kaiser_cože 皇帝咩話

JUST IN: 🇮🇷 Iran says pre-market news is a "reverse indicator." "If they pump it, short it. If they dump it, go long…See something tomorrow? You know the drill."

“…vocabulary-rich children arrive at school with a hidden cognitive advantage ... They have heard “ridiculous” and “extraordinary” and “investigation” at the dinner table, in bedtime stories, in the overheard conversations of articulate adults. Their minds have been silently sketching the spellings of hundreds of words they have never read.. “Children from language-poor environments arrive without those skeletons… “It is a gap in prediction. And it compounds: the child who reads more easily reads more, hears more words in the context of text, forms more skeletons, and reads still more easily. The child who struggles reads less, encounters fewer new words, forms fewer skeletons, and falls further behind.”

BREAKING: Trump reveals Iran's gift: They will let us have 8 boats of oil; they will sail tomorrow.

Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.

I don’t mean to beak in on American goings-on as a European, but when all this is said and done (whatever your scope for “all this” is) I think there’s a non-zero chance that there are going to be guillotines lining Wall Street

FunFact: The name of “Hormuz” (Persian: هرمز) comes from the Middle Persian word “Ōhramazdē”, the name for the principal deity in the Zoroastrian tradition (“Ahura Mazda”). So basically the “Strait of Hormuz” means the “Strait of God”.