Hacker News | Lionga's comments

So every government is a startup?

Money (or, more exactly, wealth) is not a zero-sum game.

Countries in which the income disparities ARE so high are also the ones where the "poor" are the richest. They just feel poor in comparison not in absolute terms.

70K a year is poor in California, but top 1% rich in almost any country in the world.

Countries with low income disparities are Albania, Afghanistan and Armenia, to name the first three with a Gini income coefficient below 30.


This is an anomaly and a leftover from the time when the middle class was growing after the Second World War. We (Western countries) are dismantling all the backstops, and the process will reverse and move all the wealth to the few rich people in the capital class. When this process is complete, the poverty levels in the West will equal those of the countries you mentioned, Afghanistan etc.

The USA and UK are leading the process since they started to pursue this goal aggressively during the 80s with Reaganism and Thatcherism.


And you're claiming the process still isn't complete more than 40 years later? Shouldn't the wealth gap between the poor in the US vs the poor in Afghanistan be starting to get smaller if your argument is correct?

And this is exactly why nominal $ amount comparisons are completely pointless. Someone who makes $70k in southern or eastern Europe is living like a king (or living at least a good life anywhere in Europe), while someone making $70k in expensive parts of California is going to struggle.

Wealth is equal to your share of the overall resources, $ amounts are just an abstraction.


Well, it's close to AGI, can you really expect AGI to follow simple instructions from dumbos like you when it can do the work of god?

As an old coworker once said when talking about a certain manager: "That boy's just smart enough to be dumb as shit." (The AI, not you; I don't know you well enough to call you dumb.)

That is how any legal system works, just to be clear.


That's not how the international legal system works


I mean, to be fair... the "international legal system" generally doesn't really work. It only works when governments think it works for them.

This usually means weaker (militarily/economically) countries banding together to hopefully provide some disincentives for strong-arming.

It only works until someone calls the bluff.


what is "the international legal system"?


He just asked a single question, and you seem to be unable to answer it.


What didn't you understand? The point isn't whether I do specific thing A or specific thing B; the point is that, when I can, I do the best in the situation to improve the average. The specifics don't matter. It is the overall impact. OP is playing the "debate" game, which is about winning, and not about the issue itself. It is because OP doesn't care to understand; they just want to score points, hence their desire to focus on specific instances.

Had OP said something like "How can you make an informed decision congruent with your ethics when so many ubiquitous companies violate human rights?" that would have been a genuine question. Instead OP said "Tell me why you don't do X" and behind that is "because I win." That's arguing from bad faith (a polite way to describe OP).


You said AMA, he asked a very simple question. You cannot answer that very simple question. He wins because he is almost surely correct in his assumptions about you, no matter how much you weasel around it.


I'm sorry you don't understand my answers. Like, at all. Maybe calm down and re-read my responses when you have a clear head? It's all spelled out multiple times.


So, uh, what phone do you use?


Isn't there a spectrum of phone manufacturers which go from fairly bad on human rights to fairly good?


Talk about dumping your trash on retail. YC is a lot smarter than I thought.


The house always wins.


Why do I read about all the vibe coders claiming to be 20X engineers in LLM threads and replacing many departments, yet there is not a single fking commercially successful thing here?

Funny also how Lovable and the like are hiring engineers like crazy, yet think engineers are not needed anymore. Why not just vibe code Lovable itself? Oh wait, I can tell you why.


You could probably find a good answer anywhere, but the solution is in a more nuanced view.

Some types of programming benefit more from AI tooling than others. For example, prototyping seems to be the most fruitful area. Also, writing small utilities is much easier, to the extent that a two-hour job would now take only a few minutes. That's where you get the multiplier posts from.

But working in a large codebase using proprietary libraries is not a solved problem for AI (yet).

It's just that the average engineer does not spend all of their time on things that can be sped up.

Speeding up 1% of your time by a factor of 20 simply does not help very much. But for some roles, I'm sure that a 10% net increase in productivity is realistic.


I've seen people using Lovable in the wild now, and they've made things that they are using themselves, and are working on something like a 5-10M CAD/year business serving the oil industry.

I didn't join them because I don't really want to do all the work that comes with owning a business, like the accounting. Mostly the accounting. I also don't particularly want to be maintaining an extra couple of systems at present. There might be vibe coding currently, but not vibe operations.

They should have the thing up by June at their very slow rate of building with Lovable, but they're not people who would ever frequent HN.


Even worse, almost all of these links look exactly the same. Similar heros, similar calls to action, etc.

I've even noticed formatting bugs that are seemingly identical on two different websites lol


OpenAI themselves use vibe coding to develop their services.


Put "I don't have any experience in software engineering but can vibe code very well" on your resume and see if you get any interest from OpenAI or Anthropic or any one in the long list of companies that have declared software engineering dead and LLMs the future of coding.

It's telling that they will put their own applicants through a dozen rounds of stringent technical interviews, Leetcode exercises, use anti-AI assistance tools and pay their staff $500K or more, all for something they advertise as being easy to vibe code away.


That's a bit dishonest. Obviously, vibe coding is only productive for engineers who actually know what they're doing. Perhaps it is best to consider it a multiplier, not an enabler.


OpenAI is in no way "commercially successful."


You can't say they are "in no way" commercially successful when they have around one BILLION monthly users. That's just disingenuous.


It would have been. Ten times the amount at least.


For a reflected XSS? Tell me who is paying that much for such a relatively common bug...

To elaborate, to exploit this you have to convince your target to open a specially crafted link, which would look very suspect. The most realistic way to exploit it would be to send a shortened link and hope they click on it, that they are logged into discord.com when they do (most people use the app), that there are no other security measures (HttpOnly cookies), etc.

No real way to use this to compromise a large number of users without more complex means.


It isn't about the commonality of the bug, but the level of access it gets you on the type or massive scale of the target. This bug on your blog? Who cares. This bug on Discord or AWS? Much more attractive and lucrative.


Yes, but this is not a particularly high access level bug.

Depending on the target, it's possible that the most damage you could do with this bug is a phishing attack where the user is presented with a fake sign-in form (on a sketchy URL).

I think $4k is a fair amount; I've done HackerOne bounties too, and we got less than that years ago for a Twitter reflected XSS.


Why would that be the maximum damage? This XSS is particularly dangerous because you are running your script on the same domain where the user is logged in, so you can pretty much do anything you want under his session.

In addition this is widespread. It's golden for any attacker.


Because modern cookie directives and browser configs neuter a lot of the worst XSS outcomes/easiest exploit paths. I would expect all the big sites to be setting them, though I guess you never know.


I would not be that confident, as you can see: in their first example, they show Discord, and the XSS code is directly executed on discord.com under the logged-in account (some people actually use the web version of Discord to chat, or sign in on the website for whatever reason).

If you have a high-value target, it is a great opportunity to use such exploits, even for single shots (it would likely not be detected anyway since it's a drop in the ocean of requests).

Spreading it on the whole internet is not a good strategy, but for 4000 USD, being able to target a few users is great value.

Besides XSS, phishing has its own opportunity.

Example: Coinbase is affected too, though on the docs subdomain, and there is 2-step verification, so you cannot do transactions directly, but if you just replace the content with a "Sign in to Coinbase / Follow this documentation procedure / Download update", this can get very, very profitable.

Someone would pay 4000 USD to receive 500,000 USD back in stolen bitcoins.

Still, purely by executing things under the user's session there are interesting things to do.


> some people actually use web version of Discord to chat, or sign-in on the website for whatever reason

Besides this security blunder on Discord's part, I can see only upsides to using a browser version rather than an Electron desktop app. Especially given how prone Discord are to data mining their users, it seems foolish to let them out of the web sandbox and into your system.


Again, here you have not so much sold a vulnerability as you have planned a heist. I agree, preemptively: you can get a lot of money from a well-executed heist!


Do you want to execute actions as a logged-in user on high-value website XXX?

If yes -> very useful


Nobody is disputing that a wide variety of vulnerabilities are "useful", only that there's no market for most of them. I'd still urgently fix an XSS.


There is a market outside Zerodium: it's Telegram. Finding a buyer takes time and trust, but it has definitely higher value than 4k USD because of its real-world impact, no matter if it is technically lower on the CVSS scores.


Really? Tell me a story about someone selling an XSS vulnerability on Telegram.

("The CVSS chart"?)

Moments later

Why do people keep bringing up "Zerodium" as if it's a thing?


I understand your perspective about the technical value of an exploit, but I disagree with the concept that technical value = market value.

There are unorganized buyers who may be interested if they see potential to weaponize it.

In reality, if you want to maximize revenue, yes, you need to organize your own heist (if that's what you meant).


Do you know this or do you just think it should be true?


> understand your perspective about the technical value of an exploit

Going out on the world’s sturdiest limb and saying u/tptacek knows the technical and trading sides of exploits. (Read his bio.)


AIU this feature is SSS, not XSS, so XSS protections don't apply.


How would you make money from this? Most likely via phishing. Not exactly a zero-click RCE.


What happens in all these discussions is that we stealthily transition from "selling a vulnerability" to "planning a heist", and you can tell yourself any kind of story about planning a heist.


Also the XSS exploit would have been dead in the water for any sites using CSP headers. Coinbase certainly uses CSP. With this in place an XSS vuln can't inject arbitrary JS.
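To make concrete what the comments about cookie directives and CSP headers mean in practice, here is an added example that is not from any commenter: a reflected parameter rendered unsafely next to its hardened form, plus checks for the two mitigations named in the thread, an HttpOnly session cookie and a CSP whose script-src does not permit inline script. It uses only the Python standard library; the header values and inputs are constructed for the example.

```python
import html
from http.cookies import SimpleCookie


def render_vulnerable(q: str) -> str:
    # Reflects the query parameter straight into markup: a reflected XSS.
    return f"<h1>Results for {q}</h1>"


def render_hardened(q: str) -> str:
    # Entity-encodes < > & " ' so the parameter can only ever be text, never markup.
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


# Constructed response headers for the hardened page (assumed values, not a real site's).
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Set-Cookie": "session=PLACEHOLDER; Secure; HttpOnly; SameSite=Lax",
}


def parse_csp(csp: str) -> dict:
    """Split a CSP header value into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def csp_blocks_inline_script(csp: str) -> bool:
    """True if script-src (or the default-src fallback) forbids inline script,
    which is what stops an injected <script> block from executing."""
    directives = parse_csp(csp)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # no applicable directive: the browser allows inline script
    return "'unsafe-inline'" not in sources


def session_cookie_is_httponly(set_cookie: str, name: str = "session") -> bool:
    """True if the named cookie carries HttpOnly, so page script cannot read it."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get(name)
    return morsel is not None and bool(morsel["httponly"])


def audit(headers: dict) -> dict:
    """Summarise which of the two mitigations a response actually sets."""
    return {
        "csp_blocks_inline": csp_blocks_inline_script(headers.get("Content-Security-Policy", "")),
        "session_httponly": session_cookie_is_httponly(headers.get("Set-Cookie", "")),
    }
```

With 'unsafe-inline' absent from the effective script-src and no nonce or hash the page hands to attacker-controlled markup, an injected script block is refused by the browser, which is the "dead in the water" case the comment above describes; the HttpOnly flag separately keeps the session cookie out of reach of any script that does run.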


I don't like tptacek, but it's insane to not back up this comment with any amount of evidence or at least explanation. The guy knows his shit.


Hey I was wrong about Apple downthread.


Angry Scam Altman noises, who "made" 20 Billion by spending 100 Billion.

