
Human Infrastructure 396: Going All-In On AI, A Cool Excel Trick, Tiny Firewalls, and More

SOME THOUGHTS ON THE SHOPIFY AI MEMO

Shopify CEO Tobi Lutke wrote an internal memo declaring that all employees must now actively use AI in their work. The memo leaked, and quickly became something of a manifesto for tech and business leaders. There are interesting ideas in this memo, as well as a few that tingled my spider senses.

The memo includes six short, clearly-written requirements regarding AI use. You can read the full memo here, but for context here’s the first sentence of each requirement:

1. Using AI effectively is now a fundamental expectation of everyone at Shopify

2. AI must be a part of your GSD [Get Shit Done] Prototype phase

3. We will add AI usage questions to our performance and peer review questionnaire 

4. Learning is self-directed, but share what you learn 

5. Before asking for more Headcount and resources, teams must demonstrate why they cannot get what they want done using AI

6. Everyone means everyone [i.e. executives too] 

Good Points

The requirement to use AI effectively is a good one. Just as with any tool, effective use of AI should help workers get more work done. (“Effective” is doing some heavy lifting, but at least Lutke employs that qualifier.)

Lutke writes in the memo that “using AI well is a skill that needs to be carefully learned by…using it a lot.” I appreciate his acknowledgement that AI use is a skill that has to be developed. I hope this means the company will provide resources and time for training.

I also applaud extending this requirement to everyone at the organization, including executives. Adopting new tools introduces risks; for example, someone might invest in an AI tool that turns out to be the wrong one. A project might get launched that goes nowhere and wastes time and money. An AI initiative might go sideways and result in fines, penalties, or reputational damage.

If executives and contributors alike are compelled to embrace AI, this shared fate may foster a more nurturing, less punitive environment in which to operate.

Self-directed learning also makes sense. Teams and individual contributors may have a better instinct for tools or services that will drive their productivity as opposed to top-down imposition of a tool or product. Sharing one’s learnings also makes sense; one person’s success or failure can save other people time and headaches.

Concerns

1. AI Tied to Performance Reviews

Lutke says AI usage is going to be added to performance and peer review questionnaires. Lutke’s intent seems to be to improve employees’ skills at prompts and context-loading, but managers the world over know that you have to be careful about what and how you measure when it comes to employee performance.

This need for care is explained by a concept called Goodhart’s Law, after the economist Charles Goodhart: “When a measure becomes a target, it ceases to be a good measure.”

For example, in the memo Lutke references the 10x contributor who becomes a 100x contributor using AI. So is 100x the target? What if AI only increases my output by 2x? Is that good enough?

What if my 100x output is just in emails and Slack messages sent, or in trouble tickets opened? Getting workers to use AI vs. getting them to use AI well are different things. 

2. F*** You, Headcount

Lutke says teams have to demonstrate why they need more people or resources instead of using AI to get something done. That’s chilling. 

Society has been in a tug of war between human and machine labor since the Industrial Revolution. Lutke’s memo is probably the most honest statement we’ve gotten from a tech CEO about the potential for AI to reduce the need for human workers. 

I think there’s a class of executives in Silicon Valley (and other industries, but especially tech) that harbors contempt for its employees. Employees are meat sacks that want healthcare and PTO. They want to leave at 6 pm to go to their kid’s soccer game instead of grinding 18 hours a day to be a 100x contributor.

It’s not even about salaries, because executives will spend any amount of money on a new, untried tech if they think it will spare them adding headcount. It’s because they see humans as a drag on productivity. AI fulfills their ultimate wish: a room full of machines that work 24/7 without complaint. 

I don’t know if this sentiment lives in Lutke’s heart, but I do know that every employee should understand their relationship with their employer. No matter what a CEO might say about creating an environment to foster the personal growth of their workers (see Lutke’s memo for that language), you and I are one technological advancement away from being fired.

3. Herd Mentality

Lutke’s memo is catnip for the LinkedIn crowd. It got lots of high-fives from execs who wished they were getting the same attention as Lutke. Meanwhile, thought leaders opened their missile silos to launch pronouncements such as “Every large company that doesn’t implement a version of this will die.”

Fear of impending death is not the best head-space for making decisions. But you can sense the huffing and stamping in C-suites as executives scent the wind, paw the earth, and dart their eyes to see who will be the next to bolt toward an all-AI strategy. Then comes a headlong stampede into ill-conceived investments, expensive consulting engagements, and panicked buying that may or may not produce returns or provide a strategic advantage.

It’s not Lutke’s fault if he starts a stampede. Presumably he and other leaders in the company have thought through their AI stance and decided it’s right for Shopify. But lots of companies are happy to go with the herd, even if it’s not the right direction.

Accelerant

Like arsonists, Silicon Valley execs want their fires to burn hot and spread fast. Lutke’s memo says Shopify has to run just to stay still. He says his company, which is growing 20-40% every year, “must improve by at least that every year just to re-qualify.” For Lutke, AI is the accelerant to fuel that improvement.

But every business needs to think hard before it starts spraying AI around the organization and lighting matches. An accelerant can light you up. Or it can burn you down. - Drew


THIS WEEK’S MUST-READ BLOGS 🤓

Model Context Protocol (MCP) is the newest witchery to bubble to the surface of the AI cauldron. MCP is a framework for LLMs to connect to third-party applications and data sources. With the industry conjuring agentic AI as its latest trick, MCP is the spell that developers will invoke to connect all the disparate models, services, and data sources required for an agent to complete a task.

However, as the two blogs above note, MCP has entirely predictable security holes that are ripe for exploitation, including remote code execution and prompt injection. While the MCP documentation suggests validating incoming messages, sanitizing inputs, and implementing access controls as best practices (among others), it’s entirely up to developers and platform builders to do so.

And that means network, DevOps, and infosec teams will have an entirely new risk area that needs to be instrumented, monitored, analyzed, and responded to. Maybe there’s an agent for that? - Drew

Jason Gintert celebrates 26 years as a network engineer. He looks back over his career and divides it into 5 stages, and shares some advice based on things he learned at each stage. Good stuff! - Drew

I expect this story will become more common over time. A software engineer realized the person he was interviewing via a video call had prepped for the interview using AI. Apparently the candidate had anticipated some of the interview questions and had ready responses, generated by a chatbot, that made it sound as if they had more software development experience than they actually did. When the interviewer probed for more detail, the applicant wasn’t able to provide it, and eventually confessed. Interesting times! - Drew 

Bryan shares some code he wrote that lets you copy cells in Excel and export them as a JSON document. Thanks for sharing, Bryan! - Drew  


TECH NEWS 📣

TL;DR. Fast flux is the hiding of a botnet behind a steadily changing series of IP addresses and domain names, making it harder to identify them. In a fast flux scheme, IPs and domain names rotate as fast as hourly. Click for more details on how this obfuscation is achieved using wildcard DNS records.

Read the original cybersecurity advisory by the US Cybersecurity & Infrastructure Security Agency (CISA) here. - Ethan
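A defender-side sketch of how the rotation described above shows up in passive DNS data, added here as an example and not taken from the CISA advisory or the linked article. It groups answers by parent zone, so hostnames answered by one wildcard record count together, and flags zones with many short-TTL addresses spread across unrelated networks; the log format, names, addresses and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS answers: timestamp, queried name, A record, TTL in seconds.
# Addresses come from RFC 5737 documentation ranges; names use the reserved .example TLD.
SAMPLE_LOG = """\
2025-04-10T00:02:11 a91k.flux-demo.example 192.0.2.15 120
2025-04-10T01:03:40 q7zt.flux-demo.example 198.51.100.77 120
2025-04-10T02:01:05 m3xp.flux-demo.example 203.0.113.9 150
2025-04-10T03:04:52 a91k.flux-demo.example 192.0.2.201 120
2025-04-10T04:00:19 zz04.flux-demo.example 198.51.100.4 120
2025-04-10T00:10:00 www.stable-demo.example 203.0.113.50 3600
2025-04-10T02:10:00 www.stable-demo.example 203.0.113.50 3600
2025-04-10T04:10:00 www.stable-demo.example 203.0.113.50 3600
2025-04-10T00:20:00 lb.pool-demo.example 192.0.2.1 60
2025-04-10T00:50:00 lb.pool-demo.example 192.0.2.2 60
"""

def parent_zone(name):
    # Naive grouping on the last two labels so that many hostnames served by one
    # wildcard record are counted together; real code should use the Public Suffix List.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def summarize(log):
    zones = defaultdict(lambda: {"names": set(), "ips": set(), "nets": set(), "ttls": []})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, name, ip, ttl = parts
        try:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            ttl = int(ttl)
        except ValueError:
            continue  # skip unparsable address or TTL
        z = zones[parent_zone(name)]
        z["names"].add(name.lower())
        z["ips"].add(ip)
        z["nets"].add(net)
        z["ttls"].append(ttl)
    return zones

def flux_candidates(log, min_ips=4, min_nets=3, max_ttl=300):
    # Thresholds are illustrative: many addresses, spread over unrelated /24s, all short-lived.
    return sorted(
        zone for zone, s in summarize(log).items()
        if len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets and max(s["ttls"]) <= max_ttl
    )
```

Content delivery networks and load balancers also rotate addresses on short TTLs, so treat a hit as a triage signal rather than a verdict.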

OpenStack “Epoxy” has some new features added to make it easier for folks who want to migrate off of VMware by Broadcom to another platform, including storage drivers.

That’s a smart play by the OpenStack community, but I think the market has spoken. We already know that most big VMware shops have submitted to the new order of things, committing to VMware Cloud Foundation and the new cost structure.

Migration to non-VMware platforms is for smaller shops whose business Broadcom is far less interested in. I don’t see those smaller shops looking to OpenStack. - Ethan

This news is about a week old as I write this, but leaving it here just in case you might be impacted. Give this piece a read if you are a customer of Juniper Session Smart Routers, the product that came from the 128T acquisition. If you’re a user of Palo Alto Networks’ PAN-OS GlobalProtect remote access, you should read this one as well. Much probing and poking going on, as well as mitigation strategies noted. - Ethan

If you’ve ever needed proof that some big tech companies profess one set of values publicly, but operate their businesses in ways entirely antithetical to those publicly-stated values, ‘Careless People’ seems to be it. Even without digging into the text, you just need to know that Meta, Facebook’s parent company, a supposed advocate of un-moderated free speech, got a gag order slapped on the author to keep her from speaking publicly about the book.

The title ‘Careless People’ comes from a line in the novel The Great Gatsby: “They were careless people, Tom and Daisy- they smashed up things and creatures and then retreated back into their money or their vast carelessness or whatever it was that kept them together, and let other people clean up the mess they had made.” Sound familiar? - Drew


RESEARCH & RESOURCES 📒

Self-describes as “A free, lightweight and non-intrusive firewall” for Windows on Intel/AMD silicon. This is a project you can build on if you like—source code available in the repo. Or download the current binary from the official website. FAQ is here. - Ethan

In this post, Thomas explains in detail different options for running commands against the underlying operating system from Python. - Ethan

This is a really good podcast episode on the power and water usage of AI infrastructure, and the frankly insufficient measures that companies such as Google are taking to address these demands. - Drew 


INDUSTRY BLOGS & VENDOR ANNOUNCEMENTS 💬 

This Kentik blog analyzes a route leak caused by a DDoS mitigation provider that misdirected traffic from around the world and sent it through Bucharest, Romania. This was a mistake, not a malicious event. Besides breaking down how this route leak happened, the blog also provides some background and definitions of the phenomenon. From the post: “The BGP leak analyzed in this post can be referred to as a “path leak” or “adjacency leak,” meaning that the mistake occurred in the middle of the AS path, not at the beginning (rightmost ASN). And since no routes were mistakenly originated in a problematic way, origin-based solutions like RPKI ROV would not be in a position to help.” - Drew
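The point in the quoted passage, that origin validation cannot see a mid-path leak, can be shown with a small RFC 6811-style check. This is an added example, not Kentik's code; the ROA, prefixes and AS numbers are constructed from documentation ranges, and `inserted_asns` is a hypothetical baseline-comparison helper.

```python
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorized origin ASN).
ROAS = [("198.51.100.0/24", 24, 64500)]

# Constructed AS paths, leftmost = nearest to the observer, rightmost = origin.
EXPECTED = [64510, 64505, 64500]
LEAKED = [64510, 64511, 64507, 64505, 64500]   # extra ASNs appear mid-path
MISORIGINATED = [64510, 64509]                 # wrong rightmost ASN

def rov_state(prefix, as_path, roas=ROAS):
    """Route origin validation: only the rightmost ASN of the path is examined."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= max_len and asn == origin:
                return "valid"
    return "invalid" if covered else "not-found"

def inserted_asns(baseline, observed):
    """Path-aware check: ASNs that are new relative to a known-good path
    while the origin is unchanged. Returns None if the origin differs."""
    if observed[-1] != baseline[-1]:
        return None
    return [asn for asn in observed if asn not in baseline]

if __name__ == "__main__":
    for label, path in [("expected", EXPECTED), ("leaked", LEAKED),
                        ("misoriginated", MISORIGINATED)]:
        print(label, rov_state("198.51.100.0/24", path), inserted_asns(EXPECTED, path))
```

The leaked path validates exactly like the expected one because its origin is untouched; only the comparison against a baseline path surfaces the two inserted networks.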

Portnox provides a cloud-based zero trust NAC service built around a cloud-delivered RADIUS offering. The company has just secured a B series funding of $37.5 million, which comes on top of an A round of funding of $22 million back in 2022. Zero Trust is all the rage at the moment, so Portnox is well positioned to leverage the buzz. - Drew 

HPE is announcing new deployment options for Aruba Networking Central. They include a virtual private cloud option, and an on-prem option that’s disconnected from the cloud. There’s also an option for government customers. From the press release: “HPE Aruba Networking Central On-Premises for Government provides a new deployment option, which includes FIPS 140-2 certified server hardware to meet related government security requirements.” - Drew
