"everything else is just efficiency" is a nice line but the efficiency is the hard part. the core of a search engine is also trivial, rank documents by relevance. google's moat was making it work at scale. same applies here.
Sure, but understanding the core concepts are essential to make things efficient and as far as I understand, this has mainly educational purposes ( it does not even run on a GPU).
the interesting question is why dario published this. these disputes normally stay behind NDAs and closed doors. going public means anthropic decided the reputational upside of being the company that said no outweighs the risk of burning the relationship permanently. that's a calculated move, not really just a principled one.
MCP's only real value is the auth handshake for third-party SaaS. the actual tool execution is worse than a subprocess call. more tokens, harder to debug, and the failure modes are worse. if someone just extracted the OAuth layer into a standard that CLIs could use, there's very little reason for the rest of the protocol to exist.
It happens all the time, and it doesn’t even require coordination, just synchronized intent.
Examples:
- ai.com launching with a super bowl ad and being taken down just from large sign up volume
- Taylor Swift drops an album on Spotify, everyone rushes to stream it, crashes Spotify
- random small websites get featured on reddit front page and get hit offline
> how large would the number of users need to be
depends on the target. small website on shared hosting could be hit offline by 1000 concurrent users. major platform might need millions of users concurrently hitting write paths, not just loading cached/static content. or all requiring open sustained connections
I work for a $50B+ company (is this big tech? idk), but I’ll answer this because we are fully embracing AI (Cursor, Claude Code, cloud agents, AI reviews, you name it)
> Have you noticed faster pace of development?
Yes, our org has had a 50% increase in PRs since Opus 4.5 released.
> Have you seen changes to code quality or code review?
Yes, significantly more bugs (no exact number), but consider it maybe 3-4x in volume. However, nothing catastrophic and everyone just uses AI for fast-follow fixes anyways. The company as a whole is embracing this style of development for better or worse.
> Do teammates that use these tools complete sprint tasks faster than those who don't?
Yes, but my entire team uses them. I’d say the ones who use it more effectively (crazy skill setups, better tooling/commands, better scaffolding) finish much faster. Probably 80% of my team still uses Cursor in the one-shot way with very vague requirements, and don’t have the AI connected to github, jira, slack, etc which can actually feed really important context into decision making.
If I do something more than once a day, I write a custom slash command for it. This has personally 2x’d my pace.
From this and several other comments here, I think the next big play here is to build something to completely eradicate the bugs that are generated by these AI tools.
everyone in the comments is talking about stylometry and rewriting your posts with LLMs. the paper barely uses stylometry. the attack surface is semantic: your interests, your city, the conference you mentioned once 2 years ago. you can't rewrite your way out of having said you work in fintech in austin and own a golden retriever.
you can intentionally add false biographical information. what if you had a bot posting responses in subreddits for cities across the world on your account
That's adding noise, not removing metadata. One can filter the noise.
Your interests can show up in all sorts of ways. Perhaps it's not saying "I like Madonna" on some social network, but the urge to interact with one specific song she recorded. One like can be the difference of giving away who you are or not.
With AI, there's a higher chance of active deanonymization tactics. This was possible for only select targets in the past. It's the creation of content or design of interactions that is meant to surface certain behavioral patterns (such as offering you that song "casually" in some timeline to gauge if you're going to interact with it).
Trying to mask or change your behavior is likely to result in a weird and very noticeable presence. Like trying to change how you walk will often lead to a caricaturized behavior, not something that someone would naturally do.
Acting naturally is probably the starting point of any attempt to prevent deanonymization, and the hardest to achieve. You have to be aware of your own behavior much more than people often do.
There are some extremely concerning security vulnerabilities in this project that even the weakest of hackers could exploit.
Is this product a ragebait/troll?
1) Account takeover of any user with just their email: POST /v1/account/recovery with any user's email, the API response gives you the plaintext recovery secret. Call PUT /v1/account/recovery with that secret + a new password. You now own their account. No email inbox access needed. Two curl commands.
2) Password hashes returned by the API: GET /v1/users with any API key returns every user's full argon2 hash, algorithm, and tuning parameters. tested and got $argon2id$v=19$m=65536,t=3,p=4$... for test@kraz.in.
3) CORS reflects any origin with credentials: Send Origin: https://evil.com to any endpoint — server responds with Access-Control-Allow-Origin: https://evil.com + Access-Control-Allow-Credentials: true. Any website on the internet can silently read authenticated API responses from logged-in users
There is literally like 50 more of these though. The author probably didn't spend more than 5 minutes on security hardening.
"advanced manufacturing center" which is 20k sqft, about 1/7 the size of a typical Costco. I wouldn't hail this as the great revival of american manufacturing
