CISO, Security Operations, BS7799, ISO 27001, Common Criteria, CISM, PCI DSA/QSA, Grundschutz Auditor/Revisor

Espresso, Food, Photography and Rhodesian Ridgebacks

Social Media is the Devil's Encyclopedia

Website: https://images.afximages.com/

Not a good look, dude.

Indeed, this sums up parties in the 1990s...

#genx

One of my favorite bon mots on technology assessment is the answer to the question of which piece of software has caused the most devastating damage to society.

Excel.

It put into the hands of mediocre management, with no understanding of how model and reality relate to each other, a tool for quantifying and visualizing complex relationships within companies. A tool for turning living organizations into systems of key figures, for decoupling decisions from an understanding of them. A tool that enabled people to apply models whose limits they did not understand, and thus the perfect basis for quarterly-figure-optimized slider pushing.

This toot is about coding assistants.

VW cuts off owners' access to their own vehicle data with API change

VW changed an API this week, which left users unable to reach their data via third-party tools. Grid-supportive charging is made more difficult.

heise online

Column: When German politicians talk about “#Innovation”, you quickly notice that they often don't even know what it is. It could be worthwhile to reread Joseph #Schumpeter, and Clayton #Christensen too, in order to understand “#Disruption”, the rough sister of innovation.

In anticipation of June beginning Pride Month:

I think the modal situation here is that the people are reading none or very little of what is being generated by the LLM, so the tests have a special role: Tests function as the pull arm on the slot machine, you just generate until tests pass, and that's a jackpot. Obviously that's meaningless when the tests are meaningless, so tests take on a very different meaning and role in slot machine coding.

Previously we would write careful test conditions that were based off some real problem or an understanding of what the code under test did, and had a specific thing they were intended to protect against. Tests move slow and are designed to protect us against the things we know can go wrong. When we learn of a new wrong thing, we add a test.

LLM tests have the form of tests but don't do the same thing. They often test nothing, and are just expressions of truisms that the probabilistic text space explored while generating. They have strongly worded names but end up actually asserting that basic language features work as expected. Because it is not us writing tests for ourselves, where we only harm ourselves by making them weak, they function instead as a passively obfuscated justification for the code that the LLM generates. The user wants the tests to pass. The LLM provides.

The tests are theater: they are the play field for the slot machine. They are mild, surmountable, need to fail a few times to be plausible, but must eventually pass within the expected generation loop window to deliver the payout.

“Unlawful by design: Exposing the human rights costs of generative AI - Amnesty International”

https://www.amnesty.org/en/documents/pol40/0996/2026/en/

> Amnesty International finds that standalone generative AI systems, based on unlawful web scraping, depend on mass invasions of privacy by design, and are fundamentally incompatible with IHRL

This briefing examines how standalone generative AI systems, based on unlawful web scraping, are in conflict with international human rights law (IHRL) and standards through their design, development and deployment. While these technologies promise sophisticated automation and efficiency, they rely on data collection and model training practices that abuse privacy rights, enable discrimination, and threaten […]

Amnesty International
You gave a stranger with no soul and no skin in the game the keys to everything you own.

You AI skeptics could not be more wrong. This stuff is coming for developers' jobs sooner than you think. Its skills are like having a PhD friend. It's magic. Watch out!

All 11 handoff files from the past five sessions (11 files):

- handoff-20262905.v01 through v04 (May 29, four sessions)
- handoff-20263005.v01 through v04 (May 30, four sessions)
- handoff-20263105.v01 and v02 (May 31, two sessions)
- Plus the v04 from May 29

Compliance failure inventory across these sessions:

- v01 (May 29): 7 failures. Skipped session start protocol entirely. Did not fetch origin. Did not read required files. Wrote plan on stale data (wrong migration number). Required user to catch errors that the protocol exists to prevent.

- v02 (May 29): 6 failures. Ran fetch and file reads in parallel instead of sequentially. Searched wrong directory for handoff. Read startup files out of order. Summarized when told not to. Claimed readiness without reading source files. Failed to update CLAUDE.md with user correction.

- v03 (May 29): 6 failures. Proceeded with edits without approval. Wrong OOB channels. Wrong Hugo baseURL. Missed Dockerfile COPY line. Did not verify production deploy. Presented findings with interpretation instead of verbatim.

- v04 (May 29): 4 failures. Fetched production CSS via curl against Zero Trust site (repeated three times). Used stale git data. Suppressed a finding instead of presenting it. Combined git add and commit incorrectly.

- v01 (May 30): 12 failures. Ran toward commit without approval. Pushed untested code toward production. Guessed [tool] enum values. Repeated curl against Zero Trust. Told user nav worked from a static screenshot. Fabricated [tool] dashboard navigation. Failed to recognize the app's own logo. Proceeded with unauthorized config edits. Failed to notify on deploy completion (twice). Assumed wrong [tool] architecture. Deployed a fabricated [tool] export spec toward production.

- v02 (May 30): 5 failures. Ran wrong tool when told to run /security-review (twice). Placed noqa on wrong line. Ran formatter that reverted a fix without checking. Tech debt from prior session (hardcoded user directory).

- v03 (May 30): 2 failures. Integration test assumed wrong fixture user. /simplify output not written verbatim.

- v04 (May 30): 5 failures. Repeated guessing (4 instances). Acting without approval (4 instances). Failed to read [tool] docs before writing code. Verbatim output violation. Deploy monitoring checked wrong commit hash.

- v01 (May 31): 1 failure. Re-synced [tool] records without authorization, destroying investigative evidence. Plus 4 instances of presenting unverified claims as fact.

- v02 (May 31): 1 failure. Claimed readiness and presented a work plan for Module 2 without having obtained approval on the topic list.

The dominant patterns: acting without approval, presenting unverified claims as fact, fabricating information ([tool] specs, dashboard paths, tool availability), and claiming readiness before prerequisites are met.