Is this a story from the Epstein universe? Because the town of York during that time had some interesting characters like Donald and Khashoggi. Also "Lago Mar" in Florida sounds familiar.
Edit: At the end the main protagonist even mentions having Iran Contra evidence and speaks to the commission, but two senators present evidence that devalues his testimony. Interesting.
Looks good, nice features. But somehow the spark does not ignite on my side because it feels too artificial. I don't know if the metrics are faked, if the convenience functions actually work, if there is any proper hardening.
I can accept if stuff is vibe coded and has an autogenerated README. But even the announcement blogpost is AI-generated, and I personally have zero data points to see if your understanding of software quality is the same as mine.
It's a weird world, if this would've been announced without any AI disclaimers some years earlier I would've eaten it up without a doubt. But right now if I see a fancy README with several good-looking command line parameters I immediately wonder if the README is hallucinated and the command line parameters actually exist.
Hi, author here - a few critical pieces of this, like async-ebpf, were written long before those coding agents were released. I use AI assistance a lot when creating zeroserve itself, but I manually check AI output and take responsibility for it :)
I'm of the school of thought that if a practicing/retired software engineer (i.e. someone I reasonably believe has experience writing software for "production") wrote it, I've got to show it's trash, rather than assume it's trash. "Innocent until proven guilty" and all that. But I'm in the rather luxurious position of mostly using open source, rather than maintaining it, so I understand that others come down differently on this topic.
FWIW, I like the writeup and concept behind this. Very close to some passions of mine (like serving a website from a single-file archive).
If the point is to avoid the lua-issue on nginx, how do you expect people will implement things like geoip, request content match post ssl termination, etc?
Small static file (174 B) - the bread and butter of static sites:
server     req/s    p99
zeroserve  36,681   5.4 ms
nginx      31,226   7.8 ms
Caddy      12,830   22 ms
zeroserve serves small files about 17% faster than nginx on a single core, with a tighter tail. HTML pages, small JSON, CSS - this is the case zeroserve is tuned for.
Large static file (100 KB):
server     req/s   throughput  p99
zeroserve  8,000   782 MB/s    22 ms
nginx      7,600   773 MB/s    28 ms
Caddy      6,084   590 MB/s    44 ms
I'd go with a more storied project that's been audited, battle tested, hardened etc than this upstart. There's not enough improvement to justify the risk.
The problem with pasting LLM output is that no human with sound mind and body would waste their finite time on this Earth informing you that small static files are "the bread and butter of static sites".
> It's a weird world, if this would've been announced without any AI disclaimers some years earlier I would've eaten it up without a doubt. But right now if I see a fancy README with several good-looking command line parameters I immediately wonder if the README is hallucinated and the command line parameters actually exist.
Yeah, that is unfortunate. Recently there was this ffmpeg-wasm project. I tested it. It worked. But it was vibe-coded AI. I can't stand AI. Even if things work.
I decided to stay in the oldschool era as much as possible. Clever people publish software. Clever people maintain software. They don't need AI. That's my niche.
We may die out but I still prefer that. (Oh, and only if these clever people write documentation. Many clever people hate writing documentation. I decided a long time ago that if software comes without documentation, it is not worth my time, no matter how great that documentation is. This refers mostly to on-the-application side; I only rarely looked at the Linux documentation, but others stated that it is not too terrible either, so who knows.)
It's weird because why can't they train the AI to simply output secure code?
The basic security flaws with regards to input validation and overflows should never ever be output by an AI. For "security flaws due to bad design" I'll cut them slack until AGI is achieved.
> It's weird because why can't they train the AI to simply output secure code?
The most interesting security bugs have causes that are spread across large codebases, or networks of dependencies.
Training the AI to "output secure code" won't work if it doesn't also have access to the source code of every dependency that it's using... and even then, given current model speeds and prices most developers won't want to wait for an hour on every edit they make while the LLM reasons through all of the dependencies.
What's destabilizing the industry right now isn't vulnerabilities AI introduces into new code; it's a flood of sev:hi vulnerabilities in existing code, not introduced by AI but discovered by it.
> What's destabilizing the industry right now isn't vulnerabilities AI introduces into new code; it's a flood of sev:hi vulnerabilities in existing code, not introduced by AI but discovered by it.
Vulnerability discovery has essentially moved to a "proof of work" computation model with AI that has some similarities to crypto like BTC or Ethereum 1.0. I don't see any reason a well funded adversary couldn't use this same process on open-source code to develop exploits. I'm sure AI would be happy to try and create exploits from the results rather than fixes.
This sort of proof of work has a notable difference from crypto in the asymmetric nature of what each side is targeting. In crypto, each miner was attempting to find a solution to the same problem and they would all move on to a new one once a solution is found. However with AI vulnerability scanning, the non-deterministic nature means an adversary is likely to find different vulnerabilities. Even if it doesn't, the adversaries have a different post-discovery workflow (i.e. probably less compute intensive aka cheaper due to only needing one viable exploit to win) than the software maintainers do.
Considering it's possible both the adversary and their target could both do all this while running Claude puts Anthropic in a real "Merchant of Death" position.
Even before that everybody was getting drowned in shitty reports from automated tools.
The goal of AI-generated code should not be that one needs an AI-based security review tool on top of it, but that the AI-generated code in itself is reasonably secure.
I think these audit tools can look beyond just security and can look for compliance audits as well. The ability to audit real targets in staging environments makes it easy to identify issues.
Your listing is not exhaustive - startups can also be acquired for politics, for marketing purposes, whatever. There are a lot of meatspace things going on in the upper echelons of the US tech industry.
Recent history shows that an idealized view only focusing on fiduciary duty does not capture the whole picture of business in the USA.
Rarely does one acquire dollars for the sake of having dollars. Dollars are power tokens, and the acquisition of them beyond a certain point is almost always accompanied by a motive.
Criminals are not afraid of the police but afraid of the IRS. Smuggling and selling prohibited goods is super easy, but then you suddenly have a shitload of cash but everybody knows you as an unemployed bum without a career, and they would report you to authorities if they see you in a supercar. They need a cover story and career that allows them to "earn" money without raising any suspicion.
As the other commenter said, "Ozark" is a really good show about this.
Breaking Bad was another show that addressed some of the issues with Walt buying a car wash as a way to try to launder the drug money although the problem was that there was too much money (thus the 55-gallon drums of cash buried in the desert).
What became clearer the 2nd time around was that Walter White was a horrible criminal whose downfall was that he was greedy and didn't know when to stop.
Well, yes, it's fiction. My point is that Walter White, as a written fictional character, is written as a horrible criminal.
Pay closer attention to Mike's criticism of Walter's antics; or the general contrast between Gus, who is a professional criminal, and Walter, especially when Gus "fires" Walter. Ultimately, things end up poorly for Mike and Gus because Walter doesn't know how to behave as a criminal. (Or as a tech startup founder, for that matter.)
Love your confidence. Must be just a coincidence then, huh?
Do you believe someone working for US intelligence who arranges a vanity social security number for Ghislaine and whose grandparent was head of social security administration has no means to create multiple identities?
Prior to joining Oracle, Jeff served as Chief Financial Officer of several public and private companies, including DoubleClick (sold to Google), King World Productions (sold to CBS) and Nielsen’s Media Measurement and Information Group. Earlier in his career, he was an investment banker at The First Boston Corporation.
Your "Jeff Epstein" should fix his CV, because the King family were previous owners of Zorro ranch. And the Nielsen family were previous owners of the Epstein island. Is your Jeff maybe the real Jeff who made a killing in finance and the publicly known "bad" Jeff was just using his name, just as he did with Marius Fortelni?
And once the "bad" Jeff goes to Florida jail in 2009 the "clean" Jeff leaves Florida with Oracle?