Not exactly realistic anymore. It’s one thing to vet the libraries used directly, and only at a very surface level at that, but forget going down the whole chain of what they import as well and so forth. No one has time for that, especially if it’s just a quick little project.
I’m also kind of surprised everyone seems to blame the user instead of being critical about the guy who made the malicious prompt-injection. Some people are just learning. Did everyone forget what it’s like to be a beginner? I wasn’t close to safe about anything when I was a kid, jfc. It took me a year or two just to understand what a virtual environment was. GitHub should have banned this guy tbh.
I call bullshit on this “don’t have the time” shtick. If one doesn’t have time to review code prior to hacking on it then they ought to rearrange their priorities.
Offloading this basic and essential responsibility to any tool is an explicit abdication of claims to grievance over the result of such negligence.
So much more so when offloading that responsibility to LLM “agents”. If you find yourself disagreeing with this then you need to educate yourself about those tools.
Vet your deps isn’t some nice-to-have platitude. You own the thing being built. Offloading that responsibility to a clanker is irresponsible.
And everyone is rightfully blaming the user because the software is just some random code on the internet. The sheer audacity and entitlement of the mouth breather class to his free code is astounding. Don’t like it? Don’t use it. It is that simple.
The “some people are just learning” angle is bullshit. If you’re learning with the clanker and just blindly trust what it tells you, that is a categorical error. The clanker is not an infallible oracle but an adversarial bullshit generator. It is a very useful tool, but it is just a tool. You still need to put in the mental effort to learn and exercise your curiosity.
Finally, in today’s clanker reality, there is little reason to have a long ass list of dependencies with shitloads of transitive ones. Just build what you need from scratch. Code production is super cheap now. And even if your clanker makes the same security mistakes as the dependencies you would have used, it is now bespoke to your application. The ROI on pwning something like leftpad vs. your bespoke application is so lopsided. The CVEs lose a lot of power in a polyculture.
Not exactly realistic anymore. It’s one thing to vet the libraries used directly, and only at a very surface level at that, but forget going down the whole chain of what they import as well and so forth. No one has time for that, especially if it’s just a quick little project.
I’m also kind of surprised everyone seems to blame the user instead of being critical about the guy who made the malicious prompt-injection. Some people are just learning. Did everyone forget what it’s like to be a beginner? I wasn’t close to safe about anything when I was a kid, jfc. It took me a year or two just to understand what a virtual environment was. GitHub should have banned this guy tbh.
I call bullshit on this “don’t have the time” shtick. If one doesn’t have time to review code prior to hacking on it then they ought to rearrange their priorities.
Offloading this basic and essential responsibility to any tool is an explicit abdication of claims to grievance over the result of such negligence.
So much more so when offloading that responsibility to LLM “agents”. If you find yourself disagreeing with this then you need to educate yourself about those tools.
I recommend this Internet of Bugs video: Don’t Use Any AI Agents or Browsers Until You Watch This https://www.youtube.com/watch?v=TdHg9ee56Iw
and the deeper dive on their second channel: Technical Breakdown: How AI Agents Ignore 40 Years of Security Progress https://www.youtube.com/watch?v=_3okhTwa7w4
This isn’t some anti-AI doomer crap. This is understanding computer science and continuing to think critically about its evolution.
Vet your deps isn’t some nice-to-have platitude. You own the thing being built. Offloading that responsibility to a clanker is irresponsible.
And everyone is rightfully blaming the user because the software is just some random code on the internet. The sheer audacity and entitlement of the mouth breather class to his free code is astounding. Don’t like it? Don’t use it. It is that simple.
The “some people are just learning” angle is bullshit. If you’re learning with the clanker and just blindly trust what it tells you, that is a categorical error. The clanker is not an infallible oracle but an adversarial bullshit generator. It is a very useful tool, but it is just a tool. You still need to put in the mental effort to learn and exercise your curiosity.
Finally, in today’s clanker reality, there is little reason to have a long ass list of dependencies with shitloads of transitive ones. Just build what you need from scratch. Code production is super cheap now. And even if your clanker makes the same security mistakes as the dependencies you would have used, it is now bespoke to your application. The ROI on pwning something like leftpad vs. your bespoke application is so lopsided. The CVEs lose a lot of power in a polyculture.
What’s the last library you vetted?