ooc, would you claim it's the responsibility of the security researcher to remove the webshell, or the company's as soon as they were notified? Was it publicly discoverable and exploitable, or was there some form of protection?
I would agree it's the researcher's responsibility. It's not that the company put up a webshell for kicks. The researcher found an exploit (good), and used it to install a webshell, demonstrating the highest possible risk (fine).
Once the shell is up, anyone who finds the URL has code execution on the server, because that's what a webshell is. Using it is a different skill than installing it.
Imagine I figure out how to jackpot your bank's ATMs, and I demonstrate this by setting a public ATM into "press button to receive $20" mode, pressing the button, getting $20, and sending you a letter describing how I did that, with the $20 scrupulously enclosed. Meanwhile, the ATM remains in the state of "press button to receive $20". How happy would you be?
Was it publicly discoverable?
Technically, yes, though realistically you'd have to guess the URL. I would find it pretty funny if one attacker got access somewhere by guessing the URL of a webshell installed by a different, more self-sufficient attacker, but that's not to say it doesn't happen.
Was it publicly exploitable?
Yes; the researcher didn't set up any authentication or anything.
Once the notification is in and the shell demonstrating it is up, it should be an immediate redeploy to a clean state, fix the hole, redeploy to a patched state.
The shell disappears on step one.
Instead some moron has the audacity to get all hurt because the broken system he is responsible for has not been patched back by the attackers?
something something you're paid the amount the market values your work, which in today's job market is an order of magnitude less than the profit you bring the company
Well then why make it easy for my work to get devalued? It's not like workers are sitting on the sidelines here; they (in aggregate, at least) hold all the power.
The US still largely believes everything that Reagan Republicans preached about the "evils" of taxation and regulation of oligarchy, despite the US economy overall (and the "average joe") doing quite well in the era that followed "soak the rich" taxes being passed.
So many claims about how it would lead to far better lives for everyone, but the working conditions and general affordability have basically gone down for 40 years. Imagine bringing back the white collar work in the 80s, with a private office with a door, and people whose jobs were to help coordinate and schedule things even if you weren't an exec, instead of you just having a phone to answer all hours of the day.
Wouldn't the parent's post mean that you bring profit to the company, but you're worth less than the full amount of that profit because, should you demand to be paid more, you can be replaced by someone who won't demand more?
(Have there actually been a lot of terminations in the US tech industry, or is there an odd biasing mechanism causing me to see such things as bigger than they are?)
I don't think the generators themselves were open-sourced (only the generated SDKs were already open-source). That leaves three main (recommended) options:
* Manual Maintenance: Returning to the pre-Stainless era.
* Agentic Coding: Works to an extent, but you lose the deterministic, review-free output required to keep an SDK perfectly structured and coherent.
* Open-source Generators: Helpful for basic use cases, but they lack Stainless's full-stack features like multi-language generation and publishing, MCPs, and documentation.
Reach out to transition@stainless.com, the team can provide more details and clarify eligibility.
What I can say for sure is that the stlc approach comes with vanilla release-please support for the release flow (I worked on that part) and that stlc has been designed for both local and CI contexts. We also have extensive docs covering all of that.
Every object in git (commit, tree, revision of a single file) has a hash that is guaranteed unique within a repository (otherwise many more things than a web UI would break) and likely also globally. I can understand wanting to isolate repositories to prevent hash collisions from causing problems, but within a repo everything has a universally unique ID.
edit: for instance, that specific VERBS.md is represented by the blob 3b9a46854589abb305ea33360f6f6d8634649108.
> this should be sufficient to represent the file.
Except it's not, because the oid can be a short hash (https://github.com/gritzko/beagle/blob/a7e172/VERBS.md) and that means you're at risk of colliding with every other top-level entry in the repository, so you're restricting the naming of those top-level entries, for no reason.
So namespacing git object lookups is perfectly sensible, and doing so with the type you're looking for (rather than e.g. `git` to indicate traversal of the git db) probably simplifies routing, and to the extent that it is any use makes the destination clearer for people reading the link.
turns out that "blob", "raw" and "commit" have nothing to do with the hash itself, but are functions to describe how the object in question is to be presented. so what i said above about blob being redundant is false, the problem is rather that it is in a weird place. it should be at the end, like a kind of extension because it signifies the format of the output. except i think putting it at the end makes handling relative paths more difficult as it would have to be appended to every link to other files.
the roxen webserver has an interesting solution for that. they call it prestates and it's placed at the beginning of a url: https://github.com/(commit)/gritzko/beagle/a7e172/VERBS.md . it sets the format value visually apart, and you could have multiple prestate values separated by a comma. i have used that feature extensively on my own sites. i even expanded on the concept in custom modules.
They are following the /key/value/key/value pattern, but the first two pairs in a GitHub URL are fixed to user and project, which lets them omit the key names. I could see them not being willing to hardcode the third pair to blob.
Back when GitHub URLs were kind of cool, github.com/user/gritzko/project/beagle would have been much less cool than just github.com/gritzko/beagle.
Chinese company has an issue being a Chinese company for international legal or optics reasons, relocates to Singapore while still being controlled by Chinese nationals or all-but-Chinese nationals. Bytedance is a great example. Russian companies do the same thing with Switzerland, see Kaspersky.
They could just as well relocate to California for that matter.
The question is whether they are still controlled by the PRC. China doesn't allow dual citizenship (like other Asian countries), so people might legitimately want to work abroad while keeping their native passport.
While it would be a hilarious failure mode to encounter, this is actually a good thing!
These models already have the skills that humans were using them for, so either by training the models to use subagents or simply inlining the work done by the AI, you have a much easier time training the model to perform tasks from a human-distribution. The humans have done the work of making the human-distribution look more like an AI distribution.
Not when all of the marketing of LLMs is touting their abilities to do the exact thing and that is what investors are being presented.
If it is as you say, then eventually the house of cards will crumble. Then we can finally go back to work and quit being inundated with needing to use AI for everything.
I think it's partly because "sit" is one of the first commands they learn so if they're not sure what to do, they'll default to sit as that often gets the treat.
That's also why you teach "sit" first, before "bite the face of the person in front of me" (talking German Shepherds again).
Open access typically means authors pay a publication fee, which leads to the same result of the government paying twice and the journal profiting twice.
It's really easy to understand that everything is typed as Any/Object/whatever upper bound type your statically-typed language of choice uses.
Desiring something better does not mean a lack of understanding of the status quo.