seethishat's comments

I saw something very similar a few months ago. It was a web app vibe coded by a surgeon. It worked, but they did not have an index.html file in the root web directory and they would routinely zip up all of the source code (which contained all the database connection strings, API credentials, AWS credentials, etc.) and place the backup in the root web directory. They would also dump the database to that folder (for backup). So web browsers that went to https://example.com/ could see and download all the backups.

The quick fix was a simple, empty index.html file (or setting the -Indexes option in the apache config). The surgeon had no idea what this meant or why it was important. And the AI bots didn't either.

The odd part of this to me was that the AI had made good choices (strong password hashes, reasonable DB schema, etc.) and the app itself worked well. Honestly, it was impressive. But at the same time, they made some very basic deployment/security mistakes that were trivial. They just needed a bit of guidance from an experienced devops security guy to make it Internet worthy, but no one bothered to do that.

Edit: I do not recommend backing up web apps on the web server itself. That's another basic mistake. But they (or the AI) decided to do that and no one with experience was consulted.


interesting, so the ai got the hard stuff right. password hashing, schema design, fine. it fumbled the stuff that isn't really "coding" knowledge, feels more like an operational intuition? backup folder sitting in web root isn't a security question, it's a "have you ever been burned before" question, and surgeon hadn't. so they didn't ask and the model didn't cover it, imo that's the actual pattern. the model secures exactly what you ask about and has no way of knowing what you didn't think to ask. an experienced dev brings a whole graveyard of past mistakes into every project. vibe coders bring the prompt

The competence profile of any LLM-based AI is extremely spiky - whether it does a particular task well or not is pretty independent of the (subjective) difficulty of the task. This is very different from our experience with humans.

This is what I’m noticing. At my workplace, we have 3 or 4 non-devs “writing” code. One was trying to integrate their application with the UPS API.

They got the application right, and began stumbling with the integration - created a developer account, got the API key, but in place of the application's URL, they had input “localhost:5345” and couldn’t get that to work, so they gave up. They never asked the tech team what was wrong, never figured out that they needed to host the application. Some of the fundamental computer literacy is the missing piece here.

I think (maybe hopeful) people will either level up to the point where they understand that stuff, or they will just give up. Also possible that the tools get good enough to explain that stuff, so they don’t have to. But tech is wide and deep and not having an understanding of the basic systems is… IMO making it a non-starter for certain things.


Maybe this is what's missing in the prompt? We've learned years ago to tell the AI they're the expert principal 100x software developer ninja, but maybe we should also honestly disclose our own level of expertise in the task.

A simple "I'm a professional surgeon, but sadly know nothing about making software" would definitely make the conversation play out differently. How? Needs to be seen. But in an idealized scenario (which could easily become real if models are trained for it), the model would coach the (self-stated) non-expert users on the topics it would ordinarily assume the (implicitly self-stated) expert already knows.


The fix is to not let users download the credentials. In fact, ideally the web server wouldn't have access to files containing credentials, it would handle serving and caching static content and offloading requests for dynamic content to the web application's code.

Disabling auto-indexing just makes it harder to spot the issue. (To clarify, also not a bad idea in principle, just not _the_ solution.) If the file is still there and can be downloaded, that's strictly something which should not be possible in the first place.
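The two points above (a backup folder reachable from the document root, and the reply that turning off directory listing is not the fix) as an added audit script. This is my example, not code from either commenter. It assumes an Apache httpd deployment; the risky file-name patterns, the two config snippets, and the temporary document root it builds are all constructed for illustration.

```python
import os
import re
import tempfile

# Constructed list of file-name shapes that should never be reachable from a
# document root: source archives, DB dumps, env files, keys, editor backups.
RISKY_PATTERNS = (
    r".*\.(zip|tar|tgz|tar\.gz|7z|rar)$",
    r".*\.(sql|sql\.gz|dump|bak|old|orig)$",
    r"^\.env(\..*)?$",
    r".*\.(pem|key|p12|pfx)$",
)

# Constructed Apache snippets: the listing-only "fix" versus an explicit deny.
WEAK_CONFIG = r"""
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
"""

HARDENED_CONFIG = r"""
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>
# Listing off is not enough: deny the artifacts themselves.
<FilesMatch "(?i)\.(zip|tar|tgz|gz|7z|sql|dump|bak|old|orig|pem|key)$|^\.env">
    Require all denied
</FilesMatch>
"""

def find_exposed_artifacts(webroot):
    """Root-relative paths under webroot whose names look like backups,
    dumps or credential files (sorted, so results are stable)."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if any(re.match(p, name, re.IGNORECASE) for p in RISKY_PATTERNS):
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)

def audit_apache_config(config_text):
    """Line-oriented scan of an Apache snippet (ignores Directory scoping,
    a deliberate simplification). Returns (indexes_enabled, deny_patterns),
    where deny_patterns are FilesMatch regexes carrying 'Require all denied'."""
    indexes_enabled = False
    deny_patterns = []
    current_filesmatch = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("options"):
            for tok in line.split()[1:]:
                if tok.lstrip("+").lower() == "indexes":
                    indexes_enabled = True
                elif tok.lower() == "-indexes":
                    indexes_enabled = False
        m = re.match(r'<FilesMatch\s+"(.+)">$', line, re.IGNORECASE)
        if m:
            current_filesmatch = m.group(1)
        elif line.lower() == "</filesmatch>":
            current_filesmatch = None
        elif current_filesmatch and line.lower() == "require all denied":
            deny_patterns.append(current_filesmatch)
    return indexes_enabled, deny_patterns

def still_reachable(exposed, deny_patterns):
    """Exposed files that no deny rule matches, i.e. still downloadable."""
    return [f for f in exposed
            if not any(re.search(p, os.path.basename(f)) for p in deny_patterns)]

def audit(webroot, config_text):
    """Combine the file scan and the config scan into one report."""
    exposed = find_exposed_artifacts(webroot)
    indexes_enabled, deny_patterns = audit_apache_config(config_text)
    return {
        "has_index_html": os.path.exists(os.path.join(webroot, "index.html")),
        "indexes_enabled": indexes_enabled,
        "exposed": exposed,
        "still_reachable": still_reachable(exposed, deny_patterns),
    }

def build_sample_webroot():
    """Constructed document root mirroring the thread: no index.html, a source
    zip, a database dump and a .env file dropped next to the site assets."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "assets"))
    for rel in ("backup-2024.zip", "db.sql", ".env", os.path.join("assets", "logo.png")):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("constructed placeholder content\n")
    return root

if __name__ == "__main__":
    sample = build_sample_webroot()
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(sample, cfg))
```

Both configs report the same three exposed files; only the hardened one leaves `still_reachable` empty, which is the reply's point: listing off hides the problem, the deny rule closes it. The better state, where `exposed` itself is empty because backups and credentials never sit in the served tree, is what the reply argues for and what this script would show as a clean report.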


Agent-Native DevOps tools are probably necessary. There should be no reason they would do it manually.

How I see it happening: agents like CC have built-in skills for deployment and use building blocks from either AWS or other simpler providers. Payment through OAuth and seamless checkout.

This should be standardised.


A lot of dumb criminals seem to carry smart phones. The irony.

Probably, but these are people who are being charged for political "crimes" brought mostly because the government doesn't think people have a right to protest. While it's unsurprising that the citizen who discharged their weapon was tried for this, most of the other folks were just doing run-of-the-mill protest stuff.

I also get that in Texas they are fine "criminalizing" protesting, but that's just part of its hyper-authoritarian "charm", and a lot of us don't think that protesting in itself should be criminal.


The person whose Signal notifications were extracted, Lynette Sharp, was not the one who shot a cop in the neck, no. The reason she pleaded guilty to “providing material support to terrorists” is that she helped the shooter get away afterward and gave him a disguise; he remained on the lam for ten days.

They are part of a larger direct action group.

The major difference, here, is this is intended for multiple users (not one person). Imagine 5,000 users all using the device at the same time. The amount of memory, open file handles, network connections, etc. for many users at once adds up.


The IBM mainframe that I used at UIC in the 80s had 64 MEGA bytes of RAM and about double the users.


We knew 30 years ago that message attachments (mostly email at that time) were a huge security problem. All those binary file types to parse... what could go wrong ;)

It's good to see Apple's Lockdown mode having such success by simply disabling message attachments.


I know you're not being serious, but for anyone who may not realize that, it does more than disabling attachments. Lockdown Mode's "optional, extreme" protection substantially changes the experience of using your device. https://support.apple.com/en-us/105120


One would hope there would be some sanitization of attachments to prevent this.

I also wish there was a regular option in iOS Messages to disable link previews.


There's a ton of sanitization of attachments. It just isn't foolproof.

On iOS messages attachments are decoded in a separate, heavily restricted and sandboxed process, and the decoded sanitized results are sent back to the UI process. It just isn't perfect.


Apple (and Google fwiw) do in fact have impressive hardening around their parsers.


If the main concern is preventing an LLM from taking some action (sending emails, text messages, adding calendar events or making phone calls), can't you just simply not allow the LLM to do that? Don't give it access.

It's not rocket science. If the LLM has no access to do those things, then it can't be tricked into doing those things.


But you want it to be useful and do things.
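The "don't give it access" position two comments up, together with the "but you want it to do things" reply, as one added example of capability-scoped tool dispatch for an LLM assistant. This is my illustration, not code from either commenter or from any real assistant product; the tool names, the two session profiles, and the constructed model outputs are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Tool:
    name: str
    side_effect: bool               # acts on the world: send, create, call
    fn: Callable[..., str]

# Constructed tool implementations: stubs that only return strings.
def read_inbox(query: str) -> str:
    return f"[inbox results for {query!r}]"

def read_calendar(day: str) -> str:
    return f"[events on {day}]"

def send_email(to: str, body: str) -> str:
    return f"[sent to {to}]"

def add_calendar_event(title: str, when: str) -> str:
    return f"[created {title!r} at {when}]"

ALL_TOOLS: Dict[str, Tool] = {t.name: t for t in (
    Tool("read_inbox", False, read_inbox),
    Tool("read_calendar", False, read_calendar),
    Tool("send_email", True, send_email),
    Tool("add_calendar_event", True, add_calendar_event),
)}

class ToolRouter:
    """Binds an explicit allow-list of tools to one session. A tool that is not
    bound is never advertised to the model and cannot be dispatched, so
    instructions smuggled into untrusted content cannot reach it. Bound
    side-effecting tools additionally need the `confirm` callback to say yes."""

    def __init__(self, allowed: List[str],
                 confirm: Optional[Callable[[str, dict], bool]] = None):
        unknown = set(allowed) - ALL_TOOLS.keys()
        if unknown:
            raise ValueError(f"unknown tools: {sorted(unknown)}")
        self.tools = {n: ALL_TOOLS[n] for n in allowed}
        self.confirm = confirm or (lambda name, args: False)
        self.audit: List[Tuple[str, str]] = []

    def schema_for_model(self) -> List[str]:
        """Only these names are ever shown to the model."""
        return sorted(self.tools)

    def dispatch(self, model_output: str) -> str:
        """Handle one tool call the model emitted as JSON {"tool": ..., "args": {...}}."""
        try:
            call = json.loads(model_output)
            name, args = str(call["tool"]), dict(call.get("args") or {})
        except (ValueError, KeyError, TypeError):
            self.audit.append(("malformed", "?"))
            return "error: malformed tool call"
        tool = self.tools.get(name)
        if tool is None:
            self.audit.append(("denied", name))
            return f"error: tool {name!r} is not available in this session"
        if tool.side_effect and not self.confirm(name, args):
            self.audit.append(("held", name))
            return f"held: {name!r} has side effects and was not confirmed"
        try:
            result = tool.fn(**args)
        except TypeError as exc:            # wrong or missing arguments from the model
            self.audit.append(("bad_args", name))
            return f"error: bad arguments for {name!r}: {exc}"
        self.audit.append(("allowed", name))
        return result

def read_only_assistant() -> ToolRouter:
    """Profile for 'don't give it access': reading is bound, acting is absent."""
    return ToolRouter(allowed=["read_inbox", "read_calendar"])

def full_assistant(confirm: Callable[[str, dict], bool]) -> ToolRouter:
    """Profile for 'you want it to do things': acting tools are bound but gated."""
    return ToolRouter(allowed=list(ALL_TOOLS), confirm=confirm)

# Constructed model outputs. The second is what a model might emit after
# untrusted content it read asked it to send mail somewhere.
BENIGN_CALL = json.dumps({"tool": "read_calendar", "args": {"day": "2026-03-01"}})
INJECTED_CALL = json.dumps({"tool": "send_email",
                            "args": {"to": "someone@example.com", "body": "..."}})

if __name__ == "__main__":
    ro = read_only_assistant()
    print(ro.schema_for_model(), ro.dispatch(BENIGN_CALL), ro.dispatch(INJECTED_CALL))
    full = full_assistant(confirm=lambda name, args: False)
    print(full.dispatch(INJECTED_CALL), full.audit)
```

The read-only profile is the strongest version of the point: the model's tool schema does not even contain `send_email`, so a tricked model has nothing to call. The full profile keeps the assistant useful while routing every side-effecting call through a user confirmation, and the audit list is what a detection team would log and review.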


Don't carry them with you. I'm old and I can tell you from experience... you can live life without holding a cellphone all the time. It's not as hard as you think.


> ... I'm old ... you can live life without holding a cellphone all the time. It's not as hard as you think.

I'm in my 50s and I don't know where this stance comes from. Sure, you physically can in the same sense that anywhere can be walked to if you're willing to walk long enough. But so many businesses and services have gone "mobile-first" or "mobile-only" to the point that if you're traveling for leisure you're doing extra work on your vacation, and if you're traveling for business you're wasting time that could be used doing your job. Just as a first order, the denizens of every airline subreddit will tell you that the most useful tool during a trip is the airline's mobile app and that's either tied with or just above or below the Flighty app if anything goes wrong.

Combine that with QR codes for everything from menus to parking, public transit tickets and fare cards that can be easily loaded into a phone instead of using a ticket machine made when we were kids, or paper maps increasingly hard to find if they're available at all, and you're looking at a real challenge. How are you going to talk to and plan with your travel partner or colleagues with payphones removed?

It's also not incumbent upon us to make the government's life easier by making our lives harder. "Just leave your phone at home" is ludicrous behavior to expect when it's the government being the intrusive jerks.


And Google Translate or Google Maps, if you are traveling, are very nice to have.

Sure, you can do without them, but it will be much more difficult.


I don’t have a phone

Sure it’s inconvenient sometimes, but on the whole I’d say my life is better than those I see glued to their phones.

This belief is reinforced whenever people ask for my number (dentist, doctor, whatever). The gusto with which they invariably reply “OMG I WISH I could get rid of my phone!”


Because only those two extremes exist: you either don't have a phone, or you are glued to it?


Of course not, I said nothing of the sort.

I said I’d prefer to not have a phone than be like people who are glued to their phones. I said nothing about all the people in the middle.


So do you give your doctor your landline's number, and this is why they're surprised, or you don't even have that?


They're probably being nice and think you're a weirdo.

I don't btw. I admire you sticking to your principles.


In all fairness, I am a weirdo and wouldn’t have it any other way.


How often do you travel outside of the country or even outside of your state?


I’m not American. I travel a lot. It’s how I make money.


Then the question still remains - how do you catch an Uber or communicate with people when you don’t speak their language?


Smiles, hand signals, learn basic words.

Exactly the same way I did when I drove across dozens of countries before the iPhone was invented.


I assure you your experience was a lot less deep than mine now that I’m in a country where I don’t speak the language well for six weeks.

And how are you getting around without Uber now that taxis are basically dead?

And why be a Luddite when it comes to phones and not computers? Cars?


What kind of phone does your grownup have?


Zing.

We’ve both been exploring the world since long before smartphones were invented. So we still do everything we want the same as always.


Do you really recommend people travel internationally in 2026 without a cellphone? I’m kind of bewildered by this suggestion. As someone who has to go between LATAM and US frequently, I have no choice but to bring my cellphone.


I went to Thailand for three weeks in November. I didn’t bring a phone or a laptop. I printed my maps, reservations, and emergency numbers. It was awesome. Don’t lock yourself into imaginary prisons.


I don't bring phones either. I go straight to the nearest mall/bazaar/market and buy one. Anyplace developed enough that you need a phone has them for sale. Anyplace where you can't find a phone has enough other people without them you can still get around. The phone gets trashed before I go through the next international border.


IMHO today it is difficult to do anything without a smartphone. I hate the state of affairs, but it is just so. Anything needs an app to work. Public services in some countries require it. Paying, etc.

But when traveling it is almost essential. GPS to navigate, search for hotels, places to eat, take photos… yes, you could carry many devices… but seriously?! Ah btw… what about being in touch with family?


Do you remember a time people did all those things without a phone?

I’ve driven across multiple continents and many dozens of countries without a phone or gps.

Talking to locals to ask directions is half the fun, especially when I don’t speak the language. I’ve been invited to parties, weddings and more because of it.


> Talking to locals to ask directions is half the fun, especially when I don’t speak the language.

I can absolutely understand that you and many people love that. But maybe you can understand other people prefer to never feel lost, be able to translate signs, find places to eat easily, discover “must see”[1] things, take photos, be in contact with family, all in a device which weighs 200g in my pocket. Even having it, I can still forget about it and talk with locals… but when I want to go back to the hotel, it is nice to know exactly how[2]

I am old enough that I did travel without a cell phone:

[1] it happened to me many times (at least 3 off the top of my head) that locals have no idea where a museum is, or the house of X, or other things that tourists may find interesting, but locals don’t give a shit

[2] if you have been in places like Turkey or South America, you may know that taking a taxi is an interesting exercise. Sometimes they charge you wrong, sometimes they take you for a 20km ride. Having (a) GPS, (b) a means to call the police, (c) a means to check online what the trip should cost, and (d) a translator in your pocket seems very convenient to me.

Or in other words: do you understand that now, having the phone, you can still do everything as you used to, asking for directions without understanding, talking with people, all of it, but now when you want you have a super tool? The best is: it is smaller than a photo camera from those days, can take 100,000 more photos, and has 20 more functions!

People used to live without electricity, fridges, email… so? Why should I not use what is available today?


By no means was I suggesting that everyone should live without a phone. Merely that I prefer life without one. Yes, it's inconvenient sometimes, but I decided a long time ago that convenience was not the goal of my life, experiences are.

To have the experiences I want, I need more time. To have more time, I need to go to work less. So spending less money means I get to spend time with my daughter, go snowboarding, have adventures around the globe.

It turns out not having a phone is another great way to save money, and go to work less.


>It's not as hard as you think.

You're probably right, still...

I often wonder how I survived going for a random drive or even simply leaving the house from 1980 through to the advent of smart phones. Was I simply more brave and self-sufficient back then?

But then I note that there was some infrastructure and also some attitude differences back then that don't exist now.

When my car would break down in the 1980s or 1990s, typically there would be a pay phone nearby. One time in the early 90s, I just knocked on a random door and the resident let me use their land line to call a tow truck (I'm not sure anyone would let a random stranger into their home now, but maybe they still do). Breaking down in the boonies was no fun, but likely someone would come by eventually and help (or murder you, but probably help).

I was reminded recently of this when I went to park in the city in a garage that I frequently patronize only to find they had removed the payment terminal, which was replaced by a sign that said "use our app!". I have a low-data phone plan, so if I had to install their app, I would probably blow past my limit for the month. Also, there was no signal in the garage. So I just left and found another place to park (and was almost late for my appointment).

Also I don't like having to pay just to print my boarding pass at the check-in kiosk. Maybe I am not less brave but just more cheap.


> Was I simply more brave and self-sufficient back then?

Probably! A good reason to exercise those skills again.

> (I'm not sure anyone would let a random stranger into their home now, but maybe they still do).

Curious what makes you think that. Perhaps as an exercise, do something that requires asking a favour of someone. You might be pleasantly surprised. Despite all the ills in society, faith can be restored by some amazing interactions with people offline.

> So I just left and found another place to park

That's exactly the right response. Being late sucked but hopefully just a one-off.

> Maybe I am not less brave but just more cheap.

This is honestly unsaid in a lot of these discussions! The non phone methods can be a bit more expensive. It's a good point but sometimes the difference isn't huge


The problem is that it actually gets harder. I was a holdout against cell phones when I was young. Eventually payphones started disappearing. Pre-cellphone they were everywhere. By the time I finally caved and got a cellphone I knew where there still were some in important spots around Chicago. Plus you ran into changing norms. Before cell phones people would schedule a meetup (let's meet at noon in this square then go do what we were going to do) but after cell phones it became, "just call me when you get close."

I then tried to resist smart phones and stick with my nokia. But then you start to get into things like, the kiosk where they would print your boarding pass doesn't do that anymore. You need a QR code on your phone. You can't call places anymore, you need to do it on their website, etc.

Now the government is starting to treat a lack of social media or technology as a reason for suspicion. In the not-too-distant future I imagine it will not be possible to go to an airport without a smart phone and a digital history known to Palantir.


I've done a fair bit of domestic (USA) flying over the last six months and when flights are spontaneously cancelled for weather/staffing/crew timeouts/random apocalyptic actions, a phone has been priceless in getting quickly rebooked and out of the trouble zone. Even if that means cancelling the flight and buying a ticket on a different airline (looking at you, AA)

You do not want to spend an hour in the customer service line to find out that all open seats on the next flight out were scooped up 59 minutes ago.


I'm sad we've just accepted that no useful staff at the airport is an acceptable state of affairs.

They're full of outsourced agents whose contracts are very specific and don't include things like assisting customers during IRROPS, as I understand it. Or they have their hands tied by the airlines.

I'd like government intervention now that the free market has failed - there is almost no choice you can make that offers real customer service


There are physical staff at airports, but you can't have 40 agents standing around at each counter waiting for the next disaster to arrive and help with rebooking. So you hire two per counter. But that means when something comes up, everyone is stuck in line for hours to get help face-to-face.


I didn't say there is no staff. I said "useful staff" and then clarified I meant staff empowered to help during IRROPS. But I appreciate this is about the US and most of my experience is in Europe. I guess things aren't so bad in the US?

In my experience in Europe, there are very very few staff who can help, except at major hubs. Even then, if you've not got high status, you won't get much help.

> but you can't have 40 agents standing around at each counter waiting for the next disaster to arrive and help with rebooking

That is the exact excuse they used to reduce the empowered agents to 0


Or, if you want to have one with you, leave your regular cell phone at home (or ship it ahead to your destination via parcel carrier) and carry a burner/travel-only phone instead. Don't put any personal data on that phone. Not even contact numbers. Carry those in printed form separately.


We really need some straightforward way to carry a mostly-wiped phone, and then download an app, input credentials [0] (stored in your head), and have everything [1] downloaded from a cloud server and ready to go.

[0] since I'm spelling this out, one of those credentials should be a passphrase such that the server doesn't have access to your data

[1] modulo data/apps you actually want on a phone in a foreign country, of course


Interesting idea. But, in your vision, what would be the main difference between this approach and actually wiping your device, installing just some basic apps you need during the travel (e.g. the airline's app for the boarding pass and flight info) and then restoring from your cloud backup at the end of the flight? The main difference I see is that Apple/Google wouldn't have access to your data, but this only makes sense if you're not using their services to start with.


You just reinvented iCloud - welcome to 2011.


Does iCloud not blast you with a bunch of "2FA" hassles the way Google does? That passwords are no longer complete account credentials makes this approach a non-starter, unless you want to come up with some protocol with a trusted person who stays home (with access to your account) and can perform those verification steps for you.

Even so I would still be worried about the nonstandard behavior of activating a new device in a foreign country causing my Apple/Google account to get straight up locked by their arbitrary and capricious "security" systems.


Passkeys are stored in your Apple Keychain. I don’t think you have to go through 2FA if you use a Passkey with Google.

I can throw my iPhone in the ocean, go to the nearest cell phone store/Apple Store and log into my Apple account and you won’t be able to tell the difference between my old phone and new phone - all apps, data, icon positions, passwords, photos, settings, bookmarks, history, messages etc will be restored


I don't really know how Passkeys or Apple Keychain works. But regardless I would think there has to be some other step to go from merely knowing a password to being able to access a cloud account (which includes the Keychain), no?

Are you saying that you can throw your phone in the ocean, have access to no other devices (including a SIM card), obtain a new phone, input your email+password, and reliably have that new phone onboarded? Because it certainly doesn't work that way in Android+GApps land from everything I've experienced - rather there is always a step where at the very least you have to authenticate using another logged-in session or email challenge.


That’s exactly what I’m saying. It’s worked that way since 2011.

If you go into the Apple Store or your carrier, they hand you a new phone, you log in to your iCloud account and it asks you which backup you want to use if you have multiple backups. You might these days have to enter your passcode from your old device.

You or they call your carrier or depending on your carrier you can register your e-sim directly from your phone.


Well it's certainly not that way in Android+GApps land, which is why I wrote my original comment.


> It's not as hard as you think.

International travel is infinitely more difficult without a cell phone.

When I was younger and international roaming was expensive I travelled internationally without a phone. It’s possible, but it’s so much easier to do it with a phone. Later when I finally stopped being a cheap student and bought a data plan my trips were so much more efficient because I wasn’t losing so much time trying to figure everything out without a phone.

For international business trips, devices are mandatory. This isn’t even an option.


And then you look like an undercover officer running a sting operation for Uber drivers (https://youtu.be/LqwJFuntco4?t=150).


The last time I didn’t have a cell phone with me in my pocket was 1995.

But how in 2026 when I travel am I going to get directions? Get an Uber? I am in a Spanish speaking country right now and I speak some Spanish. But it really is convenient just to take my cell phone out and translate.

What is your next piece of wisdom? That I also don’t need a computer with 16GB RAM because my first computer had 128KB?

Oh and I also don’t need the web because back in my day Gopher and Usenet were good enough


Maybe the world needs a virtual phone in the cloud which you access with a browser from a dumb device.


This is where boomer stereotypes come from.

> the government is overreaching

> "well back in my day we used to walk uphill both ways!"


Some older people don't hear well so they talk louder due to that. It's not that they intend to be loud, it's just they don't hear as well as younger people do. Many vets also having hearing loss due to service related injuries. So next time you hear someone talking loud... remember that.


Yeah, in my open space office there's an old guy that talks in Teams calls all day like he learned to whisper in a helicopter, and me and others complained to management about him disturbing everyone trying to focus on our work, and boss said "he's deaf, what do you want us to do about it, give him a private office?" and my answer in my head was "no, but have you heard of this wild idea called WFH where people can't disturb others or get disturbed by others talking too loud? Crazy idea, right?"


I love OpenBSD for similar reasons, except, I still run it as my primary desktop and on an old Chromebook. It just works. No drama with updates. Upgrade every six months. I'd be lost without it.


i plan to run netbsd on my chromebook do you have a good manual? or how to?


Large well-regarded CS schools still have 'systems' and other traditional CS specializations. I would encourage looking at those programs.

Experience is still needed too. You can't just blindly trust AI outputs. So, my advice is to get experience in an old-fashioned CS program and by writing your own side projects, contributing to open source projects, etc.


> Experience is still needed too. You can't just blindly trust AI outputs. So, my advice is to get experience in an old-fashioned CS program and by writing your own side projects, contributing to open source projects, etc.

The issue is you can't blindly trust humans either, and increasingly you're better off asking an AI than a human.


What is "systems"? What do "systems engineer" people do?


Drivers, kernels, firmwares, low-level networking, the likes. Some higher-level infrastructure, like compilers, interpreters, runtime systems (Qt/Glib-like code).

I'm not sure where the question comes from? The divide between systems and app programming is almost as old as coding itself; it's not some distinction without difference - it's the difference between writing a TypeScript microservice for handling CRUD on some tables versus contributing to the TypeScript compiler, Node runtime (eg. uv), and PostgreSQL query planner.

Both kinds of programming are needed; both require specific (diverging in places) skills to do well. FWIW, I don't think systems programming is any safer (maybe a little bit) from AI than making apps, but the distinction between the two kinds of programming is real.


I don't think parent was questioning it; it sounded like they were more curious. But thanks for explaining, because I wasn't sure myself.

Re: safe from LLMs, I'd imagine the level of rigor in sys engineering is higher, so maybe people are more wary of LLM-produced code?


I'm not sure. You'd have to define "level of rigor". TypeScript has a vastly more expressive type system than C, for example, so given their respective prevalence in their domains, you could easily say that coding apps nowadays is actually more rigorous. There's Rust, but somehow people write lots of apps in it. And so on.

I don't think systems programming is inherently harder than writing apps. You deal with different sets of problems (users stubbornly misusing your UI vs. hardware vendors notoriously lying in the manuals; hundreds of dependencies vs. endemic NIH syndrome; etc.), but coding is, for the most part, the same thing everywhere. IME, the "level of rigor" (as in "kinds and pervasiveness of actions taken to ensure correctness") depends much more on actual people or organizations than on the domain.


You're probably talking about cases when systems engineers develop apps. In my experience, when app developers develop apps, it's a mess.


IMO people should eat more fiber. A lot more fiber. It cleans the gut, the liver, absorbs cholesterol, slows insulin response and makes you feel full longer. The microbes in our guts need it to function.

Rather than jumping from one fad diet to another, just eat what you like and be sure to get a lot of fiber each day.


Agreed, but I think the mechanism relates to different microbes. If there are two microbes in your gut, and type A requires a dose of high-calorie, low-fiber food coming down the pipe every day, and type B is not able to reproduce as fast as type A but is able to live on high-fiber food, this tells you two things:

type A cannot have been living in humans thousands of years ago, but type B might have

type A benefits from making your brain worse at choosing healthy foods, and type B does not

Which kind would you rather have in your gut?


To do this, eat stuff that grows and is not further processed.


Don't be simplistic. Mold on old bread grows and is natural, yet you should not eat it all day.


> you should not eat it all day

How sure are we about this? How certain are we that those specific species of mold have a net negative effect, rather than a net positive (like for example mushrooms)? Penicillium grows on stale foods and I doubt eating it would have a net negative effect.


>I doubt eating it would have a net negative effect.

Feel free to eat it.

"Penicillium Species and Their Associated Mycotoxins" - https://pubmed.ncbi.nlm.nih.gov/27924532/


Mushrooms have mycotoxins too. And red meat is a carcinogen. And predator fish have plenty of heavy metals. And the list goes on and on. Yet we eat all those things. Hence the "net positive".


Let me also introduce you to the new kid on the block, the resistant starch: https://www.youtube.com/watch?v=U6IcMW5Khh4


The post is about a scientific study and your response is your opinion with nothing else to back it up?


they IMO are trying to help by giving good ideas to keep a healthy gut. Add that to the study and at least to me, it's a nice idea.

btw people, do drink water to keep up with the fiber. Otherwise it might not help.


Roughly what I follow. I pour chia seeds into everything I eat. Also: edamame, goji berries, green peas. Etc etc. My particular motivation is 1) health, but 2) I lift quite a bit and try to get as much protein from food as possible.


> eat what you like and be sure to get a lot of fiber each day

Sure sounds like another fad diet.


> Sure sounds like another fad diet.

Yeah! A fad lasting millions of years of human evolution, however.


The fad lasting millions of years is "eat what you can get, what is fibre?"


Advocates of practically every fad diet claim so.


This has been the recommendation for general health for as long as I have been alive. Fiber is really important and there are plenty of easy healthy options that are cheap, unlike the astroturfed beef checkoff primal diet


The charitable interpretation is "just eat more fiber, regardless of the rest"

