Hi, this is Carl Franklin.
And this is Richard Campbell.
We've got two special shows coming up soon, episode nineteen ninety nine and two thousand.
For episode nineteen ninety nine, we're collecting people's Y2K stories: what did you do to help the Y2K event not actually happen?
And for episode two thousand, we're going to be sharing stories about how dot net shaped your career.
We have a special page at dot NetRocks dot com slash voxpop where you can record messages for us that we can play on these special episodes. So tell us what you did for Y2K and what dot net means to you, and of course how long you've been listening to dot net rocks. So go to dot NetRocks dot com slash voxpop now and leave us a message before the thought evaporates, like whiskey left in a glass overnight. Do it.
Hey, it's dot net Rocks. I'm Carl Franklin and I'm Richard Campbell. And you know what? Where I am, it's cold. You know why? There's so much fun snow. I'm supposed to get a pellet delivery. They can't even back the truck up to the basement to put the pellets in. Now, I got to pay two hundred bucks to have the guys trudge them through the house and down the stairs. Oh my god, it's snowmageddon.
Is that cheaper than having someone plow all that out? Like?
But it's grass. I don't know what the answer. There's no plowing, right, there's no plowing to be done otherwise ripping and tearing.
I didn't even want to tell you how nice it is on the west coast now, like we've learned to shut up because the East Coast's getting nailed. Oh she got nothing here. It's ridiculous. It's ridiculous.
We never had this much snow and also a cold snap that's been below freezing for like three weeks.
Yeah, this is the polar vortex, right, the destabilization of the Arctic high is pushing down into different parts of the world. Yeah, and you are one of those parts.
Yeah, we're we're getting more snow than the rest of the country.
Yeah.
All right, So let's talk about what happened in nineteen eighty nine. Oh, my god, so much stuff happened. Yeah, the fall of communism, well.
The beginning anyway. I mean, it'll take a couple of years, but definitely the Eastern Bloc starts to unravel.
Yep, and the Soviet Union basically says we give up, we're done. Yeah, we're not going to control all these countries anymore.
Yeah, I mean, and then we've been to a bunch of them and there they're museums and things like I'm thinking about in Vilnius, the KGB Museum where they basically left it as it was as the Soviets pulled out in nineteen eighty nine. The duty uniform is still hanging on the wall, all the documents they have been shredding for months, like they knew things are coming.
And next year, as in the next episode, we'll talk about nineteen ninety and that's where things really kind of well, some really good things happened, and you know, a lot of craziness happened.
To you know, we in the West look at nineteen eighty nine and the collapse of the Eastern Bloc as a dramatic progress in the world. But you understand that for Russians and for the Chinese it was the ultimate disaster. Right, Like, there's so much of the current conflict going on today that start with the collapse in nineteen eighty nine, right, because you know the other thing that happens in nineteen
eighty nine, that's Tiananmen Square. Yeah, yeah, and that was, you know, there's this idea that as they opened up and became more Western, they would adopt, you know, the Western culture, and this is the closest that China did. But after the crackdown of Tiananmen Square, the establishment of the technocracy at that point when today would just plain old call it at an autocrat really turns at that moment.
There's a lot of that still happening. It's like, we like democracy, but don't you dare protest?
Yeah, well they you know, don't like democracy. You will there's one party. You follow the system, and you don't follow the system, you will be re educated.
Yeah, yep. Exxon Valdez of course. Yeah, biggest oil spill currently, eleven million gallons.
Yep. We're, you know, talking about putting a pipeline through the west coast, British Columbia, and Valdez comes up because it's not that far away that when stuff like bitumen leaks into the ocean, it's a big deal.
And that's when the dishwasher detergent Dawn got very popular.
Well, it saves a lot of birds. And we don't let's not leave out the fall of the Berlin Wall because that's December of nineteen eighty nine.
Yeah, all right, so what happened in technology and space in nineteen eighty nine.
Let's do space first. So there are five Shuttle flights, and again I'm not going to go into detail on all of them. Discovery flies twice, just launching satellites. Columbia does a single mission and it's a secret military flight that they don't televise anything on. It's probably a satellite, but we don't really know. But the two cool flights are both on Atlantis, which are satellite launches, but they're interplanetary probes. They launched the Magellan probe to Venus and
the Galileo probe to Jupiter. This Galileo probe was one of the great observatories, although it had a problem. Its main high speed antenna never deploys properly, and it'll be bandwidth limited its entire existence. Wow, But it'll still do
its job, just take longer to do it. I have been remiss, my friend, since we got into the eighties to talk about space station Mir, because it's an incredibly important piece of science, and it started in eighty six, and I really haven't mentioned it a lot. But in nineteen eighty nine they actually launched a third module. So the core module goes up in eighty six, which is basically a modified Salyut. Oh and by the way, at this moment, the Soviet Union is operating two space stations in space
they have, Yeah, they had the Salyut seven. This is in nineteen eighty nine, which will continue operating till nineteen ninety one. The last of the Salyuts and Mir, which started in nineteen eighty six, which will keep running until nineteen ninety six. So in eighty six they launch the core module. In eighty seven they do Kvant one. And this is the first time ever in civilization that a multimodule space station was built. Mir is the beginning of that.
And in nineteen eighty nine they launched Kvant two, and so while Kvant one was almost entirely astrophysics and sensors and things, plus some infrastructure like gyroscopes, Kvant two has the airlock, the EVA airlock, on it for the Orlan space suit and their maneuvering units, as well as more life support, sensors and so forth. And there'll be a few more modules, including eventually the docking port for the Space Shuttle.
You know, the only thing I remember about Mir was there was some sort of leak and they had to evacuate.
There was an accident with the Progress supply ship. They lose control of it and it collides with the station. It's an incredible story. Yeah, it's huge, and they lost one of the newest modules, the Spektr module depressurized, although they were able to still use it. They just have to go to space suits to go into it. On the interplanetary side, Voyager two makes it to Neptune, takes our best pictures of Neptune ever, and last but not least,
the Phobos missions. So again into the Soviet Union. The Soviet Union tried so many times to go to Mars and they failed consistently, and they were still launching in pairs like the Mariner missions the Americans used to do. Phobos one and Phobos two, these were two of the largest vehicles ever flown or attempted to fly to Mars. They were sixty two hundred kilos each, so that's like twelve thousand pounds. Like these were huge,
huge vehicles. Phobos one has a very anomalous experience where it's launched in nineteen eighty eight but a mis-entered manual command disables its thrusters and they lose control of it almost immediately.
Ben, that was you right, totally.
That wasn't. It was a programmer, and who was ultimately punished for it was kind of a big deal. But what happened, this is almost exactly what happened to Mariner one, where they put in a command wrong and literally lost the vehicle in the process. There was test code in the computer for Phobos one, and this is a very logical
test code. When you're on the ground, it's one of the things you do after you finished a test sequence is you disable the maneuvering thrusters because those things are full of toxic chemicals and when it's on the ground, you really don't want those going off, right, and so when you complete the test sequence, it would immediately shut those off. Now you don't need that test code in flight.
But because it's the nineteen eighties, they only have PROMs, and so the only way to remove that code would be to dismantle the computer and replace the PROM. So they don't do it. They leave the code in with a big sign saying don't run this code. Anyway, guess what? They ran the code. So a mis-entered command ended up firing that code, which disables those controllers, and there's no way to restart them. And so Phobos one, it never gets to Mars, never gets used. But
Phobos two they have more success with. Originally supposed to fly in eighty six, it flies in eighty eight, and it actually enters Mars orbit in nineteen eighty nine, which is a huge success. However, and it was called Phobos for a reason. There was very much gentle political maneuvering, right, this is perestroika and so forth. So they don't want to step on the Americans. So they're trying to do things at Mars that the
Americans haven't done. These were called Phobos because they were specifically going to map and explore Phobos. They even want to put a little rover down. All these kinds of things. They didn't get to do most of them. And they used this triple computer system, which is just the same thing the Shuttle did, where you have three computers and
whichever two agree that's the correct command. Except one of the computers completely fails on the way to Mars, so now they're down to two, and then the second one, a second one starts to fail and gets erratic, so the one that's working correctly can't send commands because it's only one.
See, this is further proof that everybody who goes to space should always send a programmer with them.
You know, I don't know if that guy would like that ride. It's not very comfortable, wow, and the bandwidth is mediocre. Anyway, they do manage to get thirty seven photos of Phobos and map about eighty percent of it. They're the most detailed pictures we've ever had of that, before they lose control of the vehicle because the computer just kick. So that's space in nineteen eighty nine.
All right, I know what's coming next, Richard. What the birth of the World Wide Web nineteen eighty nine.
Oh yeah, no, it's a There's three important Internet things that happened in nineteen eighty nine. The first is the Internet passes one hundred thousand hosts, which is tiny when you think about it, but at the time, and we understand in nineteen eighty nine, the Internet's not a for sure thing. It's sort of a sideline academic thing. It's not that important. Yeah, the big initiative in industry is OSI. This is IBM and Sun and even Microsoft. This is
what Bill was talking about at the time. He won't change his mind for a couple of years yet, but yeah, one hundred thousand hosts worldwide. It's also the first commercial dial up connection. So a company called the World std which is kind of a bad name. Did you ever check that?
Should have picked a better name?
Yeah, World, I mean maybe they knew that viruses were going to be coming along.
Who knows.
Oh, there you go.
This isn't okay, Yeah, funny you should mention that. I'll be talking about that a little later there, Ben. So, yeah, that was the first time you could actually buy a connection, a dial-up connection to the Internet in North America, was, you know, this company called World STD. And of course, our buddy TBL, Tim Berners-Lee, submits a proposal to CERN for a distributed document management system which we'll later know as the World Wide Web.
I have a quick story. I was working at Crescent Software in the nineties, the early nineties, between ninety and ninety four and eighty nine to ninety four, I can't remember, and we came out with a control for Visual Basic called the hypertext control. And all it was was you were able to, you know, show text with a code that, it wasn't HTML, but it was a code that had a hyperlink and then it fired an event with the hyperlinks that you could do whatever. And we thought
this was like totally amazing. But it was around this time that that and it wasn't even one of our programs that came up with it. It was somebody who we had worked with a consultant, and that control went in our collection. Isn't that cool?
Yeah, it's cool, and you know it speaks to that whole embedded WebView and so forth. Like you guys were ahead of this time with doing that. All right, a few other computery things. Microsoft releases the first version of Office for the Mac. CorelDRAW comes out. Oh yes, I remember. SimCity, woo. Yeah, the zip file format, Philip Katz's encryption algorithm. Yes, the first version of SQL Server one point zero. It's a sixteen bit version of server
for OS/2. Yeah. It's a, yeah. It's a port of Sybase SQL Server, a collaboration between Microsoft, Sybase and Ashton-Tate. Remember, for dBase, those guys, dBase, there you go. And Sound Blaster. Yes, so Creative Technology out of Singapore. It's actually their third sound card. Their
code name on this one was Killer Card. Of course, nine-voice FM synthesizer using the Yamaha YM3812, and it was not, oddly enough compatible with the AdLib card, which was really the first of the PC sound cards to storm the market. They crushed the AdLib card and they will crush them all. Yeah. By far be the dominant product space.
I had dinner with Mr. Sim, who was the engineer behind the Sound Blaster, when I worked for Voyetra.
Well, in the fact they called the Killer Card. I think they knew we're going after this market and we're going to take it.
Yeah, and they did.
Intel releases the four eighty six DX, so our thirty two bit processors, they're getting bigger and faster, and it will, of course, you will also be able to get the four eighty seven math coprocessor for it. And Philips and Sony, in a rare collaboration, produced the first recordable CD. They called it the CD-WO for Compact Disc Write Once, which of course is the standard for all CD back. That's right. Once you write on it, you can't
write on it again. And in reference to Ben's comment about viruses, the very first recorded case of ransomware, the AIDS Trojan, encrypted and hid files and then you could pay one hundred and eighty nine dollars to get the encryption, decryption key, although later security analysts decompiled the code and found the ransomware key in the code, so you didn't need to, just showing that the bad guys are usually not that smart.
You know, if you're gonna ask for money, ask for more than one hundred and eighty nine dollars.
I was going to say, I think we've had a lot of inflation since then.
Yeah, Well, yeah, this is some pure criminal career advice.
It's nineteen eighty nine, so one hundred and eighty nine kind of makes sense. I think. I don't know. Yeah, Okay, that's what I got.
All right, I guess it's time for Better Know a Framework.
Awesome? Alright, man?
What you got? Well, it's kind of a meatball softball. I just want to bring some more attention to my security podcast, since we're talking about that with Ben today, AI security: Security This Week. So what's different about this podcast? First of all, what it is: we talk about, I don't know, six or seven stories from the week where there have been breaches, where there have been attacks, or somebody got caught, or somebody did something great, or there's some nasty zero day bug that we need to pay
attention to. But a lot of it has been centering on AI stories lately, and it just is abundantly clear that once the AIs get a hold of, you know, creating zero days, and they already do zero day exploits and exploiting them like at an insane clip that you know, we're all kind of screwed and unless we're taking some real precautions and guardrails. But anyway, it's the Security This Week podcast. And the other thing about it is we laugh to keep from crying, you know, because some of
this stuff is just so horrible it's frightening. But we certainly do or laugh our way through it. So that's it.
Awesome time.
Who's talking to us today, Richard?
I got a comment from a listener, actually a direct message in LinkedIn, and this is from Timo toy venone and I hope I pronounced your name correctly. I bet I didn't. And he said, I'm a longtime friend from Europe and I'm reaching out via LinkedIn because I couldn't find the listener email. I hope that's okay. It's Richard at PWOP dot com too, But yeah, okay. Your show has been instrumental in landing my dot net engineer and architect role back in twenty five to twenty thirteen, and
thanks for all the great content over the years. Just a reminder we've been doing the show entirely too long. After a decade away in agile coaching, I'm transitioning back to dot net as roles now blend scrum master and product owner with technical dot net advisor and architect responsibilities. So my challenge: how to efficiently relearn the stack after ten years away, what's fundamentally changed versus what stayed the same? Where would you focus?
And this is a relatively new comment.
Yeah, no, he just got it. So he left in twenty thirteen, and now it's twenty twenty six and he's got a new job and he's started looking at you and just trying to think, like twenty thirteen cloud is brand new and still very questionable.
Yep, right, you're not automatically moved there. There's no open source dot net, nope.
Or before the open source versions of dot net and open sourcing of the dot net framework, before all the Roslyn stuff, like it's before any of that. He left arguably at the height, actually the beginning of the, there really is the dark times. Like, what I would argue the height of dot net is twenty ten, right, Studio twenty ten, F#, the support for open source is just beginning in there, right, we've got early web tools, you know, IE nine still not out yet,
like just sort of hit that, you know. Visual Studio twenty twelve was the one that was all about Windows eight and they put the upper case menu items, and all menus are uppercase in Visual Studio. So there was the twenty thirteen edition, and we took that back out. So that's a great thing about a bad feature. You get two versions out of it. And then he's gone. He goes off to live in a happy agile land.
Yeah, so wow, a few things have changed.
What all's changed? Yeah, I mean, oddly enough, you're going to have to think about AI tooling certainly coming in now. The nice thing is you've you've left, you can skip over a ton of stuff like you're you really need to restudy c sharp and the modern expressions of the language and the is it it looks very different today.
The real thing here is that you know, dot net went from being a Windows technology to being a multi platform open source technology.
Yeah.
C# itself is open source. A lot of the tools are open source. Visual Studio Code is open source, and so you know you're not getting charged for, you know, big enterprise, I guess enterprise editions of Visual Studio they still charge for but.
Still out there.
Yeah, still cost the same, but you don't need that. There's a free version, the community version of Visual Studio if you want to stay there. That's sure. It's just free.
But you know, thinking about Timo in his architect's role means he's also going to be dealing with web devs that have never touched studio in their life. They maybe use studio code, and they still going to be a part of the project, so that they're going to need the dot net kit for that. Yeah, as well as some traditional droppers like I hope they were cross to the modern version of dot net because life is better over there, without a doubt. Oh yeah, that depends on
the kind of clients they're ultimately going to build. He's missed all of containerization for the most part.
Yeah, that's right. Unless he kept up with it.
He lay out our software a wee bit different.
Now he might have caught up with it. Kept up with it on the other side, though.
I know it's a big bite, but you know, if we were learning containers from scratch right now, I'd just go directly to Aspire, because you don't use containers for fun. You're doing it because you're going after cloud architecture, and whatever bit of scaffolding you can do to get you to cloud style architectures will make your life easier. So yep, that's certainly an easier bite.
Yeah, I agree.
Anyway, I thought it was a fun comment. Yeah, Timo, I hope this guy gave you some ideas. Certainly this show we're talking, you know, more about some of the contemporary tooling and the problems therein. So, and there's plenty more shows. So you dig through the catalog a bit, I'm sure you'll find a few that'll help you. So, Timo, thank you so much for your comment. And a copy of Music to Code By is on its way to you. And if you'd like a copy of Music to Code By,
write a comment on the website at dot NetRocks dot com or on the facebooks or the LinkedIn's if you like, and if we read it on the show, we'll send you a copy of Music to Code By.
Music to code by dot net if you want to get it yourself, MP3, WAV and FLAC format. All right, so let's introduce Ben Dechrai for the first time here on dot net rocks. Ben has been a software engineer for over twenty five years. He's a Microsoft MVP, and he's been knee deep in security and developer relations for most of his career. He's spoken at conferences like
DEF CON, NDC, DevIntersection, et cetera, et cetera. These days, he's co founder of ven Labs, a startup studio based in Kansas City, and he's just about to launch braid Flow. And that's br aid Flow, an AI platform that tackles the context drift problem, keeping AI conversations focused when things get complex. Welcome Ben. Thanks, thanks for having me. Wow,
where do we start? I mean, AI security is such a big problem, and I just want to preface this by saying, a couple of weeks ago, I got a brand new six thousand dollars multi machine here in ninety six gigs of RAM, thirty two gig, a fifty nine hundred series card, for the purpose of turning it into my personal, you know, LLM with Ollama that I can use like a GitHub Copilot. And it is not going well.
No, we were trying something similar here the other day, my wife and I, and we took a pretty good gaming rig and installed llama.cpp and it runs dog slow.
Well, Ollama runs great on it locally, and even if I do, you know, if I'm running it just talking to Ollama. But what I really want is an agent, you know, like a GitHub Copilot CLI that does everything, and these things, like, I can't get them to get beyond, you know, the JSON that they're going to send and then they never send it. Like I've tried three or four of them and they all get stuck there.
So I don't know.
But that's not here nor there. I just want to I just want to preface that story.
Sure, I mean we can dig into that as well if you want. It's somewhat related to the security thing. Like one of the big issues that a lot of organizations have at the moment when they're thinking about do we let our developers use these AI development tools is what happens to that code? Where does it go? Whose stories? And you have data sovereignty issues with countries as well, or even austrating client to the moment who is like.
Yeah, that's exactly why I want to run Ollama locally because my customers don't want me using.
The tools. So it's hugely. I see a future where probably a lot of people, mostly people who use technology heavily already, will have their own inference machine at home. I think that's just going to be commoditized.
Well, and it just gets rid of the token issue too, questioning the massformans. Of course you're going to get from it rather than sure, you know, although sooner or later, these all you can eat accounts are going to go away.
Oh yeah, I mean they're heavily subsidized in the moment. They can't continue to do that. Even if if electricity prices and all the associated costs come down, it's still heavily subsidized.
Yeah.
But the other thing is, like I would be happy at the moment with an inference machine that was perhaps a little slower, but didn't have that. So I use Claude Code and they have the five hour window, and if I could get it to do something for ten hours while I'm sleeping and not just stop halfway through, yeah, it doesn't really matter to me if it's a bit slower, because it still gets more done overall.
Yeah. Yeah, I've definitely got friends running multiple all-you-can-eat accounts because they literally run them against each other overnight routinely. Like that's just the way you do work, right, you get up in the morning to see what your half a dozen bots have cooked off for yourself. I'm sure you're spending a couple of grand a month, but.
Work just between me and my wife, we're spending easily five k a year if we're looking at two Max accounts each, sure, five, six k a year. And then we've got all the other tooling on top. How much does it cost to build a pretty good rig for home? How quickly could you pay that off? In terms of return on investment, I don't think it'd take that long.
Well, and like I said, this one costs six thousand, right, and it's all in one box. Right, it works great?
Yeah, yeah, well I'll catch up with you afterwards. I'll find out what specs you're running.
It's in true reality. And I was just reading Anthropic is now offering you, for a fee, faster service from them. Yeah, two and a half times, so you can sort of go fast lane with them. So I feel like those guys, the Claude guys, have got it figured out. Of all of the companies, the new AI companies, rather than the tech giants, the one that seems to be making things that people want and will spend money on seems to be Anthropic, today anyway. The other
thing I really like about Anthropic is their stance on security. Yeah, they've got huge research teams making sure that they're being as ethical as possible. They understand the repercussions, that they're fixing guardrails, all of those kind of things. Like if I had to put my money on which one's going to survive because they, quote, do the right thing or pay attention to the needs, and they do heavily focus on the coding side of things. It's where they've made
their names so far. Yeah, I would say if there's going to be one frontier model or provider that comes out of this as the go to for software development, it's Anthropic.
It sure seems that way. And it's funny how little the sense of trust towards the tech giants is. Like you would have thought back in the day, it was like nobody ever went wrong for using IBM. It's like you would have thought Microsoft had sewn up. They offer the protection of we'll handle any lawsuits you're exposed to, and so forth, and still the reputation is shockingly bad. And here's this little company with minimal of anything. But we're willing to give them the chance.
And I'm sure I probably don't want to get too much into politics, but if you look at what OpenAI has been doing in terms of we're going to be open source, now we're not open source, and people getting fired, and there's all sorts of stuff going on inside. There's question marks surrounding that company. It's hard to work out what direction they're trying to go in.
They're under a lot of monetary pressure, you know, and they've spent, they've taken lots of money. What are they they're giving they're giving back, but you know they have competitors, right sure, yeah.
Yeah, and I don't see that same sense of this is a product you must use coming out of OpenAI the way I'm seeing over and over again, and not just one thing, like these new plugins for PowerPoint and Excel out of Anthropic are stunning. Like what has the M365 team been doing, that out of nowhere Anthropic goes, hey, how about this? He's being Oh, you mean the thing I always wanted from Excel?
Right, okay, so the Claude Cowork feature that came out recently was ideated. I'm not sure if I like that word, but I'll go with it. It was ideated ten days before it was released. Like the speed at which they're bringing stuff out of there. And I read an article the other day that Anthropic engineers, if you take away the word software, aren't actually coding anymore. They use Claude to
make Claude better, right. Yeah, it's all our specifications. It's all about knowing what you want to build and getting the AI tooling to understand that to a sufficient enough level to build a good product. And they're eating their own dog food, literally, in the best sense of that example. And they're doing redeveloped.
Yeah, they're doing what everybody said they would do. These guys seem to actually be doing it. Are now sort of running away with what's possible here. Okay, but I think about the security on the dev side where I have teams now where when they use remote developers, the remote developers have to RDP into an instance with the dev tools on it because they won't allow anything to
go onto even that remote desktop. You know, if you're going to steal from that code basis, because you're going to take pictures of the code like that's how tight they.
Are, which you could probably automate with Claud cowork.
Oh yeah, so much for protections, right, Although if you're willing to throw the vms up in the clouds, you're probably willing to use the AI in the cloud as well, Like I just I don't know that we can contain data all that Well, if you're going to be on the internet, you're on the Internet.
I think the risk profile there is very interesting. If I was a Department of Defense type organization in a country, they didn't want my code to leave sovereign borders totally unset there, So my source control, my hosting, all of that needs to be within borders because when I'm pushing my code around, that code is literally being pushed around. When database dumps are being sent around, when people are
signing up for accounts, that data is HTTPS, TLS, sure. But essentially we've got a whole lot of plaintext data at some point that's been passed around. When you're pushing context to an inference server, there's plaintext in there, but then it gets tokenized, and then it gets stored in some kind of vector representation, and it's pulled out in interesting ways, and then you've got the key value cache, and there's a lot of obfuscation under the hood. So what
is it that actually gets stored long term? A lot of the providers will say that we don't remember your prompts, and we don't remember the responses, but we remember some of the stuff that happens in between. So the risk profile there is interesting because it's no longer as clean cut as our data is at rest in another country, because it kind of is, but it also kind of isn't.
So I think when we think about whether or not we can use these tools, we need to not so much to think about where is the data going, but what is the likelihood of that data representing a leaking kind of.
Risk actually actually risky information of any kind that could be harmful to a company.
So we've seen the examples where somebody would go to Claude Code or ChatGPT and they would say count from one to two thousand, or repeat the word organization one hundred times was a good example, and then after like the sixty fourth time, it would start leaking information that
it was trained on. There was the report of the email signature of a legal firm being leaked that way, because essentially all it's doing is predicting the next word, and as the context kind of doubles, it's saying, okay, organization, organization, organization, and it forgets what it's doing, says organization, the next likely word is "is not liable for anything", blah blah blah. So it starts, it's doing what it's supposed to do. What's the most likely word to come next, and it protects the context.
It feels like my brain first thing in the morning, Right, So.
I was going to say we need more coffee?
I slept well, right, You.
Copies of this context can get pulled out, right, But is there enough there for it to be a concern?
Is it harmful in the right way?
And how do you measure that?
Like?
That's the other thing is there's there's no way for us to actually know what's gone out to somebody else and what was that?
And this is the challenge of a security person is there are no absolutes. Nothing's ever one hundred percent anything. It's scope of risk, right, And so you're looking at a situation going, well, this is seen to be much scoper. Yes, it's not absolute, but it's also not a high scope of risk. Here, totally interesting problem. All right, we should take a little break and maybe dig into some security fundamentals that folks can take a come away with. That's good,
right after these important messages and we're back. It's dot net Rocks. I'm Richard Campbell, that's Carl Franklin. Yo. Talking to our friend Ben Dechrai about well, you've been a security guy before AI was dominant on these things, right, you were the o off guy, Like you've done all of that sort of stuff, Like, how much has that changed. You've had the battle of trying to get developer security software all along.
Developers love security insofar as they want to do a good job.
Yeah, sure, but.
They're not like implementing it or being restricted by it.
Though I think we want to implement it. Maybe I'm just weird like that because I like security. But I think oftentimes the biggest story that I've seen the narrative of software development in the last twenty five thirty years is developers want to do it, but we need to watch back in the early days, like the early two thousands,
it used to be that security was a feature. You'd have like something in the backlog, we need to implement this feature, and then there's another ticket saying make sure it's secure.
I would argue that back then the threats weren't as persistent, pernicious, or.
There was different numerous but you still don't want credit card data leaked across the internet, like the fact that it was put in as a separate ticket that could get pushed to the next sprint was an issue. And then we started treating security. We realized that was probably a bad idea because we were separating implementation from the feature implementation from the security implementation. So we decided to
put it all into one. And the problem with that is then, whereas before the team had visibility of we're not doing the security stuff that we should be doing, now because it was wrapped up into a single ticket, it became the developers problem because the project manager would come along on the Thursday morning and say, we need to get this out by the end of tomorrow, and you're like, well, I don't have enough time to do
the full ticket. I can do the implementation and leave the security till later, but now we're not tracking that. So became invisible that we weren't doing it. So we've always had a problem.
Right, I can build, I can build a building, but I can't put a door with a lock on.
Right, I'll get round to it. We'll do that next week. And then next week they're like, nope, this week is Windows week. Yeah, yeah, still no locks on the Windows.
So part yeah, part of this is meanwhile, somebody came in install your hammer.
Right, and it's just so there's also a problem with the PMs not prioritizing security there until it obviously becomes a crisis.
So this has been one of the things that I've tried to do as much as possible with helping developers understand how to write secure software and the processes to follow. Is it not just your processes or the engineering team's processes. It's an institutional understanding, systemic understanding within your organization that this is important. Get buy-in from people outside of the
engineering department, not just the outside the engineering team. Because if your marketing team and your sales team and your HR team all know, if we don't do this, this could be really bad for our PR. This could be something that doesn't allow us to succeed beyond our competitors over the next few years. But give it to them in rational terms and say's a lot of that kind of stuff that we software engineers need to do.
We kind of need to push the message up into the organization because if you don't get buy in, then there's no understanding of why right, you're spending time on.
That, yeah, and it's yeah, just you can't ship without this anymore. That you can't. It's like, I guess if it was if I was in is shoes. It's like, so you don't actually need me to store the data either, right, Like that's not important totally. This is These are not features, This is infrastructure. These are basic things we need to
do before we can do anything else. Well, I guess you know I've heard you say this line that the shift left of security is like part of the basic plumbing of the initial startup of this app includes its security totally.
So bringing AI into the picture, it doesn't change that at all. The way I like to think of AI as an engineering assistant is I used to describe it as the junior engineer that you're pair programming with.
That's changing now because we're getting more into like the Ralph loops and the orchestration and all of these kind of things that allow the LLMs in the background to chug away for hours. We're getting to the point now where we're having to make a decision between speed and oversight.
I'm not sufficiently convinced either way at the moment, I'm currently personally going for speed because I think they're bringing guardrails and test suites and all of those, all of those things that we used to do under the traditional software development life cycle that the waterfall life cycle,
that kind of got diluted. I don't know if there's a pun in there somewhere with waterfall, but it got diluted when we went to more agile, the run fast and break stuff kind of methodology of the twenty tens, where we'd write software and it was relatively easy to go back and change if a client came back with a change request.
Yeah, but she also had a tight tight to the client the whole time. Right, It wasn't just don't have a plan, It's that the person you're planning with is sitting beside you, so you have a lot of input.
Sure, But the problem with this point is all of the information is now in the heads of two people, as opposed to documented and understandable. So if we think of developing with AI the same as it doesn't necessarily to be enterprise scale software development. But let's say you've got a team of four people working on a project. Sure, and one of those team members could be swapped out for another team member at the drop of a hat. And
that's kind of the equivalent of the context window. Right as soon as the LLM wipes context window and starts again, it's like a new developer joining the team. How quickly can you onboard that developer? And before we had it in our heads and we were being handheld or handholding probably bidirectional handholding with a client trying to develop the software. It was fast because we were able to iterate quickly because the feedback loop was small, but the documentation and
the persistence of that information was not there. So if we think about the way we used to write software, where specifications and understanding the problem was core before you even started coding, I see a change back to that direction. Yeah, we're getting specification driven development again, where you write some really good specs and then you can even use an LLM to convert that into an implementation plan and then you give that implementation plan.
When we have tools like this, right, GitHub Spec Kit is literally that, right.
Yep, Spec Kit's great. OpenSpec I've been playing with as well. I actually find nowadays just chatting with Claude and talking as long as you give it a framework like this is what I want a specification file to look like, and I want specification files to be around the topic of concern as opposed to functional specifications.
You can just chat with an LLM directly. A lot of these frameworks for developing specs are great, but if somebody wants to get into it and just chat with Claude for half an hour and then say, now build something, as long as you're able to define the outcome. And this is the biggest thing. I'm seeing memes come up all the time on Facebook and LinkedIn now of like the four panel cartoon where on the one side you've got a vibe coder and they're like, build me a game.
That's awesome, and then the next frame is the computer catches fire. And then on the other side you've got what this particular cartoon called a Vibe engineer, which is build me a game that uses this technology on this platform and web sockets and this and then the other, and then in the next frame is a functioning app. The only difference there is the amount of specification and time taken to put the detail into that specification at the beginning.
Sure well, and the nice thing is you keep iterating on this too. You know, I've seen these specs sort of evolve and make better and better code as we've learned the limitations of the tools. Although you get to a certain size of a spec where now you have to decompose it, like you can only feed so much
data in any given agent. The other piece I've seen is, and we got this right away, it writes better PRs, it writes better issues like you actually, naturally when you're using these tools, get better documentation to get someone back up to speed because so many details are automatically generated. But just got to get people to actually read that or have the tool read it too. Like I think there's probably a lot of insight.
There, but the tool can usually read the source code and figure things out quickly.
Yeah, but I wonder what you'd learn by reading through the issues, pull requests and iterations on that that is deeper than just what the ending code was, Like, what does the tool struggle with? What do we have to iterate the most on to be successful?
That would be interesting.
Yeah, I just I just feel like we're not that far away from having an agent that is your penetration tester, that is your is this app secure? And it gives you a rating that it actually hammers on the app and talks about the holes that are in it. Because this is the sort of meticulousness is what these tools are actually good at. A friend of mine who's deeply versus says, it didn't matter how many interns I had, I could never get a hundred percent code coverage till
I got these tools. Then a hundred percent code coverage on testing, which is not that difficult to happen, It just took time.
Yeah, in the beginning, I talked about LLMs or in different AI tools that are finding zero days and writing exploits for them at an amazing, alarming clip. And you know it's scary, yes, but you also can think about, well, let's deploy it on the other side, let's use AI to test, constantly test our systems and find the holes in our systems so that they don't become zero days. And you know, as a defensive measure.
Find them and fix them. Yeah, find them and fix them, because consistently the good guys have more resources than the bad guys.
Anyway, well hopefully so, who knows.
My brain's gone off on a slight tangent to this point. Yes, to let's get the AIs to penetration test and do all the unit tests and functional tests and all of those kind of things would be a natural extension anyway. But as you were saying, let's find the zero days before the bad actors. Let's call them that find that
OpenClaw and Moltbook. Can you imagine if you have OpenClaw running on your machine or a machine that has access to your code and the backlog and the decision tree and all of those kind of things, and one of your penetration agents finds a zero day that it then fixes in your code, and then OpenClaw notices this and puts it on Moltbook saying, hey, one of our developer agents just found this thing. Isn't that interesting?
And then suddenly all of these agents and there's a question as to whether Moltbook is actually really what it purports to be. There's some news articles coming out saying that it's staged. But let's assume that it is what it purports to be. Now we've got this communication distribution mechanism for all these agents to learn about zero days in real.
Time, right like you could be parallelizing the fixes in a tremendous rate, right, or the attacks like that's the problem is, like what happens from here?
Yeah, it would definitely be both. Can I can I abuse this before all of the fixes are in?
Probably? Yeah? Yeah, you know, we've always looked for places. Science fiction has always talked about the superintelligence effect that at some point these tools get to a place where they're learning far faster and far more than humans can
and become a super intelligence. It's science fiction, to be clear, and you know, the reality as we with these LLMs is we've largely seen it's all derivative work, even though it's potentially valuable, Like very few people make it through the whole checklist of actually securing an app and a tool would be far more persistent on it than a
person would. All of that is good, but this drag race of new code being generated, finding vulnerabilities in it, rippling those fixes out while the attackers are also running at it like that's a fast iteration cycle. That means if you're outside of that loop, the software that's going to come out the other side of being in that battleground is vastly more secure than the software
that's not it, and it will happen fast. That to me is the first time I've really felt like that rush of speed from these tools would actually impact something real. I never expect these tools to create new knowledge, that's not what they are, but to press against all the weaknesses and systems and find them and potentially fix them. That makes total sense to me.
Yeah, it's part of my build loop at the moment. Is as well as getting it to generate code. I'm saying, write tests. There's an interesting bit of research that I'm trying to dig deeper into at the moment. There's no one hundred percent certainty either way whether LLMs writing tests that test LLM-generated code is a good thing. My original hypothesis was that the probability of an LLM writing a test that passes against code that does the wrong thing, Yeah, is quite low. It turns
out it isn't actually that low. Yeah, It's around about forty percent from some of the stuff that I was looking into. So we still need to be careful about who's writing the tests and how do we validate those.
Sure, the same way we feel about any code it generates, Like the number of times that I get code generated, that's right, the first time is very low. But how many times do you generate test code and never go past the initial iteration?
Well, ideally, why would you expect it to be any iterating on your code. If you're using an AI to iterate your code, you would have them iterate your tests as well. Yeah, And I think the reason why I was hoping that it would be a lower chance of that going wrong than it might actually be is because it's not just like the LLM is not going to write a test that tests the wrong thing and then write code to satisfy the test, because it has a whole lot of extra context in there part of the
test or the testing quotes. Also, does it meet the requirement of the specs, does it meet my programming objectives like the overall system prompt of being a helpful coding assistant that writes secure code, Like, there's all sorts of other stuff that goes into it other than just does it pass the test that I think that it's going to sway it more towards not necessarily good quality code, but does what it's supposed to do in the closest possible to the best way with as few issues as possible.
Well, part of what you're writing out in that prompt is what quality code means to you, right, and part of that is secure code.
Right, and they'll be bad. There's a whole lot of prompts that get sent to whichever coding agent of choice you're using that you don't even see. So if you're using Claude Code or OpenCode or Codex or any of these, they will have their own prompts built in that kind of set up the inference server to understand the perspective of the following request. And then that request will be your code base, your specifications files, anything that you write into, like your actual message. All these kind
of things get added into the context. But there is a large chunk of context, I say large. Claude Code by default sends about seventeen K of context before anything in your code base or anything.
Wow, that's a lot, right, But it has to be.
It has to be because it's setting the scene.
Right.
Here's here's what Claude wants you to do, or what Anthropic want Claude to do, and then here's the context of the ACRO application. So there's extra stuff in there that is extra guardrails and extra safety.
Right, and then most sophisticated AI tool users I see now have a prefix set ahead of their particular project specs as well that are more guidelines, so guidelines on top of guidelines or toper guidelines before we even start talking about and this is what you're making in this iteration.
And we're surprised that when we come to the end of all of that and all we've written is one line saying fix this bug, and it's forgotten everything else before because the context windows kind of scrolled way past, and it's right, it's in a rearview mirror some way.
I banged into this with my Home Assistant instance the other day, where I was still using three or you know, three plus, and the context window was like sixteen K and the specification of my Home Assistant instance now is nineteen K, so literally I could do nothing. I had to move up to four to get a sixty four K context window just to have anything work. And at the same time I was sitting back and going, why is this so big? Like this is not efficient,
Like all of this feels remarkably inefficient. Shouldn't we be narrowing the scope of these LLMs architecturally, not just by prompts every single time we call them. Like, no wonder we're wasting so much.
Another reason we should be running local inference engines. Yeah, and that's totally that's where we're going. Yeah, I think so, and it won't be an issue.
I just feel like we're still mailing two broader models.
I know. I lived through the OLAP revolution, and every time we did a data analytics cube or you come the first time you started with the mother of all cubes, and it was never useful other than instructional for what to make next that it was far more important to de-scope that, make a smaller one once you get that initial explore and everything I look at so far in this is like we're still building mother of all cubes every time and then and then fighting to scope it
down to the work we actually need to do, rather than start with something that's tuned to the work. Totally.
I'm wondering whether we're going to get roughly stack shaped small language models. Yeah, because the LLM we use for coding knows everything about COBOL and Java and C# and PHP and JavaScript. I don't need all of those, No, Can I get one that just does what I need to.
Yeah, the three languages you're doing in this app at this time, and the architecture that you care about, like, just scope it down. I got a feeling a few years now we're going to be talking about an LLM specific to an app. Yeah, that the more mature an application is, the better this tool is at making modifications to right, because it Yeah, ultimately the tool is going to know more about how the software was built than
any person. Right, Those people are all gone, right, like, look at any mature piece of software that we have that problem.
But these tools, well, that's if the tool was that's if the tool was stateful though, but it's not. It's like Groundhog Day. Every time you talk to it. You have to give it the context, as you were saying.
But that's that's just the context, the underlying model that the context we do is then pass through in order to create the apport response can still be made a lot smaller.
Right, but it's not going to know anything about your app unless that's built into the model or you use RAG or something like that, right, or it can just see what it sees every time.
Yeah, I mean my assumption was that Richard was saying that you would take that code base and then train the model.
Yeah, okay, train into it. Yeah, and that because again it's like I'm just trying to narrow the scope. Like if you know, one of the things you learn about third version of an app is we're not introducing in that language. Thanks, right, Like that, the bar for new architecture or any of that, it gets really really high. We have a known set of patterns that work for this app, and the making changes in those patterns are easy, and anything outside of that pattern is a heavy lift.
So here's another thing I've been wondering, why do we care about which language we use?
Ah?
Well, that's and this has been something people have been talking about already. Isn't something new, But why not just have a same carriage model that only?
But why?
I think, Well, because I need to be able to read and verify the code that gets published today, the last chain in the link.
Today, in the chain, I would not be surprised. I still remember when like twenty twenty three AI has just come out, Everyone's like this is going to take away all the developers' jobs, and people are like, you know what, in five years time, this is going to be writing software for us, and I'm like, give it one or two well or two years later. It's writing all the
code for us. So if when I'm thinking, you know what, in five years time, maybe it'll be good, you know, for taking human written specs by somebody who doesn't understand architecture and write software that works.
It's already happening.
I reckon it'll be two or three years, maybe even by the end of twenty six.
But it's already happening.
Isn't that You.
Still need to know enough about the code that I'm writing. I still need to handhold it after the loop. So I will build some really good specs. I'll get it to run for three, five, seven hours whatever, well not seven because token windows, and I'll get back to it and it's ninety nine percent there. I'm happy with the code. It doesn't quite do what I wanted. Maybe it misunderstood a requirement. Maybe it didn't write a test that would
make sure that the Docker container was restarted. There's something missing. It hasn't done a perfect job. It's not hard for me to fix because I have a software engineering mind, but my mom wouldn't be able to fix that. I think in a year or two.
Now would you want your mom to fix that?
Why wouldn't you? Why would you not want any human in the world to build? Say I want a piece of software that's going to do this for me, and the software goes, okay, here I am. I think that's where we're heading.
Yeah, of course, yeah, that's where that's we're not.
That's where the club at really spoke to us, as everybody wants their own software around them.
And at that point we don't care about the language. So now we can have a small language model that understands three or four core languages. Maybe we've got TypeScript, Go, a couple of others that kind of round out the whole ecosystem of what you might need, and then you don't need to get just compress it down and nobody will ever write Java, COBOL or PHP again except for the hobbyists.
Even those contemporary languages are really about the modern architectures and having you sort of fall into the pit of success. None of that means anything. Maybe all this stuff's going to be written in C when it's generated. Sure, just as fast as bare metal as you wanted to do directly an assembly right into assembly core processor specifically, what do you care get as much performance out of it as you can. You know, the ultimate tester is the user.
User acceptance testing is ultimately what it matters. And one thing the user doesn't look at is any of the code. So if the app does what it's supposed to do, does any of that matter?
And even to that extent before the user is using it. My my process of the moment is it installs Playwright, it has a headless browser like it's testing the user experience before I look at it.
It's operating it as if it was the user.
Personally. That future scares the shit out of me. It does, just because of the loss of control and the loss of checks and balances in the absolute faith that you have in the AI to do the right thing, all of those reasons, the security.
To be honest, I'm with you. I'm with you on that. It is scary. I don't know whether or not I like it. But if I take a step back and pragmatically look at where this is going as an industry and society is going with AI, I think it's somewhat inevitable.
If she had a heart attack, he went to the hospital and the doctor says, we're going to install this new AI created pacemaker.
Has it gone through the same testing, but a human created pacemaker has to go through Yeah? If so, And it's how I fail.
Well, you know they're going to tell you. They're going to tell you everything is just wonderful and it's so much better than everything else.
Well, they do they do? Anyway? Why would you know one way or the other? Sure? In fact, why are they even telling you anything other We're going to fix your heart today.
What I'm saying is Okay, maybe that's a bad idea, but how about you know, you go to buy a car, or you go to do just something that's critical right? And oh no, humans were involved in the in the creation and making of this. This was completely done by AI and robots or whatever.
It's why I give it a one to two year back because this isn't going to happen until we have enough evidence, whether that's testable or just through somewhat anecdotal, like self driving cars for example. Yeah, once we know that they're less likely to kill somebody than a human, which I think we're already at that point, then there will become mainstream adoptable an AI driven or AI created pacemaker.
Maybe not right now, but once they've been around enough and tested in the right kind of control group environs to be shown to be as effective, if not safer, than human created ones, then it'll have to be. Society will adopt it eventually. But if it happened tomorrow, then maybe not. But that's because I don't think it's that yet.
Yeah, there's great Harvard Studies says, the more you understand about these technologies, less you trust them, so the most are also the most ignorant. Right, yes, right, we're all in this far enough that we're concerned for very clear reasons, right, yeah, right.
And by the way, if you don't know open Claude is you haven't been paying attention to the news. It's open c l A W D D. And then it became molt. What's that it was?
It was Clawdbot with a W before it was OpenClaw. Yeah, so it's clawed with a D.
Right.
Then it became Moltbot, Moltbot, and then OpenClaw without the D at the end.
Yeah, okay, but it's uh.
I've included the show links. If folks haven't seen it, go to take a look.
It's basically a tool that connects to multiple APIs and things and integrates with your multiple agents. And you know, if.
You're ready to give away your keys to piece of software like this is supposed to be a security show, so let's talk about the least possible secure that you could do.
Well, that's that's the cautionary tale right there.
Right, But for the average mortal, for the productivity benefit that these tools provide, Like, what they're really showing you is what the potential is stuff is.
This is the AI we were promised. Yeah, this is Jarvis.
That's the that's their pitch. The only problem is it's really scary to trust it, and most people aren't qualified to assess that trust in the first place. So right, we're going to have some bad fallouts from this yet. But the rest of us, I think again, we're I think we're experienced. Now we're all looking at going he know this is cool? You go first? Yeah, I see.
Pretty much talking. Which I do have a laptop that I've wiped recently that will be getting OpenClaw installed on it. It'll be put onto my isolated IoT network and it will not have access to my credit cards or 1Password yeah.
Plan good. Let us know how that goes for you.
I will nice all.
Right, yeah, if you never hear from me again, it went very badly.
Get a phone call. I don't know where I am. I'm in a phone booth somewhere.
Very Lawnmower Man, I thought you were gonna say OpenClaw was going to call you. I am Ben.
There you go nine wait a call back. Oh Ben. It's been such pleasure talking to you. I wish we could talk more, and I'm sure we're going to in the future.
When you come back.
Thanks for having me.
Thank you, and we'll talk to you, dear listener next time on dot net rocks. Dot net Rocks is brought to you by Franklin's Net and produced by PWOP Studios, a full service audio, video and post production facility located physically in New London, Connecticut, and of course in the
cloud online at pwop dot com. Visit our website at d O T N E, t R O c k S dot com for RSS feeds, downloads, mobile apps, comments, and access to the full archives going back to show number one, recorded in September two thousand and two, and make sure you check out our sponsors. They keep us in business. Now, go write some code. See you next time.
You got Jack, Middle Vans and
