While I agree the name change has not (yet) been made with the proper authority, I'm quite partial to the name and prefer to use it despite its prematurity. I think it does a better job of communicating the types of work actually done by the department and rightly gives people pause about their support of it. Though I'm sure that wasn't the administration's intention.
For context, lobste.rs has been struggling lately with a high uptick in posts on the front page that were either clearly vibecoded themselves or just about vibecoding something small, while the userbase is polarizing itself into two groups: one that dislikes AI for usually ethics-related reasons and makes anti-AI comments on every post that mentions it, and a smaller but still present pro-AI group that tries to discuss using coding models in good faith. Imo it's something of an identity crisis for lobste.rs.
I realize that this comment comes off as pro-AI, but I mostly agree with the first group that a lot of these posts are low effort and annoying. To me "This weekend I used Claude Code to poorly copy someone else's markdown editor, here's Claude's story of how it did it" and similar is about as interesting as "I copied a bunch of code snippets I don't understand from Stack Overflow, here's all the links to them."
Somehow or another, HN has done a better job of keeping up a greater variety of content on the front page so it's not as much of an issue for me here, though it does still happen on e.g. days with big model releases.
The article is nearly useless for users of the software who want to know how their data may have been affected. The researchers' website is more descriptive, especially wrt specific findings.
That's much better, thanks. According to the Bitwarden blog post: https://bitwarden.com/blog/security-through-transparency-eth... which contains its full cryptography report at the end, all the issues have been fixed except a few which are considered part of the design (see below), so if I understand correctly you have nothing to worry about if you don't use organizations and use a strong password.
Issue 5: Organisation Key Injection (Medium)
When users interact with organizations, a trust relationship is established through the exchange of cryptographic keys. A malicious server could add users to arbitrary organizations by encrypting an organization symmetric key under the user's public key and including it in sync responses. The client would silently accept the new organization membership. Alternatively, when a user creates an organization, the malicious server could substitute the newly created organization's keys with attacker-controlled keys during the post-creation sync.
Issue 7: Disable KDF Bruteforce Protection (Low)
Bitwarden uses Password-Based Key Derivation Functions (PBKDF2 or Argon2id) to derive the master key from the user's master password. The iteration count – currently defaulting to 600,000 for PBKDF2 – provides brute-force resistance. The researchers identified that KDF settings are stored on the server without authentication, allowing a malicious server to reduce the iteration count and receive a master key hash that is faster to brute-force.
Issue 9: Malleable Vault Format and Unencrypted Metadata (Low)
The researchers identified that while individual fields are encrypted, metadata about field positions and item structure is not integrity-protected, potentially allowing field reordering or item manipulation.
Issue 10: Access Violation in Organisation Collections (Low)
Organization collections enable shared access to vault items among organization members. By design, the organization symmetric key is shared with all organization members, allowing them to access collection contents to which they have specifically been granted access.
"All issues have been addressed by Bitwarden. Seven of which have been resolved or are in active remediation by the Bitwarden team. The remaining three issues have been accepted as intentional design decisions necessary for product functionality."
For clarity, one of the "Accepted" vulnerabilities is that attackers who control the Bitwarden servers can set the PBKDF iteration count to "1". They set the severity of this to "low".
They've also "accepted" a vulnerability --- BW01 from the paper, I believe --- that allows a malicious server to read all vault items from a user as soon as they accept any invitation (real or not) to an "organization".
No matter how compromised a server gets, ideally the client should never be able to provide it unencrypted data, or data encrypted in a way such that the server can decrypt it. It is unclear if Bitwarden has fixed this core issue or not.
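The KDF downgrade quoted above (Issue 7) is something a client can refuse on its own side, whatever the server sends. The following is an added example and not Bitwarden's code: a client-side check that pins the KDF settings it last saw for an account and rejects server-supplied settings below a local floor or below the pinned value before deriving the master key. The 600,000 floor comes from the report's quoted default; the `KdfParams` names, the constructed salt and password, and the restriction to PBKDF2-SHA256 (Argon2id is not in Python's standard library) are assumptions for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Local floor per algorithm; 600,000 is the PBKDF2 default quoted in the report.
# Argon2id is omitted here because it is not in the standard library (assumption).
MIN_ITERATIONS = {"PBKDF2-SHA256": 600_000}


@dataclass(frozen=True)
class KdfParams:
    algorithm: str
    iterations: int


class KdfDowngradeError(ValueError):
    """Raised when server-supplied KDF settings would weaken key derivation."""


def validate_kdf_params(server: KdfParams, pinned: Optional[KdfParams]) -> KdfParams:
    """Accept server KDF settings only if they meet the local floor and never
    fall below what this client has already pinned for the account."""
    floor = MIN_ITERATIONS.get(server.algorithm)
    if floor is None:
        raise KdfDowngradeError(f"unsupported KDF algorithm {server.algorithm!r}")
    if server.iterations < floor:
        raise KdfDowngradeError(
            f"{server.iterations} iterations is below the local floor of {floor}")
    if pinned is not None and (server.algorithm != pinned.algorithm
                               or server.iterations < pinned.iterations):
        raise KdfDowngradeError(f"server offered {server} but client pinned {pinned}")
    return server


def derive_master_key(password: bytes, salt: bytes, params: KdfParams) -> bytes:
    """Derive a 32-byte master key with already-validated PBKDF2 parameters."""
    if params.algorithm != "PBKDF2-SHA256":
        raise KdfDowngradeError("only PBKDF2-SHA256 is implemented in this example")
    return hashlib.pbkdf2_hmac("sha256", password, salt, params.iterations, dklen=32)


if __name__ == "__main__":
    # Constructed sample: the client pinned 600,000; the server later offers 1.
    pinned = KdfParams("PBKDF2-SHA256", 600_000)
    for offered in (KdfParams("PBKDF2-SHA256", 600_000), KdfParams("PBKDF2-SHA256", 1)):
        try:
            params = validate_kdf_params(offered, pinned)
            key = derive_master_key(b"constructed-password", b"constructed-salt", params)
            print(f"accepted {offered.iterations} iterations, key prefix {key.hex()[:16]}")
        except KdfDowngradeError as err:
            print(f"rejected: {err}")
```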
I have no problem with experienced senior devs using agents to write good code faster. What I have a problem with is inexperienced "vibecoders" who don't care to learn and instead use agents to write awful buggy code that will make the product harder to build on even for the agents. It used to be that lack of a basic understanding of the system was a barrier for people, but now it's not, so we're flooded with code written by imperfect models conducted by people who don't know good from bad.
One does not have to use anything at all… but if someone is “senior” and is incapable of using LLMs for some parts of her/his job, then the “senior” part is just age-related and not tied to skill level.
Yeah I’m baffled why people are surprised that senior+ engineers who are being told in one breath they will be replaced by this tool and also they MUST use this tool to make it better to replace them aren’t happy about it or want to use it willingly.
I also find it wild how we’re sleepwalking into this, but I’m also part of the problem and using these things too.
Where are you encountering all this slop code? At my work we use LLMs heavily and I don't see this issue. Maybe I'm just lucky that my colleagues all have Uni degrees in CS and at least a few years experience.
> Maybe I'm just lucky that my colleagues all have Uni degrees in CS and at least a few years experience.
That's why. I was using Claude the other day to greenfield a side project and it wanted to do some important logic on the frontend that would have allowed unauthenticated users to write into my database.
It was easy to spot for me, because I've been writing software for years, and it only took a single prompt to fix. But a vibe coder wouldn't have caught it and hackers would've pwned their webapp.
You can also ask Claude to review all the code for security issues and code smells; you'd be surprised what it finds. We all write insecure code in our first pass through if we're too focused on getting the proof of concept worked out. Security isn't always the very 1st thing coded, maybe it's the very next thing, maybe it comes 10 changes later.
Yes we do, you don't just start a brand new web project and spit out CORS rules, authentication schemes, roles, etc in one sitting do you? Are you an AI?
So let me get this straight, you get instructed to build an Instagram clone, and you sit down and one shot code every single feature for the project? My point is about in one sitting, doing EVERYTHING all at once, without pausing, without standing up, without breaks. I don't know about you but people who tend to rush code out make just as many if not worse mistakes than AI does.
I've worked with many competent engineers and have built things people couldn't even google help for before AI existed, and that surpassed my and my team's expectations both solo and in a team setting. None of them were done in one sitting, which is what you're suggesting. Everything is planned out, and done piecemeal.
For the record, I can one shot an AI model to do all of those things, with all the detail they need and get similar output as if I gave a human all those tasks, I know because I've built the exact tooling to loop AI around the same processes competent developers use, and it still can do all of it in record time.
So if you're going to build a massive application say, YouTube, Facebook or Instagram you're going to sit down, and write out every template, db model, controller, view model, etc in one single sitting for the entire application? No bathroom breaks, no lunch, no "I'll finish that part tomorrow" you do it ALL in one sitting? Because you will miss something, and that's my point, nobody gets their first crack at a greenfield project 100% in one sitting, you build it up to what it is. The AI is used the same way.
I actually do build all of those things before standing something up in prod. Not doing that is insane. Literally every web framework has reasonable defaults baked in.
Any competent tech company will have canned ways to do all of those things that have already been reviewed and vetted.
Why are you building and deploying a site critical enough to need CSP and user security & so on in one sitting lol
Anyways, yes, if I know I'm gonna need it? Because every framework has reasonable defaults or libraries for all of those things, and if you're in a corporate environment, you have vetted ways of doing them:
1. import middleware.whatever
2. configure it
3. done
Like, you don't write these things unless you need custom behavior.
The issue isn't when the programmers start using it. It's when the project managers start using it and think that they're producing something similar to the programmers.
We're in a transition phase, but this will shake out in the near future. In the non-professional space, poorly built vibecoded apps simply won't last, for any number of reasons. When it comes to professional devs, this is a problem that is solved by a combination of tooling, process, and management:
(1) Tooling to enable better evaluation of generated code and its adherence to conventions and norms
(2) Process to impose requirements on the creation/exposure of PRDs/prompts/traces
(3) Management to guide devs in the use of the above and to implement concrete rewards and consequences
Some organizations will be exposed as being deficient in some or all of these areas, and they will struggle. Better organizations will adapt.
The unfortunate reality is that (1) and (2) are what many, many engineers would like to do, but management is going EXACTLY in the opposite direction: go faster! Go faster! Why are you spending time on these things?
There were always musicians who were better than you. If that didn't stop you, why did AI? Were you only making music to be the best? Surely you knew that was extraordinarily unlikely. If you like making music, then make music and like it.
Fair point. Just trying to analyse my thoughts a bit more here...
...
Before, when writing music I could come up with something in my head and make that thing real with significant effort. Now anyone can do that, including myself using AI, in just 15 minutes. That demotivates me, because why would I put effort into something that AI can do as well as, or better than, me 10-20x faster? I think if I was such a good musician that the delta between myself and AI was significant it would make sense to continue making music, but in my case it is not.
I also really like music production and music production specifically increasingly feels too easy... Over the last 5 years there's been a huge range of "click and make it sound good" type plugins. I could spend hours trying to make something sound good, but I feel like it's less impressive these days because everything can sound good with minimal effort.
I feel the same about lots of creative stuff tbh... I used to like photography, but smart phone cameras and AI filters / editing are so good these days the delta between what I can take on my $3,000 camera + photoshop skills is actually quite minimal now vs someone with an iPhone. 10-20 years ago it would be completely incomparable.
I used to spend hours designing websites too... Thinking about the brand and UX was one of my favourite parts of building new projects. I'll never do that again now. Claude Code is good enough that I can't add enough additional value to make it worth designing by hand.
Part of this is just me as a person being obsessed with how I can add something to the world. A lot of the digital creativity which I used to love is no longer a productive or value-adding pursuit. And I think for that reason I'm naturally pivoting my time into other things. Specifically creating physical things.
Not saying everyone is like me obviously. If something brings you enjoyment personally then go do it. Just don't expect anyone to actually care if you spend weeks designing a website or writing some music anymore. It's just not impressive.
That's really cool. I was looking at them and thinking "I could probably make these with vanilla html/css but it'd be pretty tedious." Perfect use case for AI. I need to work on developing a reflex for it.
I've also started doing this, and it's surprisingly enjoyable to both do and even to read. The end result is often more readable to me than using a 3rd-party JS visualization library, because I only need to know standard HTML/CSS concepts to understand what's going on. And a side benefit is smaller pages with less bitrot due to being able to skip the dependencies.
"From" other countries is overly broad and I assume not what you intended. I am actually interested though in the idea of legislating how frequently home owners have to actually be within range of the home, for example. A friend has had a hell of a time with a landlord in Malaysia who's never seen the property.
They do it by citizenship, and you might be surprised how many investment properties are vacant homes, but I’m not necessarily advocating for this in any case. The real cure would just be right to build laws.
The problem is, you can’t do that at the federal level, and the people who vote at the local level are the homeowners who benefit from housing restrictions.
The federal government has a very difficult task. They want to make home prices basically stay flat for a long time, and they have limited tools with which to do it since they can’t do the one thing every economist agrees would solve the problem.
Could homeowners be convinced with truckloads of money? As in, yes if you increase density beyond demand the value of each individual home decreases, but the value of the land dramatically increases if suddenly your single family home with a lawn could be converted to a 9 story tower renting out units to 20+ households with infrastructure spending diverted to your area to improve it. Are landowners unaware or just do not care about the profit potential?
I just don’t think it works that way. The developers don’t buy existing homes, they buy farms and golf courses and large vacant tracts. They don’t frequently just like buy 4 homes and put 20 where they had been.
Most people have most of their money tied up in their home equity and would lose an amount that hurts.
Many countries prohibit non-citizens from owning any real estate or businesses at all, even if they have a long-term resident status. Thailand is one example. Ownership is limited to 49%; a local partner must own at least 51%.
Does that work out in their favor in the end? Seems like that would really deter investment in the country. I'm not familiar with any large Thai corporations.
At least in my case, I'm pretty sure I can afford to own all the music I listen to. I only listen to 5,000 minutes per year of mostly the same few hundred songs. I've spent 8 years x 12 months x 13 = $1248 on Spotify in my life so far, so even at $.99 per song (which is above average if I buy albums), I'm losing money.
Imagine all the incredible fan works that could spark careers and businesses if e.g. the original Star Wars trilogy were public domain, or how many indie dev studios could get started by riffing on Pokemon. But alas, fans of both franchises continue to make works but can't profit from them and need to pray that Disney and Nintendo won't send lawyers after them if they get popular.
Fan works of Star Wars have long been as good or better than the official releases. The world would be a much richer place if anyone was free to create whatever they wanted.
Attracting the ire of the music industry seems like a huge, unnecessary risk. I wish they had performed this as some kind of other entity to try to keep the ebook archive protected from the fallout. I fear this will not end well.