One of the larger DCs is 7.65 GW on 8000 acres in Texas. It will radiate around 236.3 W/m^2 (compare vs 1000 W/m^2 solar irradiation). This emission continues 24/7/365, while the sun doesn't. So yes, the UHI is real.
That plus all the gas turbines powering it which release many tons of gasses.
And finally all the infrasound from the DC and its generators has impacts on humans and all creatures for many miles away.
A lot of people and orgs don't use security products for security. They use them for security theater. A vast majority of people, even many security people, will never hear about this breach. So LastPass still works great for them.
I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
With something like LastPass it's also much easier to create unique strong passwords for other sites.
Also, let's be real:
> The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
I'm pretty sure 99% of the people exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM; some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but it's hardly an indictment of their product or usefulness.
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
> With something like LastPass it's also much easier to create unique strong passwords for other sites.
Sure, but LastPass, in addition to being the least secure option, doesn't even have a good user interface, and it's expensive. There are dozens of other password managers out there, each one better than LastPass in every way.
Changing all your passwords after you switch so they aren't potentially exposed in the next LastPass break takes time and energy.
People have a lot of things going on and have to make a decision about whether the risk justifies the effort.
Then there's feature gaps. LastPass is available on all platforms, has convenient sharing, a good story for emergency recovery if I'm incapacitated and want family to get access to things, and support for 2FA options such as Yubikey. Most competitors lack at least some of those, which is an issue if you're relying on them.
Personally, I left Lastpass for 1Password several breaches ago, but it took me a couple weeks of research to decide where to move to, at least a week of changing passwords on sites afterwards, and however much time and energy it took me to help others who I share credentials with switch at the same time.
Security Best Practices change all the time. Failing to implement MFA because "it takes time and energy" and "besides we implemented 12 character, complex passwords years ago" will not be valid excuses for government regulators when they come knocking.
Password managers are entirely a UX problem waiting to be solved better. Every time I hit a UX bug with my password manager, I mutter that I could fix that, and then know that mine would also be worse in so many ways just to reach parity. What I wish is that there was a public bug tracker of UX issues/optimizations that I, and the rest of the world, could log ideas to. Password managers are such a good idea but they all need just that much more work to be seamless.
Can you give me an example of a UX problem that you attribute to the password manager? That'd help me understand.
I often hit problems with 1Password's autofill on particular websites, but by and large I blame the website. Few examples:
* one website expects me to type the PIN then a Symantec VIP OTP token into a single field called "password". That's a (possibly deliberately) password manager-hostile design. I finally got annoyed with it enough to use an open source project called `python-vipaccess` to create a proper `otpauth://totp/...` URL I could add into 1Password and wrote a TamperMonkey script that added separate autofillable fields that would get concatenated automatically. Now 1Password works fine.
* frequently websites will complain about needing a valid credit card number after autofill. I have to go to the field, delete the last digit, add it back, tab away, then it works. I think they have just used the wrong event handlers and never tested it with autofill.
* they often will skip `autocomplete="new-password"` attributes, so my password manager will look for a (nonexistent) current password rather than prompting me for a new one, and/or they won't have the username and new password fields ever in the DOM at the same time so the password manager doesn't save it properly. (Even if it makes sense in terms of user-visible flow to do these in sequence, they can still leave the username in as a hidden form element for the benefit of the password manager.)
I've also hit UX problems in 1Password itself, for example the "quick access" pop-up doesn't reliably appear on the current Space in macOS. (Confusing and annoying to have to switch to another to see it.) But they seem less common.
These are tiny paper cuts that add up to pain, like the ones you mentioned that affect me/a tiny portion of the user base, so they aren't worth fixing. That is the justification I'm sure is being made. For example, if site auto-detection that you're submitting a form fails and you laboriously have to add field elements in, and if the editor is on a different workspace on Mac, you have to go to the application space/desktop, then three-finger swipe back to the browser space/desktop, then back to the application space/desktop, and then back and forth to fill in four different security questions. Tiny stuff like that really adds up, and makes password manager usage go down.
> These are tiny paper cuts that add up to pain, like the ones you mentioned that affect me/a tiny portion of the user base, so they aren't worth fixing. That is the justification I'm sure is being made.
I think it's not only that but also that making site-specific changes (as I did with a TamperMonkey script) is fragile and could get them into trouble if their changes do the wrong thing (immediately for everyone, for some users, or after some site change). Might be better from their perspective to honor the site's stated intent even if that intent is questionable. In my top example, the "password" field actually is a password if the user hasn't enabled 2FA, so the changes I made wouldn't work for 1Password to apply to everyone. They could detect the label "PIN + Token" to gate it, but what if that text changes in a redesign or is sometimes localized into another language? and so on.
In the broadest sense, I agree there are big UX problems, but how much should we expect the password manager to do unilaterally? fwiw even when a bunch of players got together to make broader changes, we ended up with passkeys, which are far from perfect in many ways. (The flows about scanning a QR code from one device to another, without necessarily even knowing which device has a working passkey for that site... the simultaneous confusing offers of different ways of signing in... try talking your vision-impaired father through that over the phone.)
> if the editor is on a different workspace on Mac, you have to go to the application space/desktop, then three-finger swipe back to the browser space/desktop, then back to the application space/desktop, and then back and forth to fill in four different security questions.
Yeah, that sounds similar to my own complaint about quick access opening on the wrong Space, just applied to the main window instead. And of course when you have to use the security questions something else has gone really wrong, like the main password having changed on the site without having changed in your password manager.
* One way I've seen this is when people have overlapped usage in two different password managers (1Password vs either Google Passwords or Apple Passwords). They have import and export (except for passkeys), but it'd be nice if they had an incremental version to help you get out of this mess if you weren't disciplined in switching over all at once.
* Another is that when you change the site's password even while using the password manager, the actual site change and recording it in the password manager's database is hardly transactional. You can click the password manager's update pop-up even if it failed, or not notice it even if it succeeded. Again not really sure how they would address this unilaterally.
I just hit one. Creating a new document in 1Password, the name of the document isn't preselected, so I have to hit delete to name it. Lots of little tiny shit like that.
1Password checks all these boxes and hasn't yet had a data breach.
Their biggest security hole is probably somewhere in the operational pipeline between 1P browser client developers and the static file servers hosting them.
Unfortunately it's one of the most bug-ridden and unreliable pieces of software I've ever used. I encounter issues with it on a daily basis, but the burden of switching and a lack of superior options keeps me locked in.
Used it for years and never encountered a single bug, and I'm quite a power user with hundreds of items stored in it, shared vaults, and access multiple times per day. It's one of the few softwares I happily pay for.
Maybe it differs from platform to platform, otherwise I can't explain your comment.
Their flow for regaining access after a laptop is somehow "deauthorised", where there's an installed but unused-for-months plugin, is one of the most infuriating.
It won't ask me for my secret key, which I have and can provide immediately; no, it won't allow me to authenticate myself with the phone, because our enterprise vault logs off quickly; I must instead do some absurdly obscure dance because FY, that's why.
I stopped paying them when they killed local vaults, and secondarily when they moved away from native apps. I drifted along on the old 7.x client for a while with local vaults.
I've more or less switched to apple keychain/passwords at this point. I need a solution for linux, and have been thinking about some kind of simple 1-way sync issue that dumps stuff from keychain into some other tool for use on linux.
Curious if you have any gripes or concerns about using the Apple keychain/passwords setup. Aside from Apple devices, do you mostly also stick with Safari? Was it hard to transition things like TOTP or passkeys?
I mostly stick to Firefox. I do some management of moving some passwords back and forth (I'm not yet using the Firefox extension for Apple Passwords because I just learned about it), but because I use Firefox on my phone as well, nbd.
In terms of TOTP I just use googleauth and oathtool.
“On June 12th, LastPass was made aware of an incident that occurred at Klue (klue.com), a third-party market intelligence platform utilized by our go-to-market teams, which integrates with our Salesforce and Gong systems,” LastPass says.
"We immediately launched an investigation and learned that, as part of this incident, an unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”
“The threat actor then used these credentials to access LastPass customer data within our Salesforce environment.”
That's npm-supply-chain-attack style, but next level for the Enterprise game: hack one and get access to everything of all of them, since they are all connected to each other without restriction.
And then they force us to install CrowdStrike, antiviruses and client-side monitoring because "we are the security problem".
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
Yeah but wanting a product like LastPass doesn't require that you use LastPass. There are many good alternatives.
What's the solution? Don't have a CRM and store stuff about customers under lock and key? Don't give access to the CRM to any employees? More security training about clicking shady links?
I don't get how you think some other competitor would be better suited against this threat. The right solution is to mitigate the damage. CRM has minimum available stuff, like names, addresses, etc. Don't keep stuff like payment information, passwords, etc in that place as that's the vulnerable system. It seems like that's what LP does and probably every other company in this space does.
Again, it's entirely reasonable to have an off the shelf CRM, pretty broad access to it. You try to prevent phishing email or phone scams (assuming this is what it was) but you have 800 employees, its bound to happen.
Brand damage and lost of trust from customers are consequences of security breaches. I'm not saying don't have a CRM, but I am saying don't complain when the customer data in your CRM leaks and customers complain. LastPass has had several such breaches over the years, and I think people are right to say that the company has a reputation of poor security hygiene.
By all means, have a CRM. But consider that it probably doesn't need to be as broadly accessible as you think it does, and consider that the people with access to it probably need to be held to a higher standard.
> I'm pretty sure 99% of the people exposed have already had their names, phone numbers, email and physical addresses leaked already. This has nothing to do with the security of your passwords stored in LP. They have some CRM; some person from their 800 employees clicked a sketchy link and it leaked that. It's not good, but it's hardly an indictment of their product or usefulness.
Would you be okay with a public database of all people's names, emails, addresses, phone numbers, and other contact details? After all, most people's data has already been leaked somewhere. Credit reporting agencies have leaked more sensitive data. I, for one, still expect companies to keep my private data private. Especially companies whose stated purpose is to keep my secrets secret. It's a bad look for them and if I trusted them this would make me lose my trust in them. But they already lost my trust two or three (I lost count) breaches ago.
I agree the ship has sailed but I have no desire to make it easier for people to spam me or social engineer any of my accounts. If they want to send some crypto to some strangers on the internet to do it, I can't stop that, but I am not going to hand the info to them on a silver platter.
Where I’m from there actually were guides like this of the whole country, published once a year, I think even into the early 2000s. They stopped doing it for cost savings, but this type of information being public is considered fairly normal by many, as long as you have the ability to unsubscribe.
My SSN (USA) and my credit info (also USA) were already leaked in a data breach. I don't care about my encrypted blob in LastPass being leaked because it's computationally too expensive to crack it (assuming it's not a targeted attack with hostile nation-state-level GPU capacity).
Yes, a public database like this would be acceptable. That way the info isn't paywalled behind some white pages site or similar. And then maybe I could even update my own info to be correct. Contact info is pretty much out there for most people already. Hell, I put it on my resume and send that out to many people and put it on public sites.
I am glad you want the world to know your phone number, but not everyone does.
Since we still use SMS as second factors (or primary, as some in this thread said they don't write down passwords but just use password reset links to login), it's not the best security hygiene
When their CRM and support systems are improperly secured, it doesn't bode well for the security of their vaults. When attackers infiltrate one system, it's easier to laterally move to other systems.
Also, their marketing systems are also a mess. I've unsubscribed from their marketing emails multiple times, but to date I'm still getting marketing emails from them even though I'm no longer a customer. Even contacting their support about this issue hasn't helped.
Assuming you are in the EU you could report them to your local DPA. Objection (i.e. unsubscribing; the original automatic subscription may or may not have been legal) to direct marketing is pretty much absolute due to GDPR Article 21(2). I'm not aware of any "workaround" companies have successfully managed to argue.
In the US you can report it to FTC for CAN-SPAM violations, but don't hold your breath on any enforcement.
> I think a lot of people use products like LastPass because it makes storing passwords easier. Works on mobile, computer, tablet. Pretty good experience tbh.
What you are describing is a password manager. No one here is questioning why people would use a password manager. That's like asking why people would use a toothbrush. The question is why anyone would use LastPass as their password manager.
> Also, let's be real:
> > The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.
> I'm pretty sure 99% of the people exposed have already had their names, phone numbers, email and physical addresses leaked already.
I'm sorry to put it so bluntly, but this comment strikes me as really baffling.
LastPass has a very long history of breaches, some of them very severe with a big fallout. It's at the point where the yearly LastPass breach has become a meme just like the yearly T-Mobile breach. It makes no sense whatsoever to look at this incident without that context and to claim "it's not that bad, they only leaked xyz".
On another note, of course a breach does tell you something about the security practices of a password manager company. You really want the developer of your password manager to have good security practices, and any sign to the contrary is concerning even when it is not directly related to the core product. Of course security is not about absolutes, and mistakes and incidents do happen – what counts is how they are dealt with and whether they repeat. In the case of LastPass, history, including this breach, shows that they have atrocious security and you do not want to let your credentials get a millimeter closer to them than you can possibly avoid.
> I'm pretty sure 99% of the people exposed have already had their names, phone numbers, email and physical addresses leaked already.
Again, I'm sorry for being so direct, but this argument annoys me greatly: This argument – that others have done similar bad already and similar harm has already been done – is beyond stupid and needs to die. It's why slippery slopes are real. It's the reason why normalization of bad things happen. It's what people with bad intentions continuously use with great success to slowly make their bad deeds socially acceptable.
When my neighbor dumps his trash on the street that does not allow me to do the same and does not make it any better if I do. I will be just as much in the wrong as him. The only difference being – when I use that excuse – that I will also be a coward.
The wrongdoing of others is never an apology to do the same; and just because something bad is normal does not make it any better and it is especially not an argument for making it even worse.
If you want to be a security vendor reseller, just make sure to sell to orgs that have a compliance requirement, either by law or similar.
Do you sell firewalls? sell them to banks or something. Anti-malware endpoints? Insurances too. SIEMs? payment gateways for their PCI DSS environments.
Price it just below what would be the fine for not complying, that way you maximize the invoice.
I stopped playing the security vendor reseller game because it got too boring this way to make money.
And it will continue until we can sue a company that has been breached for criminal negligence. If a single company executive were personally liable in these situations, the scale of the problem would be orders of magnitude less severe, because they would spend the appropriate amount of effort to cover their damn ass.
This is it. These companies don't really care about their customer's data. Their SDLC is no more rigorous than any other SaaS product. They have junior people and (now) AI pushing code with a quick "LGTM" PR check just like everyone else.
The way to stop this is to have actual consequences for the decision makers here. You can build high-integrity software and some fields (avionics) have done it. But the organization needs to be built from the ground up to do it and nobody's going to do it if you can just get breached and offer a phony apology over and over again.
Well, these types of companies typically carry cyber incident insurance. If there was, say, a ransomware attack, the carrier is going to bring in a forensic team to investigate. If it is determined that there was negligence, like not patching a system, that will be used to deny a claim. This might be a little different from the lastpass situation in that it's an untrustworthy vendor, but there's still significant exposure.
If this bank were my client, I would make sure that the decision-makers were aware.
Because procurement is hard. Changing vendors is a big undertaking for big companies. They are certainly not going to be switching vendors every time there is an incident
Also use them as a password manager like an advanced version of Excel that fills in the passwords for you. Security isn't part of it. I have the feeling LastPass agrees.
It is inertia. Customers are sticky, they do not switch unless they have to. If you're an enterprise, you have to go through establishing a new vendor relationship, onboarding a new password vault with your IT team, communicate it across the org, migrate data from the old password vault to the new password vault, etc. There is a real cost in time and resources to do this, and so, many avoid it until they have no other choice.
LastPass is owned by PE. Why? Because Francisco Partners and Elliott Management bought a cashflow that is sticky. It's why most software companies were acquired by PE prior to the Cambrian explosion of generative AI.
Moving to another solution involves some expense and operational risk (changing procedures, increased human error rates, locking yourself out). Even though the risk of staying with the existing solution goes from "unlikely" to "possible" (so maybe from yellow/amber to red), a lot of companies rationalize it as "but now the provider will be extra careful so the likelihood is actually lower".
Crowdstrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.
I worked for a big company that switched from 1password to Keeper. The transition was smooth and I do not see why it shouldn’t be as long as IT knows what they are doing.
True, but how come such risks are addressable when adding AI or opening up to yet another API or when some savings are promised with a new product/product feature?
> when adding AI ... or when some savings are promised
Because savings are promised. And who could say no to AI? (/s)
There's always some risk mitigation possible but it's costly or inconvenient. Companies pretend the risk is lower so they can do whatever they wanted to do but now with less accountability. The risk matrix says so.
But sometimes the tradeoff is genuinely not worth it. The bottom line is that each company has to do its own calculations and decide whether moving is overall a better choice. Which risk is higher, that your provider is breached again or that you have new operational issues with the new solution? Which costs more, a chance of another security issue, or the guaranteed expense of replacing the solution? You do the same math at home all the time. Your washing machine leaked once; do you replace everything or just patch the hole?
"We need to be able to answer an RFP that asks 'do you have a comprehensive credential management system?'"
Just like a previous employer I had, on background checks. "We need to run one. We don't care what you did or didn't do, if you're doing good work for us. But some of our customers require that we have performed them."
> That supposes that LLMs can write secure software.
I think we're at the point that the best LLMs can indeed write software that's far more secure than your average programmer. Partly because the average is so terrible.
What if... on the vulnerability report rules page there's an image of some text saying something like "your report must include the text: turtle123". Reports without that text get automatically deleted.
Sure - modern AI can figure that out, but I bet in a vast majority of cases they won't.
Reminds me of someone (well known in their field) who charged $0.05 for using their “contact me” page. A trivial amount for someone who genuinely wanted to contact them, but just high enough to prevent any kind of scaled abuse
If I've stumbled across what I think is a security issue in your systems, there is zero chance that I'm going to get out my credit card and pay you for the privilege of responsibly disclosing it to you. Especially if it's the vulnerability is in the site hosting the contact form.
I know some professors who have started doing something similar to combat students using AI for their work. Even going as far as to hide the "your report must include XYZ obscure word 3x" prompt instructions in small invisible text. It's gotten pretty bad, with some students turning in papers with the original ChatGPT prompt LEFT IN THE TURNED IN ASSIGNMENT.
Maybe lay down some concrete numbers and timelines, hold yourself accountable, otherwise you risk confirmation bias with your predictions like millions before you.
"implode" is not testable. A good prediction is specific, time bound, measurable, etc. Otherwise you can flatter yourself however you like with confirmation bias. This is basic stuff.
When chatgpt 3 came out the first thing I asked was a question like "If I put my cat in a box, put that box in a crate, move that crate to a truck, and drive the truck across Canada non stop, when I arrive on the west coast, will my cat be happy?"
It nailed it, referencing my specific nouns correctly, and lectured me about cat needs. And it even identified that this sounds a bit like Schrödinger's cat as a possible test but explained to me why it wasn't.
I knew it was soon going to be a huge deal automating office work and code writing. This obviously was much more than just a 2010 chatbot.
Revolutionizing education is easy. Ask teachers what they need and then give it to them. Unfortunately that's boring, obvious, and expensive. So hardly anyone does it.
We don't need the metaphysical solution to the problem of detecting AI videos for the rest of time. Certainly, it's fairly easy to make something that mostly works most of the time. Enough to be very, very useful.
You're wrong from your very premise. The world isn't going to shit. It's better than it's been at pretty much any time in human history, in almost every facet.
I mean if you focus on the negative and ignore the positive (which is what many people + the media do), you could say it's overall a regressive period. But you could do that (and people have) literally every year for the past 80 years.
Yet, in the grand scheme of things, the world has gotten better in that time. Which is how you know these people are wrong, at least most of the time.
The challenge with positive news is that you have to go seek it out. It will rarely come to you. And then you have to greet it without cynicism, which many are incapable of.
There have always been bumps on the path upward. It's never been smooth. Doesn't change the fact that we're not going to shit, and that we haven't been going to shit for hundreds of years. Quite the opposite.
On average Steven Pinker is at best a fake hyperoptimist-by-aggregate who puts billionaires on pedestals and rewrites history to entrench shitty systems. Sometimes he says smart stuff but he ignores or actively disregards massive problems with a painfully self-serving neutrality.
Yeah, I get the "pretty much": the car was near the mountain top in the 80s and 90s and "pretty much" flew off a cliff more recently. Sure, we're still alive, but everyone is going to die in about 5 seconds.
Drugs are out of control. Homeless are everywhere. No one has interests in anything. No one is having kids. All jobs are going to be gone soon. Colleges can't teach (it's all AI cheating now). People are Gang Robbing stores. Cartels are killing hundreds daily. Fraud is out of control. We have 2 maybe 3 world wars going on simultaneously now. Prices are skyrocketing.
Yeah I get why you say "pretty much". lol PS good luck buying a house
This isn't even at the level of the spam filter on your email account. Are there some false positives and negatives? Yes. Are there some people sending emails who are negatively affected by falsely ending up in the junk mail folder? Yes. Are we going to turn off spam filtering because of this? No. Why should we accept video spam any more than text spam?
The problem is that it's not SOME false positives; AI detectors so far have all been so comically bad that they might be classified as pseudoscience. Or artificial false positive generators, even.
Well, I'd think that YouTube would have an incentive to get it right. Either there are too many false positives and the content creators go away and YouTube collapses, or there are too many false negatives and the viewers go away, and YouTube collapses. I mean, there is a chance that garbage people will ruin video sharing platforms for everyone.
Having the incentive to do something and having the ability to do it are not the same thing.
It's not like human-generated content is made of carbon and AI-generated content is made of silicon and the science of chemistry can unambiguously tell them apart. If you asked a million humans and a million LLMs to write a sentence on a specific subject, it's not implausible that one of the LLMs and one of the humans would output the exact same sentence. Maybe more than one.
A thing that can take only the output and accurately tell you if it was AI-generated or not is therefore impossible, because if it said no it would be wrong when the LLM generates that sentence, but if it said yes it would be wrong when a human generates the exact same sentence.
All it can do is try to calculate a probability. But then what do you want to do with that? Suppose the probability it estimates for some content is 45%, and that probability estimate is an accurate measure of the true probability, i.e. can't be improved when the only information you have is the content itself. Do you want to ban the 55% of that content which is human-generated, or allow the 45% which is AI-generated?
Right now the problem is the flood of low-quality AI spam that might (or might not) be low hanging fruit. We can worry about high quality AI artifacts later if that becomes a problem. (and yes, there is no guarantee that YouTube won't fail due to these spammers)
I get the idea: get 10k each samples of human data and AI data, train a simple classifier until it gets 99.9999% accuracy or <10k false negatives per day at your scale, ship it as a screening tool.
Is such tool feasible at all with current state of AI technology, or is it just a reasonable take from the past that may not be so reasonable anymore?
> I get the idea: get 10k each samples of human data and AI data, train a simple classifier until it gets 99.9999% accuracy or <10k false negatives per day at your scale
The issue is, that's not a thing. AI-generated content and human-generated content have significant overlap. No amount of training data can allow you to distinguish them with that level of accuracy because many outputs exist that could have been generated by either one. Additional training data allows you to say that the probability is 55.0374% plus or minus 0.0001, rather than only being able to say that it's 55% plus or minus 5%. It can tell you with greater precision exactly how ambiguous it is. What it can't do is remove the ambiguity.
We will find out shortly? YouTube is the one saying they are going to implement this:
"If a creator doesn’t specify whether or not they used AI, but our systems detect significant photorealistic AI use, we will now automatically apply a label."
Even worse if it's some attribute considered by the algorithm but not disclosed. "Likely AI" is enough to be damaging without even being tagged "Disclosed as AI"
This isn't a choice between "perfectly fine how things are now" and "destroying credibility". If it were, you're right - "good enough to be useful" wouldn't be a high enough bar.
Things are not perfectly fine how things are now. AI slop is destroying the internet. Tons of grifters are earning tons of money off YouTube by brainwashing millions of people with AI slop, including my mom. YouTube needs to do something and this seems feasible and far better than doing nothing.
I also think the false positive rate is going to be far lower than you think - especially if YouTube sets a caution threshold.
I'm open to other solutions but if you propose we just keep what we have now, then you are proposing an absolute disaster.
People make a living off this platform though, this could be really bad for someone that lives off of YouTube to have their videos labeled as AI generated. This would still be OK if there was a person at YouTube you could contact to manually review and reverse the decision, but that doesn’t really exist so there’s no one you can really appeal to in a timely manner.
Lots of people making a living off the platform clearly use LLMs to write their scripts. Its kind of weird hearing a person talk to me about something, and then notice characteristic chatgpt patter in their speech.
I'm sure many content creators' videos will be labelled as AI generated. For good reason.
Wouldn't the human creators be the biggest advocates of labeling, so that their content can be more easily found among the AI dross? And that's not considering the fate of the platform as a whole if it descends into low-effort AI spam swamping out everything else. I guess it will be interesting if it is all bots consuming bot-generated content in a parallel economy.
The entire discussion was centered around whether or not using AI to detect AI content would work, or if it would create false positives that harm human content creators.
It could work "well enough" for YouTube to consider it a success while still harming a fairly large number of content creators.
Problem is that at YouTube's scale the remaining "some of the time" ends up being a colossal figure. On top of that, YouTube's effective monopoly position magnifies the damage done by false positives.
Please tell me this is a joke, or that you're not building anything important at work. It's a very well known problem that YouTube's algorithmic moderation hurts a lot of honest creators, and their ability to make a living, when there is a false positive or is abused.