Conceptually that's no different to any security measures that prevent you from accessing data you're not supposed to? At the end of the day with all data that is colocated you're trusting that some permission feature somewhere is preventing you from accessing data you're not supposed to.
We trust that Amazon or Google or Microsoft are successful in protecting customer data for example. We trust that when you log into your bank account the money you see is yours, and when you deposit it we trust that the money goes into your account. But it's all just mostly logical separation.
> At the end of the day with all data that is colocated you're trusting that some permission feature somewhere is preventing you from accessing data you're not supposed to.
Right but ideally more than one.
> But it's all just mostly logical separation.
Yes, ideally multiple layers of this. You don't all share one RDS instance and then get row level security.
Can you give an example of more than one layer of logical separation at the data layer?
We all know that authentication should have multiple factors. But that's a different problem. Fundamentally, at the point you're reading or writing data you're asking the question "does X have permission to read/write Y".
I don't know their use case enough to understand what would or would not be an appropriate mitigation. For example, with regards to financial data, you could have client side encryption on values where those keys are brokered separately. I can't exactly design their system for them, but they're describing a system in which every employee has direct database access and the database holds financial information.
Right, encryption would protect the data. But still, at the end of the day you're trusting the permission model of the database. Encryption won't prevent you updating a row or deleting a row if the database permission model failed.
Well, I think we basically agree? My suggestion is merely that a database holding financial data should have more than a single layer of security. Granting direct access to a database is a pretty scary thing. A simple example would be that any vulnerability in the database is directly accessible; even just by placing a broker in between users and the database I'd likely start to feel a lot better, and now I'd have a primitive for layering on additional security measures.
Encryption is an extremely powerful measure for this use case. If the data does not need to be indexed, you could literally take over the database process entirely and still not have access; it definitely doesn't rely on the permission model of the db because the keys would be brokered elsewhere.
> My suggestion is merely that a database holding financial data should have more than a single layer of security.
We require SSO (Azure via Vault) to authenticate to the DB. We also don't expose PostgreSQL to the public internet. We aren't complete monsters :)
> Granting direct access to a database is a pretty scary thing.
For you maybe, because you were taught it's scary or it just seems different? I dunno. I'm very surprised with all the pushback about it being a single layer. Every other data access architecture will be a single layer too, it just can be made to look like it isn't. Or people think their bespoke access control system will be better because they have more control. Our experience taught us that's just bad thinking.
We've been doing direct access to PostgreSQL since 1993 without many issues. Though RLS is "recent" in terms of deployment (it came about in PG 10 I think). Before that we had a bespoke solution (written with lots of views and some C/pgsql code; it was slow and kind of sucked). RLS was a little buggy when it first was released, but within a year or so it was reliable and we moved everything over as quick as we could and haven't looked back.
> Encryption is an extremely powerful measure for this use case.
We do this with some data in some tables, but it's a PITA to do it right, so its use is quite limited. We use HashiCorp Vault (now OpenBao) to hold the encryption/decryption keys.
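The SSO-plus-RLS setup described in that post, as an added example of what "more than one layer" can look like inside PostgreSQL itself: privilege grants as one layer and a row-level policy as a second. This is not the commenter's schema; the ledger table, the app_users group and the analyst_alice role are assumed names.

```sql
-- Added example (not the commenter's schema): PostgreSQL row-level security as one
-- layer, with role grants as a second layer. Table and role names are assumptions.

-- One login role per person, created by the SSO/Vault broker; a group role holds grants.
CREATE ROLE app_users NOLOGIN;
CREATE ROLE analyst_alice LOGIN NOINHERIT;
GRANT app_users TO analyst_alice;

CREATE TABLE ledger (
    id          bigserial      PRIMARY KEY,
    owner_role  name           NOT NULL DEFAULT current_user,
    amount      numeric(18, 2) NOT NULL,
    note        text
);

-- Layer 1: privilege grants. The group can read and insert only; no UPDATE/DELETE,
-- and owner_role is not an insertable column, so a client cannot pick another owner.
REVOKE ALL ON ledger FROM PUBLIC;
GRANT SELECT ON ledger TO app_users;
GRANT INSERT (amount, note) ON ledger TO app_users;
GRANT USAGE ON SEQUENCE ledger_id_seq TO app_users;

-- Layer 2: row-level security. FORCE applies the policy to the table owner as well,
-- so code that ends up running as the owner still only sees its own rows.
-- (Superusers and roles with BYPASSRLS are still exempt; do not hand those out.)
ALTER TABLE ledger ENABLE ROW LEVEL SECURITY;
ALTER TABLE ledger FORCE ROW LEVEL SECURITY;

CREATE POLICY ledger_owner_rows ON ledger
    FOR ALL
    TO app_users
    USING (owner_role = current_user)         -- rows visible to SELECT/UPDATE/DELETE
    WITH CHECK (owner_role = current_user);   -- rows a user may INSERT or UPDATE into

-- Sanity checks, run while connected through the broker as analyst_alice
-- (SET ROLE is only a convenience for trying this from an admin session).
SET ROLE analyst_alice;
INSERT INTO ledger (amount, note) VALUES (100.00, 'alice deposit');
SELECT count(*) FROM ledger;   -- counts alice's rows only, whatever else the table holds
-- Fails on layer 1 (no INSERT privilege on owner_role), never even reaching the policy:
-- INSERT INTO ledger (owner_role, amount) VALUES ('analyst_bob', 1.00);
-- Fails on layer 1 regardless of the policy (no DELETE privilege):
-- DELETE FROM ledger;
RESET ROLE;
```

The two commented-out statements are the point of the exercise: each is stopped by a different layer, so a bug in one does not by itself expose the table.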
I'm not sure where this "it's always one layer" thing is coming from, that's just not true. Nor do I see where I've said you should toss out RLS for a bespoke system - I see myself saying the opposite a few times.
> For you maybe, because you were taught it's scary or it just seems different?
Over a decade in computer security and software engineering. Nothing I'm saying is contentious. For some reason when I say "Having one boundary is bad" you say "There's only ever one boundary", which... is not true.
What is this app and what does it do? Can we see it?
I find it very hard to believe anyone could code anything complicated with Claude that 5-6 competent developers could do.
I am currently working on a relatively complicated UI on an internal tool and Claude constantly just breaks it. I tried asking it to build it step by step, adding each functionality I need piece by piece. But the code it eventually got was complete garbage. Each new feature it added would break an existing one. It was averse to refactoring the code to make it easier to add future features. I tried to point it in the right direction and it still failed.
It got to the point where I took a copy of the code, cut it back to basics and just wrote it myself. I basically halved the amount of code it wrote, added a couple of extra features and it was human readable. And if I had started with this, it would have taken less time!
I had trouble in my early days with the quality of things I made.
One of the things I found helped a lot is building on top of a well-structured stack. Make yourself a scaffold. Make sure it is exactly how you like your code structured, etc. Work with Claude to document the things you like about it (I call mine polyArch2.md).
The scaffold will serve as a seed crystal. The document will serve as a contract. You will get much better results.
It's a financial asset management system, and it's for proprietary use only. Maybe I'm doing some YT insights in the future.
> I find it very hard to believe anyone could code anything complicated with Claude that 5-6 competent developers could do.
I should have put a disclaimer: I'm not a layman, I have 25y+ of IT experience.
Without my prior experience, I think this project wouldn't have come into existence.
> Some new value will be discovered in the code itself - maybe conceptual clarity, algorithmic novelty, structural cleanliness, readability, succinctness, etc. Those values will become the new foundations for future gatekeeping.
It's a nice idea, but I feel like that's only going to be the case for very small companies or open source projects. Or places that pride themselves on not using AI. Artisan code I call it.
At my company the prevailing thought is that code will only be written by AI in the future. Even if today that's not the case, they feel it's inevitable. I'm skeptical of this given the performance of AI currently. But their main point is, if the code solves the business requirements, passes tests and performs at an adequate level, it's as good as any hand written code. So the value of readable, succinct, novel code is completely lost on them. And I fear this will be the case all over the tech sector.
I'm hopeful for a bit of an anti-AI movement where people do value human created things more than AI created things. I'll never buy AI art, music, TV or film.
The work involved in maintaining a standard library is things like bug fixes. A larger standard library (or multi versions) means there's more likely to be bugs. You also have performance improvements, and when new versions of the language come out which has features to improve performance, you will most likely want to go back through and refactor some code to take advantage of it. You will also want to go through and refactor to make code easier to maintain. All of this just gets harder with a larger surface.
And the more stuff you pack into the standard library the more expertise you need on the maintenance team for all these new libraries. And you don't want a standard library that is bad, because then people won't use it. And then you're stuck with the maintenance burden of code that no one uses. It's a big commitment to add something to a standard library.
I find it quite funny how this blog post has a big "Ask ChatGPT" box at the bottom. So you might think you could ask a question about the contents of the blog post, so you type the text "summarise this blog post". And it opens a new chat window with the link to the blog post followed by "summarise this blog post". Only to be told "I can't access external URLs directly, but if you can paste the relevant text or describe the content you're interested in from the page, I can help you summarize it. Feel free to share!"
That's hilarious. Does OpenAI even know this doesn't work?
It looks like this doesn't work for users without accounts? It works when I'm logged in, but not logged out. I went ahead and reported it to the team. Thanks for letting us know!
SDET here. A year ago when AI came into play SDET/QA roles started disappearing. People were like oh ya anyone can write tests. Then with the recent fiascos about outages and what not, I am seeing the SDE roles are disappearing and SDET roles are going back up?! Apparently AI is good at writing applications but you still need someone to make sure it is doing the right things.
It’s not really good at writing the software either — it’s a moderate to decent productivity booster in an uneven, difficult-to-predict assortment of tasks. Companies are just starting to exit the “we’re still trying to figure this out” grace period. Expect more of that as soon as these chatbot companies have to start charging enough to pull in more money than they spend. I foresee some purpose-built models that are pretty lean being much more useful in long run. It’s neat that the bot which can one-shot a simple CRUD website for you can also crank out Scrubs-based erotic fan fiction novellas by the dozen but I don’t foresee that being a sustainable business model. Having good purpose-built tools is, in my opinion, better than some unwieldy tool that can do a whole bunch of shit I don’t need it to.
Interestingly, the first real productive use of AI that I found was writing the unit tests and integration tests for my applications. It was much better at thinking about corner cases than I was.
I picked up Claude today after being away and using only ChatGPT and Gemini for a while.
I was pretty impressed with how they’ve improved user experience. If I had to guess, I’d say Anthropic has better product people who put more attention to detail in these areas.
Many people buy two separate Claude pro subscriptions and that makes the limit become a non-issue. It works surprisingly well when you tend to hit the 5 hourly limit after a few hours, and hit the weekly limit after 4-5 days. $40 vs $100 is significant for a lot of people.
I hit the limit of Pro in about 30 minutes, 1 hour max. And only when I use a single session, and when I don't use it extensively, i.e. it waits for my responses, and I read and really understand what it wants and what it does. That's still just 1-2 hours out of 5.
You're probably having long sessions, i.e. repeated back-and-forth in one conversation. Also check if you pollute context with unneeded info. It can be a problem with large and/or not well structured codebases.
The last time I used Pro, it was a brand new Python REST service with about 2000 lines generated, all of it during that session. So how do I tell Claude to use less context, when there was none at the beginning, just my prompt?
So you had generated 2000 lines in 30 minutes and ran out of tokens? What was your prompt?
I’d use a fast model to create a minimal scaffold like gemini fast.
I’d create strict specs using a separate codex or claude subscription to have a generous remaining coding window and would start implementation + some high level tests feature by feature. Running out in 60 minutes is harder if you validate work. Running out in two hours for me is also hard as I keep breaks. With two subs you should be fine for a solid workday of well designed and reviewed system. If you use coderabbit or a separate review tool and feed back the reviews it is again something which doesn’t burn tokens so fast unless fully autonomous.
Thanks for the tip, didn’t think of using 2 subscriptions at the same company.
When reaching a limit, I switch to GLM 4.7 as part of the GLM Coding Lite subscription offered at the end of 2025 for $28/year. I also use it for compaction and the like to save tokens.
I'm using it via Copilot, and now considering also trying Open Code (with the Copilot license). I don't know if it's as good as Claude Code, but it's pretty good. You get 100 Sonnet requests or 33 Opus requests in the subscription per month ($20 business plan) + some less powerful models have no limits (i.e. GPT 4.1), while an extra Sonnet request is $0.04 and Opus $0.12, so another $20 buys 250 Sonnet requests + 83 Opus requests. This works better for me since I do not code all day, every single day. Also a request is a request, so it does not matter if it's just a plain edit task or an agent request, it costs the same.
Btw, I trust Microsoft / GitHub to not train on my data more (with the Business license) than I would trust Anthropic.
I agree! I recently migrated from ChatGPT to Claude and it is just superior in every way. It doesn't blather on and then, at the end, ask me for clarification. It's succinct and clarifies vital information before providing a solution.
Oh interesting. I've never used voice input on either so I can't comment, but understandable why you can't switch if it's disruptive to your workflow to do so.
I held off migrating from ChatGPT to Claude Code due to being a laggard that lived in the Eclipse world. I didn't believe what I was told that I wouldn't be writing code any more. Pushed into action by recent PR gaslighting from OpenAI, I jumped to claude code and they were right - I barely venture into the IDE now and certainly don't need an integration.
I agree, but in general those chat apps have relatively bad user experiences for a multibillion BtoC company. I used to have a lot of surprises and frustrations while using Claude Code / Desktop, and still encounter issues, but it's the best among the major LLM services.
It's funny cause, you know, fixing all those little nitty gritty things should be practically automatic with their own offerings... have your agent put in a lot of instrumentation... have it chase down bugs or dead-end user-journeys... have it go make the changes to fix it...
I've seen these tools work for this kinda stuff sometimes... you'd think nobody would be better at it than the creators of the tools.
I had something similar happen with skills today. A popup appeared saying, "hey, did you know ChatGPT has skills?" Clicking on it opened a new chat window, and after some thinking it said, "I tried to launch the built-in skills demo flow, but it isn’t available".
Following this process summarizes the blogpost for me. Perhaps the difference is I'm signed into my account so it can access external URLs or something of that nature?
This is infuriating. However, for those in this situation, know this: it works if the document or spreadsheet is in OneDrive. I just wish Copilot told you this instead of asking you to upload the doc.
This is such a stale take. In the past 3 years I’ve worked on multiple products with AI at their core, not as some add-on. Just because the corpo-land dullards[0] can’t execute on anything more complex than shoehorning a chatbot into their offerings doesn’t mean there aren’t plenty of people and companies doing far more interesting things.
[0] In this case, and with heavy irony, including OpenAI, although it sounds like most of this particular snafu is due to a bug.
> This is such a stale take. In the past 3 years I’ve worked on multiple products with AI at their core, not as some add-on. Just because the corpo-land dullards[0] can’t execute on anything more complex than shoehorning a chatbot into their offerings doesn’t mean there aren’t plenty of people and companies doing far more interesting things.
I feel like this is just a disagreement of what "AI integration" means. You seem to agree that the trend they're describing exists, but it sounds like you're creating new products, not "integrating" it into existing ones.
Kinda reminds me of crypto. There are certainly very interesting things happening in the crypto space. But the most visible parts of the crypto universe are the stupid parts (buying PNGs for millions, for example).
But when I was in the crypto space in 2018, there was a lot of interesting things happening in the smart contract world (like proofs of concepts of issuing NFTs as a digital "deed" to a physical asset like a house).
I don't think any of those novel ideas went anywhere, but it was a fun time to be experimenting.
Yeah, like most startups. I'd argue that a majority of AI startups now will go nowhere as well. That's just how new technology goes. Lots of shiny objects, lots of hype, and maybe 1%, if that, goes on to become a foundation of society.
Jury is still out on if crypto will become a foundation for society (if anything, it would be foundational for something boring and invisible like banking). I wouldn't bet on a startup doing that, but that's the only viable thing I can foresee crypto being useful for. But it doesn't mean that other applications can't be interesting and useless!
I mean, to be fair, both things can be technically true. There can be lots of interesting things being done, even while most can be low-effort garbage.
But this is just Sturgeon's Law (ninety percent of everything is crap), not an actually insightful addition to the discussion, and I very much agree it's a stale take.
This is not only OpenAI, but other models as well. Last week I added a "summarise with AI" block on a product blog page. I had seen it somewhere and felt like it’s a cool feature to have. Wrote a small shortcode in Hugo for the block and added it with various models.
It’s hit and miss; sometimes Claude says "I cannot access your site", which is not true.
I think you might have hit on the issue - just the wrong way around. I would assume they’re using LLMs for testing, and no humans or maybe just one overworked human, and that is the problem
As bad as Google Gemini telling me it couldn't search Google Flights or Google reverse image search for me. These companies really need to dogfood their own products first. Do they not realize how embarrassing it is when their flagship intelligence refuses to interop with their own services?
In Codex it was suggested that I try Codex Spark for a limited time. So for my next session, I gave it a shot.
It is much, much faster. However on the task I gave it, it spun around in circles cycling through files and finally abandoned saying it ran out of tokens.
Major fail.
Different team "manages" the overall blog than the team who wrote that specific article. At one point, maybe it made sense, then something in the product changed, team that manages the blog never tested it again.
Or, people just stopped thinking about any sort of UX. These sorts of mistakes are all over the place, on literally all web properties; some UX flows just end with you at a page where nothing works. Everything is just perpetually "a bit broken" seemingly everywhere I go, not specific to OpenAI or even the internet.
> Or, people just stopped thinking about any sort of UX. These sorts of mistakes are all over the place, on literally all web properties; some UX flows just end with you at a page where nothing works.
It's almost like people are vibe coding their web apps or something.
If only there was some kind of way to automatically test user flows end to end. Perhaps testing could be evaluated periodically, or even ran for each code change.
They're having service issues - ChatGPT on the web is broken for a lot of people. The app is working on Android - I'd assume that the rollout hit a hitch and the chatbox in the article would normally work.
Welcome to a big company where pretty much everyone has been working full steam for years, in order to take advantage of having a job at a company during a once-in-a-lifetime moment.
> allowing API users to return everything at once can be a problem both for our server (lots of data in RAM when fetching from the DB => OOM, and additional stress on the DB)
You can limit stress on RAM by streaming the data. You should ideally stream rows for any large dataset. Otherwise, like you say you are loading the entire thing into RAM.
Buffering up the entire data set before encoding it to JSON and sending it is one of the biggest sources of latency in API based software. Streaming can get latencies down to tens of microseconds!
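The "stream rows instead of loading the whole set" advice above, as an added example of the database side of it in PostgreSQL (not the commenter's code): the API process pulls bounded batches and can encode and flush each one before asking for the next. The transactions table and its columns are assumed names.

```sql
-- Added example (not the commenter's code): fetching a large result set from
-- PostgreSQL in bounded batches so the API process never holds it all in RAM.
-- Table and column names (transactions, id, account_id, ...) are assumptions.

-- Option 1: a server-side cursor. Each FETCH hands the API server one batch,
-- which it encodes and writes to the HTTP response before fetching the next,
-- so peak memory is one batch rather than the whole result.
BEGIN;
DECLARE tx_stream NO SCROLL CURSOR FOR
    SELECT id, account_id, amount, created_at
    FROM transactions
    WHERE created_at >= date '2025-01-01'
    ORDER BY id;
FETCH FORWARD 1000 FROM tx_stream;   -- repeat until it returns fewer than 1000 rows
CLOSE tx_stream;
COMMIT;

-- Option 2: keyset pagination, for when holding a transaction open while
-- writing to the HTTP response is undesirable. The server resumes from the
-- last id it already sent; unlike OFFSET, cost does not grow with position.
SELECT id, account_id, amount, created_at
FROM transactions
WHERE created_at >= date '2025-01-01'
  AND id > 48213                     -- last id of the previous batch (constructed value)
ORDER BY id
LIMIT 1000;
```

Either way the response can be written as a JSON array that is opened once, appended to per batch, and closed after the last one, instead of being built in full first.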
This was the same for me. The M4 Pro is my first MacBook ever and it's actually incredible how much I prefer the daily driving experience versus my brand new 9800X3D/RTX 5080 desktop, or my work HP ZBook with a 13th Gen Intel i9. The battery lasts forever without ANY thought. On previous Windows laptops I had to keep an eye on the battery, or make sure it's in power saving mode, or make sure all the background processes aren't running or whatever. My MacBook just lasts forever.
My work laptop will literally struggle to last 2 hours doing any actual work. That involves running IDEs, compiling code, browsing the web, etc. I've done the same on my MacBook on a personal level and it barely makes a dent in the battery.
I feel like the battery performance is definitely down to the hardware. Apple Silicon is an incredible innovation. But the general responsiveness of the OS has to be down to Windows being god-awful. I don't understand how a top of the line desktop can still feel sluggish versus even an M1 MacBook. When I'm running intensive applications like games or compiling code on my desktop, it's rapid. But it never actually feels fast doing day to day things. I feel like that's half the problem. Windows just FEELS so slow all the time. There's no polish.
My work MBP also can drain the battery in a couple hours of light use. But that's because of FireEye / Microsoft Defender. FireEye has a bug where it pegs the CPU at 100% indefinitely and needs to be killed to stop its infinite loop. Defender hates when a git checkout changes 30,000 files and uses up all my battery (but I can't monitor this because I can't view the processes).
It’s always the corporate wares that cause the issues; in my case it’s CrowdStrike and Zscaler. Even with these wares I can last a full day with my M1 Pro. I only noticed the battery drained to 0 once, when I went on vacation for a week; it never happened before these wares.
I also have to run Defender on my MacBook at work.
If you have access to the Defender settings, I found it to be much better after setting an exclusion for the folder that you clone your git repositories to. You can also set exclusions for the git binary and your IDE.
Have you checked whether the work laptop's bad battery life is due to the OS, or due to the mountain of crapware security and monitoring stuff that many corporations put on all their computers?
I currently have a M3 Pro for a work laptop. The performance is fine, but the battery life is not particularly impressive. It often hits low battery after just 2-3 hours without me doing anything particularly CPU-intensive, and sometimes drains the battery from full to flat while sitting closed in a backpack overnight. I'm pretty sure this is due to the corporate crapware, not any issues with Apple's OS, though it's difficult to prove.
I've tended to think lately that all of the OSes are basically fine when set up reasonably well, but can be brought to their knees by a sufficient amount of low-quality corporate crapware.
Part of why Windows feels sluggish is because a lot of the components in many Windows machines are dogshit - especially storage. Even the old M2 is at 1400 MB/s write speed [2], the M5 is at 6068 MB/s [2]. Meanwhile in the Windows world, supposed "gamer" laptops struggle to get above 3 GB/s [3]. And on top of that, on Apple devices the storage is directly attached to the SoC - as far as I know, no PCIe, no nothing, just dumb NAND. That alone eliminates a lot of latency, and communication data paths are direct as well, with nothing pesky like sockets or cables degrading signal quality and requiring link training and whatnot.
That M2 MBA however, it only feels sluggish at > 400 Chrome tabs open because only then swapping becomes a real annoyance.
> Part of why Windows feels sluggish is because a lot of the components in many Windows machines are dogshit - especially storage.
Except that you can replace Windows with Linux and suddenly it doesn't feel like dogshit anymore. SSDs are fast enough that they should be adding zero perceived latency for ordinary day-to-day operation. In fact, Linux still runs great on a pure spinning disk setup, which is something no other OS can manage today.
Hmm, for most desktop stuff, you're still limited by random access, where even if leagues above HDD, NVMe still sucks compared to sequential. It's sad that Intel killed Optane/3D XPoint, because those are much better at random workloads and they still had lower latencies than the latest NVMe (not by much anymore).
I don't understand why Optane hasn't been revived already for modern AI datacenter workloads. Being able to augment and largely replace system RAM across the board with something cheaper (though not as cheap as NAND, and more power-hungry too) ought to be a huge plus, even if the technology isn't suitable for replacing HBM or VRAM due to bulk/power constraints.
Windows laptops have been pretty much exclusively NVMe for years. The 2.5" SATA form factor was a waste of space that laptop OEMs were very happy to be rid of, first with mSATA then with M.2 using SATA or NVMe. NVMe finished displacing SATA years ago, when the widespread availability of hardware supporting the NVMe Host Memory Buffer feature meant that entry-level NVMe SSDs could be both faster and cheaper than the good SATA SSDs. Most of the major SSD vendors discontinued their M.2 SATA SSDs long ago, indicating that demand for that product segment had collapsed.
If someone needs access to a secret, you would implement it in this DSL and commit that to the system. A side effect would run on that which would grant access to that secret. When you want to revoke access, you commit a change removing that permission and the side effect runs to revoke it.
Yep. But on HN, there's a huge cohort of people saying AI is useless.
Everyone sees the downsides but the upside is the one everyone is in denial about. It's like yeah, there's downsides but why is literally everyone using it?
As a rule of thumb, most people who say things like "X is useless and a waste" or "Y is revolutionary and is going to change everything by tomorrow" when the dust hasn't even begun to settle are stupid, overly-excitable, too biased towards negative outlooks, and/or trying to sell you something.
Sometimes they have some good points so you should listen to what they have to say. But that doesn't mean you have to get absorbed into their world view. Just integrate what you see as useful from your current POV and move on.