Education time = time at school + time doing assignments
OP said:
> Obviously the answer to testing and grading is to do it in the classroom.
So my question is, when is homework done? If it is being done at school, then our two options are to extend hours spent at school or give up time normally spent lecturing. I guess there's the alternative of getting rid of homework and only evaluating students on exams, but considering how terrible of an idea this is, I'm assumed that's not what's being suggested.
Now I'll be fair, I interpreted "testing and grading" as including homework. Why? Well...
1) exams are already performed (primarily) in the classroom. Everyone is already aware of how supervised settings reduce (but not eliminates) cheating. I'm assuming the OP isn't so disconnected that they are aware of this. I'm assuming they also went to school and had a fairly typical education. I'm also assuming that the OP isn't making the wild assumption that the majority of school teachers and news reporters aren't comatose, so capable of understanding this rather obvious solution.
2) I assumed the OP RTFA
The entire problem that's constantly talked about, including THE ARTICLE, is HOMEWORK. No one is talking about 1) for the aforementioned reasons. *Everyone is talking about homework.* It has been the conversation the entire time. So I restate, if you are evaluating /homework/ in class, then what are we giving up? It really doesn't take a genius to figure out something has to give, right?
Sure, you're right, we don't have to treat time as a zero sum game (normally I'm upset about non-zero sum games being treated as zero sum lol). But that's a different problem. Yes, we don't need to worry about time if our goal is to meet a fixed quality of education. You can increase the quality of education, getting more done in less time.
But that's a different optimization problem. My assumption here is that we want to maximize education, not meet a specific threshold. Especially if we're talking about the US. Maybe there is a specific threshold we want to reach, but I don't think we're close enough that this is the main concern.
So that's why I'm treating time as a finite and scarce resource.
And you're right to point this out. We're making different assumptions about what problem to solve and we should make sure we're not talking past one another. So I hope this helps clear up some of my assumptions.
Yeah, there is a whole interesting story about the Thoratec Heartmate II bloodbpump ("artificial heart") implant and Dick Chaney. Can't be having a back door into the VPs heart implant...
The articles title combined with the much more middle of the road sub title and then a final request that you give them money to figure out what the fuck is going on is all you need to know about the journalists integrity.
As a security professional who makes most of my money from helping companies recover from vibe coded tragedies this puts Looney Toons style dollar signs in my eyes.
Since the entire concept of Vibe Coding existed for a grand total of 5 months, how do companies reach the level of saturation with vibe coding, that it's not only prevalent, but makes sense to specialize in helping them recover from it?
It only takes one tiny vibe-coded insecure extension to a pre-existing codebase (that might have been good secure code), to turn the whole thing into a catastrophe.
It's basically the same as in other parts of IT security: It only takes one lost root password, one exploited software/device/oversight, one slip, to let an attacker in (yes, defense-in-depth architecture might help, but nonetheless, every long exploit-chain starts with the first tiny crack in the armor).
My guess is tons of small/medium sized companies were enamored with the speed and ease of use that LLMs promised and very quickly found solutions that “just worked”.
Also we don’t really specialize in it since that’s not something you would really do. It’s just that the usual vulnerabilities are more common AND compounded.
I shudder at the thought of some novice vibe coder giving me thousands of lines of AI-generated flaming poop, and insist that it's almost correct, I just need to fix it here and there.
Would love to hear more about your work and how you have tapped into that market if you're keen to share. Even if it's just anecdotes about vibe-in-production gone wrong, that would be really entertaining.
Before vibe coding became too much of a thing we had the majority of our business coming from poorly developed web applications coming from off shore shops. That’s been more or less the last decade.
Once LLMs became popular we started to see more business on that front which you would expect.
What we didn’t expect is that we started seeing MUCH more “deep” work wherein the threat actor will get into core systems from web apps. You used to not see this that much because core apps were designed/developed/managed by more knowledgeable people. The integrations were more secure.
Now though? Those integrations are being vibe coded and are based on the material you’d find on tutorials/stack etc which almost always come with a “THIS IS JUST FOR DEMONSTRATION DONT USE THIS” warning.
We also see a ton of re-compromised environments. Why? They don’t know how to use CICD and just recommit the vulnerable code.
Oh yeah, before I forget, LLMs favor the same default passwords a lot. We have a list of the ones we’ve seen (will post eventually) but just be aware that that’s something threat actors have picked up on too.
EDIT: Another thing, when we talk to the guys responsible for the integrations or whatever was compromised a lot of the time we hear the excuse “we made sure to ask the LLM if it was secure and it said yes”.
I don’t know if they would have caught the issue before but I feel like there’s a bit of false comfort where they feel like they don’t have to check themselves.
> We also see a ton of re-compromised environments. Why? They don’t know how to use CICD and just recommit the vulnerable code.
This one sticks out to me. A while back the UK did a security assessment of Huawei with a view to them being a core infrastructure provider for the 5G rollout, and the conclusion wasn't that they were insecure, it was that they were ~10 years away from being able to even claim they were secure.
Contrasting this to my current employer, where the software supply chain and provenance is exceptional, it's clear to me that vibe coding doesn't get you far in terms of that supply chain, and is arguably a significant regression from the norm.
Third party dependencies, runtime environments/containers, build processes, build environments, dev machines, source control, configuration, binaries, artifact signing and provenance, IDEs, none of these have good answers in the vibe-coded ecosystem and many are harmed by it. It will be interesting to see how the industry grapples with this when someone eventually pushes back and says they won't use your software because you don't have enough context about it to even claim it's secure.
We’ve had a few of these stem from custom LLM agents. The most hilarious one we’ve seen was one that you could get to print its instructions pretty easily. In the instructions was a bit about “DON’T TALK ABOUT FILES LABELED X”.
No guardrails other than that. A little creative prompting got it to dump all files labeled X.
This is the best thread response I've seen in a while, made me chuckle because i can't understand how people say they vibe code stuff and it works (My experience is not that) and i just feel out of the loop reading all other HN posts and comments about how good it is.
Hard to say for a number of reasons but I can tell you what kind of teams we see.
College grads with no seniors or too few senior devs to oversee them tend to be the worst. Surprisingly, it seems that the worst of these is where the team is very enthusiastic about tech in general. I’ve wondered if it’s a desire to be the next Zuckerberg or maybe not having the massive failure everyone has eventually that makes you realize you aren’t bullet proof.
Experienced devs with too much work to do are common. Genuinely feel bad for these guys.
Off shore shops seem to now ship worse crap faster. Not only that but when one app has an issue you can usually assume they all have the same issue.
Also as a side note Tech focused companies are the most common followed by B2C companies. Manufacturing etc. are really rare for us to see and I think that may be something to do with reticence to adopt new patterns or tech.
In my experience, LLMs do not make a lot of the security mistakes most developers do, just because it is aware of their existence while most devs just are not. But then they could also make the mistake at some point, and the vibe coder guiding it might not catch it... Do you have any examples? I find this really interesting.
LLMs aren’t aware of anything - that’s pareidolia of intelligence – but they hopefully have been trained on code which has more secure than insecure code. That’ll help with some classes of problem like using string operations to make database queries but it does have the cost that people might not review it as deeply for more subtle problems.
It gets kind of philosophical really fast. What does it mean when software can be automated through a bash loop? (Not to 100%, to 80%. What does that mean to software outsourcing in the consulting industry?)
Yeah, I totally get it man. Like when I discovered these techniques back in February, it really spooked me. And I guess 5-6 months later it's starting to become known even though I've been publishing full details on how to do this shit. It turns out that the best way to spread knowledge in San Francisco is to get drunk with YC founders...
