unicolet.org

News broke recently that Claude Code found a 23yo old vulnerability in the Linux Kernel NFS driver . If, for one second, we stop with the fear mongering we can realize that this opens up lots of interesting opportunities for a better (more effective) approach to security testing. Instead of relying on outdated models like pentesting, we could "just" feed the application source code to an LLM and have it find vulnerabilities. This is enabled by the fact that understanding a large code base (or any code base for that matter) is more difficult (and practically impossible) than applying known attacks to the external surface area. LLM suddenly make the former convenient enough and actually cheaper than a pentest. Cyber Security consultancies need to update their business model. 

I'm kind of surprised Slack hasn't yet put out an AI feature. The potential is immense, imagine how many times the same question is asked and answered in a workspace... 

Mostly out of curiosity and desire to learn I've tried to run open models locally on both LM studio and ollama, but I quickly realized the limitations intrinsic to my hardware (just a high-spec'd laptop). Curious to try AWS Bedrock I eventually settled on the following setup: litellm exposing Bedrock models (Qwen, atm) locally on an OpenAPI-compatible API (yes it's a mouthful). This works great for any tool that can be configured to use an OpenAPI-compatible API like Quill meetings . Getting VS code to work with this setup was more challenging as it required VS Code Insiders (the bleeding edge, AFAIU) and even in that case VS Code tends to forget settings or use them inconsistently. For example it always uses copilot for the inline code actions. llm  required some tweaking too, in particular the setting suggested in this comment . I am very impressed with litellm which provides accurate usage tracking per team or account. The potential for offering llm access on an interna...

 Perspective is worth 80 IQ points Alan Kay’s line “Perspective is worth 80 IQ points” isn’t about literal intelligence. He’s pointing out that the ability to shift viewpoint, reframe a problem, or see a system from a higher level often produces more insight than raw analytical horsepower. Many problems look hard only because they’re being viewed from a narrow frame. Change the frame, and what looked complex becomes obvious or solvable. Why Perspective Feels Like “+80 IQ” A few mechanisms: Reframing reduces complexity. Seeing the structure of a problem—rather than its surface detail—often collapses the difficulty. It mimics what we associate with “smartness.” Most people get stuck in the default frame. They try to optimize inside an assumption instead of questioning it. Someone who steps outside can leapfrog them without being “smarter.” Systems thinking detects leverage points. Understanding how components interact exposes shortcuts, invariants, and constraints th...

You can't say you understand today's AI landscape without listening to this massive (4 hours!) Acquired episode on Google, focusing on its AI roots . Over three episodes, Acquired has a little over 12 hours worth of podcast just on Google! Well worth it IMO for  the greatest business in history . Selected highlights: [07:23]   basically every single person of note in AI worked at Google with the one exception of Yann Le Cun who worked at Facebook This is truly mind-bending to think about, especially considering that Google is (at the moment) not the first name that comes to mind when we think about AI (LLMs) today. But the real kicker comes a few minutes in when we learn that did you mean? (launched in 2001!!) and google translate  (2006) are the first practical application of language models to its search business which made it exponentially more effective. About 25 years ago, Google was already running machine learning in production, at fantastic scale (about 15...

Once again , some supremely well-thought and useful content from Oxide:  https://rfd.shared.oxide.computer/rfd/0576 This time it is about the use of LLMs within Oxide , here are my main take aways: start from values ! A phenomenal example of how values can be so much more than the vanity checklist that most companies use them for focus on the receiving end : why should I spend time reading something that the author did not think was worth enough spending the necessary time to write it? Again, goes back to their strongly writing-oriented culture and values corollary of item number 2: self review AI-generated code before asking others to review it!

Thoughtworks just published volume 33 of their Technology Radar . I found some interesting gems in it that I thought were worthwhile re-sharing: LiteLLM : I've been playing around with it to share AWS Bedrock models over a local, OpenAI-compatible API and I am impressed with the breadth of features (for example budgeting). The AI ecosystem is vibrant and flourishing. Continuous Compliance : so happy to see this mentioned! Personally I would expand the term to include other compliance tools like Vanta and I am convinced that this kind of automation and software will be essential for organizations to scale while meeting increasing regulatory demands. AGENTS.md : as someone who reads Simon's Willison blog, this is no surprise and a welcome confirmation (another file to watch out for:  CLAUDE.md ). Oxide : I wrote this post almost exclusively to mention Oxide 😅, a company I admire. Whenever people ask me about my cloud exit strategy, my answer is: Oxide. Here's why .

We are essentially taking expertise and making it a commodity, and I think that as generally democratizing, I think many of the things I mentioned, if you have wealth, you have a lot of access to, and if you don't, you don't . What a cool thing that we've made this like universally accessible. From: https://www.acquired.fm/episodes/how-is-ai-different-than-other-technology-waves-with-bret-taylor-and-clay-bavor  (slightly edited)

Via The Register : He cited a use case at US healthcare company Vizient where the CTO asked employees what tasks bother them on a regular basis – the sort of thing everyone dreads having to do when they arrive at work on Monday morning. Armed with feedback from thousands of employees, the company automated the most-complained-about chores. The result? “Instant adoption, zero change management problems,” Brethenoux said. Employees then bought in to AI and started to make good suggestions for further AI-enabled automation.

One of the things I like the most about Accelerate is how it puts the focus on Culture and how a (measurable) Culture affects information flow. In other words, you can have a great working place and be business-effective (the two are not mutually exclusive, in fact they compound each other). Also, Accelerate introduced Generative Culture to a wider audience. Recently, I read the  Poor Charlie's Almanac and one of the things that caught my attention was the inversion principle . In my words: Inversion says that, often, the best way to solve a problem is to ask ourselves how to cause the problem, and then stopping/avoiding doing that I've set a goal to apply the inversion principle more in my activities, and today I said: what if I applied it to Culture? Being the lazy person that I am I asked Claude the following question: you are a manager in a medium-sized organization. How can you actively disrupt the flow of information in order to reduce the organization's effectivene...

TL;DR: impressive 🤯 I wanted to play with D3 to create a visualization, so I picked an example ( Bubble chart) and then started hacking at it (literally) in VS Code. Before long, I realized I had just downloaded Cursor , but not had an occasion to try it out. I thought this might be as good as any. Opened the project folder and its one HTML file, then stated prompting away. It got all the modifications right: add axis labels add labels to the bubbles change the tooltip to show all the data of the particular record; one of the attributes is confidence and goes from 0 to 1: Cursor guessed it is a percent and formatted it as such!  added a line showing the break-even point Cursor edited the file for me, and I just had to accept the change, save, reload in the browser. Made some tweaks myself where it was simple enough. Much better than copying and pasting in the chat. Where it blew my mind was when I resized the chart and added a section below which I titled "Explanation:" ....

In the past years we've heard all kinds of statements on LLMs and sw development: from AI will replace developers to AI lowers code quality . I think it's a bit of both, and the reality most organizations will face is that they'll need BOTH humans and AI. The optimistically proclaimed cost-savings from replacing humans with AI will most likely not materialize in the long term. By following Simon Willison blog in the past two years, I came to the conclusion that the most effective humans are those that can bend and craft their own AI tools and are willing to go to the extreme extent of completely reworking their coding workflow to suit this new technology . For example, see Harper Reed's LLM workflow  or Simon's Willison own setup . Everybody else who's "just" relying on the IDE integration of chat will reap limited benefits, because this approach is tailored for the human and not the LLM. I would also argue that platform, integration and helpdesk/sup...

I was reading this interesting analysis on Nvidia competition (as usual, his blog should be on your feed) from Simon Willison and this bit caught my attention (emphasis mine): Technologies like MLX, Triton and JAX are undermining the CUDA advantage by making it easier for ML developers to target multiple backends - plus LLMs themselves are getting capable enough to help port things to alternative architectures . I found it curious that the very same thing that's been fueling Nvidia's success could also help reduce/eliminate their moat.

Disclaimer: I am not affiliated with Unblocked, nor Unblocked sponsored this post in any way. This is my a genuine account of my time spent with Unblocked. I wanted to give Unblocked a try for a while, but never got a good excuse. Last week I came across opslane , which does something I always thought would have been great to have as part a ChatOps setup. Since opslane does not support Prometheus Alertmanager I decided to fork it, and then give unblocked a try. First, I familiarized with the code in a codespace, once I had an idea of how the code is setup I decided to give Unblocked some tasks. The first one was to ask: how do I add a new alert source? BTW, these are the actual questions I used. As far as I can tell Unblocked answer was detailed and accurate. However, before jumping into writing code I needed to assess if my codescene could run tests. We should only touch a codebase after we've ensured it passes tests (it's green), righ...

Warning: strong language ahead.

Compelling analysis of the Verizon Data Breach Investigations Report : 1. financial motive is behind most breaches 2. IT systems are the easiest target: developers have figured out how to quickly patch their systems, IT has not yet 3. AI is *not* playing a role in cyberattacks (yet?) 4. email still plays a relevant role because  of email overload

Context: perfecting the art of managing up, and in particular, reporting to the board of directors. Another great podcast episode from The Knowledge Project/Farnam Street in which they touch on various topics, but one caught my attention. At a certain point they talk about a period of underperformance and this sentence caught my attention: I understand what you are doing and why you’re doing it, and I understand what you are not doing and why you are not doing it. See you next month. And I was thinking at the current AI hype, but then again I think it applies to any hype in technology, as we seem to experience this on a pretty regular basis (AI, crypto, microservices, big data, cloud, nosql, SOA, etc). So I think in the future I'll borrow this practice and, in addition to covering what we do, I'll also cover what we are not doing and why . On the theme of AI a couple of data points that I think are relevant: looking at impact of AI on financial results . I mean, at the end,...