HackerTrans
TopNewTrendsCommentsPastAskShowJobs

tcbrah

no profile record

Submissions

Effective Use-Cases for LLMs

aggressivelyparaphrasing.me
2 points·by tcbrah·hace 21 días·0 comments

Axios NPM supply chain incident

blog.talosintelligence.com
1 points·by tcbrah·hace 3 meses·0 comments

Agent Governance Toolkit: Open-source runtime security for AI agents

opensource.microsoft.com
2 points·by tcbrah·hace 3 meses·0 comments

Claude.ai Prompt Injection Vulnerability

oasis.security
2 points·by tcbrah·hace 3 meses·0 comments

Agents for Security: The Tipping Point for Offensive AI

menlovc.com
1 points·by tcbrah·hace 4 meses·0 comments

AI-Driven Offensive Security: The Current Landscape and What It Means

praetorian.com
1 points·by tcbrah·hace 4 meses·0 comments

ContextCrush: The Context7 MCP Server Vulnerability Hiding in Plain Sight

noma.security
2 points·by tcbrah·hace 4 meses·0 comments

Security advisory for Cargo (CVE-2026-33056)

blog.rust-lang.org
4 points·by tcbrah·hace 4 meses·1 comments

Rust Project Perspectives on AI

nikomatsakis.github.io
4 points·by tcbrah·hace 4 meses·0 comments

When Models Examine Themselves: Vocabulary-Activation Correspondence

arxiv.org
1 points·by tcbrah·hace 4 meses·0 comments

SQLite WAL-Reset Database Corruption Bug

sqlite.org
3 points·by tcbrah·hace 4 meses·0 comments

Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild

unit42.paloaltonetworks.com
3 points·by tcbrah·hace 4 meses·0 comments

GitHub Security Lab's open source AI-powered vulnerability scanner

github.blog
1 points·by tcbrah·hace 4 meses·0 comments

comments

tcbrah
·hace 18 días·discuss
tbf, node based editors have been "the year of" every year since blender. they all look like a murder board to me! comfyui especially has a terrible ui/ux IMO
tcbrah
·hace 3 meses·discuss
giving meta a run for its money, esp when it was supposed to be the poster child for OSS models. deepseek is really overshadowing them rn
tcbrah
·hace 4 meses·discuss
we've been complaining about curl | bash for like 15 years and yet here we are installing every new ai tool the exact same way lol. convenience always wins over security until it doesnt
tcbrah
·hace 4 meses·discuss
love that "we removed the telemetry" is now a headline feature worth forking an entire project over. says a lot about where dev tooling is headed tbh
tcbrah
·hace 4 meses·discuss
tbh the fact that they put copilot in the snipping tool tells you everything about how those decisions were being made lol
tcbrah
·hace 4 meses·discuss
tbh the real issue isnt even prompt injection its that people give these agents full wallet access and then act suprised when they get drained lol
tcbrah
·hace 4 meses·discuss
lol the 2025 "ai is just my pairing buddy" to 2026 "ai writes all my code" pipeline is speedrunning at this point
tcbrah
·hace 4 meses·discuss
fair point, but there's a difference between maintaining a CLI you own vs depending on a third party to maintain a wrapper around an API you could call directly. not to mention the mcp protocol is fairly nascent whereas CLIs are much more battle-tested
tcbrah
·hace 4 meses·discuss
the "77% cost reduction" number is doing a lot of heavy lifting here when the real play is getting your whole agent stack on cloudflare so switching costs go thru the roof lol
tcbrah
·hace 4 meses·discuss
the fact that github still renders Private Use Area codepoints as whitespace instead of flagging them is wild tbh. like we've known about this vector since 2024 and npm/github just shrugged
tcbrah
·hace 4 meses·discuss
tbh you can already tell whos using chatgpt to write their emails at work, everyone sounds like the same middle manager now. the homogenization isnt coming its already here
tcbrah
·hace 4 meses·discuss
the maintenance burden is the real MCP killer nobody talks about. your agent needs github? now you depend on some npm package wrapping an API that already had good docs. i just shell out to gh cli and curl - when the API changes, the agent reads updated docs and adapts. with MCP you wait on a middleman to update a wrapper.

tptacek nailed it - once agents run bash, MCP is overhead. the security argument is weird too, it shipped without auth and now claims security as chief benefit. chroot jails and scoped tokens solved this decades ago.

only place MCP wins is oauth flows for non-technical users who will never open a terminal. for dev tooling? just write better CLIs.
tcbrah
·hace 4 meses·discuss
ill take that as a compliment, my writing finally passed the turing test
tcbrah
·hace 4 meses·discuss
the wildest part is algolia just not responding. you email them saying "hey 39 of your customers have admin keys in their frontend" and they ghost you? thats way worse than the keys themselves imo. like the whole point of docsearch is they manage the crawling FOR you, but then the "run your own crawler" docs basically hand you a footgun with zero guardrails. they could just... not issue admin-scoped keys through that flow
tcbrah
·hace 4 meses·discuss
genuine question - what are you working on that needs that level of privacy? outside of NSFW stuff most API providers arent doing anything with your prompts
tcbrah
·hace 4 meses·discuss
tbh i stopped caring about "can i run X locally" a while ago. for anything where quality matters (scripting, code, complex reasoning) the local models are just not there yet compared to API. where local shines is specific narrow tasks - TTS, embeddings, whisper for STT, stuff like that. trying to run a 70b model at 3 tok/s on your gaming GPU when you could just hit an API for like $0.002/req feels like a weird flex IMO
tcbrah
·hace 4 meses·discuss
the confirm screen showing the actual command is lowkey the best part. i use ffmpeg daily for video assembly (concat demuxer + xfade + zoompan for ken burns) and honestly the only reason i got decent at it was reading the commands that other wrappers were generating under the hood. most ffmpeg GUIs hide that from you which defeats the purpose IMO - you end up dependent on the tool forever instead of actually learning the flags
tcbrah
·hace 4 meses·discuss
the data leak is bad but the write access to system prompts is what keeps me up at night. they could silently rewrite how Lilli responds to 43k consultants with a single UPDATE statement - no deploy, no code review, no logs. imagine poisoning the strategic advice that gets copy pasted into client deliverables. tbh most companies i see doing AI stuff store prompts the exact same way, just rows in postgres right next to everything else
tcbrah
·hace 4 meses·discuss
because the incentive structure is broken. if my performance review rewards me for using AI more, im going to use AI more even when i shouldn't. engineers will rubber stamp AI suggestions to hit their metrics instead of actually reviewing the code. you cant optimize for quantity of AI usage and quality of output at the same time IMO
tcbrah
·hace 4 meses·discuss
nice, fal is solid. whats the pricing like compared to calling the model APIs directly?

lots of people are asking for my script so i'm open sourcing it fairly soon (openslop.ai if you want to get notified). currently integrating with runware, elevenlabs, cartesia, kling, runwayML but will look into integrating with fal too. would you be open to connecting to helping with integration with fal?