For context, here is the first paragraph of the book's preface:
How best to perform construction work and what it will cost for materials, labor, plant and general expenses are matters of vital interest to engineers and contractors. This book is a treatise on the methods and cost of concrete construction. No attempt has been made to present the subject of cement testing which is already covered by Mr. W. Purves Taylor's excellent book, nor to discuss the physical properties of cements and concrete, as they are discussed by Falk and by Sabin, nor to consider reinforced concrete design as do Turneaure and Maurer or Buel and Hill, nor to present a general treatise on cements, mortars and concrete construction like that of Reid or of Taylor and Thompson. On the contrary, the authors have handled the subject of concrete construction solely from the viewpoint of the builder of concrete structures. By doing this they have been able to crowd a great amount of detailed information on methods and costs of concrete construction into a volume of moderate size.
For anyone wondering what the "OTP" part is in Erlang/OTP, it is a set of libraries and associated principles that, in effect, standardize the creation of highly reliable, fault-tolerant applications, originally for the telecom domain. It's worth checking out the brief introduction to the fundamental ideas in the introduction to "OTP Design Principles":
I swear there's a video of Joe Armstrong et al. presenting part of this on stage and laughing along with it. I tried to find it last week but couldn't figure out which talk it was. A few years ago I think I watched every Erlang/OTP talk in existence.
> It's almost as if government corruption is not a byproduct of the system of government, but a byproduct of the fact that it's filled with people, and when people accrue power they will, by and large, abuse it.
If only there were a system to align incentives toward a common good under the assumption that everyone is corrupt and will therefore seek to maximize their own interests....
What are the incentives for corrupt people to fix potholes under a purely capitalist economy? No one's making any money from that. But it causes damages to everyone.
You need some kind of government for such things as education, healthcare, roads... fixing potholes...
> What are the incentives for corrupt people to fix potholes under a purely capitalist economy?
Well, in a purely capitalist economy, the answer would be property rights, competition, and liability. For example, a road would be owned by someone, and you could sue that someone for damages if the road damaged your car. A road owner could discharge liability risk by purchasing insurance, and insurance underwriters could require some minimum standard of maintenance from owners in exchange.
> You need some kind of government for such things as education, healthcare, roads... fixing potholes...
The whole point of the article that spawned these discussions is that society has already delegated the responsibility for fixing potholes to the government, and the government is doing a crappy enough job of fixing potholes that "art activists" need to make potholes into public art projects to get the government to actually do its job.
Some libertarians moved into the small town of Grafton, NH [0], with the explicit goal of turning it into a "Free Town".
> This resulted in eliminating funding to the county's senior-citizens council, town offices going unheated during the winter, poorly maintained roads filled with potholes, and the Grafton Police Department being reduced to one officer (the police chief), who said he was unable to answer calls for service as the town had no money to repair the one police vehicle left. Other issues were inconsistent basic public services, such as trash collection.
Most roads are unprofitable individually, but still beneficial to the greater economy. It's very unrealistic to expect private individuals to build and maintain them. And the logistics of paying for every street one drives on, and the profiteering this enables, sounds hellish.
There was a time when the government was able to build and fix stuff. We should probably get to fixing that, by kicking out the parasitic contractors, actually hiring competent civil servants at competitive wages, taxing the ever-increasing wealth of the top 1%, etc. Not by privatizing roads, which is a nonsensical idea that failed miserably anytime it was tried.
The golden age of America (and the West) happened when redistributive taxation was maximal and the government had the means and the will to improve citizens' lives. We've been privatizing stuff ever since the 1980s with arguably disastrous results. It's time we came back to first base.
You can be a libertarian without being a capitalist, and you can be a capitalist without being a libertarian, so I'm not sure what point you're trying to make with a [completely accurate] libertarian dig when the original point was that if the system was more capitalist, it would get fixed faster and better.
> actually hiring competent civil servants at competitive wages
I think most people would be open to increasing cash government salaries if the rest of the job also matched the broader economy - at-will employment, no public sector unions, etc. You trade some of your cash compensation in the government for the cushy benefits, sub-40 hour work week and lots of time off, and the near impossibility of being fired especially once you've been there for a few decades.
The golden age of the West happened due to a war-time manufacturing boom that would put the industrial revolution to shame. If you're making a ton of money and your marginal tax rate is 90%, what incentive do you have to work another ten hours a week or open another factory or release a new product if you're only keeping 10% of what you earn?
> You can be a libertarian without being a capitalist, and you can be a capitalist without being a libertarian
If you say so, but I have yet to meet such an individual. Anytime someone talks libertarianism, it's some kind of weird Randian objectivism, that is still somehow socially conservative, and they align themselves with the GOP more often than not.
I would consider myself pretty liberal (as in, pro-liberty). I just believe that to experience true freedom, equality is necessary. It's not enough to have the freedom to do X or Y, you also need to have the means to. Why should some people be freer than others just because they happened to be well-born?
> the system was more capitalist, it would get fixed faster and better.
The system is getting more capitalist. That's why we're having more and more potholes. After decades of neoliberal austerity and deregulation, there ain't any money left to fix shit.
What a government employee used to do in an hour of minimum wage now requires 10 government contractors who charge ludicrous sums for useless prestations, and don't even end up delivering because they've successfully lobbied themselves out of liability! You know, in the name of efficiency, since as we all know the government can't do anything by itself, and the private sector is that much more efficient.
> I think most people would be open to increasing cash government salaries if the rest of the job also matched the broader economy - at-will employment, no public sector unions, etc. You trade some of your cash compensation in the government for the cushy benefits, sub-40 hour work week and lots of time off, and the near impossibility of being fired especially once you've been there for a few decades.
I would argue that the rest of the economy should follow the standards of public servants, rather than degrade their working conditions to match this terrible job market.
> The golden age of the West happened due to a war-time manufacturing boom that would put the industrial revolution to shame.
That's a partial myth, a manufacturing boom alone is meaningless if the generated wealth isn't redistributed. Markets have never been this healthy, yet regular people aren't getting any richer.
Same thing for the industrial revolution. It didn't amount to much for the general population until the big labor movements and the invention of unions.
> If you're making a ton of money and your marginal tax rate is 90%, what incentive do you have to work another ten hours a week or open another factory or release a new product if you're only keeping 10% of what you earn?
Look, it worked in the 50s. I am not interested in the classic economist's argument of "it works in practice, but does it work in theory?". You can probably find books written by people much better informed than I am. For instance, do you know about Thomas Piketty?
> The wealthiest people pay a much lower tax rate because their typical form of income (capital gains) is taxed at a much lower rate than other people's (salary)...
A different way to think about this would be to say that a lower tax rate for capital gains is a trick (incentive) to get the wealthiest people to invest their wealth in the market, which provides capital for people trying to grow the economy and provide jobs, rather than spend their wealth on luxuries for themselves. In this way, we have an economy focused more on the needs and wants of regular people, and less on producing what wealthy people want.
Low capital gains tax incentivizes investment and venture capital, so the rich can grow their wealth faster than the poor, while creating a job market. Compare that to spending wealth on luxuries, a money sink that also creates a job market and grows the economy (people have to make the luxuries). The former creates more liquid assets (stock) with no clear connection towards meeting the needs of regular people. The latter creates more solid assets with no clear connection towards meeting the needs of regular people.
I vaguely remember Adam Smith talking about directing the vanity of the rich towards spending great amounts of money on proper objects in exchange for recognition. 4:00 https://www.youtube.com/watch?v=ejJRhn53X2M
> Low capital gains tax incentivizes investment and venture capital, so the rich can grow their wealth faster than the poor, while creating a job market.
You forgot the most important part. Let me add it for you: "Low capital gains tax incentivizes investment..., while creating a job market, [and, more importantly, providing goods and services that are beneficial to society as a whole]."
> The former creates more liquid assets (stock) with no clear connection towards meeting the needs of regular people. The latter creates more solid assets with no clear connection towards meeting the needs of regular people.
These claims are demonstrably false. Paper assets provide no tangible benefits. You cannot eat a stock certificate, nor can you use it to heal an infection, nor can you ask it to repair your refrigerator. To receive a tangible benefit such as these, you must consume a good or service. And what is the economy but a machine that produces the goods and services that the people within it consume? Therefore, it is the mix of goods and services consumed (which equals that produced) that determines how society benefits. And, as you've already admitted, a low capital gains tax incentivizes the wealthy to buy paper assets instead of luxuries for themselves. But luxuries are real goods and services, aren't they? In other words, doesn't that policy incentivize wealthy people to consume less and, therefore, claim a reduced share of economic benefits? Consequently, doesn't an increased share of economic benefits go to "regular people"?
>[and, more importantly, providing goods and services that are beneficial to society as a whole].
I think enshittification, cost externalization, and rent-seeking behavior cancel this out, muddying the connection towards meeting the needs of regular people. For example, we needed cap-and-trade to internalize the costs of acid rain back onto power plants.
>These claims are demonstrably false. Paper assets provide no tangible benefits.
I think my rhetorical bait worked: you seem to agree with incentivizing luxury spending on real goods and services (instead of incentivizing capital gains)? Adam Smith argues to take that vanity and drive it towards public recognition. For example, many universities put the names of rich donors on the opulent buildings they donate to build. That's good! (My college's music building was amazing!)
>In other words, doesn't that policy incentivize wealthy people to consume less and, therefore, claim a reduced share of economic benefits? Consequently, doesn't an increased share of economic benefits go to "regular people"?
I thought trade doesn't make a zero-sum game? Money supply is a zero-sum game (I think), and I want money sinks to spread the money. We want them to spend their stored money to generate more tangible wealth for all. Luxury goods often push the limits to what can be done, advancing technology and generating wealth while also depleting their money stores. But while investments and venture capital might also advance technology and generate wealth, they continue to concentrate the money supply to the rich. Not good!
> I think enshittification, cost externalization, and rent-seeking behavior cancel [general societal benefits] out.
While I agree that the factors you cited are drags on the economy, I think historical evidence suggests strongly that they do not cancel out net benefit to society in general. The fact that poor people today benefit from refrigeration, air conditioning, electronic computers, vaccinations, safe anesthesia, cancer drugs, dialysis, HDTVs, cell phones, and a host of other things that the wealthiest people of yesteryear could not have purchased with all their wealth, suggests that the net trend of the economy has been to produce benefits for all of society, including regular people.
> you seem to agree with incentivizing luxury spending on real goods and services (instead of incentivizing capital gains)?
No, that is the opposite of my original claim. My claim, put simply, is that a low capital gains tax shifts the economy's output away from luxuries and toward meeting the needs of regular people.
> I thought trade doesn't make a zero-sum game?
But resource allocation is a zero-sum game. In any given year, there are only so many productively employable atoms and human hours. If less of those resources are being used to produce luxuries for wealthy people, they can be employed to produce goods and services for regular people.
Very interesting perspective. Let me try and repeat it back. Resource allocation is a zero-sum game within any given year, resource production increases yearly as technology increases, technology increases more as capital increases, so a low capital gains tax will increase resource production more than a high capital gains tax.
If I got that right, here's my best shot at a contradiction. If resource allocation is a zero-sum game, money (liquid assets) determines resource allocation, and low capital gains tax further concentrates money to the wealthy (I would need to prove this, and in recent years the distribution of wealth has increased towards the wealthy), then the wealthy gain a greater share of resource allocation next year.
This might not result in problems, as historically the increases in resource production have increased regular people's resource allocation in absolute terms, but I see no necessity in this trend. I might argue that the poor can lose resource allocation in the zero-sum game, but I'd need to prove that (something like, inflation hurts poor people more than the rich? incomplete thoughts). I could also argue that current trends place financial assets (intangible) above production assets (tangible), slowing the benefit to regular people.
I claim that if the wealthy were to put their money in luxuries (things that don't give capital gains), they would control more allocation in a given year, but then they would decrease their share of resource allocation the next year. I also claim that resource production would increase just fine, as technology initially benefiting luxury production expands toward general production.
First, thanks for continuing this interesting conversation!
> Let me try and repeat it back. Resource allocation is a zero-sum game within any given year, resource production increases yearly as technology increases, technology increases more as capital increases, so a low capital gains tax will increase resource production more than a high capital gains tax.
Actually, this line of reasoning is tangential to the thrust of my argument. Let’s get to it now:
> If I got that right, here's my best shot at a contradiction. If resource allocation is a zero-sum game, money (liquid assets) determines resource allocation, …
Okay, here’s what I think you’re missing. Money does not determine resource allocation. But spending money does! Only by spending money do you get to consume goods and services. Therefore, by getting wealthy people not to spend but to invest almost all of their wealth, we get them to give up their claim on where today’s resources are allocated. They control wealth but not resource allocations.
> … and low capital gains tax further concentrates money to the wealthy, …
I believe that this claim is more or less true.
> … then the wealthy gain a greater share of resource allocation next year.
But this claim does not follow. Wealthy people gain a greater share of the wealth allocation next year, but they do not spend that wealth, nor the new wealth they gain each year. They spend only a tiny fraction of it – and invest the rest. Thus, most of this “extra” wealth that wealthy people gain is invested, with resource allocations from that wealth to be determined by spending across the population in general, not by the wealthy who invested it.
> I claim that if the wealthy were to put their money in luxuries (things that don't give capital gains), they would control more allocation in a given year, but then they would decrease their share of resource allocation the next year. I also claim that resource production would increase just fine, as technology initially benefiting luxury production expands toward general production.
Let’s say that the wealthiest 1% of people control half of all wealth. If we forced them to spend that wealth, much of the economy’s resources would be redirected to provide goods and services to the top 1% of people. For a very long time, the remaining 99% of people, especially the lower 80%, would find it very hard to purchase goods and services, for their spending would be dwarfed. Resource production would increase, but I doubt it would be “just fine.” Factories producing mega-yachts, doctors providing exotic cosmetic surgeries, and master chefs preparing one-of-a-kind meals with luxury ingredients such as hand-massaged beef fed grasses from the richest soils on Earth… These are not easily adapted to produce things that regular people need.
By getting those wealthy people to invest their wealth instead, we get them to give up their ability to dictate where today’s resources go. In exchange, they (as a group) get the promise of earning more wealth tomorrow from their investments.
I agree, however, that concentration of wealth is a problem for society. When a small number of people can, in effect, buy the government with pocket change, that’s not good. But a low tax rate on capital gains is only one contributing factor to the concentration-of-wealth problem.
>thanks for continuing this interesting conversation!
Cheers!
>Money does not determine resource allocation. But spending money does!
Very good point. Investors have some say as to where the money goes, but you're right. Often said that the economy runs on debt.
>They spend only a tiny fraction of it – and invest the rest.
Well said. I suppose their wealth only represents a potential for resource allocation.
>If we forced them to spend that wealth, much of the economy’s resources would be redirected to provide goods and services to the top 1% of people.
Under most theories of value, this extreme demand and labor would cause the price of such luxury goods and services to skyrocket! The money would quickly distribute to the hands of those who provided such goods. Then the masses can spend the money.
I now see our discussion as a classic debate of supply-side vs demand-side economics. I'll steal "the unity of means and ends" from the anarchists for this: I fully believe that the masses must have the resource allocation potential in order to achieve greater wealth for all. That exists in a positive feedback loop with businesses, increasing technology and production, and increasing the general standard of living. But, investing gives the resource allocation power to the businesses. With enough wealth and power, large businesses can keep the investment cycle flowing between businesses and owners, underpaying the workers and buying out competitors. At the most extreme result, a vertically closed system where the workers must meet the needs of the business (company towns).
>These are not easily adapted to produce things that regular people need.
So many goods start out as expensive luxury goods. Refrigeration, commercial airlines, air conditioning, computers, HDTVs, cell phones...
>When a small number of people can, in effect, buy the government with pocket change, that’s not good.
Then they morph government policy towards further enriching themselves, hurting the masses in the process. Very bad!
Would you advocate for a 0% capital gains tax? Or a capital gains tax-break? How would you calculate the ideal number? (I would place capital gains tax included in income tax.)
> Would you advocate for a 0% capital gains tax? Or a capital gains tax-break? How would you calculate the ideal number? (I would place capital gains tax included in income tax.)
I wouldn't advocate for any particular tax rate for capital gains without it being part of comprehensive fiscal and government reform. The point I was trying to get across in my original comment was that, when people talk about raising the capital gains tax because they think it's an obvious way to tax the rich without affecting working people and that the only reason we're not already doing it is because the rich have rigged the system, the reality is way more complicated. There are no easy fixes. Changing the capital gains tax substantially (outside of more widespread reforms) is likely to have unwanted consequences. And even with widespread reforms, we're likely to suffer unwanted consequences.
I'm not taking a test (feel free to answer yourself) but my view is that it's the same old talking point: Help the wealthy, and the Nth order effects will benefit others. The only thing these policies deliver on reliably is the 1st order effect - helping the wealthy.
(I think that's a good way to analyse any policy - the 1st order effects are the ones you can count on; the Nth order effects are just BS that magically costs nothing, but gets others to go along - 'the people will pay for this stadium for my privately owned franchise (1st order) and it will bring business to the community (2nd order).' That's repeated over and over, and the 2nd order effect is well known to not happen, but it sometimes gets enough votes from those uneducated in the issue.)
I think in the 1980s the Reagan administration called it 'trickle-down economics', such an incredibly revealing name!
Okay, but you didn't refute the line of reasoning. You called it "the same old talking point" and then jumped to the conclusion that "the only thing these policies deliver on reliably is the 1st order effect - helping the wealthy." But you didn't show that your claim was true. Or that the claim you were responding to was false.
Can you offer a substantive argument that getting the wealthy to invest their wealth instead of spending it on themselves is a policy that benefits only the wealthy and makes life worse for everyone else?
If that's what you think is happening – tests and grades – when people come to a site whose purpose is to foster thoughtful and substantive discussions, and then on that site they share ideas and invite criticism of them, you might consider whether you're missing something.
I'm curious. What specifically about my comment made you believe it was a test and that I would be assigning grades to responses, as opposed to an idea for which I invited criticism?
> Can you offer a substantive argument that getting the wealthy to invest their wealth instead of spending it on themselves is a policy that benefits only the wealthy and makes life worse for everyone else?
Not gp, but if the investment is made in either a non-productive asset, or in the secondary market to buy shares in a company that is downsizing/stabilizing their investments (share buyback is very often a good tell), then the wealth does not benefit society in general but either inflates a bubble or separates the owning class from the working class.
> Not gp, but if the investment is made in either a non-productive asset, or in the secondary market to buy shares in a company that is downsizing/stabilizing their investments..., then the wealth does not benefit society in general but either inflates a bubble or separates the owning class from the working class.
That if is doing a lot of lifting. What percentage of investments do you believe satisfy that if condition? If that percentage is p, then do you agree that it's generally beneficial for society, for approximately 100% − p percent of the time, when wealthy people decide to invest in the economy instead of spend on themselves?
(Further, even when companies downsize, don't they release their resources, such as people and equipment, back to the market? And doesn't the evidence of economic history suggest that, on the whole, the market tends to take up resources, including those released from downsizing companies, and use them to produce goods and services that benefit both the owning class and the working class? For example, for most of history, even the wealthiest of the owning class lacked electricity, air conditioning, refrigeration, radio, television, electronic computers, the internet, cell phones, HDTVs, antibiotics, vaccines, generic drugs, medical imaging, DNA testing, video conferences with health care professionals, and so on. Today, don't even working people benefit from these things? So, even when your if condition holds, the claimed consequence, that such investments "either inflate a bubble, or separate the owning class from the working class" seems hard to believe.)
More than two thirds of all public investments are on the secondary market, and this does not benefit investments or the 'real' economy. It's thus beneficial to society at best 33% of the time (I'm counting MIC in 'beneficial for society' only for the sake of the argument to be clear).
While a worker is beneficial to society 100% of the time.
They also did an episode about rapamycin that I thought was really cool. I had no idea the history of it and found it fascinating and it really gets the imagination going thinking about what other things are hidden all around us.
That article doesn’t explain why acupuncture works, just gives a hint of a possible mechanism. It also doesn’t contain any evidence that acupuncture works at all (other than as a placebo).
The Apple II family did indeed use 555 timers, in either 558 or 556 chips, to drive the timing circuit used to read paddle and joystick positions. The following article explains both the circuit and the reading code:
It can help. Then you plant wheat on it and the weeds grow back. I can't see my copy to give you the title, but one of the seminal books on soil health agreed that it was not possible at this time to go fully no till organically. You have to plough eventually to deal with weeds.
That's why Keith Richards kept a tape recorder on his bedside table. He credits it with capturing the famous riff for "(I Can't Get No) Satisfaction," which came to him in a dream.
> Looks like every single one of the 38 vulnerabilities were either SQL injection, XSS, path traversal or "Insecure Direct Object Reference" aka failing to check the caller was allowed to access the record.
Seems like code review against a checklist of the most common vulnerabilities would have prevented these problems. So I guess there are two takeaways here:
First, AI scanners are useful for catching security problems your team has overlooked.
Second, maintaining a checklist of the most-common vulnerabilities and using it during code review is likely to not only prevent most of the problems that AI is likely to catch, but also show your development team many of their security blind spots at review time and teach them how to light those areas. That is, the team learns how to avoid creating those security mistakes in the first place.
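Two of the four classes named in the quoted summary, IDOR and path traversal, are the ones a reviewer can check for mechanically: does the lookup prove the caller owns the record, and is the filesystem path confined to its base directory? The block below is an added illustration written for this thread, not code from the audited project or from any commenter; the invoice table, the user ids and the `/srv/uploads` directory are constructed sample values, and the vulnerable lookup is kept beside the hardened one so the missing check is visible.

```python
import os
import sqlite3


class AccessDenied(Exception):
    """Raised when the caller is not allowed to see the requested resource."""


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: two users (100 and 200), each owning one invoice."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 2500), (2, 200, 9900)],
    )
    return conn


def fetch_invoice_idor(conn, invoice_id):
    """IDOR pattern: the record is looked up by id alone, so the caller's identity never enters
    the decision and any authenticated user can read any invoice whose id they know."""
    return conn.execute(
        "SELECT id, owner_id, total_cents FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def fetch_invoice(conn, invoice_id, caller_id):
    """Hardened: ownership is part of the query, so the lookup cannot succeed for another user's row."""
    row = conn.execute(
        "SELECT id, owner_id, total_cents FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, caller_id),
    ).fetchone()
    if row is None:
        # Same error whether the row is missing or belongs to someone else, so the response
        # does not tell the caller which ids exist.
        raise AccessDenied(f"invoice {invoice_id} not found for caller {caller_id}")
    return row


def resolve_under(base_dir, requested):
    """Path-traversal guard: resolve the requested name and refuse anything outside base_dir.
    realpath() collapses '..' segments and symlinks before the containment test is made."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise AccessDenied(f"{requested!r} escapes {base_dir!r}")
    return target
```

The checklist item for IDOR is simply "where is `caller_id` in this query?": if the answer is nowhere, the endpoint is relying on ids being unguessable. For paths, an absolute path or a `..` segment in `requested` makes `os.path.join` or `realpath` leave the base directory, and the `commonpath` comparison catches both cases.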
I think it shows exactly the opposite of the second. Even with the availability of checklists, and instructions to use them, people won't and don't actually use them consistently.
'With enough eyes, all bugs are shallow' and AI is an automatable eye that looks at things we can tell nobody has seriously looked at before. It's not a panacea, there will be lots of false positives, but there's value there that we clearly aren't getting by 'just telling humans to use the tools available'.
See also: modern practices and sanitizers and tools and test frameworks to avoid writing memory errors in C, and the reality that we keep writing memory errors in C.
> See also: modern practices and sanitizers and tools and test frameworks to avoid writing memory errors in C, and the reality that we keep writing memory errors in C.
I think there's a difference in how trivial some of these things are to detect and how difficult others are. IDOR and SQLi aren't nearly as complex as C unsafety is.
Having AI tools do the review against the checklist would probably prevent the problems. However, it would probably be substantially inferior as a teaching tool for your team. The exercise of having reviewers hunt the checklisted vulnerabilities for themselves is what develops the mental muscles needed to understand the vulnerabilities in depth and avoid them when designing and writing future code.
But, yes, I'd augment any manual review with a checklist and AI review as a final step. If the AI catches any problems then, your reviewers will be primed to think about why they overlooked them.
> The exercise of having reviewers hunt the checklisted vulnerabilities for themselves is what develops the mental muscles needed to understand the vulnerabilities in depth and avoid them when designing and writing future code.
Could not agree any more strongly. These automagic tools are one thing in the hands of a dev that groks the basics like these examples. It would be one thing if new devs were actually reviewing the generated code to understand it, but so much is just vibe coded and deployed as soon as it "works". I get flak for not immediately deploying generated code because I want to take time to understand how it works. It's really grating and a lot of friction is coming from it.
For vulnerabilities of this nature is there really a point in training if an AI will catch them from now on? Seems like a variant of the allowing calculators problem and maybe the problem codeless platforms would have had. If these styles of bugs don't change design in any meaningful way then the user can just write pseudo variables and the AI can normalize to safe code and their ability to work without the AI and IDE is probably less relevant than freeing their cognitive load for more complex constraint problems.
Suppose we still need humans to be writing code and caring about this stuff for the foreseeable future, so we need people to continue learning about the ways things can go wrong. For something like injection, you still ideally have a lint rule that says "don't concatenate things that look like SQL/HTML/etc. Use the correct macros for string interpolation". What does it actually teach for a reviewer to tell you that? You can ask the reviewer for more information, but you can ask your teammate anyway if you don't understand why the linter is mad. You can also ask the robot, who will patiently explain it to you even long after all of the knowledgeable humans have retired or died. The robot could even link to a prompt asking to explain it:
If people aren't learning more with AI, that's a meta skill they need to develop.
As for training the review muscles, why would you do that if you have a linter that rejects when you make the mistake? I don't expect reviewers to check whether you eschew nulls or uninitialized variables; I expect the compiler to do that, and I expect over time that more and more things will become tooling concerns (especially given that rigid tools with appropriate feedback are clearly a massive force multiplier for LLMs).
Two issues here. First, teams that decide to delegate security responsibilities to AI are more likely to do things fast and loose, in general, and thus be less likely to "ask the robot to patiently explain" problems until they understand the problems' root causes and update their mental models to prevent those problems.
Second, to use your example, the ChatGPT response you provided does a crappy job of explaining the root cause of the problem: Namely, that every string is drawn from some underlying language that gives the string its meaning, and therefore when strings of different languages are combined, the result can cause a string drawn from one language to be interpreted as if it were drawn from another and, consequently, be given an unintended meaning.
So, if the idea is that smart teams can not only delegate the catching of problems but also the explanation of those problems to ChatGPT -- presumably because it is a better teacher than the senior engineers who actually understand the salient concepts -- I'd say AI ain't there yet.
> teams that decide to delegate security responsibilities to AI are more likely to do things fast and loose
Is that true? Is that also true of e.g. teams using type checkers to avoid nulls or exceptions? Or teams that use memory safe languages to avoid memory corruption? Or using a library that has an `unsafeStringToSql` API surface, and a linter to flag its use (where you're expected to use safe macros instead)? My experience is that better tools (or languages and library designs) scanning for issues lead to fewer defects and less playing fast and loose since the entire point of the tools is to ban these mistakes.
On education, it literally tells you that the top concern is SQL injection made possible by concatenating strings, and gives an example of an auth bypass: `name = "foo' OR 1=1 --"`. It also notes that this is not just a minor nitpick, but that actually the solution is fundamentally doing something completely different (query objects with bound parameters). If you don't understand what it means you can just ask:
> Elaborate on 1
> Walk through examples of what goes wrong and why, and how the solution avoids it
etc. The knowledge is all there; you just need to ask for it. It's an infinitely patient teacher with infinite available attention to give to you. You can keep asking follow-ups, ask it to check your understanding, etc. Or there are tons of materials about it on the web or in textbooks, and if you still don't understand, you can still ask a more senior engineer to explain what's wrong.
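As an added illustration of the kind of lint rule discussed in the two comments above (the "don't concatenate things that look like SQL" rule, and a linter that flags an unsafe API so that the safe macro is used instead), here is a small AST-based check written in Python. It is not code from the thread or from any named library; the `SAMPLE` source it scans and the `execute*` method names it looks for are assumptions made for the example.

```python
import ast

# Constructed sample source for the check to scan (not from the thread).
# Lines 3, 4 and 6 build the SQL text at runtime; line 5 binds a parameter.
SAMPLE = '''
def lookup(conn, name):
    conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
    conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
    conn.execute("SELECT * FROM users WHERE name = ?", (name,))
    conn.execute("SELECT * FROM users WHERE name = %s" % name)
'''

# Assumed DB-API style method names that take SQL text as their first argument.
EXECUTE_NAMES = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node):
    """True if the expression assembles a string at runtime from other values."""
    # f-string with at least one interpolated {value}
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    # "..." + x  or  "..." % x  (a constant-only "a" + "b" is also flagged; that is
    # deliberate: the rule is "do not assemble SQL text", not "this input is tainted")
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    # "...".format(x)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_dynamic_sql(source):
    """Return (lineno, node_kind) for every execute*() call whose SQL argument
    is built at runtime rather than written as a fixed string with placeholders.

    Limitation: only the argument expression itself is inspected. A string
    assembled earlier and passed through a variable is not traced; a real
    linter would add dataflow for that case.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXECUTE_NAMES or not node.args:
            continue
        sql_arg = node.args[0]
        if _is_dynamic_string(sql_arg):
            findings.append((node.lineno, type(sql_arg).__name__))
    return findings


if __name__ == "__main__":
    for lineno, kind in find_dynamic_sql(SAMPLE):
        print(f"line {lineno}: SQL text assembled via {kind}; "
              "use a fixed query with bound parameters")
```

The rejection message is the whole point of the check: it names the mistake and the replacement, so the developer who trips it has something concrete to look up or ask about.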
> Is that true [that teams that decide to delegate security responsibilities to AI are more likely to do things fast and loose in general]?
Yes. See: vibe coding. See also: The shockingly widespread hype for and acceptance of vibe coding across industries that ought to know better.
Do you deny that there is a correlation between AI use and not knowing what you are doing? Isn’t one of the big selling points of AI that it lets “regular people” create “real world” projects that they could only dream about previously?
I am not saying that serious engineers don’t use AI or that when they use it, they do so foolishly. I’m only pointing out that AI has let a lot of people who don’t know what they’re doing crank out code without understanding how it works (or doesn’t).
> Is that also true of e.g. teams using type checkers to avoid nulls or exceptions? Or teams that use memory safe languages to avoid memory corruption?
No, it is not true of those teams. When people choose to use languages with statically checked types or with memory safety or the other examples you offered, they are rarely doing it because they have no idea how to write sound code. But when people turn to AI to crank out code they couldn’t write themselves (see: vibe coding), that’s what they are doing.
> On education, [ChatGPT] literally tells you that the top concern is SQL injection from essentially concatenating strings, and gives an example of an auth bypass: `name = "foo' OR 1=1 --"`. If you don't understand what that means you can just ask...
Again, that’s a crappy explanation of the real problem. It promotes no understanding of the underlying issue—that strings are drawn from languages that give them their meanings. And, unless you understand that it’s a crappy explanation that ignores the underlying issue—which a person being gaslit by the crappy explanation would not—what stimulus is going to provoke you to ask for a better explanation? How are you going to know that the crappy explanation is crappy and tell ChatGPT to take another direction?
> The knowledge is all there; you just need to ask for it. It's an infinitely patient teacher with infinite available attention to give to you.
Yeah, and if it steers you down a crappy path, such as in your sql-injection session with ChatGPT, it will be infinitely happy to keep leading you down that crappy path. Unless you know that it’s leading you down a crappy path, you won’t be able to tell it to stop and take another path. But if you are relying on the AI to tell you what’s good and what’s crappy, you won’t be able to tell which is which. You’ll be stuck on whatever path the AI first presents to you.
> Or there are tons of materials about it on the web or in textbooks, and if you still don't understand, you can still ask a more senior engineer to explain what's wrong.
And that’s equivalent to “don’t ask the AI, use a traditional resource,” right?
I'm not following the scenario here. The original discussion was around teams using these tools, not vibe coders chasing their dreams.
If you're a "regular person" vibe coder, you're not doing code reviews with a team anyway. You presumably had no teacher and no one to tell you your mistakes. So having a security bot is strictly an improvement.
If you're on a professional team, then you're presumably in the non-foolish group that already had standards, and is using it as a tool as with any of the other quality tools they use. And if they don't have standards and don't know this stuff already, well, the bot is again an improvement. At least it raises the issue for someone to ask what it means.
If you're a professional, I also assume you've heard of SQL injection (does it never come up in a CS degree?), so you don't really need more than a "this method is exposed to SQL injection" explanation. It's like saying "tail recursion is preferred because it compiles to a loop, so it's not prone to stack overflow". It assumes it doesn't need to elaborate further, but if you don't understand a term, you can just ask. Or look it up.
And yeah books or Wikipedia still exist even if you use an automated linter. You can go read about these things if you don't know them. I frequently tell my team members to go read about things. Actually I ended up in a digression about CSRF the other day (we work on low level networking, so generally not relevant), and I suggested the person I was talking to could go read about it if they're interested so as not to make them listen to me ramble.
Also I'm still unclear on why you think the explanation is crappy. It says the problem is you're making a query via simple string substitution, shows how you can abuse quotes if you do that (so concretely illustrates the problem), and says the reason the better solution is better is that it makes a structural object where you have a query with placeholders followed separately by parameters (so you can't misinterpret the query shape), which seems better than "strings are drawn from languages that give them their meanings"?
The root of this subthread was this claim that I made and you questioned:
> Teams that decide to delegate security responsibilities to AI are more likely to do things fast and loose in general.
Note the word delegate. I claimed that teams that delegate security responsibilities to AI are more likely to play fast and loose in general. That’s because delegating security to AI—not supplementing existing security practices with AI—is likely to be a good way to launch insecure garbage into the world. AI simply isn’t good enough to get security right on its own. Maybe someday it will be good enough, but like I wrote earlier, it ain’t there yet. And any team that plays fast and loose with security is likely to play fast and loose in general.
See any problems with that logic?
I only used vibe coding as an obvious example that shows there are lots of teams that delegate security responsibilities to AI. (Vibe coders are delegating almost everything to AI.)
> If you're a "regular person" vibe coder, you're not doing code reviews with a team anyway. You presumably had no teacher and no one to tell you your mistakes. So having a security bot is strictly an improvement.
How is it strictly an improvement? Before vibe coding, “regular people” couldn't launch insecure garbage upon an unsuspecting world—they couldn't launch anything. Do you believe that it’s "strictly better" that now everyone can launch insecure garbage courtesy of their AI minions? Do you think it’s “strictly better” that lots of users are having their data sucked into insecure apps and web sites that are destined to be hacked?
> Also I'm still unclear on why you think the explanation is crappy.
It’s crappy because it tells you how to use a tool (a custom SQL interpolator) without helping you understand the cause of the problem that the tool is trying to solve. You could read this ChatGPT explanation about avoiding SQL injection in Scala and not be any wiser about how to avoid that problem in other programming languages.
Worse, you would never learn from this explanation that the underlying cause of SQL injection is the same as for cross-site-scripting holes and a host of other logic and security problems in software. That’s because ChatGPT was trained on explanations of these problems scraped from the internet, and 99% of those explanations are superficial because the people who wrote them didn’t understand the underlying issues.
But if you deeply understand the following, you will never make this kind of mistake again in any programming language:
1. Every string is drawn from an underlying language and must conform to the syntax and semantics of that language.
2. To combine strings safely, you must ensure that they are all drawn from the same language and are combined according to that language’s syntax and semantics.
Therefore, as a programmer, you must (a) understand the language beneath each and every string, (b) combine strings only when you can prove that they have the same underlying language, and (c) combine strings only according to that underlying language’s syntax and semantics.
If you understand these things, you will know how to avoid all SQL injection and XSS holes and related problems in all programming languages. Things like escaping will make sense: it converts a string in one language into its equivalent string in another language. Further, you will know when you can safely delegate some of your responsibilities to tools such as parsers, type systems, custom SQL interpolators, and the like.
But you wouldn’t learn any of this from the ChatGPT explanation you received. Worse, you wouldn’t even think to ask for this deeper explanation because you would have no reason to suspect from ChatGPT’s explanation that this deeper explanation even existed.
In any case, I appreciate your willingness to continue this conversation. It’s been fun and educational and has forced me to articulate some of my ideas more clearly. Thanks!
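The `foo' OR 1=1 --` bypass quoted earlier in the thread, and the "strings are drawn from languages" rules in the comment above, side by side in runnable form. This is an added example, not code from the thread or from any library it mentions; it uses Python's standard `sqlite3` module and a constructed two-row `users` table. The three `login_*` functions are hypothetical names chosen for the example.

```python
import sqlite3

# Constructed sample data (not from the thread): an in-memory SQLite table of users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Pastes Python strings into SQL text. The inputs are never converted into
    SQL string literals, so a quote in the input ends the literal and the rest
    of the input is read as SQL grammar."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def sql_string_literal(value):
    """Converts a Python string into the SQL language's string-literal syntax:
    wrap in single quotes and double any embedded single quote (the standard
    SQL and SQLite rule). This is escaping as translation between languages,
    and it is only correct for this one context (a string literal), not for
    identifiers, numbers or LIKE patterns."""
    return "'" + value.replace("'", "''") + "'"


def login_escaped(conn, name, password):
    """Same query shape as login_vulnerable, but each input is first translated
    into a SQL string literal, so it can only ever denote a value."""
    query = ("SELECT COUNT(*) FROM users WHERE name = " + sql_string_literal(name) +
             " AND password = " + sql_string_literal(password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, name, password):
    """The query is a fixed string with placeholders; values travel separately
    and never enter the SQL grammar at all. This is the preferred form."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


# The auth-bypass input quoted in the thread. In login_vulnerable the SQL becomes
#   SELECT COUNT(*) FROM users WHERE name = 'foo' OR 1=1 --' AND password = 'wrong'
# and the "--" comments out the password check.
BYPASS_NAME = "foo' OR 1=1 --"


def run_demo():
    """Returns (vulnerable, escaped, parameterized) results for the bypass input
    with a wrong password; only the first should be True."""
    conn = make_db()
    return (login_vulnerable(conn, BYPASS_NAME, "wrong"),
            login_escaped(conn, BYPASS_NAME, "wrong"),
            login_parameterized(conn, BYPASS_NAME, "wrong"))


if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

`login_escaped` is included only to make rule 2 concrete: the translation step is what turns a plain-text string into a well-formed member of the SQL language. Bound parameters remain the better tool because they remove the translation from the programmer's hands entirely, and because a hand-written escaper is correct for exactly one syntactic context.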
But I delegate checks to tools all the time. e.g. I could spend my time checking whether locks are all used correctly in our code, or I could use libraries designed to force correctness[0]. An LLM isn't an ideal solution to linting, but if you're stuck with a language with a weak type system maybe that's all you can reasonably do.
The actual problem is that you're using strings at all. The SQL solution (that the scala macros do) is to use prepared statements and bound parameters, not to escape the string substitution. Basically, work in the domain, not in the serialized representation (strings). Likewise with XSS, you put the stuff into a Text node or whatever and work directly with the DOM so the structural interpretation has all already happened before the user data is examined.
But "work in the domain as much as possible" is a good idea for a whole bunch of reasons (as chatgpt said).
It did also several times indicate there was more to the story. It didn't just say "because that way is safer"; it said it
> Builds a structured query object, not a raw string
> Instead of manipulating strings, you’re working with a query AST / fragment system
And concluded by saying there's absolutely more detail, and that it's important to understand:
> If you tell me which library you’re using (Doobie, Slick, Quill, etc.), I can show exactly what guarantees sql"..." gives in your stack—those details matter quite a bit.
On vibe coded "garbage", I expect there won't be much of a market for such things (why would there be when you can also just vibe it?), so it will more be a personal computing improvement, which already limits the blast radius (and maybe already improves the situation vs the precarious-by-default SaaS/cloud proliferation today even with poor security). I also think tooling and vibe security will be better than median professional level by the time it's actually as easy as people claim it is to vibe code an application anyway. i.e. security (which is an active area of improvement to sell to professionals) will probably be "solved" before ease-of-use. Partly exactly because issues like code injection are already "solved" in better programming languages (which are also more concise and have better tooling/libraries in general), so the bot just needs to default to those languages.
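The XSS half of the argument in the comment above (escape the string, or better, put the data into a text node and let the serializer handle the syntax) as an added example, not code from the thread. Python's standard `html` and `xml.etree.ElementTree` modules stand in for a browser's DOM, `html.parser` stands in for the browser's parser, and the `PAYLOAD` string is a constructed sample.

```python
import html
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed attacker-controlled display name (sample input, not from the thread).
PAYLOAD = "<script>alert(1)</script>"


def greeting_concatenated(name):
    """Pastes a plain-text string straight into the HTML language: any markup
    in the input is read as markup, not as text."""
    return "<p>Hello, " + name + "</p>"


def greeting_escaped(name):
    """Translates the string from plain text into HTML text-content syntax
    (< becomes &lt;, & becomes &amp;, ...). Correct only for text between
    tags; attribute values, URLs and inline script need different rules."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def greeting_from_tree(name):
    """Works in the domain: build the element, assign the data as its text node,
    and let the serializer decide how that text is written in markup syntax.
    The structural interpretation is fixed before the data is ever examined."""
    p = ET.Element("p")
    p.text = "Hello, " + name
    return ET.tostring(p, encoding="unicode")


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags, i.e. how many times input became code."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_tags(document):
    """Parse the document the way a browser would and report the script tags."""
    parser = _ScriptCounter()
    parser.feed(document)
    parser.close()
    return parser.scripts


def run_demo():
    """Script tags seen by the parser for each rendering of PAYLOAD."""
    return (count_script_tags(greeting_concatenated(PAYLOAD)),
            count_script_tags(greeting_escaped(PAYLOAD)),
            count_script_tags(greeting_from_tree(PAYLOAD)))


if __name__ == "__main__":
    print(run_demo())  # (1, 0, 0)
```

The escaped and tree-built outputs are byte-for-byte identical here; the difference is who performed the translation. In `greeting_escaped` the programmer had to know which context the string lands in and pick the matching escaper, while in `greeting_from_tree` the serializer applies the text-node rule because the data was placed in a text node, which is the "work in the domain" point.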
> But I delegate checks to tools all the time. e.g. I could spend my time checking whether locks are all used correctly in our code, or I could use libraries designed to force correctness[0].
Do you believe that because you can delegate some responsibilities without sacrificing important requirements that it follows that you can delegate all responsibilities without sacrificing important requirements? Do you not understand the difference between delegating to the computer proofs such as type checking that the computer can discharge faithfully without error and delegating something as wide and perilous as security to something as currently flawed as AI?
> An LLM isn't an ideal solution to linting, but if you're stuck with a language with a weak type system maybe that's all you can reasonably do.
No, in such a situation you can add LLM-based checks to your responsibility for security. But you can’t delegate away your responsibility to LLMs and say that you care about security. AI ain’t there yet.
> The actual problem is that you're using strings at all.
What percentage of the world’s existing code do you believe does not use strings at all? Tragically, that is the world we live in.
> Basically, work in the domain, not in the serialized representation (strings).
Sure, but you can’t do all your work in the domain. At some point you must take data from the outside world as input or emit data as output. And, even if you are lucky enough to work in a domain where someone has done the parsing and serialization and modeling work for you so that you have the luxury of a semantic model to work with instead of strings, who had to write that domain library? What rules did that person have to know to write that library without introducing security holes?
> [ChatGPT] did also several times indicate there was more to the story.
Great. Then show me how a person who didn’t know of the existence of the rules I shared with you in my previous post would naturally arrive at them by continuing your conversation with ChatGPT.
> security (which is an active area of improvement to sell to professionals) will probably be "solved" before ease-of-use.
I think that this is a naive hope. Security is different from virtually all other responsibilities in computing, such as ease of use, because getting it right 99.99% of the time isn’t good enough. In security, there is no “happy path”: it takes just one vulnerability to thoroughly sink a system. Security is also different because you must expect that adversaries exist who will search unceasingly for vulnerabilities, and they will use increasingly novel and clever methods. Users won’t probe your system looking for ease-of-use failures in the UI. So if you think that AIs are going to get security right before ease-of-use, I think you are likely to be mistaken.
Checking for OWASP top 10 items during code review is usually a mid level dev interview question IME. It's nothing new. Teams don't have to come up with these. These things exist.
Yes, absolutely. A team with a strong code review culture that incorporates security review against common exploits ideally wouldn't end up with holes like this.
> I guess the value of the tool is that it gives you that same benefit for the cost of a few tokens.
But it doesn't give you the same benefit. It gives you the partial benefit of catching these problems before they go to production, but it doesn't give you the remaining benefit of teaching your team about where their mental models are broken. A team that decides to delegate this responsibility entirely to AI is going to have a hard time learning about these serious defects in their mental models. Fixing those defects will pay dividends throughout the code base, not just in the places where AI would detect security failing.
Not if you treat it as a magical box that fixes things on its own. We're a tiny team and our process has improved a lot thanks to processing AI reviews and learning common patterns. It gets tiring to get the same feedback over and over so humans learn.
So you can move faster to the next features obviously. Refactoring for secure code is time consuming, and clearly wasted cycles as the code is working. /s