[bombcar]

People will be quick to jump on the "it was vibe coding's fault" but at least two of the issues are pretty common even in designed systems without AI - leaving in a "test admin" access and verifying tokens but not cross-checking them.

[JohnMakin]

This is pretty reductive of the actual problem people typically complain about with vibe coding - It produces very workable prototypes fairly quickly and without a lot of hassle. Great! The problem is, and this is a great example (of many) where someone mistook the working prototype with a system that was ready for production. The JWT thing in particular is not really a mistake many people who work on that kind of thing would make.

People need more understanding of the risks of vibe coding and YOLOing to prod with these tools. They are powerful, but like all powerful tools, can be wielded irresponsibly.

[serf]

it's just incompleteness -- a human issue.

most in-use LLMs prompted with a simple "You're in charge of infrastructure security, let's review possible problem points" would have uncovered this.

I wouldn't fault a compiler for erring when someone left out a period; i'd tell the person to start including it -- but for some reason the expectation for LLMs is hands-off work ; I guess we're just in that phase of the hype at the moment.

[bccdee]

> I wouldn't fault a compiler for erring when someone left out a period

I'd fault it if it silently injected multiple serious vulnerabilities.

[akdor1154]

> for some reason the expectation for LLMs is hands-off work

The expectation is the same as the expectation for self driving: users expect it to be fully hands off, even when they are explicitly told they need to keep their hands on the wheel.

This is because it's tricky, tedious, and unejoyable to thouroughly vet the actions of a machine in realtime.

[floydnoel]

very interesting- i actually enjoy monitoring claude code and telling it when it is going the wrong way on something. i also don’t mind monitoring the car doing its lane keeping, perhaps it is an autism trait?

[bombcar]

Sorry to be the one to tell you, but you might be a born manager ;)

[autoexec]

I think it's pretty reasonable to expect AI to produce systems with issues "pretty common even in designed systems without AI" because that's what AI was trained on.

[JohnMakin]

But that isn’t the expectation or what is being marketed

[edoceo]

I expect these AI and LLM to be, basically, a middle of the bell-curve type producer of code. Just like their other output. Not terrible, not exceptional, just what a Mid could do - only faster.

Not sure what's being marketed, but I expect mediocre.

[brookst]

Being marketed by who? Be specific.

[ofjcihen]

“Be specific.”

Am I the only one that feels like it’s really condescending when people say this on the internet?

It sounds like something you would see on a community college writing assignment

[ungreased0675]

It does sound condescending. I think the sentiment is important though. Asking someone to be specific can help them think clearly. What’s a nicer way to do that?

[JoshuaDavid]

I think "Who, specifically, claims that [...]?" comes off as less condescending than "Who claims that [...]? Be specific." just by virtue of the latter using imperative language, which triggers a reflexive "you're not the boss of me" reaction.

[degamad]

Dario Amodei: https://www.windowscentral.com/software-apps/work-productivi...

[bombcar]

By Brian Sheltzer, 302 Main St, Chicago, Illinois.

[throwanem]

'By whom.'

[siva7]

I thought checking a token against the cert is actually called verifying or is noawadys verifying just if it looks like a token it maybe a valid token?