> Goals for Hacking for Defense

> A decade ago, our goal for the class was to teach students Lean Innovation methods while they engaged in national public service. We wanted to familiarize students with the military as a profession and help them better understand its expertise, and its role in society. We also hoped the class would show our sponsors a methodology that builds problem understanding before writing requirements.

> The class still does all this, but now that the DoW is buying from startups and defense venture capital is abundant, the class has turned into a national security incubator. Most of our teams form defense companies.

And so I think there’s a meaningful difference between the app donating all the data automatically, vs making the data available to the user who is free to share what they want.

> PCC delivers a powerful server model without compromising privacy: data is never stored, used only for the request, and independently verified. It's integrated with the OS and iCloud, so there's no authentication or API keys, no token cost to developers, a daily per-user limit (higher with iCloud+), and eligibility for apps under 2M downloads.

Source: summary on https://developer.apple.com/videos/play/wwdc2026/319/

I haven’t seen any information about what’s happening with apps over 2M downloads, who graduate from the Small Business Program. https://developer.apple.com/app-store/small-business-program...

I saw that. Maybe you’re unfamiliar with Apple’s Private Compute Cloud? It’s intended to allow cloud computation on data without making the data available to anyone, which I think backs up my interpretation that apple’s stance is “no one should have this data, not even us”

This is from https://security.apple.com/documentation/private-cloud-compu...

We designed Private Cloud Compute with core requirements that go beyond traditional models of cloud AI security:

* Stateless computation on personal user data: PCC must use the personal user data that it receives exclusively for the purpose of fulfilling the user’s request. User data must not be accessible after the response is returned to the user.

* Enforceable guarantees: It must be possible to constrain and analyze all the components that critically contribute to the guarantees of the overall PCC system.

* No privileged runtime access: PCC must not contain privileged interfaces that might enable Apple site reliability staff to bypass PCC privacy guarantees.

* Non-targetability: An attacker should not be able to attempt to compromise personal data that belongs to specific, targeted PCC users without attempting a broad compromise of the entire PCC system.

* Verifiable transparency: Security researchers need to be able to verify, with a high degree of confidence, that our privacy and security guarantees for PCC match our public promises.

- - - -

Second, according to their press release ([1] and a sibling comment elsewhere in this chain), they’ve been trying to find a way to allow interoperability without giving full access to everything. Unsuccessfully, so far. So it’ll be interesting to see where it goes, but I’m sympathetic to their current stance.

[1] https://www.apple.com/newsroom/2026/06/due-to-dma-siri-ai-de...

Their presentations talked about how it was based on the user’s quota, with higher quotas for iCloud+ subscribers.

One reason is that the data on a user’s phone isn’t solely owned by them. Some of it is shared with other people, or “belongs” to someone else: chat, email, shared documents, photos of people, contact information, etc.

In a corporate environment, this is more explicit: you have access to company information, so the IT department controls what apps you can install / run, because individual EEs won’t always make the best choices.

Second, I think app developers are more likely to share more data, if they know that the shared data doesn’t leave the user’s control. And that (presumably) makes the feature work better. If I’m developing an app, I’ll think twice about indexing any sensitive data, if I don’t know where it was going to end up.

> Apple’s most powerful on-device model and the features it enables, like expressive voices and more advanced dictation, […]

On other devices, I think there’s still on device support (just not with the “most powerful model”), for these devices:

> Apple Intelligence and Siri AI in iOS 27, iPadOS 27, macOS 27, watchOS 27, and visionOS 27 are available on iPhone 16 models or later, iPhone 15 Pro, iPhone 15 Pro Max, iPad mini (A17 Pro), MacBook Neo (A18 Pro), iPad models with M1 or later, Mac with M1 or later, Apple Vision Pro, Apple Watch Series 9 or later, Apple Watch Ultra 2 or later, and Apple Watch SE 3 when paired with an Apple Intelligence-enabled iPhone nearby.

This is from the footnotes on https://www.apple.com/newsroom/2026/06/apple-introduces-siri...

I do wish they’d been more clear about what the “advanced features” are :(

So, where developers comply, all of that content is now accessible to those alternative implementations.

It’s not full read/write of the phone, and it’d exclude obvious secrets like passwords, but it is quite far reaching access.

I don’t know what sort of restrictions they can put on the alternative implementations. Can I vibe code one and have it live in a week? or is there a minimum bar?

I suspect if you paid apple enough money, and were willing to prove that your personal Private Cloud Compute did meet their requirements, it wouldn’t be impossible.

For example, if I’m maintaining a secure chat app, I think I’d be more likely to adopt the APIs to share the chat messages with the system AI due to Apple’s promises that the data will either be processed On Device, or in their Private Compute Cloud.

If I instead believe that sharing the chat messages with the system AI would cause those messages to be sent to unknown-to-me other entities, I think I’d be less likely to participate in the new API.

This user might be okay with their data going to this other provider, but what about the people they’re messaging? I have a responsibility and a commitment to _all_ of my users to protect their data.

I might not be able to control what any specific user does with the data, but proactively writing the code that sends the chat messages to this other system is something that I have control over.

“Make your reminder app’s actions available to Apple Intelligence and Siri by adopting schemas for common reminder actions.”

https://developer.apple.com/documentation/appintents/app-sch...

https://developer.apple.com/videos/play/wwdc2026/240

https://data.stackexchange.com/stackoverflow/revision/193252...

On the other hand, I view my kindle as an appliance, and I don’t need it to have updated functionality. I think this is true of many electronics: digital cameras, printers, misc USB peripherals, etc. I believe Amazon could easily support the APIs it uses, and keep delivering me books that I’ve paid for or borrowed.

Financially, I suspect the kindle devices have a much longer lifetime than iPhones do, and Amazon is still making $$ off of old kindles.

If there were TLS concerns, a partial disablement (ex: can’t buy books from the device) would be way more acceptable than a complete cutoff. I’ve seen suggestions that it’s a DRM issue, and if that’s the primary motivation, it’s pretty disappointing.

I’m usually trying to find the smallest practical change to accomplish my goal: giving them less to review / consider, and keeping the architecture close to their preferred style.

Maybe that changes in the AI coded future

It covers a variety of times people might use it. Sometimes it's genuine, other times it's flattery. Some people use it all the time (and in the episode they talk about calling someone on it). One guest says it's a bridge, to go from the question asked to the question you want to answer instead.

I don't see it in this transcript, but I also thought I remembered hearing/reading that it can be a sign the speaker doesn't know the answer offhand, and needs to consider the question to formulate their answer. I think I'd classify that as a genuine usage: the question is something the speaker hasn't considered before, and thinks is worthy of consideration.

[1] https://freakonomics.com/podcast/thats-a-great-question-rebr...

I finally paid for my v15 upgrade ~2 weeks ago, so I wish I could take the credit for the v16 release. But given their long standing, generous policy of giving an updated license if you bought in the last N months (Nov 1st 2025 this time!), I'm actually in great shape and the meme falls very flat.

I agree with the claim of negligence. I think they were more than happy to reap the benefits of a thriving community plugin ecosystem, and were hoping this page would provide enough CYA when security breaches inevitably occurred.

> TIP: If you're working with sensitive data and wish to install a community plugin, we recommend that you perform an independent security audit on the plugin before using it.

I wonder just how many plugins received a security audit.

https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

https://developer.apple.com/news/?id=huqjyh7k