Shameless plug

First and foremost - an absolutely shameless plug!

I wrote a blog post for JFrog, and it was published on the company blog last week. Missed Valentine's Day by one!

Do check it out. The topic is the AWS Well-Architected Framework (WAFR) and how JFrog delivers on the Security and Operations aspects of the framework.

The AWS WAFR is a best practices review to ensure that your cloud infrastructure is secure, cost-effective, and reliable. It has six pillars focused on operations, security, performance, cost optimization, sustainabilty, and reliability.

The JFrog Platform contributes to many of the Security pillar design principles. It makes sure that you can ship secure code, get rich and correlated security alerts in the way you prefer, perform vulnerability management easily and with support from the JFrog Platform, and covers many other topics. The attached PDF file that I created goes in depth on these topics. Do check it out.

Back to it

With that, let's get back to our regular newsletter. First, we're talking about HP. Then, we'll turn our attention to new kinds of cybercrime, and read some more about how FOSS maintainers are struggling and quitting. We'll also check in with DeepSeek, and we'll find out what's up with Intel.

Reluctantly, let's talk about HP - the world leader in... printers? laptops? I'm not sure any more.

HP is in the news for two things this week - buying out Humane for an insanely cheaper price than the founders wanted for the startup, and for introducing unnecessary mandatory 15 minute waiting periods on their Call Center Support calls, in order to deter paying customers from getting human support where they need it.

First, the inHumane news. Humane is best known for their Ai Pin. I know someone professionally who has one and I've seen it in action. It seems to work just fine, relying on ML APIs to constantly stream all your conversations, both video and audio, to record, recall, and summarize. The problems with the Pin are many, but much more importantly, the problem with the company was that they didn't find their direction fast enough. After burning through much cash, Humane came up with the Ai Pin, did a half-hearted effort to launch a product not many understood or were interested in, and didn't even bother with building their own AI models. It's actually smart to use off-the-shelf ML models and APIs to go to market fast, but neither does that give you a technology moat, nor does it give your users the confidence that you'll be around for long.

The Verge described the Ai Pin experience in just four short words -

"it just doesn’t work."

After the Ai Pin failed to even graze the sales predictions the company put out, the founders promptly put the company up for sale and expected $750 Million to $1 Billion for it. This was May 2024. Cut to today, and HP has picked up the company for a mere $116 Million. That's less money than what the company originally raised - $230 Million.

HP has ordered that the services behind the Ai Pin be shut down at the end of the month, which means all you'll be able to do with your $700 (+$24/mo subscription) "not a phone" device is... find out its battery level.

Benjamin Sandofsky wrote about the acquisition with the apt subheading -

"Why You Can't Build Apple with Venture Capital"

Venture Capital is very risk-averse, despite being supposedly the biggest risk takers. (After all, VCs lost a ton of money on this deal.) If your very first product fails to deliver bombastic results, and your sole funding source is VCs, you best bet your company will be sold for parts.

That's exactly what HP is doing - the company is going to integrate the ideas behind Humane (not the IP, not the device, not the non-existent ML models) into their printers, scanners, and other devices to become an "experiences-led company", whatever that means.

Somehow, the second news about HP is worse. The Register reports that HP is deliberately adding a mandatory 15-minute wait time to telephone support calls, regardless of whether their call center staff is available or not. The idea behind it is to stall users and force them to give up and try to look for solutions to their problems online.

Of course, the experience would be pretty much the same if call centers were overloaded with calls. But the brazenness with which they're going about it is impressive. In internal communication which I think HP would have hoped would never see the light of day, the company says this - "This involves inserting a message of high call volumes, to expect a delay in connecting to an agent and offering digital self-solve solutions as an alternative."

So what they're doing is very clear - they will absolutely lie to their customers that there is a high call volume, regardless of whether there is. They'll also play multiple messages at various intervals, reminding you to "go away and look for answers online", probably not in those exact words.

Of course, criticism for this decision has come from within and without. But is it going to stop the once-Silicon Valley leader from enshittifying their customer experience? Nah.

Turns out, the backlash worked and HP has reversed the decision. Worth it to remember that making noise about enshittification matters.

Cybersecurity

There are two strange and interesting stories going on this week in the cybersecurity space. The first is about how hijackers are exploiting cloud hosted LLMs, while passing the cost of operations to the owners of those cloud accounts. The second is about how Russian threat actors have found a novel attack by which Signal group invites can be modified to give access to your Signal account to hackers.

LLMjacking

In a new kind of attack that Sysdig is calling LLMjacking, hackers gain access to your cloud accounts and then use your hosted LLMs or your saved API access keys to run their ML workloads. This gives them the ability to use premium LLMs for essentially free, while passing on the costs of the operation to the victims.

This sort of attack is nothing new. Last year, in the EmeraldWhale attack (which also Sysdig found and named), hackers targeted cloud accounts and private git repositories. Then, in a move that's almost Bond-villain level, the hackers stored all the stolen data and files in the S3 bucket of a previous attack victim!

What's new and particularly insidious is that operating cloud-based LLMs is expensive! So if you're a large organization, your expectation is that your various teams are using the LLMs, while it's actually the attacker slipping in their LLM calls and abusing your infrastructure.

It makes sense to constantly vet your cloud infrastructure and check for misconfigurations. It also makes sense to use a framework of best practices, such as the AWS Well-Architected Framework, to ensure your cloud infra is secure and compliant. As I mentioned at the beginning of my newsletter, I've written an excellent writeup detailing how JFrog can help you achieve those cloud infra security goals. So yes, please, take a look at it when you get a chance!

Signal Threat

Google's Threat Intelligence Group has found a new and novel attack whereby Russian threat groups have found an weakness in Signal QR codes and group invite URLs. Signal uses QR codes to allow for group invites, device pairing, and security alerts. Group Invite links tend to use JavaScript to redirect to the group within the Signal app.

By modifying the JavaScript and the QR codes, threat actors can first direct the user to link their account to the hacker's device. Then it redirects to the actual group invite or other feature. This means that your account receives future messages on your own device as well as the hacker's device.

Google worked with Signal to fix this issue. Signal's apps now warn users when they are linking a new device and asks them to reconfirm this move. It furthers asks you for authentication to link a new device. There's a lot of good history about how this attack was discovered and what threat actors are relevant here on the link above.

Signal is used extensively by Journalists, security personnel, and persons of interest. To it's a high value target for threat actors around the world.

Linux Community Update

We talked in the $600 Billion issue of EveryOpsGuy about Linux losing developers and maintainers due to burnout and health issues. This trend continues, with the founder and lead developer of Asahi Linux resigning his post this week.

Hector Martin, aka marcan, started Asahi Linux after Apple moved from Intel silicon to their inhouse M1 chips for their Macbook series. The goal of Asahi is singular - to get Linux working on the M series chips. The difficulty level is massive, since Apple has built the M1 as a closed ecosystem and does not publish anything in terms of technical documentation.

This is also what killed dual booting Windows on Macs. While Microsoft does have Windows for ARM, and the M1 is based on ARM design, Apple has not worked with Microsoft (or with the Asahi Linux community) to allow other Operating Systems to work on any of their M* series chips.

Despite this, marcan and his team delivered on their promise, though it took a long, long time for them to do so. Some of the details of his struggles are in his letter of resignation. But his reason for moving away from the project (and it seems, much of the Linux community at large) is the rot and backstabbing in the community. There are many political issues and fiefdoms inside the Linux maintainers community, but the biggest bone of contention is around adopting the language Rust for Linux.

Rust is starting out in the Linux kernel, but Asahi makes very good use of it. Modern programming languages like Rust deal with issues like memory safety automatically, leaving developers to focus on broader applications. marcan mentions in his post how their GPU driver was successful only because of its extensive use of Rust.

Despite this, the Linux community has not been welcoming of Rust. While individual maintainers are reticent to adopt it, marcan also blames Linus Torvalds for dragging his feet and not being decisive. This has led to a majority of people shunning Rust. This is a problem because, according to marcan, any downstream Linux distro needs to be able to contribute upstream in order to survive long term. That's just how Linux has been set up as a project. Since they're not able to upstream their Rust code, Asahi as an organization has been struggling with frequent maintaince issues when pulling new code updates from upstream Linux.

All of this led marcan to burn out and get out. He says the Asahi project will continue on without him.

Days after marcan's resignation, Linus blasted a DMA maintainer in his typical email reply style. The maintainer, Christoph Hellwig, was objecting to someone else using Rust to query the DMA code that Hellwig maintains. Linus reminded him that he can either actively choose to learn Rust and contribute to it, or he has to ignore everyone else who is using Rust. He cannot object to someone's code simply because it interfaces with his.

This is like a developer of an API objecting to someone using python requests to talk to their API. What technology a consumer uses should be irrelevant to the developer, as long as they are compliant with the API's rules.

Change always makes people uncomfortable. This episode shows that even programmers, who are usually up to the challenge of picking up new technologies and hacking their way through, can get bogged down by change. This can adversely affect the Linux community and the Open Source community at large.

A little DeepSeek on the side

DeepSeek continues to enthrall and divide. Users love the R1 model. The industry, while quickly adopting the open source model, continues to suffer and hate on the company. But there's a lot more to the story, it seems. An analytics firm has claimed that the R1 model didn't cost a measly $6 Million. That was a marketing gimmick based on the last training run of the final model. Instead, their estimation is that R1 cost DeepSeek something to the tune of $1.6 Billion in training costs, and "a fleet of 50,000 Nvidia Hopper GPUs".

This goes against what DeepSeek has claimed, but also means that the industry shakeup that happened in its aftermath may start to recover. Everything from Data Center building companies, to nuclear energy, to of course Microsoft have suffered losses to their stocks because of DeepSeek's supposed superiority in LLM creation and Ops. These stocks should bounce back if it's proven that DeepSeek didn't seek the truth too deeply.

DeepSeek vs the World

The latest country to take action against DeepSeek is South Korea. The nation removed DeepSeek from app stores over concerns about its data collection practices. This doesn't affect users who have already downloaded the app and are using the service. The government is asking for the app's personal data protection practices to be fixed according to local laws.

Government agencies in the country have already blocked access to the service for their employees, citing privacy and security concerns. The world over, this is becoming a trend. As I said before, LLM companies are no different from social media companies and email providers, in that they're going to be expected to follow local data protection and privacy laws and will be shut down barring that compliance.

Now let's talk about Intel.

Intel's stock is at an all-time low, and takeover bids are in the offing. TSMC and Broadcom are interested in buying the once flourishing company. It's not like any other CPU processor is doing any better. In the face of the massive growth of Nvidia stock, money seems tight for anyone not in the GPUs for ML race.

But a fun little wrinkle in any takeover bid is AMD.

Intel built the original x86 architecture. At first, AMD licensed this architecture to build their own chips. Then AMD improved upon the 32 bit architecture to build the AMD64 processors. Intel cross-licensed this to build their own x64 chips.

So far so good.

But as part of the licensing agreement, the lawyers slipped in a clause that either company's takeover would have to be approved by the other, so that this licensing agreement would not flounder. This was supposed to be from the Goliath Intel so that if the David AMD ever gets bought out, Intel maintains the x64 licensing agreement.

Well, now the tables have turned and AMD might have a lot to say about any potential Intel takeover. All of this means that one of the best contenders to buy out Intel might actually just be AMD.

A merger of these two would cement their position and not adversely affect their licensing agreements. However, if they're looking for any kind of market dominance (and if any regulators are looking at this with any interest), then we need to remember that ARM is growing quite well. From Apple's M series chips (which I've mentioned above in the Asahi Linux story) to Qualcomm's Snapdragon processors powering Windows laptops, mobile phones, and Android tablets, we see ARM everywhere and it's here to stay.

Looking forward to what happens to Intel in the coming years.

Fin

That's all for now folks. This is the fourth installment of my newsletter. Every time I think about writing short and sweet pieces, focused on links. But there's so much backstory to tell in every story. If you like what you read here, do forward it to a friend or colleague who might get a kick out of reading these. Cheers!