Hacker News

We should welcome more precise law enforcement. Imperfect enforcement is too easy for law enforcement officers to turn into selective enforcement. By choosing who to go after, law enforcement gets the unearned power to change the law however they want, enforcing unwritten rules of their choosing. Having law enforcement make the laws is bad.

The big caveat, though, is that when enforcement becomes more accurate, the rules and penalties need to change. As you point out, a rigidly enforced law is very different from one that is less rigorously enforced. You are right that there is very little recognition of this. The law is difficult to change by design, but it may soon have to change faster than it has in the past, and it's not clear how or if that can happen. Historically, it seems like the only way rapid governmental change happens is by violent revolution, and I would rather not live in a time of violent revolution...

And this goes both ways.

Many governments around the world have entities to which you can write a letter, and those entities are frequently obligated to respond to that letter within a specific time frame. Those laws have been written with the understanding that most people don't know how to write letters, and those who do, will not write them unless absolutely necessary.

This allows the regulators to be slow and operate by shuffling around inefficient paper forms, instead of keeping things in an efficient ticket tracking system.

LLMs make it much, much easier to write letters, even if you don't speak the language and can only communicate at the level of a sixth-grader. Imagine what happens when the worst kind of "can I talk to your supervisor" Karen gets access to a sycophantic LLM, which tells her that she's "absolutely right, this is absolutely unacceptable behavior, I will help you write a letter to your regulator, who should help you out in this situation."

Dean Ball made this exact point on the Ezra Klein show a few days ago. I always thought laws would get more just with perfect enforcement -- the people passing mandatory sentencing laws for minor drug offenses would think twice if their own children, and not just minorities and unfavourable groups, were subject to the same consequences (instead of rehab or community service).

But if I've learned anything in 20 years of software eng, it's that migration plans matter. The perfect system is irrelevant if you can't figure out how to transition to it. AI is dangling a beautiful future in front of us, but the transition looks... Very challenging

> Cost of enforcement matters. The exact same nominal law that is very costly to enforce has completely different costs and benefits then that same law becoming all but free to rigidly enforce.

Hey, I really like this framing. This is a topic that I've thought about from a different perspective.

We have all kinds of 18th and 19th century legal precedents about search, subpoenas, plain sight, surveillance in public spaces, etc... that really took for granted that police effort was limited and that enforcement would be imperfect.

But they break down when you read all the license plates, or you can subpoena anyone's email, or... whatever.

Making the laws rigid and having perfect enforcement has a cost-- but just the baseline cost to privacy and the squashing of innocent transgression is a cost.

(A counterpoint: a lot of selective law enforcement came down to whether you were unpopular or unprivileged in some way... cheaper and automated enforcement may take some of these effects away and make things more fair. Discretion in enforcement can lead to both more and less just outcomes).

Yup :P

As in their post:

"The future of software is not open. It is not closed. It is liberated, freed from the constraints of licenses written for a world in which reproduction required effort, maintained by a generation of developers who believed that sharing code was its own reward and have been comprehensively proven right about the sharing and wrong about the reward."

This applies to open-source but also very well to proprietary software too ;) Reversing your competitors' software has never been easier!

This has also been a common theme in recent decades with respect to privacy.

In the US, the police do not generally need a warrant to tail you as you go around town, but it is phenomenally expensive and difficult to do so. Cellphone location records, despite largely providing the same information, do require warrants because it provides extremely cheap, scalable tracking of anyone. In other words, we allow the government to acquire certain information through difficult means in hopes that it forces them to be very selective about how they use it. When the costs changed, what was allowed also had to change.

I think this distinction also gets at some issue with things like privacy and facial recognition.

There’s the old approach of hanging a wanted poster and asking people to “call us if you see this guy”. Then there’s the new approach matching faces in a comprehensive database and camera networks.

The later is just the perfect, efficient implementation of the former. But it’s… different somehow.

There was this scholarly article from Pamela Samuelson and Suzanne Scotchmer

https://yalelawjournal.org/pdf/200_ay258cck.pdf

which, as I recall it, suggested that the copyright law effectively considered that it was good that there was a way around copyright (with reverse engineering and clean-room implementation), and also good that the way around copyright required some investment in its own right, rather than being free, easy, and automatic.

I think Samuelson and Scotchmer thought that, as you say, costs matter, and that the legal system was recognizing this, but in a kind of indirect way, not overtly.

The answer to this is just changing the law as enforcement becomes different, instead of leaning on the rule of a few people to determine what the appropriate level of enforcement is.

To do this, though, you're going to have to get rid of veto points! A bit hard in our disastrously constitutional system.

Seconded, thirded, fourthed. I spend a lot of time thinking about how laws, in practice, are not actually intended to be perfectly enforced, and not even in the usual selective-enforcement way, just in the pragmatic sense.

The issue with strictly enforcing the speed limit on roads is that sometimes, people must speed. They must break the law. Wife giving birth, rushing a wounded person to the ER, speeding to avoid a collision, etc.

If we wanted to strictly enforce speed limits, we would put governors on engines. However, doing that would cause a lot of harm to normal people. That's why we don't do it.

Stop and think about what it means to be human. We use judgement and decide when we must break the laws. And that is OK and indeed... expected.

> We are all making a continual and ongoing grave error

> Blindly translating those centuries of laws into rigid, free enforcement is a terrible idea for everyone.

I understand your point that changing the enforcement changes how the law is "felt" even though on the paper the law has not changed. And I think it makes sense to review and potentially revise the laws when enforcement methods change. But in the specific case of the 55 mph limit, would the consequences really be grave and terrible if the enforcement was enforced by a robot, but the law remained the same?

Absolutely! We're not all making that error, I've been venting about it for years.

"Costs matter" is one way to say it, probably a lot easier to digest and more popular than the "Quantity has a quality all it's own" quote I've been using, which is generally attributed to Stalin which is a little bit of a problem.

But it's absolutely true! Flock ALPRs are equivalent to a police officer with binoculars and a post-it for a wanted vehicle's make, model, and license plate, except we can put hundreds of them on the major intersections throughout a city 24/7 for $20k instead of multiplying the police budget by 20x.

A warrant to gather gigabytes of data from an ISP or email provider is equivalent to a literal wiretap and tape recorder on a suspect's phone line, except the former costs pennies to implement and the later requires a human to actually move wires and then listen for the duration.

Speed cameras are another excellent example.

Technology that changes the cost of enforcement changes the character of the law. I don't think that no one realizes this. I think many in office, many implementing the changes, and many supporting or voting for those groups are acutely aware and greedy for the increased authoritarian control but blind to the human rights harms they're causing.

Not exactly the same but at least in Spain, the cost of constructing a new building subject to all the regulations makes them completely unafforfable for low salaries.

(There are other problems, I know, but the regulations are crazy).

If you had to put a name to this phenomenon, what would it be?

>https://malus.sh/blog.html

An interesting read, however I'd like to know how to stop websites from screwing around with my scrollbars. In this case it's hidden entirely. Why is this even a thing websites are allowed to do - to change and remove browser UI elements? It makes no sense even, because I have no idea where I am on the page, or how long it is, without scrolling to the bottom to check. God I miss 2005.

De jure, there is no difference between de facto and de jure. De facto there is.

LOL. Same here. But the footer disclaimer and testimonials gave it away immediately:

> "We had 847 AGPL dependencies blocking our acquisition. MalusCorp liberated them all in 3 weeks. The due diligence team found zero license issues. We closed at $2.3B." - Marcus Wellington III, Former CTO, Definitely Real Corp (Acquired)

> © 2024 MalusCorp International Holdings Ltd. Registered in [JURISDICTION WITHHELD].

> This service is provided "as is" without warranty. MalusCorp is not responsible for any legal consequences, moral implications, or late-night guilt spirals resulting from use of our services.

Certain views of OSS and its relation to commercial software always seemed to be fraught with highly voluntarist and moralizing attitudes and an intellectual naivete.

This is satire, but the very notion of open source license obligations is meaningless in context. FLOSS licenses do not require you to publish your purely internal changes to the code; any publication happens by your choice, and given that AI can now supposedly engineer a clean-room reimplementation of any published program whatsoever, publishing your software with a proprietary copyright isn't going to exactly save you either.

It's a satire. The authors presented it at FOSDEM. They are people that worked previously for foss communities.

I didn't see it was satire (having only skimmed the site) until scrolling through the comments and seeing this fake review being quoted. That's when I went "surely not", checked the site, saw it was really there, and was quite relieved this is not yet an actual thing!

Under this name or not I think it's happening regardless..

lol - it's literally called malus but I guess that's only an obvious giveaway in retrospect

It also shows why this approach is questionable. Opus 4.6 without tool use or web access can provide chardets source code in full from memory/training data (ironically, including the licensing header): https://gist.github.com/yannleretaille/1ce99e1872e5f3b7b133e...

That's worth its own submission and discussion.

What would be the incentive for someone to do this for real?

We all have access to SOTA LLMs. If I want a "clean room" implementation of some OSS library, and I can choose between paying a third party to run a script to have AI rebuild the whole library for me and just asking Claude to generate the bits of the library I need, why would I choose to pay?

I think this argument applies to most straightforward "AI generated product" business ideas. Any dev can access a SOTA coding model for $20p/m. The value-add isn't "we used AI to do the thing fast", it's the wrapping around it.

Maybe in this case the "wrapping" is that some other company is taking on the legal risk?

The bottleneck is trust and security. I'd rather defenestrate 3rd party libraries with a local instance of copilot than send all my secret sauce to some cloud/SaaS system.

Put differently, this system already exists and is in heavy use today.

There's a lot of things you could do to be malicious towards other people with minimal effort, yet strangely few people do it. Virtually everyone has morals, and most people's are quite compatible with society (hence we have a society) even if small perturbations in foundational morals sometimes lead to seemingly large discrepancies in resultant actions

You need the right kind of person, in the right life circumstances, to have this idea before it happens for real. By having publicity, it becomes vastly more likely that it finds someone who meets the former two criteria, like how it works with other crime (https://en.wikipedia.org/wiki/Copycat_crime). So thanks, Malus :P

What do you mean nobody has done it?

It's an inevitable outcome of automatic code generation that people will do this all the time without thinking about it.

Example: you want a feature in your project, and you know this github repo implements it, so you tell an AI agent to implement the feature and link to the github repo just for reference.

You didn't tell the agent to maliciously reimplement it, but the end result might be the same - you just did it earnestly.

> why hasn't anyone done this for real?

WDYM? LLMs are essentially this.

This is a misreading of the law. Court cases say that AI cannot own copyright, not that AI output cannot be copyrighted.

If you’re referring to Thaler v. Perlmutter, that is not binding precedent nationwide, only in courts under the D.C. Circuit. And it only applies to “pure” AI-generated works; it did not address AI-assisted works, which seem very likely to be copyrightable.

it is straightforward to build this for real, here is my nearly one-shotted tldraw clone from a couple of weeks ago, https://x.com/c_pick/status/2028669568403578931 - the implementation side never saw the code, only the spec (in reality it did see the tldraw code in its training data, but you can't escape that anymore)

The Torment Nexus must be built, because someone wants a lambo.

The satire is A-grade.

On a quick glance, or skim read, you could be excused for believing this is real, but they drop just enough nuggets throughout that by the end there is no ambiguity.

Really helps illustrates how realistic this could be.

At least you think that this is satire, until the author receives a DMCA from one of the big corps saying that he leaked the transcript of their last meeting

Too late. Someone's senior executive management has probably already seen it and spinning up a new project to implement it.

its partial satire. I kinda believe Claude/Codex spill lots of OSS code without license attribution for many millions of devs already.

Yeah, thank you. I was starting to get a little heated.

The situation is a bit too Torment Nexus-y for my comfort, thank you very much

I don't know - if you upload a package.json with any dependencies that map to real npmjs.com packages, it does lead you to a Stripe payment page which appears to be real... and it appears you'd be sending real money.

Maybe that's part of the joke, though :)

I know this is satire, but I would wish to see something like this for liberating proprietary & closed-source hardware drivers.

Thank you for pointing that out, I genuinely was scratching my head and questioning if this site was serious.

Malus Corporation = EvilCorp

For now

For now...

W.r.t. intent, yes. But w.r.t. content, we are long past a situation where it is unrealistic enough to function as satire.

While such tactics would render certain OSS software licenses absurd, the tactic itself, as a means to get around them, is entirely sound. It just reveals the flawed presupposition of such licenses. And I'm not sure there is really any way to patch them up now.

I was wondering. I had heard chardet story and wouldn't be surprised to see others moving into that same space.

It legit got me. An actual "whaaaaaatttt?" out loud and then I had to figure out why it was the top of HN haha.

This is going to bring back software patents.

Sounds like my CTO. Overuse of LLMs in c-suites is like overuse of weed by teenagers - it may not cause delusions, but it sure seems to make them worse.

Actually I have been told that replacements to (restricted subsets of) open source libraries, generated by LLM’s, vendored next to our code using the dependency, cannot be vulnerable since they don’t have cve’s, and therefore they don’t ever have to be maintained.

That’s how deep we are in neoliberal single truth shit now

I have actually very convincingly recreated a moderately complex 70s-era mainframe app by having an LLM reimplement it based on existing documentation and by accessing the textual user interface.

The biggest trick is that you need to spend 75% of your time designing and building very good verification tools (which you can do with help from the LLM), and having the LLM carefully trace as many paths as possible through the original application. This will be considerably harder for desktop apps unless you have access to something like an accessibility API that can faithfully capture and operate a GUI.

But in general, LLM performance is limited by how good your validation suite is, and whether you have scalable ways to convince yourself the software is correct.

Interested to keep updated on this point. As a consultant, I've worked on transformation of legacy applications so this would help me greatly as well. We've worked on pretty archaic systems where no one knows how the system works even if we have the source code.

I've done a little bit of this and Claude is pretty great. Take the app and let Claude run wild with it. It does require you to be relatively familiar with the app as you may need to guide it in the right direction.

I was able to get it to rebuild and hack together a .NET application that we don't have source for. This was done in a Linux VM and it gave me a version that I could build and run on Windows.

We're past the point of legacy blackbox apps being a mystery. Happy to talk more, my e-mail is available on my profile.

Well, what kind of desktop apps?

Unless obfuscated C# desktop apps are pretty friendly to decompile.

>The 'Firewall' they describe is an illusion because [...]

it is an illusion because this is a satire site.

The solution here seems to be to impose some constraint or requirement which means that literal copying is impossible (remember, copyright governs copies, it doesn't govern ideas or algorithms - that would be 'patents', which essentially no open source software has) or where any 'copying' from vaguely remembered pretraining code is on such an abstract indirect level that it is 'transformative' and thus safe.

For example, the Anthropic Rust C compiler could hardly have copied GCC or any of the many C compilers it surely trained on, because then it wouldn't have spat out reasonably idiomatic and natural looking Rust in a differently organized codebase.

Good news for Rust and Lean, I guess, as it seems like everyone these days is looking for an excuse to rewrite everything into those for either speed or safety or both.

Obviously satire, but it will clearly be what happens in the future (predicting here, I'm not endorsing this practice). We can scratch train a new LLM on code generated from "contaminated" LLMs. We can then audit all the training data used and demonstrate that the original source wasn't in the training data. Therefore the cleanroom implementation holds. Current LLM training is relying less and less on human generated code. Just look at the open source models from China. They rely heavily on distilling from other models. One additional point. Exposure to the original source isn't enough to show infringement. Linus looked at UNIX source before writing linux.

I think this site is either satire, or serious but with a certain kind of humor in which both they and the reader know they're lying (but it's in everyone's interest to play along).

They do say this:

> Is this legal? / our clean room process is based on well-established legal precedent. The robots performing reconstruction have provably never accessed the original source code. We maintain detailed audit logs that definitely exist and are available upon request to courts in select jurisdictions.

Unless they're rejecting almost all of open source packages submitted by the customer, due to those packages being in the training set of the foundation model that they use, this is really the opposite of cleanroom.

This is definitely a parody though, not a real service.

Often OSS is used not because you want the software, but the software and the upkeep. So even with such a service, you're now just taking code in-house that you have to maintain as well.

The people that will take this as a good thing unironically will just have their personal Yes Man do that work internally.

It's already a term of art used for this very purpose. https://en.wikipedia.org/wiki/Clean-room_design

This was already done, see: Grokipedia.

aren't you describing what elon already did https://grokipedia.com/

So Grokipedia?

It's funny that humans working together for mutual benefit via any other mechanism than regimented corporate slavery is considered insane.

It's not true (and also not funny):

* Many of the people maintaining FOSS are paid to do so; and if we counted 'significance' of maintained FOSS, I would not be surprised if most FOSS of critical significance is maintained for-pay (although I'm not sure).

* Publishing software without a restrictive license is not 'generous', it's the trivial and obvious thing to do. It is the restriction of copying and of source access that is convoluted, anti-social, and if you will, "insane".

* Similarly, FOSS is not a "miracle" of human cooperation, and it what you get when it is difficult to sabotage human cooperation. The situation with physical objects - machines, consumables - is more of a nightmare than the FOSS situation is a miracle. (IIRC, an economist named Veblen wrote about the sabotaging role of pecuniary interests on collaborative industrial processes, about a century ago; but I'm not sure about the details.)

* Many people read licenses, and for the short, paragraph-long licenses, I would even say that most developers read them.

* It is not insane to use FOSS from a "fiduciary standpoint".

Isn't that the premise of Fallout ?

>whatever that library is called

https://news.ycombinator.com/item?id=47259177

You'll find all the answers if you read more carefully:

> Through our offshore subsidiary in a jurisdiction that doesn't recognize software copyright

> If any of our liberated code is found to infringe on the original license, we'll provide a full refund and relocate our corporate headquarters to international waters.

> "Our lawyers estimated $4M in compliance costs. MalusCorp's Total Liberation package was $50K. The board was thrilled. The open source maintainers were not, but who cares?" - Patricia Bottomline, VP of Legal, MegaSoft Industries

Everything is enforceable by the rich, nothing is enforceable by the poor

Yeah it's just a slightly more honest and simplified presentation of what LLMs providers do IMO.

> observes how it looks from the outside (UI) and inside (with debug tools), creates a spec sheet of how the app functions, and then sends those specs to the "clean room" AI.

and tbh, i cannot see any issues if this is how it is done - you just have to prove that the clean room ai has never been exposed to the source code of the app you're trying to clone.

> I view this as an unmitigated good.

Then I don't think you've thought it through.

This entire software ecosystem depends on volunteering and cooperation. It demands respect of the people doing the work. Adhering to their licensing terms is the payment they demand for the work they do.

If you steal their social currency, they may just walk away for good, and nobody will pick up the slack for you. And if you're a whole society of greedy little thieves, the future of software will be everyone preciously guarding and hiding their changes to the last open versions of software from some decades ago.

You should read Bruce Perens' testimony in the Jacobsen v. Katzer case that explained all this (and determined that licensing terms are enforceable, and you can't just say "his is open mine is open what's the difference?")

https://web.archive.org/web/20100331083827/http://perens.com...

> I view this as an unmitigated good. Open source every damn thing.

Agree, I said this in another comment, AI-generated anything should be public domain. Public data in, public domain out.

This train wreck in slow motion of AI slowly eroding the open web is no good, let's rip the bandaid.

Open sourcing all the things sounds fun right up until you hit the point where clean room claims collapse under real legal cross-examination. If you think companies with money on the line are just going to roll over and accept it all as fair play I'd like to introduce you to the concept of discovery at $900/hr. If your business model is a legal speedrun you better budget harder than you code.

Open source is good, washing open source licences is very bad.

I publish under AGPL and if someone ever took my project and washed it to MIT I would probably just take all my code offline forever. Fuck that.

If the AI could do good refactor of OS project, remove unused code/features and make the code more efficient. Than we really would be out of jobs :D

I expect that thousands of people are now doing just that. Most proprietary software is just a shiny UI in front of a crappy database schema.

Is it satire? Or is it a warning?

I was on this talk expecting to hear about MongoDB abusing open source (as you could guess from my profile, that’s a topic dear to my heart). Instead, I saw the most entertaining talk in my life.

"I solemnly swear that I am up to no good" and their seal is ⍼.

https://www.hp-lexicon.org/magic/solemnly-swear-no-good/

https://news.ycombinator.com/item?id=47329605

https://www.explainxkcd.com/wiki/index.php/2606:_Weird_Unico...

Homonym of "malice" too. Honestly kind of a brilliant name.

whoosh

A lot of people, including perhaps the creator of this, feel that LLMs themselves are this service.

It exists! It's called Claude Code.

No

Amazon C*s calling Amazon Legal to ask if they could get away with implementing something like this internally, more like.

I think we've already seen this with "AI writes a web-browser" type PR. I guess we can still look forward to when they make license evasion an explicit part of their marketing. Then I can wryly laugh when somebody robo-whitewashes leaked commercial software, knowing that they'll get sued anyways.