HackerLangs
TopNewTrendsCommentsPastAskShowJobs

eranation

4,995 karmajoined 14 năm trước
Co-Founder and CTO at arnica.io

My opinions are my own

Harden your package managers and protect yourself from supply chain attacks (no dependencies, MIT):

- https://depsguard.com - https://github.com/arnica/depsguard

Socials: - linkedin.com/in/eranmedan - x.com/eranmedan

Submissions

Show HN: DepsGuard – One command to harden NPM/pnpm/yarn/bun/uv configs

github.com
40 points·by eranation·tháng trước·7 comments

Ask HN: Why aren't more people worried about AI impersonation in code reviews?

2 points·by eranation·2 tháng trước·1 comments

A friend got fired from Coinbase for his side project he worked on for 5 years

nexustrade.io
11 points·by eranation·3 tháng trước·8 comments

Mindfulness, Programming, and the Mistake I Made

yonatanmedan.github.io
3 points·by eranation·3 tháng trước·0 comments

comments

eranation
·Hôm kia·discuss
Nicely done. A shuffle letters button would be nice.
eranation
·14 ngày trước·discuss
https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headline...
eranation
·17 ngày trước·discuss
Put aside whether this was justified or not, or the potential Streisand effect or PR damage (or vice versa). What signal is this sending to the young Google engineer who wants to build the next Gmail? Even if this violated every internal policy, firing someone who created something that people actually want is sending a very disturbing message (internally and externally).

Also, is this somehow relate to Addy Osmani’s recent departure from Google? (Was it in sympathy, was it a retaliation as this was “the tweet that got OP fired”?)
eranation
·20 ngày trước·discuss
LLMs diverge, not converge. They slightly increase entropy if not controlled. While you can have DRY skills and use AI to organize AI (in loops(tm) like Boris does) but eventually if you don’t understand the code, you are taking yourself out of the loop. And not just the job security that’s on the line, it’s the increasing cost for AI to babysit AI. If you or your “loops” (or paperclip, Hermes, gastown, or next in class agents of agents that runs your entire company) let it gradually sneak in slop-debt, the cost to fix it later will become prohibitive. (You can always just rewrite it, but as the race for “feature complete” and “zero backlog” continues, rewriting an ever growing set of new daily table stakes will become an economical moat)

TLDR: Keeping your codebase human readable and reason-about-able is not just helping humans to stay relevant. It will save costs for LLMs to maintain it.
eranation
·23 ngày trước·discuss
Copying my other reply.

> Interesting. I'm mostly using Claude, so perhaps I'm not nearing the limits, but I do use Codex (for coding and reviews occasionally) and use chatgpt for second opinion many times, including "pro" research. Never got to my limits. But again, not my main go to tool.
eranation
·23 ngày trước·discuss
Interesting. I'm mostly using Claude, so perhaps I'm not nearing the limits, but I do use Codex (for coding and reviews occasionally) and use chatgpt for second opinion many times, including "pro" research. Never got to my limits. But again, not my main go to tool.
eranation
·23 ngày trước·discuss
Is this surprising to anyone? I thought that was a given. I'm getting de-facto unlimited use of a model more expensive than Opus 4.8 for $20 a month.
eranation
·24 ngày trước·discuss
Been in this rabbit hole since JWT shipped. As others have mentioned, cookies have their own risks, you're now juggling both XSS and CSRF, and the CSRF defenses (SameSite, tokens) do nothing against XSS since that's a same-origin attacker.

Just to clarify, httpOnly/sameSite isn't useless under XSS the way localStorage is. XSS can't read a httpOnly cookie, so it can't exfiltrate the credential, it can only perform the attack during the session from the victim's browser. A JWT in localStorage can be reused offline for its entire lifetime. Also worth separating: localStorage is the exposure, not JWT. Just please for the love of all that's good and pretty, don't store a JWT in a httpOnly cookie.
eranation
·24 ngày trước·discuss
Great idea! Just quick feedback. Asked it to “Draw a pelican riding a bicycle.”

On mobile the response (not a technical diagram) wasn’t visible, initially thought it just didn’t work).

Asked it then to draw a diagram for an X replacement, it nailed it.
eranation
·25 ngày trước·discuss
Still do. Composer 2.5 is a beast. But even with Opus (and Fable for a few days) their harness is many times faster. The main reason for me to use CC is the $200 subsidized pro max plan.

Also their computer use in the cloud agents (when it works) is a game changer. No need to keep your laptop open / get a Mac mini if it runs in the cloud.
eranation
·25 ngày trước·discuss
Should be fixed now, thanks again!
eranation
·26 ngày trước·discuss
Good catch. I'm sure there could be more technical inaccuracies in the talk, but again, this is for entertainment purposes I assume, not education.
eranation
·27 ngày trước·discuss
Surprised no one mentioned this is the guy who brought us this masterpiece. If you haven’t seen it, drop everything and watch it, best 5 minutes of your day guaranteed.

https://www.destroyallsoftware.com/talks/wat
eranation
·27 ngày trước·discuss
Interesting point. Just a small correction, the Anthropic stake is higher. ($13B + another $20B option if they hit certain milestones, which I believe is almost guaranteed)

So it's closer to $33B

In any case, there is no reason for them to purposefully hurt Anthropic.

I would say that this government "takedown" of Mythos is great free advertising. I mean, if you look at this, they said it's too risky to launch, we all said it's pure marketing, and now when it's actually "banned" for being too risky, we laugh at the "Karma", where in fact, the majority of people who are not in our circles, see it as "wow, they were not kidding".

The overall result is net gain in brand awareness to Anthropic, before an IPO, I think if we had 2 parallel universes with or without this ban, the one with is a much higher IPO outcome for Anthropic than the other.

And again, I think this all needs to be taken with Occam's razor and bit of Hanlon's razor (without going into politics, the technical savviness of this administration is not the thing it's most famous for)
eranation
·27 ngày trước·discuss
Just a small correction, Bezos is not Amazon CEO anymore. They meant Andy Jassy.
eranation
·27 ngày trước·discuss
Just to put things in the right perspective to those who are not aware, Amazon heavily invests in Anthropic [0] and AWS is a partner on project Glasswing (Select companies that used Mythos to find critical vulnerabilities in major open source and critical infrastructure) [1]

So I don't think there is anything sinister here, I would use Hanlon's razor [2] here...

[0] https://www.anthropic.com/news/anthropic-amazon-compute

[1] https://aws.amazon.com/blogs/security/building-ai-defenses-a...

[2] https://en.wikipedia.org/wiki/Hanlon%27s_razor
eranation
·27 ngày trước·discuss
Amazon invests in Anthropic, and has partnership with them on AWS Bedrock.

https://www.anthropic.com/news/anthropic-amazon-compute
eranation
·27 ngày trước·discuss
Thanks for having a security policy

https://github.com/Paca-AI/paca/security

However I'm getting a 404

https://github.com/Paca-AI/paca/security/advisories/new

(You need to enable private security advisories: https://docs.github.com/en/code-security/how-tos/report-and-..., really not sure why GitHub made it opt-in only)
eranation
·28 ngày trước·discuss
Still works for me but I don't know if it's gaslighting me or not... fool me once situation here...
eranation
·28 ngày trước·discuss
Asking contributors to first make sure there is an approved requirement before creating a PR sounds like a great idea regardless of the use of LLM.

But another issue is - AI disclosure (agent, model etc). I'm sure others tried similar approaches, but in case this is not common knowledge - I tried to see what happens if you ask agents to disclose themselves in the PR description / comments in a rule file.

It seems to work pretty well as most AI "assisted" PRs will be opened by agents using the gh cli or MCP on behalf of the user. (Of course this can be bypassed, but for someone who doesn't mind disclosing or doesn't care, this is a good step forward)

Example: https://github.com/arnica/depsguard/blob/main/AGENTS.md#ai-d...

(so far worked on PRs from both Claude Code and Codex - both got a footer disclosure of the agent name and model)