Hacker News | criley2's comments

In your example, those projects were not the domain of engineering. Your friends couldn't afford expertise and those projects never would have been made before. Therefore, these are net-new projects that replace nothing that came before.

This is common in technology, especially software, that improvements in efficiency make software cheaper and expand the total pool of possible software.

And, even if one of the "one button shipping" platforms (and there are many) was hooked into the agent, your friends will hit major problems that they and their AI cannot solve. Whether it's tech-debt hell, a major security breach, or something else, any sufficiently complex project will require expertise. Will be a fun day when a European regulator asks a friend about their GDPR compliance and their agent is like "shrug".


> Therefore, these are net-new projects that replace nothing that came before.

This, and on top of that, they'll hit a wall and require human intervention sooner or later if those projects are actually productionized.


What does verify mean?

Can they verify the private cloud is completely immune to nation-state actors, has no zero-day vulnerabilities, is completely bulletproof in a court of law and can never be compelled to secretly share info with government(s), etc.?

I think the user's fear here is real. "We did good due diligence at the consumer level" and "we're completely immune to nation-state hackers and clandestine legal cases" are very different things.


You should read the paper.

Like any good security paper, it doesn’t assert immunity to particular parties. Instead, it covers things like how PCC attests that the running software image is identical to the publicly-available, forensically-studied one.

Fear is real for sure, but don’t let fear be an excuse to lose rigor in thinking.


What if the CA certs are compromised, as was alluded to for GCP in the Snowden leaks?

All server security measures are irrelevant if every client req/res is dragnet siphoned off to NSA servers in plaintext. It would also afford the corporation deniability even if they were aware or involved.

This is why everything that can feasibly be E2EE (or performed locally) should be, unless the data is explicitly public. There are too many opportunities for compromise even when the provider has the best of intentions, and ruling class psychopaths aren't intentionally destroying democracy or implementing big brother.


I’m having a hard time parsing that.

Are you suggesting that PCC specifically is sending things in plaintext, or that the security promises in the server and arch are false, or that a compromised CA means… IDK what?

I’m with you on the big principles, but are you implying more specific attack vectors or just kind of maybe everything could be compromised somehow?


> In an NSA presentation slide on “Google Cloud Exploitation,” however, a sketch shows where the “Public Internet” meets the internal “Google Cloud” where their data reside. In hand-printed letters, the drawing notes that encryption is “added and removed here!”

http://web.archive.org/web/20140101231153/https://www.washin...

https://blog.cryptographyengineering.com/2013/09/06/on-nsa/


So still just innuendo, nothing specific to how PCC works?

This is a non-answer, and in fact, a statement like "don't let fear be an excuse to lose rigor in thinking" in response to my question "how verifiable are their claims" is insulting and sloppy. Rigor in thinking includes human discussion and humans asking questions, but yet you shot that down.

ChatGPT, do what this user wouldn't, and answer the dang question:

> No, Apple cannot verify that Private Cloud Compute is completely immune to nation-state actors, contains no zero-days, or could never be subjected to secret legal compulsion. Nobody can honestly establish those absolutes for a complicated, evolving computer system operating across multiple jurisdictions.

> What Apple has done is more meaningful than ordinary corporate “due diligence,” however. PCC is specifically engineered to make clandestine access—whether by hackers, insiders, or governments—technically difficult, difficult to target, and more likely to leave externally detectable evidence...

> Against ordinary attackers, rogue employees, conventional cloud administrators and routine government data requests, PCC appears exceptionally strong for a cloud AI service.

> Against a targeted nation-state willing to combine zero-days, supply-chain compromise, endpoint exploitation, legal pressure and secrecy, the right description is: Highly resistant, deliberately difficult to target, and unusually auditable—but not immune.

Thanks ChatGPT. Don't know why I bother to ask humans anymore, it's StackOverflow the whole way down.


"I did not like your answer, therefore I will use the 100% reliable, bullet-proof method of having an algorithm generate the statistically most likely words that form a plausible answer to my question."

You can do basically the same thing as Cloudflare except as a skill you run in your local harness. If you're going through the motions with PRs and are familiar with actions, you can have it run in a GitHub action instead. But this is basically just a skill. The Claude code review skill is a simple version of exactly this.


I've come to realize that folks are including "ai-slop" in their ~public use of AI to intentionally signal to others that they're using AI. To some, that signal results in revulsion. To others, that signal results in approval. In my opinion, the approval signal comes from investors, board members, C-suite, and now management. They want us to use AI? Let's make sure they know we are.


I used to think that signalling that I am not using AI would be a good thing, and that people would appreciate that, but now all my public profiles are AI.


Every abstraction is leaky but is ignorance truly bliss?


I'm not arguing for ignorance. More acceptance of the ecological forces around us and appreciating them, observing them, and knowing when to let them take their course.


Brother, I don't care who writes the specs as long as they sign the checks on time. And yes, I do care about my work even if upstream is slop. In a relay race, you can lower your performance to the weakest leg, or you can be the strongest leg. And maybe I just like to run.


Fair enough, but now imagine that the code is slop too. You're getting slopped from both sides, do you still care?


In my humble opinion, most of the code I've ever touched was slop, and I think I left it in a better state than I found it. What more can you do?


There is no way to facilitate untrained users in the healthcare space to vibe code real applications touching patient data. There is no magic policy, firewall, or "facilitation technique" which can make vibe coded software reliably meet contractual and regulatory obligations with a high degree of security in the healthcare space.

If you care about data privacy, especially your own protected health information, that sentence should give you a lot of comfort.

In a HIPAA environment, people who are sufficiently trained on how to develop regulated software securely are called "software engineers".

In my opinion, agents will replace the majority of the rest of businesses before they are good enough at agentic engineering to be able to autonomously develop software that safely and reliably can manage PHI without a single mistake.

It goes without saying: never trust your PHI to any company who is vibe coding in production.


You guys have jumped to so many conclusions it’s amazing.


Claude Code uses Ink, a React library in JavaScript for UI. The upswing is probably stuff like this making it super easy to write a TUI.


Ink is the Electron of text-based apps. I tried OpenCode out of curiosity, it routinely used hundreds of megabytes of memory.

I'll stick with Emacs as my TUI platform of choice, especially for tool-assisted development.


What a fascinating modern age we live in.


Technology is on a generational 10,000 year run of non-stop successfully solving human problems.


and causing them


I actually think "just asking ChatGPT" is fine, because A) the data in these apps is suspect at best and B) the data behind calories is also pretty suspect (but we all play along because we can adjust other variables to make it all "work" well enough).

Once or twice a year I spend a few weeks meticulously measuring ingredients/cooked foods and recording calories, and on complex recipes apps are next to useless at getting accurate data. You're trying to input five or ten relevant ingredients, and then weighing your cooked outcome to try and divide the ingredients by proportion. Frankly it's a mess and most people aren't doing it for home cooked meals, and are getting very lossy outcomes (weighing cooked chicken and marking it as raw chicken, etc.).

With reasoning and tool calling (combined with me meticulously weighing before and after), it's producing fine data for my purposes.


I was complaining about AI generated clothes being misleading marketing, deceiving customers as to whether the garment even exists.

And then I learned that the pre-AI norms weren't any less fictional: they made an exemplar garment and did photoshoots, sure, but then they send the pictures and patterns to the lowest bidder factories with permission to make whatever edits are necessary to make it cheap and manufacturable. The whole thing was already a simulacrum.


I honestly think that, given the sorry state of the pre-GenAI internet, with all the SEO optimization nonsense, clickbait, and supplement peddling everywhere, LLMs are for now actually better than Google for “doing your own research” on many things.

At least at the entry level. Once you want to go in depth, the outcome in my experience is the same as with LLM use on any topic: it depends heavily on the domain knowledge of the prompter and their ability to steer it.

