we love to say things like these, but... most security issues are in fact BYPASSABLE - virtualization, firewalls, autorollbacks, ro-filesystems and so on are many of the tools we have on our belts
decades of WordPress have taught us that insecure apps can 100% be securely deployed
it's a bit of an art, most recently dedicated devops/sre ppl suck at it, but it's doable
...aeons ago in a former life we ran production apps that got hacked weekly, and nobody batted an eye at it, backup servers recreated from secure ro-images were spun up with the last-clean-app version, occasionally we had fun disassembling whatever reverse shells and other malware that got beached on our systems (but couldn't "swim" bc everything we ran was "too exotic" for them to figure out the next steps of a proper attack), development and business continued as usual with zero interruptions etc
If you go against every principle (defense in depth, security through obscurity), maybe you should ask yourself "am I willing to be on the record saying this when my company gets hacked?"
There can be multiple reasons a system crumbles, do you want to be behind one of them... intentionally?
100%. I'm willing to prioritize what matters at the right time. if "inner-system security" is not the right priority, and security can be attained at the "outer-system level" better, we should have the balz to say it. fuckitol
Imagine if your doctor said "we don't really need to do this if some other guy or nurse does a right job, so fuck it".
In other critical professions you don't want to screw up because when you lose license you're legally unemployable. Maybe it's time to require a license to be a programmer. We used to have a strong culture but those days are gone and stakes are higher. Putting people at risk because you think VC can vibe code an insecure app and then it's everybody else's responsibility to ship it securely?
you got everything I said wrong: I'm familiar with security and infrastructure best practice and I'm confident I/we can securely deploy almost any vibe-coded crap someone can throw at us - we understand security, we understand defense-in-depth, we understand the subtle trade-offs of why security by obscurity is usually a bad idea (and when it does help) etc.
sure, if the vibe-coded sloptopus does bank transfers and stuff, properly carving these pieces out of it might require actual engineering work before containerizing it - but if someone is willing to pay for it, it can be done
some "toy" example: take a crappy app that stores llm keys in config files that the llm agents themselves can edit - after isolating it, put an llm proxy in front of it and have those keys be short-lived proxy-keys with aggressive rate limits and monitoring etc etc
isolation, injecting proper monitoring into code of apps, putting proxies between app and apis, and layers between app and infra it runs on or touches etc
and these things now can be mostly cookbook-ified / automated 90% of the way too
as long as you can chop things into little pieces and ensure short-lived and granular access to valuable data you can 100% run totally unsecure and buggy code reliably and get value from it
it's engineering and understanding security from first principles [and a culture around it - that _is_ the HARD af bit though...] instead of just believing in "secure app best practices" from the "holy scriptures" - secure apps are hackable, and unsecure apps can be unhackable, heck even mil systems run on unpatched old software everywhere, they're just properly insulated, the components are insecure but the system as a whole can be perfectly secure
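The "toy" example above (an untrusted app that can only hold short-lived, rate-limited proxy keys while the real LLM key stays behind a monitored proxy), as an added illustration that is mine, not the commenter's. The upstream call, the real key value and the clock are stand-ins I supply so it runs offline.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class ProxyKey:
    """A short-lived, rate-limited credential handed to one app/agent."""
    app_id: str
    expires_at: float
    max_per_minute: int
    window_start: float
    used: int = 0


class LlmKeyProxy:
    """Sits between an untrusted app and the LLM API. The app only ever
    holds proxy keys; the real upstream key never leaves this process."""

    def __init__(self, upstream_key, upstream_call, clock=time.time):
        self._upstream_key = upstream_key    # real key, never returned to callers
        self._upstream_call = upstream_call  # callable(real_key, prompt) -> str (stub here)
        self._clock = clock                  # injectable so tests can move time
        self._keys = {}
        self.audit_log = []                  # what monitoring/alerting would consume

    def issue_proxy_key(self, app_id, ttl_seconds=300, max_per_minute=30):
        token = secrets.token_urlsafe(24)    # unguessable, unrelated to the real key
        now = self._clock()
        self._keys[token] = ProxyKey(app_id, now + ttl_seconds, max_per_minute, now)
        self.audit_log.append(("issued", app_id, ttl_seconds, max_per_minute))
        return token

    def forward(self, proxy_key, prompt):
        """Validate the proxy key, enforce TTL and rate limit, then call upstream."""
        now = self._clock()
        rec = self._keys.get(proxy_key)
        if rec is None or now >= rec.expires_at:
            self._keys.pop(proxy_key, None)  # expired keys are dropped, never reused
            self.audit_log.append(("denied", "unknown_or_expired", proxy_key[:6]))
            return None
        if now - rec.window_start >= 60:     # fixed one-minute rate window
            rec.window_start, rec.used = now, 0
        if rec.used >= rec.max_per_minute:
            self.audit_log.append(("denied", "rate_limited", rec.app_id))
            return None
        rec.used += 1
        self.audit_log.append(("forwarded", rec.app_id, len(prompt)))
        return self._upstream_call(self._upstream_key, prompt)
```

Even if an agent edits its config file and leaks the proxy key, the damage is bounded by the TTL and rate limit, and every use shows up in the audit log.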
As a developer becomes better, they become better than an LLM, being able to deal with more complex things than what an LLM can handle. Some people will not be able to pass it, but others will.
When there will ever be AGI (I don't think this can be achieved with the current architecture, it needs another AI breakthrough), then we might not be able to surpass it, much like chess currently.
I think the evidence that AI is better at knowledge work without a human in the loop... is very limited.
Humans with many agents will be more productive, but the tendency for these models has been to regress to the mean when it comes to strategic insights.
So far, I think you're right. But the rate of progress just seems so crazy that I'm not seeing any moats that look fundamental. I hope I'm wrong and you're right.
There’s diminishing returns to luxuries like this. You’ve found it to be worth it personally, but my point isn’t that a single individual won’t like it, my point is that most drivers don’t really need it and shouldn’t go out of their way to compromise on other aspects of the vehicle to get it.
I would compare this to a niche luxury feature like cooled or massaged seats. The people who seek out those features swear by them but it’s not good advice to tell an average person to spend the money on them, and they aren’t universally praised by people who try them.
I like watching my wealth grow in investments rather than investing in depreciating assets like vehicles. My attention at the wheel in my paid off 12 year old Mazda is free, and I’m still safer than any automated system for the time being (Tesla has the worst fatal accident rate of any brand [1] so I assume that FSD can’t be all that safe)
I also like reducing how much I drive wherever I can rather than band-aiding the problem of driving fatigue with driving automation. Driving less is a solution to driving fatigue. Taking public transit is a solution to driving fatigue. The $30k it costs to buy a gently used Tesla would be better invested in a down payment on an appreciating house or condo in a less car-dependent neighborhood. Hell, moving to the Netherlands and buying a bicycle doesn’t even cost $30k.
> FSD will refuse to engage in those situations, often
this is not true. It will basically engage any time your foot is not on the brake, the steering angle isn't beyond some threshold, and path prediction is relatively stable (which is approximately all the time). The main place it will refuse to engage is if you're in the middle of an intersection and it's ambiguous where your destination lane is.
"Smart people have economic opportunities that align them away from being evil"
For some definition of evil, some of the time, ok. But as economic opportunities compound (looking at the behavior of the ultra-rich), it seems there's at least strong correlation in the other direction, if not full-on "root of all evil" causation.
Sure, but that’s not “slaughter a stadium of people with drones” evil or “poison the water supply” evil or “take out unprotected electrical substations” evil.
So much infrastructure is very soft because the evil people aren’t smart enough to conceive of or conduct an attack.
Capitalism is a continuum, not a binary, hence occasional discussion "China is communist!" "No, it is state-capitalism!"
Is Russia currently capitalist, or non-capitalist? Which is Myanmar?
Anyway, personally I think it's the wrong axis; while capitalism and democracy and free press are often correlated, I think that the latter two are the important ones for actually choosing the lesser evils, though capitalism does generate more options to choose between.
Good. This is how we will force the world to reckon with the isolated, the disgruntled, and "lone wolf" terrorist. Real "sigma males" actually exist, and when they decide "society has to pay" we are all worse off for it. If Ted Kaczynski (quintessential example of a real actual sigma) had been in his prime operating right now, he'd have mail-bombed NeurIPS and ICLR already. I'm not cool with being in crowds of AI professionals right now for physical security reasons given the extreme anti-AI sentiment that exists from nearly everyone outside of the valley: https://jonready.com/blog/posts/everyone-in-seattle-hates-ai...
That’s not quite true. Take a look at all the billionaires destroying society. Being evil is the surest way to get rich. In fact it’s the only way to amass that level of capital: there’s no ethical billionaire.
This feels like a wild overgeneralization. People can become rich without resorting to evil methods, especially now with global markets and software. Case in point: Minecraft was wildly successful, and now Notch is a billionaire.
Pre-wealth, Notch was friendly, kind, and downright jolly! Even as he started to accumulate wealth, he was donating huge sums of money to various indie games. Whenever a Humble Bundle dropped he would top the leaderboard for the amount he paid for the games. Things took a major turn for the worse after the acquisition and after he left Mojang. That's when he ran out of purpose and turned to drugs and conspiracy theories.
> getting an image URL are basically impossible except for McGuyver tricks
Assuming you're talking about an image in the browser? Long press, drag it to the address bar, that'll load the image alone and you can copy the address from the bar.
Holy crap, you can do this? I always assumed for some reason you had to pay for expenses with an HSA in the year they were incurred.