New Book: A Hacker’s Mind

I have a new book coming out in February. It’s about hacking.

A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend them Back isn’t about hacking computer systems; it’s about hacking more general economic, political, and social systems. It generalizes the term hack as a means of subverting a system’s rules in unintended ways.

What sorts of system? Any system of rules, really. Take the tax code, for example. It’s not computer code, but it’s a series of algorithms—supposedly deterministic—that take a bunch of inputs about your income and produce an output that’s the amount of money you owe. This code has vulnerabilities; we call them loopholes. It has exploits; those are tax avoidance strategies. And there is an entire industry of black-hat hackers who exploit vulnerabilities in the tax code: we call them accountants and tax attorneys.

In my conception, a “hack” is something a system permits, but is unanticipated and unwanted by its designers. It’s unplanned: a mistake in the system’s design or coding. It’s subversion, or an exploitation. It’s a cheat—but only sort of. Just as a computer vulnerability can be exploited over the Internet because the code permits it, a tax loophole is “allowed” by the system because it follows the rules, even though it might subvert the intent of those rules.

Once you start thinking of hacking in this way, you’ll start seeing hacks everywhere. You can find hacks in professional sports, in customer reward programs, in financial systems, in politics; in lots of economic, political, and social systems; against our cognitive functions. A curved hockey stick is a hack, and we know the name of the hacker who invented it. Airline frequent-flier mileage runs are a hack. The filibuster was originally a hack, invented by Cato the Younger, A Roman senator in 60 BCE. Hedge funds are full of hacks.

A system is just a set of rules. Or norms, since the “rules” aren’t always formal. And even the best-thought-out sets of rules will be incomplete or inconsistent. It’ll have ambiguities, and things the designers haven’t thought of. As long as there are people who want to subvert the goals of a system, there will be hacks.

I use this framework in A Hacker’s Mind to tease out a lot of why today’s economic, political, and social systems are failing us so badly, and apply what we have learned about hacking defenses in the computer world to those more general hacks. And I end by looking at artificial intelligence, and what will happen when AIs start hacking. Not the problems of hacking AI, which are both ubiquitous and super weird, but what happens when an AI is able to discover new hacks against these more general systems. What happens when AIs find tax loopholes, or loopholes in financial regulations. We have systems in place to deal with these sorts of hacks, but they were invented when hackers were human and reflect the human pace of hack discovery. They won’t be able to withstand an AI finding dozens, or hundreds, of loopholes in financial regulations. We’re simply not ready for the speed, scale, scope, and sophistication of AI hackers.

A Hacker’s Mind is my pandemic book, written in 2020 and 2021. It represents another step in my continuing journey of increasing generalizations. And I really like the cover. It will be published on February 7. It makes an excellent belated holiday gift. Order yours today and avoid the rush.

Posted on November 11, 2022 at 2:11 PM47 Comments


RatMan29 November 11, 2022 3:03 PM

I don’t buy calling accountants and attorneys “black hats.” If they find a loophole and it is upheld at audit or trial, then it is a legitimate part of the rules and only shows that the accountant or attorney did a better job of understanding them than did the tax agency people who wrote them.

Mike B November 11, 2022 6:03 PM

@RatMan29: For any given tax provision, there’s a good chance that it wasn’t “tax agency people who wrote them.” More likely it was inserted into the deep details of a “tax reform” bill, late in the legislative process, by a staffer for a congressman doing the bidding of the Apple Pie Industry Association, which just happened to adopt the platform pushed by the fourth-generation owner of the industry’s leading company. In such a case, the tax lawyer or accountant is no smarter nor better-understanding than the script-kiddies who buy and swap simple tools for common exploits.

Jon November 11, 2022 6:25 PM

I concur with the ‘finding ways’. I was idly poking at a kiosk in a car dealership in Italy once, and it occurred to me to try ‘alt-tab’ – so I did, and pop the kiosk application went away and I had a Windows desktop with an internet connection.

Wasn’t much, just a ‘let’s try something they might not expect’ and off I went.

Am I a hacker? I guess so. I popped up www . ferarri . com in IE and then briskly departed with a smile. 😉 J.

Clive Robinson November 11, 2022 6:48 PM

@ Bruce, ALL,

“And even the best-thought-out sets of rules will be incomplete or inconsistent. It’ll have ambiguities, and things the designers haven’t thought of.”

One of the failings of design is “unregarded states” in any system that does not have the ability to store state it’s fully detetmanistic from input to output, thus all the states can be determind as can the transitions.

But do the designers actually walk through every state?

No of course not because there is not enough time in the universe to do so for some fully determanistic systems (block ciphers for instance).

When you add feedback or memory then you bring storage of state into the design and with it complexity we humans as yet appear incapable of grasping.

That is the majority of people can at best only think logical in a single chain of sequential thought. The ability to think in multiple chains or threads of thought escapes most of us and we simply can not think in parallel. So even what appears to be trivial complexity can be beyond us.

So if people want to “hack systems” for good or bad they need to find the shadows of “unregarded states” that most often appear in an exploitable form when there are more than two paths there that are unequal.

It realy is that simple…

Which is why stopping it is so hard.

Nick Levinson November 11, 2022 11:26 PM

How some Western journalists posted to a southeast Asian nation got rid of a disliked KGB agent who was posted to a diplomatic assignment (the journalists had rather liked the predecessor but not the new person):

They asked reportorial colleagues in Western capitol cities to write postcards to the new KGB agent. The postcards were just simple greetings, except that each card was to have a number handwritten in a corner. It didn’t matter what the number was.

The agent disappeared.

(Reported about 40 years ago in Far Eastern Economic Review, at the time a serious political news magazine. I don’t know when the event occurred.)

Nick Levinson November 12, 2022 12:16 AM

I wonder how well AI will work at finding loopholes in law and tactics from law, in the U.S. I suspect AI will generate so many false positives that it will be terminated from those tasks until a much advanced generation of AI comes along.

Reason: The validity of a new loophole or tactic will depend on how adjudicators evaluate claims about the new loophole or tactic. Adjudicators, while often notably precise in a legal sense, do not live by the kind of precision known to computer science. While most adjudicators agree on most of the law, the differences are usually somewhat legitimate. The U.S. Supreme Court often sorts out legal disagreements among the courts immediately below that court. The kinds of precision are different.

Example: A statute defined the boundaries for one municipality’s school districts applicable to school board elections. I checked the statute against an official map. At least once, I found an incomplete boundary definition, by which a boundary ended so that it needed definition for another city block or so. The board of elections supplied that definition, so that in which district a resident lived could be certain and elections could be held without a dispute on that point. In U.S. law, that kind of filling the gaps in law is allowed to government agencies that have to implement a law. The principle has been judicially approved.

I found discrepancies in the U.S. Constitution between authoritative texts. None, however, are likely to be serious enough to cause a problem with Constitutional legal interpretation or application. AI would likely generate plenty of false positives, such as with one incomprehensible word (maybe it was due to bad handwriting).

One thing accountants and lawyers bring to their advice to clients is a background in what laws will be enforced and when. I used to sign documents and qualify my signature to avoid making false claims but specifically lawyers’ offices (not the lawyers personally but their well-trained lower-level staff) would object to my so qualifying, in which case I’d refuse to sign, like when I was told to sign that I had served papers before serving them or like when I was to sign a receipt for stock certificates that turned out to be only specimens and not stock certificates. Someone got hold of a tax agency’s audit standards, showing what would trigger an audit. A journalistic effort to uncover city corruption found accountants advising to whom to offer bribes to prevent law enforcement and to whom not to offer bribes because the latter recipients would keep coming back for more. I don’t know how AI would handle all this, when there’s no database of what legal violations will likely go unnoticed.

SpaceLifeForm November 12, 2022 12:20 AM

@ Jon

re: popping up a website on kiosk

LOL. I hope you left it chromeless full screen. Even if not, they probably went thru the ‘Did you try turning it off and back on?’ scenario. Fiat dealer?

Melba November 12, 2022 12:12 PM

@ Nick Levinson,

I wonder how well AI will work at finding loopholes in law

The only reason I see for AI here is to turn the law into something resembling computer code. Once it’s parseable, one could just as well use techniques such as fuzz-testing and formal verification to check for “interesting” code paths.

(The idea reminds me of the freely downloadable book Accelerando, which describes a byzantine web of corporations created and governed by regulations written in Python.)

The IRS obviously already has an executable version of (at least large portions of) the US tax code—likely uncopyrighted and accessible to anyone via the Freedom Of Information Act (FOIA). I’m a bit baffled that, apparently, none of the several open-source tax-software efforts have tried to request it. Even if it didn’t lead to directly useful code, I suspect we’d learn something interesting.

Nick Levinson November 12, 2022 1:15 PM


If you mean just digitization of natural-language texts of the Constitution, codified Federal statutes and regulations, much case law, and likely much State law and sometimes law of big cities, that’s already available and much of it is free of charge. See e.g., href=””>Cornell’s Legal Information Institute, href=””>the U.S. Code from the Government Publishing Office, and href=”″>California’s State appellate court opinions.

But if you mean that the same sources would be written with the kind of logic and precision demanded of computer code, I doubt it’s coming. It’s hard enough to get contracts written in plain English, and that movement has been around for decades. That’s difficult and expensive to do, because when you do it you don’t want to change the meaning away from the intent of the parties, and that almost always means relying on meanings found in other law. You could add a clause saying that you’re not changing the meaning, but a court applying a legal source might be forced to change the meaning and that could lead to unpredictable results, which you’d try to prevent.

In the U.S., law itself is not subject to copyright, although enhancements, arrangements, and commentaries may be.

vas pup November 12, 2022 4:19 PM

North Korean hacker attack on Israeli crypto firm said thwarted

“North Korean hackers attempted to steal money from an Israeli crypto firm in an attack that was described as “professional and sophisticated,” Channel 12 news reported Monday.

According to the report, the North Koreans posed as a Japanese supplier of the unnamed company in an attempt to gain access to the funds.

The hack was stopped by personnel from cybersecurity firm Konfidas, the report said.

!!!!The report said that the attack last week used “unfamiliar tools” that had “set off alarm bells in Israel.”

According to the report, if the hack had been successful, the funds would have been used for the development of Pyongyang’s nuclear program.

Last year, a leaked confidential UN report said North Korea had stolen more than $300 million worth of cryptocurrencies through cyberattacks to support its weapons programs in the face of sanctions.

Financial institutions and exchanges were hacked to generate revenue for Pyongyang’s nuclear and missile development, the document said, with the vast majority of the proceeds coming from two thefts in 2020.”

vas pup November 12, 2022 4:51 PM


Couple thoughts if I may:
-tax hack is easy because tax code is so complicated as many other Federal and State Laws fill in with contradictions, old obsolete norms and so many regulations that even FINCEN guys developing red flag patterns which should then be transformed to the IT programs have very difficult task. Moreover, Law is not working 100% as intended because it is always behind the real life changes and required adopted to them. BUT, general principles should be permanent, e.g. Law which was valid at the time of offence should be applied, not current law; for citizen/business what is not prohibited by law is allowed, for government (LEAs, ICs) what is not directly allowed by Law is prohibited. Conclusion: the more system is complicated, more possibility to hack it – see reason above.

-when you talk about intentions that is also not clear. As soon as intentions are going through process of delegation authority there is always distortion – that is like signal coming through many middle devices. Unfortunately, recently we see how some active groups try to impose their intentions on all others – which is wrong. That is hacking of our mind by media, other manipulation tools, fallacy you name it. Do we have a crystal ball to know REAL not declared intention? Are they both coincide totally or gap creates path for hacking?

-“We have systems in place to deal with these sorts of hacks, but they were invented when hackers were human and reflect the human pace of hack discovery. They won’t be able to withstand an AI finding dozens, or hundreds, of loopholes in financial regulations. We’re simply not ready for the speed, scale, scope, and sophistication of AI hackers.” That is probably be resolved by GAN when one AI – hacker – works against other AI-defender by multiple cycles until loopholes would be detected and patches developed. That could be applied not only for IT cases.

Anyway, thank you for Your creative approach to this problem. I wish folks like You are listened to more often by those who make decisions affecting all or most of us.

Melba November 12, 2022 6:47 PM

@ Nick Levinson,

But if you mean that the same sources would be written with the kind of logic and precision demanded of computer code

That’s exactly what I mean. And, specifically, that anything describing a computation—such as tax code—be written directly as computer code that can be executed. I share your pessimism that we can get legislators to do it. But however they describe the computations, someone at the IRS already has the job of translating that into computer code. You know all those tax forms where you fill a bunch of boxes (deductions and whatnot), add them up, multiply by some amount, etc.? A lot of that is pointless busywork, because the IRS already has a program to calculate the result from the input; and it’s their calculation that will be presumed correct if there’s any disagreement (“code is law”, as Lessig says, though one can always go through a manual appeal process).

Programs written for government use by IRS employees would be non-copyrightable on account of being “works of the United States Government”. But for all we know, they might have just bought it from Intuit, and then it could be copyrightable (depending on what Carl Malamud has to say). That’s what I mean when I say FOIA might lead to interesting results other than code.

Ted November 12, 2022 7:41 PM

Pre-ordered the book! Three months should fly by. What awesome editorial reviews on Amazon. Congrats and thank you!

Nick Levinson November 12, 2022 8:38 PM


Yes, the IRS does have that job, and the tax prep software firms have that job, too. Also, there has been public debate about forms simplification because the firms prefer that the IRS forms stay complicated. And the firms provide a service to the IRS of identifying cheating, so the IRS tends to not want to rock that boat by challenging forms complexity.

While whatever programming code the IRS uses could have the force of law, since it applies regulations and statutes those regulations and statutes, insofar as they’re law, remain law even while the programming code is applied to a person. The programming code will have legal weight, but anyone who wishes can examine the superior regulations and statutes to determine the lawfulness of the programming code and can challenge the latter in court as unauthorized by superior law.

If a private party writes programming code and protects it under copyright and the IRS adopts portions of it as law within the authority of the agency to promulgate law, I think those portions would lose copyright protection insofar as they’re law.

Writing programming code directly into statute would be somewhat like writing an operating system entirely into firmware: you could amend it but expensively and usually slowly, and meanwhile security crackers would have a field day, and they’d find a way to lobby for their favorite back doors to stay put. What was a cat-and-mouse game would become a cat-and-snail game (if cats find snails delicious).

And you’d have a problem of readability of law among people who don’t know any programming language, such as most judges, law clerks, and lawyers on both sides. What they’d do now is consult experts in programming, and they’d probably testify on the meaning of a longer passage because no one has the time for a legal interpretation of every short string (imagine a question in front of most people: what does “==” mean? we can explain it but there are plenty more of these) and interpretations of longer passages are open to disagreement between opposing experts who are not allowed to challenge each other in front of judge or jury in order to narrow a disagreement.

If the IRS refuses to release programming code under FOIA and is upheld in its refusal, perhaps as an IT security issue, that would mean that the programming code is not law, which would be interesting.

My errors in my last post: I misformatted my 3 links. My fault. At least they can be parsed.

SpaceLifeForm November 13, 2022 4:21 AM

@ Melba, Nick Levinson

re: Tax computations

Years ago, I had a math problem doing taxes.

I knew I had a math problem but I could not find the cause after many hours of review. It was not due to misreading, transpositions, or missing digits. The tax I owed was much higher than expected. I sent in the inflated balance, and I included a note that said I know there is a math problem here, but that I could not find it.

A few months later, I received a refund.

There was no explanation as to what the math problem actually was, but the IRS figured it out. They will find and fix math errors eventually, and they will correct errors in your favor. Of course, they will also tell you that if you messed up a few years ago, you may owe some back tax.

Penalties and Interest seem to only go in one direction.

Petre Peter November 13, 2022 10:30 AM

I have ordered the book. The way I first found out Professor Schneier’s name is by searching for the word “hacker” on books24x7 . I have been a reader ever since.
Thank you for everything you do and congratulations on the new book. Cannot wait to read it. Also, I hope you’ll have a reading at the Brattle Square Theater.

Tania November 13, 2022 11:48 AM


Penalties and Interest seem to only go in one direction.

I’m not sure how it works in the USA, and always throws “access denied” errors, but the Canada Revenue Agency has paid me interest many times. Last year they helpfully “corrected” my return by completely ignoring one of my inputs, and then demanded money with interest. Since they hadn’t officially rejected that input, as they’ve occasionally done, I didn’t even formally object but simply sent an adjustment request with the payment. I was surprised that they not only refunded my interest and payment, but paid interest on the amount they then retroactively owed me.

Anyway, it’s been obvious for a long time that they redo basically every calculation done by the taxpayer; excepting those where they don’t ask for the calculation’s input values, like line 12100 “Interest and other investment income”. It seems like they’ll accept my calculation if it’s within a dollar or so, but otherwise replace the number with their own. The forms want dollars and cents for everything; but many of their calculations ignore or round the cents, so small differences like that are normal. I’ve seriously considered sending the forms with all calculation results left blank, and letting them calculate the refund or ask for money; I’m pretty sure it would work.

Bruce Schneier November 13, 2022 8:08 PM

@ RatMan29:

“I don’t buy calling accountants and attorneys “black hats.” If they find a loophole and it is upheld at audit or trial, then it is a legitimate part of the rules and only shows that the accountant or attorney did a better job of understanding them than did the tax agency people who wrote them.”

Yes. Exactly. Just as hackers do a better job understanding the code than the developers do.

The NSA’s Rob Joyce said it a few years ago: “In general, Joyce noted, spies have little trouble getting into your network because they know better than you what’s on it.”

Nick Levinson November 13, 2022 10:20 PM

The scales of the two jobs vastly differ. The developers of Windows have many more criteria to meet than a cracker has.

Ditto for the leadership of a major military base and a tiger team proposing to break in. Ditto for the executives of a phone system and the phone phreaks who made free phone calls when the phone company knew how they did it but it would cost too much money to stop them.

The expense of defense is high when what is to be defended is valuable.

Evidently, some owners of valuables successfully protect what they have, so that prospective attackers look elsewhere. It was said about 40 years ago that Sweden made the prospect of invasion by either the USSR or NATO too expensive for either (I think that was in Aviation Week & Space Technology, an industry weekly). Before anyone says that NATO wouldn’t invade a friendly nation, remember that an enemy might invade and then a friend might need to counter-invade, and so friendly nations have to plan to carry out that prospect, even though it’s politically touchy in the target nation.

It’s endless.

Mafias worldwide still murder, one of their hacks of choice for getting or keeping money. Detectives, reporters, and academics have counter-hacks. Babies cry, sometimes for milk, sometimes for trivia, even when parents wish they wouldn’t. Parents have counter-hacks.

And there are counter-counter-hacks and so on. It can’t end.

Some hacks and hackers deserve prison; some, nothing; some, high honors and invitations to keep hacking. Willie Sutton, who knew where the money was, didn’t need to know how to run the places where the money was. We wouldn’t have 7.5 billion people and life and evolution wouldn’t have been here 3.5-4 billion years without hacks. Horticulture started as a hack, agriculture as a more profound one. Nuclear weapons, the threats to use them, and early Soviet space exploration and NASA’s were even more profound hacks.

Clive Robinson November 14, 2022 7:07 AM

@ Bruce, RatMan29

You appear to be ay odds over the meaning of the word hack.

“Exactly. Just as hackers do a better job understanding the code than the developers do.”

Is the technical view divorced of human assumptions of good or bad.

“I don’t buy calling accountants and attorneys “black hats.” If they find a loophole and it is upheld at audit or trial, then it is a legitimate part of the rules”

Firstly for someone to take the method to trial, they must believe the method to be illegitimate or “bad”. For a tribunal of truth to find the method within the rules is a matter of logic not apraisal of “good or bad”. It then goes back to the legislators to formulate new rules or not.

This sort of thing goes on one way or another in most jurisdictions and it is very much a waste of resources. And it’s one of the reasons “the tax code” is said to be bigger than “the criminal code”… But the tax code certainly does appear to change more frequently, and seldom for the better.

As I’ve pointed out before technical methods “are” they are neither “good or bad” that is down to the observers of the method in use.

Also we have the old issue of the word “Hacker” it was once assumed to be “good” but the press in their usual knuckleheaded way decided to make it “bad” and now prosecuters try to make it “evil” in peoples minds to get their “brownie points” for political or promotional success.

I’ll let other observers decide if that process was “Good or Bad”.

Nick Levinson November 14, 2022 9:37 AM

@Clive Robinson, @RatMan29, & @Bruce Schneier:

Adjudication of facts in light of whether the set of facts is good or bad is often part of the analysis and the conclusions drawn, because in the U.S. it is illegal to call someone a violator of law unless being a violator is established, leading to a presumption of innocence or lack of civil liability unless the presumption is overcome by the evidence.

The determination of good/bad (i.e., lawful/unlawful) is often up to the court, because legislatures often don’t have the time to do it themselves. Courts interpret statute law and, if the result is unsatisfactory, legislatures can amend statutes but usually accept the judicial decisions. While jury deliberations are not reviewed, judges’ instructions to juries are reviewed on appeals and courts’ resulting opinions supporting decisions become part of case law. Legislators and part of the public object to judge-made law, but, in practical terms, no one has a better system. Try writing a legislatable definition of “fraud” in a business context and that wouldn’t require judicial interpretation for, say, 5 years.

On the vocabulary, I distinguish between crack and hack. Bad actors are crackers. But in common usage hack is used both ways and we can’t do much about it except with our own usage and encouragement of others.

Tatütata November 14, 2022 10:38 AM

Checking out the title on the online selling platform run by one of rocket flying those gazillionaires who never oh never ever “creatively interpreted” any rules:

This title will be released on February 7, 2023.
Return policy: Returnable until Jan 31, 2023

One of the professional nitpickers over at the Graun has a problem with the expressions “artificial intelligence” and “AI”. According to the author, these are not equivalent, with the latter being a heavily promoted industry shorthand for “machine learning”, which isn’t quite the same thing:

But is there even a thing like “natural intelligence”?

lurker November 14, 2022 11:37 AM

I thought RatMan29 was objecting to the black colour of the hat implying something nefarious in the activities of the accountants and attorneys. Because we usually describe the colour of the hat depending on who is paying for it.

Do any of the accounts and attorneys who pentest and code analyse IRS make responsible disclosure to the govt? Those might qualify as white hats . . .

Clive Robinson November 14, 2022 11:44 AM

@ Tatütata,

“But is there even a thing like “natural intelligence”?”

As we’ve not come up with a fool proof definition of “intelligence” the logical conclusion is “NO”

I however regard the quest for a definition of inteligence rather like that of a definition of a deity.

Both are a moving target and both are not just artifacts but reflections of mankind.

Look at it this way, if mankind did not exist would there be a need for inteligence and deities?

JonKnowsNothing November 14, 2022 12:32 PM

@lurker, All

re: accounts and attorneys … make responsible disclosure to the govt

Yes, but not in the way you might think, such as sending a Bug Report In. Accountants and Lawyers know Accounting Practices and Legal Enacted Legislation. They may cross train but are not that often code jockeys looking for a bit-overrun.

Those types of items are under the purview of the IRS or other legal agency and whatever QA they use or don’t. Hence zero days are not rare. Every iteration of any update on a system can introduce a zero day effect.

The “loophole” is the direct understanding of what is not only in the legislation but also how it is taxed. It’s 2 different paths that may intersect. Items by law that require disclosure get listed on a specific reporting document. Items that get taxed are listed on a different document. When an item is exempt from taxation or a particular piece of legislation details that it’s not included in a taxable item that’s where the accounting and legal professions intersect.

Because no one likes taxation, which is the extraction of assets for government redistribution to government authorized groups (military etc) there is a constant hunt for items that can avoid being taxed and/or how to qualify an item to have reduced tax status.

Some of this goes into programming but the zero day problem belongs to the programming staff. If something gets misclassified that’s a problem that often crops up years later with unpleasant effects.

Deliberate misclassification is illegal for these sorts of documents and the news often reports the penalties assigned to the behavior. Criminal actions, those that are proscribed have the same results.

So the good-bad actor is the difference between

  • Legal Activities and Legal Accounting Methods


  • Deliberate Falsehoods and Criminal Endeavors

ex: If the law says Cooked Chicken is taxable and Uncooked Chicken is non-taxable:

  • Cooked Chicken falls into the legal reasoning behind Wages and Earnings tax laws
  • Uncooked Chicken is defined as Food Item and falls into a different tax category.

If your client is a restaurant or chain or mega chain restaurant, purveyor of food items, caterer or event provider or commissary for Olympics, sports or other huge consumers of cooked foods, you are going to focus on reducing the tax burden. You may not be able to reduce the reporting. If Cooked Chicken s taxable, JIT supplies of uncooked chicken can reduce the tax burden.

If your client is a farmer raising chickens, the problem is getting the restaurants to take them before they out grow their best-kill-by dates. (1) That is matched with income taxation on the sale of chickens.

There is a reporting and taxation difference if the birds are sold Q4 or held to Q1. If you are raising turkeys or geese for holidays, there is less demand in Q1 but a lot of demand in Q4. The time slot the sale is recorded in impacts how much you pay to the IRS.

The sorts of problems under discussion are far more complicated both in reporting and in taxation rules. Nearly all these rules in the USA are provided by lobbying groups. They write up “sample code” and hand it over to their favorite politician working in the desired committee. This “sample code” is often adopted as law and tax law verbatim. No one really reads the details and the summary page is well designed talking-point-babble.

We all know about “programming sample code”, “legal and taxation sample code” has pretty much the same result.


1) Coq au vin needed cooking in wine stock for hours for a reason. The old rooster was a tough bird.

MarkH November 14, 2022 5:22 PM


we’ve not come up with a fool proof definition of “intelligence”

I’ve certainly never seen a precise definition. In spite of this, there is a fraudulent industry devoted to measuring “intelligence” and “scholastic aptitude” with 2 or 3 decimals of precision. Among these scammers, the de facto definition of intelligence is “that which is measured by intelligence tests.”

When I denounced this fraud in an online forum, I got some pushback from a participant who wrote like an industry insider, insisting that various intelligence measures are known to be valid, because they supposedly correlate with a magical quality identified by a letter (g if I recall correctly).

I replied that this was simply reframing the fraud to “g is that which is measured by intelligence tests.”

Clive Robinson November 14, 2022 7:32 PM

@ Mark H, Tatütata, ALL,

Re : Inteligence Tests.

“because they supposedly correlate with a magical quality identified by a letter”

As far as I am aware the only thing “Intelligence Tests” have been scientifically tested to show is the “racism” of the designers from the IQ test onwards.

In fact every time I read about AI systems being susceptable to the myriad of biases that have been found and used on them it reminds me of just how long anything with “Intelligence” in the title has been used for political or worse objectives.

But then having passed such tests with sufficient marks to get me into Mensa and the like. And… having gone once or twice and got such a bad impression I never joined, I guess you could say I was biased 😉

Clive Robinson November 14, 2022 8:01 PM

@ JonKnowsNothing, lurker, ALL,

Re : Tax on food


“ex: If the law says Cooked Chicken is taxable and Uncooked Chicken is non-taxable”

Reminds my of a long running case in the UK the tax man eventually lost.

It all starts with what sounds like the start of a joke (and to many it was),

Q : When is a biscuit not a biscuit?
A : When it’s a cake.

The dainty in question was the Jaffa Cake. A confection made of a sponge base, with a blob of marmalade on top, covered with a layer of dark chocolate.

The recipe sounds like that of a sponge cake and is. However the Jaffa Cake was made in the same size as a chocolate biscuit and sold in a tube much like choclate biscuits often are.

The tax man decided that it was a biscuit thus subject to years of back tax called VAT. There was no way the company could aford to pay VAT so they fought back.

There were many arguments for and against the cakes being biscuits, but the one that caught the eye of the public was a simple argument,

“If left on a plate cakes go from soft to hard, where as biscuits go from hard to soft”

Apparently the idea of that as a test struck a cord with the judge and so now more than thirty years later Jaffa cakes are still cakes.

You can read more at,

But beware it asks you for cookies 😉

Tatütata November 14, 2022 9:52 PM

A close relative of mine deals in dairy products and sugar, and is a master of customs tariffs and import quotas in most major world markets. Blending your ingredients right, or getting them across the border in a more, or less, processed state, can get you to from a punitive duty to a SIC (international Standard Industrial Classification) code with a very favorable rate.

Playing the system? It’s as if the politicks designed in the loopholes from the outset…

MarkH November 15, 2022 12:41 AM


The late (and sorely missed) paleontologist and evolutionist Stephen Jay Gould wrote a thorough account of racist origins of intelligence testing, The Mismeasure of Man.

He perhaps went too far in some of his arguments, but the generations-long linkage between such testing, racial supremacism, and “eugenics” is historical fact.

Clive Robinson November 15, 2022 12:56 AM

@ MarkH,

Re : Past, Present and future.

“the generations-long linkage between such testing, racial supremacism, and “eugenics” is historical fact.”

Yes and as we are reading about AI / ML introduced in the various law enforcment processes it’s certainly current fact as well just in a different form.

As to the future, I’ll be honest with you, from what I can see as long as there is money, and politics involved, and systems that can be biased obviously available then I would expect it to get worse with time, a lot worse.

Winter November 15, 2022 1:18 AM


He perhaps went too far in some of his arguments,

No, he didn’t.

IQ was developed to chart educational progress of children. The aim was to look for remediation of deficiencies. And that is the only effective use of IQ: Improving educational choices of school children.

In the USA, IQ was captured by eugenetics, and there it stayed captive to this day.

In academia (in Europe, at least) absolutely no one is interested in the IQ of students, or post-docs. A smart student is one who does smart things. How this person performs on an IQ test is generally unknown.

Myra November 15, 2022 10:35 AM

With regards to the taxation of food, the Canada Revenue Agency has a 35-page guide: GST/HST memorandum 4.3: Basic Groceries [PDF].

The rules are pretty complicated, and in some cases one can only guess whether an item from the grocery store shelf will attract tax at the checkout (in many provinces, it’s most common to list pre-tax prices). For example, chips a.k.a. crisps are fully taxable whereas crackers are zero-rated, and item 58 gives six examples of items “in between”: some taxable, some not—”It should be noted that no one factor is determinative of the tax status of a product and changes in the labelling, packaging and/or marketing would not necessarily [but could] result in a different tax status. All factors must be considered”. Occasionally, some items attract federal but not provincial tax, or vice versa; one could pay 0%, 5%, 8%, or 13%.

Some commonly known rules:

  • Doughnuts, muffins, etc. are taxable in amounts less than six, and zero-rated when buying six or more (item 87; watch out for 4-packs in the grocery store!).
  • Unsalted nuts and boxes of salt are both zero-rated, but you’ll be paying the government an extra 13% if you’re too lazy to combine them yourself.

JonKnowsNothing November 15, 2022 3:08 PM


re: The Mulitplex of Tax and Legal Rules

It’s pretty easy to see how complicated the issues become when the definition of cookie-cracker-biscuit (which in the USA we feed to dogs) drive tax revenues. Without taxation there isn’t much reason to fight over the classification, except perhaps brand names.

To hark back to an earlier question:

  • Does the biscuit maker have a duty to pre-advise the government that the biscuit may actually be a cake?

This is before any needed reporting such as Health Codes or complying with Supply Store Sanitation requirements.

  • If I make my cake aka biscuit, do I need to report “I made a biscuit?”

So, consider why would we make this a pre-annoucment requirement for software or hardware? Why would it even be a consideration at all?

Taxation requires it.

If the item isn’t taxed there is less need for the lobby-law-of-the-day to be handed over to favored politician in the committee of interest to be used verbatim as a “hard definition declaration” of “Hey, I wire wrapped a keyboard and I used 6″ of wire and 1″ of solder”.

Taxation, an interesting topic on its own, isn’t just what’s filed at the end of year, or taken out of pockets, its what Is Not taken out of pockets (cookies-biscuits-cakes). It’s about restricting items to particular categories where items are mutually exclusive of other designations (Bordeaux wine cannot be produced in California).

Taxation and Designation are methods of gaining monopoly power in a market.

  • Is it milk if it from almonds, soy or oats?
  • Is it milk if it is colored white?

Like all things in modern times, and ancient ones too, follow the money and who gets to keep the King’s Ransom and who gets to pay for the King’s Ransom.


http s://en.wikipedia.or g/wiki/Plant_milk

http s://en.wikipedia.or g/wiki/Plant_milk#Europe

http s://en.wikipedia.or g/wiki/Plant_milk#United_States

(url fractured)

Nick Levinson November 16, 2022 12:39 AM

@Melba: Perhaps they did request and were refused on an IT security ground. I recently asked for some field names under a State equivalent of FOIA and was refused on such a ground. My request was not about law but the IRS might refuse even for law because of an IT security concern. It might be a misplaced concern and the decision might be unlawful, but going to court can be costly. Neither the people making the administrative decision nor the courts need be proficient in IT security; it would be up to the parties, especially the requester or plaintiff, to persuasively educate the decision-makers about IT security, no easy task.

SpaceLifeForm November 16, 2022 2:43 AM

@ Tatütata

Should we crowdfund a copy of “Back to the Future” for Bezos?

He is broke, and is going to fire 10K employees so he will be in position to give away his Billions to charity.

Pick a bridge, any bridge you want.

Except the Brooklyn bridge.

name.withheld.for.obvious.reasons November 16, 2022 3:38 AM

Thoughts on your book Bruce,

Okay, I’ll bite. In order to torpedo my maligned thinking, I’ll expose myself to the deluge of “WTF” are you talking about as I express what your book brings to mind for me. I will be subjective, surely, informative, somewhat, and relevant–maybe. You have had a knack of doing this with three prior books. I beginning to not like your book titles (sarcasm w/subtle concern) and subtitles. And of those, the concerning part is either in the title or the subtitle, but not both. Except for the book titled “Click Here to Kill Everybody”. I do have all your books but will not assert I am a fanboy. I have other authors and mathematicians I stalk (I mean follow), including the dead William Shakespeare (not the living one). I tried following him on twitter recently…seems he has made a comeback.

As a quick comment to your work here Bruce, it was in 2000 that I posited a thesis, formally, that was foundational (in my mind, for what that is worth) concerning the risk to society where the landscape of instruments (what ever it might describe) becomes one of war. A concept I termed “KnowFare”. I used to joke with my daughter, “Don’t make me weaponize this toaster.” Kind of a modern day replacement for ,”Don’t make me pull over this car and stop!”

Central to the thesis, the operationalism of a multitude of cross domain areas of society to be exploited at every level. A systematic approach that takes every element of human activity and codifies a means and the methods to exploit theses systems to whatever ends. I didn’t do this as a leading theory, as I’d had some experience in working with AI in some form in the 90’s. Mostly the work was along the lines of “genetic” programming. It was at this point some obvious idiosyncratic elements of artificial “something, something, something” dropped out. An early epiphany, I suggested to a colleague that generative DNA, conceptual, might be something to experiment with. It was the stare back that told me where I stood…get out. My simplest explanation, instead of helical, spherical toroidal protein chains–and that’s not the weird part. Anyway…got off track a little. As I pre-warned.

My work was not centered on the future of “Artificial Intelligence” but of “Artificial Organizing”. Where systems defeat even the most ardent human driven systems in favor of “what?” That is the open question, not what AI is, but what AI does if and when achieved. The good news, we are way off. The bad news, people will make systems believing they have some form of AI, but in fact have some Frankenstein version that they are not completely sure of or confident about…we know where this leads. You can think of it in terms of collective thought with collective action (conscious and unconscious) all simultaneously with both individuals and groups with whatever alignment you prefer.

My play on words with this one is “You are either with us or you are us”. A truly one-dimensional plane of existence. To reach consciousness is to be able to do more than just look into a mirror and not be frightened. But more concerning, looking in the mirror every day and being frightened every time? Eventually any response under this condition will not be good–I am betting. And I don’t gamble.

name.withheld.for.obvious.reasons November 17, 2022 1:10 AM

A quick followup, years ago I’d encouraged me mum, she lived in Cambridge, to pursue legal research from a formal perspective. Formalism in law is rare, research tends to be centered around empirical studies and less about define how law may be tested and interrogated. Her work centered on miscarriages of justice, and she ran up against some of the most massive schemes and corruption. I believed I shared a bit of it here, revealing and making plain how English Charter Law underpins the majority of institutional systems. It is a form of “dark organizing”, your front street shop seems okay but what Charter sits behind it.

So, based on this discussion, I am a fan of crafting a model of law. The basis of legal instruments, their functions, methodologies, practices, application and their causal relationship within the context of the individual and the society at large. Law is typically compartmentalized and specialized to a degree that makes it seem opaque. Hell, just procedural court rules are enough to get one twisted in several pretzels at once.

Law is also non-uniform by its very nature, law is highly cultural. It is as if when in a specific country, gravitational forces are dissimilar. In France, law has about 1.05 g’s, in Germany something on the order of 1.01 g’s, in the U.S. I understand there to be negative g forces (like -6 or -7) depending on whether your are in a Red or Blue state (or the state of confusion, just west of New Jersey). And in Rome, “What is gravity…have you been talking with that Galileo fellow?” Followed by, “We have strongly suggested that he STFU, or else.”

Melba November 17, 2022 9:10 AM

@ Nick Levinson,

Perhaps they did request and were refused on an IT security ground.

It’s definitely possible, but if it happened, they’re being quiet about it. I’d think if someone tried to do this for the benefit of the public (as for a free software project) they’d have told the public about any rejected request, and the news media would’ve picked it up. Web searching reveals nothing. And as hinted, there are people such as Carl Malamud and the MuckRock organization that are interested in Freedom of Information matters and might be willing to drive a lawsuit for something that benefits the public; they’ve done so before.

So, my guess is that if anyone requested the IRS’s tax calculation software, it was some rich person, or their accountant or tax lawyer, looking for ways to hack the tax code—which most don’t like to talk about publically. Or a company that writes proprietary tax software, and wouldn’t want to alert their competitors to a labor-saving hack.

“Meta-FOIAing” is an interesting hack that people have used successfully before, and could be used here: send a request for the list of FOIA requests received by the IRS regarding any of their software. The IRS could hide the requester names and addresses under privacy rules, but would have no valid reason to hide the general content of the requests or responses—the latter having already had any necessary redactions applied. Were I American, I might have tried these things.

A meta-meta FOIA hack is to take the returned list of FOIA requests and responses, and have someone re-request something without mentioning the previous request. People have done this and received differently-redacted material, revealing things that were redacted the first time and redacting things that were not.

&ers November 17, 2022 11:31 AM


The big problem that i see is that people assign to
“AI” extraordinary or even extraterrestrial power,
skills and capabilities. AI can’t think on its own, it
can only follow the patterns humans have designed for them. Nothing
more, nothing less. Because humans have flaws in thinking and design,
AI has too. They are our product. But they can’t think on their own.
Yes, AI can do things in lighting speed but
beyond that it is still more stupid than any clever human.

And i still like to add here the quote from one of my favorite

“It’s strange how hackers’ minds work. You might think that white hat hackers
would be on one end of the spectrum and black hat hackers on the other. On
the contrary, they are both at the same end of the spectrum, with the rest of
the world on the other end. There really is no difference between responsible
hacking and evil hacking. Either way, it’s hacking. The only difference is the content. Perhaps that’s why it’s so natural for a black hat to go white, and why it’s so easy for a white hat to go black. The line between the two is fine, mostly defined by ethics and law. To the hacker, ethics and laws have holes, just like anything else.

Many security companies like to hire reformed hackers. The truth is that there is no such thing as a reformed hacker. These hackers may have their focus redirected and their rewards changed, but they are never reformed. Getting paid to hack doesn’t make them any less of a hacker.”

Now, is there any example/free chapter to read for us, loyal visitors and contributors?

Clive Robinson November 17, 2022 9:05 PM

@ &ers, Bruce, ALL,

Re : Hackers good or bad.

From the quote,

“There really is no difference between responsible
hacking and evil hacking. Either way, it’s hacking. The only difference is the content. “

Actually as any hardened hacker will tell you it’s not even the content.

The reality is “the hack” is not good or bad, it just is. “Good v. Bad” is a “Point of View” based entirely on social assumptions made by third party observers, often long after the fact when context is gone or misrepresented. Which also means that “Responsible v. Evil” is again just a point of view bassed on incomplete information.

As for AI, quite a number of years ago I pointed out to this blogs readers how to lie by telling the truth.

You have to understand that in real life events, there is only the event, the players and the observers of the event. Importantly for any number of observers each one’s point of view is “their” truth, which means there is always at least one more truth that is not observed but comes from inside the event, but importantly it is neither observed or recorded.

All those observed truths are by definition different, thus the question,

“Which of these multiple observer truths is ‘most true’?”

Remember it is based, not on the event, but the opinion of an observer, of the observers usually baddly recalled points of view of the event.

The trick is that humans are bad at recall for many reasons, but one is they want to please combined with self deception.

By asking them questions, most people want to please the questioner rather than be dispassionate in their recall. This causes a feedback process where their very malleable memory starts to align with the questions… In time the memory of the event is nolonger the observation of the event at the time of the event.

One observer can do the same to another observer by simply saying things differently. For instance we all know that colour is not just subjective, but changes not just due to lighting conditions but as you look at it (try staring at red for a while then looking at white, it appears as a different colour that fades to white).

So one observer thinks “dark-blue” and one or more other observers say “black” or some other dark colour and that original observer has their memory slightly changed. With repeated saying over time the observer will start thinking “blackish-blue” or simillar then just “blackish” etc.

If you change your “observed truth” and say it often enough then it not only becomes “your truth” it becomes “others truth”. Thus lies become truth, something those in law enforcment are well aware of and to many take advantage of…

This is analagous to what happens to some AI systems.

Nick Levinson November 17, 2022 10:53 PM


You may easily be ahead of me on FOIA.

While agencies may keep summaries or logs of FOIA requests and their responses, I doubt they have to, and, as of the last time I heard about this, FOIA doesn’t require creating records. Someone could request copies of the requests themselves (I’ve gotten a file of people’s letters commenting on a proposed regulation and they included sender info) but that could quickly get expensive due to a page count.

I also don’t recall that FOIA is only for Americans, although there was political debate about that regarding national security records after the U.S.S.R. used FOIA to get some, probably from the U.S. military, and perhaps something was amended on point.

If a request had failed, the requesting organization may well publicize it, but I doubt most other media would pick up the story, even if the media had not shrunk over recent years. The news I see includes daily fluff about cats and women’s bodies but not a syllable about FOIA.

Melba November 18, 2022 12:13 AM

@ Nick Levinson,

While agencies may keep summaries or logs of FOIA requests and their responses, I doubt they have to, and, as of the last time I heard about this, FOIA doesn’t require creating records.

Apparently FOIA requires e-mails to be kept for at least 3 years, and e-mail is a common way to send FOIA requests. The law also requires publication of records “that have been requested 3 or more times”, and of various statistics—requirements that, in the absence of a simple request log, would require more cleverness than we might expect from the government.

that could quickly get expensive due to a page count.

The FOIA Improvement Act of 2016 appears to ban fees in many circumstances, and one can request waivers; if you’re using Muckrock, they should count as “a representative of the news media” for this purpose.

I also don’t recall that FOIA is only for Americans

I think you’re right, but the information would be of limited use to people who (like me) aren’t subject to US taxation and aren’t planning to write US tax software.

If a request had failed, the requesting organization may well publicize it, but I doubt most other media would pick up the story

Not the general media, no, but perhaps someone like Techdirt or LWN or the Free Software Foundation. Techdirt has run quite a few stories relating to FOIA requests and government handling thereof, which is probably where I saw the “meta” hacks.

name.withheld.for.obvious.reasons November 18, 2022 5:07 AM

I swore not to post here again, but, think of it as a receipt. Pre-ordered your book today Bruce. I look forward to reading it. It’d be great to see you on Book TV with Brian Lamb interviewing you on your work. I think he’d have some excellent questions for you.

Seeing what direction, context, and destination your thoughts lead you to and how you expressed them is a “future” treat. It will be another drive-by on the highway of ignorance for most. People will read your book and say “But what are you telling me, do I need to understand? This appears to be work!” But I don’t believe or understand that your writing is particular targeted to beer guzzling hot dog eaters at a Sunday barbecue in Buffalo at Bill’s parking lot before a game.

That’s my receipt

PotentialCustomer January 2, 2023 10:43 AM

@Bruce Schneier:

Are there any plans for translation of “A Hacker’s Mind”, especially into German?


Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.