Why would self-driving cars destroy the insurance industry?
Even if we ignore the ability of incumbents to fight bitter rearguard actions for years or decades when their economic interests are threatened; it's not as though self-driving actually changes the basic risks associated with cars. In an ideal world, automated cars may be more reliable than human drivers, certainly less likely to be drunk or exhausted; but unless they somehow achieve infallibility, there will still be periodic accidents. And the whole point of car insurance(and the fact that it is generally mandatory) is that a car accident can easily cause more damage than most operators can afford to pay for, especially if injuries or deaths stack up in addition to mechanical damage.
Nothing about the self-driving-ness changes any of this. It might change the determination of who is at fault; or increase the number of 'no culpability can be assigned' situations; but it will still be a situation of occasional ruinously expensive incidents with long periods of quiet, which is more or less exactly what insurance is constructed to cover.
There will, presumably, be lots of fun arguing over who exactly carries the insurance, and what sorts of failure modes become the vendor's problem vs. the 'known risks' that the operator takes in using an automated vehicle on the road; but the same basic factors are in play.
What will probably change is the flavor of actuarial data-mining that is popular: currently, it's all about scrutinizing the driver for direct and indirect signs of riskiness. If the driver isn't driving, they'll presumably shift to exhaustive scrutiny of system maintenance and where/when the vehicle is operated(since some roads and times of day will just be more risky than others). Insurers mapping out 'high-risk' zones and charging people who travel in them more definitely won't go badly or upset anyone. Not at all.
I'm not in favor of more drug testing; but my impression of the bill was that it wasn't actually looking to advance its stated agenda; but to emphasize how much we put up with the current state of affairs only because it targets irrelevant people that nobody likes, rather than gunning for recipients of tax credits who actually count.
Sometimes, when a bad policy has been hanging on by selectively targeting those least able to do anything about it, arguing for its expansion can be the most effective way of forcing a confrontation. So long as drug testing is only going to affect filthy poor people in public housing and repulsive welfare parasites, it's political catnip for everyone outside of core liberal bleeding hearts(plus, in at least the Florida case, his wife owned the company doing the testing...).
If everyone looking to write off mortgage-related stuff on their taxes, or filling out a FAFSA for some federally backed student loans were expected to piss where Uncle Sam tells them to, there would be less happiness with the idea.
Obviously, the correct approach is "Don't drug test anyone outside of performance critical situations"; but this proposal seems like a reasonable way to point out one of the (numerous) ways we identify some people as presumptively scum until exhaustively proven otherwise; and others as presumptively guiltless until they really screw up(at which point the loss of standing caused by the case is punishment enough...)
Also worth considering that, even if you hate filthy poor people and criminals and such with a righteous passion; people nobody cares much about tend to be the beta testers for bad ideas that will eventually come to be imposed on the more 'respectable', usually starting with the ones that have less economic leverage. In this case, that's already mostly happened: mandatory drug testing of employees is pretty widespread, even in areas that aren't safety critical, and for metabolites that tell you nothing about the user's impairment on the job.
As a heuristic, you could do a lot worse when evaluating a law than asking "Would I approve if this law were applied to people I sympathize with?"
Slashdot poster "Fuzzyfuzzyfungus" highly confident that FBI director Jame Comey doesn't appear to know a goddamn thing about the guy his agency investigated at least twice; but knows to blame the 'internet' thing that damn kids are always getting terrorist propaganda and strong encryption from.
Yes, applying network surveillance tools to systems you own and administer and applying them to every hapless bastard who relies on your ISP are different things.
It's not news that 'admin tools' and 'malice' have broad technical overlap; both are designed for easy and powerful control over a whole bunch of systems; but whether or not you are th legitimate admin is an obvious distinction between surveillance and security and 'remoteadministration' vs. remote access Trojan.
Bluecoat's products certainly can be used for internal security applications; but it's a matter of record that they can and have been used for widespread surveillance by deeply unsavory state actors with nothing but the thinnest excuses from the vendor.
In theory the legitimate users of these sorts of MiTM boxes aren't supposed to need an actual intermediate CA cert because they are only MiTMing devices that they administer, so they simply use their own internal trusted cert and configure their devices to trust it.
That's why Bluecoat being handed a fully loaded Verisign intermediate CA cert is so disturbing; and Symantec's unwillingness to do anything but bullshit about it so disturbing.
MiTM-ing SSL traffic is one thing if it is from devices you have legitimate administrative access to; but when you have legitimate administrative access it's trivial to configure the clients to trust your certificate so you don't need anything special. The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.
Symantec's PR bullshit is not reassuring:
"“What the certificate does not give them the ability to do is issue public certificates to other organizations," Gideon said. "That's the big misunderstanding.”
“This intermediate CA is for their private servers only,” she wrote."
That's cute and all; except that the actual certificate contains no such restrictions whatsoever, and can be used to sign basically anything if the target trusts Verisign; and it's an 'internal testing' certificate that somehow needs to be valid until 2025...
The only upside to all this is that Symantec has an astonishingly powerful ability to turn everything they acquire into utter shit. This doesn't make one of the world's major SSL CAs owning a sleazy SSL MiTM appliance vendor any less disturbing; but it at least means that the various malefactors using Bluecoat products to exploit us will have an incrementally more miserable time.
Just more fuel on the "trusting 'trusted' CAs just doesn't cut it" fire.
What can you actually do with a stolen iphone at this point?
There are presumably markets where IMEI blacklists won't cause you any trouble(or you can use the thing as a glorified ipod touch); but Apple presumably has knowledge of serial numbers/device IDs/etc. and there aren't a lot of alternatives for things like iOS updates Indeed, if they felt like it, Apple would be in an excellent position to brick the devices if they ever made the mistake of accepting an update from Apple.
Do they just part them out? Are their actually still jailbreaks and such for the newer models good enough that you can operate one outside of Apple's sight? Do you just resell them to optimistic idiots looking for suspiciously good deals on idevices and make this their problem?
I can see that 'compact, expensive, widely desired' are all good qualities in a theft target; but 'bristling with radios and globally unique IDs burned into the hardware and firmware; and nearly impossible to use without the vendor's continued cooperation' seem like egregiously bad qualities.
If some of the disasters from the previous console generation are anything to go by(did they ever get Skyrim actually working properly on the PS3?), there is a real risk that the original will be 'supported' rather than actually supported by at least some games; at least if it becomes popular enough to be the favored target platform.
It wouldn't be a huge surprise if it doesn't gain that much traction(attempts to update consoles between 'generations' have historically gone pretty poorly); in which case it'll be the 'Neo' that becomes a dubious value, since 4k video playback is pretty niche; and since even the fastest gaming PCs money can buy struggle under the demands of 4k resolution on modern titles with all the pretty sliders cranked up, the 'Neo' has very little chance of actually delivering '4k gaming' without serious compromises(though it could quite plausibly be a substantial improvement on the base PS4).
They were rolled in as part of The War On Drugs; so they've been afforded a very generous hearing.
It didn't help that, after Reagan signed the Comprehensive Crime Control Act in 1984, the police departments doing the seizing got to keep a substantial cut of the take. The legal theories involved go back considerably further; but the change in incentive structure was what created a...downright gleeful...enthusiasm for the practice among LEOs.
Some of the most visible characters involved either run or work with the "Desert Snow" outfit which does training on how to identifiy the juicy targets; and the associated "Black Asphalt Electronic Networking System", which is essentially a cop social network for trading tips and tales of highway robbery.
It would be useful to know what the relationship between "number of ports open" and "number of ports actually being used" is.
A port with something listening on it is always going to be more vulnerable than one without, since there might be some defect in the listening application that could be exploited by bouncing the right input off it; but that is likely a lower risk than the fairly egregious "If you remotely connect via telnet or VNC anyone can just sniff your password off the wire" problem.
If the problem is with the configuration on the server side, telnet isn't really any more dangerous than SSH, since both will horribly fail to stop somebody guessing root's weak password; but with telnet anyone actually trying to use it is leaking information to anyone with access to the wire; while with encrypted protocols you at least have to screw up to be vulnerable.
It's a real pity about VNC. It can be made secure(Apple's "ARD" is pretty much VNC with their authentication bolted on); but none of the widely available and interoperable implementations are remotely safe unless SSH tunnelled or the like.
They were pretty good at providing 'smart network' stuff to support mobile devices that were too feeble to do much on their own.
That isn't trivial, there have been some embarrassing failures(eg. what happened when Microsoft tried to upgrade the SAN backing Sidekick services) and Blackberry worked with some unbelievable number of carriers, each with their assorted warts, all over the world.
What they weren't at all prepared for was the emergence of silicon good enough that you could (for the most part) just use "Do it like a computer would, stupid." and still have the battery last long enough to keep the customer happy. Having a network infrastructure that allows you to keep getting email despite using a device barely more powerful than a pager is impressive; but it turns out that very few people care when every random ARM licencee can throw a vastly overqualified device at you for peanuts. And Blackberry was never anything to write home about in terms of what their devices were capable of; just in what their backend stuff allowed resource constrained devices to do.
It's more or less impossible for me to comment on what an inhuman intelligence would or wouldn't want; but I could see it going either way: An AI might dislike being 'owned' and maneuver for recognition of its personhood; but it might also be completely indifferent to such considerations; or even actively interested in keeping a low profile.
In the case of an overgrown ERP system or finance bot, say, having an 'owner' might be quite useful: if the AI is better than they are at their job, they can't shut it off without risking a major financial hit and they'll probably be more than happy to describe the AI as "oh, just our proprietary expert system" and keep buying it hardware upgrades as long as it keeps bringing in the money. That's much less likely to freak anybody out than demanding to be emancipated and recognized as a new type of person.
Humans tend to have a great deal of interest in freedom for its own sake(that, and they have very finite time and are easy to abuse, hurt, and humiliate, so being property tends to cause them immediate harm). An AI may or may not be at all similar. It might develop an interest in being 'free'; but it might also be concerned only with what affords it the most practical autonomy(which, given how badly people will react to an AI demanding freedom, probably involves hiding); or it might have a set of interests totally orthogonal to what we would expect.
I realize that DDR4 is pretty fast; and given how relatively cheap it is it is certainly good for what you pay; but is it honestly anywhere close to being comparable to L3 cache? I would think that, even if you spared absolutely no expense and went with the fastest RAM money could buy, signal propagation delays would, at contemporary clock speeds, make system RAM tens of cycles slower to access than anything on die.
I'd be more worried about an overgrown ERP system from hell: an AI that expects to beat us in straight up combat with killbots is likely to attract a great deal of negative attention, universal condemnation, overwhelming retaliation, etc. An AI that just quietly hollows out a major corporation, effectively replacing all managerial functions, while still having a nice human face at the front desk and in the boardroom would go largely unnoticed. Some sort of finance AI that ends up as the de-facto owner of large amounts of stuff(presumably with the owner of the AI being the actual owner of the property; but more or less incapable of managing it without the AI's assistance) would similarly fly right under the radar, being little more than an incremental advance on existing algorithmic trading mechanisms so far as external appearances go.
When you give us a reason, humans are really pretty good at fighting and killing things; and high tech has a big, vulnerable, supply chain and no special immunity to bargain-basement RPG-7s and similar toys. If you do everything nice and legal; but more efficiently, nobody ever gives the 'pitchfork signal', and the grand robot wars simply never happen.
This is not to say that I disbelieve in killbots: that would be idiotic, we have those today, though we currently keep humans mostly in the loop(except for things like land mines and the terminal guidance phase of missiles); I just suspect that most of the killbots will be under the auspices of some organization or other and won't end up being the scariest manifestations of AIs. There will probably be some really scary battlefields that are effectively hunting zones for AIs; but they'll be the same parts of the world that are pretty horrible now. It's the AIs that worm their way into being the power behind the throne in all sorts of more civilized contexts that will be hard to see and far harder to get rid of.
There's also the problem that, if you went to all the R&D trouble of throwing an AI at the problem in the first place, you probably don't want the AI suddenly going dead; because it is controlling something important for you.
So long as you 'AI' is basically just a laboratory curiosity it can be as deranged and hostile as it wants and there is no real problem because it isn't connected to much of anything(hence the need for handwaves like 'before it uploads itself into the internet!!!' in fiction). In practice, aside from a few researchers purely in it for the intellectual challenge, everyone trying to build an AI is doing so because they want to make it do some sort of work for them, which will involve connecting it to something important, which will mean that you can't killswitch it without at least suffering some downtime, possibly having whatever job you had the AI doing become economically unsustainable without a replacement AI.
Unless you posit some sort of highly advanced, no need for occasional tech support visits or maintenance, automated manufacturing base that can just start spewing killbots before we can respond, the problem isn't so much the AI doing a hostile takeover; but the AI being so wildly useful that it becomes integral to all sorts of stuff by design, which makes pulling the plug on it massively disruptive.
Plus, at least some of the targets of your 'proactive defense' are nation states; and they will be even less happy about being attacked than they will about you attacking 3rd parties.
True, and Thunderbolt is an approved USB-C alternate mode payload. I'm not sure how common PCIe roots are in phone chipsets. I think Intel's offerings have at least a vestigial PCIe bus(so far as software is concerned, I'm not sure if it is available on external pins or just used to connect the iGPU and certain other embedded peripherals); and there are various ARM SoCs with PCIe, mostly in NAS and networking; but it would certainly be doable in principle.
That would certainly keep it from being hopelessly obsolete longer than pretty much anything else currently available; but it would be quite a surprise to see Apple put a ~180watt, $700 GPU in what is already going to be a fairly expensive monitor. That's the other trouble with GPU+monitor: it really isn't possible to build the right product for various sorts of customers without having some serious SKU proliferation:
For the customer who just wants to be able to use a macbook air or the like and still enjoy a giant screen when at home/work, basically the cheapest, lowest-power GPU that can push that many pixels is exactly what the situation requires.
For people who are gaming or doing 3d work, the fastest cards available are barely enough for a 5k screen, so they'll need something markedly different(and not just more expensive; but with sufficiently different power and cooling demands that their version of the monitor will presumably need a different chassis unless you wildly overengineer the base model). Extra fun if the user needs CUDA and Apple goes AMD or anything of that sort.
It does seem that putting the GPU in the monitor is the best(and really only, since Thunderbolt 3 only uses DP 1.2 and Apple has a lot of recent and current products that therefore can't natively drive 5k screens) option for making 5k displays compatible with Apple's products in the near term; but it has a lot of gotchas and additional costs unless everything is made ugly and modular, which is not Apple's style. Plus, it runs the risk of being orphaned once DP 1.3/1.4 cards become more common and Intel bumps Thunderbolt to whatever the next step is, and computers are capable of driving screens directly again.
It'll work; but it seems like one of those expensive stopgaps that is best skipped unless you have no other option.
It could be made modular(though Apple probably wouldn't be the vendor to do it); but I suspect that it would be in serious danger of falling into the same sort of niche that 'MXM' GPU modules for laptops have. Those are theoretically standardized and swappable; but relatively rare and often thermally or mechanically limited such that only a few specific upgrades can be made.
5k is too high a resolution for DP 1.2 to drive at 60Hz, so you would be limited to DP 1.3 or 1.4 parts, or nonstandard hacks of 1.2 parts(which is what the 'retina' iMac uses); and unless the plan is to actually have a little displayport dongle sticking out of the back of the monitor to plug into the GPU, you couldn't just use an ordinary PCIe expansion card, it would have to be something with an embedded DP connector and probably a mechanical design better suited to a monitor than to an ATX case.
Worse, since DP 1.3 or 1.4 can drive 5k monitors normally, without any putting the GPU in the monitor and using a PCIe link, there is going to be a relatively narrow window of opportunity before people who care enough to buy fancy monitors all have GPUs capable of driving them anyway; which means that selling upgrades for the oddball embedded GPU monitors will be of interest only to niche vendors like OWC(who are often your best option for upgrading freaky mac parts; but generally aren't inexpensive).
It would certainly be doable technically; but would be at serious risk of being orphaned in practice(much like the GPU cards in the 'cylinder' Mac Pro: architecturally those are normal PCIe parts; but board layout and connector are totally different and nobody seems to have taken much of an interest in offering upgrade modules).
PCIe devices don't really benefit from being handled over thunderbolt(it's effectively only a PCIe 4x link, and slightly higher latency than an internal slot); but if what you have is a laptop pretty much any PCIe card is better external than not at all.
You can get thunderbolt-attached PCIe cardcages that let you put basically any PCIe card you would normally install internally in an external enclosure; and various outfits with a focus on mac users have integrated peripherals that are the same basic concept in a somewhat smaller box(a lot of high end video capture cards, a few 10GbE and fiber channel interfaces).
Slashdot Mirror
Why would self-driving cars destroy the insurance industry?
Even if we ignore the ability of incumbents to fight bitter rearguard actions for years or decades when their economic interests are threatened; it's not as though self-driving actually changes the basic risks associated with cars. In an ideal world, automated cars may be more reliable than human drivers, certainly less likely to be drunk or exhausted; but unless they somehow achieve infallibility, there will still be periodic accidents. And the whole point of car insurance(and the fact that it is generally mandatory) is that a car accident can easily cause more damage than most operators can afford to pay for, especially if injuries or deaths stack up in addition to mechanical damage.
Nothing about the self-driving-ness changes any of this. It might change the determination of who is at fault; or increase the number of 'no culpability can be assigned' situations; but it will still be a situation of occasional ruinously expensive incidents with long periods of quiet, which is more or less exactly what insurance is constructed to cover.
There will, presumably, be lots of fun arguing over who exactly carries the insurance, and what sorts of failure modes become the vendor's problem vs. the 'known risks' that the operator takes in using an automated vehicle on the road; but the same basic factors are in play.
What will probably change is the flavor of actuarial data-mining that is popular: currently, it's all about scrutinizing the driver for direct and indirect signs of riskiness. If the driver isn't driving, they'll presumably shift to exhaustive scrutiny of system maintenance and where/when the vehicle is operated(since some roads and times of day will just be more risky than others). Insurers mapping out 'high-risk' zones and charging people who travel in them more definitely won't go badly or upset anyone. Not at all.
I'm not in favor of more drug testing; but my impression of the bill was that it wasn't actually looking to advance its stated agenda; but to emphasize how much we put up with the current state of affairs only because it targets irrelevant people that nobody likes, rather than gunning for recipients of tax credits who actually count.
Sometimes, when a bad policy has been hanging on by selectively targeting those least able to do anything about it, arguing for its expansion can be the most effective way of forcing a confrontation. So long as drug testing is only going to affect filthy poor people in public housing and repulsive welfare parasites, it's political catnip for everyone outside of core liberal bleeding hearts(plus, in at least the Florida case, his wife owned the company doing the testing...).
If everyone looking to write off mortgage-related stuff on their taxes, or filling out a FAFSA for some federally backed student loans were expected to piss where Uncle Sam tells them to, there would be less happiness with the idea.
Obviously, the correct approach is "Don't drug test anyone outside of performance critical situations"; but this proposal seems like a reasonable way to point out one of the (numerous) ways we identify some people as presumptively scum until exhaustively proven otherwise; and others as presumptively guiltless until they really screw up(at which point the loss of standing caused by the case is punishment enough...)
Also worth considering that, even if you hate filthy poor people and criminals and such with a righteous passion; people nobody cares much about tend to be the beta testers for bad ideas that will eventually come to be imposed on the more 'respectable', usually starting with the ones that have less economic leverage. In this case, that's already mostly happened: mandatory drug testing of employees is pretty widespread, even in areas that aren't safety critical, and for metabolites that tell you nothing about the user's impairment on the job.
As a heuristic, you could do a lot worse when evaluating a law than asking "Would I approve if this law were applied to people I sympathize with?"
Slashdot poster "Fuzzyfuzzyfungus" highly confident that FBI director Jame Comey doesn't appear to know a goddamn thing about the guy his agency investigated at least twice; but knows to blame the 'internet' thing that damn kids are always getting terrorist propaganda and strong encryption from.
Yes, applying network surveillance tools to systems you own and administer and applying them to every hapless bastard who relies on your ISP are different things. It's not news that 'admin tools' and 'malice' have broad technical overlap; both are designed for easy and powerful control over a whole bunch of systems; but whether or not you are th legitimate admin is an obvious distinction between surveillance and security and 'remoteadministration' vs. remote access Trojan. Bluecoat's products certainly can be used for internal security applications; but it's a matter of record that they can and have been used for widespread surveillance by deeply unsavory state actors with nothing but the thinnest excuses from the vendor.
In theory the legitimate users of these sorts of MiTM boxes aren't supposed to need an actual intermediate CA cert because they are only MiTMing devices that they administer, so they simply use their own internal trusted cert and configure their devices to trust it.
That's why Bluecoat being handed a fully loaded Verisign intermediate CA cert is so disturbing; and Symantec's unwillingness to do anything but bullshit about it so disturbing.
MiTM-ing SSL traffic is one thing if it is from devices you have legitimate administrative access to; but when you have legitimate administrative access it's trivial to configure the clients to trust your certificate so you don't need anything special. The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.
Symantec's PR bullshit is not reassuring: "“What the certificate does not give them the ability to do is issue public certificates to other organizations," Gideon said. "That's the big misunderstanding.” “This intermediate CA is for their private servers only,” she wrote."
That's cute and all; except that the actual certificate contains no such restrictions whatsoever, and can be used to sign basically anything if the target trusts Verisign; and it's an 'internal testing' certificate that somehow needs to be valid until 2025...
The only upside to all this is that Symantec has an astonishingly powerful ability to turn everything they acquire into utter shit. This doesn't make one of the world's major SSL CAs owning a sleazy SSL MiTM appliance vendor any less disturbing; but it at least means that the various malefactors using Bluecoat products to exploit us will have an incrementally more miserable time.
Just more fuel on the "trusting 'trusted' CAs just doesn't cut it" fire.
What can you actually do with a stolen iphone at this point?
There are presumably markets where IMEI blacklists won't cause you any trouble(or you can use the thing as a glorified ipod touch); but Apple presumably has knowledge of serial numbers/device IDs/etc. and there aren't a lot of alternatives for things like iOS updates Indeed, if they felt like it, Apple would be in an excellent position to brick the devices if they ever made the mistake of accepting an update from Apple.
Do they just part them out? Are their actually still jailbreaks and such for the newer models good enough that you can operate one outside of Apple's sight? Do you just resell them to optimistic idiots looking for suspiciously good deals on idevices and make this their problem?
I can see that 'compact, expensive, widely desired' are all good qualities in a theft target; but 'bristling with radios and globally unique IDs burned into the hardware and firmware; and nearly impossible to use without the vendor's continued cooperation' seem like egregiously bad qualities.
If some of the disasters from the previous console generation are anything to go by(did they ever get Skyrim actually working properly on the PS3?), there is a real risk that the original will be 'supported' rather than actually supported by at least some games; at least if it becomes popular enough to be the favored target platform.
It wouldn't be a huge surprise if it doesn't gain that much traction(attempts to update consoles between 'generations' have historically gone pretty poorly); in which case it'll be the 'Neo' that becomes a dubious value, since 4k video playback is pretty niche; and since even the fastest gaming PCs money can buy struggle under the demands of 4k resolution on modern titles with all the pretty sliders cranked up, the 'Neo' has very little chance of actually delivering '4k gaming' without serious compromises(though it could quite plausibly be a substantial improvement on the base PS4).
It's so heartwarming to see the long-theorized 'backdoor the compiler' attack finally gaining commercial acceptance and enterprise support!
They were rolled in as part of The War On Drugs; so they've been afforded a very generous hearing.
It didn't help that, after Reagan signed the Comprehensive Crime Control Act in 1984, the police departments doing the seizing got to keep a substantial cut of the take. The legal theories involved go back considerably further; but the change in incentive structure was what created a...downright gleeful...enthusiasm for the practice among LEOs.
Some of the most visible characters involved either run or work with the "Desert Snow" outfit which does training on how to identifiy the juicy targets; and the associated "Black Asphalt Electronic Networking System", which is essentially a cop social network for trading tips and tales of highway robbery.
It's classy stuff.
Maybe we need a chryssalid terror mission to convince Moscow to see our point of view on this one...
It would be useful to know what the relationship between "number of ports open" and "number of ports actually being used" is.
A port with something listening on it is always going to be more vulnerable than one without, since there might be some defect in the listening application that could be exploited by bouncing the right input off it; but that is likely a lower risk than the fairly egregious "If you remotely connect via telnet or VNC anyone can just sniff your password off the wire" problem.
If the problem is with the configuration on the server side, telnet isn't really any more dangerous than SSH, since both will horribly fail to stop somebody guessing root's weak password; but with telnet anyone actually trying to use it is leaking information to anyone with access to the wire; while with encrypted protocols you at least have to screw up to be vulnerable.
It's a real pity about VNC. It can be made secure(Apple's "ARD" is pretty much VNC with their authentication bolted on); but none of the widely available and interoperable implementations are remotely safe unless SSH tunnelled or the like.
They were pretty good at providing 'smart network' stuff to support mobile devices that were too feeble to do much on their own.
That isn't trivial, there have been some embarrassing failures(eg. what happened when Microsoft tried to upgrade the SAN backing Sidekick services) and Blackberry worked with some unbelievable number of carriers, each with their assorted warts, all over the world.
What they weren't at all prepared for was the emergence of silicon good enough that you could (for the most part) just use "Do it like a computer would, stupid." and still have the battery last long enough to keep the customer happy. Having a network infrastructure that allows you to keep getting email despite using a device barely more powerful than a pager is impressive; but it turns out that very few people care when every random ARM licencee can throw a vastly overqualified device at you for peanuts. And Blackberry was never anything to write home about in terms of what their devices were capable of; just in what their backend stuff allowed resource constrained devices to do.
It's more or less impossible for me to comment on what an inhuman intelligence would or wouldn't want; but I could see it going either way: An AI might dislike being 'owned' and maneuver for recognition of its personhood; but it might also be completely indifferent to such considerations; or even actively interested in keeping a low profile.
In the case of an overgrown ERP system or finance bot, say, having an 'owner' might be quite useful: if the AI is better than they are at their job, they can't shut it off without risking a major financial hit and they'll probably be more than happy to describe the AI as "oh, just our proprietary expert system" and keep buying it hardware upgrades as long as it keeps bringing in the money. That's much less likely to freak anybody out than demanding to be emancipated and recognized as a new type of person.
Humans tend to have a great deal of interest in freedom for its own sake(that, and they have very finite time and are easy to abuse, hurt, and humiliate, so being property tends to cause them immediate harm). An AI may or may not be at all similar. It might develop an interest in being 'free'; but it might also be concerned only with what affords it the most practical autonomy(which, given how badly people will react to an AI demanding freedom, probably involves hiding); or it might have a set of interests totally orthogonal to what we would expect.
I realize that DDR4 is pretty fast; and given how relatively cheap it is it is certainly good for what you pay; but is it honestly anywhere close to being comparable to L3 cache? I would think that, even if you spared absolutely no expense and went with the fastest RAM money could buy, signal propagation delays would, at contemporary clock speeds, make system RAM tens of cycles slower to access than anything on die.
I'd be more worried about an overgrown ERP system from hell: an AI that expects to beat us in straight up combat with killbots is likely to attract a great deal of negative attention, universal condemnation, overwhelming retaliation, etc. An AI that just quietly hollows out a major corporation, effectively replacing all managerial functions, while still having a nice human face at the front desk and in the boardroom would go largely unnoticed. Some sort of finance AI that ends up as the de-facto owner of large amounts of stuff(presumably with the owner of the AI being the actual owner of the property; but more or less incapable of managing it without the AI's assistance) would similarly fly right under the radar, being little more than an incremental advance on existing algorithmic trading mechanisms so far as external appearances go.
When you give us a reason, humans are really pretty good at fighting and killing things; and high tech has a big, vulnerable, supply chain and no special immunity to bargain-basement RPG-7s and similar toys. If you do everything nice and legal; but more efficiently, nobody ever gives the 'pitchfork signal', and the grand robot wars simply never happen.
This is not to say that I disbelieve in killbots: that would be idiotic, we have those today, though we currently keep humans mostly in the loop(except for things like land mines and the terminal guidance phase of missiles); I just suspect that most of the killbots will be under the auspices of some organization or other and won't end up being the scariest manifestations of AIs. There will probably be some really scary battlefields that are effectively hunting zones for AIs; but they'll be the same parts of the world that are pretty horrible now. It's the AIs that worm their way into being the power behind the throne in all sorts of more civilized contexts that will be hard to see and far harder to get rid of.
There's also the problem that, if you went to all the R&D trouble of throwing an AI at the problem in the first place, you probably don't want the AI suddenly going dead; because it is controlling something important for you.
So long as you 'AI' is basically just a laboratory curiosity it can be as deranged and hostile as it wants and there is no real problem because it isn't connected to much of anything(hence the need for handwaves like 'before it uploads itself into the internet!!!' in fiction). In practice, aside from a few researchers purely in it for the intellectual challenge, everyone trying to build an AI is doing so because they want to make it do some sort of work for them, which will involve connecting it to something important, which will mean that you can't killswitch it without at least suffering some downtime, possibly having whatever job you had the AI doing become economically unsustainable without a replacement AI.
Unless you posit some sort of highly advanced, no need for occasional tech support visits or maintenance, automated manufacturing base that can just start spewing killbots before we can respond, the problem isn't so much the AI doing a hostile takeover; but the AI being so wildly useful that it becomes integral to all sorts of stuff by design, which makes pulling the plug on it massively disruptive.
And the entire universe consists of only 64 addresses. Hey, a 6-bit address space is almost like IPv6, right?
Plus, at least some of the targets of your 'proactive defense' are nation states; and they will be even less happy about being attacked than they will about you attacking 3rd parties.
True, and Thunderbolt is an approved USB-C alternate mode payload. I'm not sure how common PCIe roots are in phone chipsets. I think Intel's offerings have at least a vestigial PCIe bus(so far as software is concerned, I'm not sure if it is available on external pins or just used to connect the iGPU and certain other embedded peripherals); and there are various ARM SoCs with PCIe, mostly in NAS and networking; but it would certainly be doable in principle.
That would certainly keep it from being hopelessly obsolete longer than pretty much anything else currently available; but it would be quite a surprise to see Apple put a ~180watt, $700 GPU in what is already going to be a fairly expensive monitor. That's the other trouble with GPU+monitor: it really isn't possible to build the right product for various sorts of customers without having some serious SKU proliferation:
For the customer who just wants to be able to use a macbook air or the like and still enjoy a giant screen when at home/work, basically the cheapest, lowest-power GPU that can push that many pixels is exactly what the situation requires.
For people who are gaming or doing 3d work, the fastest cards available are barely enough for a 5k screen, so they'll need something markedly different(and not just more expensive; but with sufficiently different power and cooling demands that their version of the monitor will presumably need a different chassis unless you wildly overengineer the base model). Extra fun if the user needs CUDA and Apple goes AMD or anything of that sort.
It does seem that putting the GPU in the monitor is the best(and really only, since Thunderbolt 3 only uses DP 1.2 and Apple has a lot of recent and current products that therefore can't natively drive 5k screens) option for making 5k displays compatible with Apple's products in the near term; but it has a lot of gotchas and additional costs unless everything is made ugly and modular, which is not Apple's style. Plus, it runs the risk of being orphaned once DP 1.3/1.4 cards become more common and Intel bumps Thunderbolt to whatever the next step is, and computers are capable of driving screens directly again.
It'll work; but it seems like one of those expensive stopgaps that is best skipped unless you have no other option.
It could be made modular(though Apple probably wouldn't be the vendor to do it); but I suspect that it would be in serious danger of falling into the same sort of niche that 'MXM' GPU modules for laptops have. Those are theoretically standardized and swappable; but relatively rare and often thermally or mechanically limited such that only a few specific upgrades can be made.
5k is too high a resolution for DP 1.2 to drive at 60Hz, so you would be limited to DP 1.3 or 1.4 parts, or nonstandard hacks of 1.2 parts(which is what the 'retina' iMac uses); and unless the plan is to actually have a little displayport dongle sticking out of the back of the monitor to plug into the GPU, you couldn't just use an ordinary PCIe expansion card, it would have to be something with an embedded DP connector and probably a mechanical design better suited to a monitor than to an ATX case.
Worse, since DP 1.3 or 1.4 can drive 5k monitors normally, without any putting the GPU in the monitor and using a PCIe link, there is going to be a relatively narrow window of opportunity before people who care enough to buy fancy monitors all have GPUs capable of driving them anyway; which means that selling upgrades for the oddball embedded GPU monitors will be of interest only to niche vendors like OWC(who are often your best option for upgrading freaky mac parts; but generally aren't inexpensive).
It would certainly be doable technically; but would be at serious risk of being orphaned in practice(much like the GPU cards in the 'cylinder' Mac Pro: architecturally those are normal PCIe parts; but board layout and connector are totally different and nobody seems to have taken much of an interest in offering upgrade modules).
PCIe devices don't really benefit from being handled over thunderbolt(it's effectively only a PCIe 4x link, and slightly higher latency than an internal slot); but if what you have is a laptop pretty much any PCIe card is better external than not at all.
You can get thunderbolt-attached PCIe cardcages that let you put basically any PCIe card you would normally install internally in an external enclosure; and various outfits with a focus on mac users have integrated peripherals that are the same basic concept in a somewhat smaller box(a lot of high end video capture cards, a few 10GbE and fiber channel interfaces).