My team worked on this research at Snyk. If you think about it, it's pretty obvious behavior:
- Generative AI uses the context you provide to help generate additional tokens
- If the context you provide is bad (low-quality code, riddled with security issues), you'll similarly get low-quality code generated
- If the context you provide is good (high-quality code), you'll get better-quality code out
The thing we wanted to highlight with this research is that security is meaningfully impacted when you're generating code, particularly with low-quality codebases.
Is this a surprise, though? I think any sane developer would expect that a generative AI code helper making suggestions based on existing patterns in your code would do exactly this. It's not "thinking" about security, performance, or other non-functionals.
It's not a surprise to me, but it probably is to a lot of people who comment that they either couldn't code or wanted the AI to boiler plate something.
If you didn't write it, then it's going to be low quality, insecure code by default.
It's worth nothing that over the holidays, I decided to pick up Go for a personal project and tried GitHub CoPilot. I was tremendously impressed. At the beginning, it was mostly useful for helping me with syntax as I could ask it to write a for loop, access member variables, etc.
Over time, it would start to suggest larger and larger blocks of code based on what I was writing. It got to the point where it would auto-suggest entire functions based on my code comments. e.g. I'd type: "//Update a user" and it would then suggest complete code for doing just that, while managing to match the style of previous methods, use the correct ORM objects, etc. In general, it seemed to be 90-95% "correct".
However, it did like to remind me that it was just really good at putting words together. For the Update user, it suggested a function that exactly matched how I'd write it, except for this:
//Persist changes to Show object to the database
user.Save()
Just a nice reminder that the GenAI is not "thinking" about what it's doing.
When I was younger I heavily abused caffeine and would spend many long nights programming while deferring sleep as long as possible.
Now that I’m older, I’ve noticed that I just can’t do it. If I don’t sleep 7+ hours a night I feel TERRIBLE: my mood is worse, my focus is worse, and my overall productivity drops off a cliff.
Last year I was put on a medication with the unfortunate side effect of causing insomnia which made sleeping a full night extremely difficult and it was a struggle. Thankfully, after changing medications a few months ago to an alternative I’m sleeping great and no longer struggling.
My advice is to look into sleep hygiene and follow all recommendations. If you’re still not sleeping well look into medications and do whatever you can to treat your body right — it’s worth it.
I have found that the #1 cause for lost sleep is anxiety. Every piece of sleep hygiene, from blue light to meals to exercise to whatever else you want to consider can't hold a candle to going to bed with a quiet head. Your advice is good but I wanted to put this out there: First fix your worrying and running thoughts, then fix your sleep environment if you still need to, then look into medication.
If your anxiety comes from not being productive enough and the not being productive enough goes existential ... and you won't get productive without sleep, then it is hard breaking that cycle with just stop worrying. Exercising can help putting your body physical at rest and you will sleep, if you are physically exhausted enough. And then you can go on do everything else.
Daily exercise knocks on both doors, so to speak. It will help you sleep and it will also help you manage anxiety. Same for maintaining gut health. We are non-orthogonal systems.
Fair enough, I don't mean to say that I'm not a proponent of exercise, or having a cold bedroom, or any of the other standard pieces of advice. I follow them all by habit at this point.
What I mean to say is that first things first. There are lots of well-meaning advice we can give to people suffering from insomnia, delayed sleep onset etc etc. Most of it will only work if it helps fix anxiety. Awareness of this can be very helpful by itself.
If I go a week or so without some real exercise my anxiety starts to creep up. It does this no matter how good or bad my sleep has been over that time.
The problem arises when the obligation to exercise impinges on sleep time, whether that be having to get up early for a run or having to stay up late after chores to get a session done.
Sleep gives immediate benefits, exercise gives longer term benefits. It's a conundrum.
I never could go without sleep even when I was 20. I never did all nighters and if I didn’t get 9 hours I’d feel bad. It actually taught me not to procrastinate and to pace my work reasonably which has been a big benefit.
Seriously, I see people talk about how much worse things are in some respect or other now that they're out of their 20's and I think... must have been nice - I guess I never felt that young. One funny aspect is that I don't really feel any older now that I'm pushing 40. I've no doubt that biology applies to me as much as anyone and senescence is coming for me as inevitably as it is for all, but I guess I'll take what I can get.
I was like those people when younger but when I reflect and introspect I feel the real issue was that I simply didn’t recognise the negative effects or take them as seriously, not that I could actually handle the poor lifestyle better than I can now.
> would spend many long nights programming while deferring sleep as long as possible.
Now that I’m older, I’ve noticed that I just can’t do it
I’ve noticed the same but I don’t know if 10 years of age explains the difference as much as simply not being at the same level of fitness. I think if I was in the same cardiovascular shape, I wouldn’t have much more problem pulling all-nighters than I did in grad school (not that I necessarily want to...)
I am a lot more active now than when I was young, and I absolutely need the sleep now. When I was young I could really push it and do overnighters, etc. No longer.
Similar experience here. I was in objectively terrible shape in my teens through mid-20s; didn’t eat enough, didn’t sleep enough, didn’t drink enough water, and spent most of my day at a desk.
Flash forward to today in my mid-30s and all of this has improved dramatically (though has room for improvement), and yet lack of sleep is much harder on me now than it was back then.
yup Same here (minus the medications), I abused caffeine and my ability to go looong hours without sleep.
I just cant do it anymore, I suspect having two kids might have been the straw that broke my abused back. the first few years of kids breaking your sleeping up are pretty hard.
What I’m curious about is if you do program all night but then take naps during the day to make up for it. Does that provide adequate rest? Or does the sleeping part have to be at night for it to be effective?
If you want more info, we have a detailed blog post on the Snyk website here: https://snyk.io/blog/leaky-vessels-docker-runc-container-bre... (we also built two open source detection tools you can use to see if anyone is taking advantage of these issues in your infrastructure): a static analysis tool and a runtime tool using eBPF.
oO This one is a clear vulnerability -- if you're able to escape a container and access the host system (usually with root access since Docker is running as root most places), that's a big issue.
Last I checked, Docker wasn't considered a security boundary and Docker escapes weren't considered a security issue. The most obvious escapes have slowly been mitigated over time, but the prevailing wisdom is that you should always assume that an attacker can work their way from the container to the host system. Obviously never put anything sensitive on a docker host, and assume anything running on the host (like the other docker containers) is running at the same privilege level.
I tried for a long time to even get docker to just give a config option to disable privileged mode with no success.
I even resorted to posting instructions on stack exchange demonstrating how to walk /sys to find device numbers and use mknod to read the hosts root volume and now as most servers don't mount their efi partition, how you could mount it rw inside a container with little effort.
Containers are namespaces and purely depend on privilege dropping for the security they provide.
Part of the problem is that container breakout is narrowly defined.
The fact that a privileged container can upload firmware or access private keys by reading the hosts root volume didn't count.
While the ability to disable privileged mode wouldn't have solved this issue it still would have reduced the attack surface. But will the projects refusal to even take that step I gave up.
Deciding that the only safe option was to consider containers as namespaces and nothing more.
Unfortunately adding persistence and other functionality tends to result people running it as uid0, which means that you have to consider as anything that can launch a container as having superuser privileges.
Poor code quality is not a unique problem to AI coding assistants -- it's also a pervasive problem in the wild, regardless of who or what is writing code.
My thoughts around code quality are generally that if you're writing code for yourself (as a hobby, for open source, whatever) -- then write code however you want, as it's for fun. Obviously, others can contribute fixes and help make things better, but there's no professional "responsibility" in these cases.
On the other hand, if you're writing software meant to be used by others (including companies you work for), it's your responsibility as a developer to ensure the code you're pushing is:
- In compliance with style conventions
- Properly reviewed for security issues (tools like Snyk and other SAST/SCA tools work well for this)
- Makes architectural sense given the rest of your codebase
- Is documented so others can easily contribute/review without a lot of handholding
The rules above are true regardless of how the code is being generated.
Fully agree here. The report also states that jr. devs are more likely to be using coding assistants, thus may not spot poor code generations and be much more likely to commit bad code.
We're still in the early days of AI and there are certain things that code assistants excel at today, and there are things they do very poorly at currently.
Conclusion: "These results challenge the current recommendation that expenditure of at least 1000 kcal per week is required to achieve exercise-induced protection against premature cardiovascular mortality."
Just as a note -- that's a good amount of exercise, even if once a week. Burning 1,000 calories is a lot of physical movement.
I'd probably wager that with walking you can go up way steeper inclines than you can otherwise comfortably jog. That might change things considerably. According to one study you burn over 30% more calories walking up a 10% incline (about 17% calories much for a 5% incline).
This is supposedly not true. Walking the same distance expends more calories (on account of using your energy-inefficient machinery for longer to achieve the same external work).
Equally, walking the same amount of time as a run expends less calories because of the greater effort involved in running to generate more external work.
I feel fine running a 5K in 30 minutes. If I cut that down to about 18 minutes, yeah, I sweat up a storm, too. I don't know why it would be unexpected that the faster you go over a set distance, the harder it's going to be.
I know the Apple Watch can be very inaccurate in measuring energy expenditure, but I weigh about 175-180lb and my ~6k runs almost always register at 450-600kcal.
I have a simple gps watch that uses my weight to estimate calories and doesn't measure heart rate. It gives me the same as you, just under 100kcal/km for the same weight. But I'm convinced this is a dramatic overestimation, I run a lot and have for years, and I'd be eating way more if I really burned that much. I think with regular exercise we become extremely efficient and the calorie burn goes way down. I don't know if heart rate accounts for that or not, but overall I'm sceptical about calorie counts.
It definitely depends a lot on metabolic adaption which already varies significantly person to person but I think for beginners just moving from a sedentary lifestyle it's a good estimate for a while (six months to a year is the number I've heard, depending on training intensity).
The last few months I've gone from a sedentary lifestyle to calorie counting and using an Apple Watch to track exercise with an intense 7-10 mile walk/run/hike 5-7x a week. With the weightloss I've experienced it seems relatively accurate (within 20%) but that's with 2-3 hours of exercise (not including weight lifting) per session.
When playing beat saber, I always assumed the Apple Watch over-estimates calorie burn if only because the watch is on the part of your body that's the most mobile (your wrist). So, getting 300kcal for a 30 minute session felt like cheating.
But, there's at least "more legit than an Apple Watch" evidence that the calorie burn is that high; 6-8kcal per minute on Expert difficult [1], and some of the Expert+ tracks could easily burn more than that (and, I weigh much more than their Standard Reference Person).
I'm not the most fit person, but I've seen surprisingly little hard evidence that the Apple Watch grossly under or over-estimates calories burned. I imagine it starts getting worse at the extremes, and nothing is perfect, and everyone is different; its an area where more research would have unbelievably high leverage (Apple has sold, hundreds, of millions, of watches) (in fact: I'm sure they've done some of this research themselves).
It's saying the previous recommendations were 1000 calories a week. This study found that a 45 min workout using 631 kcal produced similar cardiovascular benefits. But yes, 631 kcal during a 45 min high intensity workout is still quite a lot.
Yeah that's somewhere between a 5km and 10km run. If you're in shape to pick up and do that once a week, you're in better shape than most people and so it's not really a surprise that such people have lower cardiovascular mortality.
I'm not sure I would agree that most people are physically incapable of running 3 miles once a week. Unless you've got a physical disability or some very bad respiratory ailment you can do that in well under 40 minutes at a pace barely faster than walking.
Obviously everyone's different (weight, fitness etc.), but 100 calories is a decent estimate for expenditure while running a mile. So 1000 calories might be somewhere around 10 miles.
> Burning 1,000 calories is a lot of physical movement.
Divide that by 7 days per week and it’s only 142 calories per day.
The average person can burn that many calories walking a mile or mile and half. If you take your phone and answer emails while walking you’ll get there.
Some of the estimates in this thread claiming 10 mile runs are necessary are way, way off the mark.
> The average person can burn that many calories walking a mile or mile and half. If you take your phone and answer emails while walking you’ll get there.
I think most people who are in jobs where they have to answer emails would be better off, physically as well as mentally, by unplugging and learning to be connected to their surroundings, at least for that mile walk.
Welcome to my world -- we're extremely similar =) I'm also always in a cheerful mood, expressive, and jolly.
While some people prefer to keep a separate personal and professional identity, I chose to do the opposite and refused to create separate personas. I'm 34 atm, and have been working in industry full-time since I was 20.
Here's a few observations from my own experiences here:
1. If you're willing to bring your personality to work with you, it'll help you make friends. Some of my best friends are people I've met through work while just "being myself".
2. It opens opportunities you may not be aware of. Years ago I ended up switching from being a founder/CTO-type to working in Developer Relations where I would spend ~50% of my time building software and ~50% of my time doing marketing-related work (writing articles, giving presentations, etc.). I fully attribute this shift to my personality, and it's been a great fit. I really enjoy the work I do and feel like I can be my authentic self at work.
3. I've also been in situations (similar to what you describe) where I don't fit in with the corporate culture. For example, I worked at Okta for ~4.5 years or so and didn't blend in with the corporate culture AT ALL. I still feel like I enjoyed myself and made a large impact, but I certainly wasn't expecting to become a VP there or anything like that.
My advice: just be yourself and optimize your work so it's something you can fully enjoy without putting on an act.
Day One - A journaling app for iOS, iPad OS, and MacOS that lets you write journal entries, keep multiple journals, sync everything (encrypted) via iCloud, and even lets you print physical copies of your journals if you'd like.
I've been journaling with it for two years now nearly every day and it's 100% wonderful. At the end of each year I order a physical copy of the journal for my personal archive. Highly recommend.
I purchased a Model X (spent well over $100k) back in 2019. I (up until this past week) had a reservation for a maxed-out Cybertruck that I was planning to purchase, as well as a 100k+ solar + battery install.
This past week I couldn't stand the thought of giving Elon any more money and canceled all those purchases -- I'd be SHOCKED if Tesla and his other companies don't end up suffering based on his complete 180 flip over the last few years.
- Generative AI uses the context you provide to help generate additional tokens
- If the context you provide is bad (low-quality code, riddled with security issues), you'll similarly get low-quality code generated
- If the context you provide is good (high-quality code), you'll get better-quality code out
The thing we wanted to highlight with this research is that security is meaningfully impacted when you're generating code, particularly with low-quality codebases.