I was one of the “lucky” few to witness the school of slur-fish.
Being in security I laughed because of how egregious it was but also because I knew someone on HN with some actual time on their hands to help properly would be along soon.
I also appreciate this post mortem. Vibe-coded anything in prod is a lot of my work load in IR these days but it was nice to see such a low stakes project properly documented.
People will be quick to jump on the "it was vibe coding's fault" but at least two of the issues are pretty common even in designed systems without AI - leaving in a "test admin" access and verifying tokens but not cross-checking them.
This is pretty reductive of the actual problem people typically complain about with vibe coding - It produces very workable prototypes fairly quickly and without a lot of hassle. Great! The problem is, and this is a great example (of many) where someone mistook the working prototype with a system that was ready for production. The JWT thing in particular is not really a mistake many people who work on that kind of thing would make.
People need more understanding of the risks of vibe coding and YOLOing to prod with these tools. They are powerful, but like all powerful tools, can be wielded irresponsibly.
most in-use LLMs prompted with a simple "You're in charge of infrastructure security, let's review possible problem points" would have uncovered this.
I wouldn't fault a compiler for erring when someone left out a period; i'd tell the person to start including it -- but for some reason the expectation for LLMs is hands-off work ; I guess we're just in that phase of the hype at the moment.
> for some reason the expectation for LLMs is hands-off work
The expectation is the same as the expectation for self driving: users expect it to be fully hands off, even when they are explicitly told they need to keep their hands on the wheel.
This is because it's tricky, tedious, and unejoyable to thouroughly vet the actions of a machine in realtime.
very interesting- i actually enjoy monitoring claude code and telling it when it is going the wrong way on something. i also don’t mind monitoring the car doing its lane keeping, perhaps it is an autism trait?
I think it's pretty reasonable to expect AI to produce systems with issues "pretty common even in designed systems without AI" because that's what AI was trained on.
I expect these AI and LLM to be, basically, a middle of the bell-curve type producer of code. Just like their other output. Not terrible, not exceptional, just what a Mid could do - only faster.
Not sure what's being marketed, but I expect mediocre.
It does sound condescending. I think the sentiment is important though. Asking someone to be specific can help them think clearly. What’s a nicer way to do that?
I think "Who, specifically, claims that [...]?" comes off as less condescending than "Who claims that [...]? Be specific." just by virtue of the latter using imperative language, which triggers a reflexive "you're not the boss of me" reaction.
The message is clear in both cases. It's easier to put aside these irrational reflexive reactions and think about
whatever worth can be derived from the message than it is to carefully manage the emotions of varied readers whom you don't know. This is different from bring overtly inflammatory, although the lines for this are subjective.
Ultimately it's probably not a productive use of time to be commenting here at all from a strict EV perspective. Meaning that if you're posting here, you're probably getting something else out of it. The value of that "something else" determines how you should approach the problem of managing the gut reactions of your readers.
If someone asks for a better way to word something to reduce reader hostility to their point, I assume that they will be better off for knowing the answer to that question, and can decide for themselves whether they want to change their writing style or not - and, whether they do or do not, the effects of their writing will be more intentional.
In the two cases, the meaning of the message may be the same, but the tone of the message is different. One tone invites further engagement, the other invites disengagement.
I thought checking a token against the cert is actually called verifying or is noawadys verifying just if it looks like a token it maybe a valid token?
I actually did see one, while the site was #1 and well before the overnight excitement. (Good grief, even at this late age I have something to do with my Friday evenings...)
I don't really know what you want me to tell you about it. The swastika per se as I recall had to be drawn backwards, because there is no meaningful overlap between its outline and that of a fish, so unlike the penis case this is very easy for the classifier. It wasn't clever and it wasn't funny. Several people reported it and it quickly disappeared, whereupon apparently someone decided we shouldn't have nice things, or not for a little while at least.
> But if you had the displeasure of viewing my website between the hours of 2AM (20 minutes after I went to sleep) and 8AM (when I woke up) EST on Aug 3, then you would have seen chaos. Every single username was transformed to a heinous slur, many unsavory fish had made it into the fishtank, and many beautiful fish were gone.
At some point, asking for more starts to seem like rubbernecking at a car crash, you know?
Being in security I laughed because of how egregious it was but also because I knew someone on HN with some actual time on their hands to help properly would be along soon.
I also appreciate this post mortem. Vibe-coded anything in prod is a lot of my work load in IR these days but it was nice to see such a low stakes project properly documented.