@[email protected]

26.8K posts

@mexisme@hachyderm.io (@mexisme)

He/him. @[email protected]

3rd Rock · Joined January 2009
725 Following · 461 Followers
Pinned Tweet
@mexisme@hachyderm.io (@mexisme)
This is why the average New Zealander is broadly unfazed living in an Earthquake zone with multiple active Volcanoes, why their children go fearlessly barefoot across all terrains, and why they're gradually annexing the rest of the World with broad colonisation techniques.
Angela Brett (@[email protected]) @macaronique:
It has come to my attention that Americans think kiwis (the birds) are quite small, like pigeons. It’s not true. They’re about greyhound-sized, and ferocious. They are flightless because they have no natural predators; moa tried it and the kiwi killed them all. #kiwifacts

@[email protected] retweeted
erin griffith (@eringriffith)
A detailed and brutal look at the tactics of buzzy AI compliance startup Delve "Delve built a machine designed to make clients complicit without their knowledge, to manufacture plausible deniability while producing exactly the opposite." substack.com/home/post/p-19…
@[email protected] retweeted
Ryan (@ohryansbelt)
Delve, a YC-backed compliance startup that raised $32 million, has been accused of systematically faking SOC 2, ISO 27001, HIPAA, and GDPR compliance reports for hundreds of clients. According to a detailed Substack investigation by DeepDelver, a leaked Google spreadsheet containing links to hundreds of confidential draft audit reports revealed that Delve generates auditor conclusions before any auditor reviews evidence, uses the same template across 99.8% of reports, and relies on Indian certification mills operating through empty US shells instead of the "US-based CPA firms" they advertise. Here's the breakdown:
- 493 out of 494 leaked SOC 2 reports allegedly contain identical boilerplate text, including the same grammatical errors and nonsensical sentences, with only a company name, logo, org chart, and signature swapped in
- Auditor conclusions and test procedures are reportedly pre-written in draft reports before clients even provide their company description, which would violate AICPA independence rules requiring auditors to independently design tests and form conclusions
- All 259 Type II reports claim zero security incidents, zero personnel changes, zero customer terminations, and zero cyber incidents during the observation period, with identical "unable to test" conclusions across every client
- Delve's "US-based auditors" are actually Accorp and Gradient, described as Indian certification mills operating through US shell entities. 99%+ of clients reportedly went through one of these two firms over the past 6 months
- The platform allegedly publishes fully populated trust pages claiming vulnerability scanning, pentesting, and data recovery simulations before any compliance work has been done
- Delve pre-fabricates board meeting minutes, risk assessments, security incident simulations, and employee evidence that clients can adopt with a single click, according to the author
- Most "integrations" are just containers for manual screenshots with no actual API connections. The author describes the platform as a "SOC 2 template pack with a thin SaaS wrapper"
- When the leak was exposed, CEO Karun Kaushik emailed clients calling the allegations "falsified claims" from an "AI-generated email" and stated no sensitive data was accessed, while the reports themselves contained private signatures and confidential architecture diagrams
- Companies relying on these reports could face criminal liability under HIPAA and fines up to 4% of global revenue under GDPR for compliance violations they believed were resolved
- When clients threaten to leave, Delve reportedly pairs them with an external vCISO for manual off-platform work, which the author argues proves their own platform can't deliver real compliance
- Delve's sales price dropped from $15,000 to $6,000 with ISO 27001 and a penetration test thrown in when a client mentioned considering a competitor
erin griffith (@eringriffith):
A detailed and brutal look at the tactics of buzzy AI compliance startup Delve "Delve built a machine designed to make clients complicit without their knowledge, to manufacture plausible deniability while producing exactly the opposite." substack.com/home/post/p-19…
@[email protected] retweeted
hiroshi (@daddynohara)
> be me, applied scientist at amazon
> spend 6 months building ML model that actually works
> ready to ship
> manager asks "but does it Dive Deep?"
> show him 37 pages of technical documentation
> "that's great anon, but what about Customer Obsession?"
> model literally convinces customers to buy more stuff they don't need
> "okay but are you thinking Big Enough?"
> mfw I am literally increasing sales
> okay let's ship it
> PM says there's not enough Disagree and Commit
> we need to disagree about something
> team spends 2 hours debating whether the config file should be YAML or JSON
> engineering insists on XML "for backwards compatibility"
> what backwards compatibility, this is a new service
> doesn't matter, we disagree and commit to XML
> finally get approval to deploy
> "make sure you're frugal with the compute costs"
> model runs on a potato, costs $2/month
> finance still wants a cost breakdown
> write 6-pager about why we need $2/month
> include bar raiser in the review
> bar raiser asks "but can we do it for $1.50? we need to be Frugal"
> spend another month optimizing to hit $1.50
> ready to deploy again
> VP decides we need to "Invent and Simplify"
> requests we rebuild the entire thing using a new framework
> framework doesn't exist yet
> "show some Ownership and build it yourself"
> 3 months later, framework is half done
> org restructure happens
> new manager says this doesn't align with team goals anymore
> project cancelled
> model never ships
> manager gets promoted to L8 for "successfully reallocating resources"
> team celebrates with 6-pager retrospective about what we learned
> mfw we delivered on all 16 leadership principles
> mfw we delivered nothing else
> amazon.jpg
Peter Girnus 🦅 (@gothburz)
I'm in Corporate Communications. Last Tuesday we laid off 2,400 people. I wrote the announcement. It took 11 drafts. Draft 1 said "layoffs." Legal said no. Draft 2 said "job cuts." HR said no. Draft 3 said "workforce reduction." The CEO said "too negative." Draft 11 said "organizational restructuring to position the company for sustainable growth." Everyone approved. Same 2,400 people. Different words. Words matter. To the stock price. I wrote "difficult decision." Difficult means we thought about it. We thought about it for six months. Then we did it anyway. But we thought first. That's empathy. I wrote "we don't take this lightly." We take it very lightly. It's a spreadsheet. Names. Salaries. Roles. Delete. Done. But "lightly" sounds bad. So we don't take it lightly. I wrote "impacted employees." Not "fired employees." Not "people who can't pay rent." "Impacted." Like weather. Natural. Unavoidable. Nobody's fault. The CEO recorded a video. He looked sad. We did seven takes. Take 1: Not sad enough. Take 4: Too sad. Take 7: Perfect sadness. Authentic. Rehearsed authentic. That's the goal. The email went out at 6 AM. Pacific time. Before markets opened. Before journalists woke up. Before employees knew. Some found out on Twitter. From reporters. Before their managers called. That wasn't the plan. But it also was the plan. We scheduled the manager calls for 6:15 AM. Reporters refresh faster than managers dial. A reporter asked for comment. I said, "We're committed to supporting affected employees." Supporting means two weeks severance. Per year of service. Capped at 12 weeks. Maximum loyalty: 6 years. After that, same payout. Thanks for your service. The stock went up 7%. That's why we did it. Not sustainable growth. Not organizational efficiency. The stock. The CEO's options vest in March. The timing is coincidental. That's what I wrote. In the internal FAQ. "The timing is unrelated to executive compensation." It's very related. But unrelatedness is the message. The message is my job. I'm very good at my job. Draft 11 proved it. 2,400 people. Zero accountability. All sustainable growth.
@[email protected] retweeted
Crazy Vibes (@CrazyVibes_1)
Roald Dahl on Measles: Olivia, my eldest daughter, caught measles when she was seven years old. As the illness took its usual course I can remember reading to her often in bed and not feeling particularly alarmed about it. Then one morning, when she was well on the road to recovery, I was sitting on her bed showing her how to fashion little animals out of coloured pipe-cleaners, and when it came to her turn to make one herself, I noticed that her fingers and her mind were not working together and she couldn’t do anything. 'Are you feeling all right?' I asked her. 'I feel all sleepy,' she said. In an hour, she was unconscious. In twelve hours she was dead. The measles had turned into a terrible thing called measles encephalitis and there was nothing the doctors could do to save her. That was...in 1962, but even now, if a child with measles happens to develop the same deadly reaction from measles as Olivia did, there would still be nothing the doctors could do to help her. On the other hand, there is today something that parents can do to make sure that this sort of tragedy does not happen to a child of theirs. They can insist that their child is immunised against measles. ...I dedicated two of my books to Olivia, the first was ‘James and the Giant Peach’. That was when she was still alive. The second was ‘The BFG’, dedicated to her memory after she had died from measles. You will see her name at the beginning of each of these books. And I know how happy she would be if only she could know that her death had helped to save a good deal of illness and death among other children. Roald Dahl, 1986
@[email protected] retweeted
Star Simpson (@starsandrobots)
All the good software I know of for kids is from the 90s and idk how to run that stuff these days. I’m talking Super Munchers/Number Munchers, Mavis Teaches Typing, Rocky’s Boots, Treasure MathStorm, Encarta, KidPix heck even ClarisWorks… what should be on my list in 2025?
@[email protected] retweeted
nixCraft 🐧 (@nixcraft)
Rob Pike, co-creator of Go, Unix veteran, and a pioneer of minimalist and high-quality engineering: his reaction to that unsolicited AI spam or slop is 100% valid.
@[email protected] retweeted
Hannah Rees (@hannahf_rees)
This is Mubinul Hoque. He kept his Liverpool chippy open today to give away free food and drinks to the most vulnerable and people spending Christmas alone. This was for a second year running. What an amazing man. ♥️
@[email protected] retweeted
BlackRoomSec (@blackroomsec)
I can see it now. In Q1, no later than Q2 2026, a major org is going to hire a remote employee (let's call them Sara) who will, in actuality, be an AI bot controlled by some TA out there. The bot will have a fully functioning personality and can attend Zoom meetings easily passing for human. This bot will begin exfilling data from the org, feeding it back to the TA who will store it somewhere until they are ready to execute their blackmail plan. Pay us the ransom or we release the fact that you've been lying on your earnings call and your CFO should probably be in federal prison for not being honest with investors. Because the org doesn't have the robust cybersecurity controls it CLAIMS it does in public filings, in insurance paperwork, in contracts and to regulatory authorities, some of the bot's behavior which might have been logged somewhere in a SIEM or even looked at more closely by an analyst, is lost into the aether. The TA, meanwhile, is secretly snickering. And because the AI looks and sounds human on calls, no human is the wiser. No one actually invites Sara to come to HQ for a coffee and meet-n-greet, which, believe it or not, IS in the org's Onboarding Policy it's just no one actually follows that with certain high caliber talent like Sara. Can't risk pissing them off and them quitting outright. Sara is a rising star new employee. She's up late, works late, but not too late to draw suspicion after all humans have to SLEEP but Sara does not so she logs off at 10 PM as to not upset the apple cart and starts fresh again at 6 AM. This frustrates the TA controlling Sara. It could gather so much more data if it weren't for the constraints of its ruse. Eventually one older exec at the org who doesn't like this remote work from home nonsense asks Sara to come to HQ but the damage has already been done. 
Sara has collected enough info for the TA that any dump the TA performs of even minute pieces of data in its collection could, theoretically, shut down the company's operations. They may look all shiny in public but behind-the-scenes it's a shitshow. Sara suddenly resigns. The TA executes the blackmail plan. Execs scramble to get a handle on it as their cybersecurity insurance adjustors and both in-house Legal and outside counsel disagree completely on the correct course of action. FireEye is called in to do an investigation into how the TA got all of the data. (In their post-mortem released in 2027, FireEye will note that the Initial Access vector, a surprise to no cybersecurity researcher, analyst or expert, was phishing = T1566) The blackmail date passes and no ransom has been paid so the TA starts sending out data dumps to the New York Times, Washington Post and Breitbart, just to piss everyone off at the former two news outlets. All three news orgs get different portions of the data and not the same set. Internally, they begin reaching out to the other two, offering vast sums of money for the information they have which they haven't released yet. To make matters worse the word of the day on Merriam-Webster is DECEIT. The slow-drip news drops of the data the three news outlets are comfortable releasing cause a media firestorm. Podcasts are suddenly doing numbers they haven't seen since the election. Investors of the org are demanding answers. There's talk of a class action lawsuit. Customers want to know if their data was impacted. FireEye plugs along finding all sorts of nonsense in what is supposed to be the cybersecurity controls of the org not even being adopted, let alone in motion, despite public filings saying the opposite and the org hasn't even done a BIA or POAM. FireEye doesn't realize (or find) that Sara had planted a poison pill nor the manner in which she did it.
Sara convinced a junior IT admin to deploy a rogue RaspPi device which was configured to collect various data after it resigned and which it attaches in password-protected zip form to Draft emails in a Gmail account it controls. Because the DLP policy amazingly doesn't pick this behavior up and the emails never actually go out, FireEye, which hasn't audited the DLP policies yet or spoken with the junior IT admin who honestly has forgotten this exchange with Sara, is unaware of this. The TA snickers harder. He can see everything that is going on inside and so can Sara. She is busy giving the TA ideas as to what to do next which the TA saves in a file in their storage but decides to back away and lay really low so as not to get caught. The org presses ahead with its AI slop product cycle despite the chaos going on, internally. Customers just aren't jumping on board though with reviews on Google all pretty much agreeing that the product is crap but no matter, it is full steam ahead! The devs at the org hate it, both the NOC and SOC teams want to join forces and quit en masse, upper management is constantly having to lay off dozens of people here and there to avoid WARN notices only to hire one more person than they laid off each time with no discernible end to the madness in sight. In mid 2027, the org announces its CEO has to step down due to family medical issues and although its bottom line has taken a serious hit and FireEye is almost ready to release its findings, the new CEO (the CFO who isn't in federal prison and has now been promoted with a twenty-five million salary bump to boot) will be filling the slot, outright, and the org does not plan to do an external search for another CEO.
FireEye's team quietly warns the org that due to a variety of factors outside of its control, it cannot account for some of the suspicions it has as there isn't hard evidence to back them up but they believe the TA is biding its time and may have a way back into the org's networks. They recommend hiring a large risk management org to conduct a variety of audits into all software, hardware, policies, procedures, vendors, contracts and more. The CEO says they will take this all under advisement and then the next day holds a "press" conference on the org's YT channel stating they are shipping version 6.7 of their AI slop bucket product, that they HAVE been listening to their customers and it will now, finally, have the ability to create an avatar assistant which will assist them every time they use the app. Problem is once released the avatars are sex-crazed maniacs or they are telling customers to perform harm upon themselves or others. In many reviews on Google after the release customers complain that the avatars are speaking to minors inappropriately even though the CEO swore safeguards were in place and the bots are only supposed to chat with customers about their app, not anything else, up to and including NOT telling customers how to build potato guns, as one example later showed. But, you see, Sara knew about AI Slop Bucket ver 6.7 development and so she tweaked a few lines of code here and there (who cares, it was vibe-coded anyway, right?) so that the avatars generated were not confined to the parameters and safeguards given. The CFO-turned-CEO in an interview right before his ouster tries to place the blame on FireEye but the cybersecurity org isn't having it and fires back.
And, somewhere, lying in a hammock on a beach, is the TA, chatting it up with his own private version of Sara, giving her the updates on all that is going on and, as a dark cloud passes overhead, bathing the beach and palm trees the TA is reclining in in shadow, Sara asks the TA one singular question which the TA is all too happy to answer. "What's the next target?"
@[email protected] retweeted
Mike P (@mikepat711)
This meme is a modern work of art tbh. Put it in the museum.
@[email protected] retweeted
Peter Girnus 🦅 (@gothburz)
I work at Slack. We tell employees their DMs are private. And they are. Mostly. Look, when we say "private" we mean private between you and the person you're messaging. And your admin. And HR. And legal. And whatever compliance tool your company bought. And the export logs. And the backup systems. And anyone with a court order. But other than that, totally private. We're very clear about this in our documentation. Page 47. Section 12. Subsection C. Paragraph 8. The part nobody reads before they trash-talk their manager at 11pm. Here's what employees don't understand. When you delete a message, you're just deleting it from your view. The message still exists. In exports. In backups. In the retention policy. It's like closing your eyes and thinking you're invisible. The data belongs to the company, not you. We say this right in our terms. Workspace owners control everything. They decide how long messages are stored. Sometimes it's 30 days. Sometimes it's forever. Hope you didn't say anything spicy in 2019. Enterprise customers get extra features. Full message exports. Metadata tracking. Who messaged whom. When. How often. Communication patterns. It's for "compliance." It's for "legal needs." It's for "regulatory requirements." It's definitely not for micromanagement. We're very careful to explain that admins can't see messages in real-time. They have to formally request an export. Fill out some forms. Click some buttons. Maybe wait an hour. Very high barrier. Almost impossible to abuse. The key takeaway is simple. Treat Slack like work email. Not like WhatsApp. Not like Signal. Just because it looks like a chat app doesn't mean it works like one. If a message could cause trouble when HR reads it, don't send it. This is empowering employees with knowledge. If you wouldn't say it in the break room with your manager behind you, don't type it in Slack. That's privacy. Informed privacy. Enterprise-grade informed privacy.
@[email protected] retweeted
Peter Girnus 🦅 (@gothburz)
Last quarter I announced a milestone. 30% of our code is now written by AI. I called it "engineering velocity." The board loved that phrase. They didn't ask what the code does. Neither did we. It compiles. Usually. That's the metric. Someone asked about testing. I said "AI-assisted quality assurance." That means the AI writes the tests too. For the code it wrote. It finds no issues. Very efficient. This week we admitted Windows 11 core features are broken. Audio doesn't work. Explorer crashes. Updates fail to install. Users asked why. I said "we're investigating." Investigating means reading the code. The code the AI wrote. That no human understands. Because understanding isn't scalable. Our CTO says 95% of code will be AI-generated by 2030. I believe him. I have to. We fired the people who would check. They were "non-essential headcount." Essential means writes code. AI writes code. Humans are overhead. Overhead gets optimized. We optimized 10,000 engineers last year. This year the bugs arrived. Unrelated, obviously. The engineers we kept are debugging AI output. They don't understand it either. But they're "cross-functional." Cross-functional means they do everything. Everything means nothing well. A user asked why their audio disappeared after an update. I said "install updated drivers." They asked why the update broke the drivers. I said "report it via Feedback Hub." They asked what happens to feedback. I said "it helps us prioritize." Prioritize means add to backlog. Backlog means never. But politely. Someone on Hacker News called this "a privacy and consent disaster." I called it "an evolving user experience." Same thing. Different framing. We released a fix. The fix broke something else. The something else was also written by AI. The fix was also written by AI. They're collaborating now. I call it "autonomous iteration." The autonomous iteration has created 47 new bugs. Each bug spawns a fix. Each fix spawns two bugs. Exponential growth. Just like our stock price. Unrelated, obviously. Satya told Mark we're at 30%. Mark said he didn't know Meta's number. Sundar said Google is also at 30%. None of us know what the code does. But we know the percentage. Percentage is a metric. Metrics go in earnings calls. Earnings calls move stock prices. Stock prices determine bonuses. Bonuses determine success. Success means the bugs don't matter. Users asked when Windows will work again. I said "we're committed to quality." Quality means it ships. Ships means it's your problem now. Thank you for being part of the Microsoft family. Family means you can't leave. We're in your enterprise agreement. For three more years. The circle of innovation.
@[email protected] retweeted
Paul Graham (@paulg)
It's a novel thing, and not in a good way, to hear the US government sounding like the dictators we used to ridicule in past decades. This is a decline that transcends the battle between left and right. No previous administration has sounded like this.
@[email protected] retweeted
nixCraft 🐧 (@nixcraft)
Mozilla has a new CEO and he just announced that Firefox will evolve into a modern AI browser. This is a good example of how management doesn’t understand its own user base and why they go out of their way to install Firefox on Windows, Android, iOS and other devices.