I have heard the same rhetoric about IDEs, autocomplete (Intellisense, Jedi, etc.), DevOps, and frameworks. The kernel of truth across all of them is the separation between a dev and good dev. It is getting easier and easier to have something built for you using AI in your IDE in a framework that abstracts all the things away dumped into a prebuilt pipeline that deploys your artifacts for you. A dev can do that. A good dev understands the tools and knows when to dig into things.

I have yet to see a decrease in the number of good devs I meet even though IDEs slowly replaced text editors (and editors became strong enough to become IDEs). Frameworks have enabled more good devs to focus on business logic. DevOps provides solid guard rails for everything.

I don’t know if there’s an increase in the number of superficial devs. I haven’t interviewed junior dev candidates in awhile. I do know the market is flooded right now so I’d argue there might be other factors.

Also overall I do agree with the idea that letting copilot do everything for you means you don’t understand anything. Shit was the same way when cookbooks were common.

$2/mo is pretty close to what Reddit premium was back before they turned the Reddit silver meme into a real thing! That’s a great amount to donate. Don’t sell yourself short.

The most frustrating thing about this article is that it completely ignores that good movies targeted at kids still have to be good. Personal complaints aside, the new Mario movie was reasonably good for adults and great for kids. Pixar keeps churning out things that are fantastic on many levels. Bluey is an amazing show that can resonate with kids and parents. I don’t for a minute buy the elitist bullshit of “well you’re not a kid so you can’t comment.” Muppet Treasure Island holds the fuck up as an adult so this writer can fuck right off.

It’s okay for background noise. It is infuriating to watch. It’s not even slightly funny at a bad movie level of funny. It’s just bad.

A single character, per your definition, is not blatant malicious code. Stop moving the goalposts.

It’s clear you don’t understand the space and you don’t seem to have any interest in acting in good faith based on your other comments so good luck.

I mean anything is a good fit for future, science fiction AI if we imagine hard enough.

What you describe as “blatant malicious code” is probably only things like very specific C&C domains or instruction sets. We already have very efficient string matching tools for those, though, and they don’t burn power at an atrocious rate.

You’ve given us an example so PoC||GTFO. Major code AI tools like Copilot struggle to explain test files with a variety of styles, skips, and comments, so I think you have your work cut out for you.

That’s true! It also seems like you might not have experience dealing with attacks at scale? Defense in depth involves using everything. If I can reduce incoming junk traffic by 80% by masking returns, I have achieved quite a lot for very little. Don’t forget the A in the CIA triad.

There are competing interests here: normal consumers and script kiddies. If I build an API that follows good design, RFCs, pretty specs, all of that, my normal users have a very good time. Since script kiddies brute force off examples from those areas, so do they. If I return 200s for everything without a response body unless authenticated and doing something legit, I can defeat a huge majority of script kiddies (really leaving denial of service). When I worked in video games and healthcare, this was a very good idea to do because an educated API consumer and a sufficiently advanced attacker both have no trouble while the very small amount of gate keeping locks out a ton of annoying traffic. Outside of these high traffic domains, normal design is usually fine unless you catch someone’s attention.

Other answers have only called out rotating the secret which is how you fix this specific failure. After you’ve rotated, delete the key from the repo because secrets don’t belong in repos. Next look at something like git-secrets or gitleaks to use as a local pre-commit hook to help prevent future failures. You’re human and you’re going to make mistakes; plan for them.

Another good habit to be in is to only access secrets from environment variables. I personally use direnv whose configuration file is globally ignored via the core.excludesfile.

You can add other strategies for good defense-in-depth such as a pre-receive hook checking for secrets to ensure no one can push them (eg they didn’t install hooks).

They’ve renamed Kyber512 and still recommend it. If you believe DJB this is bad. If you believe in a government agency avoiding even the slightest appearance of backdooring (which they have consistently done), this is bad. If you trust NIST, this is fine.

Your response was to call my argument sarcasm. That is directed at me rather than what I said. That’s quite literally, not figuratively, the definition of sarcasm.

I wish you the best of luck. You don’t seem to be interested in the comments unless it agrees with you and you have yet to share a perfect resource. Have fun!

I took the things defined in the comments responding to mine and extended them. If we can’t share a mixed bag, all of the things I highlighted are out. It would be logically inconsistent to think otherwise starting from your conclusions. Either we have perfect resources or we have, as I called out, to pick and choose our battles. I want to see a perfect resource not ad hominem.

Edit: genuinely surprised to see someone on a CS instance not understand reductio ad absurdum/impossibile (depending on how you feel about Gang of Four)

I’m all for it! What’s the resource that solves this problem?

It must be perfect since we can’t ever give mixed bags of advice. There are apparently better resources although I didn’t see one in the article and things like Code Complete and Pragmatic Programmer address a lot of the same things. Hell, we probably shouldn’t talk about The Mythical Man-Month anymore either. Do we also throw out Design Patterns since singletons are arguably bad design these days?

I feel like it’s wrong to idolize anything in the same way that it’s wrong to throw out many things (there are some clear exceptions usually in the realm of intolerance but that’s unrelated to this). Clean Code, like every other pattern in software development, has some good things and some bad things. As introduction to the uninitiated, it has many good things that can be built on later. But, like Gang of Four, it is not the only pattern we apply in our craft and, like Agile, blind devotion, turning a pattern into a prescription, to Clean Code is going to lead to a lot of shit code.

Cognitive load helps us understand this problem a lot better. As a junior with no clue how to write production code, is Clean Code going to provide with a decent framework I can quickly learn to start learning my craft, should I throw it out completely because parts are bad, or should I read both Clean Code and all its criticism before I write a single line? The latter two options increase a junior’s extraneous cognitive load, further reducing the already slim amount of power they can devote to germane cognitive load because their levels of intrinsic are very high by the definition of being a junior.

Put a little bit differently, perfection (alternatively scalable, maintainable, shipped code) comes from learning a lot of flawed things and adapting those patterns to meet the needs. I am going to give my juniors flawed resources to learn from to then pick and choose when I improve those flaws. A junior has to understand the limitations of Clean Code and its failures to really understand why the author is correct here. That’s more cognitive science; we learn best when we are forming new connections with information we already know (eg failing regularly). We learn worse when someone just shows us something and we follow it blindly (having someone solve your problem instead of failing the problem a few times before getting help).

I’m gonna be super hand-wavy with citations here because this a soapbox for me. The Programmer’s Brain by Felienne Hermans does a good job of pulling together lots of relevant work (part 2 IIRC). I was first introduced to cognitive load with Team Topologies and have since gone off reading of bunch of different things in pedagogy and learning theory.

The Delta board post doesn’t contradict the accusations at all. It’s possible for that person to have worked through the night and for Delta to still be overly fucked. Direct contradiction is going to involve receipts. DeWalt specifically has a vested interest in the appearance of cybersecurity success as his firm, NightDragon, is heavily invested in cybersecurity and probably upsells for CrowdStrike.

Without receipts, we just have two very shitty companies taking swings at each other in the media. We should hate both for their exploitation and wait for receipts that will come with discovery.

The only thing you need to know is that Randy Pitchford was involved. This guarantees it’s going to be a shitshow.

Just alias pdoman=podman. I do that with all my common typos.

don’t Instagram your crimes

A few different things contribute to this and, unfortunately, there’s very little you can do to fix it. I’ve spent (wasted) a ton of time trying to prevent it on my end.

1. If you used your phone number on your voter registration, reregister immediately without your phone number. This is public information and it’s where these things start.
2. Find contact info for your local, county, and state parties. All sides. Call them up and ask that your information be removed from their database(s). You might have to escalate a bit because usually phone bankers don’t know how to do it or don’t understand why you want privacy. Worst case scenario you can pull out a sob story about an abusive ex and how your information isn’t supposed to be public at all. That will usually get your shit pulled.
3. While you’re on those calls, try to find out where they either send or pull their data from. Next go there and do step 2 again.
4. Repeat step 3 as many times as it takes.

However, individual candidates who may have received a copy of your data or canvassed you might not get the notice. Eventually their copies of your data might get leaked. You have no control over this and no recourse. I know this from personal experience. Through a unique mixup with a name, I have slowly watched my data go from politician to politician to now general spam. It’s not coming from data brokers because the only place the mixup happened was with political data.

Best of all, the FTC doesn’t give a shit. If someone “manually” sends you a political text, it doesn’t require prior consent. The “manual” setup for this is a bunch of VoIP shit that doesn’t actually go back to a real human ever and is about as “manual” as the fully automated assembly lines from How It’s Made where a human is standing nearby with a clip board saying “yup that’s a widget.”

I was doing some Jinja templating in a Flask app the other day and VS Code would not respect my explicit file typing through the GUI over restarts. I had to change my file extensions and install an extension for Jinja syntax highlighting to get that to work.

I feel that pain.