People keep assuring me that LLMs writing code is a revolution, that as long as we maintain sound engineering practices and tight code review they're actually extruding code fit for purpose in a fraction of the time it would take a human.
And every damned time, every damned time any of that code surfaces, like Anthropic's flagship offering just did, somehow it's exactly the pile of steaming technical debt and fifteen-year-old Stack Overflow snippets we were assured your careful oversight made sure it isn't.
Can someone please explain this to me? Is everyone but you simply prompting it wrong?
It's a good thing programmers aren't susceptible to hubris in any way, or this would have been so much worse.
A bittersweet announcement: I was impacted by the layoffs at Consumer Reports, alongside a number of extremely talented colleagues.
I’m deeply grateful for the opportunity and so proud of the work we did fighting for consumers and helping people stay safer online.
What's Anthropic going to do, sue them? Insist in court that LLM recreating copyrighted code is a violation of copyright???
I dunno, I just have felt culturally impoverished for a long time. If you're a certain flavor of white, it's literally religion and work and...that's it. Sports I guess? What a non-nourishing culture.
And planting roots is pretty tough when you are forced to fling yourself across the country for school and work, which is the situation for many of my contemporaries. To leave home is to give up many of those built-in connections and support systems.
As a research project, I built a needed tool with Claude Code. I thought it would be a disaster, but it wasn't. I have some complicated feelings about it.
Today I learned about flare.io, a company that provides other companies with detailed intel about data leaks affecting them.
Here's the catch: Unlike @haveibeenpwned or even intelx, they store everything that they can get their hands on. During a live demo, they proudly pulled up all email/password pairs that they have for a company that is not one of their customers, showed off how it saves not just the combo but everything the infostealer got, including all browser cookies and a screenshot of the personal machine of an affected employee.
So many things wrong with this...
When asked about legalities, they claim "it's based on needing to know this information for the companies" and falsely claimed "haveibeenpwned does the same thing, they also sell access to the combos" 🫨
Anyway, I sent a GDPR request for my data (and subsequent deletion), let's see what happens.
#infosec #insomnihack #privacy
ETA: to be clear, this wasn't a one-off demo, they do this demo for everyone that walks up to their stand, and we have strong reasons to believe that the cleartext passwords that they show anyone that asks are real passwords and not demo data.