the problem was a pre-existing one that had gone unnoticed.
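The pattern described above, repeated unsuccessful requests for a predictable URL from several addresses before the file existed, is visible in ordinary web server access logs. The following is an added example, not code from the OBR report or from anyone in this thread, showing how a site operator could scan such logs for pre-publication polling and, separately, for any successful download before the embargo time (the case where access control has failed). The log lines, the document path, the embargo time and the alert thresholds are all constructed or assumed for illustration.

```python
"""Detect pre-publication polling of a not-yet-uploaded document URL.

Added example for the OBR discussion; not the OBR's own code. The log
lines below are constructed, and the path, embargo time and thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed sample lines in Apache/nginx "combined" format. The path is a
# placeholder standing in for a scheduled publication, not the real OBR URL.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Nov/2025:09:02:11 +0000] "GET /docs/dlm_uploads/EFO_PLACEHOLDER.pdf HTTP/1.1" 404 196 "-" "curl/8.4.0"
203.0.113.10 - - [26/Nov/2025:09:07:12 +0000] "GET /docs/dlm_uploads/EFO_PLACEHOLDER.pdf HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.7 - - [26/Nov/2025:09:15:40 +0000] "GET /docs/dlm_uploads/EFO_PLACEHOLDER.pdf HTTP/1.1" 404 196 "-" "python-requests/2.32"
192.0.2.55 - - [26/Nov/2025:09:20:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Nov/2025:09:30:03 +0000] "GET /docs/dlm_uploads/EFO_PLACEHOLDER.pdf HTTP/1.1" 404 196 "-" "python-requests/2.32"
203.0.113.10 - - [26/Nov/2025:10:55:00 +0000] "GET /docs/dlm_uploads/EFO_PLACEHOLDER.pdf HTTP/1.1" 200 88210 "-" "curl/8.4.0"
192.0.2.55 - - [26/Nov/2025:12:31:00 +0000] "GET /docs/dlm_uploads/EFO_PLACEHOLDER.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
"""

DOC_PATH = "/docs/dlm_uploads/EFO_PLACEHOLDER.pdf"          # placeholder path
PUBLISH_AT = datetime(2025, 11, 26, 12, 30, tzinfo=timezone.utc)  # assumed embargo time

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_prepublication_polling(log_text, path, publish_at, min_requests=3, min_ips=2):
    """Summarise requests for `path` made before `publish_at`.

    Two things matter to a defender: requests for the document before it
    existed (403/404) show the URL was guessed, and any 200 before the
    embargo lifted shows the access control failed.
    """
    early_misses = defaultdict(int)
    early_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path or rec["ts"] >= publish_at:
            continue
        if rec["status"] == 200:
            early_hits.append((rec["ip"], rec["ts"].isoformat()))
        elif rec["status"] in (403, 404):
            early_misses[rec["ip"]] += 1
    total = sum(early_misses.values())
    return {
        "misses_by_ip": dict(early_misses),
        "total_misses": total,
        "unique_ips": len(early_misses),
        "early_hits": early_hits,
        "polling_suspected": total >= min_requests and len(early_misses) >= min_ips,
        "embargo_breached": bool(early_hits),
    }


def demo_result():
    """Run the detector over the constructed sample with the assumed embargo time."""
    return find_prepublication_polling(SAMPLE_LOG, DOC_PATH, PUBLISH_AT)


if __name__ == "__main__":
    print(demo_result())
```

Run as a script it prints the summary for the sample: two addresses polled the placeholder path four times before it existed, and one of them fetched it successfully at 10:55, ninety-five minutes before the assumed 12:30 embargo, which is the finding that would matter most to the site owner.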


> In other words, someone was guessing the correct staging URL before the OBR had even uploaded the file to the staging area. This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

The URLs are predictable. Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.


I used to do this for BOE / Fed minutes, company earnings etc on the off chance they published it before the official release time.

2025-Q1-earnings.pdf - smash it every 5 seconds - rarely worked out, generally a few seconds head start at best. By the time you pull up the pdf and parse the number from it the number was on the wires anyway. Very occasionally you get a better result however.


This is so incompetent.

Given the market significance of the report it's damn obvious that this would happen. They should have assumed that security via obscurity was simply not enough, and the OBR should have been taking active steps to ensure the data was only available at the correct time.

> Hedge-funds would want to get the file as soon as it would be available - I imagine someone set up a cron-job to try the URL every few minutes.

It's not even just hedge-funds that do this. This is something individual traders do frequently. This practice is commonplace because a small edge like this with the right strategy is all you need to make serious profits.


They weren't in any way attempting to rely on security by obscurity.

They didn't assume nobody would guess the URL.

They did take active steps to ensure the data was only available at the correct time.

But they didn't check that their access control was working, and it wasn't.


This setup was not initially approved, see 1.7 in the document:

> 1.7 Unlike all other IT systems and services, the OBR’s website is locally managed and outside the gov.uk network. This is the result of an exemption granted by the Cabinet Office in 2013. After initially rejecting an exemption request, the Cabinet Office judged that the OBR should be granted an exemption from gov.uk in order to meet the requirements of the Budget Responsibility and National Audit Act. The case for exemption that the OBR made at the time centred on the need for both real and perceived independence from the Treasury in the production and delivery of forecasts and other analysis, in particular in relation to the need to publish information at the right time.


Gov.uk does not use some random wordpress plugin to protect information of national significance, doco at https://docs.publishing.service.gov.uk/repos/whitehall/asset...


Part of this is a product of the UK's political culture where expenses for stuff like this are ruthlessly scrutinised from within and without.

The idea of the site hosting such an important document running independently on WordPress, being maintained by a single external developer and a tiny in-house team would seem really strange to many other countries.

Everyone is so terrified of headlines like "OBR spends £2m upgrading website" that you get stuff like this.


It's not an easy call. Sometimes, one or two dedicated and competent people can vastly outperform large and bureaucratic consulting firms, for a fraction of the price. And sometimes, somebody's cousin "who knows that internet stuff" is trousering inflated rates at the taxpayer's expense, while credentialed and competent professionals are shut out from old boys' networks. One rule does not fit all.


It would work if old boys' networks were not the de facto pool that the establishment hired from. The one time where UK GOV did go out and hire the best of the best in the private sector regardless of what Uni they went to we got GDS and it worked very well, but it seems like an exception to usual practice.


> This suggests that the downloader knew that the OBR was going to make this mistake, and they were polling the server waiting for the file to appear.

I think most of the tech world heard about the Nobel Peace Prize award so it doesn't seem that suspicious to me that somebody would just poll URLs.

Especially since before the peace prize there have been issues with people polling US economic data.

My point is strictly, knowledge that they should poll a URL is not evidence of insider activity.


How does the Nobel Peace Prize figure into this? I seem to be on the other side that didn't hear about the award. Which is not surprising as I don't follow it, but also I haven't worked out query terms to connect it with OBR.


Somebody monitored the metadata on files to figure out who the winner of the Nobel Prize was prior to the official announcements by the candidate that was modified. Which they used to financially profit in betting markets.

It relates to OBR because it's another scenario where people just by polling the site can figure out information that wasn't supposed to be released yet. And then use that information to profit.

Since a recent event of polling was in the news the idea of polling isn't really evidence of an insider trying to leak data versus somebody just cargo-culting a technique. Plus polling of financial data was already common.


Thank you for answering that person’s question so clearly. I was also in the dark and this really helped.


Because it was insider traded on Polymarket many hours before it was publicly announced.


The report also says a previous report was also accessed 30 mins early.

