So the guy was Google's planted ~expert~ lobbyist for the European Commission and now he's rich enough to quit, and makes a blogpost about it because people are rightfully skeptical about his motives?
It's just sad that these kinds of bugs still slip through. So many people lack the ability to come up with the most straightforward edge cases for their validation code.
To me it feels like people who build LEGO their whole lives but never once stray away from the step-by-step manual and never have built something "outside the box".
Respectfully, it sounds like you just haven't dealt with any significant tax or regulatory tasks.
There are entire industries of experts who work on these tasks, and they don't just work for people trying to skirt the rules. I've hired people for both tasks and the reason was specifically to comply.
NIST, MS, and the security community all recommend against forcing people to change their passwords on fixed intervals. They should only be changed when there is an indication they have been compromised.
PCI requirements demand mandatory 30 day rotation intervals on user passwords for users with administrative privileges, IIRC. Something like that.
They haven’t kept up. So until they change the rules you can either be PCI compliant or implement the current best practice. Not both.
Your example completely ignores the temporal dimension.
The best practice was to rotate your passwords, but we discovered that this led users to picking less secure and easier to remember passwords and patterns.
Once technology offered up solutions to problems like password managers and breach notifications, that recommendation changed.
PCI used to mandate password changes for in-scope accounts (meaning they have access to credit card flows). Now that MFA is widely deployed that requirement only remains for accounts that do not have a second factor for authentication.
If you were ahead of the curve and implemented strong password policies that did not conform to the PCI baseline, all you had to do was explain to the auditor why. Assuming what you were doing genuinely increased your security posture it would be approved.
Other standards all used to recommend password rotation. Most have amended it to deprecate or even prohibit password rotation.
> Once technology offered up solutions to problems like password managers and breach notifications, that recommendation changed
It wasn’t just that.
The original recommendation for password expiration failed to take into account the human practices that resulted.
Everyone has worked in an office with passwords on post-it notes, or seen passwords numbered with sequentially incremented integers at the end. Password rotation isn’t merely a baseline level of assurance, it has a negative impact on security because of the effect it has on password hygiene. In practice, passwords that expire can be easily guessed by appending something to the end of the prior password. And they are more likely to be written down in plaintext.
Permanent, non-expiring passwords without MFA are stronger in practice than expiring passwords.
Is this a story from the Epstein universe? Because the town of York during that time had some interesting characters like Donald and Khashoggi. Also "Lago Mar" in Florida sounds familiar.
Edit: At the end the main protagonist even mentions having Iran Contra evidence and speaks to the commission, but two senators present evidence that devalues his testimony. Interesting.
Looks good, nice features. But somehow the spark does not ignite on my side because it feels too artificial. I don't know if the metrics are faked, if the convenience functions actually work, if there is any proper hardening.
I can accept if stuff is vibe coded and has autogenerated README. But even the announcement blogpost is AI-generated, and I personally have zero data points to see if your understanding of software quality is the same as mine.
It's a weird world, if this would've been announced without any AI disclaimers some years earlier I would've eaten it up without a doubt. But right now if I see a fancy README with several good-looking command line parameters I immediately wonder if the README is hallucinated and the command line parameters actually exist.
Hi, author here - a few critical pieces of this, like async-ebpf, were written long before those coding agents were released. I use AI assistance a lot when creating zeroserve itself, but I manually check AI output and take responsibility for it :)
I'm of the school of thought that if a practicing/retired software engineer (i.e. someone I reasonably believe has experience writing software for "production") wrote it, I've got to show it's trash, rather than assume it's trash. "Innocent until proven guilty" and all that. But I'm in the rather luxurious position of mostly using open source, rather than maintaining it, so I understand that others come down differently on this topic.
FWIW, I like the writeup and concept behind this. Very close to some passions of mine (like serving a website from a single-file archive).
if the point is to avoid the lua-issue on nginx, how do you expect people will implement things like geoip, request content match post ssl termination, etc?
Small static file (174 B) - the bread and butter of static sites:
server      req/s    p99
zeroserve   36,681   5.4 ms
nginx       31,226   7.8 ms
Caddy       12,830   22 ms
zeroserve serves small files about 17% faster than nginx on a single core, with a tighter tail. HTML pages, small JSON, CSS - this is the case zeroserve is tuned for.
Large static file (100 KB):
server      req/s    throughput   p99
zeroserve   8,000    782 MB/s     22 ms
nginx       7,600    773 MB/s     28 ms
Caddy       6,084    590 MB/s     44 ms
I'd go with a more storied project that's been audited, battle tested, hardened etc than this upstart. There's not enough improvement to justify the risk.
The problem with pasting LLM output is that no human with sound mind and body would waste their finite time on this Earth informing you that small static files are "the bread and butter of static sites".
> It's a weird world, if this would've been announced without any AI disclaimers some years earlier I would've eaten it up without a doubt. But right now if I see a fancy README with several good-looking command line parameters I immediately wonder if the README is hallucinated and the command line parameters actually exist.
Yeah, that is unfortunate. Recently there was this ffmpeg-wasm project. I tested it. It worked. But it was vibe-coded AI. I can't stand AI. Even if things work.
I decided to stay in the oldschool era as much as possible. Clever people publish software. Clever people maintain software. They don't need AI. That's my niche.
We may die out but I still prefer that. (Oh, and only if these clever people write documentation. Many clever people hate writing documentation. I decided a long time ago that if software comes without documentation, it is not worth my time, no matter how great that documentation is. This refers mostly to on-the-application side; I only rarely looked at the Linux documentation, but others stated that it is not too terrible either, so who knows.)