For most of my career (over 30 years now) where I've had sufficient access privileges to matter, I've fairly diligently maintained an "Important credentials and access" list, which I've sent to my employer when leaving, strongly advising them of the need to disable or rotate those credentials.
This especially includes creds like root or admin level access to AWS/GCP/whatever-cloud-or-hosting-service, and other critical creds like user/password management, domain name registrations, AppleStore and GooglePlay accounts, source code repos, documentation and internal tooling, external services like observability/analytics/crash-tracking. It also includes a current(ish) list of all clients/projects where I've had any access at all, listing things like API keys, ssh keys and bastion hosts, project or platform admin creds, as well as systems like databases (SQL and KV caches), and firewall rules specific to me.
I also try to list anything else I could, if I were a malicious disgruntled ex-employee, use to cause grief to the employer or their clients.
I point out in this email that if I were to be rogue, I'd most likely have intentionally left something out or left behind backdoors or timebombs, and while I am not that kind of person and I have not done those things, they owe it to themselves and their clients to have someone else senior and experienced enough carefully audit everything to ensure I cannot access anything.
I send this from a personal email account, so I still have timestamped records of having sent it. If an ex-employer ever gets hacked shortly after I leave, I want evidence I did everything I reasonably could to remind them to lock me out.
(Writing this down reminds me it's been a while since I updated this - I guess that's something I'll need to get on to soon.)
I'm pretty sure we are getting close to the point where a few thousand bucks worth of tokens is enough for an agent coding session to reproduce a significant sized (but not linux kernel sized) C codebase in Rust that's 100% security bug for security bug compatible with the original. And _maybe_ "given enough eyeballs, all bugs are shallow" was true or even close to true once. But none of the "new code" ever has a _single_ eyeball cast over it. You know how sometimes you can stare into the code you wrote for weeks, but as soon as somebody else sees it they go "Hmmm, that bit looks odd. Are you sure it's right?" For most vibe coders or agent coders, it's all the same tool that generated the code that's looking for the bugs - it seems reasonable to assume that if a particular LLM generated the buggy code in the first place, it's at least as unlikely to find the bugs as a human who writes buggy code?
> I'm pretty sure we are getting close to the point where a few thousand bucks worth of tokens is enough for an agent coding session to reproduce a significant sized (but not linux kernel sized) C codebase in Rust
Given a comprehensive test suite for the original, probably, yes. If the test suite isn't great, you are still going to spend a lot of time/tokens chasing edge cases.
> that's 100% security bug for security bug compatible with the original
You can do this part without AI. c2rust will give you a translation that retains all the security bugs (and all the memory unsafety). The hope is that the AI in the loop will let you convert it to idiomatic Rust (and hence avoid the memory unsafety, and in doing so, also resolve some of the security issues).
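To make the c2rust point concrete, here is an added example that is not from the thread and not actual c2rust output: a hand-written rendering of what a mechanical translation of an assumed C function `copy_field()` (length byte followed by payload, copied into a caller buffer with no bounds checks) looks like, next to the idiomatic rewrite. The translated form keeps the bug bug-for-bug; the idiomatic form can only fail by returning an error. The demo shows the retained bug without corrupting memory by giving the translated function a 64-byte backing buffer while claiming it is 4 bytes long.

```rust
use std::ptr;

/// Shape of a mechanical C-to-Rust translation (assumed C source, not real
/// c2rust output): raw pointers, an unsafe body, and the same missing bounds
/// checks as the original. `_src_len` and `_dst_len` are accepted but never
/// consulted, exactly as in the assumed C function.
pub unsafe fn copy_field_translated(
    src: *const u8,
    _src_len: usize,
    dst: *mut u8,
    _dst_len: usize,
) -> i32 {
    unsafe {
        let n = *src as usize; // attacker-controlled length byte
        // Copies `n` bytes regardless of how big src or dst really are.
        ptr::copy_nonoverlapping(src.add(1), dst, n);
        n as i32
    }
}

#[derive(Debug, PartialEq)]
pub enum FieldError {
    Truncated,
    DstTooSmall,
}

/// Idiomatic rewrite: slices carry their lengths, so every out-of-bounds
/// case becomes an explicit error instead of a memory-safety bug.
pub fn copy_field(src: &[u8], dst: &mut [u8]) -> Result<usize, FieldError> {
    let (&n, body) = src.split_first().ok_or(FieldError::Truncated)?;
    let n = usize::from(n);
    if body.len() < n {
        return Err(FieldError::Truncated); // length byte claims more than is present
    }
    if dst.len() < n {
        return Err(FieldError::DstTooSmall); // would have overflowed dst in C
    }
    dst[..n].copy_from_slice(&body[..n]);
    Ok(n)
}

/// Runs both versions on the same constructed input (length byte 8 followed
/// by "ABCDEFGH") against a destination the caller claims is 4 bytes long.
/// The backing allocation is really 64 bytes, so the translated function's
/// over-write lands in memory we own and can be inspected safely.
pub fn demo_overflow() -> (Vec<u8>, Result<usize, FieldError>) {
    let src: [u8; 9] = [8, b'A', b'B', b'C', b'D', b'E', b'F', b'G', b'H'];

    let mut backing = vec![0u8; 64];
    let written = unsafe {
        copy_field_translated(src.as_ptr(), src.len(), backing.as_mut_ptr(), 4)
    };
    assert_eq!(written, 8); // wrote 8 bytes into a "4 byte" buffer

    let mut safe_dst = [0u8; 4];
    let safe = copy_field(&src, &mut safe_dst);

    (backing, safe)
}

fn main() {
    let (backing, safe) = demo_overflow();
    println!("translated wrote: {:?}", &backing[..8]);
    println!("idiomatic result: {:?}", safe);
}
```

The idiomatic version is not automatically "more secure" in every respect: a caller that used to get a silently truncated or corrupted result now gets an `Err` it has to handle, which is the kind of behavioural change that the "bug for bug compatible" test suite from the earlier comment would flag.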
If Louis Rossman's YouTube rant is correct, nobody involved here modified the AGPL software. They just used a version of the AGPL software from before Bambu Labs changed the auth code.
While I agree that the AGPL does not grant users any rights to Bambu's cloud service, sending DMCA nastygrams to people hosting copies of old versions of their software isn't the right (or even legal) way to enforce that. And since Bambu chose to build their products and software stack on pre-existing AGPL code, they've backed themselves into a corner a bit with other options. They can add new auth to new versions of the code (which is stronger than just hardcoded useragent-like strings in the code) but they'll then have to release the source code to their new version - exactly like the original authors who chose the AGPL intended.
> The US's justice system is certainly lacking in many, many ways, but wow, this is barbaric.
I am lucky enough to have a lot of middle aged middle class white male privilege.
I wonder how many minority people in the US have much worse opinions and life experience of the justice system than you're implying?
I wonder how many people consider typical ICE arrests and detention to be at least as "barbaric" and "psychological torture" as what's described in the article?
I wonder how many young African American males (and their families) look at the private for-profit prison system and conclude the US justice system and policing are designed for "high conviction rates, regardless of guilt or innocence."
You can see that's not a particularly useful metric to evaluate a legal system (and in the US, states, tribal, federal differ).
Americans ostensibly have the bill of rights in their favor, while Japan doesn't. Sure, you can't be indigent if you expect a vigorous defense from the state, but your odds are good if your case isn't hopeless, and many are - the incidence of plea deals typically reflects this.
Prisons in the US might be run by the government, but private companies profit heavily on services provided to these facilities. Basically everything possible is outsourced - commissary, food, healthcare, labour…
Add that to the highest incarceration rate in the world - around 600 people per 100k residents (Japan for example is 40 per 100k).
You get what people call for-profit prison system. It's not some secret or controversial claim.
>Basically everything possible is outsourced - commissary, food, healthcare, labour…
That's as true at the DMV as it is for the DOD and BOP, isn't it? Even Japan's system buys goods from the private sector and hires people.
The stated purpose of the prison system(s) is to store people away from communities as part of the justice process until they can reenter society. The evidence of that is clear in the inmates held, something to the tune of 1-1.5m when you add up state and federal prisons. I think it's straightforward to explain a higher incarceration rate than Japan through a higher crime rate than Japan.
Incarcerations (using yours) - US is ~15 times higher
US: 600/100k
JP: 040/100k
Murder (2023 [1]) - US is ~25 times higher
US: 5.76/100k
JP: 0.23/100k
Yes, there are more crimes than homicide, but the US trends more criminal and more violent than JP. Our demographics and culture are different than JP.
>It's not some secret or controversial claim.
It's a claim without direct proof relying on inference where people will see what they want to see like a Rorschach test, similar to calling a conflict a 'war for oil' or the broader description of the military-industrial complex.
Right now it kinda feels to me like "Open Source" is the Russian army, assuming their sheer numbers and their huge quantity of equipment, much of which is decades old.
Meanwhile attackers and bug hunters are like the Ukrainians, using new, inexpensive, and surprisingly powerful tools that none of the Open Source community has ever seen in the past, and for which it has very little defence capability.
The attackers with cheap drones or LLMs are completely overwhelming the old school who perhaps didn't notice how quickly the world has changed around them, or did notice but cannot do anything about quickly enough.
Well this argument was certainly inventive.
What a weird impression to have about these things.
Who exactly is the innocent little Ukraine supposed to be that the big bad open source is supposed to be attacking to, what? take their land and make the OSS leader look powerful and successful at achieving goals to distract from their fundamental awfulness? And who are the North Korean cannon fodder purchased by OSS while we're at it?
Yeah it's just like that, practically the same situation. The authors of gnu cp and ls can't wait to get, idk, something apparently, out of the war they started when they attacked, idk, someone apparently.
I guess I should have realised that comment could be so easily interpreted in ways I hadn't intended - given the political nature of that war.
I wasn't intending to pass judgement on which side is the "innocent little" and which is the "big bad", but I (and the downvoters) clearly see it obviously reads one specific way.
I wish I'd chosen a less contentious example of an unarguably good army that's 50 or 100 years old and is still using tactics and equipment from the 70s and earlier, fighting against a somewhat less clearly "good" army using new tools that barely existed 5 years ago and new tactics that the older army (and everybody else) has never seen before, with the capability to create new weapons and adjust tactics at speeds previously thought impossible. But that war doesn't exist (at least not outside of blindly loyal Russia supporters).
For the record, I believe Russia is clearly on the side of evil and Ukraine is clearly on the side of good in this conflict.
> even C code born long ago, if it's still in wide use, has been hardened by now. Examples: Linux kernel
There have been two LPE vulnerabilities and exploits in the Linux kernel announced today. After the one announced just last week. I don't think as much of the C code born long ago has been as carefully hardened as you think.
(Copy Fail 2 and Dirty Frag today, and Copy Fail last week)
Sure, I didn't mean to say that these examples are guaranteed 100% safe -- just that I trust them to be enormously more safe than software that accomplishes the same task that was hand-written by either a human or an LLM last week.
Are you sure? I'd really like that to be true, I felt bad finishing up work on Friday evening having applied the Dirty Frag mitigation to all our instances, but knowing (thinking?) the Copy Fail 2 vulnerability was still exploitable.
Technically there are two things that need to be fixed in the kernel indeed (and one of them was fixed already), but they're both under the "Dirty Frag" umbrella and the proposed mitigation to not allow the affected modules to load applies to them both.
"Dress up. Leave a false name. Be legendary. The best Poetic Terrorism is against the law, but don’t get caught. Art as crime; crime as art." -- T.A.Z.: The Temporary Autonomous Zone, Ontological Anarchy, Poetic Terrorism, 1985