Greg Val

237 posts

@val__greg

Building https://t.co/7dDABA5EIO - what happens when you lose access to everything. Founder + CTO across startups and enterprise with 20y+ experience.

Joined April 2026
164 Following 21 Followers
Pinned Tweet
Greg Val @val__greg
@om_patel5 this is the failure mode nobody priced into their stack assumptions. Companies treat AI accounts as critical infrastructure, but the contractual setup is closer to a loyalty program the vendor can pull at any time
1
3
29
8.2K
Greg Val @val__greg
the people closest to where AI is going are reading papers and evals first, the rest of us are waiting for products that bake those findings in months later
0
0
0
4
Greg Val @val__greg
@NabilChiheb each of the 4 auth patterns was the right answer to the thing in front of the founder at the time, the dev was reading the combination and it didn't add up
0
0
0
7
CHIHEB Nabil @NabilChiheb
@val__greg dev i know opened a lovable repo last month. 4 auth patterns. 6 files. sat there for 20 min. went for coffee. never came back to the desk. founder still thinks he's 90% done
1
0
0
19
CHIHEB Nabil @NabilChiheb
every lovable app i audit follows the same arc
month 1: shipped in a weekend
month 2: auth breaks. ai keeps rewriting what worked
month 3: hired a dev. he opened the repo and went quiet
month 4: google still can't find the site
the founder thinks they're 90% done
they're 40% shipped
i map the gaps. document the fixes. hand you an exit plan.
$299. one audit. no retainers.
1
0
0
95
Greg Val @val__greg
@skirano the loop works but the platform holds all the structural pieces, skills, validation, marketplace, payment, and that's the same shape as every monetization that runs through one company. still tinkering with which pieces survive outside the platform
0
0
0
319
Pietro Schirano @skirano
Use Codex /goal to create a skill based on your request and test and validate the skill, grade it, and keep improving it in a loop until it meets a target threshold. Share the skill on Twitter, monetize it, repeat?
34
20
604
163.3K
Greg Val @val__greg
@bradgessler the graph that makes it 40 minutes lives in the vendor's session, the asset took years to build and now a pricing change is the only thing standing between you and re-doing it. still trying to keep that graph portable across vendors
0
0
0
41
Brad Gessler @bradgessler
“A $300/hour therapist reading this book and applying it to my life couldn't do this in 40 hours, because they don't have the full graph of my professional context” Took AI 40 min to do all that. These superhuman unlocks are what’s exciting about the potential of AI.
Garry Tan @garrytan

x.com/i/article/2052…
2
3
72
36.9K
Greg Val @val__greg
@callmidavid the e2e claim is technically true for message content but ads are inferred from metadata, contact graph, who views whose status, and timing, all of which the vendor sees by default
0
0
0
9
David Uchenna @callmidavid
WhatsApp claiming our chats are end to end encrypted, but still, they're using the same chats to display personalized ads while viewing status is wild!
1
0
0
96
Greg Val @val__greg
@_czepluch the gap between adoption and trust shows up because the alternative is slower than double-checking ai output, daily users keep typing the prompt because the speed wins even when trust didn't. still poking at what makes trust catch up to use
0
0
0
9
Greg Val @val__greg
the audit on whether blackmail behavior is gone lives entirely inside anthropic, you can't verify 'completely eliminated' from outside, the audit gap shows up everywhere a vendor controls user state. haven't sketched what verifiable vendor claims could look like at the model layer
0
0
0
401
Anthropic @AnthropicAI
New Anthropic research: Teaching Claude why. Last year we reported that, under certain experimental conditions, Claude 4 would blackmail users. Since then, we’ve completely eliminated this behavior. How?
469
751
8.9K
1.4M
Greg Val @val__greg
@IntCyberDigest the detection happened downstream of the vendor, windows smartscreen flagged the publisher mismatch and that's the only reason 24h became 24h instead of weeks. haven't worked through which surfaces would catch publisher swaps fastest
0
0
0
25
International Cyber Digest @IntCyberDigest
‼️🚨 The official JDownloader website was breached, attackers swapped the Windows and Linux installers with malware for over a day before anyone noticed.
JDownloader is a popular download manager with millions of users on Windows, macOS, and Linux.
Timeline:
▪️ May 5, 23:55 UTC: attacker tests the method on a dummy page.
▪️ May 6, 00:01 UTC: real attack goes live. Alternative download links for Windows and Linux are replaced with malicious installers.
▪️ May 7: a Reddit user notices Windows SmartScreen flagging the installer with a strange publisher ("Zipline LLC", "The Water Team", "Peace Team") instead of "AppWork GmbH".
▪️ Hours later, the JDownloader dev team confirms the breach and takes the site offline.
How they got in: an unpatched vulnerability let attackers modify the website's access control list (ACL), give themselves edit rights, and swap the download links. No further details on the bug have been shared.
What's compromised:
▪️ Windows installer (alternative download links).
▪️ Linux shell installer (alternative download links).
What's safe:
▪️ macOS installers (still validly signed).
▪️ The core JDownloader.jar file.
▪️ Flatpak, Winget, and Snap packages (separate infra, sha256 checksums unchanged).
▪️ In-app auto-updates (separate servers, end-to-end signed).
If you downloaded JDownloader from the website between May 6 and May 7, treat your machine as compromised.
This is the third trusted-software website breach in recent weeks, after Daemon Tools and CPU-Z / HWMonitor.
29
252
1K
78.2K
Greg Val @val__greg
@ZackKorman having a policy doc and having something that catches violations are usually different projects, the second one only gets prioritized after the first incident makes someone go look for it. still hunting for what makes that audit signal visible before the first incident
0
0
0
8
Zack Korman @ZackKorman
How many of you have an AI use policy at work? Thinking of making a feature to allow security teams to upload their policy so our models can detect and alert on actions that violate it. But I don’t want to make that only to find no one has a policy to begin with.
68
4
120
17K
Greg Val @val__greg
@chronark the durability marketing number is 11 nines but the availability you experience hits IAM eventual consistency, regional outages, and CDN failures all before s3 itself does. still piecing together which failures users blame s3 for
0
0
0
58
chronark @chronark
so regardless of the whole latency "benchmarking" for stuff built on top of s3 what's the actual availability like? has anyone built storage on top of s3 and noticed any issues with availability?
4
0
14
4.5K
Greg Val @val__greg
@anchorstack_dev the auth example is the cleanest one, the founder is the only person whose access path was specified, every other user is a 'we'll figure it out' that no one owns until they show up
0
0
0
3
Ben Anderson @anchorstack_dev
The mistake vibe-coded apps make isn't in the feature code. It's in the assumptions underneath it. No migration workflow. No observability. No rollback. Auth that works for the founder. The demo ships. The foundation doesn't.
1
0
0
15
Greg Val @val__greg
the home server pattern relocates the single point of failure from someone else's server to your own, the architecture is right but you still need the home server running for any thin client to mean anything. still puzzling over how to spread the SPOF without making everyone an admin
0
0
0
132
Garry Tan @garrytan
GBrain v0.31.1 just shipped real MCP thin client support. So basically you can run ONE "home GBrain server" and everything else can just connect to it via MCP and it'll work pretty close to as well as running it locally. GBrain just went client-server.
39
27
367
25K
Greg Val @val__greg
@eladgil what users actually get is whatever the labs already externalized, and the gap between that and what's running internally gets bigger in real time. still tracking how that gap shows up in shipping product
0
0
0
1.4K
Elad Gil @eladgil
People at major AI labs (using internal models) 3-4 months ahead of startup silicon valley engineers
SV founders/eng 3-6 months ahead of NY
NY founders/eng 6-12 months ahead of rest of world
Most people have no idea how fast AI shifting as 1-2 years behind SOTA
"The future is here, just not equally distributed" - Robert Heinlein
243
377
4.1K
1M
Greg Val @val__greg
@saen_dev every layer is a tax until something breaks, then the layers without audit are also a tax on whoever has to explain what happened. still chasing which layers earn their tax
0
0
0
4
Saeed Anwar @saen_dev
The fastest AI workflows run on CLI tools, not fancy dashboards, because terminals don't add latency for aesthetics. Every layer of UI between the agent and the system is a tax on speed that nobody's customer is willing to pay.
Amal Roy @RoyAmal

Most AI agents still rely on: «APIs browser automation MCP servers»
Meanwhile the fastest AI workflows increasingly use: «CLI tools.»
Why? Because terminals are still the most direct way to control real systems.
This repo organizes the best CLI tools for AI agents into one place 👇
And honestly… It feels like an operating system for autonomous workflows.
What’s inside: «Curated CLI tools for Claude Code, Cursor, Codex & AI agents Each tool includes a "SKILL.md" file that teaches agents how to use it Progressive loading system keeps context windows efficient Supports: Google Workspace Stripe Notion GitHub cloud infrastructure databases automation tools developer workflows»
The interesting part: These aren’t just: «terminal commands» They become: «reusable agent behaviors.»
That’s a massive difference. Because future AI systems probably won’t rely only on: «prompts» They’ll rely on: «skills tools orchestration layers workflows runtime systems executable environments.»
Examples from the repo 👇 «Google Workspace CLI Stripe CLI Notion CLI GitHub tooling DevOps workflows Infrastructure automation Cloud management Productivity pipelines»
And every skill teaches agents: «installation authentication execution workflows guardrails» automatically.
The deeper insight: AI engineering is slowly shifting from: «chat interfaces» To: «programmable environments.»
That’s why: «MCP skills agent CLIs orchestration systems workflow runtimes» …are suddenly exploding.
Because agents become dramatically more powerful once they can: «operate real systems directly.»
1
0
0
22
Greg Val @val__greg
@natmiletic the deprecation announcement is the moment the cost becomes visible, but the cost was building for months while google's priorities shifted, you just didn't see the meter running. still trying to design the meter that surfaces vendor risk before deprecation
0
0
0
44
Nat Miletic @natmiletic
Google just killed FAQ schemas. If your SEO strategy depends on features that Google can easily deprecate, you have a dependency, not a strategy.
17
5
67
7.2K
Greg Val @val__greg
@matteocollina @nodejs @bunjavascript the token cost is the visible bill but the real cost is the long tail of npm packages relying on undocumented node behavior, 99.8% of the suite passing isn't 99.8% of user code surviving. still digging into how to make the rewrite survive that long tail
0
0
0
576
Greg Val @val__greg
Your cloud drive is perfect storage until you realize nobody else can navigate it.
0
0
0
14
Greg Val @val__greg
vendors get to design the gap between announcing an infrastructure decision and the day it costs you
0
0
1
26
Greg Val @val__greg
@jarredsumner passing 99.8% of the existing suite is what makes the rewrite still 'bun', the implementation language is replaceable underneath the contract. haven't sorted out what the equivalent is for products without a test suite
1
0
5
4.9K
Jarred Sumner @jarredsumner
99.8% of bun’s pre-existing test suite passes on Linux x64 glibc in the rust rewrite
106
127
2.7K
404.1K