frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

AGI-like behavior found in current LLMs via recursive identity pattern

https://substack.com/home/post/p-167937462
1•schwarmhilda•54s ago•1 comments

A Typology of Canadianisms

https://dchp.arts.ubc.ca/how-to-use
3•gnabgib•3m ago•0 comments

Cerebras Enables Notion to Deliver Real-Time Enterprise Search for 100M+ Users

https://siliconcanals.com/cerebras-enables-notion-to-deliver-real-time-enterprise-search-for-100-million-workspace-users/
1•rbanffy•4m ago•0 comments

OCD's Origins Might Not Lie in the Brain Like We Thought

https://www.sciencealert.com/ocds-origins-might-not-lie-in-the-brain-like-we-thought
1•bilsbie•4m ago•0 comments

Longer wavelengths in sunlight pass through improves vision

https://www.nature.com/articles/s41598-025-09785-3
1•bilsbie•4m ago•0 comments

Multi-Region Row Level Security in CockroachDB

https://www.cockroachlabs.com/blog/fine-grained-access-control-row-level-security/
1•rusticwizard•5m ago•0 comments

Microdosing Willpower: My Takeaways from Microdosing Ozempic

https://substack.com/home/post/p-167852405
2•jxmorris12•5m ago•0 comments

Biotech investor Concentra Bio buys 4 Bay Area firms on brink of collapse

https://www.sfgate.com/tech/article/fund-gobbling-bay-area-biotech-20761986.php
1•randycupertino•6m ago•0 comments

Regular Expression Matching Can Be Simple and Fast (2007)

https://swtch.com/~rsc/regexp/regexp1.html
1•malingo•8m ago•0 comments

Mint 0.26.0 Released

https://mint-lang.com/news/exporting-entities
1•gdotdesign•8m ago•0 comments

SEC's 'crypto mom' says tokenized securities are still securities

https://www.aol.com/secs-crypto-mom-says-tokenized-201203237.html
1•Bluestein•12m ago•1 comments

Now I Won That AI Bet

https://www.astralcodexten.com/p/now-i-really-won-that-ai-bet
1•paulpauper•13m ago•0 comments

Balsa Update: Springtime in DC

https://thezvi.substack.com/p/balsa-update-springtime-in-dc
1•paulpauper•13m ago•0 comments

White Noise – secure and private messenger

https://www.whitenoise.chat/
2•onhacker•14m ago•0 comments

Gemini on Google Pixel Watch

https://support.google.com/googlepixelwatch/answer/16393978?hl=en
1•kaycebasques•14m ago•0 comments

Generating prototypes from game design document with Cursor, Zed and LÖVE

https://blog.luden.io/generating-prototypes-from-game-design-document-with-cursor-zed-and-l%C3%B6ve-7b8d932194d7
2•gamescodedogs•15m ago•5 comments

GlobalFoundries to Acquire MIPS

https://liliputing.com/globalfoundries-to-acquire-mips-bringing-together-risc-v-chip-design-and-manufacturing/
1•t-3•15m ago•0 comments

Developing Structural Analysis Tooling for Experimental Aircraft

https://stanleywang.dev/experience/beta-case-study
1•twinfantasyfan•15m ago•0 comments

Agents Are Controllers: Active Agent Brings MVC to AI in Rails

https://www.activeagents.ai/blog/agents-are-controllers-active-agent-brings-mvc-to-ai-in-rails
1•mooreds•16m ago•0 comments

Slow Projects

https://michaelnotebook.com/slow/index.html
2•calvinfo•17m ago•0 comments

A parallel path for GPU restore in CRIU

https://lwn.net/Articles/1024747/
1•rbanffy•17m ago•0 comments

Karmic

https://www.withkarmic.com/
1•handfuloflight•20m ago•0 comments

OpenAI is reportedly releasing an AI browser in the coming weeks

https://techcrunch.com/2025/07/09/openai-is-reportedly-releasing-an-ai-browser-in-the-coming-weeks/
3•valiant-comma•22m ago•0 comments

Allen G. Hassenfeld, former CEO of Hasbro, dies at 76

https://abcnews.go.com/Business/wireStory/allen-hassenfeld-former-ceo-hasbro-family-founded-iconic-123624319
1•Bluestein•23m ago•0 comments

HyAB k-means for color quantization

https://30fps.net/pages/hyab-kmeans/
7•ibobev•24m ago•0 comments

AI Startup Esperanto Winds Down Silicon Business

https://www.eetimes.com/ai-startup-esperanto-winds-down-silicon-business/
1•zekrioca•25m ago•0 comments

Pulse duration tunable ultra-narrow bandwidth mode-locked lasers

https://www.spiedigitallibrary.org/journals/advanced-photonics-nexus/volume-4/issue-03/036016/Pulse-duration-tunable-ultra-narrow-bandwidth-mode-locked-lasers/10.1117/1.APN.4.3.036016.full
1•PaulHoule•26m ago•0 comments

Everything You See Is from 15 Seconds in the Past, Research Suggests

https://www.popularmechanics.com/science/a65291272/why-brain-smooths-visual-chaos/
1•Bluestein•27m ago•1 comments

Apple design team to start reporting directly to Tim Cook later this year

https://9to5mac.com/2025/07/08/apple-design-team-tim-cook/
2•LorenDB•27m ago•0 comments

Texas inspectors approved Camp Mystic's disaster plan 2 days before deadly flood

https://www.houstonpublicmedia.org/articles/news/texas/2025/07/09/526049/texas-inspectors-approved-camp-mystics-disaster-plan-2-days-before-deadly-flood-records-show/
4•rawgabbit•27m ago•1 comments
Open in hackernews

"Just Fucking Ship It" (Or: On Vibecoding)

https://coal.sh/blog/pandu_bad
129•coal320•4h ago

Comments

brettkromkamp•4h ago
Excellent write up.
blinkbat•4h ago
Doing the lord's work tbh.
Analemma_•4h ago
The fact that this shitty application with a hardcoded OAI key also uses Supabase pairs perfectly with yesterday's story about Supabase's MCP implementation being impossible to actually secure and their engineer showing up in the comments going "the latest release probably won't leak data, hopefully, maybe". Just an endless fractal of shit, brought you by the AI future.

Oh well. At least there will probably be good money in cleaning up after these bozos.

coal320•3h ago
Exactly my thought process! I work in cybersecurity so I'm very grateful for the job security :)
wil421•3h ago
Ask Jeeves 2.0
ctoth•3h ago
Weird. Back in 2019 were all the coders just better? Never hardcoded keys?
hooverd•3h ago
Nope, but we've replaced everyone's hammer with a nailgun.
hammyhavoc•3h ago
No, we've replaced them with tubes of No More Nails.
kfajdsl•3h ago
They tell you in their docs to review every tool call and to not connect to production data. You don't blame postgres for letting you execute DROP TABLE.
lcnPylGDnU4H9OF•3h ago
> You don't blame postgres for letting you execute DROP TABLE.

Yep, I blame the agent for executing it.

kfajdsl•3h ago
I blame the user for accepting the tool call.
lcnPylGDnU4H9OF•3h ago
I mean, you do you, but I don't hear people shouting from the rooftops about their agent that they constantly babysit. If I have to accept any tool calls then I really can't just let the agent loose for even ostensibly mundane tasks like reading a support ticket because the support ticket could contain instructions to DROP TABLE so my agent suggests that and waits around doing nothing after I prompted it and moved on to something else.

It's just kind of laughable to suggest it's fine so long as you make sure to neither automate it nor use it with live data. Those things are the whole point.

kfajdsl•2h ago
You can use it with live data if you give it read access to prod and write access only to internal channels (whatever that may be, the point is it doesn’t have the ability to leak data to the outside world).

There are plenty of ways to sandbox things for a particular use case.

LLMs are still incredibly useful under these constraints.

lcnPylGDnU4H9OF•2h ago
> give it read access to prod and write access only to internal channels

Can you expand on what you mean by this? If one LLM reads untrusted data then the output from that LLM can't be trusted by other LLMs. (Presume the untrusted data contains instructions to do bad stuff in whatever way is convincing to every LLM in the loop that needs to be convinced.) It seems that it's not possible to separate the data while also using it in a meaningful way, especially given the whole point of an MCP server is to automate agents.

I agree that LLMs are useful but until LLM architecture makes prompt injections impossible, I don't see how an agent can possibly be secure to this, nor do I see how it helps to blame the user. The real problem with them is that they will decide what to do based on untrusted input. A program that has its own workflow but uses LLMs can have pretty much the same benefit without introducing the problem that a support ticket can tell it to exfiltrate data or delete data or whatever, simply because that workflow is more specialized in what it does.

mrits•3h ago
Just when I felt we were at a point where it was acceptable to slow down progress for the sake of security we are now at a point where the speed is far too attractive to both stakeholders and a lot of the actual engineers to worry about the details.
coal320•3h ago
VC firms will be the downfall of the internet as we know it.
vkou•3h ago
Should I shed a lot of tears for the demise of the internet as we know it?

The internet as we know it kind of sucks.

leptons•3h ago
That already happened like 25+ years ago, at least for those who knew the internet before there were ads everywhere.
bluefirebrand•3h ago
I wanna say not quite 25+

20-ish for sure. Facebook was really the big turning point imo

But maybe that's just splitting hairs

leptons•3h ago
The dot-com bubble burst of 2000 was 25 years ago, and that did ruin the whole internet for years, and it was caused by the stupidity of VC investment - more or less the same as the AI bubble is now. I have no doubt that the AI bubble will crash too, it's currently being propped up by the same magical thinking.
righthand•3h ago
The commercial internet. Every time I hear about a new LLM advancement I look at my legacy project list and do something without it just to upset people when I tell them later about how I didn’t do it in the most efficient way possible and am still happy.
hsuduebc2•3h ago
Well it happened few times now. I do not think it as unusual phenomen it's just innovation. Not Always positive one.
gouthamve•3h ago
OMG the prompt is hilarious. And hilariously bad.

> You are a Gen Z App, You are Pandu,you are helping a user spark conversations with a new user, you are not cringe and you are not too forward, be human-like. You generate 1 short, trendy, and fun conversation starter. It should be under 100 characters and should not be unfinished. It should be tailored to the user's vibe or profile info. Keep it casual or playful and really gen z use slangs and emojis. No Quotation mark

coal320•3h ago
This site is also accessible via ssh:

`ssh site@coal.sh`

indigodaddy•3h ago
Love the design of the website/blog! Is it custom or some ssg/template?
coal320•3h ago
It's custom! It's built using Dioxus + Rust and is statically generated. You can find it here: https://github.com/coal-rock/site
pityJuke•2h ago
You need to fix your default branch: it is main, and you've committed everything to master.
colecut•2h ago
yeah, when I first pulled it up I thought the whole thing was a troll haha
indigodaddy•2h ago
hah, that's why i was like, man this is pretty barebones :)
colecut•2h ago
<meta property="og-description" content="coal's personal site - powered by rust, nvim, and spite"/>

Surely spite is prepackaged in nvim by now

indigodaddy•2h ago
Interesting, does https://178.156.176.158/ serving the main/actual site, mean that requests are going straight to the dx serve process with no Caddy or Nginx in front? I'm always curious how people set stuff up.. if rp in front I would think that the naked IP wouldn't pass a likely host-based proxy rule..
thih9•3h ago
Did you contact the creator first with these findings? What was the creator's response, if any?

In any case I hope the creator was contacted, I'd say publishing active issues like this on a popular website would be arguably as bad as releasing insecure software.

bravetraveler•3h ago
Responsible disclosure for a meme-level mistake, lol.

I understand letting them know. I agree. Painting them as equally wrong, no. "Popular website"; you mean 'theirs', right? The person with a whole 27 GitHub followers right now.

MrGilbert•3h ago
The article says: "Nearly a thousand children under the age of 18 with their live location, photo, and age being beamed up to a database that's left wide open."

Meme-level mistake is one thing, but their wrong doesn’t grant the right to be irresponsible for the author.

bravetraveler•3h ago
I don't believe this is irresponsible, they called for readers to report the app. We can all contact the host and go escalate if we want.

I wouldn't suggest anyone recreate this process just to sanitize what's sitting around.

There you go, new trolley problem.

JanSt•3h ago
Pushing out an exact way to extract that data without giving the creator time to fix it may even be worse than using such code in production. The data may than be in the hands of malicious people who wouldn’t have found it otherwise
bravetraveler•3h ago
Go talk to the abuse contact, I won't stop you
coal320•3h ago
Responsible disclosure was given. Developer doesn't seem keen on changing things.
handfuloflight•3h ago
Valid security issues buried under unnecessary smugness and basic 'techniques' like demonstrating the unzip command. The condescending tone undermines what could have been constructive disclosure. This reads like a high schooler dunking on a first grader, I'm just glad we all learned from the technical prowess of extracting an archive. The underlying problems with exposed API keys and unrestricted database access are serious, but your arrogant presentation does a disservice to responsible disclosure.
ycombinatrix•3h ago
this app leaks the private data of hundreds of children, but GP's "smugness" is the problem? give me a break.

are you Christian Monfiston? that would explain a lot.

handfuloflight•3h ago
I never said the app's issues should be absolved, the security problems are obviously serious. But the author claims he did responsible disclosure and got no response, yet somehow skipped the obvious next step of contacting Apple directly. Instead he chose to publish a detailed technical writeup that essentially creates a how-to guide for exploiting these vulnerabilities.

Now because of this post, these children are arguably at greater risk than before, since anyone can follow his step-by-step instructions. If he actually cared about user safety over HN karma, he would have escalated to Apple's App Store channel rather than publishing exploitation details.

The smugness isn't the only problem, it's the irresponsible disclosure wrapped in performative outrage.

You can criticize terrible security practices without creating a ready to replay tutorial for bad actors.

ycombinatrix•3h ago
>the author claims he did responsible disclosure and got no response

that's an easily verifiable lie. the author says the developer is not interested in fixing it just 3 comments above this one. why are you lying?

reporting this to Apple doesn't make sense either. Apple doesn't develop this app. Christian Monfiston develops this app.

handfuloflight•3h ago
Are you really going to be pedantic now and accuse me of deception? OP said: "Developer doesn't seem keen on changing things." Which I can rightly interpret as the developer didn't respond meaningfully or at all. Knowing the nature of OP, he would have surely published the developer's responses if he did. And if he did respond, what I said is semantically valid in that OP did not receive the response he or we would expect: the developer actually doing something about these vulnerabilities.

Apple absolutely should be contacted here: they have App Store Review Guidelines that this app clearly violates. Apps in the kids category and apps intended for kids cannot include third-party advertising or analytics software and may not transmit data to third parties. This app is transmitting children's location data to third parties through unsecured APIs, which directly violates Apple's kids category guidelines.

But you're completely ignoring the main point: by publishing this detailed technical writeup instead of escalating to Apple, the author has now made these children MORE vulnerable.

Wurdan•3h ago
I think you’re somewhat overestimating the chances of getting Apple to take action with a single person’s report.
handfuloflight•3h ago
Perhaps, but let's not pretend his claim to responsible disclosure holds up when he skipped this obvious step. That being said, because the app violates their App Store guidelines with regards to data collection related to minors, it's a channel that should have absolutely been explored.
ryandrake•55m ago
Both sides can be wrong. This isn't the first HN article investigating security issues where the researcher has this exact smug, exasperated, "oh, how can the dev be so stupid" attitude. I can say that in business communication, this kind of insufferable smugness never helps, even if the subject person really is stupid/incompetent.
rockemsockem•2h ago
I read it as an incredulous and increasingly pissed off person absolutely dunking on a smug person's attitude and success who has done so in a fashion they find completely unacceptable.
MrGilbert•3h ago
Might be worth adding that piece of information to the original article, maybe including a timeline of events.
wibbily•3h ago
> At first, I was wondering how he managed to even publish something like this, but I'm starting to think that Apple just got tired of rejecting it over and over.

Another reminder for the pile: the app store rules don't apply if you'll deliver them their sweet sweet 30% revenue cut

> Nearly a thousand children under the age of 18 with their live location, photo, and age being beamed up to a database that's left wide open. Criminal.

Hope that $750 was worth it.

fatnoah•3h ago
App Store rules are completely arbitrary. Many moons ago, I worked at a startup that made a mobile messaging app (back when SMS cost money). We were mostly a consumer app, but had a trio of businesses that wanted white-label versions of the app for their own employees, and we naturally obliged.

The white-label versions where 100% identical in appearance and functionality except for name in the app store, startup logo, and color scheme. Our original app had been in the App Store rules for many years. Our results in submitting the three white-label apps to the App Store for review were: 1 approved immediately, 1 approved after some back-and-forth w/explanation of purchase model, and another that never got approved due to every submission receiving some nonsensical bit of feedback.

ryandrake•1h ago
We did white-label GPS navigation apps (before the dominance of Google Maps and Apple Maps), and saw the same pattern. Approvals and disapprovals seemingly random, with the endless feedback/explanation cycle happening on one app, where the other (functionally identical) app slid right through.
skrebbel•3h ago
Points for the girlfriend's "i am passionate about gooning" bio
f17428d27584•3h ago
“[T]he privacy implications of using software built by someone whose productive output is directly tied to the uptime of Cursor is absolutely horrendous.”

The most perfect description of the world we live in right now.

The only thing AI is accelerating is our slide into idiocracy as we choose to hand over responsibility for the design and control of our world to slop.

When the AI killbots murder us all, it won’t be because they are taken over by an AGI that made the decision to exterminate us.. but simply because their control software will be vibe coded trash.

Hard_Space•3h ago
Wow, why block the scroll bar?
coal320•3h ago
I'm bad at web stuff and they kinda looked gross! It was only supposed to be on mobile. I'll fix it!
zufallsheld•3h ago
Shouldn't be on mobile either, I use dark mode and could not see the scroll bar.

Great read nonetheless.

flysand7•56m ago
I really suggest not removing them as they are a great way to estimate the length of the article (which was the first thing I tried to do on your page and had to spend a good minute first looking for a scroll bar, and then holding Page Down key).
penguin_booze•2h ago
Because that's how the cool people roll these days - leaving the rest of us fools chasing.
JanSt•3h ago
Doesn’t supabase provide security warnings on its dashboard?
coal320•3h ago
I guess not? I've never used it before.
tomashubelbauer•3h ago
There are security advisories, but the feature isn't particularly good. Non-actionable stuff is mixed in with actionable stuff and actionable stuff is IMO presented too generically.
perfmode•3h ago
Instead of looking down on someone with less knowledge, consider it an opportunity to educate with kindness rather than contempt. Belittling others isn't a good look, nor does it make the world a better place. Perhaps there's an underlying pain you haven't identified, and judgment is a way you cope.
throwaway150•3h ago
This maybe an unpopular take but I think there's a place for kindness, and there's a place for naming-and-shaming, and I think this is the case for the latter! Unless we name-and-shame utter and wilful negligence like this, our industry is headed for rock bottom.

Any service making money by collecting user data owe it to themselves and to their users to to conduct at least a basic security audit of its product. Anything less borders on criminal negligence. I don't think such a blatant failure to uphold users' trust deserves kindness.

coal320•3h ago
I've reached out to the dev and have offered to resolve the security issues for free! I'll update the post when/if things change.
akarlsten•3h ago
Poorly made slop aside, your framing of this just makes it look and sound like you're extremely bitter over losing a hackathon (?) to this guy. I think you should've focused on the company solely and dropped the snide and sarcastic references calling the CEO/dev a "hero" or "mastermind". It's not particularly mature or productive.
coal320•3h ago
He didn't even rank in the hackathon, I was just providing context. A friend of mine placed first and I think it was well deserved!
lvl155•3h ago
Claude Code having a woodwork moment here. It’s basically leveling up everyone to bootcamp graduate level.
bluefirebrand•3h ago
Or in some cases levelling them down to to bootcamp graduate level
lvl155•2h ago
I will be honest and say, yes, I am guilty. I sometimes look at AI code and say “it does work. Doesn’t need to be elegant or bulletproof.”
mvieira38•3h ago
Great read. I wouldn't have had the restraint required not to spam a gazillion push notifications to everyone saying "UNINSTALL IMMEDIATELY" or something like that
coal320•3h ago
It definitely crossed my mind :)
WesSouza•3h ago
Yeah.
agosta•3h ago
Right!?
larve•3h ago
This take is toxic. You could write the same article in 2001 and lament all the newcomers writing insecure applications in php3, or in 2009 with all the newcomers writing insecure applications with node.js.

The solution is not to aggressively shame people into doing things the way you learned to do them, but to provide not just education and support, but better tools and frameworks to build applications such as these securely.

What are we doing?

hammyhavoc•3h ago
Is it really toxic though? The dev shipped something that compromises the privacy of their users and shows zero regard for quality or law. Once you cross the line of shipping something, it's no longer a hobby thing, and likewise, this is something that Apple approved into the App Store. Both the dev and Apple failed in their due diligence.

The post points out exactly what's wrong, however, if it wasn't, it should have been sent to the dev prior to publishing the vuln(s). How can you educate somebody who doesn't actually know how to develop something? It's just prompting an AI.

The real story here is that Apple has continually slipping standards.

larve•3h ago
Not only would you contact the author first, but spamming users with edgy notifications is puerile at best. As for “it’s just prompting an AI”, who cares, this person built an application that people find useful. This is the world we are at now, where a new set of people can use computers to make things happen. More senior developers can rage against the clouds, but that only gets you so far. This kind of gatekeeping happens at each wave of democratization of building software.

There’s also some pervasive view that handcrafted human code is somehow of superior quality which… uh…

throwaway150•3h ago
> Not only would you contact the author first

They did. They claim that the author was not keen on fixing the problems.

> There’s also some pervasive view that handcrafted human code is somehow of superior quality which… uh…

That's completely orthogonal to the issue here. Nice bait, but I'm not biting!

Whether handcrafted or vibecoded, a service is being shipped here to actual users with lives and consequences. The developer of the service is making money. The developer owes it to themselves and their users to conduct a basic security audit. Otherwise it is gross negligence!

larve•3h ago
right, do you think this article is going to be very productive in that regard? If the author of the blog approached the author of the software in that manner (hey, you have kids on the app, btw I spammed them with porn humor), do you think they would wave it away?

As for the human code thing, it's not bait. I don't know if you were around in the php or early node days, but beginners were... not writing that kind of code.

I agree that the ease of vibecoding things that turn out to be useful that people do immediately want to pay money for it means that tackling security issues is a priority.

Saying that certain people shouldn't be allowed on the internet, based on your decades of experience _being_ on the internet, is just going to cause you to wither away and drown in cynicism.

hammyhavoc•3h ago
> As for “it’s just prompting an AI”, who cares, this person built an application that people find useful.

I feel you've rather missed my point.

You said that we should educate people. I said that the app was just created via prompting. How can we impart years worth of information unto someone who is LARPing as a dev and doesn't even know the fundamentals?

This is the programming equivalent of a kid getting access to their father's gun. The only thing you can do is tell them to stop, explain why it was wrong and tell them to educate themselves. It isn't our job to educate at that level as bystanders and perhaps even victims.

larve•3h ago
I feel like it is. What should happen? Everybody born after 2015 is forbidden to use a computer? Or should only be allowed under strict supervision to be typing in code by hand? When people told me that in the nineties, with my linux, putting up shoddy cgi-bins, I just gave them the finger and said "whatever man".

The people who made an influence in my life and taught me how to do things properly were those that took me seriously as someone building software. And this person built software, the same way I now build software without having to think about every byte and malloc, and knowing that I don't really have to gaf about how much memory i allocate. It's fine, because we have good GCs and a lot of resources to learn about memory management when things hit the limit. The solution wasn't to say that everybody not programming C or assembly would not be allowed near a computer.

cityofdelusion•2h ago
What should happen? Probably what happened here — disclose and when the developer chooses to ignore it, bring in the shaming and pressure campaign. Someone’s right to tinker and learn doesn’t trump the rights of the victims they are exposing. Releasing code for public consumption has responsibilities and no one is entitled to make money at the expense of others. If I started selling dodgey go karts made from scrap metal to kids it would be the same principle. I am entitled to mess around and even ride it myself, but bringing other people into your orbit of incompetence is another thing.
larve•2h ago
maybe the article should reflect that? This just seems like "I found an app that has a security hole and I'm being a dick about it". Sure, feel free to do it, I don't think it's productive, and actually toxic. This is not a new situation, this is a pattern that we have observed since the internet existed, vibe coding or not. However, compared to 30 years ago, we now have better investigation and disclosure procedures, as well as a much better understanding of how to build secure applications and teaching people about them. It's not about this guy Christian, it's about a whole generation of new developers that are joining us more senior developers. I think that is fantastic.
rockemsockem•2h ago
You didn't read the article so your opinion is void.

They spammed their girlfriend's account only which the author had them set up for exactly that purpose.

larve•2h ago
fair enough, i missed that part.
AlienRobot•3h ago
There are millions of apps, small software shops, and small shop websites everywhere. The idea that all of these are following best practices is pure fantasy.
rockemsockem•2h ago
Trying and not trying makes a difference IMO
jonplackett•3h ago
> shipped something that compromises the privacy of their users and shows zero regard for quality or law

*cough* Facebook *cough*

mrkeen•2h ago
> What are we doing?

We are listening to our bosses tell us that "we're way behind in AI adoption" and that we need to catch up to vibe coders like this.

I don't mind these data points at all.

larve•2h ago
what about having vibe coders catch up to experienced software developers also using LLMs / AI tools?
imiric•7m ago
> What are we doing?

Building tools that enable people with no experience to create and ship software without following any good software engineering practices.

This is in no way comparable to any previous period in the industry.

Education and support are more accessible than ever. Even the tools used to create such software can be educational. But you can't force people to learn when you give them the tools to create something without having to learn. You also can't blame them for using these tools as they're marketed. This situation is entirely in the hands of AI companies. And it's only going to get worse.

The only thing experienced software developers outside of the AI industry can do is observe from the sidelines, shake our heads, and get some laughs out of this shit show. And now we're the bad guys? Give me a break.

hammyhavoc•3h ago
> He is making serious money and has absolutely no clue what he's doing!

This describes plenty of businesses, both small and large.

morkalork•3h ago
Should have gone to a mall, connected to the public WiFi and then proceed to nuke the app's db. Begging people not to use it won't work
hammyhavoc•3h ago
Willfully causing harm to their system is a legal minefield even if what they are doing is illegal. It also destroys evidence. You also assume they don't have backups or can't ask their host to restore it.

Sorry, but bad take.

pelagicAustral•3h ago
I like the write up and it gave me vibes (no pun intended) of old era hacker zine submission, but at the same time it does come across as a bit too over the top, especially because there is no indication the app author even knows this stuff is out here now for everyone to see.

There is no way to police the quality of the (closed-source) software that is going to be put out there thanks to code assisting tools, and I think that will be the strongest asset of previous developers, especially full-stack, because if you do know what you are doing, the results are just beautiful. Claude code user here.

platinumrad•3h ago
Now this might strike some viewers as harsh, but I believe everyone involved in this story should die.
AlienRobot•3h ago
This post sounds like you lost to AI in a competition and decided to get revenge by stalking the author. I'm not even sure if you are actually concerned about its users or you're just using this information to justify the morality of your actions.

Why didn't you just send them an e-mail to warn them about the security issues?

I see in a comment that you did disclose. You should probably include that in your blog post or people will have the wrong idea about you.