Hacker News | ajross's comments

Exactly. This is a pipeline architecture, you don't buffer more than absolutely necessary. What matters is how much fuel is flowing, not what the storage fill size is.

Right now it seems like we've entered a detente where (1) Iran controls the strait and allows oil to flow with tolls and (2) the US lies about it and pretends (for domestic consumption) like it's interdicted all tolled commerce.


Jet fuel in particular is more complicated than that. At the moment, most of the shipping passing through the straits is coming to and from Iran. I believe only a few ships for other countries have transited, none of them tankers - the GCC countries are not willing yet to acknowledge Iran's control over the Straits, since doing so would be to admit that this war was a giant catastrophe.

Iran, for sanctions-related reasons, is unable to make international grade jet-fuel. Only the GCC countries can (in the Persian Gulf). And so not a single tanker of jet fuel has transited the Straits of Hormuz to Europe since this incredibly dumb war started. Iran does export raw crude to China, which refines it to international grade jet fuel, and China is getting some shipments from Iran, but China's raw crude imports have dropped, and they have responded by ending jet-fuel exports to the rest of Asia.

My understanding is that Europe can produce jet-fuel from the North Sea deposits, but they rely on imports because it is not sufficient for their consumption (My memory is that 'domestic production' was on the order of 60% of consumption). So as long as the Straits are blocked to GCC traffic there will be problems for European commercial aviation, getting worse over time.


Is there a cite for that explanation? That doesn't sound right to me. My understanding is that almost all Hormuz oil is crude, the refineries are elsewhere.

Which part? That GCC countries export refined Jet-A? Kuwait was responsible for 15% of seaborne jet fuel exports in 2025 (1), something like 10% of the world's total exports. In 2024, Bahrain exported 20 million barrels of jet-a (2). South Korea, #1 in the world, exported 90 million barrels in 2025 (3), so Bahrain isn't a dominant player, but it's still an important amount.

Obviously most of ROK's oil was crude imported to South Korea for re-export elsewhere, but the GCC has spent the last few decades trying to get up the value chain of petro-chemicals and capture more of the value themselves.

1: https://www.vortexa.com/insights/jet-fuel-margins-hit-record...

2: https://www.data.gov.bh/explore/dataset/petroleum-products-e... Note that Bahrain's data explorer doesn't cover 2025, just 2024.

3: https://koreajoongangdaily.joins.com/news/2026-04-07/busines...


Or, alternatively, don't. Stuff in a TPM isn't for "security" in the abstract, it's fundamentally for authentication. Organizations want to know that the device used for connection is the one they expect to be connecting. It's an extra layer on top of "Organizations want to know the employee account associated with the connection".

"Your SSH keys" aren't really part of that threat model. "You" know the device you're connecting from (or to, though generally it's the client that's the mobile/untrusted thing). It's... yours. Or under your control.

All the stuff in the article about how the TPM contents can't be extracted is true, but missing the point. Yes, you need your own (outer) credentials to extract access to the (inner) credentials, which is no more or less true than just using your own credentials in the first place via something boring like a passphrase. It's an extra layer of indirection without value if all the hardware is yours.

TPMs and secure enclaves only matter when there's a third party watching[1] who needs to know the transaction is legitimate.

[1] An employer, a bank, a cloud service provider, a mobile platform vendor, etc... This stuff has value! But not to you.


> TPM isn't for "security" in the abstract, it's fundamentally for authentication

What on earth do you think I make my users present keys for???

You know all those guides saying "you should never copy an ssh private key over the network. Make a new one for each device" that every idiot dev ignored? Now I can enforce that.


Yes, this would stop people from asking for my key when they choose the wrong one for a new AWS EC2 instance.

Not a chance. It is my key.


> TPM isn't for "security" in the abstract, it's fundamentally for authentication.

Which is what SSH keys are for?

The advantage of this approach is that malware can't just send off your private key file to its servers.


> The advantage of this approach is that malware can't just send off your private key file to its servers.

The use case is ssh keys! If malware can run an ssh command on the remote host, it doesn't need to steal your key, it can just install itself there. Or add its own keys to the access, etc... At best, you'd have to detect and fix that sort of thing with auditing and control, something that's isomorphic to the "third party" requirements I was mentioning.

To repeat the third time: this is all terrible threat model analysis. TPMs do not have value for individuals managing access between trusted devices. TPMs are for third-party validation.


TPMs can be useful to you as an individual if you're trying to protect against an evil maid attack. Although I think Linux isn't quite there yet with its support for it. The systemd folks are making progress though.

That only helps if you set a strong password as your TPM PIN. Otherwise it's hardware-bound with no access control, and just as susceptible to evil maid attacks as storing the keys directly in a file.

> evil maid attack

So does a pass phrase though, with significantly less complexity and fragility.

Again, the linked article and responses here are making IMHO a pretty bad mistake with threat model analysis.


I don't see how entering a passphrase into a compromised boot loader/kernel/initramfs is as safe as a measured boot with TPM providing the decryption key only if nothing seems to have been tampered with. Can you elaborate please?

I said this elsewhere in the thread, but to repeat here:

Can you explain why securing the ssh keys on a host that was fully compromised like that is anything but theater? Fine, you can't get the key out. You can just run the command directly.

Again, there are use cases where TPMs provide value to authenticate specific devices. But they are not and never have been about "keeping secrets". Your secrets are trash once the device is compromised.


Well I wasn't talking about ssh keys at all - that's where the misunderstanding comes from. I was simply trying to counter your claim that TPMs are never ever useful for individuals. They can be useful to individuals worried about having their boot tampered with.

I absolutely agree that they do zilch to protect your SSH keys. Hardware security keys that need physical confirmation of presence are much better for that use-case.


Dependency cooldowns are theater. They will do nothing. Supply chain hacks get caught when someone gets pwned, and all this does is push the deadline out.

You find attacks via cross-organization auditing, like you do in Linux distros, and this doesn't do that.


Counter-take: this was almost entirely wrong, and the author should be embarrassed looking back after 17 years.

I mean, it was 2009. How much of your personal data from then is still around on non-archival media you still control? Even among the geek set here, the answer is likely to be "almost none of it". At best it's "backed up" on media you haven't validated.

Or more likely, copied somewhere else to keep it secured. Like... Dropbox or Backblaze or S3 one of those, you guessed it, CLOUD services.

Likewise, do you still have your email from 2009 online in a useful form? Gmail users, many of them in this very thread, still do.


All of mine. Music, photos, copies of important documents, archived sets of email (and gmail) across different eras. My facebook archive export, IRC & IM logs stretching back to ~2000. A lot of it even on SSD, let alone HDD's, let alone "archival media". The spinning rust is mostly used for double- and triple-redundant copies of my music and photos, as well as the usual movie collection.

I'm not sure HN is the best place for such... technological anachronistic skepticism? A lot of us ARE going to be storing all that for shits and giggles.


Yeah I have all this data backed up on a couple different drives. IRC and ICQ logs going back to when I was a teenager. Digitised photos from when I was a kid through to the present day. Source code for projects I worked on from when I was 10. Rips of all the cds I used to own. And yes, email exports dating back to about 2003.

I wish I kept more, honestly. It’s a beautiful record.

I think my most treasured possession is videos of myself and my parents from when I was young. I’m thinking of sitting my sisters kids down in front of a camera for 15 minutes and getting them to talk about their life. It’s beautiful to rewatch this stuff decades later. It’s transporting.


> How much of your personal data from then is still around on non-archival media you still control? Even among the geek set here, the answer is likely to be "almost none of it".

As other commenters have stated, maybe this isn't the best place to ask.

I'm definitely in the "almost all of it" camp. I have Diablo II game saves on my desktop that are carried forward directly from my Windows 98 SE box circa 2002-2003. As well as Linux ISO's I acquired on Kazaa while still on dial-up internet.


Funny you bring up Gmail as a positive example when they reneged on their promise of unlimited storage 5 years ago.

Most of my media is backed up on my Unraid server, the most important stuff is backed up on an external drive and I also have some things that exist in the cloud, which I do not trust, which is why it's tiered as least important.


Is your Unraid free and unlimited then? Funny argument, indeed.

I'm amazed at the number of people jumping out here to insist that people don't use or value cloud storage because of the existence of one or thirty or whatever kludgey manual solutions. I mean, I know you can store stuff manually. I still have all that junk too! It's fun. But I don't recommend it to friends or coworkers or family or anyone else because... well, duh, as it were.

This forum's cherished (and, apparently, deeply insecure) geek cred notwithstanding, THE MARKET walked straight into the arms of the cloud, and has derived immense value from it. Grandmothers have terabyte archives of their progeny's development and will take it to the grave, without needing to puzzle out (sigh) an unraid install.


I'm grandfathered to get unlimited updates, though if they rugpull on that the drives are just formatted as XFS. It'd be a hassle to move to something like TrueNAS, but I could do it even if the OS stopped working. Even if Lime Technology completely disappear one day and make every Unraid USB stick self destruct, I'll still have physical access to the data.

Cloud services, like everything else in control of rent seeking companies, are getting worse. That was always the obvious, inevitable trap with all of this, with any system where you pay a subscription for remote access to a timeshare computer. Which isn't to say that it isn't useful, I even use it, but I don't rely on it.

You didn't frame your initial post around the market of grandmas, your rhetoric was targeted to those reading your post; "How much of your personal data", "do you still have your email".


> You didn't frame your initial post around the market of grandmas, your rhetoric was targeted to those reading your post; "How much of your personal data", "do you still have your email".

Uh... that's wildly and seemingly deliberately mischaracterizing what I wrote. Seriously? The very next sentence falsifies your interpretation, quite explicitly. Why would you cherry pick like that?


I have all my music from 2009, shuffled from drive to drive. It out-survived my subscriptions to on-demand music streaming services (I do Pandora for discovery but don’t like the feeling of building an Amazon streaming “library” that will actually vanish when I stop paying).

I think the drive that held my old home directory might have died, though.


Uhhh, me? My home directory has 20-30 years of documents, photos, emails, the email address itself, instant-messaging logs, etc. Even a downloaded zip of every comment I ever made on Reddit. (But not HN, I should look into that.)

The primary exception would be Google Photos pictures which were auto-uploaded from my phone that I haven't curated and downloaded yet.

I predict I will maintain my custom-domain email address much longer than if I had used Gmail, given the attrition rate of bannings without support.

> on non-archival media you still control [...] Or more likely, copied somewhere else to keep it secured.

Hold up, is this OR or XOR? It sounds like you're trying to add unreasonable (dis-)qualifiers. TFA isn't saying one must boycott "the cloud" and erase all data, it just advocates that you retain an independent copy.

> Dropbox or Backblaze or S3 one of those, you guessed it, CLOUD services.

I think that's conflating different use-cases.

* Having a regular offsite backup into S3 isn't that different from when the data was rsync'ed to a Linux machine I paid for an account on. Any cloud-ness is a remote implementation detail, not a change in the consumer relationship.

* In contrast, "all my photos are in the cloud and my friends and family can collaborate on shared albums" is different, it permanently moves the locus of control.


> * In contrast, "all my photos are in the cloud and my friends and family can collaborate on shared albums" is different, it permanently moves the locus of control.

No, it doesn't. You're fooling yourself. All the criticism of "cloud" providers is predicated on a presumption of bad faith on the part of the provider. Do the same to Amazon and Dropbox and you get the same risk. More actually, since you're not just storing photos but raw backups that might end up with chat logs or password or authentication tokens or whatever.

All you're saying is that you trust party A but not party B to give you the same service. Which is fine, your trust is yours to give. But it's not an indictment of the technology behind the service!


You're still arguing against a strawman. Please re-read this part of TFA:

> Don’t trust the Cloud to safekeep this stuff. Hell yeah, use the Cloud, blow whatever you want into the Cloud. The Internet’s a big copy machine, as they say. Blow copies into the Cloud. But please: (1) Don’t blow anything into the Cloud that you don’t have a personal copy of.

____________

Here's an analogy for how I feel things are going. Keep in mind the differences between: (1) a kind of product-offering, (2) the people offering it, and (3) an underlying set of technologies that could be in multiple products.

* Alt-TFA: "Fuck Asbestos - Everyone's selling asbestos pillows which are dangerous and being pushed by amoral sociopaths. Don't use them without a respirator."

* Alt-ajross: "All your criticism of asbestos is predicated on a presumption of bad faith by the providers. Stop being mean to asbestos. Asbestos can be useful."

* Alt-Terr_: "All asbestos pillows are still terrible no matter who's selling them."

____________

> All you're saying is that you trust party A but not party B to give you the same service.

No, applying logic I choose is a fundamentally different service than accepting data into logic they choose.


> You're still arguing against a strawman.

No, I was arguing with you, who posited that the difference between Dropbox and iCloud Photos was the "locus of control" and the "change in consumer relationship". That's not an argument about data reliability, it's an argument from trust. And it didn't make sense to me.


I still have hour long techno/house mixes that I downloaded from some dude who was trying to get into DJing in 2008/did house shows or something, because we played on the same garry's mod server. They don't exist anywhere else on the internet as far as I could possibly find. Searching his dj name doesn't bring up anything.

A UK trance artist called Deathboy left directory-traversal open on his website about 23 years ago. Since then I've had a lot of mp3's that he's never released or put on albums, which is sad because a lot of them are pretty great.

Similarly (also from ~2003), the (Australian) ABC's website held a lot of recorded breakfast radio show clips from when Adam & Wil hosted it, getting the awesome comedy band Tripod [0] to write songs in an hour. Many of these were released on their CD's, but nowhere near all of them.

Eventually that ABC server was shut down due to lack of government funds. There's a very good chance I'm the only one on the planet with these excellent songs & interviews from those shows.

[0] https://en.wikipedia.org/wiki/Tripod_(band)


Well have you uploaded them to archive.org?

All of mine, but I guess I'm an exception to the rule.

YouTube is actually the least engagement-driven/addiction-maxing social video provider, by far. Meta and TikTok are famous for discouraging external linking, limiting reach to non-targeted users, heavily moderating content to match engagement metrics, disguising advertisement as content, etc...

YouTube for the most part just serves what you post, does minimal content moderation, stuffs a dumb insurance ad on the front (of the long-form content) that looks like a dumb insurance ad, and then does it for everyone else. I mean, sure, they could do better. But really if the world of amateur video content was all YouTube it would be a better place.


Uh... do you have cash in a money market account? What do you think the "money market" is, exactly?

In the nicest way possible: no, absolutely not, that would way underperform just about everything.

Not over the last few months, obviously. But in general I've never known a serious trader who didn't maintain a cash balance at some non-trivial level, if only to maintain liquidity for low-latency bets.

But regardless, the point was that all the "cash" you see in your investment accounts (even if you, personally, don't carry any) is predominantly treasuries and other short term high-confidence debt. Everyone owns treasuries, it's only true that very few people "buy" treasury notes.


Money market is just chips on the table. The real investment is money in the pot.

No, my point was that not everyone has an investment account, period.

Well, your statement was that a "meaningful population of the target audience" did not "have any meaningful amount of treasuries in their portfolio". And that's wrong. Basically everyone holds treasuries. Some people don't. Most people do.

Look it up. Half of Americans don’t own stock or investment. By any definition that is considered a “meaningful population”.

It's 62%: https://news.gallup.com/poll/266807/percentage-americans-own...

At what point does that tip to "meaningful population" for you?


You're goalpost-moving to the converse of your point, though. You weren't claiming that there was merely a meaningful population who wouldn't benefit, you were stating that there was NO meaningful population that would. Go check. And again, that's wrong.

lmao, I love the irony of this "how much could one banana cost" reply

I repeat: almost everyone has some kind of money market instrument, the cash balance of which is stored primarily in US treasuries (along with other short term debt). Almost everyone benefits, to the extent they have that asset, by interest payments from the US government.

If you want to make a point about wealth distribution, then make a point about wealth distribution. This was a subthread about government finance policy.


> Similarly, I might be receiving Social Security or Medicare benefits.

The demographic here is likely to be benefitting most from the mortgage interest deduction and 401k contribution "deduction" (it's deducted before pay is reported, but mathematically it's the same thing), FWIW. Younger folks are probably still paying well under market rate on their guaranteed student loans, and older FAANG scions are very much helped by the very low long term capital gains rate too.


This seems mistaken to me. The core idea is that LLMs are commoditizing and that the UI (Siri in this case) is what users will stick with.

But... what's the argument that the bulk of "AI value" in the coming decade is going to be... Siri Queries?! That seems ridiculous on its face.

You don't code with Siri, you don't coordinate automated workforces with Siri, you don't use Siri to replace your customer service department, you don't use Siri to build your documentation collation system. You don't implement your auto-kill weaponry system in Siri. And Siri isn't going to be the face of SkyNet and the death of human society.

Siri is what you use to get your iPhone to do random stuff. And it's great. But ... the world is a whole lot bigger than that.


Bug bounties don't reflect the market impact of the vulnerability though, just the amount needed to incentivize white hats to do research they wouldn't otherwise (or that they would target to other platforms that pay higher bounties). You need to look at market prices for zero days on the black market to get closer.

Bug bounties reflect what companies are willing to pay to find bugs. Mythos would have to be more expensive than that (probably considerably so) to not be worth its cost. If you are saying that finding bugs has significantly more value than reflected by bug bounties, then that strengthens my point.

It's frustrating how genuinely effective Iran's management of the information war has been. This, the Lego things, the front-running of TACO moments. They understand the White House decision-making process better than the White House does[1].

And let's be clear: that's very bad. Iran is a bad actor. Iran does bad things and an empowered Iran is a disaster for the region. Yet Iran is able to keep goading Trump into making everything worse.

[1] Because obviously the WH doesn't have a clue what's in the president's head. He announced a blockade this morning, seemingly, literally because he read it in some pundit article.

