My team is currently facing this issue. We had large layoffs that cut us down to a very small size while simultaneously having new initiates pushed our way that require speed. Everyone is afraid to ask what feel like basic questions, again.. layoffs, so everything is hidden in DM's. Add on top of it the push (read requirement) from higher ups to use AI and it's simply in a terrible state.
What seem like great initiatives are being watered down because nobody can keep up, debugging issues takes so much longer because everything is changing at once, and everyone is exhausted and hardly talking to each other which feeds into a cycle of having no idea what is happening.
This describes my team to a T ... are we working at the same place?!?
We actually talk more now which helps, but it is still hard to keep up when everyone is barreling ahead doing their own thing. In addition to more talking, there needs to be a semblance of strategy that everyone is aligned on and understands their role in.
A high-agency, high-functioning team has always been a superpower, but mastering this capability is what will make or break organizations that are trying to run lean with AI. It's a "people problem" at its core, and no amount of technology can fix that.
we love to say things like these, but... most security issues are in fact BYPASSABLE - virtualization, firewalls, autorollbacks, ro-filesystems and so on are many of the tools we have on our belsts
decades of WordPress have taught us that insecure apps can 100% be securely deployed
it's a bit of an art, most recently edicated devops/sre ppl suck at it, but it's doable
...aeons a go in a former life we ran production apps that got hacked weekly, and nobody batted an eye at it, backups servers recreated from secure ro-images were span up with last-clean-app version, occassionally we had fun disassembling whatever reverse shells and other mallware that got beached on our systems (but couldn't "swim" bc everything we ran was "too exotic" for them to figure out the next steps of a proper attack), development and business continued as usual with zero interruptions etc
If you go against every principle (defense in depth, security through obscurity), maybe you should ask yourself "am I willing to be on the record saying this when my company gets hacked?"
There can be multiple reasons system crumbles, do you want to be behind one of them... intentionally?
100%. I'm willing to prioritize what matters at the right time. if "inner-system security" is not the right priority, and security can be attained at the "outer-system level" better, we should have the balz to say it. fuckitol
Imagine if your doctor said "we don't really need to do this if some other guy or nurse does a right job, so fuck it".
In other critical professions you don't want to screw up because when you lose license you're legally unemployable. Maybe it's time to require a license to be a programmer. We used to have a strong culture but those days are gone and stakes are higher. Putting people at risk because you think VC can vibe code an insecure app and then it's everybody else's responsibility to ship it securely?
you got everything I said wrong: I'm familiar with security and infrastructure best practice and I'm confident I/we can securely deploy almost any vibe-coded crap someone can throw at us - we understand security, we understand defense-in-depth, we understand the subtle trade offs of why security by obscurity is usually a bad idea (and when it does help) etc.
sure, if the vibe-coded sloptopus does bank transfers and stuff, properly carving out these pieces out of it might require actual engineering work before containerizing it - but someone is willing to pay for it it can be done
some "toy" example: take a crappy app that stores llm keys in config files that the llm agents themselves can edit - after isolating it up, but an llm proxy in front of it and have those keys be short lived proxy-keys with aggressive rate limits and monitoring etc etc
isolation, injecting proper monitoring into code of apps, putting proxies between app and apis, and layers between app and infra it runs on or touches etc
and these things now can be mostly cookbook-ified / automated 90% of the way too
as long as you can shop things into little ppl and ensure short-lived and granular access to valuable data you can 100% run totally unsecure and buggy code reliably and get value from it
it's engineering and understanding security from first principles [and a culture arund it - that _is_ the HARD af bit though...] instead of just believing in "secure app best practices" from the "holy scriptures" - secure apps are hackable, and unsecure apps can be unhackable, heck even mil systems run on unpatched old software everywhere, they're just properly insulated, the components are insecure but the system as a whole can be perfectly secure
this usually because of lack of accountability on executive level. The salary should be low and bonus to be tied to metrics 1-2-3yr from now, then they will be more careful and pragmatic about breaking things.
"Slow is smooth, and smooth is fast." If you move fast _and_ you break things you just end up with a lot of broken things. I never did understand this philosophy.
> When speed is the priority, there’s no incentive to improve or invest in the shared system (e.g. a design system or codebase) under a tight deadline.
These guardrails are precisely what should be laid down in advance to enable workers to run safely with AI. Write all the rules in your AGENTS file, and point your AI reviewer at it. Encode whatever you can describe algorithmically in commit hooks. This will get you 90% of the way there, and peer review will take care of the rest.
I am hopeful that AI will empower smaller companies, where there is less deadweight, and consensus can be formed more quickly. Discussing what to build is not wasted time; it's one of the few things that favors humans.
This isn’t related at all but it’s sure interesting how our brains evolved. When we are cognitively taxed, our ability to communicate breaks down. When we are physically taxed and doing something we are built to do (like running), conversations flow in the strangest ways. Heck, I’ve had long in depth conversations about Infinite Jest with total strangers on trail runs. It kind of makes you wonder about a whole lot of stuff we have filled our worlds with.
I'm seeing this with ideation. It's so easy now with AI to come up with a new idea in a 40 page manifest that no-one has the time to really mentally ingest. Everything is defined to the T, milestones, success measures, all of it. Things become a binary do all of this, or don't do it. There's no room for conversation.
> But I’m also pro-slowing the fuck down and doing actual human thinking before pulling a trigger … We all love dopamine, we all love seeing new ideas come to life
You can spend 100M tokens/week and generate something that is good enough for end to end demo to paying clients in 1-4 weeks depending on complexity of the project. Doing this feels like being on drugs, in that the creative process is a high, and that you will be mentally exhausted at the end of every day (the crash).
This is true in military tactics but it is often phrased in the contrapositive: if you want to move fast, establish enough trust such that talking is not needed.
The idea is that speed is *essential* but coordinative action is too. Most combat situations in history have not allowed for hierarchical resolution of all important decisions nor the slower, alternative consensus-based decision process. Independence and alignment with the mission allows for more agile, more effective units. As technology advances, it actually gets EASIER to talk and coordinate actively rather than train and pre-bake the coordination. Ship captains today can be released with much less latitude than 200 years ago because we can raise them on the radio at need.
I'm not arguing we should adopt military metaphors or even that exigencies force speed somehow, as they do often in military matters. I AM arguing that we ought to consider there are local and system-wide virtues to training and coordinating in such a way that you can move without talking.
I am not sure for people who wrote this, did they realize most of the time these conversations are just for politics reasons? In a non cooperative environment, projects moving fast does not mean individual is moving fast or vice versa. But if you are in a cooperative environment pretty much people just act what he suggested naturally.
The way to view LLMs is that it is a better google search. This allows you to speak to coworkers only when they have the context you need. For other trivial things there’s AI.
Optimally you must only disturb your coworkers when necessary.
58 comments
What seem like great initiatives are being watered down because nobody can keep up, debugging issues takes so much longer because everything is changing at once, and everyone is exhausted and hardly talking to each other which feeds into a cycle of having no idea what is happening.
We actually talk more now which helps, but it is still hard to keep up when everyone is barreling ahead doing their own thing. In addition to more talking, there needs to be a semblance of strategy that everyone is aligned on and understands their role in.
A high-agency, high-functioning team has always been a superpower, but mastering this capability is what will make or break organizations that are trying to run lean with AI. It's a "people problem" at its core, and no amount of technology can fix that.
I’m sure they’re all riddled with security issues, but am I gonna go be the one pointing it out? Heck no.
decades of WordPress have taught us that insecure apps can 100% be securely deployed
it's a bit of an art, most recently edicated devops/sre ppl suck at it, but it's doable
...aeons a go in a former life we ran production apps that got hacked weekly, and nobody batted an eye at it, backups servers recreated from secure ro-images were span up with last-clean-app version, occassionally we had fun disassembling whatever reverse shells and other mallware that got beached on our systems (but couldn't "swim" bc everything we ran was "too exotic" for them to figure out the next steps of a proper attack), development and business continued as usual with zero interruptions etc
There can be multiple reasons system crumbles, do you want to be behind one of them... intentionally?
In other critical professions you don't want to screw up because when you lose license you're legally unemployable. Maybe it's time to require a license to be a programmer. We used to have a strong culture but those days are gone and stakes are higher. Putting people at risk because you think VC can vibe code an insecure app and then it's everybody else's responsibility to ship it securely?
sure, if the vibe-coded sloptopus does bank transfers and stuff, properly carving out these pieces out of it might require actual engineering work before containerizing it - but someone is willing to pay for it it can be done
some "toy" example: take a crappy app that stores llm keys in config files that the llm agents themselves can edit - after isolating it up, but an llm proxy in front of it and have those keys be short lived proxy-keys with aggressive rate limits and monitoring etc etc
isolation, injecting proper monitoring into code of apps, putting proxies between app and apis, and layers between app and infra it runs on or touches etc
and these things now can be mostly cookbook-ified / automated 90% of the way too
as long as you can shop things into little ppl and ensure short-lived and granular access to valuable data you can 100% run totally unsecure and buggy code reliably and get value from it
it's engineering and understanding security from first principles [and a culture arund it - that _is_ the HARD af bit though...] instead of just believing in "secure app best practices" from the "holy scriptures" - secure apps are hackable, and unsecure apps can be unhackable, heck even mil systems run on unpatched old software everywhere, they're just properly insulated, the components are insecure but the system as a whole can be perfectly secure
Time and time again proven true.
> When speed is the priority, there’s no incentive to improve or invest in the shared system (e.g. a design system or codebase) under a tight deadline.
These guardrails are precisely what should be laid down in advance to enable workers to run safely with AI. Write all the rules in your AGENTS file, and point your AI reviewer at it. Encode whatever you can describe algorithmically in commit hooks. This will get you 90% of the way there, and peer review will take care of the rest.
I am hopeful that AI will empower smaller companies, where there is less deadweight, and consensus can be formed more quickly. Discussing what to build is not wasted time; it's one of the few things that favors humans.
> But I’m also pro-slowing the fuck down and doing actual human thinking before pulling a trigger … We all love dopamine, we all love seeing new ideas come to life
You can spend 100M tokens/week and generate something that is good enough for end to end demo to paying clients in 1-4 weeks depending on complexity of the project. Doing this feels like being on drugs, in that the creative process is a high, and that you will be mentally exhausted at the end of every day (the crash).
The idea is that speed is *essential* but coordinative action is too. Most combat situations in history have not allowed for hierarchical resolution of all important decisions nor the slower, alternative consensus-based decision process. Independence and alignment with the mission allows for more agile, more effective units. As technology advances, it actually gets EASIER to talk and coordinate actively rather than train and pre-bake the coordination. Ship captains today can be released with much less latitude than 200 years ago because we can raise them on the radio at need.
I'm not arguing we should adopt military metaphors or even that exigencies force speed somehow, as they do often in military matters. I AM arguing that we ought to consider there are local and system-wide virtues to training and coordinating in such a way that you can move without talking.
The way to view LLMs is that it is a better google search. This allows you to speak to coworkers only when they have the context you need. For other trivial things there’s AI.
Optimally you must only disturb your coworkers when necessary.