polack commented on We do not think Anthropic should be designated as a supply chain risk   twitter.com/OpenAI/status... · Posted by u/golfer
polack · 15 days ago
Someone should add Sam’s face to the targeting training data as an Easter egg ;)
polack commented on Cloudflare CEO on the Italy fines   twitter.com/eastdakota/st... · Posted by u/sidcool
polack · 2 months ago
Surely this post must have the opposite effect of what he intended. Even if you side with Cloudflare on the core issue, this post is so cringy my butthole collapsed into itself.

Are Americans not embarrassed by the way these tech bros operate? As a European, it’s obvious that the US has gone from an ally to an enemy. I would feel like a traitor if I picked US tech these days.

polack commented on What to know about a recent Mixpanel security incident   openai.com/index/mixpanel... · Posted by u/meetpateltech
Hannah203 · 4 months ago
Good write-up. Incidents like this show how easy it is for data to leak through third-party tools, even with good internal policies. The more dependencies a product has, the harder it is to keep the full chain secure.
polack · 4 months ago
That’s why you should only export anonymous information to external parties. There is no valid reason for OpenAI to export my personal information like this.

I will report OpenAI to the data protection agency in my country and I encourage others to do the same. They cannot blame Mixpanel when they sprinkle others’ personal information around like this. NOT OK.

polack commented on Cloudflare outage on November 18, 2025 post mortem   blog.cloudflare.com/18-no... · Posted by u/eastdakota
raxxorraxor · 4 months ago
I don't think these are realistic requirements for any engineered system to be honest. Realistic is to have contingencies for such cases, which are simply errors.

But the case for Cloudflare here is complicated. Every engineer is very free to make a better system though.

polack · 4 months ago
What is not realistic? To do simple input validation on data that has the potential to break 20% of the internet? To not have a system in place to roll back to the latest known state when things crash?

Cloudflare builds a global-scale system, not an iPhone app. Please act like it.

polack commented on Cloudflare outage on November 18, 2025 post mortem   blog.cloudflare.com/18-no... · Posted by u/eastdakota
jve · 4 months ago
> I'm migrating my customers off Cloudflare.

Is that an overreaction?

Name me global, redundant systems that have not (yet) failed.

And if you used Cloudflare to protect against botnets and now go off Cloudflare... you are vulnerable and may experience more downtime if you cannot swallow the traffic.

I mean, no service has 100% uptime - just that some have more nines than others.

polack · 4 months ago
Yes, it's probably an overreaction.

But at the same time, what value do they add if they:

* Took down the customers’ sites due to their bug.

* Never protected against an attack that our infra could not have handled by itself.

* Don't think that they will be able to handle the "next big DDoS" attack.

It's just an extra layer of complexity for us. I'm sure there are attacks that they could help our customers with; that's why we're using them in the first place. But until the customers are hit with multiple DDoS attacks that we cannot handle ourselves, it's just not worth it.

polack commented on Cloudflare outage on November 18, 2025 post mortem   blog.cloudflare.com/18-no... · Posted by u/eastdakota
abalone · 4 months ago
I’ve led multiple incident responses at a FAANG, here’s my take. The fundamental problem here is not Rust or the coding error. The problem is:

1. Their bot management system is designed to push a configuration out to their entire network rapidly. This is necessary so they can rapidly respond to attacks, but it creates risk as compared to systems that roll out changes gradually.

2. Despite the elevated risk of system wide rapid config propagation, it took them 2 hours to identify the config as the proximate cause, and another hour to roll it back.

SOP for stuff breaking is you roll back to a known good state. If you roll out gradually and your canaries break, you have a clear signal to roll back. Here was a special case where they needed their system to rapidly propagate changes everywhere, which is a huge risk, but didn’t quite have the visibility and rapid rollback capability in place to match that risk.

While it’s certainly useful to examine the root cause in the code, you’re never going to have defect free code. Reliability isn’t just about avoiding bugs. It’s about understanding how to give yourself clear visibility into the relationship between changes and behavior and the rollback capability to quickly revert to a known good state.

Cloudflare has done an amazing job with availability for many years and their Rust code now powers 20% of internet traffic. Truly a great team.

polack · 4 months ago
They failed on so many levels here.

How can you write the proxy without handling the config containing more than the maximum features limit you set yourself?

How can the database export query not have a limit set if there is a hard limit on number of features?

Why do they do non-critical changes in production before testing in a stage environment?

Why did they think this was a cyberattack and only after two hours realize it was the config file?

Why are they that afraid of a botnet? Does not leave me confident that they will handle the next Aisuru attack.

I'm migrating my customers off Cloudflare. I don't think they can swallow the next botnet attacks, and everyone on Cloudflare goes down with the ship, so it will be safer to not be behind Cloudflare when it hits.


polack commented on Oncall shift should be Tuesday to Tuesday   arthur-johnston.com/tuesd... · Posted by u/RyeCombinator
polack · a year ago
We do Thursday to Thursday and then you get Friday off after completed on-call. Being on-call gives you no extra pay by itself, but if you get paged off hours and need to work you get paid 150 to 200% of your normal hourly wage depending on what time of day you need to work.

Best on-call I’ve had.

polack commented on Leaked OpenAI documents reveal aggressive tactics toward former employees   vox.com/future-perfect/35... · Posted by u/apengwin
tedivm · 2 years ago
If this really was a mistake, the easiest way to deal with it would be to release people from their non-disparagement agreements, which were only signed by leaving employees under the duress of losing their vested equity.

It's really easy to make people whole for this, so whether that happens or not is the difference between the apologies being real or just them backpedaling because employees got upset.

Edit: Looks like they're doing the right thing here:

> Altman’s initial statement was criticized for doing too little to make things right for former employees, but in an emailed statement, OpenAI told me that “we are identifying and reaching out to former employees who signed a standard exit agreement to make it clear that OpenAI has not and will not cancel their vested equity and releases them from nondisparagement obligations” — which goes much further toward fixing their mistake.

polack · 2 years ago
> ”we are identifying and reaching out to former employees who signed a standard exit agreement to make it clear that OpenAI has not and will not cancel their vested equity and releases them from nondisparagement obligations”

Looks like they’re doing that.

polack commented on Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App   eval.blog/research/micros... · Posted by u/skilled
jorge_leria · 2 years ago
The fact that we kept it in triage means that we believed there was something. Also the reporter gave a really good explanation.

By the time the report was originally sent, the feature was just released, and while we never deployed a code change to directly address it, it wouldn't be the first time that we received something that I believe was genuinely a security issue and stopped being reproducible due to a seemingly unrelated change around the same time.

polack · 2 years ago
It's a really simple vulnerability though. It comes off like you're not really on top of things when you can't reproduce or close it.
