I was reviewing an HTTP proxy implementation emitted from Claude Code 4.6 or 7. Don’t remember. I saw that it could rapidly create convincingly plausible code with tons of rationalizing that further strengthened all of it, not just its human’s but its own wild leaps of judgment and thinking. But the code was completely insecure and didn’t follow or really seem to understand HTTP RFCs at all, despite the “author’s” direct prompting to use them as a reference.
As someone with over 30 years’ experience in computer security, both in corporate as well as boutique security and startup shops, who has been consistently fighting this trend, and recently bearing witness to and engaging in the current AI surge: I can say with absolute confidence that it is only getting, and going to get, even worse yet.
People like me who know there is a better way are getting pushed harder to lean on AI tooling even though we know that it is making things worse. This isn’t just because our founder/funding overlords are pressing us to do it. The sheer volume of new mission critical code being pumped out enabled by vibe coding is also leaving us little choice but to lean in too just to try and keep up.
We can all see it as clear as day: The tech isn’t ready for any of this. But nobody wants to hear that and everyone is marching off the cliff together anyway. We’re all going to land in the same waste pit together. Raise a glass and whimper.
AI is far better at security than the majority of security professionals. It is a net positive.
People constantly compare AI to this very rare expert human rather than the reality of who is already employed. Experts like you are a major culprit of this. And it puts you at odds with yourself to both admit the industry is full of subpar workers and then lament that they will be replaced with workers that are better, but still worse than you.
What is wrong with someone to make them think in this manner? Is it just a kneejerk response with little thought? Is it ego? Is it a coping mechanism? I find it very strange and interesting and annoying.
You are leaping to the assumption that I don’t actually believe in the tech. This is incorrect. I am griping with the way it is being recklessly and stupidly deployed by people who really don’t know what they’re doing.
I actually agree somewhat with jatora. However a large segment of the top ~20% of security folks are being forced to become reverse centaurs, as opposed to centaurs (disempowered vs empowered) due to the factors I mentioned.
I genuinely see value in the tech, but it is currently being deployed recklessly and stupidly.
Me too precisely. But after getting acclimated to a self hosted vaultwarden for the backend and beginning to explore some of the 3rd party Bitwarden frontends that implement its API, I’d recommend hanging in there a bit longer. I think there may be a moat around BW already for self-hosting.
What’s next in the circle is keepass I guess? And it’s just not friendly/robust enough yet for me to switch to it with my family who will probably just go back to using the same passwords on multiple sites if they hit resistance in ease of use.
I have my vaultwarden running in a container on my home-lab server, accessible only from Tailscale. The container itself is only accessible as its own node on my Tailscale private network and can’t be reached any other way (there are no inbound port forwards for the container itself; Tailscale handles this).
My phone and laptop both use Tailscale to access this and a few other containers I have set up similarly. I also have Tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc.), also on my tailnet.
Backups are encrypted and stored locally as well as to AWS Glacier.
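One way to express the "only me and my family can reach the vaultwarden node" rule the commenter describes, as an added example that is not the commenter's own policy file. It is a Tailscale tailnet policy (HuJSON, so `//` comments are allowed). The login names, the `group:family` group and the `tag:vaultwarden` tag are assumptions; the container node would need that tag applied to it for the rules to match. Tailscale denies any connection not matched by an `acls` rule, so the policy is least-privilege by construction once the permissive default rule is removed.

```json
{
  // Tailnet policy file (HuJSON). Added example, not the commenter's config.
  // User names, the group and the tag are constructed placeholders.
  "groups": {
    "group:family": ["me@example.com", "partner@example.com"]
  },
  "tagOwners": {
    // Only the admin account may attach the tag to the vaultwarden container node.
    "tag:vaultwarden": ["me@example.com"]
  },
  "acls": [
    // The default policy ships as {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    // which lets every device on the tailnet reach every port on every node.
    // It is replaced by the two narrow rules below; everything else is denied.

    // Family members may reach only the vaultwarden HTTPS port.
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": ["tag:vaultwarden:443"]
    },
    // The admin may additionally reach SSH on the container for maintenance.
    {
      "action": "accept",
      "src": ["me@example.com"],
      "dst": ["tag:vaultwarden:22"]
    }
  ],
  "tests": [
    // Policy tests are evaluated when the file is saved; a failing test
    // rejects the change, which catches an accidental widening of access.
    {
      "src": "partner@example.com",
      "accept": ["tag:vaultwarden:443"],
      "deny": ["tag:vaultwarden:22", "tag:vaultwarden:80"]
    },
    {
      "src": "me@example.com",
      "accept": ["tag:vaultwarden:443", "tag:vaultwarden:22"]
    }
  ]
}
```

The policy is edited in the Access Controls page of the Tailscale admin console. It governs only traffic inside the tailnet; keeping the container off any inbound port forward, as the commenter does, is what keeps it unreachable from the public internet, and the ACL then limits who inside the tailnet can talk to it and on which ports.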
What would happen if you lost access to phone and laptop? Is there another "backup" device, or a mechanism to register a new device to your Tailscale network that doesn't require vaultwarden?
I was thinking about Brave too while reading this thread. I’m not on a memory-constrained system exactly, but Brave seems tons snappier due to its ad blocking. I wonder too if Brave is a case where you can pull it off and still take advantage of being Chromium-based.
You're not alone; I heavily rely on vi mode and often struggle if I'm on someone else's machine and can't use it. I always wonder how you're supposed to work without it, but I never dare to ask.
It is an additional burden to switch to shell vi mode; it is not the standard. Maybe you can put it in all of your bashrc files, but you will probably hear some swearing from the people logging in to your machines :).
If you aren't aware already, you can put 'setxkbmap -option ctrl:swapcaps' in one of your startup config files, like .bashrc or somesuch. That flips left CTRL and CAPS LOCK.
… Is why I picked my name.