cj's comments

Related thread from 2023 about the US Navy using Xbox 360 controllers instead of custom built hardware.

https://hackernews.hn/item?id=36408604


Xbox 360 controller: Good times! US Navy approved.

Madcatz controller: Bad times! OceanGate approved.


Having had the unfortunate experience of using MadCatz controllers, I would doubt the sanity of anyone that selected one

OceanGate was Logitech not MadCatz

I deeply regret the error; MadCatz would have failed long before.

Gad those things were crap.


They'd probably still be alive if they used MadCatz, because it would have failed long before they submerged.

This has been going on for at least 5 years. It pops up on HN every so often.

If your goal is to maximize your posture against cyber threats, spending your time on SOC 2 compliance with Vanta (or similar) is a waste of time if you consider the amount of time spent compared to security gained.

It's incredibly easy to get SOC 2 audited and still have terrible security.

> forces you to go through a very useful exercise of risk modeling

Have you actually done this in Vanta, though? You would have to go out of your way to do it in a manner that actually adds significant value to your security posture.

(I don't think SOC/ISO are a waste of time. We do it at our company, but for reasons that have nothing to do with security)


Probably the most useful aspect of SOC2 is that it gives the technical side of the business an easy excuse for spending time and money on security, which, in a startup environment, is not always easy otherwise (i.e. “we have to dedicate time to update our out of date dependencies, otherwise we’ll fail SOC2”).

If you do it well, a startup can go through SOC2 and use it as an opportunity to put together a reasonable cybersecurity practice. Though, yeah, one does not actually beget the other, you can also very easily get a soc2 report with minimal findings with a really bad cybersecurity practice.


That's exactly what I've done in the past. We had to be SOC 2 and PCI DSS compliant (high volume so couldn't be through SAQ). I wouldn't say the auditor helped much in improving our security posture but allowed me to justify some changes and improvements that did help a lot.

Wealthfront offers the ability to blacklist stocks in your account (the feature is meant for people legally prohibited from investing in certain tickers).

It won’t exclude from regular indexes, but it will exclude from the direct indexing. I’ve been using it to exclude NVDA ever since it peaked (or at least reached the peak valuation I’m comfortable with)

Wealthfront’s portfolio minimum used to be $100k, but I think they have a new direct indexing product with a $5k minimum.


For a company bringing a new technology from zero to mainstream, I think it's pretty normal that there will be a lot of failed attempts at productization.

The thing that isn't normal is the degree of experimentation relative to company valuation. Normally once a company reaches $700 B+ valuation, they've figured out their product and monetization strategy. ChatGPT is clearly still iterating heavily on that - not normal for a company that size.


And not normal for a company that has been at it this long.

The Apple II went on sale on June 10th, 1977. Visicalc went on sale October 17th, 1979- 860 days separate the two. ChatGPT was opened to the public on November 30th, 2022, which was 1219 days ago- almost 50% more time has elapsed than between the Apple II and Visicalc.


Without me trying to be snarky why do you feel spreadsheet software launching is comparable to this scenario?

Visicalc is often described as the killer app of the first generation Personal Computer(1). It was the product that drove them into every small business in the country, that blew up sales of personal computers and brought them out of the realm of hobbyists into enterprise. And, honestly, I think Visicalc and spreadsheets are still a greater benefit than what I've seen out of generative AI today. And that happened a lot faster than where we are today with generative AI. Apple had enormous actual profits by 1980 (Apple IPO'd in 1980 with a 21% operating margin). So I think that a lot of the "just got to give it more time" argument misses that the previous computer based revolutions that we know about productized and threw off gobs of cash a heck of a lot faster than this one has.

If the end result of this is "certain classes of white collar workers are 10-25% more productive" (which is the best results I can extrapolate from what I've seen so far) then it's really hard to imagine how OpenAI can return a profit to their investors.

1: https://en.wikipedia.org/wiki/VisiCalc#Killer_app is pretty much the normal narrative on Visicalc and its importance to the Personal Computer.


>If the end result of this is "certain classes of white collar workers are 10-25% more productive" (which is the best results I can extrapolate from what I've seen so far) then it's really hard to imagine how OpenAI can return a profit to their investors.

If we take this as face value, and say that the absolute best case scenario is there are literally no other uses for AI but helping programmers program faster, given 4.4 million software devs, with an average cost to the company of $200,000 (working off the US here, including benefits/levels/whatever should be close), those 4.4 million devs with 20% productivity would save roughly 176 billion dollars a year.

Some companies will cut jobs, some will expand features, but that's the gist. And it's hard not to see the magnitude of improvement that's come in just 3 years, though if that leads to a 'moat' is yet to be seen.


> If we take this as face value, and say that the absolute best case scenario is there are literally no other uses for AI but helping programmers program faster, given 4.4 million software devs, with an average cost to the company of $200,000 (working off the US here, including benefits/levels/whatever should be close), those 4.4 million devs with 20% productivity would save roughly 176 billion dollars a year.

I don't think that's necessarily out of line with struggling to return a profit to investors though: an individual company is only ever going to capture a tiny fraction of the productivity improvements it enables its customer base to make[1], its own cost base is unusually high for tech, and investors are seeking a 10x+ return on an $852B valuation for a company that isn't even the market leader in that segment (which isn't the only segment, but it's the optimum B2B one). You can have a great business with a great value proposition and a sustainable moat and still not generate the desired returns on investment at a $852B valuation.

[1] and that's productivity improvements over the best-known free models, not productivity improvements over reading StackOverflow


Thanks for the in depth explanation. I was definitely not up on my tech history here. :)

Sorry, I forgot that for many engineers this is, in fact, their first time going through a technology cycle like this, and so would need more explanation. I am too young for Visicalc myself, but the cycle that I saw while I was in high school- the dot-com bubble- doesn't have convenient, easy to mark out dates like the PC does.

Thinking... Thinking... Tim Berners-Lee proposing HTTP in 1989 is kinda like the original Attention is All You Need paper, I guess? Netscape 1.0 release in December 1994 is ChatGPT 1.0? And then Amazon.com opened up to the public in July 1995 and then IPO'd in May 1997 (after raising less than 10 million dollars in two funding rounds). But once again we have the business side of these previous cycles moving much faster than this one.


Yeah I started programming in 2006 as a kid and then entered professional work in 2016 I guess as still a kid depending on your perspective :P

This is really the first meteoric rise in tech I've seen / am experiencing first hand.


All I will say is make sure to enjoy your knees while they don't hurt, whippersnapper.

WOW. That does really drive home the perspective. I was an adolescent during those years and it did seem quick then, but that's an insane pace in retrospect.

Amazon is perhaps a counter-example to your point, though, to be fair. It seems to me they did a lot of spaghetti throwing while making accounting losses for a good number of years. Granted, they did it on OpenAI's dining budget.


"It seems to me they did a lot of spaghetti throwing while making accounting losses for a good number of years."

They actually didn't. They knew what they were doing. Bezos had a proper background in Finance, unlike Altman.


I took it the other way, spreadsheets shook up the world way more than AI has (to date) - it's possible that history will look back and count AI as the bigger "thing" but if I had to pick a killer app, VisiCalc and computer spreadsheets in general would beat ChatGPT.

Good link from the other day about spreadsheet impact on business https://davidoks.blog/p/how-the-spreadsheet-reshaped-america

Visicalc is widely regarded to be the first "killer app" for the Apple computer. Perhaps even the first "killer app" period.

VisiCalc was the killer app.

VisiCalc was "the" killer app for early micros, but being able to edit a written text on screen and then print it out with letter-like quality was nothing to sneeze at, either. This was plausibly a key gain in efficiency for the service sector, perhaps comparable to the 10%~25% that's now being talked about re: LLM's (which is huge on a secular basis).

Ah got it. I wasn’t drawing that connection. Thanks

IMO, the AI companies are trying to be both T-Mobile and Google Doc at the same time. Even Apple is struggling with being both the platform and the product. The issue with OpenAI is that the platform has no moat (other than money) and the product can be easily copied. In the game console world, the platforms have patents and trademarks, and games are not easily produced.

I'm a retired engineering manager so judge me appropriately :-) I've had 1000 good chats with ChatGPT on a wide range of topics. I build personal Excel and Access applications but not any real programming. I don't need workflow automation although I will dabble with Codex. I'm curious why I should abandon what works for Claude.

You shouldn't. No need to rush to buy a TI-84 to do simple arithmetic. I don't use either because I can learn just fine from docs and textbooks. And I don't have that many problems to solve with computing.

The Apple II was so simple (by today's standards) that it came with a complete printed circuit diagram. Visicalc was so simple it was written by two guys in a year.

AI is so many orders of magnitude more complex that the comparison is not really useful.


This complexity requires a lot of money- from investors- to sustain. If those investors don't see a return on their investment before they get too anxious, then no more money will be invested and the business is dead. So that would suggest that there will be even less patience from the money than the investors in Apple had. If you are correct that this greater complexity actually makes it harder to productize, then it is hard to see how frontier model generative AI will be viable under a VC funded domain.

It is entirely plausible to me that there are great technologies that are impossible to reach via the normal means of VC/investor financed capitalism. I certainly have encountered market failures requiring extremely patient money (usually in the form of government subsidies) to produce a useful product that eventually does have market value. That has worked many times in the past. But so far generative AI has not had that, and looking at my non-technology friends, I very much doubt that there would be much support among them for government subsidies of AI companies. AI companies have made too many people unhappy, served as too much of a punching bag, to be in a good position politically for that.


For most companies an $850B valuation means you figured out the business model. Here it seems to mean you convinced enough people that figuring it out is inevitable. Those are very different bets.

I'm curious how long it took Google to reach that valuation.

Which is a good thing. Elon has shown the world that the only thing that limits the upper bound is bureaucracy, extreme risk aversion and no culture for experimenting.

More and more companies will start operating on the correct reward/risk curve or else getting crushed by firms who do. OpenAI has forced Google, Apple, Meta out of their comfort zone because they know OpenAI will eat their lunch


Literally every part of this comment is confusing. Elon hasn't shown anyone anything interesting in at least a decade. OpenAI hasn't forced Apple to do anything - LLMs aren't impinging on hardware or bundled services, and this literally seems right up Google's alley (and they're arguably better at it than OpenAI has demonstrated, now that first-mover-ish is long past).

I suppose Meta's recent comfort zone was simply a stupid bet on VR, so sure, maybe one part of the comment isn't confusing.

I don't understand what you think you're seeing.


True, Elon has really been achieving win after win with Tesla and Twitter.

What's that old saying?

Be greedy when others are fearful, or something like that?


Do bear in mind the context of that Buffett quote is to not blindly chase market sentiment and the numbers, neither directly nor inversely; Berkshire Hathaway's got quite the pile of cash right now.

Never heard that one, but my off the cuff thought was "sounds like something a so-far-lucky gambling addict would say".

I have a feeling Warren Buffett would accept that label, with a chuckle and a smirk!

But I also think Buffett wouldn't characterize the current environment as particularly fearful. We haven't seen a whole lot of panic aside from a couple 1-2% daily swings, which is nothing.


I wouldn't say it's a fallacy. It's just an interesting way to look at the data.

I think more people need to be talking about the fact that the S&P 500 has extreme concentration risks that didn't exist 15+ years ago (and the Chart of the Day demonstrates that). We're in uncharted territories re: market cap concentration.


It becomes less interesting the more the “overweight” stocks correct.

The extreme concentration risk lessens as these 8 stocks fall in value compared to the rest.

I also don’t personally see the risk in the concentration. Risk of what? These companies are legitimately larger and doing more business than other firms.

Pick a median consumer. Which company are they sending more profit to than companies like Apple or Amazon?

10 years ago the average consumer maybe bought an iPhone from Apple every 3 years, so they gave Apple less than $100 of pure profit dollars per year.

Now that same consumer is giving Apple money for the iPhone, but also spending on services that they weren’t buying 10 years ago. If they’ve got an Apple One subscription they’re now sending Apple double or triple the profit they used to get.

These companies are big because they sell more things and are more diversified than they were in the past.

There’s no concentration risk. I’d actually argue that the concentration risk can be resolved overnight through antitrust regulation (e.g., force Apple and Amazon to split into multiple companies, as they already have obvious verticals that could stand alone).


The concentration risk relates to diversification in investing. Index funds are generally thought of as a way to diversify a portfolio. Cap weighted index funds are generally preferred because they are cheaper for the provider to maintain. Compare VOO with RSV for example. VOO is cap weighted. RSV is equal weighted - which means investors in RSV bear the cost of periodically readjusting all holdings so they are once again equally weighted - something not necessary with VOO.

I am not the only investor who has taken steps to offset the overly high concentration in the SP500 that raises the riskiness of an investment portfolio. I've done so by splitting my VOO holdings in half, split 50/50 VOO/VTV that strategically diminishes the impact of the high top 10 stocks in the SP500.


I certainly think it's a good thing to diversify investing, while recognizing that there is value in putting a lot of your bets into heavyweights that are very likely to do very well in the long term.

One of my main points here is that dumping a lot of money into one company isn't always something that represents lack of diversity in your investment dollars.

A company like Microsoft has its hands in so many business verticals that its stock by itself is a highly diverse asset.

I also think it's important to realize that massive companies like these have inherent advantages over smaller ones. A company like Framework literally cannot make a better laptop than Apple even if an angel investor dropped billions of dollars into their laps. Even if they pulled it off, it wouldn't come with a free trial for Apple's content subscriptions and other revenue-maximizing features, and the wholesale price they get from the factory can't match Apple's margins on the device until they convince a large enough mass of people to buy them.

That's the kind of stuff that big companies can do, and that's why they are worth putting more bets into than smaller ones.

Obviously, companies like Tesla and Nvidia are far bigger risks in the S&P 500, but they represent a small minority of those giants.


There is nothing wrong with your desire to 'dump[ing] a lot of money into one company'. That is easy to do without an index fund. And it is not the investing theory behind the creation of index funds and their investing purpose. When 8 companies dominate an index fund, that means the index is not performing the intended function for which it was created.

But the index fund is doing what it was designed for, which is to index on the companies based on their relative importance in the marketplace.

And that’s really my whole point. Someone who is buying an S&P Index fund wants to own more Apple than GoDaddy, because Apple represents much more economic activity than GoDaddy.


I have read John Bogle extensively. I believe he would disagree with you about the purpose behind why Bogle invented the index fund. Index funds are cap based primarily because that saves on costs (there is no need to rebalance the index). But the philosophical framework is diversification. When 10 companies make the other 490 irrelevant in producing the annual return of the index, the index itself is no longer serving the diversification purpose.

Nobody is going to deny enjoying the monetary gains produced by the index becoming concentrated. But it comes at the cost of the portfolio risk that diversification (i.e. absence of concentration) is intended to eliminate.


I totally get what you’re saying.

I’ll make an analogy to maybe help explain what I mean further:

I own a somewhat diverse set of 50 company stocks, at least for the purposes of this exercise.

Let’s say a bunch of those companies merge, now there’s only 20 companies.

No product lines have been discontinued. The companies make all the same things with the same client lists.

Did my investments become less diverse when these companies merged? Perhaps in some ways yes, in many other ways no.

Is my investment portfolio more diverse if I own one stock, Apple, or if I own three stocks, Time Warner, Paramount, and Comcast? All these companies make media content, but Apple is in more industry verticals overall in addition to being a media company (or at least, we can say they are for the purposes of this analogy). If the content industry collapses, Apple is fine, the rest not so much.


Size and success is not a diversification factor. Investment history is scattered with the bones of 'golden child' companies that never saw the death train coming at them through the tunnel. Intel. Nokia. Blockbuster. Yahoo.

Moreover, your examples are crossing over into active investing versus indexing. Indexing theory submits active investors cannot beat indexing over time (Buffett's purchasing/controlling whole companies notwithstanding).


I'm not talking about size and success, I'm talking about participation in a diverse array of industry verticals.

My example is not meant to specifically talk about active investing, I'm just picking out companies to discuss within a hypothetical index holding.

> Intel. Nokia. Blockbuster. Yahoo.

Interesting, 3/4 of these still exist and are doing reasonably well. If you bought their stocks 30 years ago you'd be up on your investment on all of them except for Blockbuster. Obviously, they're not top performers in that timespan (although Nokia ADR pays dividends like other telecoms so maybe it is a good investment in the right index).

You have inadvertently demonstrated some of my point here: companies that serve diverse verticals stick around for decades. For example, Nokia’s consumer business evaporated but their telecom business is still here. See also: BlackBerry.


I wonder what a solution could look like. Perhaps keep the market cap weighting, but cap the weighting at a max $500b (or some sliding scale to prevent the top X stocks from composing more than Y% of the portfolio)

That would certainly be a way to control escalating concentration but at the expense of keeping index fund costs low. The Vanguard Total Stock Index (VTI) has an expense ratio of 0.03 - almost zero. Low expenses is a critical factor behind why index funds outperform active investing. So, yes, your proposal would work, but the expense ratio would go up to implement the cap.

Edit: Okay, sounds like you guys are pissed to the point where it seems like the pro tip here is to stop using GitHub.

Pro tip: sign up for the business/enterprise version when reasonable in price.

I do this with Google Workspace. You can also do it with GitHub.

(Google doesn’t train on Workspace, Github doesn’t train on business customers, etc)


Pro tip: You could instead spend that money to spin up a forgejo instance for as little as $2 a month https://www.pikapods.com/apps#development (not affiliated, just a happy customer)

Please don't reward these companies with money.


I did exactly that. Containerized it and Forgejo simply became a small instance part of the fleet. UI is much snappier than GitHub. And more importantly: zero outages.

Or, alternatively, self-host a gitea instance!

No. Money-grab incoming. Use forgejo.

Huh? Care to elaborate how Gitea is an inevitable cashgrab? Sure, it's not strictly copyleft, but it is licensed with the MIT License, and that is also the most popular license on GitHub.

Probably don't reward extortion with money.

You don't have to use their free service if you don't like its terms. "Extortion" is a bit of an exaggeration here.

Yes, I know, it's dicey when people get used to a nice, friendly platform, and the platform gains lots of users, and then at some point (or several points), the terms start getting worse, and people feel misled and betrayed.

I get that. But this is a corporation. Hell, this is Microsoft. It's hilarious how many people think they've actually changed since their antitrust judgment in the 90s. I guess a lot of folks here are too young to remember it, even.

Companies exist to make money. If they are giving you something for free, they are either a) getting something else out of it already, or b) giving it to you for free now and looking for ways to get their own value out of it later. I don't mean that in some sort of cynical, "fuck the world" sense; that's just reality, and that's fine, for the most part.

If you don't like this, don't use free services provided by corporations. Host your own. Yes, I know it can cost money. Yes, I know it's more work. But that's life. TANSTAAFL.

I've had a VPS running for a couple decades on a small provider. These days it costs me a little under $200/year. Much cheaper options exist. I run a web server, gitea instance, matrix homeserver, and a slew of other things on it. It requires very little maintenance because I just run Debian stable on it, keep up with security updates, but otherwise leave it alone. It backs up the important stuff to S3 using duplicity, but -- knock on wood -- I've never had a catastrophic failure that required a restore in the ~20 years it's been running.


Ehhh sort of, I see what you're saying about it maybe not meeting the technical definition of extortion but I think you're missing the forest for the trees a little bit. The whole point is that when a company tries to force you to pay them through manipulative practices, you should not do that. That when companies manipulate you even if it makes economic sense to pay you shouldn't. That's fully compatible with not using the free service if you don't like the terms.

Obviously the root problem is the incentive structures created by a system that relies on scarcity to assign value to things being applied to things that effectively cost zero to duplicate. Obviously companies are not my friends, I self host everything, heck I even have a local copy of my VPS, it's on solar, I'M fine. I don't expect Github to do good things and make good choices, but that doesn't mean I can't be mad about it when they do things I don't like. Also I live in the real world and have to deal with society and there would be friction I create for myself when I try to exist in tech and refuse to use github, might be a worthwhile trade but it IS a trade.


An enterprise licence won't save you, Google, Microsoft, et al have happily been breaking copyright laws for years.

If the publishing industry can't win a case against the AI firms then you don't stand a chance when you finally find out they've been training on your private data the whole time.

They can tell you one thing and do the opposite and there's effectively nothing you can do about it. You'd be a fool to trust them.


At the risk of stating the obvious, I don't think it makes sense to reward them with money for trying to pull a bait-and-switch on this.

Github's enterprise version "starts at" $21.99/seat, and requires you to "contact sales".

And I don't see any mention that that exempts you from being trained on. (Yes, the blog says you're still covered, but at that price I'd like to see a contract saying that)


> Google doesn’t train on Workspace, Github doesn’t train on business customers, etc

...yet


This.

The belief of business users that this will remain true is grounded more in hope than in cold, dispassionate, business based decision making.

If it's not life or death, encrypt every byte of data you send to the cloud.

If it is life or death, you should probably not be letting that data traverse the open internet in any form.


Or, they don't train on it, but who's to say they're not harvesting analytics which may or may not include code samples, prompt data, etc. Which are then laundered through some sort of anonymization pipeline, to the point where they can argue that it no longer qualifies as your data, and can be freely trained upon.

Conspiratorial thinking? Sure. But if you've been around for a couple decades and seen the games these people play (and you aren't a complete sucker), then you'll at least be aware that there's a slight possibility that these companies can get things from their customers that they (the customers) did not knowingly agree to.


Nothing conspiratorial about it. Getting data that their users or customers don't actually intend to give is the bread and butter of these companies. And they will do what they can to get it.

It's not a pro tip if it only fucks you over slightly later. How's the weather in Stockholm?

Because they're taking testosterone?

Wouldn't they be barred based on using banned substances?


They're not all taking banned substances. Case in point, Hergie Bacyadan and Elis Lundholm competed in the last Summer and Winter Olympics respectively.

Both Hergie Bacyadan and Elis Lundholm have not undergone any hormone replacement therapy or surgery, and compete in the women's divisions. Their status as trans men has nothing to do with their eligibility to participate.

This would be like if two trans women, who have not undergone any hormone replacement therapy or surgery, would compete in men's divisions.


I dunno, I think there's a big difference between making digital modifications to software vs. making physical modifications to hardware.

The risk profile is very different and non-obvious to your average car owner.

It's the difference between trying to repair your leaky dishwasher vs. trying to repair the electrical panel in your basement.


Well both of those examples could potentially electrocute you or start a fire and both can be done by a homeowner if he feels like it.

I don't disagree that it's a bit different in certain ways but I feel like that's drifting off topic. It shouldn't be up to manufacturers to determine these things unilaterally but rather the legislature. Particularly any justification to the contrary rings hollow in this case because there's a very strong conflict of interest.

