Another thing is that it kind of instills a false confidence. Reviewers are getting lazy when the LLM gives a ‘LGTM’ and letting stuff through that bites us in the ass…
Yep, seen this.
Also, each iteration saying “ok, all problems are now addressed, the check should be fine, but running it just in case” (generates even more build errors than before). Rinse and repeat until my token quota is exhausted and I just code the good old fashioned way, no skin off my back. And I’m doing a ‘good job’ with utilization, despite having burned most of my quota on a failure that got thrown away.
Which is a stupid mindset.
“Go forth and burn tokens and your performance will be measured on that”
Looks like I’m going to make a for to ask for a for every word in /usr/share/dict/words. Look at all the tokens I burned.
It doesn’t reflect upon business value, performance, or education.
It’s even worse than the disastrous lines of code metric.
Their problem is they have no idea what to expect, so to signal affinity to hype, they just measure tokens.
Of course, this argument is a pretty piss poor one when the example held up is Musk…
His first jolt was selling a website to a relatively clueless Compaq that did nothing with it except throw money at Elon. No idea if Elon’s site was any good or not, but it didn’t matter because the reality is that it folded without an enduring impact as part of the dot-com collapse. He used his winnings to try to make X.com the first time, and was a comparative failure next to PayPal, which, somehow, agreed to merge and put him in charge and he almost tanked it. Then eBay bought it out and Musk got a maddening amount of money for doing nothing but screw it up.
Tesla is probably the first example of him not actively screwing it up, though his drama around “I wanna call myself a founder” was dumb. That said, any investor could have done it, so his ‘value’ was his lottery-like wins leading to that point.
There are others that are arguable, though recently had it happen where someone kept giving out names of impressive and seemingly valuable ‘billionaires’, and we kept checking and every last one were ‘only’ millionaires. So it seems like ‘billionaire’ remains a stupidly over the top concept that isn’t particularly redeemable, with the defensibly decent folks staying under a billion through not being super greedy and/or philanthropy.
jj4211@lemmy.world to No Stupid Questions@lemmy.world • What character is the king of plot armor?
6 · 9 days ago
Daniel Jackson
He may die a fair bit, but he won’t stay dead for long.
jj4211@lemmy.world to Comic Strips@lemmy.world • The totally hypothetical button thought experiment
2 · 13 days ago
Though the chance someone other than you dies from you taking a shit is pretty far fetched, and I’m not liking having to try to conceive of how that happens.
But a lot of activities are this way. Getting on a ladder in public could kill someone, just breathing around other people could kill someone, etc etc.
But what about monster HDMI cables?
jj4211@lemmy.world to Comic Strips@lemmy.world • The totally hypothetical button thought experiment
24 · 14 days ago
Well, driving to work is basically that. Non zero chance someone dies.
my pp gets hard
The way a lot of them are, they probably wish it still did that.
Sometimes it just doesn’t pan out.
Had a junior dev that basically decided he would rather try to grift through instead of doing the job. Never seen someone work so hard at trying not to work at all. Every day it was a different excuse, a different other person to point to as to why he didn’t even try to do anything that day. I think at least 7 or 8 of his grandmothers died during his tenure. And management ate it up.
Until one day he lost track of things and blamed the manager asking him why things weren’t done. Said the manager never sent him some material and of course the manager had. Suddenly the manager believed the rest of us who had been saying he was lying for the last many months…
The key was he was cheap and was in theory supposed to be as good as a higher paid alternative, so management would have to admit to being wrong to ditch him…
Yep, evolution always ends in crabs.
If you are already there, why bother?
jj4211@lemmy.world to Selfhosted@lemmy.world • Serious Linux vulnerability affecting nearly every system. Patch your systems. • English
4 · 27 days ago
Note that could prove you have it, but failure to execute does not prove yourself secure.
For example, someone reported to me that their RHEL9 system was not vulnerable based on this result. But it was because python was 3.9 and didn’t have os.splice, so the demonstrator failed, but the actual issue was there.
Similarly, if ‘/usr/bin/su’ isn’t exactly there (maybe it’s in /bin/su, or in /sbin/su, or /usr/sbin/su, or not there at all), the demonstrator will fail, but the kernel may still have the vulnerability, you just have to select a different victim utility (or change the cache for some other data other than an executable for other effects).
jj4211@lemmy.world to Selfhosted@lemmy.world • Serious Linux vulnerability affecting nearly every system. Patch your systems. • English
2 · 27 days ago
Looking at the binary blob, it’s a payload to assume privileges as possible and exec sh. So replace su with that and the binary gets to use su’s filesystem privileges without needing access to actually write it.
The vulnerability part is when the door opens to replace any file’s read cache with arbitrary content. The binary payload is just an obvious example of the sort of payload that could do a ton of damage.
jj4211@lemmy.world to Selfhosted@lemmy.world • Serious Linux vulnerability affecting nearly every system. Patch your systems. • English
51 · 27 days ago
Note that this is a rather narrow view of the scope of things.
Yes, the demonstrator is a python script that opens up ‘su’ and uses splice+this vulnerability to change it to ‘just assume all privileges and become sh’.
However, it’s that any process in any namespace can leverage a certain socket type and splice to effectively modify any filesystem content they want. It’s easy to see how this could be part of a chained attack to, for example, replace a protected service that is firewalled off with a shell. An RCE in a service permits rewriting nginx in an entirely different container and replaces it with a shell backend of your choosing.
That ‘flatpak’ application on your single user system that is guarded from touching your files that aren’t related? That isolation doesn’t mean anything if this issue is in play.
In terms of shared systems, while it should be avoided if possible, practically speaking there’s a lot of shared resources.
I don’t get why I’ve seen so many people saying “ehh, no big deal, privilege escalation is just a fact of life”.
Nah, the producers of human slop are ecstatic because now they can just prompt up their slop and post something for engagement, before they had to at least put in a modicum of effort to make their slop. It would take at least as long to make the human slop as a human would take to view it, now they can get output with even less than the effort the human wastes seeing it.
The slop flood gates are open.
jj4211@lemmy.world to Selfhosted@lemmy.world • I've Got 'Night Of The Living Dead' On My Homelab Server • English
5 · 1 month ago
Zombie processes do not use resources, well, a little, it’s basically an entry describing how it exited.
The parent process is the thing keeping the zombie entry open. Killing its parent should work if they bother you.
jj4211@lemmy.world to Linux@lemmy.ml • Framework announced the Framework 13 Pro with full Linux compatibility from the Start
4 · 1 month ago
Don’t have a Framework, but I think it’s due to the whole ‘modern standby’ approach where the firmware doesn’t implement ‘standby’ anymore and just lets the OS put everything into as low power state as possible, component by component.
It doesn’t work well for Windows either, which is why a Windows laptop I have will ‘standby’ for maybe 15 minutes before shutting itself down for ‘hibernate’. I figure they decided that NVMe means resume from hibernate is ‘good enough’ and modern standby is such a power hog that they can’t pull it off.
Problem in Linux is that they view SecureBoot as a promise they cannot keep if they resume from disk, so they block hibernate if SecureBoot is enabled, making it hard to bank on as a reliable recourse.
Better in almost every single respect.
Photo printing is about the only thing I say I haven’t seen laser do, but the people in my family that appreciated printed photos over screens we would just order them printed to their local Walgreens instead of trying to mail them prints anyway. Don’t do that anymore either as they passed away some years back.


Guy at work proposed AI workflow enhancements…
His whole idea was to take a workflow and just replace a few roles…
Developer becomes “AI developer agent”
Reviewer becomes “AI reviewer agent”
Tester becomes “AI code testing agent”
Rinse and repeat until the only block that was human was “Marketing Engineer”. Guess what department the guy worked in…