<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: mtlynch</title><link>https://news.ycombinator.com/user?id=mtlynch</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 15 May 2026 18:25:56 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=mtlynch" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by mtlynch in "Welcome to the Strip Mining Era of OSS Security"]]></title><description><![CDATA[
<p>> <i>Most are not serious, and we’ve quietly fixed them, thanked the researcher, and went our merry way... These come from a wide variety of locations and people, and sometimes, but not always, are looking for bug bounties.</i><p>I take it that Metabase is both not paying bug bounties and not using these tools internally?<p>If that's the case, Metabase is not going to get meaningful investment from researchers who want to fix issues, but they'll get increased attention from malicious attackers who have no qualms exploiting the vulnerabilities for profit.<p>LLMs have made it a <i>lot</i> easier for people to find vulnerabilities in software. Open-source makes it easier, but we already have non-AI tooling (IDA Pro, Ghidra) that's good at binary reverse engineering, and LLMs can use that output to find vulnerabilities as well.<p>This year, as I select products to use for sensitive data, I've been paying a lot more attention to whether they offer bug bounties and for how much. For example, I like Kagi for search and thought about trying Orion, their web browser. Then, I saw that Kagi's been paying $100 for UXSS vulnerabilities.[0] For comparison, Firefox pays $8-10k,[1] and Chrome pays up to $10k for the same class of bug.[2]<p>[0] <a href="https://help.kagi.com/kagi/privacy/bug-bounty-program.html" rel="nofollow">https://help.kagi.com/kagi/privacy/bug-bounty-program.html</a><p>[1] <a href="https://www.mozilla.org/en-US/security/client-bug-bounty/" rel="nofollow">https://www.mozilla.org/en-US/security/client-bug-bounty/</a><p>[2] <a href="https://bughunters.google.com/about/rules/chrome-friends/chrome-vulnerability-reward-program-rules" rel="nofollow">https://bughunters.google.com/about/rules/chrome-friends/chr...</a></p>
]]></description><pubDate>Fri, 15 May 2026 13:52:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=48148606</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=48148606</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48148606</guid></item><item><title><![CDATA[New comment by mtlynch in "An Introduction to Meshtastic"]]></title><description><![CDATA[
<p>Parent wrote a great blog post about this for anyone interested in the details:<p><a href="https://blog.noforeignland.com/off-grid-boat-communications-with-meshtastic/" rel="nofollow">https://blog.noforeignland.com/off-grid-boat-communications-...</a></p>
]]></description><pubDate>Sat, 09 May 2026 15:37:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48075818</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=48075818</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48075818</guid></item><item><title><![CDATA[New comment by mtlynch in "Securing a DoD Contractor: Finding a Multi-Tenant Authorization Vulnerability"]]></title><description><![CDATA[
<p>That would be even worse than our already bad system.<p>The system is already pretty bad because vendors underinvest in security, and then to fix it, researchers have to volunteer their time to investigate with no guarantee of payment. If the vendor could force researchers to hand over findings for free, nobody would want to do security research except hobbyists having fun. They're basically signing up for hours of tedious forced labor to explain vulnerabilities to the vendor.<p>I wish there was legislation that allowed the government to fine vendors for security vulnerabilities like this where the amount scales based on how much user data they leaked. And it could function like other whistleblower systems where a researcher who spots a leak can report it to the government and collect 50%. That way, if the vendor says, "We're not paying you," the researcher can turn around and collect the money from fines.</p>
]]></description><pubDate>Mon, 04 May 2026 19:50:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=48014025</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=48014025</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48014025</guid></item><item><title><![CDATA[New comment by mtlynch in "Talking to strangers at the gym"]]></title><description><![CDATA[
<p>Oh, I'm glad!<p>Yeah, I don't think you'll find it a red-pill kind of book at all. I know what you mean about books like <i>The 48 Laws of Power</i> feeling like the world is 100% zero sum, so everything is about dominating or outplaying people.<p><i>How to Win Friends and Influence People</i> is very much focused on win-win. There is an agenda to make friends and influence people, as you'd guess from the title, but the strategies are about taking a genuine interest in people and making them feel good.<p>It's almost 100 years old, so the style is kind of hokey, and only about half the advice resonated with me, but there are 3-4 lessons that had a major impact on me.</p>
]]></description><pubDate>Mon, 04 May 2026 14:37:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=48009347</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=48009347</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48009347</guid></item><item><title><![CDATA[New comment by mtlynch in "Talking to strangers at the gym"]]></title><description><![CDATA[
<p>One of the things I like about this is that OP is giving people genuine compliments without any particular agenda.<p>It reminds me of one of my favorite parts of <i>How to Win Friends and Influence People</i> by Dale Carnegie, where he tells a story about complimenting someone, and a student asks what he was hoping to gain from offering the compliment. Carnegie is incensed:<p>> <i>I was waiting in line to register a letter in the Post Office at Thirty-Third Street and Eighth Avenue in New York. I noticed that the registry clerk was bored with his job[...] So while he was weighing my envelope, I remarked with enthusiasm: “I certainly wish I had your head of hair.”</i><p>> <i>He looked up, half-startled, his face beaming with smiles. “Well, it isn’t as good as it used to be,” he said modestly. I assured him that although it might have lost some of its pristine glory, nevertheless it was still magnificent. He was immensely pleased. We carried on a pleasant little conversation, and the last thing he said to me was: “Many people have admired my hair.”</i><p>> <i>I told this story once in public; and a man asked me afterwards: “What did you want to get out of him?”</i><p>> <i>What was I trying to get out of him!!! What was I trying to get out of him!!!</i><p>> <i>If we are so contemptibly selfish that we can’t radiate a little happiness and pass on a bit of honest appreciation without trying to screw something out of the other person in return—if our souls are no bigger than sour crab apples, we shall meet with the failure we so richly deserve.</i><p>> <i>Oh yes, I did want something out of that chap. I wanted something priceless. And I got it. I got the feeling that I had done something for him without his being able to do anything whatever in return for me. That is a feeling that glows and sings in your memory long after the incident is passed.</i></p>
]]></description><pubDate>Mon, 04 May 2026 13:43:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=48008672</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=48008672</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48008672</guid></item><item><title><![CDATA[New comment by mtlynch in "This Month in Ladybird – April 2026"]]></title><description><![CDATA[
<p>Worth noting that at this point, it's still somewhat trivial to find exploitable remote code execution bugs in Ladybird using AI tools.[0]<p>The userbase of Ladybird users is so small that it's probably not worth the attackers' time, but keep in mind that it's an enormous step down in security from the mainstream browsers who are actively searching for bugs using the latest tools and paying bug bounties on external reports.<p>[0] <a href="https://blog.calif.io/p/mad-bugs-rce-in-ladybird" rel="nofollow">https://blog.calif.io/p/mad-bugs-rce-in-ladybird</a></p>
]]></description><pubDate>Sun, 03 May 2026 15:06:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=47997681</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47997681</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47997681</guid></item><item><title><![CDATA[New comment by mtlynch in "Unverified Evaluations in Dusk's PLONK"]]></title><description><![CDATA[
<p>I notice no mention of a bug bounty. Did they not get paid for this?<p>All I could find of a Dusk bug bounty was this blog post from 2023[0]:<p>> <i>Although we do not currently have a bug bounty program, we will certainly create an extensive one in the near future, when we are ready to transition toward the auditing, testing, and security assessment phases of our roadmap.</i><p>And the roadmap links to a URL that now 404s.<p>I would be extremely reticent to use a blockchain with no bug bounty, as it means that it's easy for a malicious actor to monetize a vulnerability, but there's no incentive for an honest researcher to report it or even look for one.<p>[0] <a href="https://dusk.network/news/infrastructure-vulnerability-fixed" rel="nofollow">https://dusk.network/news/infrastructure-vulnerability-fixed</a></p>
]]></description><pubDate>Sun, 03 May 2026 10:09:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=47995386</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47995386</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47995386</guid></item><item><title><![CDATA[New comment by mtlynch in "Opus 4.7 knows the real Kelsey"]]></title><description><![CDATA[
<p>I wouldn't use AI to write even if it could match my tone, but it currently doesn't do a good job of writing like me.<p>I tried with Opus 4.5 a few months ago to have it read my monthly retrospectives and then write a new one based on my weekly updates for that month. It was similar to the example I showed for James Mickens[0] where I see the similarities to my writing, but it feels more like someone parodying me than actually writing like me.<p>[0] <a href="https://news.ycombinator.com/item?id=47970127">https://news.ycombinator.com/item?id=47970127</a></p>
]]></description><pubDate>Fri, 01 May 2026 12:32:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=47974043</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47974043</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47974043</guid></item><item><title><![CDATA[New comment by mtlynch in "Opus 4.7 knows the real Kelsey"]]></title><description><![CDATA[
<p>He hasn't published anything recently, so I can't test with Mickens, but I tested with my own writing[0], and Opus got it right.<p>[0] <a href="https://news.ycombinator.com/item?id=47970008">https://news.ycombinator.com/item?id=47970008</a></p>
]]></description><pubDate>Fri, 01 May 2026 12:30:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=47974024</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47974024</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47974024</guid></item><item><title><![CDATA[New comment by mtlynch in "Opus 4.7 knows the real Kelsey"]]></title><description><![CDATA[
<p>This is blowing my mind.<p>I asked Kimi K2.6 to write a blog post in the style of James Mickens.[0] Then I fed the output to Opus 4.7 and asked it who the likely author was, and it correctly identified it as <i>an imitation</i> of James Mickens[1]:<p>> <i>Based on the stylistic fingerprints in this text, the most likely author is a pastiche/imitation of the style of several writers fused together, but if forced to identify a single likely author, the strongest candidate is someone writing in the voice of James Mickens</i><p>> <i>[...]</i><p>> <i>The piece could also be a deliberate imitation/homage to Mickens written by someone else, or AI-generated text trained on his style, since the voice is so distinctive it's frequently parodied.</i><p>[0] <a href="https://kagi.com/assistant/5bfc5da9-cbfc-4051-8627-d0e9c0615d84" rel="nofollow">https://kagi.com/assistant/5bfc5da9-cbfc-4051-8627-d0e9c0615...</a><p>[1] <a href="https://kagi.com/assistant/fd3eca94-45de-4a53-8604-fcc568dc5a7d" rel="nofollow">https://kagi.com/assistant/fd3eca94-45de-4a53-8604-fcc568dc5...</a></p>
]]></description><pubDate>Fri, 01 May 2026 00:37:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=47970127</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47970127</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47970127</guid></item><item><title><![CDATA[New comment by mtlynch in "Opus 4.7 knows the real Kelsey"]]></title><description><![CDATA[
<p>Wow! It got me too.<p>I'm way less famous than Kelsey Piper, but I showed it a snippet of a book I'm working on (not yet published), and it immediately guessed me:<p>> <i>Based on the writing style and content, this text is likely by Michael Lynch, who writes on his blog refactoringenglish.com (and previously mtlynch.io).</i><p>> <i>Several stylistic clues point to him:</i><p>> <i>- The "clean room" analogy applied to writing is consistent with his engineering-influenced approach to writing advice (he's a former software engineer who writes about writing).</i><p>> <i>- The structural technique of presenting a flawed excuse, then drawing a parallel to an absurd scenario (the time bomb) to expose the logical flaw, is characteristic of his didactic style.</i><p>> <i>- The topic itself—practical advice about using AI tools without letting AI-generated tone contaminate your prose—aligns closely with recent essays he's published on his "Refactoring English" project, which is a book/blog about writing for software developers.</i><p>> <i>- The conversational-but-precise tone, use of quotes around terms like "clean room," and the focus on workflow/process advice are all hallmarks of his writing.</i><p>> <i>If you can share the source URL or more context, I could confirm with higher confidence, but the combination of subject matter, analogical reasoning style, and formatting conventions makes Michael Lynch the most probable author.</i><p><a href="https://kagi.com/assistant/bbc9da96-b4cf-456b-8398-6cf5404eaf60" rel="nofollow">https://kagi.com/assistant/bbc9da96-b4cf-456b-8398-6cf5404ea...</a></p>
]]></description><pubDate>Fri, 01 May 2026 00:18:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=47970008</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47970008</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47970008</guid></item><item><title><![CDATA[Job Search – Unreasonable Expectations]]></title><description><![CDATA[
<p>Article URL: <a href="https://eric.mann.blog/job-search-unreasonable-expectations/">https://eric.mann.blog/job-search-unreasonable-expectations/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47964224">https://news.ycombinator.com/item?id=47964224</a></p>
<p>Points: 1</p>
<p># Comments: 0</p>
]]></description><pubDate>Thu, 30 Apr 2026 15:45:02 +0000</pubDate><link>https://eric.mann.blog/job-search-unreasonable-expectations/</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47964224</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47964224</guid></item><item><title><![CDATA[New comment by mtlynch in "Before GitHub"]]></title><description><![CDATA[
<p>><i>For a while, leaving GitHub felt like a symbolic move mostly made by smaller projects or by people with strong views about software freedom. I definitely cringed when Zig moved to Codeberg! But I now see people with real weight and signal talking about leaving GitHub. The most obvious one is Mitchell Hashimoto, who announced that Ghostty will move.</i><p>I didn't understand this. I perceive the Zig project and Mitchell Hashimoto / Ghostty to be at similar levels of "weight and signal." Especially because Ghostty is written in Zig.<p>It feels kind of like saying, "Oh, I didn't take this seriously when it was just Fabrice Bellard, but now that an actual influential person like Guido van Rossum is doing it, it's real."</p>
]]></description><pubDate>Wed, 29 Apr 2026 12:27:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=47947388</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47947388</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47947388</guid></item><item><title><![CDATA[New comment by mtlynch in "MeshCore development team splits over trademark dispute and AI-generated code"]]></title><description><![CDATA[
<p>Okay, fair point, but I still feel like it's nitpicking minor wording. My point is that MeshCore should validate untrusted data.</p>
]]></description><pubDate>Thu, 23 Apr 2026 23:17:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=47883490</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47883490</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47883490</guid></item><item><title><![CDATA[New comment by mtlynch in "MeshCore development team splits over trademark dispute and AI-generated code"]]></title><description><![CDATA[
<p>What do you mean? Is the non-existent millionth floor of the Empire State Building still part of the Empire State Building?<p>Also, I'm assuming we're in agreement that software should not accept invalid GPS coordinates from untrusted peers regardless of semantics about whether or not they're within Earth's bounds.</p>
]]></description><pubDate>Thu, 23 Apr 2026 19:36:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=47880596</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47880596</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47880596</guid></item><item><title><![CDATA[New comment by mtlynch in "MeshCore development team splits over trademark dispute and AI-generated code"]]></title><description><![CDATA[
<p>A longitude that's outside the range of [-180, +180] or a latitude that's outside the range of [-90, +90].</p>
]]></description><pubDate>Thu, 23 Apr 2026 19:01:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=47880069</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47880069</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47880069</guid></item><item><title><![CDATA[New comment by mtlynch in "MeshCore development team splits over trademark dispute and AI-generated code"]]></title><description><![CDATA[
<p>> <i>there are Blackberry-style client devices which don't require an app at all, and all the actual firmware is open source (MIT).</i><p>Worth noting that the Blackberry-style devices are also closed source and the hardware and software are way worse than Blackberry was 22 years ago.[0]<p>[0] <a href="https://mtlynch.io/first-impressions-of-meshcore/#this-is-not-a-blackberry" rel="nofollow">https://mtlynch.io/first-impressions-of-meshcore/#this-is-no...</a></p>
]]></description><pubDate>Thu, 23 Apr 2026 18:51:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=47879934</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47879934</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47879934</guid></item><item><title><![CDATA[New comment by mtlynch in "MeshCore development team splits over trademark dispute and AI-generated code"]]></title><description><![CDATA[
<p>> <i>Would you trust AI generated mesh firmware</i>?<p>It's ridiculous to me that they're concerned about the trustworthiness of AI-generated code when their code quality is so low. They don't even have automated tests and ignore attempts to add them.[0, 1, 2, 3]<p>Last I checked, there's little validity checking in the code, so it's possible to broadcast nonsense values (like GPS coordinates outside of Earth's bounds) and the code happily accepts it.<p>And that's fine if they're just like a scrappy upstart doing their best, but it annoys me to be so high and mighty about their code quality when they don't invest in it.<p>I really want to like MeshCore but I feel like its stewardship makes it hard. The main two people I know running it are Scott Powell and Liam Cottle, both of whom are trying to build businesses on closed-source layers on top of the firmware. I don't think there's anything wrong with an open-core business model (I ran such a business myself), but it creates perverse incentives where the core maintainers try to suppress information about the open-source alternatives and push their own closed-source paid products.<p>Also, MeshCore's recommended broadcast settings for the US are illegal.[4] I emailed Liam and Scott about this months ago, and they ignored me.<p>[0] <a href="https://github.com/meshcore-dev/MeshCore/pull/925" rel="nofollow">https://github.com/meshcore-dev/MeshCore/pull/925</a><p>[1] <a href="https://github.com/meshcore-dev/MeshCore/issues/1059" rel="nofollow">https://github.com/meshcore-dev/MeshCore/issues/1059</a><p>[2] <a href="https://github.com/meshcore-dev/MeshCore/pull/1065" rel="nofollow">https://github.com/meshcore-dev/MeshCore/pull/1065</a><p>[3] <a href="https://github.com/meshcore-dev/meshcore.js/pull/11" rel="nofollow">https://github.com/meshcore-dev/meshcore.js/pull/11</a><p>[4] <a href="https://github.com/meshcore-dev/MeshCore/issues/945" rel="nofollow">https://github.com/meshcore-dev/MeshCore/issues/945</a></p>
]]></description><pubDate>Thu, 23 Apr 2026 18:50:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=47879910</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47879910</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47879910</guid></item><item><title><![CDATA[North Korea uses AI to industrialize attacks on developers]]></title><description><![CDATA[
<p>Article URL: <a href="https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/">https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47871714">https://news.ycombinator.com/item?id=47871714</a></p>
<p>Points: 6</p>
<p># Comments: 0</p>
]]></description><pubDate>Thu, 23 Apr 2026 02:34:47 +0000</pubDate><link>https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47871714</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47871714</guid></item><item><title><![CDATA[New comment by mtlynch in "We found a stable Firefox identifier linking all your private Tor identities"]]></title><description><![CDATA[
<p>I don't understand what you mean. What separates this from other fingerprinting techniques your company monetizes?<p>No software <i>wants</i> to be fingerprinted. If it did, it would offer an API with a stable identifier. All fingerprinting is exploiting unintended behavior of the target software or hardware.</p>
]]></description><pubDate>Wed, 22 Apr 2026 19:37:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=47868256</link><dc:creator>mtlynch</dc:creator><comments>https://news.ycombinator.com/item?id=47868256</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47868256</guid></item></channel></rss>