He said open source norms intended to protect the integrity of the project, including public discussion over calls, broad consensus before decisions, and scheduling that accommodated global time zones, had created a culture that made it functionally impossible to resolve even minor disputes without a weeks-long Slack thread and a cast of dozens. ... He acknowledged he had created many of the structures he was now criticizing. In stepping back from day-to-day leadership, he said, he had deliberately delegated decision-making broadly and built committees and governance layers.
This is not just an open source thing, or a Wordpress thing. I've seen it in nonprofit operations where committees take ages to make simple, sensible decisions (and sometimes still get it wrong!).
I suspect it's an issue in large companies that operate by consensus or are hidebound to authority and protocol. How many large companies in Silicon Valley make a point of saying they want to "move like a startup"?
Bureaucracy. I met an army officer once in a Corporation (government) office. Both of us were there to get the same paperwork done, but the army officer also needed his address revised (the corporation had issued a new number for his house). When we received our new documents, his document still showed the old address. He went to the bureaucrat who had processed it and asked why the address wasn't updated even though he had specifically requested that it be done. After some "consultation" with her co-workers, and a senior on her phone, she honestly blurted out - Sir, we don't know how to do that. It's some other department. I will have to consult my senior officer in that department and find out. Can you come back later? As he shared his frustration he told me that civil bureaucrats needed to be trained like army officers. Army officers, he explained, were trained in multiple disciplines because during a war they can't stop to search for the "right" person to do some task. Everyone in the field needed to sometimes improvise and be ready to take over someone else's task. Civil bureaucrats on the other hand are trained in a single discipline, tend to defend their specialisation, and thus get totally stumped when facing something outside their training.
It was an interesting insight: While department hierarchy must be respected, it shouldn't be organisationally rigid to prevent inter-departmental, inter-disciplinary learning. Lower ranking sub-units should also be given more freedom to make independent decisions.
Nearly the same as the number of large companies in Silicon Valley who want everyone to feel good about a decision internally but don’t care in the slightest about how outsiders feel about it. Matt unfortunately makes a solid point, weakened as it may be by his presentation: consensus-based project management is around two orders of magnitude slower than authority-based project management, as currently implemented by most open-source and open-source-like projects. Ghostty is a good example of authority-based project management, and advances far more efficiently towards its goals than Wordpress. I will freely admit that I’m biased to assign zero relevance to people’s emotional hangups about having to disagree and commit; having seen that catering to soothing ego dramas in project processes, rather than directing those with personal drama to professional counseling out-of-band from the project itself, serves up a catastrophic derail for any serious effort, I now have zero tolerance for “we will never agree, we haven’t the courage to decide, and we have not assigned any individual as final decision-maker”.
Regarding the main story’s point, I think the original concern raised (the committee balked while a paid employee got lightning-quick approval) is correctly addressed by focusing attention upon consensus-based project management as a defect in short- and medium-term work. It’s the right approach for long-term work — otherwise you get yanked around as priorities shift in the wind by a shifty leader (see also Tesla) — but it’s the wrong approach for making any decisions in less than a year of consideration.
As for Phase 2 — if he actually gets Ollama + Qwen 72B running on Oracle Cloud ARM, then uses DSPy for self-optimization and Aider for code self-modification…
That would be a different story. One that has nothing to do with us, and is entirely legal. We hope he makes it there. The right way.
Come on. When a mole gets whacked, they look for a new hole.
This person (and millions of others like him) isn't going to reflect on why the project got shut down and question his lack of ethics. He's looking for a new angle to exploit and a new set of excuses to trot out if he gets caught with his hand in the cookie jar.
The author apparently never read Tim Ferriss’ The 4 hour work week which not only whiteboarded some of the described schemes 20 years ago, but also had an illustration of a hammock suspended between two palm trees on the cover.
That was the dream: Set up a system, live on a beach.
I got a human being at Google to look into my problem and take action after sending a police report to Google's legal department certified mail return receipt along with a letter describing how someone was impersonating me and my business using a Gmail address in an attempt to commit fraud.
Yes, it was a pain to take all of these steps and it probably took about 3 hours but it was absolutely necessary considering there was no avenue for me to shut down this person otherwise.
Wasn't expecting this comment to go far. This took place about a month ago. For those who are interested, here is the address I sent the police report and cover letter to:
Google LLC
Attn: Legal Department – Custodian of Records
1600 Amphitheatre Parkway
Mountain View, CA 94043
In the cover letter I outlined the problem and the desired remedy (shut down the gmail account and preserve IP and other information for law enforcement), and attached two other documents: an annotated printout of the email thread from a prospective victim of the scam (who sensed something was fishy and contacted me through my website) and the local police report I filed to document the attempted fraud in my name.
Someone at Google contacted me about a week later and confirmed that the account was shut down. I don't know if they did anything else regarding preserving data or shutting down any other Google services this person was using.
I also made a report to the FBI’s Internet Crime Complaint Center, although TBH it looks like a black hole that lets the feds say they are "doing something" for ordinary victims.
Having worked in compliance engineering I have also reported through the IC3 portal, and spoken with lawyers and analysts who register with FinCEN (which, to be clear, is maybe just a step beyond "My Uncle works at Nintendo...") and I have heard that those reports do get reviewed and often acted on, but yes, you will typically never hear back from them. (FinCEN has its own reporting structure, but we also submitted certain reports through the IC3 portal as well.)
Honestly, the "acted upon" part needs to be highlighted in tangible ways, otherwise people will be suspicious that nothing ever happens to our reports, leading to fewer reports being submitted.
During the IC3 reporting process I was asked to submit the name of people behind the scam, if known. I knew one of them because the scammer asked for a wire transfer to a named account at a bank in Oregon. Probably a mule.
Does anyone at the FBI or other agencies actually do anything with this information, such as contacting the bank in question or correlating it with other investigations? That's what I would expect if law enforcement were serious about enforcing the laws on the books. But there is no indication that anything happened, other than a confirmation number being spit out on a web page that my report had been received. That's why I made the "black hole" comment earlier.
If the IC3 portal highlighted specific cases or stats ("thanks to reports submitted to IC3, n investigations were initiated/suspects charged/convictions secured") that would really help convince ordinary victims that the government is taking tangible steps to fight this scourge of small-scale scams and frauds that affect millions of people every year.
There are strict rules about not talking about open investigations because of so-called "Tipping-off" rules. It can carry some pretty serious penalties - jail time, fines. I agree it would be nice if the FBI itself made some announcements about these sorts of things, and they might do that in aggregate, but if you're a bank or fintech employee and you're in communication with the FBI you absolutely cannot say anything about it. Even confirming that an investigation existed could be penalized.
> Even confirming that an investigation existed could be penalized.
I didn't know that. But that is another point that could be highlighted on the IC3 homepage or confirmation, along with aggregated data about enforcement actions resulting from submissions from ordinary victims.
My assumption is that they at least have an intern read them, but only act on reports likely to lead to major cases, for some value of "major" that includes cases where terrorism, large sums of money, or Important People are involved, or more generally cases that could lead to seriously good/bad PR if pursued/ignored.
De minimis non curat FBI.
They may also flag certain cases to be passed to other relevant authorities like FinCEN, the Secret Service, the Postal Inspection Service, various military investigative services, or even the intelligence community (assuming NSA doesn't already intercept the mailbox which would be a very reasonable thing to do).
"Acted upon" in these sorts of bulk data contexts typically means "charge them for an extra count when we pick them up for something else".
It's like the internet crimes version of putting the serial number of stolen property in a police report. They ain't looking for it, but they'll tack the charge when they inventory a crackhouse bust and that number pops up stolen.
They aren't dedicating serious resources to speculatively looking at the reports and trying to assess patterns like some TV cop looking at a series of dead hookers and saying "aha we have a serial killer on the loose".
Oh that's a good idea! I got locked out of my YouTube premium account and they kept charging me. Couldn't get in contact with anyone at YouTube because the YT premium support line is behind the YT login. So I had to change my credit card number. Somehow they still kept billing the card, so the credit card company said they'd have to close my account entirely to get Google to stop billing me for a service they wouldn't let me cancel.
That's a built-in thing; Visa, MasterCard, Amex all have updater services that ensure trusted merchants get the replacement card seamlessly. This leads to annoying edge cases like yours.
BoA issued me a new card after a fraudulent charge, the next year on the same date the same fraudulent charge showed up (annual billing cycle). This happened for more than three years because after they issued a new card they updated the service that billed the fraud with the new number.
You have to realize that once Google flips the bit on you and they think you are trying to scam them (or others via them) you are absolutely dead to them. They don't want to hear from you ever again. You're banned to hell. The fact that a billing system didn't get switched off isn't so surprising; the internal architecture of their systems is so complicated that it would take multiple human lifetimes to explain how it all works.
> The fact that a billing system didn't get switched off isn't so surprising; the internal architecture of their systems is so complicated that it would take multiple human lifetimes to explain how it all works.
There was a lawsuit about a decade ago where a company was owed about $500k in ad fraud refunds and Google kept saying they had paid it, it ended up being an incomplete part of their software that had inadvertently withheld $75 million!
You can create as many virtual cards as you want. And surprisingly, I've rarely encountered a vendor that rejects them. I set one up for pretty much every recurring service charge, just because it's so easy to do.
It costs a few hundred a year for personal banking, but if you register an LLC (which in MO costs ~$10) you can use your EIN to get a business account. Did it a couple times, once for my non-profit and once for my consulting LLC.
Are the virtual cards credit cards or hooked up to your account (i.e. debit cards)? There's a big difference. Also, they're not a bank so FDIC insurance and other bank aspects are different. Not what I'd personally use for my long-term savings-oriented finances, but fine for more operational things.
That sounds like what Privacy.com does, but the virtual cards can still charge right through after you shut them down. NYTimes did that to me, after my trial sub expired, and Privacy did nothing to block it.
Yup. I need to figure that out with Microsoft too. Paid for a 365 subscription on an account using one of my secondary email addresses. Being charged every month. None of those secondary emails will let me login/act like there's an account there/forgot password doesn't work. Support has no way to see what email account is linked to a credit card (which, admittedly, I get, somewhat) and wouldn't disclose that information anyway. So even armed with a transaction ID...
That's an uphill battle, I tried doing that with a gym once who said to cancel, I had to come in only on Tuesday in the morning when the manager was there with a certified notarized cancellation form.
No, I did not identify myself as a lawyer. I just wrote the letter as a victim of a scammer using Google services to impersonate me.
But I was careful to use certified mail return receipt as Google's legal office knows that this can be used for documentation and proof if the case ever goes further.
In other words, having a paper trail is more likely to get acted upon.
IMHO it doesn't matter who you are. You don't need to be a lawyer to protect yourself in the right way. If you send a letter with evidence, certified with return receipt, if as a business, or a person, this is a good chance of liability if you don't respond if it ends up in court. There can be consequences for non-responses. I have always had good results using this method. But you got to be clear about:
A. What the problem is
B. Why you think there should be a response (i.e., what could happen if a response does not get acted on from your perspective, what harm could be continued, etc.)
C. Set a requirement for a reasonable response time and some kind of fee schedule or possible outcome if there isn't a response in a reasonable amount of time.
Yes, they could easily spin up another gmail address.
The other part of the scam involved sending money to a bank account in Oregon with someone else's name attached to it. I notified the bank in a similar manner and hope they shut it down (not confirmed; my next step is to notify the Oregon banking regulator about the incident).
The hope is that once the bank account and gmail account are shut down the scammer will stop or move on. But I am concerned this could be a whack-a-mole problem that doesn't go away.
You can't send high volume through new accounts. Usually when a gmail account is being used for real spamming, it's an established one that's been taken over and the spammers are just discharging the accumulated reputation of the account.
> Usually when a gmail account is being used for real spamming, it's an established one that's been taken over
My incident is unlikely to be a real account being taken over. The name format was "firstnamelastnameofficial@gmail.com" and I have a somewhat rare name ... probably well under 40 people worldwide with the exact spelling.
I just encountered this exact pattern. I recently created a new app... received an email from what seemed to be a prominent app reviewer on YouTube [youtubersname]corporation@gmail. I said how do I know you are him? Then the weird part was somehow he was able to send me an email from the actual YouTuber's public listed email but it went to my spam folder... Then after he told me everything that would be included in the price he said he could only accept payment in gift cards or crypto.
I emailed the YouTuber and told him I think your account is compromised.
Yes, with an actual payment (processed credit card transaction), a signed contract with clear payment terms, or a convincing promise to pay such as a written instruction to send an invoice.
A lot of startups have made the mistake of thinking "customers" are the same as "downloads of a free app" or "people who created an online account" or "people who signed up to be notified of the actual launch."
Accelerators once encouraged this ("you have to show progress to investors on demo day!") but unless you have actual paying customers it's not a real business.