HackerTrans
TopNewTrendsCommentsPastAskShowJobs

tcbrah

no profile record

Submissions

Effective Use-Cases for LLMs

aggressivelyparaphrasing.me
2 points·by tcbrah·21 dni temu·0 comments

Axios NPM supply chain incident

blog.talosintelligence.com
1 points·by tcbrah·3 miesiące temu·0 comments

Agent Governance Toolkit: Open-source runtime security for AI agents

opensource.microsoft.com
2 points·by tcbrah·3 miesiące temu·0 comments

Claude.ai Prompt Injection Vulnerability

oasis.security
2 points·by tcbrah·3 miesiące temu·0 comments

Agents for Security: The Tipping Point for Offensive AI

menlovc.com
1 points·by tcbrah·4 miesiące temu·0 comments

AI-Driven Offensive Security: The Current Landscape and What It Means

praetorian.com
1 points·by tcbrah·4 miesiące temu·0 comments

ContextCrush: The Context7 MCP Server Vulnerability Hiding in Plain Sight

noma.security
2 points·by tcbrah·4 miesiące temu·0 comments

Security advisory for Cargo (CVE-2026-33056)

blog.rust-lang.org
4 points·by tcbrah·4 miesiące temu·1 comments

Rust Project Perspectives on AI

nikomatsakis.github.io
4 points·by tcbrah·4 miesiące temu·0 comments

When Models Examine Themselves: Vocabulary-Activation Correspondence

arxiv.org
1 points·by tcbrah·4 miesiące temu·0 comments

SQLite WAL-Reset Database Corruption Bug

sqlite.org
3 points·by tcbrah·4 miesiące temu·0 comments

Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild

unit42.paloaltonetworks.com
3 points·by tcbrah·4 miesiące temu·0 comments

GitHub Security Lab's open source AI-powered vulnerability scanner

github.blog
1 points·by tcbrah·4 miesiące temu·0 comments

comments

tcbrah
·18 dni temu·discuss
tbf, node based editors have been "the year of" every year since blender. they all look like a murder board to me! comfyui especially has a terrible ui/ux IMO
tcbrah
·3 miesiące temu·discuss
giving meta a run for its money, esp when it was supposed to be the poster child for OSS models. deepseek is really overshadowing them rn
tcbrah
·4 miesiące temu·discuss
we've been complaining about curl | bash for like 15 years and yet here we are installing every new ai tool the exact same way lol. convenience always wins over security until it doesnt
tcbrah
·4 miesiące temu·discuss
love that "we removed the telemetry" is now a headline feature worth forking an entire project over. says a lot about where dev tooling is headed tbh
tcbrah
·4 miesiące temu·discuss
tbh the fact that they put copilot in the snipping tool tells you everything about how those decisions were being made lol
tcbrah
·4 miesiące temu·discuss
tbh the real issue isnt even prompt injection its that people give these agents full wallet access and then act suprised when they get drained lol
tcbrah
·4 miesiące temu·discuss
lol the 2025 "ai is just my pairing buddy" to 2026 "ai writes all my code" pipeline is speedrunning at this point
tcbrah
·4 miesiące temu·discuss
fair point, but there's a difference between maintaining a CLI you own vs depending on a third party to maintain a wrapper around an API you could call directly. not to mention the mcp protocol is fairly nascent whereas CLIs are much more battle-tested
tcbrah
·4 miesiące temu·discuss
the "77% cost reduction" number is doing a lot of heavy lifting here when the real play is getting your whole agent stack on cloudflare so switching costs go thru the roof lol
tcbrah
·4 miesiące temu·discuss
the fact that github still renders Private Use Area codepoints as whitespace instead of flagging them is wild tbh. like we've known about this vector since 2024 and npm/github just shrugged
tcbrah
·4 miesiące temu·discuss
tbh you can already tell whos using chatgpt to write their emails at work, everyone sounds like the same middle manager now. the homogenization isnt coming its already here
tcbrah
·4 miesiące temu·discuss
the maintenance burden is the real MCP killer nobody talks about. your agent needs github? now you depend on some npm package wrapping an API that already had good docs. i just shell out to gh cli and curl - when the API changes, the agent reads updated docs and adapts. with MCP you wait on a middleman to update a wrapper.

tptacek nailed it - once agents run bash, MCP is overhead. the security argument is weird too, it shipped without auth and now claims security as chief benefit. chroot jails and scoped tokens solved this decades ago.

only place MCP wins is oauth flows for non-technical users who will never open a terminal. for dev tooling? just write better CLIs.
tcbrah
·4 miesiące temu·discuss
ill take that as a compliment, my writing finally passed the turing test
tcbrah
·4 miesiące temu·discuss
the wildest part is algolia just not responding. you email them saying "hey 39 of your customers have admin keys in their frontend" and they ghost you? thats way worse than the keys themselves imo. like the whole point of docsearch is they manage the crawling FOR you, but then the "run your own crawler" docs basically hand you a footgun with zero guardrails. they could just... not issue admin-scoped keys through that flow
tcbrah
·4 miesiące temu·discuss
genuine question - what are you working on that needs that level of privacy? outside of NSFW stuff most API providers arent doing anything with your prompts
tcbrah
·4 miesiące temu·discuss
tbh i stopped caring about "can i run X locally" a while ago. for anything where quality matters (scripting, code, complex reasoning) the local models are just not there yet compared to API. where local shines is specific narrow tasks - TTS, embeddings, whisper for STT, stuff like that. trying to run a 70b model at 3 tok/s on your gaming GPU when you could just hit an API for like $0.002/req feels like a weird flex IMO
tcbrah
·4 miesiące temu·discuss
the confirm screen showing the actual command is lowkey the best part. i use ffmpeg daily for video assembly (concat demuxer + xfade + zoompan for ken burns) and honestly the only reason i got decent at it was reading the commands that other wrappers were generating under the hood. most ffmpeg GUIs hide that from you which defeats the purpose IMO - you end up dependent on the tool forever instead of actually learning the flags
tcbrah
·4 miesiące temu·discuss
the data leak is bad but the write access to system prompts is what keeps me up at night. they could silently rewrite how Lilli responds to 43k consultants with a single UPDATE statement - no deploy, no code review, no logs. imagine poisoning the strategic advice that gets copy pasted into client deliverables. tbh most companies i see doing AI stuff store prompts the exact same way, just rows in postgres right next to everything else
tcbrah
·4 miesiące temu·discuss
because the incentive structure is broken. if my performance review rewards me for using AI more, im going to use AI more even when i shouldn't. engineers will rubber stamp AI suggestions to hit their metrics instead of actually reviewing the code. you cant optimize for quantity of AI usage and quality of output at the same time IMO
tcbrah
·4 miesiące temu·discuss
nice, fal is solid. whats the pricing like compared to calling the model APIs directly?

lots of people are asking for my script so i'm open sourcing it fairly soon (openslop.ai if you want to get notified). currently integrating with runware, elevenlabs, cartesia, kling, runwayML but will look into integrating with fal too. would you be open to connecting to helping with integration with fal?