Hacker News: sdevonoes's comments

In general, you don’t know. Sure, if you have a specific code base in which you already had a bunch of tests (non-AI-generated) and the code you are regenerating is always touching the logic behind those tests, you can assess to some extent your skills/prompt changes. But in general you just don’t know. You have a bunch of skills md files that who knows how they work if changed a little bit here, a little bit there. People who claim they know are selling snake oil.

Cloudflare is not the solution

What is a better solution?

You have to think hard about the problem and apply individual solutions. Cloudflare didn’t work for the author anyway. Even if they had more intrusive settings enabled it would have just added captchas, which wouldn’t likely have stopped this particular attacker (and you can do that on your own easily anyway).

In this case I assume the reason the attacker used the change credit card form was because the only other way to add a credit card is when signing up, which charges your card the subscription fee (a much larger amount than $1).

So the solution is don’t show the change card option to customers who don’t already have an active (valid) card on file.

A more generic solution is site wide rate limiting for anything that allows someone to charge very small amounts to a credit card.

Or better yet, don’t have any way to charge very small amounts to cards. Do a $150 hold instead of $1 when checking a new card.

As far as cloudflare centralization goes though, you’re not going to solve this problem by appealing to individual developers to be smarter and do more work. It’s going to take regulation. It’s a resiliency and national security issue, we don’t want a single company to function as the internet gatekeeper. But I’ve said the same about Google for years.


None of your solutions seem useful in this case, especially a $150 hold. Site-wide rate limiting for payment processing? Too complicated, high-maintenance, and easy to mess up.

You can't block 100% of these attempts, but you can block a large class of them by checking basic info for the attempted card changes, like whether they all have different names and zip codes. Combine that with other (useful) mitigations. Maybe getting an alert that in the past few hours, or days even, 90% of card change attempts have failed for a cluster of users.
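The checks this comment describes (many card-change attempts in a short window, almost all declined, each with a different cardholder name and zip code, plus a site-wide "most attempts failed lately" alert) can be expressed as a small detector over an attempt log. The following is an added example written for this page, not code from the commenter or from any payment provider; the log line format, the field names, the sample traffic and the thresholds are all constructed assumptions, and the IPs are documentation ranges.

```python
"""Detect card-testing bursts against a 'change card' endpoint from an attempt log.

Added example. Log format, field names, thresholds and sample data are assumptions
constructed for illustration, not taken from any real system.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real traffic). Normal users appear once; the burst from
# 198.51.100.7 (user u3) cycles through names/zips and is almost entirely declined.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=192.0.2.10 user=u1 name=alice_m zip=94110 result=approved
2024-05-01T10:04:30Z ip=192.0.2.11 user=u2 name=bob_k zip=30301 result=approved
2024-05-01T10:05:00Z ip=198.51.100.7 user=u3 name=c_ortiz zip=10001 result=declined
2024-05-01T10:05:02Z ip=198.51.100.7 user=u3 name=d_nguyen zip=60601 result=declined
2024-05-01T10:05:04Z ip=198.51.100.7 user=u3 name=e_patel zip=77001 result=declined
2024-05-01T10:05:06Z ip=198.51.100.7 user=u3 name=f_weber zip=33101 result=approved
2024-05-01T10:05:08Z ip=198.51.100.7 user=u3 name=g_lopez zip=85001 result=declined
2024-05-01T10:05:10Z ip=198.51.100.7 user=u3 name=h_kim zip=98101 result=declined
2024-05-01T10:05:12Z ip=198.51.100.7 user=u3 name=i_rossi zip=02101 result=declined
2024-05-01T10:05:14Z ip=198.51.100.7 user=u3 name=j_silva zip=19101 result=declined
2024-05-01T10:05:16Z ip=198.51.100.7 user=u3 name=k_brown zip=48201 result=declined
2024-05-01T10:05:18Z ip=198.51.100.7 user=u3 name=l_chen zip=75201 result=declined
2024-05-01T10:09:00Z ip=192.0.2.12 user=u4 name=mary_j zip=73301 result=declined
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) name=(?P<name>\S+) "
    r"zip=(?P<zipcode>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    name: str
    zipcode: str
    approved: bool


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse log lines into Attempt records, sorted by time; malformed lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        attempts.append(Attempt(_parse_ts(d["ts"]), d["ip"], d["user"], d["name"],
                                d["zipcode"], d["result"] == "approved"))
    return sorted(attempts, key=lambda a: a.ts)


def detect_card_testing(attempts, key="ip", window=timedelta(minutes=10),
                        min_attempts=5, max_success_ratio=0.2, min_distinct_identities=4):
    """Sliding-window check per key (ip or user). A key is flagged the first time that,
    within `window`, it has made at least `min_attempts` card-change attempts, at most
    `max_success_ratio` of them were approved, and they used many distinct name/zip pairs.
    Returns {key: stats at the moment of flagging}."""
    recent = defaultdict(deque)
    flagged = {}
    for a in attempts:
        k = getattr(a, key)
        q = recent[k]
        q.append(a)
        while q and a.ts - q[0].ts > window:   # drop attempts older than the window
            q.popleft()
        if k in flagged or len(q) < min_attempts:
            continue
        successes = sum(1 for x in q if x.approved)
        identities = {(x.name, x.zipcode) for x in q}
        if successes / len(q) <= max_success_ratio and len(identities) >= min_distinct_identities:
            flagged[k] = {"first_seen": q[0].ts, "attempts": len(q),
                          "approved": successes, "distinct_identities": len(identities)}
    return flagged


def decline_ratio(attempts, since=None):
    """Site-wide share of declined attempts (optionally only since an ISO timestamp),
    for the 'most card changes failed recently' alert described in the comment."""
    cutoff = _parse_ts(since) if since else None
    pool = [a for a in attempts if cutoff is None or a.ts >= cutoff]
    if not pool:
        return 0.0
    return sum(1 for a in pool if not a.approved) / len(pool)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for k, stats in detect_card_testing(events, key="ip").items():
        print(f"card-testing suspected from {k}: {stats}")
    print(f"site-wide decline ratio: {decline_ratio(events):.2f}")
```

Keying the same check by `user` as well as by `ip` matters in practice: an attacker rotating source addresses still has to use some account on the site to reach the change-card form, so the two views catch different evasion strategies. The flag fires at the first moment the thresholds are met, which is what you want if the alert is wired to throttle or pause card changes for that key.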


>None of your solutions seem useful in this case, especially a $150 hold.

Attackers are going after small charges. That's the reason they're going after these guys in the first place.

>Site-wide rate limiting for payment processing? Too complicated, high-maintenance, and easy to mess up.

And then you give a solution that is 10x as complicated, high maintenance, and easy to mess up.

>You can't block 100% of these attempts, but you can block a large class of them by checking basic info for the attempted card changes like they all have different names and zip codes.

This is essentially a much more complex superset of rate limiting.


A $150 hold would clearly be noticed by the victim, so the attacker wouldn't even try it.

Maybe if my bank emailed me, otherwise I doubt it. Local gas stations routinely use $200 holds and I'd have to go way out of my way to see it happen.

The point isn't whether every user actually notices it; it's that enough of them do that attackers are specifically looking for the ability to do small charges. If you remove that capability, they will look elsewhere.

Yeah… no it wouldn’t. I’ve watched users have their bank accounts emptied (by accident) because they kept refreshing. A measly £150 isn’t going to register until it’s too late anyway.

There's a reason attackers exploit any site that lets them do small charges, it's because enough users will notice a larger charge.

Whether every user notices it or not, attackers are looking for the ability to do small charges, and if you remove that they'll move on.


Progress is good. But why on earth should we support Anthropic/OpenAI/etc.? What the planet needs is fewer multibillion corporations, not more.

You don't have to. Just like you don't have to support Amazon for web services and file stores.

Or Oracle for databases.

Or Microsoft for operating systems.

Or DEC for computers.

There are perfectly good open source LLMs and agents out there, which are getting better by the day (especially after the recent leak!)


I want to support local models and compute over SaaS models.

I want to support RISC V over Intel.

I want other things too, and on balance, Intel+Anthropic is most compliant with my various preferences, even if they're not perfect.


Can’t we just sabotage AI? We have the means for sure (speed-of-light communication across the globe). Like, at least for once in the history of software engineering we should get together like other professionals do. Sadly our high salaries and perks won’t make the task easy for many.

- spend tons of tokens on useless stuff at work (so your boss knows it’s not worth it)

- be very picky about AI generated PRs: add tons of comments, slow down the merge, etc.


I think you should be very picky about generated PRs not as an act of sabotage but because very obviously generated ones tend to balloon complexity of the code in ways that makes it difficult for both humans and agents, and because superficial plausibility is really good at masking problems. It's a rational thing to do.

Eventually you are faced with company culture that sees review as a bottleneck stopping you from going 100x faster rather than a process of quality assurance and knowledge sharing, and I worry we'll just be mandated to stop doing them.


> be very picky about AI generated PRs: add tons of comments, slow down the merge, etc.

But that's the opposite of sabotage, you're actually helping your boss use AI effectively!

> spend tons of tokens on useless stuff at work (so your boss knows it’s not worth it)

Yes, but the "useless" stuff should be things like "carefully document how this codebase works" or "ruthlessly critique this 10k-lines AI slop pull request, and propose ways to improve it". So that you at least get something nice out of it long-term, even if it's "useless" to a clueless AI-pilled PHB.


It really is the albatross around the neck of software and software adjacent professionals... How you don't see the value of collective action is wild to me. Most of you are still working class, you can't survive that many years unemployed...

But the Kool aid has been drunk, and the philosophy of silicon valley cemented in your field. It will take a lot of pain or work to get it to change.


Generate hundreds of repos of plain old spaghetti code and put them on GitHub. Easiest thing you can do.

Weird. Their main appeal was that they were EU based. Now not even that.

Their appeal is quality of translations. The customers who care about them being EU based are a rounding error at most.

Not really. I use Claude at work and I wouldn’t use it at home because a) the same plan would cost $200/month… and I don’t enjoy paying that amount of money for a toy, b) it’s not open source, so I cannot trust Anthropic to give them access to my stuff.

> So we have been able to argue things like add one local + ai is better than about 20-100 Indians

And you just say this like it’s nothing. Lack of respect to tons of Indian people who work in IT, whom I have had the pleasure to work with.


I have yet to see quality work come out of India.

I do not believe I have even seen "good value" output.

What is there to respect?


All my colleagues that feel super productive pushing code written by LLMs share the same traits: they never really cared much about quality. And nowadays nobody wants to review their code/docs because it’s just painful. Heck, not even they are reviewing their supposedly own stuff. PRs with dozens of changes the author doesn’t even understand? Won’t touch that. An RFC of 30 pages of which the author didn’t write a single line? Won’t read that.

And they write hundreds of MD files (for skills) that never break. No sense of accountability.


I love tech. Reading tech books is something I do on a daily basis. I work on personal side projects, learn new ways of solving things, languages, frameworks, libraries, etc.

But I have to say that as I grow older, I like less and less the tech my boss makes me work on. And that applies to perhaps the majority of potential bosses out there.


I wish that were also true for the case of Claude/Codex/etc.

