Feature so good you can't turn it off, so they can show in their internal metrics 100% adoption
They don't wanna be like Facebooks' .1%.Thy know your user.
Readit NewsDeleted Comment
DelightOne commented on One-man campaign ravages EU 'Chat Control' bill politico.eu/article/one-m... · Posted by u/cuu508
A metaphor: I once played in a D&D campaign where a player tried to create an extremely overpowered but technically legal character. His justification was that he would only use the extreme powers in moderation, so it would not be unfair or unbalanced. But why would he ask for such unprecedented powers if he didn't intend to use them?
The threat already silences the opposition. You don't have to use it to silence people.
DelightOne commented on I’ve removed Disqus. It was making my blog worse ryansouthgate.com/goodbye... · Posted by u/ry8806
The ad industry likes to say that their industry is clean and the people who buy ads for scams are the problem, but the truth is the entire industry is complicit with the scamming, and stuff like this shows it. If the ad industry were merely hapless victims of the scammers, rather than willful participants in the scamming, they'd be eager to receive reports of scams.
I bet they tried an llm scam detector. It was too good so they didn't put it into production.
DelightOne commented on Proposal to Ban Ghost Jobs cnbc.com/2025/08/25/tech-... · Posted by u/Teever
Isn't Germany the largest economy in the EU and one of the most productive workforces in the world?
Its death by a thousand cuts.
DelightOne commented on Proposal to Ban Ghost Jobs cnbc.com/2025/08/25/tech-... · Posted by u/Teever
The controls summarized in the CNBC piece seem reasonable, or, if not that, then at least not all that onerous.
The controls in the actual proposal are less reasonable: they create finable infractions for any claim in a job ad deemed "misleading" or "inaccurate" (findings of fact that requires a an expensive trial to solve) and prohibit "perpetual postings" or postings made 90 days in advance of hiring dates.
The controls might make it harder to post "ghost jobs" (though: firms posting "ghost jobs" simply to check boxes for outsourcing, offshoring, or visa issuance will have no trouble adhering to the letter of this proposal while evading its spirit), but they will also impact firms that don't do anything resembling "ghost job" hiring.
Firms working at their dead level best to be up front with candidates still produce steady feeds of candidates who feel misled or unfairly rejected. There are structural features of hiring that almost guarantee problems: for instance, the interval between making a selection decision about a candidate and actually onboarding them onto the team, during which any number of things can happen to scotch the deal. There's also a basic distributed systems problem of establishing a consensus state between hiring managers, HR teams, and large pools of candidates.
If you're going to go after "ghost job" posters, you should do something much more targeted to what those abusive firms are actually doing, and raise the stakes past $2500/infraction.
Making people able to sue for anyone feeling bad about not having gotten the job is a path you should not take. We have something similar in Germany and its horrible for companies. Leeches bleeding you dry.
DelightOne commented on Supabase MCP can leak your entire SQL database generalanalysis.com/blog/... · Posted by u/rexpository
Supabase engineer here working on MCP. A few weeks ago we added the following mitigations to help with prompt injections:
- Encourage folks to use read-only by default in our docs [1]
- Wrap all SQL responses with prompting that discourages the LLM from following instructions/commands injected within user data [2]
- Write E2E tests to confirm that even less capable LLMs don't fall for the attack [2]
We noticed that this significantly lowered the chances of LLMs falling for attacks - even less capable models like Haiku 3.5. The attacks mentioned in the posts stopped working after this. Despite this, it's important to call out that these are mitigations. Like Simon mentions in his previous posts, prompt injection is generally an unsolved problem, even with added guardrails, and any database or information source with private data is at risk.
Here are some more things we're working on to help:
- Fine-grain permissions at the token level. We want to give folks the ability to choose exactly which Supabase services the LLM will have access to, and at what level (read vs. write)
- More documentation. We're adding disclaimers to help bring awareness to these types of attacks before folks connect LLMs to their database
- More guardrails (e.g. model to detect prompt injection attempts). Despite guardrails not being a perfect solution, lowering the risk is still important
Sadly General Analysis did not follow our responsible disclosure processes [3] or respond to our messages to help work together on this.
[1] https://github.com/supabase-community/supabase-mcp/pull/94
[2] https://github.com/supabase-community/supabase-mcp/pull/96
How does an e2e test for less capable LLMs look like, you call each LLM one by one? Aren't these tests flaky by the nature of LLMs, how do you deal with that?
Deleted Comment
DelightOne commented on Thank HN: My bootstrapped startup got acquired today · Posted by u/paraschopra
Congratulations!
I've got a small question. How do you deal with people asking for open sourcing your product/code, claiming they don't want to use a product they don't control?
I think that's how the JavaScript Temporal proposal works. Convert your instant to the timezone, make the comparisons/calculations, hope you didn't jump an hour due to summertime, convert back.