HackerTrans
TopNewTrendsCommentsPastAskShowJobs

caleblloyd

no profile record

Submissions

Show HN: CargoWall – eBPF Firewall for GitHub Actions

github.com
14 points·by caleblloyd·4 месяца назад·2 comments

comments

caleblloyd
·в прошлом месяце·discuss
I recently switched off Max flat rate to Enterprise API pricing and I went from 200/mo to 10k/mo with the same usage pattern on Opus. They don’t offer flat rate to enterprises.

So Fable would cost me 20k/mo at Enterprise rates. That’s around the average cost of a loaded SWE in the USA. “But I’m >2x more productive” doesn’t justify doubling the opex of the Software/IT department for most companies when revenue isn’t even up 10%.

I switched to DeepSeek v4 Pro with OpenCode and am on track for a few hundred dollars of spend this month.

Rewriting your stack from Ruby to Go in 2 days where it would’ve taken 6 months is impressive and fun. But that isn’t upping revenue.

Iterating on net new business features and ideas that are niche that the LLM isn’t trained for are much harder. Is 20x the token cost worth it there?
caleblloyd
·8 месяцев назад·discuss
Sure, but say the implementation lets you try 5 codes in that 10 minutes with a 30 minute lockout. An attacker could trigger Account Recovery, blindly try 5 six-digit codes immediately, and have a 0.0005% chance getting into your account.

They could script this to run over a long period of time targeting 1 account, or they could target many accounts at once, and would probably have success.
caleblloyd
·8 месяцев назад·discuss
I used Ory Kratos in a Go application a couple years ago by installing it as a dependency. It worked pretty well but in hindsight I would have hosted it as a separate application because it was a pain to bring along all of its dependencies.

One of my biggest complaints was that one of the Account Recovery flows was just an emailed 6-digit code. So a 1 in 1 million chance that somebody without access to any of your stuff could hack you by just hitting reset and guessing "123456". It's actually surprising how many other Account Recovery flows across the web I have noticed recently that do the same thing. Not sure if Ory has added the option for more entropy in this code as of today's release though it's been a while since I've used it.

Otherwise it was a great project to work with that has tons of knobs to customize. I commend the authors, aeneasr especially. It must be a ton of work to keep up with all of the auth standards and offer this in an Apache2 licensed package all while building a business around it as well!
caleblloyd
·9 месяцев назад·discuss
I sometimes dream of what it would have looked like to become a doctor (or PA or similar) instead of choosing Software. Mainly the allure of interacting with and helping more people.

This young person sounds like they are motivated enough to succeed at any study they put their mind to. Of course many companies will deny a young person employment based on age, just like they would deny them employment based on a lack of a formal degree.

But one day you turn 25, you are the right age, and you have the right degree. Then the praises for saving the company 70% on their cloud computing costs stop, and the same managers start asking you to work the weekend to fix other people’s code. And if you oblige, the burnout will become as real as a Doctor’s burnout, I imagine.
caleblloyd
·11 месяцев назад·discuss
I still like AWS all these years later. It’s trusted in the enterprise and you can empower people to do what they need to themselves with IAM. And it’s pretty reliable.
caleblloyd
·11 месяцев назад·discuss
Flash removal broke multiple government sites. I couldn't take a required training course for a few months after flash support was removed and the site was taken offline for an upgrade.

I’m sure ActiveX and Silverlight removal did too. And iframes not sharing cross domain cookies. And HTTP mixed content warnings. I get it, some of these are not web specs, but some were much more popular than XSLT is now.

The government will do what they do best, hire a contractor to update the site to something more modern. Where it will sit unchanged until that spec too is removed, some years from now.
caleblloyd
·11 месяцев назад·discuss
I don’t quite understand the part of the article that deems that you can skip all the checks under the assumption that this is an older browser, and that there is no CSRF vulnerability.

The algorithm seems sane for modern browsers. But you could probably find an outdated browser - older Android device WebView would be common -where the whole thing breaks down.

So I think tokens can be a thing of the past for modern browsers. I like the middleware, I hope it does show up in ASP.NET proper soon. My guess is they’ll keep tokens middleware around alongside it for some time once it does though, and the decision on which to use will come down to whether or not you want to make sure older browsers are secure.
caleblloyd
·11 месяцев назад·discuss
I am the Product/Eng Lead and a Co-founder of a company formed ~1 year ago building AI-native developer tooling for Platform Engineers. Have been able to iterate very quickly through PoC phases and get initial feedback on ideas quicker. For features that make it into production code, we do have to spend some time re-working them with more formal architectures to remove "AI slop" but we are also able to try more things out to figure out what to move forward, so I feel like it is a net gain.

Part of "AI-native" means being able to really focus on how we can improve our Product to lessen upfront burden on users and increase time-to-value. For the first time in a while, I feel like there is more skill needed in building an app than just doing MVC + REST + Validation + Form Building. We focus on the minimum data needed for each form upfront from our users, then stream things like Titles, Icons, Descriptions, etc in a progressive manner to reduce form filling burden on our users.

I've been able to hire and mentor Engineers at a quicker pace than in the past. We have a mix of newer and seasoned Engineers. The newer Engineers seem to be learning far quicker with focused mentoring on how to effectively prompt AI for code discovery, scaffolding, and writing tests. Seasoned Engineers are able to work across the stack to understand and contribute to dependencies outside of their main focus because it's easier to understand the codebase and work across languages/frameworks.

AI in development has proven useful for some things, but thoughtful architecture with skilled personnel driving always seems to get the best results. Our vision from our product is the same, we want it to be a force multiplier for skilled Platform Engineers.
caleblloyd
·12 месяцев назад·discuss
We may just get this, along with a $7.25 per hour base wage!
caleblloyd
·12 месяцев назад·discuss
The reason we are not seeing this in mainstream software may also be due to cost. Paying for tokens on every interaction means paying to use the app. Upfront development may actually be cheaper, but the incremental cost per interaction could cost much more in the long term, especially if the software is used frequently and has a long lifetime.

As the cost of tokens goes down, or commodity hardware can handle running models capable of driving these interactions, we may start to see these UIs emerge.
caleblloyd
·12 месяцев назад·discuss
Been using gRPC with json transcoding to REST on a greenfield project. All auto generated clients across 3 languages. Added frontend wrapper to pre-flight auth requests so it can dynamically display what users are allowed to do.

Claude Code has been an absolute beast when I tell it to study examples of existing APIs and create new ones, ignoring bringing any generated code into context.
caleblloyd
·12 месяцев назад·discuss
I agree. My experience is that regularly scheduled 1:1s without an agenda seem to turn into therapy sessions for a surprising amount of people. I like doing ad-hoc 1:1s with specific agendas though, such as pair programming or an architecture session for an issue an Engineer is starting to work on.
caleblloyd
·12 месяцев назад·discuss
Yes. Any language that dynamically links to the OS crypto library (like OpenSSL) is more attractive because your Government customer can install your software on their OS with their FIPS compliant OS crypto library.

This moves the needle for Go but you still need to cut a FIPS version of your software since this crypto is still statically linked. I like this option quite a bit if the Government customers get on board with it.

There are some Go forks maintained by Microsoft and RedHat I believe that do dynamic linking for crypto which requires CGO.
caleblloyd
·в прошлом году·discuss
The same way they handle it when a vandal does it to a random car at a Walmart parking lot. Nothing at all until one day the manufacturers put sentry mode on every car instead of just Teslas.
caleblloyd
·в прошлом году·discuss
Amen! NATS is how we do AI streaming! JetStream subject per thread with an ordered consumer on the client.
caleblloyd
·в прошлом году·discuss
Some may. If it allows you to skip learning how to navigate a complex web app because the AI experience will help navigate for you, you may be drawn to it.
caleblloyd
·в прошлом году·discuss
It wasn’t a joke, but I do see your point. US subsidies for EVs are massive as well. I guess I just hadn’t dug into the numbers. Now I’m not sure who gives more subsidies, the US or China.

The federal tax credit in the US is much higher than the Chinese equivalent it appears. But the factory and R&D subsidies are much harder to compute.
caleblloyd
·в прошлом году·discuss
Another (possibly bigger) reason cars are cheaper in China is because their government subsidizes the heck out of BYD and the likes. It would be like if Tesla didn’t have to pay anything to build their factories.
caleblloyd
·в прошлом году·discuss
Signed by mostly people at RedHat, which is owned by IBM, which makes Watson, which beat humans in Jeopardy in 2011.

> These are early days of AI-assisted software development.

Are they? Or is this just IBM destroying another acquisition slowly.

Meanwhile the Dotnet Runtime is fully embracing AI. Which people on the outside may laugh at but you have extremely talented engineers like Stephen Toub and David Fowler advocating for it.

So enterprises: next time you have an IBM rep trying to sell you AI services, do yourself a favor and go to any other number of companies out there who are actually serious about helping you build for the future.

And since I am a North Carolina native, here’s to hoping IBM and RedHat get their stuff together.
caleblloyd
·в прошлом году·discuss
Awesome! Only a little over a billion more to go before GitHub’s very own OpenAPI Spec can start overflowing int32 on repositories too, just like it already does for workflows run IDs!

https://github.com/github/rest-api-description/issues/4511