gmarik 🇺🇦

2.9K posts


@gmarik

trial and error

Ukraine · Joined December 2008
991 Following · 282 Followers
gmarik 🇺🇦 retweeted
Josh Kale
Josh Kale@JoshKale·
This is big... Anthropic just announced a model so powerful they won't release it to the public out of fear over the damage it will cause 😨 Claude Mythos Preview found thousands of zero-day exploits in every major operating system and web browser... The numbers are hard to believe:
> $50 to find a 27-year-old bug in OpenBSD, one of the most security-hardened operating systems ever built
> Under $1,000 to find AND build a fully working remote code execution exploit on FreeBSD that grants unauthenticated root access from anywhere on the internet
> Under $2,000 to chain together multiple Linux kernel vulnerabilities into a complete privilege escalation exploit
For context: these are the kinds of findings that previously required elite security researchers working for weeks. Anthropic engineers with no formal security training asked Mythos to find exploits overnight. They woke up to working code the next morning. The results were so impressive Anthropic assembled Apple, Google, Microsoft, Amazon, NVIDIA, and seven other organizations into Project Glasswing: A $100M defensive coalition. They're not releasing this model publicly. Instead, they're racing to patch the world's infrastructure before models like this proliferate.
Anthropic@AnthropicAI

Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software. It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans. anthropic.com/glasswing

gmarik 🇺🇦 retweeted
Cheng Lou
Cheng Lou@_chenglou·
My dear front-end developers (and anyone who’s interested in the future of interfaces): I have crawled through depths of hell to bring you, for the foreseeable years, one of the more important foundational pieces of UI engineering (if not in implementation then certainly at least in concept): Fast, accurate and comprehensive userland text measurement algorithm in pure TypeScript, usable for laying out entire web pages without CSS, bypassing DOM measurements and reflow
gmarik 🇺🇦 retweeted
International Cyber Digest
International Cyber Digest@IntCyberDigest·
🚨‼️ BREAKING: PyPI package telnyx has been compromised by TeamPCP in yet another supply chain attack. The malware executes immediately upon importing telnyx. It drops a valid WAV audio file and runs an executable embedded within the frames.
gmarik 🇺🇦 retweeted
Andrej Karpathy
Andrej Karpathy@karpathy·
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Daniel Hnyk@hnykda

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM PyPI release 1.82.8 has been compromised: it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to a remote server + self-replicate. link below

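As an added defensive check (my example, not code from litellm or from either post above): Python's site module executes any line of a `*.pth` file that starts with `import` at interpreter start-up, which is why a file like the litellm_init.pth named above runs before any user code. This script lists every such line in the current interpreter's site-packages and flags lines carrying decode/exec-style tokens; the token list, the sample `.pth` body and the function names are assumptions of this example.

```python
"""Audit *.pth files in site-packages for lines that execute at start-up.

Constructed detection script (not litellm's code). site.py runs any line
of a *.pth file beginning with "import "; everything else is a path entry.
"""
import re
import site
from pathlib import Path
from typing import List, Optional, Tuple

# Tokens that rarely belong in a legitimate .pth import line (assumed heuristic).
SUSPICIOUS = re.compile(r"base64|exec\(|eval\(|compile\(|subprocess|os\.system|urlopen|socket")

# Constructed sample: a path entry, a benign sys.path tweak, and a decode-and-exec line.
SAMPLE_PTH = (
    "/usr/lib/python3/dist-packages\n"
    "import sys; sys.path.append('/opt/extra')\n"
    "import base64, sys; exec(base64.b64decode('<PLACEHOLDER>'))\n"
)

def classify_pth_line(line: str) -> Optional[str]:
    """Return 'suspicious' or 'executable' for a line site.py would exec, else None."""
    stripped = line.strip()
    if not stripped.startswith(("import ", "import\t")):
        return None  # plain path entries are only appended to sys.path
    return "suspicious" if SUSPICIOUS.search(stripped) else "executable"

def scan_pth_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, verdict, line) for every executable line in a .pth body."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        verdict = classify_pth_line(line)
        if verdict:
            hits.append((no, verdict, line.strip()))
    return hits

def scan_site_packages() -> List[Tuple[Path, int, str, str]]:
    """Scan every *.pth in this interpreter's site-packages directories."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    results = []
    for pth in (p for d in dirs for p in Path(d).glob("*.pth")):
        body = pth.read_text(errors="replace")
        results += [(pth, no, v, ln) for no, v, ln in scan_pth_text(body)]
    return results

if __name__ == "__main__":
    for pth, no, verdict, line in scan_site_packages():
        print(f"{verdict:10} {pth}:{no}: {line[:120]}")
```

Run it inside the virtualenv you just installed into; any "suspicious" hit is worth reading in full before the next interpreter start.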
gmarik 🇺🇦 retweeted
Marc Andreessen 🇺🇸
My information consumption is now 1/4 X, 1/4 podcast interviews of the smartest practitioners, 1/4 talking to the leading AI models, and 1/4 reading old books. The opportunity cost of anything else is far too high, and rising daily.
gmarik 🇺🇦 retweeted
Naval
Naval@naval·
Is Traditional Software Engineering Dead? “Does this mean that traditional software engineering is dead? Absolutely not. Software engineers—even the ones who are not necessarily tuning or training AI models—these are now among the most leveraged people on earth. Sure, the guys who are training and tuning models are even more leveraged because they’re building the tool set that software engineers are using. But software engineers still have two massive advantages on you. First, they think in code, so they actually know what’s going on underneath. And all abstractions are leaky. So when you have a computer programming for you—when you have Claude Code or equivalent programming for you—it’s going to make mistakes. It’s going to have bugs. It’s going to have suboptimal architecture. So it’s not going to be quite right. And someone who understands what’s going on underneath will be able to plug the leaks as they occur. So if you want to build a well-architected application, if you want to be able to even specify a well-architected application, if you want to be able to make it run at high performance, if you want it to do its best, if you want to catch the bugs early, then you’re going to want to have a software engineering background. The traditional software engineer is going to be able to use these tools much better. And there are still many kinds of problems in software engineering that are out of scope for these AI programs today. The easiest way to think about those is problems that are outside of their data distribution. For example, if they need to do a binary sort or reverse a linked list, they’ve seen countless examples of that, so they’re extremely good at it. But when you start getting out of their domain—where you have to write very high-performance code, when you’re running on architectures that are novel or brand new, when you’re actually creating new things or solving new problems, then you still need to get in there and hand code it. 
At least until either there are so many of those examples that new models can be trained on them, or until these models can sufficiently reason at even higher levels of abstraction and crack it on their own… And remember: there is no demand for average. The average app—nobody wants it, at least as long as it’s not filling some niche that is filled by a superior app. The app that is better will win essentially a hundred percent of the market. Maybe there’s some small percentage that will bleed off to the second-best app because it does some little niche feature better than the main app, or it’s cheaper, or something of the sort. But generally speaking, people only want the best of anything. So the bad news is there’s no point in being number two or number three—like in the famous Glengarry Glen Ross scene where Alec Baldwin says, “First place gets a Cadillac Eldorado, second place gets a set of steak knives, and third place you’re fired.” That’s absolutely true in these winner-take-all markets. That’s the bad news: You have to be the best at something if you want to win. However, the set of things you can be best at is infinite. You can always find some niche that is perfect for you, and you can be the best at that thing. This goes back to an old tweet of mine where I said, “Become the best in the world at what you do. Keep redefining what you do until this is true.” And I think that still applies in this age of AI.”
gmarik 🇺🇦 retweeted
Elon Musk
Elon Musk@elonmusk·
Super congratulations to the @Tesla_AI software & chip design teams on a successful @Robotaxi launch!! Culmination of a decade of hard work. Both the AI chip and software teams were built from scratch within Tesla.
gmarik 🇺🇦 retweeted
Startup Archive
Startup Archive@StartupArchive_·
Jensen Huang on why he rarely fires people and will instead “torture them into greatness” Jensen once told Stripe founder Patrick Collison that he didn’t like firing people and seldom did it. When asked to elaborate on this, Jensen responds: “I’d rather improve you than give up on you. When you fire somebody, a lot of people will say ‘it wasn’t your fault,’ or ‘I made the wrong choice.’ But I used to clean bathrooms and now I’m the CEO of a company. I think you can learn it. There are a lot of things in life that I think you can learn and you just have to be given the opportunity to learn it… I don’t like giving up on people because I think they can improve.” He continues: “It’s kind of tongue in cheek, but people know I’d rather torture them into greatness. I’d rather torture you into greatness because I believe in you. And I think that coaches that really believe in their team torture them into greatness. Oftentimes they’re so close. Greatness will sometimes come in one day with an ‘I got it!’ — that feeling that you didn’t get it yesterday and all of a sudden one day something clicks. Could you imagine giving up that moment right before you got it? I don’t want you to give up on that, so I’ll just keep torturing you.” Video source: @stripe (2024)
gmarik 🇺🇦 retweeted
Soumith Chintala
Soumith Chintala@soumithchintala·
apparently Google laid off their entire Python Foundations team, WTF! ( @SkyLi0n who is one of the pybind11 maintainers just informed me, asking what ways they can re-fund pybind11) The team seems to have done substantial work that seems critical for Google internally as well. There's a hackernews thread if folks want to read more: news.ycombinator.com/item?id=401711…
gmarik 🇺🇦 retweeted
John Carmack
John Carmack@ID_AA_Carmack·
“Coding” was never the source of value, and people shouldn’t get overly attached to it. Problem solving is the core skill. The discipline and precision demanded by traditional programming will remain valuable transferable attributes, but they won’t be a barrier to entry. Many times over the years I have thought about a great programmer I knew that loved assembly language to the point of not wanting to move to C. I have to fight some similar feelings of my own around using existing massive codebases and inefficient languages, but I push through. I had somewhat resigned myself to the fact that I might be missing out on the “final abstraction”, where you realize that managing people is more powerful than any personal tool. I just don’t like it, and I can live with the limitations that puts on me. I suspect that I will enjoy managing AIs more, even if they wind up being better programmers than I am.
gmarik 🇺🇦 retweeted
Electric
Electric@ElectricSQL·
Hey @jarredsumner & @nikitabase, got it working! PGlite, WASM Postgres running in the browser, Bun and Node. Only 3.7mb gzipped. 🤯 In-memory or persisted to the filesystem with Bun/Node and IndexedDB in the browser. 🚀 github.com/electric-sql/p… twitter.com/jarredsumner/s…
Jarred Sumner@jarredsumner

i wonder when "PostgresLite" will become a thing SQLite's single-file embedded no-server model makes getting started easy, but backends often need a database like Postgres I wonder why you can't have both

gmarik 🇺🇦 retweeted
Evan
Evan@StockMKTNewz·
Nvidia $NVDA CEO Jensen Huang talking about the importance of growing a tolerance for failure when innovating from back in 2011
gmarik 🇺🇦 retweeted
Felix Geisendörfer
Felix Geisendörfer@felixge·
Profile-guided optimization for Go is great, and we have already used it to save significant amounts of money at Datadog. However, as part of a wider rollout, we noticed that one service saw an 18% increase in memory usage from pgo until we performed a rollback.
gmarik 🇺🇦 retweeted
Historic Vids
Historic Vids@historyinmemes·
Scientist Adelbert Ames created the mind boggling ‘Ames Window’ (1951)
gmarik 🇺🇦 retweeted
Nassim Nicholas Taleb
Nassim Nicholas Taleb@nntaleb·
Friends, happy new year! I am grateful to those from whom I learned a lot, in philology, history, cardiology, theology, & bicycle maintenance. Below is the Greek-Orthodox Fasting Calendar for 2024, (Antiochian/Levantine Romoi adaptation), courtesy D. Neuwirth.
gmarik 🇺🇦 retweeted
isaacs
isaacs@izs·
Uncle Bob's "Clean Code" is the Strunk & White "Elements of Style" of software dev. The less you understand the craft, the more helpful it seems. Once you understand the principles of the craft, you can clearly see it is toxic brain poison that can take decades to unlearn.
gmarik 🇺🇦 retweeted
DHH
DHH@dhh·
In perfect timing for our 20th birthday of Rails, the fine folks at Honeypot have created a wonderful documentary about the early origins of the framework. Featuring @tobi, @jasonfried, @jamis, @bitsweat, and yours truly. Here’s the trailer: youtube.com/watch?v=NaEG5D…