Hacker News | Lionga's comments

It would have been. Ten times the amount at least.

For a reflected XSS? Tell me who is paying that much for such a relatively common bug...

To elaborate, to exploit this you have to convince your target to open a specially crafted link which would look very suspect. The most realistic way to exploit would be to send a shortened link and hope they click on it, that they are logged into discord.com when they do (most people use the app), that there are no other security measures (HttpOnly cookies), etc.

No real way to use this to compromise a large number of users without more complex means


It isn't about the commonality of the bug, but the level of access it gets you on the type or massive scale of the target. This bug on your blog? Who cares. This bug on Discord or AWS? Much more attractive and lucrative.

Yes, but this is not a particularly high access level bug.

Depending on the target, it's possible that the most damage you could do with this bug is a phishing attack where the user is presented a fake sign-in form (on a sketchy url)

I think $4k is a fair amount, I've done hackerone bounties too and we got less than that years ago for a twitter reflected xss


Why would that be the maximum damage? This XSS is particularly dangerous because you are running your script on the same domain where the user is logged in, so you can pretty much do anything you want under his session.

In addition this is widespread. It's golden for any attacker.


Because modern cookie directives and browser configs neuter a lot of the worst XSS outcomes/easiest exploit paths. I would expect all the big sites to be setting them, though I guess you never know.
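The two positions above (a reflected script runs inside the victim's origin; cookie flags blunt the worst outcomes) are both illustrated by the following added example, which is not code from the thread, from Discord, or from the reported bug. It shows a reflected-XSS sink next to its escaped form, and a small Set-Cookie audit for the flags that matter. The payload, the cookie header, and the `/api/account` path are constructed for the example. Note the caveat in the comments: `HttpOnly` stops `document.cookie` from reading the session, but a script running on the same origin can still call authenticated endpoints because the browser attaches the cookie to same-origin requests by itself.

```javascript
// Added example (not from the thread): a reflected-XSS sink, its hardened form,
// and a Set-Cookie flag audit. Runs stand-alone under Node.

// Minimal HTML escaper covering the characters that matter in element and
// double/single-quoted attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the search term from the URL is reflected into the page verbatim,
// so <script> in the query string becomes a script tag in the response.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: every untrusted value is escaped for the HTML context it lands in.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Audit one Set-Cookie header for the flags that limit what injected script or a
// cross-site request can do with the session. HttpOnly blocks document.cookie;
// it does NOT stop same-origin fetch()/XHR from sending the cookie automatically,
// which is why an XSS on the logged-in origin can still act as the user.
function auditSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const name = parts[0].split('=')[0];
  const attrs = new Map(
    parts.slice(1).map((p) => {
      const idx = p.indexOf('=');
      const key = (idx === -1 ? p : p.slice(0, idx)).toLowerCase();
      const value = idx === -1 ? true : p.slice(idx + 1);
      return [key, value];
    }),
  );
  const problems = [];
  if (!attrs.has('httponly')) problems.push('missing HttpOnly (document.cookie can read it)');
  if (!attrs.has('secure')) problems.push('missing Secure (sent over plain HTTP)');
  const sameSite = attrs.get('samesite');
  if (!sameSite || String(sameSite).toLowerCase() === 'none') {
    problems.push('SameSite not Lax/Strict (sent on cross-site requests)');
  }
  return { name, problems };
}

// Constructed inputs for illustration. The payload calls a hypothetical
// same-origin API with the session cookie attached; HttpOnly does not prevent this.
const PAYLOAD = '<script>fetch("/api/account",{credentials:"include"})</script>';
const GOOD_SESSION_COOKIE = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';
const BAD_SESSION_COOKIE = 'session=abc123; Path=/';

console.log('vulnerable:', renderSearchVulnerable(PAYLOAD));
console.log('hardened:  ', renderSearchSafe(PAYLOAD));
console.log('cookie audit (good):', auditSetCookie(GOOD_SESSION_COOKIE));
console.log('cookie audit (bad): ', auditSetCookie(BAD_SESSION_COOKIE));
```

The escaper only covers HTML element and quoted-attribute contexts; a value reflected into a JavaScript string, a URL, or an unquoted attribute needs the encoder for that context instead.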

I would not be that confident as you can see: on their first example, they show Discord and the XSS code is directly executed on Discord.com under the logged-in account (some people actually use web version of Discord to chat, or sign-in on the website for whatever reason).

If you have a high-value target, it is a great opportunity to use such exploits, even for single shots (it would likely not be detected anyway since it's a drop in the ocean of requests).

Spreading it on the whole internet is not a good strategy, but for 4000 USD, being able to target a few users is a great value.

Besides XSS, phishing has its own opportunity.

Example: Coinbase is affected too, though on the docs subdomain, and there is 2-step, so you cannot do transactions directly, but if you just replace the content with a "Sign-in to Coinbase / Follow this documentation procedure / Download update", this can get very very profitable.

Someone would pay 4000 USD to receive 500'000 USD back in stolen bitcoins.

Still, purely with executing things under the user sessions there are interesting things to do.


> some people actually use web version of Discord to chat, or sign-in on the website for whatever reason

Besides this security blunder on Discord’s part, I can see only upsides to using a browser version rather than an Electron desktop app. Especially given how prone Discord are to data mining their users, it seems foolish to let them out of the web sandbox and into your system


Again, here you have not so much sold a vulnerability as you have planned a heist. I agree, preemptively: you can get a lot of money from a well-executed heist!

Do you want to execute actions as a logged-in user on high-value website XXX?

If yes -> very useful


Nobody is disputing that a wide variety of vulnerabilities are "useful", only that there's no market for most of them. I'd still urgently fix an XSS.

There is a market outside Zerodium, it's Telegram. Finding a buyer takes time and trust, but it definitely has a higher value than 4k USD because of its real-world impact, no matter if it is technically lower on the CVSS scores.

Really? Tell me a story about someone selling an XSS vulnerability on Telegram.

("The CVSS chart"?)

Moments later

Why do people keep bringing up "Zerodium" as if it's a thing?


I understand your perspective about the technical value of an exploit, but I disagree with the concept that technical value = market value.

There are unorganized buyers who may be interested if they see potential to weaponize it.

In reality, if you want to maximize revenue, yes, you need to organize your own heist (if that's what you meant)


Do you know this or do you just think it should be true?

> understand your perspective about the technical value of an exploit

Going out on the world’s sturdiest limb and saying u/tptacek knows the technical and trading sides of exploits. (Read his bio.)


AIUI this feature is SSS, not XSS, so XSS protections don't apply.

How would you make money from this? Most likely via phishing. Not exactly a zero-click RCE.

What happens in all these discussions is that we stealthily transition from "selling a vulnerability" to "planning a heist", and you can tell yourself any kind of story about planning a heist.

Also the XSS exploit would have been dead in the water for any sites using CSP headers. Coinbase certainly uses CSP. With this in place an XSS vuln can't inject arbitrary JS.
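Whether a CSP actually stops an injected inline script depends on what the `script-src` directive says, so here is an added example (not from the thread and not any site's real policy) that parses a policy string and decides whether an inline `<script>` would execute under it. It encodes the rule browsers apply: once `script-src` lists any nonce or hash source, `'unsafe-inline'` is ignored, so an injected tag without a valid nonce is blocked; a policy that still relies on `'unsafe-inline'`, or that has no script restriction at all, gives no protection. Hash sources are treated as never matching the injected script (no hashing is performed), and the nonce value is constructed for the example. The caveat a practitioner should keep in mind: a strict policy on the main origin says nothing about a docs subdomain served with a different or missing header.

```javascript
// Added example (not from the thread): evaluate whether a Content-Security-Policy
// header would let an injected inline <script> run. Runs stand-alone under Node.

// Parse "directive src src; directive src ..." into a Map of directive -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Return true if an inline <script> carrying `scriptNonce` (may be undefined)
// executes under `policy`. script-src falls back to default-src when absent.
// Per CSP, any nonce or hash source in the list disables 'unsafe-inline'.
// Hash sources are assumed not to match an attacker-injected script.
function inlineScriptAllowed(policy, scriptNonce) {
  const d = parseCsp(policy);
  const sources = d.get('script-src') || d.get('default-src');
  if (!sources) return true; // no directive restricts scripts at all

  const nonces = sources
    .filter((s) => /^'nonce-[^']+'$/i.test(s))
    .map((s) => s.slice(7, -1)); // strip leading 'nonce- and trailing quote
  const hasHash = sources.some((s) => /^'sha(256|384|512)-[^']+'$/i.test(s));

  if (scriptNonce !== undefined && nonces.includes(scriptNonce)) return true;
  if (nonces.length > 0 || hasHash) return false; // 'unsafe-inline' is ignored here
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// A strict, nonce-based policy as a server would emit it per response.
// 'strict-dynamic' lets nonce-approved scripts load further scripts;
// object-src/base-uri 'none' close the common bypasses via plugins and <base>.
function buildStrictCsp(nonce) {
  return `default-src 'self'; script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`;
}

// Constructed policies for illustration.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT_CSP = buildStrictCsp('r4nd0mN0nc3'); // nonce value is made up

console.log('weak policy, injected script runs:  ', inlineScriptAllowed(WEAK_CSP));
console.log('strict policy, injected script runs:', inlineScriptAllowed(STRICT_CSP));
console.log('strict policy, nonced script runs:  ', inlineScriptAllowed(STRICT_CSP, 'r4nd0mN0nc3'));
```

The checker only answers the inline-injection question; a policy that allows loading scripts from a broad host list can still be bypassed through a JSONP endpoint or another gadget on an allowed origin, which is why the nonce plus `'strict-dynamic'` shape is preferred over host allowlists.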

I don't like tptacek, but it's insane to not back up this comment with any amount of evidence or at least explanation. The guy knows his shit.

Hey I was wrong about Apple downthread.

Angry Scam Altman noises who "made" 20 Billion by spending 100 Billion

Dario Amodei claimed "AI will replace 90% of developers within 6 months" about a year ago. Still they are just losing money and probably will be forever while just producing more slop code that needs even more devs to fix it.

Good job AI fanboys and girls. You will be remembered when this fake hype is over.


I'm more of a doomsayer than a fanboy. But I think it's more like "AI will replace 50% of your juniors and 25% of your seniors and perhaps 50% of your do-nothing middle managers", and that's a fairly large number anyway.

100% in the doomers camp now, wish I could be as optimistic as these people who think AI is all hype but the last few weeks it's starting to finally be more productive to use these tools and I feel like this will be a short little window where the stuff I'm typing in and the review of what's coming out is still worth my salary.

I don't really see why anywhere near the number of great jobs this industry has had will be justifiable in a year. The only comfort is all the other industries will be facing the same issue so accommodations will have to be made.


The other industries are shielded by legislation, unions and many more. Those that aren’t and do not involve physical work are the first to fall.

Damn it that I’m only 40+ so I still need to work more or less 15 years even when we live frugally.


I wouldn't be surprised if it is only software and creative jobs that die. Whilst I still find it expensive to buy a house, get food, and the grunt work will still need labor.

What that means for society where there are extremely rich people who own resources and capital, and everyone else is only valued for their dexterity and physical labor (vs skills) I can only guess.

I do think the AI labs have potentially unleashed a society changing technology that ironically penalizes meritocracy and/or intelligence by making it less scarce. The jobs left will be the ones people avoided for a reason (health, risk, etc)


Stripe has become shitty for big and small players over the years. Small guys get screwed and just plain scammed, big players just get pushed and pushed into higher fees. Have seen it in many projects as a freelancer.

You can maybe use them for a quick prototype because the APIs/SDK just work well, but for anything serious look for alternatives.


When OpenAI Marketing Material is actually showing how far Gemini3 is ahead...


It goes the other way too. It's hard to imagine a {EU,German,whatever} institution releasing a scientific study that directly contradicts the administration's viewpoints out of fear of reprisal via loss of funding or even shakedowns.


This is specific to the Trump administration. Previous administrations actually took critique and updated policies and advice based on the critique.


Nonsensical whataboutism.



After waiting 5 minutes, the only feedback I got was "You would've gotten a better answer with Phind Pro. Upgrade to unlock multiple rounds of searching for better answers -- automatically. Upgrade to Phind Plus, Pro, or Ultra to continue researching in depth!"

Not a single thing was actually shown or built. Astonishing what kind of crapware gets funded by YC if they slap AI on the application


Hey to be fair getting on the front page of HN floods a site with traffic and that’s even harder for an AI app. Just wait a bit and it will likely be fine.

Congrats on the launch and keep up the great work.


Hi, sorry about that -- we are receiving an HN traffic "hug" spike right now and I'm working on getting that fixed ASAP.


It shows up, but like most of AI Slop it is not working. As the commenter said


Dario Amodei gives off strong Adam Neumann vibes. He claimed "AI will replace 90% of developers within 6 months" about a year ago...


It was "writing 90% of the code", which seems to be pretty accurate, if not conservative, for those keeping up with the latest tools.


> which seems to be pretty accurate

It's not, even by his own citing: https://www.youtube.com/watch?v=iWs71LtxpTE

He said that this applies to "many teams" rather than "uniformly across the whole company".


Yes, those using the tools use the tools, but I don't really see those developers absolutely outpacing the rest of developers who do it the old fashioned way still.


I think you're definitely right, for the moment. I've been forcing myself to use/learn the tools almost exclusively for the past 3-4 months and I was definitely not seeing any big wins early on, but improvement (of my skills and the tools) has been steady and positive, and right now I'd say I'm ahead of where I was the old-fashioned way, but on an uneven basis. Some things I'm probably still behind on, others I'm way ahead. My workflow is also evolving and my output is of higher quality (especially tests/docs). A year from now I'll be shocked if doing nearly anything without some kind of augmented tooling doesn't feel tremendously slow and/or low-quality.


it’s wild that engineers need months or years to properly learn programming languages but dismiss AI tooling after one bad interaction


I think inertia and determinism play roles here. If you invest months in learning an established programming language, it's not likely to change much during that time, nor in the months (and years) that follow. Your hard-earned knowledge is durable and easy to keep up to date.

In the AI coding and tooling space everything seems to be constantly changing: which models, what workflows, what tools are in favor are all in flux. My hesitancy to dive in and regularly include AI tooling in my own programming workflow is largely about that. I'd rather wait until the dust has settled some.


totally fair. I do think a lot of the learnings remain relevant (stuff I learned back in April is still roughly what I do now), and I am increasingly seeing people share the same learnings; tips & tricks that work and whatnot (i.e. I think we’re getting to the dust settling about now? maybe a few more months? definitely uneven distribution)

also FWIW I think healthy skepticism is great; but developers outright denying this technology will be useful going forward are in for a rude awakening IMO


Motivated reasoning combined with incomplete truths is the perfect recipe for this.

I kind of get it, especially if you are stuck on some shitty enterprise AI offering from 2024.

But overall it’s rather silly and immature.


That's not even close. The keyboard is writing 100% of my code. The keyboard is not replacing me anytime soon.


If you added up all the code written globally on Dec 3 2025, how much do you think was written by AI and how much was clacked out on a keyboard?


And 12 months later Anthropic is listing 200 open positions for humans: https://www.anthropic.com/jobs


Of course they are. The two things aren’t contradictory at all, in fact one strongly implies the other. If AI is writing 90% of your code, that means the total contribution of a developer is 10× the code they would write without AI. This means you get way more value per developer, so why wouldn’t you keep hiring developers?

This idea that “AI writes 90% of our code” means you don’t need developers seems to spring from a belief that there is a fixed amount of software to produce, so if AI is doing 90% of it then you only need 10% of the developers. So far, the world’s appetite for software is insatiable and every time we get more productive, we use the same amount of effort to build more software than before.

The point at which Anthropic will stop hiring developers is when AI meets or exceeds the capabilities of the best human developers. Then they can just buy more servers instead of hiring developers. But nobody is claiming AI is capable of that so far, so of course they are going to capitalise on their productivity gains by hiring more developers.


If AI is making developers (inside Anthropic or out) 10x more productive... where's all the software?

I'm not an LLM luddite, they are useful tools, but people with vested interests make a lot of claims that if they were true would result in a situation where we should already be seeing the signs of a giant software renaissance... and I just haven't seen that. Like, at all.

I see a lot more blogging and influencer peddling about how AI is going to change everything than I do any actual signs of AI changing much of anything.


How much software do you think happened at Google internally during its first 10 years of existence that never saw outside light? I imagine that they have a lot of internal projects that we have no idea they even need.


But this AI boom is supposedly lifting all boats, internal and external.

That's the hype being sold. So where's the software...?

And again, I'm not anti-LLM. But I still think the hype around them is far, far greater than their real impact.



Here's the claim again for you:

> AI will replace 90% of developers within 6 months


You said:

> The two things aren’t contradictory at all, in fact one strongly implies the other. If AI is writing 90% of your code, that means the total contribution of a developer is 10× the code they would write without AI. This means you get way more value per developer, so why wouldn’t you keep hiring developers?

Let's review the original claim:

> AI will replace 90% of developers within 6 months

Notice that the original claim does not say "developers will remain the same amount, they will just be 10x more effective". It says the opposite of what you claim it says. The word "replace" very clearly implies loss of job.


> Let's review the original claim:

> > AI will replace 90% of developers within 6 months

That’s not the original claim though; that’s a misrepresentative paraphrase of the original claim, which was that AI will be writing 90% of the code with a developer driving it.


Huh. You seem to be right. It seems I was responding to a comment which misquoted Dario.


that’s not what he claimed, just to be clear. I’m too lazy to look up the full quote but not lazy enough to not comment this is A) out of context B) mis-phrased as to entirely misconstrue the already taken-out-of-context quote

I think it was also back in March, not a year ago


https://www.businessinsider.com/anthropic-ceo-ai-90-percent-... (March 2025):

>"I think we will be there in three to six months, where AI is writing 90% of the code. And then, in 12 months, we may be in a world where AI is writing essentially all of the code," Amodei said at a Council of Foreign Relations event on Monday.

>Amodei said software developers would still have a role to play in the near term. This is because humans will have to feed the AI models with design features and conditions, he said.

>"But on the other hand, I think that eventually all those little islands will get picked off by AI systems. And then, we will eventually reach the point where the AIs can do everything that humans can. And I think that will happen in every industry," Amodei said.

I think it's a silly and poorly defined claim.


you’re once again cutting the quote short — after “all of the code” he has more to say that’s very important for understanding the context and avoiding this rage-bait BS we all love to engage in

edit: sorry you mostly included it paraphrased; it does a disservice (I understand it’s largely the media’s fault) to cut that full quote short though. I’m trying to specifically address someone claiming this person said 90% of developers would be replaced in a year over a year ago, which is beyond misleading

edit to put the full quote higher:

> "and in 12 months, we might be in a world where the ai is writing essentially all of the code. But the programmer still needs to specify what are the conditions of what you're doing. What is the overall design decision. How we collaborate with other code that has been written. How do we have some common sense with whether this is a secure design or an insecure design. So as long as there are these small pieces that a programmer has to do, then I think human productivity will actually be enhanced"


can you post the full quote then? He has posted what the rest of us read


I believe:

> "and in 12 months, we might be in a world where the ai is writing essentially all of the code. But the programmer still needs to specify what are the conditions of what you're doing. What is the overall design decision. How we collaborate with other code that has been written. How do we have some common sense with whether this is a secure design or an insecure design. So as long as there are these small pieces that a programmer has to do, then I think human productivity will actually be enhanced"

from https://www.youtube.com/live/esCSpbDPJik?si=kYt9oSD5bZxNE-Mn

(sorry have been responding quickly on my phone between things; misquotes like this annoy the fuck out of me)




uh it proves the original comment I responded to is extremely misleading (which is my only point here); CEO did not say 90% of developers would be replaced, at all


Is this the new 'next year is the year of the Linux desktop'?

