Readit News
HoyaSaxa commented on Show HN: Tips to stay safe from NPM supply chain attacks   github.com/bodadotsh/npm-... · Posted by u/bodash
HoyaSaxa · 3 months ago
For most projects, overriding every single transitive dependency to be pinned is impractical.

Instead, for those using npm, I'd highly suggest using `npm ci` both locally and of course on CI/CD. This will ensure the (transitive) dependencies pinned in the lockfile are used.

TIL on the `npm install --before="$(date -v -1d)"` trick; thanks for that! Using that to update (transitive) dependencies should be really helpful.

For those using GitHub Actions, I'd also recommend taking advantage of the new dependabot cooldown feature to reduce the likelihood of an incident. Also make sure to pin all GitHub Action dependencies to a sha and enforce that at the GitHub repo/account level.
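One way to check the SHA-pinning advice in the comment above, added here as an example (not code from the commenter or the linked repository): a line-based scan of a workflow file for `uses:` references that are not pinned to a full commit SHA. The function name, the sample workflow, the placeholder SHA and digest, and the choice to require a `sha256` digest for `docker://` references are assumptions made for illustration.

```javascript
// Added example: flag GitHub Actions `uses:` references that are not pinned
// to a full 40-character commit SHA. Line-based scan, not a full YAML parser.
const FULL_SHA = /^[0-9a-f]{40}$/i;
const DIGEST = /^sha256:[0-9a-f]{64}$/i;

function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, idx) => {
    // Match `uses: value` or `- uses: value`, optionally quoted; stop at a comment.
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)/);
    if (!m) return;
    const target = m[1];
    // Local actions in the same repository carry no ref to pin.
    if (target.startsWith("./")) return;
    const at = target.lastIndexOf("@");
    const ref = at === -1 ? "" : target.slice(at + 1);
    // Assumption: container images count as pinned only by digest.
    const pinned = target.startsWith("docker://")
      ? DIGEST.test(ref)
      : FULL_SHA.test(ref);
    if (!pinned) findings.push({ line: idx + 1, target, ref: ref || null });
  });
  return findings;
}

// Constructed sample workflow; the SHA and digest are placeholders, not real releases.
const SAMPLE_WORKFLOW = `
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@${"a".repeat(40)} # v4 (placeholder SHA)
      - uses: ./.github/actions/local-lint
      - uses: "example-org/deploy@main"
      - uses: docker://alpine:3.20
      - uses: docker://alpine@sha256:${"b".repeat(64)}
      - run: npm ci
`;

for (const f of findUnpinnedActions(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.target} is not pinned to a commit SHA`);
}
```

Run as a CI step over `.github/workflows/*.yml`, a non-empty result can fail the build, which complements the repo- or account-level enforcement the comment mentions.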

HoyaSaxa commented on A postmortem of three recent issues   anthropic.com/engineering... · Posted by u/moatmoat
l1n · 3 months ago
(Anthropic employee, speaking in a personal capacity)

> I’m pretty surprised that Anthropic can directly impact the infra for AWS Bedrock as this article suggests.

We don't directly manage AWS Bedrock deployments today, those are managed by AWS.

> I can’t imagine the average person equates hitting this button with forfeiting their privacy.

We specify

> Submitting this report will send the entire current conversation to Anthropic for future improvements to our models.

in the thumbs down modal. Is there a straightforward way to improve this copy?

HoyaSaxa · 3 months ago
> We don't directly manage AWS Bedrock deployments today, those are managed by AWS.

That was my understanding before this article. But the article is pretty clear that these were "infrastructure bugs" and the one related to AWS Bedrock specifically says it was because "requests were misrouted to servers". If Anthropic doesn't manage the AWS Bedrock deployments, how could it be impacting the load balancer?

HoyaSaxa commented on A postmortem of three recent issues   anthropic.com/engineering... · Posted by u/moatmoat
_da_ · 3 months ago
> This is pretty concerning. I can’t imagine the average person equates hitting this button with forfeiting their privacy.

When you click "thumbs down" you get the message "Submitting this report will send the entire current conversation to Anthropic for future improvements to our models." before you submit the report, I'd consider that pretty explicit.

HoyaSaxa · 3 months ago
Great to hear. I'm not a Claude user and the article did not make it seem that way.
HoyaSaxa commented on A postmortem of three recent issues   anthropic.com/engineering... · Posted by u/moatmoat
crazygringo · 3 months ago
Sounds fine to me. I'm assuming it wasn't obvious to readers that there was a confirmation message that appears when thumbs down is clicked.
HoyaSaxa · 3 months ago
Yes, I don't use Claude so I wasn't aware. I'm glad to hear it sounds like it is conspicuous.
HoyaSaxa commented on A postmortem of three recent issues   anthropic.com/engineering... · Posted by u/moatmoat
HoyaSaxa · 3 months ago
I’m pretty surprised that Anthropic can directly impact the infra for AWS Bedrock as this article suggests. That goes against AWS’s commitments. I’m sure the same is true for Google Vertex but I haven’t dug in there from a compliance perspective before.

> Our own privacy practices also created challenges in investigating reports. Our internal privacy and security controls limit how and when engineers can access user interactions with Claude, in particular when those interactions are not reported to us as feedback.

Ok makes sense and glad to hear

> It remains particularly helpful for users to continue to send us their feedback directly. You can use the /bug command in Claude Code

Ok makes sense and I’d expect that a human can then see the context in that case although I hope it is still very explicit to the end user (I’m not a Claude Code user so I cannot comment)

> or you can use the "thumbs down" button in the Claude apps to do so

This is pretty concerning. I can’t imagine the average person equates hitting this button with forfeiting their privacy.

HoyaSaxa commented on The AI Code Review Disconnect: Why Your Tools Aren't Solving Your Real Problem   avikalpg.github.io/blog/a... · Posted by u/avikalp
CompoundEyes · 10 months ago
I put in a code reviewer that runs and comments when a pull request is created using GitHub Actions and Microsoft GenAIScript. It's pretty straightforward. The key thing is we have total control over the prompt to fit our repo and devs' needs, can make it multi-stage and deterministic using TypeScript code or use agents in GenAIScript to open adjacent files for more context. The value we've received is that a dev can look over the review to catch anything they might have missed and make changes all before another dev looks at it. That saves time. I've seen devs open draft pull requests to get preliminary feedback on work in progress. The reviewer script is versioned with the repo. Currently using a mix of gpt-4o and gpt-4o-mini in parts of the script to do smaller tasks.
HoyaSaxa · 10 months ago
I’d be interested in seeing the scripts if you are able to share (redacted) versions of them
HoyaSaxa commented on GitHub Is Down   isdown.app/status/github?... · Posted by u/arjun27
HoyaSaxa · a year ago
It appears to be back now. Many users across our company were unable to load github.com at all from ~14:43 to ~14:50 UTC. https://www.githubstatus.com/ is finally admitting to "degraded" performance
HoyaSaxa commented on Multiple new macOS sandbox escape vulnerabilities   jhftss.github.io/A-New-Er... · Posted by u/transpute
HoyaSaxa · a year ago
Impressive finds! As you allude to in your post, it seems very likely similar flaws still exist in the wild. I’d imagine we are going to see a consistent stream of XPC related CVEs unless Apple is redesigning its approach to hardening those services.
HoyaSaxa commented on Ask HN: Who is hiring? (October 2024)    · Posted by u/whoishiring
HoyaSaxa · a year ago
Narmi | New York, NY (NYC) | ONSITE (really a lax hybrid) | https://www.narmi.com

Narmi is helping reinvent banking in the United States. We create a more accessible and useful financial ecosystem by powering the online banking, mobile banking, account opening and open banking APIs for the 10,000 credit unions and community banks in the United States.

You'll be working on production software that has a real impact on the average American's life every day. Our software helps them save money on their bills, understand their financial story, protect their families and move money.

Narmi was founded by two Georgetown University alums who previously worked as CEO and CTO of an $18 million credit union and also at some of the largest banks in the world.

We are a Series B startup with a great group of investors including a top 5 VC (NEA), we are continuing to grow quickly, and have a sustainable business model.

Even if you don't think you are an exact fit for one of our current openings, we'd still love to talk. We are always looking for well-rounded engineers to join our team in NYC.

- VP of Engineering https://jobs.lever.co/narmi/47db7f41-b421-4fca-b8ea-12c54957...

- Software Engineer II https://jobs.lever.co/narmi/3f89c175-bdfb-47b6-8d52-c34dcd49...

- Product Designer II https://jobs.lever.co/narmi/5ee0e2ba-e1ec-46a3-9b71-2fa9f63f...

You can learn more on our website (https://www.narmi.com/careers). Make sure to mention you found us on Hacker News. Also please feel free to reach out directly to me chris @ our domain.

u/HoyaSaxa

Karma: 699 · Cake day: June 18, 2011
About
Founder @Narmi which powers the online banking, mobile banking, and open banking API for 10,000+ credit unions and community banks in the US.

Former CTO of the nation's largest student-run financial institution. Former Equity Trader at Barclays.

https://github.com/chris-griffin https://www.narmi.com/
