lucasluitjes commented on Ask HN: Why there are no actual studies that show AI is more productive?    · Posted by u/make_it_sure
AugustoCAS · 6 days ago
Dora released a report last year: https://dora.dev/research/2025/dora-report/

The gains are ~17% increase in individual effectiveness, but a ~9% of extra instability.

In my experience using AI assisted coding for a bit longer than 2 years, the benefit is close to what Dora reported (maybe a bit higher, around 25%). Nothing close to an average of 2x, 5x, 10x. There's a 10x in some very specific tasks, but also a negative factor in others, as seemingly trivial but high impact bugs get to production that would normally have been caught very early in development or in code reviews.

Obviously depends what one does. Using AI to build a UI to share cat pictures has a different risk appetite than building a payments backend.

lucasluitjes · 6 days ago
The full report can be found here: https://services.google.com/fh/files/misc/2025_state_of_ai_a...

That 17% increase is in self-reported effectiveness. The software delivery throughput only went up 3%, at a cost of that 9% extra instability. So you can build 3% faster with 9% more bugs, if I'm reading those numbers right.

lucasluitjes commented on I'm losing the SEO battle for my own open source project   twitter.com/Gavriel_Cohen... · Posted by u/devinitely
lucasluitjes · 11 days ago
I've been annoyed with Google search quality lately and was wondering how the others fared on this specific issue. Turns out, mostly not much better.

Bing, DuckDuckGo, Qwant, Ecosia, Brave all had the github repo and nanoclaw.net (the fake homepage) in the first or second place. Marginalia had fascinating results about biology but only tangentially related Nanoclaw results, not the github repo or either the fake or real homepage.

Mojeek was the exception, sort of. It had some random news sites up top, but the github repo in 2nd place and nanoclaw.dev (the real homepage) in the 4th place. The fake nanoclaw.net did not show.

Kagi is the only one I couldn't try because apparently I used up my free credits a year back. Can anyone see how they compare?

lucasluitjes commented on Running Claude Code dangerously (safely)   blog.emilburzo.com/2026/0... · Posted by u/emilburzo
embedding-shape · 2 months ago
That's because Vagrant isn't a "VM", it's a developer tool you use locally that happens to use VMs, and it was created in an era where 1) containers didn't exist as they do today, 2) packaging and distribution for major languages wasn't infected with malware and 3) LLM agents didn't run on our computers; they do now, and they are kind of dumb sometimes and delete stuff.

With new realities, new workflows have to be adopted. Once malware started to appear on npm/pypi, I started running all my stuff in VMs unless it's something really common and presumed vetted. I do my banking on the same computer I do programming, so it's either that or get another computer.

lucasluitjes · 2 months ago
Agree with all of that, especially modern supply chain risk (imho the more important reason to opt for VM isolation rather than containerization). But the original article specifically talks about Vagrant as an isolation solution, and describes it as not protecting against VM escape, but also says that guest-to-host 0days are rare.

Hence pointing out that VM escape is a lot easier than that if your VM management tool syncs folders the way that Vagrant does by default.

lucasluitjes commented on Running Claude Code dangerously (safely)   blog.emilburzo.com/2026/0... · Posted by u/emilburzo
embedding-shape · 2 months ago
Doesn't this assume you bi-directionally share directories between the host and the VM? Or how would the AI inside the VM be able to write to your .git repository or Vagrantfile? That's not the default setup with VMs (AFAIK, you need to explicitly use "shared directories" or similar), nor should you do that if you're trying to use a VM for containment of something.

I basically do something like "take snapshot -> run tiny vm -> let agent do what it does -> take snapshot -> look at diff" for each change, restarting if it doesn't give me what I wanted, or I misdirected it somehow. But there is no automatic sync of files, that'd defeat the entire point of putting it into a VM in the first place, wouldn't it?

lucasluitjes · 2 months ago
It's the default behaviour for Vagrant. You put a Vagrantfile in your repo, run `vagrant up` and it creates a VM with the repo folder shared r+w to `/vagrant` in the VM.
lucasluitjes commented on Running Claude Code dangerously (safely)   blog.emilburzo.com/2026/0... · Posted by u/emilburzo
lucasluitjes · 2 months ago
> What you’re NOT protecting against:

> a malicious AI trying to escape the VM (VM escape vulnerabilities exist, but they’re rare and require deliberate exploitation)

No VM escape vulns necessary. A malicious AI could just add arbitrary code to your Vagrantfile and get host access the first time you run a vagrant command.

If you're only worried about mistakes, Claude could decide to fix/improve something by adding a commit hook. If that contains a mistake, the mistake gets executed on your host the first time you git commit/push.

(Yes, it's unpleasantly difficult to truly isolate dev environments without inconveniencing yourself.)
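
The two attack paths above (a rewritten Vagrantfile, or a dropped git hook, both written from inside the VM through the r+w /vagrant share and then executed by the host) have a cheap host-side mitigation: pin the files the host executes out of a checkout and refuse to run `vagrant`/`git` when they changed. The script below is an added example, my code and not from the thread, from Vagrant or from the linked article. It assumes GNU `sha256sum` and stores baselines in `~/.trusted-repo-files` (or `$TRUST_DIR`); the list of host-executed files is my choice and deliberately narrow.

```shell
#!/bin/sh
# Added example (not from the thread or from Vagrant): a host-side "trusted
# file" check for a repo that an agent edits through a shared folder.
#
# The VM shares the repo r+w to /vagrant, so anything in the VM can rewrite
# files the *host* later executes:
#   - Vagrantfile     (Ruby, evaluated by every `vagrant ...` command)
#   - .git/hooks/*    (run by `git commit`, `git push`, ...)
# No guest-to-host escape needed. This pins a baseline of those files' hashes
# outside the repo and refuses to proceed if any of them changed.
#
# Assumptions (mine): sha256sum is available; baseline dir is
# $TRUST_DIR or ~/.trusted-repo-files, which the VM must not be able to write.
set -eu

# Files the host runs from a checkout. Hypothetical list; extend as needed.
host_executed_files() {
    repo="$1"
    [ -f "$repo/Vagrantfile" ] && printf '%s\n' "$repo/Vagrantfile"
    if [ -d "$repo/.git/hooks" ]; then
        find "$repo/.git/hooks" -type f ! -name '*.sample'
    fi
    return 0
}

# Emit "sha256  relative/path" lines, sorted, for the host-executed files.
fingerprint() {
    repo="$1"
    host_executed_files "$repo" | sort | while IFS= read -r f; do
        rel="${f#"$repo"/}"
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$rel"
    done
}

# Baseline path for a repo, keyed by a hash of its absolute path.
baseline_file() {
    repo="$1"
    dir="${TRUST_DIR:-$HOME/.trusted-repo-files}"
    mkdir -p "$dir"
    key=$(printf '%s' "$repo" | sha256sum | cut -d' ' -f1)
    printf '%s/%s\n' "$dir" "$key"
}

# Record the current state as trusted. Run this only after *you* reviewed the
# Vagrantfile and hooks on the host, never from inside the VM.
trust_repo() {
    repo="$1"
    fingerprint "$repo" > "$(baseline_file "$repo")"
}

# Return 0 if nothing changed since the baseline; print the diff and return 1
# otherwise. Use as: verify_repo . && vagrant up
verify_repo() {
    repo="$1"
    base=$(baseline_file "$repo")
    if [ ! -f "$base" ]; then
        echo "no baseline for $repo; review the files, then run: $0 trust $repo" >&2
        return 1
    fi
    current=$(fingerprint "$repo")
    if [ "$current" != "$(cat "$base")" ]; then
        echo "host-executed files changed since baseline:" >&2
        printf '%s\n' "$current" | diff "$base" - >&2 || true
        return 1
    fi
    return 0
}

case "${1:-}" in
    trust)  trust_repo "$(cd "${2:-.}" && pwd)" ;;
    verify) verify_repo "$(cd "${2:-.}" && pwd)" ;;
    *) ;;   # no arguments: define the functions only
esac
```

This only catches the change after the fact, so it belongs in front of the commands that would execute the files (`verify_repo . && vagrant up`, a git alias that runs `verify_repo` before `commit`). The more fundamental fix is to not share the repo into the VM at all, or to turn off Vagrant's default share with `config.vm.synced_folder ".", "/vagrant", disabled: true` and move code in and out with `git` over an explicit channel.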

lucasluitjes commented on Ask HN: Who wants to be hired? (January 2026)    · Posted by u/whoishiring
lucasluitjes · 2 months ago

  Location: The Netherlands. I'm flexible with working hours, I usually work with clients from either Western Europe or the USA.
  Remote: Yes
  Willing to relocate: No, but willing to travel/visit
  Technologies: especially Ruby (including Ruby on Rails, Sinatra, and standalone applications), PostgreSQL, Ansible, Linux. Lots of others at the end of my comment.
  Résumé/CV: https://www.luitjes.it
  Email: lucas@luitjes.it 
I do dev/devops/security, usually for startups or scale-ups or other small orgs with limited resources, and I've been doing that for 15+ years. So, if you:

* Have a slow web application that’s often down?

* Want to improve security and don’t know where to start?

* Have a legacy system that needs to be replaced?

* Are considering an acquisition but not sure about the technical side?

I can help with that. For example, in the past I have:

* Massively improved performance and reliability for a data visualization platform.

* Led a large effort to improve security for a cybersecurity SaaS.

* Built a micropayments system for a prominent media startup.

* Rebuilt an aging e-learning platform from scratch for a GDPR compliance SaaS.

* Conducted technical due diligence for acquisitions.

For more information: https://www.luitjes.it

Other tech I've worked with: Elixir, C#, Java (Spring/Hibernate), JavaScript, HTML/CSS/XSLT/XPATH/XSLFO, Elasticsearch, MongoDB, MySQL, Redis, Solr/Lucene, Graphite, Kibana, Grafana, Logstash, Icinga, Jenkins, Varnish, HAProxy, Pound, Nginx, Apache, Passenger, Vagrant, Docker, DCOS, Kubernetes, SSH, OpenVPN, TCP/IP, tcpdump/strace/lsof/etc, AWS (EC2, ELB/ALB, S3, CloudFront, Lambda, Batch, VPC, etc.).

lucasluitjes commented on AI scrapers request commented scripts   cryptography.dog/blog/AI-... · Posted by u/ColinWright
throw_me_uwu · 4 months ago
> most likely trying to non-consensually collect content for training LLMs

No, it's just background internet scanning noise

lucasluitjes · 4 months ago
This.

If you were writing a script to mass-scan the web for vulnerabilities, you would want to collect as many http endpoints as possible. JS files, regardless of whether they're commented out or not, are a great way to find endpoints in modern web applications.

If you were writing a scraper to collect source code to train LLMs on, I doubt you would care as much about a commented-out JS file. I'm not sure you'd even want to train on random low-quality JS served by websites. Anyone familiar with LLM training data collection who can comment on this?
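
To make the "endpoint harvesting" hypothesis concrete, here is an added example (my code, not from the thread or the linked post) of what a naive regex-based scanner does with a page: it pulls every `<script src>` it sees, and because it never parses HTML comments, a commented-out script tag is indistinguishable from a live one. It then mines the fetched JS for path-like string literals, which is where the endpoint list comes from. The HTML and JS samples are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a regex-only endpoint harvester of the
# kind a mass vulnerability scanner would use, to show why such a scanner
# requests commented-out scripts. Sample inputs below are constructed.
set -eu

# Constructed sample page. The second script tag is inside an HTML comment.
SAMPLE_HTML='<html><head>
<script src="/static/app.js"></script>
<!-- <script src="/static/legacy-admin.js"></script> -->
<script src="https://cdn.example.com/lib.js"></script>
</head></html>'

# Constructed sample JS, as the scanner would see it after fetching app.js.
SAMPLE_JS='fetch("/api/v1/users");
const base = "/api/v1";
axios.post(base + "/login", creds);
// fetch("/api/internal/debug")'

# Print script src values, one per line. Deliberately regex-only: HTML
# comments are not parsed, so commented-out script tags are returned too.
script_srcs() {
    printf '%s\n' "$1" \
        | grep -oE '<script[^>]*src="[^"]+"' \
        | sed -E 's/.*src="([^"]+)"/\1/'
}

# Print candidate endpoints: double-quoted string literals that look like an
# absolute path or a URL. Commented-out JS is harvested just like live code.
js_endpoints() {
    printf '%s\n' "$1" \
        | grep -oE '"(/[A-Za-z0-9_./-]*|https?://[^"]+)"' \
        | tr -d '"' \
        | sort -u
}

# Stand-alone usage: show what the scanner would collect from the samples.
if [ "${1:-}" = "demo" ]; then
    echo "scripts to fetch:";   script_srcs "$SAMPLE_HTML"
    echo "endpoints in app.js:"; js_endpoints "$SAMPLE_JS"
fi
```

Run with `sh harvest.sh demo`. The three script URLs come back including `/static/legacy-admin.js`, which is exactly the request pattern the blog post observed; none of this requires any interest in the file as training data.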

lucasluitjes commented on Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking   arstechnica.com/gadgets/2... · Posted by u/akyuu
derbOac · 4 months ago
They couldn't answer the question most on my mind: "We’ve reached out to Google to inquire about why a custom ROM created by volunteers is more resistant to industrial phone hacking than the official Pixel OS. We’ll update this article if Google has anything to say."
lucasluitjes · 4 months ago
GrapheneOS is basically the Android equivalent of iOS Lockdown mode. Considering how the threat landscape has changed, it would be nice if Google offered this itself. Or became a long-term sponsor of GrapheneOS, seeing how great a job they've been doing.
lucasluitjes commented on Ask HN: Freelancer? Seeking freelancer? (October 2025)    · Posted by u/whoishiring
lucasluitjes · 5 months ago
SEEKING WORK | REMOTE | Dev, DevOps, Security | Location: The Netherlands

Willing to relocate: no, but willing to travel/visit. I'm flexible with working hours, I usually work with clients from either Western Europe or the USA.

I do dev/devops/security, usually for startups or scale-ups or other small orgs with limited resources, and I've been doing that for 15+ years. So, if you:

* Have a slow web application that’s often down?

* Want to improve security and don’t know where to start?

* Have a legacy system that needs to be replaced?

* Are considering an acquisition but not sure about the technical side?

I can help with that. For example, in the past I have:

* Massively improved performance and reliability for a data visualization platform.

* Led a large effort to improve security for a cybersecurity SaaS.

* Built a micropayments system for a prominent media startup.

* Rebuilt an aging e-learning platform from scratch for a GDPR compliance SaaS.

* Conducted technical due diligence for acquisitions.

For more information: https://www.luitjes.it

Favorite buzzwords: Ruby (including Ruby on Rails, Sinatra, and standalone applications), PostgreSQL, Ansible, Linux.

Other buzzwords: Elixir, C#, Java (Spring/Hibernate), JavaScript, HTML/CSS/XSLT/XPATH/XSLFO, Elasticsearch, MongoDB, MySQL, Redis, Solr/Lucene, Graphite, Kibana, Grafana, Logstash, Icinga, Jenkins, Varnish, HAProxy, Pound, Nginx, Apache, Passenger, Vagrant, Docker, DCOS, Kubernetes, SSH, OpenVPN, TCP/IP, tcpdump/strace/lsof/etc, AWS (EC2, ELB/ALB, S3, CloudFront, Lambda, Batch, VPC, etc.).

lucasluitjes commented on Contemplative Artificial Intelligence   arxiv.org/abs/2504.15125... · Posted by u/lucasluitjes
lucasluitjes · 6 months ago
TLDR: they wrapped prompts with concepts from Buddhism and got better performance on alignment tests. Actual prompts are in appendix D in this PDF: https://osf.io/az59t

I'm curious what effects you would see with secular moral philosophy, other religions, etc. Is Buddhism special, as the paper seems to argue?

u/lucasluitjes

Karma: 236 · Cake day: November 9, 2020
About
I'm a one-stop dev/devops/infosec shop for startups. See https://www.luitjes.it for lots of details.