Thursday, April 2, 2026

Determinative

Security is never free, but policy determines who pays for it.
Bruce Schneier, "US Bans All Foreign-Made Consumer Routers," Schneier on Security. Thursday, 2 April, 2026

This is one of those statements that takes what would otherwise be a lot of verbiage, and boils it down into something both succinct and informative. The bigger picture, of course, is that Mr. Schneier's statement is true of everything. Safety, health, education, sidewalks, love... all of them can be slotted into that sentence, and it would still be true. One might even update the old canard of "Freedom is never free" with those last seven words to get something more worth talking about.

And "policy" covers a lot of ground. Sure, law and regulation, but social norms and unspoken mores also count as policy, even if they are less stable; enforcement can be even more sure.

American society implements policy that does a lot of shifting of who pays for things. Sometimes, out of an apparent concern for the general welfare, but other times out of an apparent desire to hide the ball, and the true costs of things from those who eventually foot the bill. In the end, it's the lack of transparency of the system that causes the problems. Even without an intent to obscure things, the general opacity of the system means that the general public winds up supporting policies for which it will directly shoulder the costs, even when the intent is to have those costs borne elsewhere. And when anger boils over, and there is a hunt for the sources of people's misery, the search tends to focus in the wrong places.

It would be nice to be able to say that keeping Mr. Schneier's words in mind would help with understanding where the buck ultimately stops (or whose pockets it comes from), but the world is never that simple. Still, I'm pleased to have come across so articulate a distillation of the concept; I think that keeping it in my back pocket will help.

Monday, March 30, 2026

Promptly

With the understanding that I can't validate that this is even legitimate, this is another of those things that popped up on LinkedIn for people to have a good laugh at. It strikes me, however, mainly as weird. Sure, on the surface it's yet another "someone meant to have generative automation write something, and wound up sending the prompt, instead," but the prompt itself seems off to me.

"A warm but generic rejection email that sounds polite yet firm."

Don't companies have those? Who's actually expecting something other than a form letter? Why craft a new "generic" message for each rejected candidate? Isn't reusability the point of "generic?" This gives the vibe of using generative automation for its own sake: "We need to burn compute on a triviality to show that we're 'AI-forward'."

"Do not mention specific reasons for rejection."

I understand the rationale for this part of the prompt, but it still strikes me as risky. After all, there are likely non-specific reasons for rejecting a candidate that generative automation could come up with that would still be a problem, if they aren't related to the job at hand. This is something that it strikes me that one would want laid out beforehand, for just that reason.

"Make the candidate feel like they were strongly considered even if they weren't."

Considering that the automation likely wouldn't know one way or the other to what degree a candidate was considered, I can understand having it default to implying that everyone was strongly considered. But I'm not sure that it's a good idea to have LLMs tell people something that may not be true... Once it's considered legitimate to have generative automation mislead candidates, even to spare their feelings, I'm not sure how one keeps people from asking the LLMs to deceive other stakeholders. And I'm not sure it takes much imagination to see how that starts ending badly, especially if the automation starts telling outright untruths.

"Remember to use the candidate name and company name variables."

Why is the company name a variable? Does it change somewhere along the way? This gives me the impression that this is coming from a third-party recruiter, who works with a number of different clients. I suppose that a holding company could have a lot of smaller companies under its umbrella, and centralized HR for all of them, but given that the company name shows up in other parts of the e-mail, it doesn't seem necessary to call it out again. And again, why not use a form letter? There's nothing in the prompt that calls for any candidate-facing personalization from their résumé or cover letter. I'm not sure what just using their name is supposed to do.

Of course, the fact that a prompt was sent to a candidate who was supposed to receive a rejection message means that messages aren't being vetted prior to being sent. Which makes some sense... after all, generative automation is supposed to be able to handle all of this. But even the prompt screw-up aside, if the idea is to generate responses to candidates on the fly, it seems that it would be wise to have something that checks things before they go out, if only to make sure that something entirely random didn't find its way into the message.

The final thing that stood out to me was the redaction. I understand why the candidate wouldn't want their name out there, but blanking out the company speaks to a fear of retaliation that I'm not sure is healthy. It's not like there's something in this message that points to anything criminal, or even unethical... a prompt was screwed up along the way. If pointing that out publicly is the sort of thing that would lead an HR department to blacklist someone, maybe we as the public (and yes, I include myself in that) need to start having higher expectations of the businesses we give our money to.

Sunday, March 29, 2026

Motion

It's one thing to say: "The one constant in all of my dysfunctional relationships is me," but yet another to understand what that actually means for one's life.

Especially when one has, like I do, an internalized locus of control, because that means that looking back on those relationships, and why they're dysfunctional, leads to the self. And one of the other traits that tends to go along with an internal locus of control is a certain lack of self-forgiveness.

Being the agent of the dysfunctions of one's life means not being the person one wanted to be, or, perhaps more acutely, feels one should have been. And this is where I think that the internal locus of control can be a difficult thing to manage; it lends itself to judging the self by the immediate snapshot of one's life, and the comparison of that to a counterfactual, either created by others' lives or an idealized version of one's own. Neither of which are useful guides.

For me, personally (which is weird, given my general dislike of writing about myself), I've developed a tendency to accuse my past self of errors in judgment, even as I work to really internalize the idea that the choices I made, even when they didn't work out as I intended, were the best ones I could have made with the information that I had at the time. And maybe that's the stumbling block. I'm starting to think that it smuggles in an implicit criticism, even when my explicit goal is to avoid being self-critical.

And maybe that's because self-criticism is easy. It can be painful at times, but it doesn't really ask much of a person other than to take a look at some version of themselves and find them wanting. And it feels like a step on a path to change, even though there's no reason why the two are related. But self-acceptance doesn't mean accepting stasis, even if such a thing were possible. I'm starting to find that this is a more difficult lesson than it's given credit for.

Friday, March 27, 2026

Small Time

Iran-linked hackers breach FBI director's personal email, publish photos and documents

Is that all?

Okay, who cares? "We in ur e-mail, posting ur pics," doesn't really seem to move the needle in a shooting war. I would have thought that Iranian cyber-warfare would be more... warlike. If getting into Kash Patel's Gmail account is the best they can do, why are they bothering?

While President Trump's random boasting about Iran suing for peace comes across as complete fantasy, it's still been fairly clear that this is a one-sided war to this point, as Iran has no real way of defending its territory from U.S. air power. Accordingly, the United States can strike pretty much when and where it wishes. And, the legitimacy and necessity (and maybe the actual drivers) of this particular conflict aside, the Iranian military was unable to protect its Head of State, and has been shown to be unable to protect its own high-ranking members in the past. A simple hack of someone's e-mail account doesn't do anything to make the country seem more able to make a real fight of it.

Now, that could change if the United States puts soldiers on the ground in Iran. Taking and holding territory is always more difficult than launching in munitions from a distance. But it's not like this exfiltration of data from Director Patel's personal e-mail account shows that Iran is more capable in that regard than one may have first thought, either.

In the end, this sounds like empty boasting. I guess we'll see if it turns out to be more than that.

Wednesday, March 25, 2026

Altared State

But to me, the thing that I take out of that is that there are gamblers who, for whom sports betting is their religion, right. They equate their sports betting communities and behaviors to kind of religious, a religious experience. Like, it is part of; it is their community, their identity, it's who they are. And I think that's a social catastrophe in the making, right. Like, sports betting, whatever you think of it: maybe it's a vice that needs to be much more heavily regulated, maybe if you have a more Libertarian approach, it's a fun hobby that a few people will, you know, turn into a bad thing in their lives, but for most of them it's, you know, a source of enjoyment. Um, it should not be central to who you are. It should not be a religious experience. And if it is, I think that it's that much more dangerous as a phenomenon.

McKay Coppins. Plain English With Derek Thompson; "The Casino-ification of America"

As someone who isn't religious, and has little use for concepts of meaning, the immediate question that this raises for me is why one source of community and identity is necessarily better or worse than any others. After all, one could make the point that religion can be either a vice or something enjoyable that a few people will turn into a bad thing in their lives. What is it about sports gambling, in and of itself, that means that when people make it central to who they are, that it's more dangerous than religion, when people make that central to who they are? I've seen people neglect things they claim are important to them, like family, friends or career, in the service of becoming closer to their idea of the Divine. I've seen people give away their money until they were impoverished, tolerate remarkable levels of what would otherwise be considered abuse and even kill in the name of their faith. Why is that not dangerous?

It strikes me that anything can become important enough to a person that it becomes dangerous; that it becomes something that they, and some number of the people around them, would be much better off had it never entered that person's life. And it's the effects that it has on the person's life, not the thing in itself, that is the dangerous phenomenon. The person who is willing to trade their material well-being for community and identity has a problem, regardless of the specific thing that they've latched onto while seeking community and identity. Whether that's a connection to the Divine or an expensive hobby is beside the point.

Derek Thompson, the host of Plain English, is fond of saying that dystopias don't come from bad ideas, they come from good ideas taken too far. I believe he makes the point twice in just this one episode. Giving the things that are important to one a pass may be a good idea, but it's one that's easily taken too far. Because it prompts one to stop looking at the actual things that are being done, and the effects that they have, and instead to focus on what's doing it. It's prejudicial in the same way that judging a person guilty or innocent based on who they are, rather than what acts they have committed, is. And it doesn't take much for it to be just as corrosive.

So I don't see the rationale for why some things "should" be religious experiences and other things "should not." If a career can be central to who a person is, why can't a hobby be, as well? Now, to be sure, gambling on sporting events strikes me as much more likely to lead a person to places that they will find both highly unpleasant and extremely difficult to extricate themselves from, than something like, say, being a Certified Public Accountant. But that has little to do with one's ability to build one's community and identity around them.

But it's easier to decide that the downsides aren't worth the benefits for activities than it is to sort out who will, or will not, take something and go off the rails with it. And it's easier to see the downsides, and to decide that they outweigh the benefits, for things that the person doing the judging does not find to be important. For my part, I don't really care which altar someone worships at, if it brings them what they're seeking from it. And when it doesn't, when it demands more than it can give, all altars are equally dysfunctional.