nah he doesn't need the money. working as a director or VP at google gives you all the money you could possibly spend.
he's in it for ideological reasons
Posts by Liz Fong-Jones (方禮真)
More to come, but I just did a data analysis for someone who left substack for beehiiv some time ago and WOW, if your only motivation is money? Forget nazis, terfs, and pedos, just care about cash? You should get tf off substack now!
that's what they claim! they claim a third-party OAuth URL used by one of their AI tools was implicated.
so that's an act of piracy against a civilian vessel right?
literally letting robots compete while banning trans people
hah yup you said the same thing I did
experience is subjective, I guess!
it turns out I couldn't host it on lizthegrey.com because it would trip the "same domain, different subdomain" anti-phishing protection, sobbbbbbb. apparently it's fine to use a completely different domain or to put it directly on pds. but not to do a hybrid of same domain, different subdomain
well that wasn't that hard.
bsky-mcp.rustycutlass.org/mcp if anyone wants to give it a gander!
so I guess the view is things are MORE reliable if you previously didn't have access to a lot of the ecosystem/tooling, but are LESS reliable if you're used to tweaking things and Claude's vibe coded additions are less functional for you.
so I guess, the view is different depending upon whether you're a power user or (like me) a little bit more mass market. I don't and will probably never --dangerously-skip-permissions, and I've been appreciating Claude Code bringing in-house a lot of extensions I wouldn't/couldn't run before
yeah, sometimes, inexplicably, when a bash command fails it just stops instead of retrying or working around.
overall, --auto permissions is a net improvement to number of touches regardless, I find I have to poke it less than I did before even with it stalling out sometimes
(and also it would appear that perhaps it wasn't even a bait AI tool, but one that was legitimately compromised urgh)
update: can't find the OAuth client id on github, so it's a closed source commercial tool that very well might actually in turn have been breached!
probably leaks of internal documents relating to customers, support/contract records (per ShinyHunters' previous MO of leaking Salesforce instances & company documents). but probably nothing with ability to modify published source code, github tokens, etc. etc.
I admit I don't fully see how a leak of data that flowed through a Google Workspace account, even sensitive data scopes, can lead to supply chain attacks and compromise of GitHub / NextJS, etc., that's really overblowing it. given vercel's comms about specifically impacted customers guessing limited
claim is it was ShinyHunters? if so, yeah, they're in the same company as a lot of other very large & prominent businesses, I especially wouldn't hold it against Vercel, if you get big enough they'll come after you and they're pretty sophisticated. bsky.app/profile/anir...
This is the exact same threat the president was making when he was threatening to end Iranian civilization but nobody’s going to bat an eye at it because you can’t misread it as “he’s going to use nukes”
but I believe in being fair to people on the facts rather than letting my personal views cloud that
look there is a conspicuous [deleted] linkedin post of mine from a few months ago, I think my feelings are known about the company and its founder
the good news is Google almost assuredly knows who's behind this (or at least has a photo id of one of the stooges), because you literally cannot open public OAuth w/ workspace access without photo ID / putting down a credit card, submitting privacy policy, how you intend to use data etc.
obviously how far the attackers did or didn't get before being detected, that is a company specific issue, but the way they were initially popped? could have happened to almost any "AI-first" company that's deploying MCP servers at scale without solid controls of what MCPs are allowed
to their credit, it looks like Google already has deactivated the OAuth creds, I attempted to "add" the app to my workspace config to "block at domain level" but it wouldn't even let me get that far, shows as no such app now.
chances are those hundreds of other users are from other companies that also are breached, Vercel is just the one that was the juicy enough target that the attackers burned the open source AI tooling project on rather than continue to amass install base and hope for a bigger fish.
vercel getting popped is not necessarily a problem with vercel as a company, it's a statement about the ecosystem and the wild wild west approach to AI tool access that's been going on for months now. as they've published, a Google Workspace OAuth URL with hundreds of users is implicated.
always have appreciated the shit out of y'all <3
I fear it is all too real