Hacker News: frogsRnice's comments

Sure - but people are still free to decide where they draw the line.

Each extra bit of software is an additional attack surface after all


You all do amazing work, hope I can boast the same someday - or even 50% of it ;)

Seriously, you are my heroes!


IMO it's not just crypto; a lot of their reports are enlightening to read


It absolutely does


It could be pulling these resources over http ;)

Edit: Whoops sorry, morning fog


Unrelated; I just wanted to say that I learned programming from your socket tutorials when I was a kid. Everything was so well written that I used it from high school, to varsity, to my day-to-day job.

Without your tutorials I’m not even sure if I would have chosen the career I did. Thank you for all the love and effort you put into your posts; I'm sure that there are many other people who you’ve touched in a similar way.


At some point someone needs to take responsibility for allowing modification of environment variables via something dumb like http. Debugging interfaces are fine- we should expect more from developers.


No, you misunderstand. It is super simple to pay some other company a small amount to do this for you. No complexity to worry about whatsoever.

And if things require even a slim amount of thought and planning - chuck it to your favourite LLM and call it a day.

Just in case the sarcasm wasn’t clear I want to personally assure you that nobody ever will confuse an access token for an ID token. :p


Or a refresh token (which might be one of those two you mentioned)


As opposed to wondering if the llm is hallucinating?

You have to expend a mental effort to think about your solutions anyway; I guess it’s pick your poison really.


That's the issue: people just copy and paste code from LLMs thinking "yeah, looks fine to me". It might be a skill issue, but personally it takes me a while to understand the code it's giving me, and even more to work out how to actually implement it with all the edge cases that might happen.


Before: I’m a lazy developer so I find the best libraries and abstract logic to write the least code and do least maintenance work.

Now: I’m a lazy developer, so I get a glorified autocomplete to write 10x code than what I have the willpower to. Of course, I won’t read all of it.


Is it important if it's occasionally hallucinating?

It's not like you should blindly throw the code in, you should run it and verify it

The more common the work you're doing the less likely it is to hallucinate, plus you can ask it to stick to whatever arbitrary coding standards you want so it's more readable to you, a rewrite to remove a wrong library takes an extra couple seconds per method/function

Also, it's not like Stack Overflow or other non-generated resources don't occasionally hallucinate; it's not weird for the second- or third-voted answers on SO to be followed by the comment "This doesn't work because XYZ".


That’s why you take a quick glance at the answer, then read the comments. Then do a deeper analysis. Take something like 10 seconds, as it seems every real answer I find that’s good is usually just one or two paragraphs.


Yeah I agree- I think the time spent verifying should vary based on the complexity and sensitivity of what you are looking at, but you never really get away from it.

I think my issue with LLMs is moreso aimed at people who wouldn’t have ever done the bare minimum verification anyway.


My main gripe is that if someone finds a vulnerability that gives you a list of URLs, the model falls apart. I’ve seen this happen in organisations :/

But I agree with your statement here and others about the lifetime of the data: if something is sensitive or secret you want proper access controls applied, not just `openssl rand -hex 8`.

