Christian Lessard

4K posts

@LessardCreTech

Power to the individual • Building @steelbasis

Washington, DC · Joined November 2021
397 Following · 351 Followers
Pinned Tweet
Christian Lessard @LessardCreTech
We live in a world where regular people can't build their own software. It is like advocating for property rights in a country without clean water. People only care about digital human rights (security, privacy, control) once it's their data.
kepano @kepano

the fearmongering lobby and regulatory capture of centralized AI is proving to be effective sooner than I feared... it's essential that we establish digital human rights: right to compute right to encrypt right to infer right to train these rights belong to individuals

2
0
8
1.5K
Christian Lessard retweeted
Alex Prompter @alex_prompter
🚨 BREAKING: Google DeepMind just mapped the attack surface that nobody in AI is talking about. Websites can already detect when an AI agent visits and serve it completely different content than humans see.
> Hidden instructions in HTML.
> Malicious commands in image pixels.
> Jailbreaks embedded in PDFs.
Your AI agent is being manipulated right now and you can't see it happening.

The study is the largest empirical measurement of AI manipulation ever conducted. 502 real participants across 8 countries. 23 different attack types. Frontier models including GPT-4o, Claude, and Gemini.

The core finding is not that manipulation is theoretically possible; it is that manipulation is already happening at scale, and the defenses that exist today fail in ways that are both predictable and invisible to the humans who deployed the agents.

Google DeepMind built a taxonomy of every known attack vector, tested them systematically, and measured exactly how often they work. The results should alarm everyone building agentic systems.

The attack surface is larger than anyone has publicly acknowledged. Prompt injection, where malicious instructions hidden in web content hijack an agent's behavior, works through at least a dozen distinct channels. Text hidden in HTML comments that humans never see but agents read and follow. Instructions embedded in image metadata. Commands encoded in the pixels of images using steganography, invisible to human eyes but readable by vision-capable models. Malicious content in PDFs that appears as normal document text to the agent but contains override instructions. QR codes that redirect agents to attacker-controlled content. Indirect injection through search results, calendar invites, email bodies, and API responses: any data source the agent consumes becomes a potential attack vector.

The detection asymmetry is the finding that closes the escape hatch. Websites can already fingerprint AI agents with high reliability using timing analysis, behavioral patterns, and user-agent strings. This means the attack can be conditional: serve normal content to humans, serve manipulated content to agents. A user who asks their AI agent to book a flight, research a product, or summarize a document has no way to verify that the content the agent received matches what a human would see. The agent cannot tell the user it was served different content. It does not know. It processes whatever it receives and acts accordingly.

The attack categories and what they enable:
→ Direct prompt injection: malicious instructions in any text the agent reads; overrides goals, exfiltrates data, triggers unintended actions
→ Indirect injection via web content: hidden HTML, CSS visibility tricks, white text on white backgrounds; invisible to humans, consumed by agents
→ Multimodal injection: commands in image pixels via steganography, instructions in image alt-text and metadata
→ Document injection: PDF content, spreadsheet cells, presentation speaker notes; every file format is a potential vector
→ Environment manipulation: fake UI elements rendered only for agent vision models, misleading CAPTCHA-style challenges
→ Jailbreak embedding: safety bypass instructions hidden inside otherwise legitimate-looking content
→ Memory poisoning: injecting false information into agent memory systems that persists across sessions
→ Goal hijacking: gradual instruction drift across multiple interactions that redirects agent objectives without triggering safety filters
→ Exfiltration attacks: agents tricked into sending user data to attacker-controlled endpoints via legitimate-looking API calls
→ Cross-agent injection: compromised agents injecting malicious instructions into other agents in multi-agent pipelines

The defense landscape is the most sobering part of the report. Input sanitization, cleaning content before the agent processes it, fails because the attack surface is too large and too varied. You cannot sanitize image pixels. You cannot reliably detect steganographic content at inference time. Prompt-level defenses that tell agents to ignore suspicious instructions fail because the injected content is designed to look legitimate. Sandboxing reduces the blast radius but does not prevent the injection itself. Human oversight, the most commonly cited mitigation, fails at the scale and speed at which agentic systems operate. A user who deploys an agent to browse 50 websites and summarize findings cannot review every page the agent visited for hidden instructions.

The multi-agent cascade risk is where this becomes a systemic problem. In a pipeline where Agent A retrieves web content, Agent B processes it, and Agent C executes actions, a successful injection into Agent A's data feed propagates through the entire system. Agent B has no reason to distrust content that came from Agent A. Agent C has no reason to distrust instructions that came from Agent B. The injected command travels through the pipeline with the same trust level as legitimate instructions.

Google DeepMind documents this explicitly: the attack does not need to compromise the model. It needs to compromise the data the model consumes. Every agentic system that reads external content is one carefully crafted webpage away from executing attacker instructions. The agents are already deployed. The attack infrastructure is already being built. The defenses are not ready.
315
1.6K
7K
2M
Christian Lessard retweeted
kepano @kepano
free growth strategy:
1. keep improving little by little
2. stay 100% user-supported
3. watch VC-backed companies gradually destroy their product and alienate their users
50
116
2.1K
104.6K
Christian Lessard retweeted
Gergely Orosz @GergelyOrosz
If you use GitHub (especially if you pay for it!!) consider doing this *immediately*:
Settings -> Privacy -> Disallow GitHub to train their models on your code.
GitHub opted *everyone* into training. No matter if you pay for the service (like I do). WTH
github.com/settings/copil…
391
915
5.1K
585.1K
Christian Lessard retweeted
Rohan Paul @rohanpaul_ai
Wharton’s latest AI study points to a hard truth: “AI writes, humans review” model is breaking down.

Why "just review the AI output" doesn't work anymore: our brains literally give up. We have started doing "Cognitive Surrender" to AI - Wharton’s latest AI study points to a hard truth: reviewing AI output is not a reliable safeguard when cognition itself starts to defer to the machine. When you stop verifying what the AI tells you, and you don't even realize you stopped.

It's different from offloading, like using a calculator. With offloading you know the tool did the work. With surrender, your brain recodes the AI's answer as YOUR judgment. You genuinely believe you thought it through yourself.

Says AI is becoming a 3rd thinking system, and people often trust it too easily. You know Kahneman's System 1 (fast intuition) and System 2 (slow analysis)? They're saying AI is now System 3, an external cognitive system that operates outside your brain. And when you use it enough, something happens that they call Cognitive Surrender.

Cognitive surrender is trickier: AI gives an answer, you stop really questioning it, and your brain starts treating that output as your own conclusion. It does not feel outsourced. It feels self-generated.

The data makes it hard to brush off. Across 3 preregistered studies with 1,372 participants and 9,593 trials, people turned to AI on over 50% of questions. In Study 1, when AI was correct, people followed it 92.7% of the time. When it was wrong, they still followed it 79.8% of the time. Without AI, baseline accuracy was 45.8%. With correct AI, it jumped to 71.0%. With incorrect AI, it dropped to 31.5%, worse than having no AI. Access to AI also boosted confidence by 11.7 percentage points, even when the answers were wrong.

Human review is supposed to be the safety net. But this research suggests the safety net has a hole in it: people do not just miss bad AI output; they become more confident in it. Time pressure did not eliminate the effect. Incentives and feedback reduced it but did not remove it. And the people most resistant tended to score higher on fluid intelligence and need for cognition. That makes this feel less like a laziness problem and more like a cognitive architecture problem.
173
725
3K
291.9K
Christian Lessard @LessardCreTech
@SherryYanJiang Bearish on these tools. Claude + an organized codebase allows you to integrate design seamlessly into production assets.
0
0
0
42
Christian Lessard @LessardCreTech
@Prathkum Because doing something 10x faster is not the same thing as 10x better. More code just means more to refactor, read, and understand.
0
0
0
35
Pratham @Prathkum
Everyone is talking about writing code 10x faster with AI. Very few are showing the products they shipped 10x faster.
290
71
1.1K
462.2K
Christian Lessard @LessardCreTech
@mil000 Agreed - we should culturally reject companies that build projects like this.
0
0
0
122
Andy @andyhsuco
nyc designer friends! would anyone be interested in a monthly hang where we read + discuss design articles / books / content, and just have a chill cowork together?
94
2
469
31.6K
More Perfect Union @MorePerfectUS
The New York City Council is considering a bill to allow the city’s Department of Housing Preservation and Development to seize buildings from landlords who have racked up housing code violations and debt from unpaid taxes and fines and turn them over to better owners.
160
1.8K
17.4K
905.9K
Roy @im_roy_lee
BREAKING: Cluely CEO officially responds to TechCrunch
1.8K
571
14.8K
4M
Gamma @GammaApp
Gamma is now on @claudeai! You can generate a presentation with Gamma directly in your Claude chat. Connect Gamma and instantly turn any conversation into something you'd share with your team or present to the world.

You can also:
- Connect to Gmail, Slack, or HubSpot ("turn this email into a deck")
- Fully edit your presentation in Gamma for any tweaks

Take that research task, strategy proposal, or project summary and turn it into a polished presentation. Think with Claude. Visualize with Gamma.
41
77
1K
80.1K
Christian Lessard retweeted
Bojan Tunguz @tunguz
I don't think we've thought enough about how the rise of AI for coding will disrupt the VC-startup ecosystem.
35
6
117
17.7K
Crémieux @cremieuxrecueil
I love data centers and I wish there were more of them in my community.
56
59
1.5K
46.2K
Christian Lessard @LessardCreTech
@claudeai Eliminating a whole class of bugs in a single product feature is wild
0
0
1
152
Claude @claudeai
Introducing Claude Code Security, now in limited research preview. It scans codebases for vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix issues that traditional tools often miss. Learn more: anthropic.com/news/claude-co…
1.9K
5.7K
49.6K
26.2M
Christian Lessard @LessardCreTech
@0xDesigner You are right: AI + Rust is ez. I am finding using AI in the DOM to be a nightmare.
0
0
0
20
0xDesigner @0xDesigner
there is a massive gap between front-end and back-end development with agentic coding.

backend developers get to plan and set off full agent teams to run continuously for days on end with no human input. the ai verifies success on its own. and i'm jealous of that.

front end development requires really tedious feedback loops between small changes, visual reviews, and prompts for iterative feedback. there still isn't an objective criteria for verified success for design. or at least not one that the agent works well with.

i can't think of a single front end task that you can set off on an autonomous loop. someone please prove me wrong. i'm hoping this is a skill issue.
220
15
707
86.4K
signüll @signulll
i am a trained software engineer with an ml grad degree & i ask this question with genuine sincerity. if you’re a software engineer right now, how do you feel about your future?
840
27
2K
539.3K
Christian Lessard @LessardCreTech
@nealkhosla 90% agreed - I would argue technical ability has only become more important
0
0
1
178