You can connect it to any Anthropic-compatible endpoint (Kimi allows this), but it's a weird choice, given that OpenCode, pi.dev and others are open source.
It's not that easy, and the 2025 blackout is good evidence of that. Renewables need a grid that's engineered for them, and that requires significant investments. Without them, closing power plants (of any kind) is, IMO, nonsensical.
Ironically, Spain has plenty of uranium, but there is an environmental law that doesn't allow its mining.
> It's not that easy, and the 2025 blackout is good evidence of that. Renewables need a grid that's engineered for them, and that requires significant investments.
The outage in Spain had multiple complex causes.
While the grid had a rather routine instability/oscillation ongoing at the time of the incident, the actual point-of-no-return was completely non-technical: Prices crossed into the negatives, which caused generation to drop by hundreds of megawatts and load to increase likewise within a minute (!) because the price acted as a non-technical synchronized drop-off signal for the grid.
In grids where the price action is not forwarded directly to the generators and consumers there would be no incentive to suddenly drop off decentralized generation. So for example in Germany a black-out would not happen like this.
Unfortunately, to have an informed opinion, you pretty much have to read all these pages, because the situation is just so complex. Otherwise, you just fall for agenda pushing from all sides.
That being said, I was apparently also under the impression of outdated or just plain wrong information.
While the report I listed mentions the sudden loss of decentralized generation as starting point of the blackout, and also specifically mentions small-scale rooftop PV, it says that the cause for that sudden synchronized drop-off is actually unknown.
You can't get an "informed opinion" by reading crap like that report.
The Spanish systems have systematic design failures for stability and electricity market design. Working out the political failures that led to the design failures is much harder.
Only those working closely in that profession have any knowledge of the underlying causes.
Most everyone else (including this comment) is different levels of ignorance and cluelessness.
Edit: E.g. crap quote from the report: "but no significant oscillations with amplitudes above 20 mHz". The rest of it is about that level from what I could tell.
> Only those working closely in that profession have any knowledge of the underlying causes.
This report is literally from the ENTSO-E which is the main regulatory body for the grid in Europe.
> Crap quote from the report "but no significant oscillations with amplitudes above 20 mHz".
What is the "crap" about that?
An amplitude can still be measured in Hz, if you are looking at oscillating frequency deviations, if that is what you mean.
Very timely, the final report has been released today.
I hadn't read the document you referenced, and I admit I don't have the prior knowledge, nor the time, to fully understand all the implications of what it says. My opinion is then the result of reading and listening to a variety of experts and news sources, and it will have some biases, for sure.
Still, I have skimmed the final report to see if there was something that I could understand first hand (and to support my original point, not gonna lie), and I found this:
_The increasing penetration of variable renewable and distributed generation, further market integration, broader electrification, and evolving environmental and geopolitical risks place the European electricity system under increasingly challenging operational conditions, requiring higher levels of resilience._
Do you really think that my original point (as uninformed as it might be), namely, that the levels of renewable energy currently present in the Spanish grid require significant investments, was wrong?
Yes, I think it's wrong, or at least way over-exaggerated.
You can run a grid to supply approximately 80% renewables (long-term average) without significant technical changes.
Only if you want to get the last 20% to renewables do you get technical challenges, e.g. related to synchronization and load-matching. But those are also not unsolvable problems, e.g. instead of relying on the inertia of steam turbines you can "just" build special-purpose flywheels to do the same thing. It's just less elegant.
Source: Volker Quaschning "Understanding Renewable Energy Systems", too lazy right now to look up the exact page.
This is also consistent with the section they quoted.
Generally, the load matching in grids is done by the system itself.
If you add more wind and solar, which depend on the weather and location, you have to do more large-scale intervention, e.g. allow generation re-dispatch. But that doesn't immediately imply that this is a dangerous process.
I have not read the report yet, but in another thread someone gave a very plausible explanation of what happened.
The high levels of renewable energy happened to contribute to this incident, but not because of something inherent in renewable energy. All renewable energy sources are connected to the grid through inverters, and in Spain most of these inverters do not use an adequate control policy, i.e. they do not compensate the phase fluctuations of the grid, like the synchronous electromechanical generators do (i.e. they do not generate an appropriate amount of reactive power for compensation).
Technically it is easy to implement such control policies in all solid-state inverters, but it was not done in Spain because there were no incentives, i.e. there were no regulations specifying how the inverters connected to the grid should behave, otherwise than disconnecting when the frequency went outside a permissible range.
Yes, that is plausible indeed, but the problem is that there are many explanations which are plausible, but there doesn't seem to be a smoking gun.
What is strange about that explanation, for example, is that the time correlation is backwards.
First the solar generation started to drop out and only then central generator stations tripped. Also, the ongoing frequency oscillations had already stabilized. If it was related to frequency issues, the solar inverters would either have shut down 15 minutes earlier (while the frequency oscillations were at the peak) OR 1-2 minutes later (when power stations tripped and frequency would have dipped).
But doesn't nuclear power present a complication when designing a power grid for renewable energy? It is basically very expensive baseload energy that needs permanent demand, when the entire proposition of a renewable-focused grid is that you manage a non-certain production with dynamic demand (via batteries and price-sensitive usage).
For power plants, this is glacial. A power grid has to be balanced perfectly on a sub-second level. Also, you can only do this down to about 50% of rated capacity. Below that you have to switch it off completely.
If you combine this with renewable generation, it all falls apart. A cloud passing over a large PV installation will drop generation much faster than nuclear plants will ever be able to follow (by increasing generation). So if you want to have a substantial share of renewable generation (which, remember, is the cheap stuff), you can't have more than a token nuclear capacity, because you need to invest the money you might want to spend on nuclear on battery and hydro storage.
The other aspect is the economics of nuclear itself. Nuclear power plants are the most capital intensive generation capacity you can build. Even when driving them at the maximum of their rated capacity, they have a levelized cost of electricity several times that of PV and wind per kWh. Requiring routine load following for nuclear would basically guarantee that no one ever builds a nuclear reactor again.
There are reasons to build new nuclear, but it's not cheap/reliable power generation. You build it to have access to a nuclear industrial base, as well as the research and professional community to run a military nuclear program. Or you actually succeed in creating a Small Modular Reactor, which might be suitable for niche applications (i.e. power isolated communities in extreme remote locations). Or you are simply fascinated by the technology and want to invest a ton of money on the off chance that it will produce some unforeseen technological breakthrough (though arguably you'd do better with investing in nuclear fusion from my limited understanding of the research).
But as far as I know this is a non-issue since we've mostly been able to cover this where it pops up. Especially since the grid's demand doesn't tend to go 0-100 or the other way around that fast. Even with a significant amount of nuclear there are multiples of those solar farms, wind farms, etc.
For the small fluctuations the turbine's governor response can provide frequency stabilization and pressurised water reactors also provide moderate load following.
> The other aspect is the economics of nuclear itself. Nuclear power plants are the most capital intensive generation capacity you can build. Even when driving them at the maximum of their rated capacity, they have a levelized cost of electricity several times that of PV and wind per kWh.
When I looked at actually honest comparisons this simply isn't true across the board. I mean it doesn't help that the West has built so few recently and managed some exceptional fuckups whilst also making a lightbulb in an unimportant side building's toilet cost a couple dozen grand in a way that might as well be purposeful sabotage of nuclear, but much of the world (read: mostly China) does relatively fine with their costs and time frame. These comparisons also have a tendency to use absolutely unrealistic storage costs all the same or foresee continued storage costs of methods that are exhausted (hydro over here).
Additionally, it's the cheapest solar that often pulls this down, but the vast majority in, let's say, here in Belgium is residential, which is a lot, lot more costly and less efficient. The solar farms are all way more south, so a lot of these American reports don't make much sense in most of Europe either.
> If you combine this with renewable generation, it all falls apart
Rubbish. Only true if the renewable generation is poorly integrated. Solar plus batteries can provide synthetic inertia if the incentives/regulations are correctly designed.
Australia has been adding oodles of solar, and they have been doing it surprisingly well.
> Solar plus batteries can provide synthetic inertia if the incentives/regulations are correctly designed.
Yes, but why build nuclear at all, if you are already building PV + batteries? Nuclear is much more expensive than that combination. And if you add nuclear capacity on a level that actually matters (i.e. 30%+ of peak load), you run into real integration problems.
As I've written elsewhere, a token nuclear program can make sense if you want to keep the industrial base, institutional knowledge and expertise around, i.e. to guarantee independent access to nuclear weapons. But it is ludicrous to make nuclear a cornerstone of your energy policy. Not even China is expanding its share of nuclear in total energy generation. They keep it around as a strategic asset, but a subsidized one.
For countries like Denmark and Spain I'd be pulling my hair out if my government would start throwing money into the money pit that is nuclear power (and it inevitably is government money, because no nuclear power plant has ever been built without government subsidies and/or price guarantees).
> Nuclear can load follow, within limitations
Yes, but it makes zero economic sense to do so. Nuclear is multiple times more expensive per kWh than PV + batteries, even if you run it at max capacity continuously. If you require nuclear to load follow on a regular basis, not a single reactor will ever be built again.
It's more cost efficient to keep them running all the time since most of the cost of nuclear is building the power plant, but power output can be adjusted if needed.
In another thread that comments on the report it was said that most inverters used in Spain for the renewable energy sources do not implement a control policy to generate an adequate reactive power to compensate the phase fluctuations of the grid, like a synchronous electromechanical generator would do. The inverters only disconnected from the grid when the frequency went outside the permitted range.
Ensuring that the inverters produce compensating reactive power would have been easy to do, but it was not done simply because there were no regulations that requested this. Obviously, as a consequence of the report, this is likely to change.
Yeah, been trivial forever. In the US it became a requirement for all new utility-scale non-synchronous generators a decade ago. And then a bunch of statewide rules for rooftop solar as well.
The difference is that in this case the agent loop is executed, which has all the caching and behaviour guarantees. What I assume OpenClaw is doing is calling the endpoint directly while retaining its own "agent logic" so it doesn't follow whatever conventions the backend is expecting.
How important that difference is, I can't say, but aside from the cost factor I assume Google doesn't want to subsidize agents that aren't theirs and in some way "the competition".
The source is somewhat trustable mainstream but not really good, as already the headline is wrong. The other person was not jailed for insults against the rapists, but threats of violence. And that is an attack on the state monopoly on violence itself, hence the harsh sentence.
But indeed, the rulings against the rapists don't seem all right and very much out of balance with the other sentence.
It appears that the ruling regarding the rapes was not so straightforward [1], certainly not something that you can use as a one-line argument. There are also other articles describing what presumably happened there in 2020.
Regarding the case of 'Maja R.', here's a summary [2] (e.g. she didn't show up for the first two hearings [3] - that would certainly raise the anger of the righteous if somebody not in their favor did that).
I'm in doubt whether this one case is sufficient to prove the downward spiral that some people claim to perceive (it was also brought up in context of migration here on HN recently, and from the sources which I could find I'm not sure it fully qualifies there either).
I agree with the sentiment, but I think it's a pretty naive view of the issue. Companies will want all the info they can get in case some of their workers do something illegal/inappropriate, to deflect the blame. That's a much more palpable risk than "local CA certificates being compromised" or something like that.
And some of the arguments are just very easily dismissed. You don't want your employer to see your medical records? Why were you browsing them during work hours and using your employer's device in the first place?
TLS inspection can _never_ be implemented in a good way; you will always have cases where it breaks something, and most commonly you will see very bad implementations that break most tools (e.g. it is very hard to trust a new CA because each of OS/browser/java/python/... will have their own CA store).
This means devs/users will skip TLS verification ("just make it work"), making for a dangerous precedent. Companies want to protect their data? Well, just protect it! Least privilege, data minimization, etc. are all good strategies for avoiding data leaking.
You also need some decent support + auditing. There are a couple of places to configure (e.g. setting CURL_CA_BUNDLE globally covers multiple OSS libraries) but there will be cases where someone hits one of the edge clients and tries to ignore the error, which ideally would lead to a scanner-triggered DevOps intervention. I think a fair amount of the rancor on this issue is really highlighting deeper social problems in large organizations, where a CIO should be seeing that resentment/hostility toward the security group is a bigger risk than the surface problem.
Security takes many forms, including Availability.
Having branch offices with 100 Mbps (or less!) Internet connections is still common. I’ve worked tickets where the root cause of network problems such as dropped calls ended up being due to bandwidth constraints. Get enough users streaming Spotify and Netflix and it can get in the way of legitimate business needs.
Sure, there’s shaping/qos rules and dns blocking. But the point is that some networks are no place for personal consumption. If an employer wants to use a MITM box to enforce that, so be it.
I think that's a very loose interpretation of Availability in the CIA triad.
This looks a lot like using the MITM hammer to crack every nut.
If this is an actual concern, why not deny personal devices access to the network? Why not restrict the applications that can run on company devices? Or provide a separate connection for personal devices/browsing/streaming?
Why not treat them like people and actually talk to them about the potential impacts. Give people personal responsibility for what they do at work.
Yes, but also it’s not an employer’s job to provide entertainment during work hours on a factory floor where there are machines that can kill you if you’re not careful.
There’s a famous fable where everyone is questioning the theft victim about what they should’ve done and the victim says “doesn’t the thief deserve some words about not stealing?”
Similarly, it’s a corporate network designed and controlled for work purposes. Connecting your personal devices or doing personal work on work devices is already not allowed per policy, but people still do it, so I don’t blame network admins for blocking such connections.
I agree with all you said, but it's not like it is well advertised by the companies--they should come right out and say "we MITM TLS" but they don't. It's all behind the scenes smoke and mirrors.
Normally no personal device has the firewall root certs installed, so they just experience network issues from time to time, and DNS queries and client hello packets are used for understanding network traffic.
However, with recent privacy-focused enhancements, which I love by the way because they protect us from ISPs and others, we (as in everybody) need a way to monitor and allow only certain connections in the work network. How? I don’t know, it’s an open question.
Does GDPR (or similar) establish privacy rights to an employee’s use of a company-owned machine against snooping by their employer? Honest question, I hadn’t heard of that angle. Can employers not install EDR on company-owned machines for EU employees?
(IANAL) I don't think there is a simple response to that, but I guess that given that the employer:
- has established a detailed policy about personal use of corporate devices
- makes a fair attempt to block work-unrelated services (hotmail, gmail, netflix)
- ensures the security of the monitored data and deletes it after a reasonable period (such as 6–12 months)
- and uses it only to apply cybersecurity-related measures like virus detection, UNLESS there is a legitimate reason to target a particular employee (legal inquiry, misconduct, etc.)
It has to have a good purpose. Obviously there are a lot of words written about what constitutes a good purpose. Antivirus is probably one. Wanting to intimidate your employees is not. The same thing applies to security cameras.
Privacy laws are about the end-to-end process, not technical implementation. It's not "You can't MITM TLS" - it's more like "You can't spy on your employees". Blocking viruses is not spying on your employees. If you take the logs from the virus blocker and use them to spy on your employees, then you are spying on your employees. (Virus blockers aiming to be sold in the EU would do well not to keep unnecessary logs that could be used to spy on employees.)
What’s the definitive answer? From what I can tell that document is mostly about security risks and only mentions privacy compliance in a single paragraph (with no specific guidance). It definitely doesn’t say you can or can’t use one.
That's probably because there is no answer. Many laws apply to the total thing you are creating end-to-end.
Even the most basic law like "do not murder" is not "do not pull gun triggers" and a gun's technical reference manual would only be able to give you a vague statement like "Be aware of local laws before activating the device."
Legal privacy is not about whether you intercept TLS or not; it's about whether someone is spying on you, which is an end-to-end operation. Should someone be found to be spying on you, then you can go to court and they will decide who has to pay the price for that. And that decision can be based on things like whether some intermediary network has made poor security decisions.
This is why corporations do bullshit security by the way. When we on HN say "it's for liability reasons" this is what it means - it means when a court is looking at who caused a data breach, your company will have plausible deniability. "Your Honour, we use the latest security system from CrowdStrike" sounds better than "Your Honour, we run an unpatched Unix system from 1995 and don't connect it to the Internet" even though us engineers know the latter is probably more secure against today's most common attacks.
Okay, thanks for explaining the general concept of law to me, but this provides literally no information to figure out the conditions under which an employer using a TLS intercepting proxy to snoop on the internet traffic of a work laptop violates GDPR. I never asked for a definitive answer, just, you know, an answer that is remotely relevant to the question.
I don’t really need to know, but a bunch of people seemed really confident they knew the answer and then provided no actual information except vague gesticulation about PII.
Are they using it to snoop on the traffic, or are they merely using it to block viruses? Lack of encryption is not a guarantee of snooping. I know in the USA it can be assumed that you can do whatever you want with unencrypted traffic, which guarantees that if your traffic is unencrypted, someone is snooping on it. In Europe, this might not fly outside of three-letter agencies (who you should still be scared of, but they are not your employer).
Your question
So does nobody in Europe use an EDR or intercepting proxy since GDPR went into force?
Given that a regulator publishes a document with guidelines about DPI, I think it rules out the impossibility of implementing it. If that were the case it would simply say "it's not legal". It's true that it doesn't explicitly say all the conditions you should meet, but that wasn't your question.
They can, but the list of "if..." and "it depends..." is much longer and more complicated, especially when getting to the part about how the obtained information may be used.
Yes.
GDPR covers all handling of PII that a company does. And it's sort of default deny, meaning that a company is not allowed to handle (process and/or store) your data UNLESS it has a reason that makes it legal. This is where it becomes more blurry: figuring out if the company has a valid reason. Some are simple, e.g. if required by law => valid reason.
GDPR does not care how the data got “in the hands of” the company; the same rules apply.
Another important thing is the principles of GDPR. They sort of underline everything. One principle to consider here is that of data minimization. This basically means that IF you have a valid reason to handle an individual's PII, you must limit the data points you handle to exactly what you need and not more.
So - company proxy breaking TLS and logging everything? Well, the company has valid reason to handle some employee data obviously. But if I use my work laptop to access private health records, then that is very much outside the scope of what my company is allowed to handle. And logging (storing) my health data without valid reason is not GDPR compliant.
Could the company fire me for doing private stuff on a work laptop? Yes probably. Does it matter in terms of GDPR? Nope.
Edit: Also, “automatic” or “implicit” consent is not valid. So the company cannot say something like “if you access private info on your work PC then you automatically consent to $company handling your data”. All consent must be specific, explicit and retractable.
What if your employer says “don’t access your health records on our machine”? If you put private health information in your Twitter bio, Twitter is not obligated to suddenly treat it as if they were collecting private health information. Otherwise every single user-provided field would be maximally radioactive under GDPR.
Many programmers tend to treat the legal system as if it was a computer program: if(form.is_public && form.contains(private_health_records)) move(form.owner, get_nearest_jail()); - but this is not how the legal system actually works. Not even in excessively-bureaucratic-and-wording-of-rules-based Germany.
Yeah, that’s my point. I don’t understand why the fact that you could access a bunch of personal data via your work laptop in express violation of the laptop owner’s wishes would mean that your company has the same responsibilities to protect it that your doctor’s office does. That’s definitely not how it works in general.
The legal default assumption seems to be that you can use your work laptop for personal things that don't interfere with your work. Because that's a normal thing people do.
I suspect they should say "this machine is not confidential" and have good reasons for that - you can't just impose extra restrictions on your employees just because you want to.
The law (as executed) will weigh the normal interest in employee privacy, versus your legitimate interest in doing whatever you want to do on their computers. Antivirus is probably okay, even if it involves TLS interception. Having a human watch all the traffic is probably not, even if you didn't have to intercept TLS. Unless you work for the BND (German Mossad) maybe? They'd have a good reason to watch traffic like a hawk. It's all about balancing and the law is never as clear-cut as programmers want, so we might as well get used to it being this way.
If the employer says so and I do so anyway then that’s an employment issue. I still have to follow company rules. But the point is that the company needs to delete the collected data as soon as possible. They are still not allowed to store it.
I’ll give an example I'm more familiar with. In the US, HIPAA has a bunch of rules about how private health information can be handled by everyone in the supply chain, from doctor’s offices to medical record SaaS systems. But if I’m running a SaaS note taking app and some doctor’s office puts PHI in there without an express contract with me saying they could, I’m not suddenly subject to enforcement. It all falls on them.
I’m trying to understand the GDPR equivalent of this, which seems to exist since every text field in a database does not appear to require the full PII treatment in practice (and that would be kind of insane).
GPT actions allowed mostly the same functionality, I don't get the sudden scare about the security implications. We are in the same place, good or bad.
Btw it was already possible (but inelegant) to forward GPT actions requests to MCP servers, I documented it here
Custom connectors are cool and a good selling point but they have to be remote (afaik there is no Le Chat Desktop) so using it with local resources is not impossible, but hard to set up and not very practical (you need Tailscale Funnel or equivalent).
I had never expected that I would witness in my lifetime such advanced AI, and now (maybe) extraterrestrial life.
If confirmed, the only remaining big mystery would be to know if there is intelligent life in any other part of the universe, which I understand is orders of magnitude more unlikely to confirm, but one can dream...
One of these obviously hasn't happened, but it might be, hence my excitement. I don't know how likely the experts think it is (~1%, ~10%, etc.) but I guess the odds aren't high.
With regards to the other one (AI), I did not claim anything else than a subjective assessment. I did not expect to see an AI capable of maintaining a conversation aloud, for example. Maybe I'm easy to impress.