Yes and that would be completely correct in many cases.

> Almost like there are aligned interests there rather than a purely adversarial relationship.

You might very well be the exception, but for something like 99% of marketing content that reaches me, our interests aren't aligned. First of all, they want to generate "needs" where there weren't any before and probably shouldn't be. A pizza ad produces the wish for unhealthy food. A fashion ad produces the wish for new clothes (even though I have enough) and probably even changes the societal dynamics of individual expression and personal style to be consumption oriented.

Second, even if I have a legitimate need for a solution, they still want me to buy their product, consume their media, give my attention to them. I, on the other hand, want to be informed by a neutral third party about the pros and cons of some product. Sure, you can say "but unhappy customers are bad for us", but there are actually very few niches where this signal is powerful enough to align incentives, because information and power asymmetry limit the customers' understanding of product quality and their leverage to correct harmful market dynamics.


All of their issues are self-inflicted. What benefit is there to their cloud backend except getting around the home NAT? If you want to build your IoT product privacy-friendly, your cloud offering can be reduced to a STUN/rendezvous server and a proxy server as fallback [1]. Ship your devices with individual tokens to rate limit the proxy, have the STUN/rendezvous/proxy server address configurable and publish their source code for users to not be dependent on your continuous operation.

You can even go so far as to have a public subdomain for each device (serialnumber.manufacturer.com) which you only operate as a dumb proxy so that even the TLS certificates are negotiated end-to-end between the IoT device and Let's Encrypt. (The devices connect to your backend via WireGuard and you rate limit with their device-individual key, whose public key you read out during the end-of-line production step.)

Hell, with today's browser heavy applications you can even run the whole slicer in the browser. Let the app be distributed via CDN so the code does not need to go through the proxy.

[1] In the case of non-battery operated and always or mostly on devices, like 3d printers at least.


Honestly, a lot of devices that use cloud apps for things could be improved both for the customer and manufacturer by using a "STUN/TURN" style proxy for the cloud service rather than forcing all data to go through a cloud service (to add to the other advantages, you don't need as many developers on the cloud side). But nobody in the engineering departments of these companies seems to be willing to touch WebRTC with a nine-foot pole lol


Do try to follow the advice of my sibling comments, but it's also okay to find out you are simply really bad at remembering names. I think I'm in the bottom 10% in that regard. The only way I can somewhat manage to remember the names of the people I would like to is to use Anki (spaced repetition) on a semi-daily basis. This comes down to what others would consider a crazy amount of work, but at least it is somewhat successful. It's frustrating for the long tail of people I might not meet again, but where it still would be really helpful to know their name. Where I really fail is situations that don't allow me to write down names shortly after they were used, which is often the case in introduction rounds. Trying to constantly repeat all names in my head means I'm missing out on the other stuff people say.


As you point out, in some cases it's better to just accept that you're not good with names if the effort of trying to deal with it is affecting your other interactions with people. A former neighbour of mine was so bad at names and faces that she wouldn't recognise you in the street and would walk right past you, making it seem like she was blanking you. Once I experienced that I realised that simply not being able to remember someone's name wasn't really such a killer; a lot of the time you can cover it up. Also, while you may feel bad about it, it's possible the other person has barely even noticed it, or if they have, will forget about it 30 seconds later.


A side aspect of this drama is the root feature which enabled this bug:

> ugh sorry this was a bug with the 3rd party harness detection and how we pull git status into the system prompt

Claude wants to exercise control of how I use the "inclusive volume" that I purchased with my monthly subscription. This harms competition (someone else could write a more efficient or safer coding agent) and is generally not in the best interest of society. Why do we allow this?

This specific case is interesting, because it is so clear cut. There is no cross financing via ads, they already have the infrastructure to measure usage and even the infrastructure to bill extra usage. I also don't see how you can plausibly make the argument that restricting usage to their blessed client is necessary for fair use or for the basic structure of their business model (this would be the standard argument for e.g. YouTube: Purposefully degrading the experience of their free client to not support background playback enables the subscription model).


This is the important point. You need the right to not be discriminated against when you withhold your consent, otherwise your consent is effectively meaningless, as it is forced on you by your impossible bargaining position. This is one of the central pillars of the GDPR without which it wouldn't work at all. Be advised to make asking customers for consent that doesn't directly benefit them illegal as well, lest you risk creating another wave of malicious cookie banners.


> You need the right to not be discriminated against when you withhold your consent, otherwise your consent is effectively meaningless, as it is forced on you by your impossible bargaining position.

Which is why the "we don't serve patrons without shoes and pants" policy is unconstitutional, yeah.

If you don't want to agree to a business's demands, you're welcome to not deal with them and look for an alternative. All the alternatives have the same (or even worse) demands? Unless you can prove collusion, that's just how the invisible hand of the market worked its magic out. Go petition your congressman to violate laissez-faire even more than it already is, I guess.


The trouble with this is that I, at least, am trying to live in a society. And society has both rights and responsibilities. Sometimes you are forced to do things, or don’t do things, contrary to your desires. Every freedom has two sides, you can’t ignore the fact that increasing some freedoms for one decreases other freedoms for others.

The shirt and shoes example is a great example in fact that illustrates the point. You don’t have unlimited freedom to not wear shoes, just like a business does not have unlimited freedom to impose whatever terms it likes, just because it put it in its ToS.


> You don’t have unlimited freedom to not wear shoes

Okay, I am gonna be 100% serious here: you absolutely should have such a freedom. Just as loitering or jaywalking being a crime is inherently totalitarian, what the hell.


In this case, unlimited means literally everywhere.

You do have the right to go barefoot in your own home. And in true public spaces.

But, a property owner can require shoes. Do I care if somebody is barefoot in the local grocer? No, not really. But, the proprietor might because they want to limit their liability (should something fall on your foot, a cart run it over, or a loose tack/nail somehow land in an aisle, etc).


Except there are companies with which you effectively must do business.

Microsoft (or Apple).

Any web host, payment processor, etc that's contracted to do work for your local government (I suppose you could try driving to the government office and pay by check, but then you need to give consent to Ford or Chevy).

Short of living like a hermit, there's no practical way to avoid all ridiculous T&C.


Yes please. Your shaming didn't work. Free markets' centre of gravity is biased towards capital and land owners. We need people power to balance it back. Something we poor people are all enjoying now (pssst, me and you are poor.... kings and barons are the few and rich)


I really need to start putting /s at the ends of my comments where I merely restate the currently adopted legal theory/framework in non-sugar-coated terms, don't I? The whole liberal movement has its roots in the merchants' and industrialists' desire to have as little interference as possible from the aristocracy-heavy governments of yore, and it really shows even to this day.


The argument is that deploying PQ-authentication mechanisms takes time. If the authenticity of some connections (firmware signatures, etc…) is critical to you and news comes out that "cheap" quantum attacks are going to materialize in six months, but you need at least twelve months to migrate, you are screwed.

There is also a difference between closed ecosystems and systems that are composed of components by many different vendors and suppliers. If you are Google, securing the connection between data centers on different continents requires only trivial coordination. If you are an industrial IoT operator, you require dozens of suppliers to flock around a shared solution. And for comparison, in the space of operational technology ("OT"), there are still operators that choose RSA for new setups, because that is what they know best. Change happens at a glacial pace there.


Super important: Don't replace traditional (elliptic curve) Diffie-Hellman with ML-KEM, but enhance it by using hybrid key exchanges. Done thusly, you need to break both the classical and post-quantum cryptography to launch an attack.

If you worry about a >=1% risk of quantum attacks being available soon, you should also worry about a >=1% risk of the relatively new ML-KEM being broken soon. The risk profile is pretty comparable. For both cases there are credible expert opinions that say the risk is incredibly overrated and credible expert opinions that say the risk is incredibly underrated.

Filippo has linked opinions that quantum attacks are right around the corner. People like Dan Bernstein (djb) are throwing all their weight to stress that anything but hybrids is irresponsible. I don't think there is anybody that says "hybrids are a bad idea", just people that want to make it easy to choose non-hybrid ML-KEM.
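An added example (not code from the thread) of the combiner the comment above describes: one session key derived from both the ML-KEM and the X25519 shared secret, in the concatenation order of the TLS X25519MLKEM768 draft (ML-KEM secret first). The two shared secrets are constructed stand-ins, since the Python standard library has neither X25519 nor ML-KEM, and the HKDF step with a transcript label is this demo's own key schedule rather than the TLS one; `attacker_recovers_key` models an attacker who has broken exactly one primitive.

```python
"""Hybrid key-exchange combiner in the style of TLS X25519MLKEM768 (demo).

Constructed example: SS_MLKEM and SS_X25519 are deterministic stand-ins
for a real ML-KEM-768 encapsulation and a real X25519 exchange. The
combiner concatenates them in the draft's order (ML-KEM, then X25519);
the HKDF step is this demo's own key schedule, not the TLS one.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; an empty salt means HashLen zero bytes."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_self_test() -> bool:
    """Known-answer test (RFC 5869, test case 1) to validate the KDF above."""
    ikm, salt, info = b"\x0b" * 22, bytes(range(13)), bytes(range(0xF0, 0xFA))
    okm = hkdf_expand(hkdf_extract(salt, ikm), info, 42)
    return okm.hex() == (
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )


def hybrid_session_key(ss_mlkem: bytes, ss_x25519: bytes, transcript: bytes) -> bytes:
    """Derive one session key that depends on BOTH shared secrets."""
    if len(ss_mlkem) != 32 or len(ss_x25519) != 32:
        raise ValueError("ML-KEM-768 and X25519 shared secrets are 32 bytes each")
    prk = hkdf_extract(b"", ss_mlkem + ss_x25519)  # draft order: PQ secret first
    return hkdf_expand(prk, b"hybrid-demo key|" + transcript, 32)


def pq_only_session_key(ss_mlkem: bytes, transcript: bytes) -> bytes:
    """Non-hybrid variant for comparison: the key depends on ML-KEM alone."""
    return hkdf_expand(hkdf_extract(b"", ss_mlkem), b"pq-only key|" + transcript, 32)


# Constructed stand-ins, deterministic so the demo is repeatable.
SS_MLKEM = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()
SS_X25519 = hashlib.sha256(b"constructed X25519 shared secret").digest()
TRANSCRIPT = b"client keyshare || server keyshare || ML-KEM ciphertext (constructed)"


def attacker_recovers_key(hybrid: bool, broken: str) -> bool:
    """Model an attacker who broke exactly one primitive ('mlkem' or 'x25519'):
    they know that primitive's shared secret and must guess the other one
    (modelled as all zeros). Returns True if their guess yields the real key."""
    known_mlkem = SS_MLKEM if broken == "mlkem" else bytes(32)
    known_x25519 = SS_X25519 if broken == "x25519" else bytes(32)
    if hybrid:
        real = hybrid_session_key(SS_MLKEM, SS_X25519, TRANSCRIPT)
        guess = hybrid_session_key(known_mlkem, known_x25519, TRANSCRIPT)
    else:
        real = pq_only_session_key(SS_MLKEM, TRANSCRIPT)
        guess = pq_only_session_key(known_mlkem, TRANSCRIPT)
    return hmac.compare_digest(real, guess)
```

With the hybrid, breaking either primitive alone leaves the attacker with the wrong key; with the PQ-only variant, breaking ML-KEM alone is enough.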


How do you mean the risk profile is comparable, when ECDH is nearly guaranteed to be broken in five years and Kyber is two decades old? The two have nothing to do with each other, the ECDH component of a hybrid becomes worthless before you next replace your smartphone, and bloating the protocol can only hurt adoption. Yes, djb keeps making the same crankish complaint without any evidence or reason, that doesn't mean you have to repeat it uncritically.


> when ECDH is nearly guaranteed to be broken in five years

Says who?

There's a big difference between “we can't be sure that ECDH stays secure for five more years” and “ECDH is nearly guaranteed to be broken”. There have been two major papers at the beginning of the year that advanced the state of the art enough to question the prior assumption about the slowness of QC progress. Now we know that rapid advances are possible and we must take that into account in risk assessment. But that doesn't mean that rapid advances are guaranteed. Things could stay stagnant for 15 more years at this point before the next breakthrough. And if that's the case, then ECDH could very well remain relevant for the remaining century.

We just cannot know if it happens, so we can't take the risk. But that doesn't mean that we are certain that the risk will materialize.


> How do you mean the risk profile is comparable

Exactly in the way the succeeding sentence defines: "For both cases there are credible expert opinions that say the risk is incredibly overrated and credible expert opinions that say the risk is incredibly underrated."

> when ECDH is nearly guaranteed to be broken in five years

Most of your argument (and that of many others pushing the contra-hybrid point) hinges on this. I don't think this position is justified. I believe there is significant risk for quantum attacks in the near term (and thus fully support the speedy adoption of hybrids), yes, but quite far away from certainty. Personally, I'd even say better than coin-flip is pushing it. I mean, look at what Scott Aaronson is writing on that matter:

"I also continue to profess ignorance of exactly how many years it will take to realize those principles in the lab, and of which hardware approach will get there first. […] This year [=2025] updated me in favor of taking more seriously the aggressive pronouncements—the “roadmaps”—of Google, Quantinuum, QuEra, PsiQuantum, and other companies about where they could be in 2028 or 2029." -- https://scottaaronson.blog/?p=9425

This is nothing like "nearly guaranteed" in five years.

> and Kyber is two decades old

But the implementations aren't and it's not been under heavy scrutiny for that long. One can very much make the point that we weren't that critical when elliptic curve cryptography entered the scene, but we do now have the luxury of having these heavily battle-tested primitives and implementations at our disposal, so why throw them out of the window so eagerly? Also an interesting comparison to elliptic curve cryptography is that it took until 2005 to get good key exchange primitives and until 2011 to get good signature primitives (Curve25519, now known as X25519, and Ed25519 respectively) and mainstream availability of those took waaaay longer.

Coming back to this again, for a second remark:

> when ECDH is nearly guaranteed to be broken in five years

Another important point is that all quantum attacks on ECDH will require inherently expensive equipment for the foreseeable future, see adgjlsfhk1's comment https://news.ycombinator.com/item?id=47665561 , whereas a stupid Kyber implementation error in a mainstream library can very likely end up being attackable by a Metasploit plugin. Our threat model should most definitely include nation state attackers prominently, but these are not at all the only attackers that we should focus on. There is still significant value in keeping out attackers that did not spend >100k$ on equipment.

> Yes, djb keeps making the same crankish complaint without any evidence or reason, that doesn't mean you have to repeat it uncritically.

I did not repeat it uncritically, I just happen to share his conclusion, even after months of following the pro and contra discussion. Also, how can you say he complains without reason? He has explained them at length, see https://cr.yp.to/2025/20250812-non-hybrid.pdf for example. Whether his methods of complaining are commendable or effective is another topic, though.


I would be interested in seeing you rattle off the "pros and cons" of this argument, just as a synchronization mechanism for the thread so we'd know if we're on the same page.


Off the top of my head?

Pro hybrid: Negligible performance impact (negligible for battery devices, negligible for data sent over the wire (number of packets -> sub-discussion about specific circumstances, time on the air for cellular), negligible for speed, negligible code size increase), little implementation effort as every library already has ECC in it, ML-KEM is too new (yes actually old, but far less research interest, implementations new), conservative design choice

Pro ML-KEM only / produce a TLS RFC for non-hybrid ML-KEM: Reduction in complexity, reduction of transitions (non-hybrid is going to be the final state, so let's skip ahead already), lattice crypto is actually an old branch of cryptography (discussion over different metrics), NSA says it's secure for government use, NSA stipulates use of non-hybrid and we want/need to be compatible, we want/need to have a well defined place to have a reference, if people are going to write an RFC to document non-hybrid ML-KEM let us at least have influence over what is written there, better performance (speed, data on the wire, number of packets in handshake, energy budget), actually the non-hybrid TLS connection is intended to be the inner one while the outer transport is secured with classic cryptography (or vice versa) so hybrids are a complete waste, for any interesting timeline ECC is broken anyway so it is a useless burden, we just want choice dammit, don't undermine the process dammit.

Pro hybrid only / don't produce a TLS RFC for non-hybrid ML-KEM: Let's not make it easy for people to choose wrongly by accident/incompetence/malice, actually no complexity reduction as implementations still need to implement hybrids to be compatible, TLS WG publishing something has weight and might sway others to consider non-hybrid ML-KEM, NSA might have pushed for non-hybrid ML-KEM because they believe only they can break it, don't care if US institutions are pushing for non-hybrid ML-KEM for weird internal political reasons, don't you see how this is all a ploy to weaken our crypto again?, don't undermine the process dammit.

Did I forget any important talking point? The TLS WG discussion is actually quite tiresome. For anybody new to the party, here is a random pointer for a current thread: https://mailarchive.ietf.org/arch/msg/tls/7OGS_X1e-zG8O0eRJP...


One more Pro hybrid only: reduction of transitions is doubtful since by the time PQC is clearly better, we're likely to have better PQC algorithms (and/or better attacks that force more conservative parameters). At a bare minimum, we aren't ready to move to pure PQC until we can go a couple years without continued improvements in lattice reduction algorithms.


This is like saying we should have halted all RSA deployments until improvements in sieving stopped happening. The lattice contestants were all designed assuming BKZ would continually improve. It's not 1994 anymore, asymmetric cryptography is not a huge novelty to the industry, nobody is doing the equivalent of RSA-512.


> This is like saying we should have halted all RSA deployments until improvements in sieving stopped happening.

Absolutely not. If people were advocating for ECC only, you would have a point. But this thread is about hybrids vs ML-KEM-only (for key exchange!). Everybody here wants to deploy the algorithm you're favoring and wants to deploy it now, just not without a safety net.


I don't understand. We didn't have hybrids for RSA while sieving improved.


RSA was the first. If ECC didn't exist, no one would be saying that we have to hybridize Kyber, but since it does, and the hybrid has ~0% overhead, it's very silly not to.


Yes, yes, true, but you've massively moved the goalpost. The original commenter was referring to people working at xAI right now. To continue your comparison, your argument would be like Oppenheimer claiming "How could I have ever known my work would be used as a weapon? I just wanted to make big explosions."

I don't know why this argument often pops up in these kinds of discussions. Approximately no one is judging people who have done their best effort to avoid doing harm. We are judging people who don't care in the first place.


Well if I moved it, consider this to be me putting it back where it was: people who continue to work on things which are concurrently being used in mostly harmful ways and have means to find a different job have no excuse.

As far as Oppenheimer is concerned, his argument is not that nukes are harmless, but that they are less harmful than Nazis, and much less harmful than Nazis with nukes.


Thanks, I can very much agree with that.

Re Oppenheimer: I know. My point was that he very much knew what his work was being used for, as should people working at xAI at the moment.


> on-demand can never compete with mass production even if a big part of the mass produced stuff is discarded.

This is definitely not universally true. E.g. photos are very cheaply printed on demand. Even on-demand books are printed at reasonable prices. Sure, mass production is cheaper (both for books and pictures), but the value difference of the individual product is high enough to bridge the price gap.

For clothing this area has found little exploration. TFA covers production at niche scale. If you would mass produce the looms to reduce the capital expense and heavily lean into customer value, e.g. individual fittings via 3d scans, as my sister comment proposes, or even just letting me customize my sweater with motif, color choice, garment etc., this could radically change the cost to value ratio. The company that has published TFA sells extremely bland apparel in a shop that looks just like any mass produced clothing shop and leaves all of the customer value of custom production on the table.

Last but not least: This "3d knitting" seems to need only a fraction of the labor of traditional sewn clothes. If textile production didn't default to underpaid labor under precarious working conditions in low income countries, it would probably already be cheaper.


> But what is the option? I feel each of us wants to draw a line based off of our morality but the circumstances don't allow us to stick to it (still gotta pay rent)

I was with you up to this point, but when you say "life is too hard to stay moral" I am thinking about how buying the wrong shampoo contributes to micro plastic in the ocean, or how buying fitting jeans that are not exploiting labor is an extremely time intensive endeavor, or how avocados may be vegan but are often produced unsustainably. Basically I thought you were making this point from The Good Place https://www.youtube.com/watch?v=Lci6P1-jMV8 .

But when you are working in IT, an industry that is generally still very well off, avoiding an employer that is actively making the world a worse place is a low bar to cross. It's just one decision every few years, which also is comparatively easy to research (you are probably doing it as your normal preparation for the job interview anyway) and the impact of that decision is enormous in comparison to most other decisions you make, so it's well worth it to ponder a bit.


I think moral purity tests for workplaces are a delicate and tough question even for software development.

Which workplaces would you feel are acceptable?

What about a bank? They invest or loan money to weapons manufacturers.

What about a renewable energy company? What if that company accepted investment with funds from Saudi Arabia / UAE / Qatar?

Etc.


Given the atomization and layering of work, this has become much harder to truly judge. Ten years ago I was excited to join a customer feedback platform - what could be better than helping companies understand their customers and provide better services and products? You can probably see where this is going, but inevitably the tools were just used to better tweak product profitability and eliminate end customer surplus, to the customer company’s benefit. And they were used by the likes of DraftKings et al along with the Starbucks and Nikes of the world. I hear people claim that, in capitalism, no one's hands are clean, and I am inclined to agree.

