SED News: Anthropic’s Mythos, Supply Chain Hacks, and the AI Spending Surge
53 min • May 7, 2026
Summary
SED News covers the latest AI infrastructure spending surge ($700B+ across hyperscalers), security breaches affecting major platforms, and strategic investments by tech giants in AI model development. The hosts discuss how rapid AI adoption is outpacing security practices, creating vulnerabilities while reshaping hiring and engineering roles across the industry.
Insights
- AI infrastructure spending is accelerating faster than security tooling can keep pace, creating a widening attack surface that organizations are unprepared to defend
- Anthropic's controlled release of Mythos model demonstrates the tension between innovation transparency and security responsibility in AI development
- Vertical integration between cloud providers, chip manufacturers, and AI model labs is creating structural dependencies that will be difficult to unwind
- Companies are prioritizing speed-to-market over downstream validation and testing, creating a bottleneck that will eventually require new acceleration methods
- The hiring surge (30% increase in engineering roles) contradicts AI job-loss narratives, but concentration in hyperscalers may reduce opportunities for smaller companies
Trends
- Hyperscaler capex consolidation: $650-700B in 2026 alone concentrated among Amazon, Google, Meta, Microsoft creating infrastructure moats
- Model-cloud provider vertical integration: Claude tied to AWS Graviton/Trainium, Gemini to TPUs, creating structural lock-in effects
- Security-by-default becoming post-breach standard: Vercel and Snowflake implementing encryption/2FA only after incidents, not proactively
- Agentic AI adoption outpacing security readiness: 83% of orgs plan agentic AI deployment but only 29% report security readiness
- Data quality over scale: IBM Granite 4.1 matching 32B model performance with 8B parameters through training pipeline optimization
- Junior engineer hiring surge: IBM, Intuit tripling entry-level hires as AI-native talent becomes strategically valuable
- Technical ambassador roles emerging: OpenAI hiring thousands to bridge gap between AI capabilities and enterprise business value realization
- Compliance certification fraud exposure: Delve forging compliance certificates, potentially linked to multiple breaches of certified companies
- Supply chain attacks via social engineering: Luma Stealer malware distributed via fake Roblox cheats compromising enterprise credentials
- Real estate as AI infrastructure strategy: Khosla Ventures acquiring land for data centers to support portfolio companies like Anthropic
Topics
- Anthropic Mythos Security Model Release
- AI Infrastructure Capex Spending Surge
- Vercel OAuth Token Breach via Context.ai
- Supply Chain Security and Luma Stealer Malware
- Compliance Certification Fraud (Delve)
- Meta and Snap Workforce Reductions
- Agentic AI Security Readiness Gap
- Vertical Integration in AI/Cloud/Chips
- Engineering Hiring Trends and AI Adoption
- Data Quality vs Parameter Scaling in Models
- Secure-by-Default Implementation Failures
- Technical Ambassador and Forward-Deployed Engineer Roles
- Anthropic Funding and Valuation ($900B)
- IBM Granite 4.1 Model Performance
- Conference Season and Industry Networking
Companies
Anthropic
Released Mythos security model; received $40B Google commitment and $5B Amazon commitment; pursuing $900B valuation f...
Amazon
Committed $5B to Anthropic; deploying hundreds of thousands of AWS Graviton chips; competing with Anthropic while inv...
Google
Committed up to $40B to Anthropic; building competing Gemini models on TPUs; dual investor and competitor strategy
Microsoft
Part of $650-700B hyperscaler capex spending; maintains deep integration with OpenAI via Azure
Meta
Cutting 10% workforce (8,000 employees) and canceling 6,000 open roles to offset AI infrastructure investment losses
Snap
Cutting 1,000 jobs (16% of workforce) to achieve profitability; doubling down on AI and Spectacles product
Vercel
Breached via compromised Context.ai OAuth tokens; implementing environment variable encryption by default post-incident
Context.ai
Employee infected with Luma Stealer malware via fake Roblox cheats; credentials harvested leading to Vercel breach
Delve
Compliance certification company forging certificates; linked to breaches at Context.ai and Snowflake
Snowflake
Previously breached via contractor account without 2FA; implemented 2FA as default post-incident
OpenAI
Remains integrated with Azure; hiring thousands of technical ambassadors; competing with Anthropic in model wars
IBM
Released Granite 4.1 8B model matching 32B performance; tripling entry-level engineering hires; hosting Think conference
Nvidia
Crossed $5 trillion market cap; central to AI infrastructure buildout across all hyperscalers
Khosla Ventures
Acquiring land for data centers to support portfolio companies, reportedly for Anthropic infrastructure needs
Supabase
Host company of Gregor (co-host); dashboard hosted on Vercel; affected by Vercel breach requiring credential rotation
Stripe
Hosted Stripe Sessions conference in San Francisco; featured Cheeky Pint podcast set with mock Irish pub
Intuit
Tripling entry-level engineering hires as part of AI-native talent strategy
Palantir
Pioneered forward-deployed engineer role model now widely adopted across tech industry
People
Gregor
Co-host of SED News; attended Stripe Sessions and Cloud Next conferences; works at Supabase
Sean
Co-host of SED News; attended Stripe Sessions; former Google Cloud employee; PhD research background
Evan Spiegel
Announced 1,000 job cuts (16% of workforce) citing need to achieve profitability and focus on AI/Spectacles
Patrick Collison
Featured in Cheeky Pint podcast set at Stripe Sessions conference in mock Irish pub with Guinness
Matthew Brunel
Wrote blog post about using AI coding assistance to revive abandoned personal projects
Quotes
"It's almost like a Birkin bag of AI models, right? It's like scarcity. If you tell everyone it's too powerful to make available and only let the biggest companies use it, it ends up driving demand because people want the thing they can't have."
Sean•~12:00
"Why wasn't that the default from the start? This is often the case in these exploits—companies consistently fail to make secure by default the actual default."
Gregor•~18:30
"At some point, like who's this for? It's an AI circle of content to optimization to serving ads. And the human element maybe is the people who are passively consuming this stuff."
Sean•~35:00
"Using AI coding assistance to reify those projects is a form of wish fulfillment. One less metaphorical book sitting unread on the bookshelf."
Matthew Brunel•~75:00
"83% of orgs plan to deploy agentic AI, but only 29% report being ready to secure it. There's quite a disconnect between what people want to do and having the means to keep up on the security side."
Gregor•~50:00
Full Transcript
Hello and welcome to SED News. As I'm sure some of you know already, this is a different format of Software Engineering Daily where Sean and I, I've got Sean with me, I should say. Say hi, Sean, as usual. Hey, hey, Gregor. Hey, everyone. Hey, often forget to let Sean say hello. Yes, we are here, slightly different format where we touch on some of the main headlines in tech, we then go into a bigger topic in the middle, and then we take a fun spin look at Hacker News highlights that Sean and I have picked up over the last couple of weeks. So as we often do, though, a bit of a catch-up. I think Sean and I have both been wrapped up in conferences over the last couple of weeks. So yeah, exactly. Yeah. So where have you been and how was it going? So I was in Las Vegas recently for Cloud Next, which was fun. I'd never actually been to Cloud Next, even though I worked at Google. I worked in Google Cloud and I partnered with them a number of times. But for whatever reason, I just never ended up at Cloud Next. But it was good. And then I was actually supposed to be in India this week. But thankfully, that trip got postponed because I would have been back to back to back because I leave for Boston for IBM Think Sunday night. So there's a kind of a lot going on. We're thick into the spring event season anyway, with like May, June, and so forth. So you're in San Francisco, where I live. So how are things going? How are you enjoying it so far? Yeah, absolutely. No, it's nice to be back. I think last time I was in SF was end of 2024, actually. So yeah, been a while in tech terms, but really nice to be back. Always like the weather here. Nice change from Singapore. I was at Stripe Sessions, which has grown enough. So it's in Moscone West, which is like the sort of second largest, I think, probably venue in SF. So yeah, really awesome production. I think just to call out one little detail, I'm not sure if people watch the Stripe podcast. I'm sure many of you do. 
It's called Cheeky Pint and it has John or Patrick Collison sitting in a mock Irish pub, having a pint of Guinness with a guest. And they had actually put together like a full mock up of that set in the venue and people could go in and get free pints of free little mini pints of Guinness. I just thought and again, in a mock Irish pub, I thought that was an amazing detail. Yeah, that's cool. Yeah, very cool. But yeah, it's exhausting. As I think, you know, Sean, going to conferences, I was on the Supabase booth for quite a few hours each day. So by getting to talk to an amazing bunch of people, some of them SED Daily listeners as well, which is always fun, get to meet them in person. I was going to mention that at Cloud Next, I met one of the fans of the show that works for IBM and came up and let me know that they listen. But one of the things I wanted to share with you was that they say, I don't listen to every episode anymore, but I always make it a point to listen to the SED News episodes that they really listen. Oh, I like that. Yeah. So it's always nice. You never know, like we're speaking out to the ether, you don't always get the feedback. So it's always nice to hear people are finding these shows fun. That's awesome. That's really great to hear that. So yeah, if anyone is listening, it was great to meet you. And equally, I met a whole bunch of people that maybe weren't listeners or are, I didn't ask, I didn't make it known to every single person that I was that random voice on SE Daily. But yeah, I just had some amazing conversations, really smart people in the Bay area. They come from all over the world and they congregate here. And I think that's amazing. And so obviously, yeah, recording this from my hotel room in a nice makeshift setup of the microphone that I use normally, but it's propped up in an ice bucket, but it seems to be working. So great. Well, moving to the headlines. 
So we've got a few things to touch on, especially with the last two weeks, there's been quite a few meaty headlines. And so these are not from like, say, the last 24 hours. Like we wanted to dig up some things from the last couple of weeks that given that it is conference season, I don't know about you, Sean, but I basically can't focus on anything else when I'm at a conference. And so I end up missing literally all the news for a week anyway. So this is quite good to catch up. That's not why you need an AI agent doing your processing your newsfeed at all times. Definitely need a post-conference agent to basically just pick up all the pieces of my life that have gone on hold for the last three, four days. But moving into the headlines, the first one, there will be a couple of security ones here. There are quite a few sort of security headlines actually, touching across different areas. So first one is Mythos. So this is a large model that was released by, I say released, we'll get to the release part in a second, but released by Anthropic, basically saying that this was a security focused model that could effectively exploit virtually any system, especially legacy systems, these really deep-seated, very, very critical bugs that have probably been sitting in legacy software for almost decades, and suddenly these can be almost zero-dayed. And obviously these legacy systems do sit in some pretty important places. But yeah, effectively Mythos, it can, they say, autonomously discover previously unknown vulnerabilities in every major operating system and browser. It can carry out multi-step cyber attacks, like that humans would take days, if not weeks. I think a 27-year-old flaw in OpenBSD was one of their standout that they were talking about. But yeah, let's talk about the rollout of that. They're saying that it's going to be very controlled because obviously the power of this model, especially in the wrong hands, would be pretty terrible. 
So I think they're saying that they're only releasing it to major tech and financial firms. I think they mentioned Amazon, Apple, Microsoft, JPMorgan Chase. So they're calling this Project Glasswing. So the idea being patch critical vulnerabilities before the bad actors, now that they're aware of this, can go exploit them. It's a funny one. So it's almost chicken and egg. Do you release the model or do you keep it back? And I think there's maybe also a bit of, someone analogized it to the luxury fashion. It's the Birkin bag of AI models, right? It's like scarcity, right? I like that. I don't know that it, maybe it's part of some grand launch strategy marketing ploy, but even if it's not, like if you tell everyone it's too powerful to make it available, it's terrifying. And then you only let the biggest companies use it. Like it ends up driving, I think, a lot of demand because people want the thing that they can't have a lot of times. Yeah, absolutely. We touched on last month, SED News, where politics comes in to the, especially the two big players, Anthropic and OpenAI. And it comes in here as well. Anthropic is still feuding, if you like, with the Pentagon over refusing to let its just normally available models be used for autonomous weapons and surveillance. So do they then release that to the US government? Because it would seem a bit strange that, okay, this crazy, powerful security model can be released to someone like Amazon, but it cannot be released to the US government. I mean, that seems strange, but if you just forget who the president of the United States is for a second. Yeah. So I don't know what you thought of that, Sean. Yeah, I don't know. I haven't heard as much about the political story around Anthropic the last few weeks. It's like maybe there's just so many things going on that it's been a little bit buried in my newsfeed. But I think certainly like historically that would seem a little bit strange. 
It's like, hey, we trust these large corporations, but we don't trust the U.S. government with this, or trust our own government with this. But I don't know all the ins and outs there. But I think Anthropic has been pretty good at having a certain philosophy about controls around models, even delaying launches of models because they haven't met their security bar and so forth or their certain guardrail expectations. And they stood behind this philosophy as a company like multiple times. So just following their track record, the assumption that I would make here is like their intention is still true to that vision, even though I think as an outsider, it does look funny because like we said, there's all these analogies around fashion. And if we tell everybody also that it's like too dangerous to use and that all it does is make people like want it even more. So like, what is the ultimate goal and intention behind this? It seems primarily the good intention, glass half full perspective is like, hey, we created this thing before some bad actor might create it. And we're going to give it to key players so that they could patch things ahead of someone being able to exploit it. Yeah, absolutely. And there was rumblings that a contractor, it was sort of all unnamed, a contractor of one of the companies that had been given access had then passed this on to effectively the dark web and the access to this model was now available. Anthropic, I think, absolutely refuted this and said that they had not seen any evidence whatsoever that people that were not supposed to have access were indeed accessing it. But yeah, there's always going to be motives for someone saying that they do in fact have access to this. For example, just simply charging someone money and then running away. Yeah, yeah. So we don't know, but these very unverified claims are running around as well. Yeah. We haven't seen the skyfall yet, basically. Yeah, we haven't seen the skyfall yet. 
I mean, that's a good measurement. It's like, is suddenly all these major websites going down because someone has access to this and exploiting them. I do think that the finding of the 27-year-old flaw in OpenBSD is pretty staggering. You just think about the amount of security engineers and engineers that have looked at that over the years, and then only to have an AI model kind of figure it out. It's a humbling moment for humanity. It's like the Garry Kasparov losing to IBM Deep Blue or the work that DeepMind did to beat the world's Go champions. And now it's like, okay, well, now we have a model that can find flaws and open source that essentially thousands of really, really gifted engineers have looked at and handcrafted and have kind of been blind to it. That's a really good point. And it's also, I guess, that so much of this legacy software, well, engineers, no matter how smart they are, they're just not going back and like combing over all the code that was written 27 years ago. So this is- Yeah, you probably assume it works, right? You assume it works. And unfortunately, that also means, yeah, you assume if something was a problem, especially after 27 years, it would have been discovered. And obviously that is clearly not the case. So yeah, good call out. We'll see how this develops, how accesses through this Project Glasswing, like how is that rolled out? Who else gets access? I think that'll be interesting once you move away from say the hyperscalers, like who actually is supposedly allowed to use this model. So yeah, we'll see how that goes. Moving on to, this was the Context.ai breach, which one of the main recipients of bad news on that front was Vercel, effectively. So effectively what happened here was an attack chain started when Context.ai, an employee there, was infected with Luma Stealer malware after downloading what they thought to be Roblox game cheats. 
So I mean, this is why I just think that people that are on the other side of the coin that wish to do malicious things, they do think of pretty ingenious ways to get people to install things. This could have been for that person's child, for example, who knows? But anyway, this harvested credentials, included things like Google Workspace and like Datadog and that kind of thing. And then the attacker used compromised OAuth tokens from Context.ai and then managed to pivot into a Vercel employee's Google Workspace account and then into Vercel's internal systems. And yeah, this certainly lit up on our screens at Supabase because I think a lot of people know that our dashboard that all our users use is actually on Vercel. So we suddenly jumped into action and had to do a whole ton of credential rotations. If I just looked at all the steps, all the list of things had to be done, that was like a good chunk of our front-end team's day just coming through that. So that's why it's great to have a team that can just jump in and do that. But this must have affected tons and tons and tons of people. So it's just... Oh yeah. I think it's like the classic human hack of, hey, let's dangle something out that somebody might want, like Roblox game cheats. Or you go back to the early 2000s, what you had, the like Anna Kournikova virus, like where it was like supposedly pictures of this tennis player that people were attracted to, and then inevitably some subset of people are going to download or click on the thing. And then that's far too obvious now. You definitely couldn't get away with just photos of somebody. Yeah, yeah. I think the thing here you see a lot of times in these reports is as a consequence, like Vercel now defaulting new environment variables to be classified sensitive. So they're encrypted at rest automatically. And it's kind of, I think in all these circumstances, you worked in security for a long time. It's like, why wasn't that the default from the start? 
And this is often the case in these kinds of exploits is like we saw this as well with Snowflake when it was where a contractor got access to like an account that they had access to through Snowflake and that didn't require two factor authentication and a bunch of other stuff. And then that allowed them to get access to some subset of data. And it wasn't necessarily that Snowflake was explicitly vulnerable, but this person actually had proper access, but there was no two factor authentication on by default. And then the reaction from Snowflake was to make it so that two-factor authentication becomes the default. And that was forced on everybody. It's like, well, we could have had that in there in the first place. So, and this comes up over and over and over again. And it's simply, I think companies consistently fail to make secure by default the actual default. It's kind of a simple concept, but it's missed over and over again. I'm not sure why that is. And perhaps there's just like not enough of a financial reason until that financial reason is a news headline, or it's just something that we tend to miss. Yeah, I think certainly now, I guess just from the pure security perspective, but security, I've often said, security is just sort of flaws in how humans operate, whether it's like fail to protect or that kind of thing. I wonder at Vercel, for example, like was this on the roadmap and it just, it was going to come in two months. It's that kind of thing, like when is the moment that it was too late to implement this? And I'm sure this was not a small lift for them to need to implement it. So they've probably done, I can imagine it is sitting on a roadmap somewhere on their side. And it was just, maybe they were just going through all the checks and balances of like, okay, what's it actually going to take to do this and make sure that no customers are affected, downtime, et cetera. 
Downtime, I think is usually probably the thing that gets in the way of, okay, how are we going to do this in a zero downtime manner? And then bang, you get hit with like, who could have predicted that somebody three arms length away would download some Roblox fake cheats. And then that's what leads through these supposed layers that you thought you had. I guess the advice there is if you're very aware of some major thing that should be especially encrypted across your platform, basically you should just drop everything and move on to that. Yeah, I mean, it could be like in these roadmap conversations. I think that sometimes it's easy for teams to potentially put punt on some of those security features because they're not necessarily revenue generating features. And that's what comes down to like, oh, we invest time and resources in this thing where we know it's going to drive revenue. And it's very unlikely that we have this security exploit. We can deal with this later and then it can get kicked down the road over and over again. I don't know necessarily the story of Vercel, but I just think having been part of product organizations and some of that decisioning and the story that we consistently see at these companies that do get exploited, it seems to be the case that it's kind of always fairly easy to make the argument that like, oh, we can deal with this later until it becomes a thing. Yeah. And this has happened before, as some listeners will know what I'm about to say. But the kicker here is that, again, Delve was the compliance company that had issued certifications for Context AI. Delve positioned itself like a Vanta. The only slightly minor detail there is that they were forging a lot of their compliance certificates, unlike Vanta. And after we did that episode, I think it was last month, we looked at Delve. I did look into the whistleblower nature of it. 
And there's a whole website where someone's documented everything and calls that the founders have gone on defending, saying no, no. And almost like in a very, I would say, dismissive way, like don't be ridiculous, this is just complete false. And then suddenly it's just all very clear that this is real, that they are forging everything. So it could be that somebody on that whistleblower side or just somebody, a bit of a vigilante, is thinking, well, we're going to show Delve how bad this could get. We're just going to target companies that were using Delve. I'm not saying that that's been confirmed by any means. It just seems interesting that we've now seen two major breaches over the last, I guess, two months, both of which Delve were the compliance people. Yeah, I mean, it's a small sample size, so I think I'll hold off on my tinfoil hat and call it a conspiracy theory for a little bit. But if we're five months from now and every month we've reported another Delve-related data breach, then I will join your circle of conspiracy theorists. Yes, well, you never know. We'll keep tallies and see how we know at the end of the year. Go for Delve conspiracy count. 
So moving away from security, these were more of a macro headline that, again, has touched, especially like financial news, layoffs, unfortunately, again. And so the two standout companies were Snap and Meta. What's interesting, I guess, is more the communication around the why. I think commentators are always digging in on the whys. And the whys are usually derived from, especially these public companies, it's from the public statements that they put out, maybe as part of earnings calls and this kind of thing. So Snap is famously unprofitable. 
So Evan Spiegel said that they were hitting this critical moment where they really have to do something to make the company a profitable one. and doubling down on AI and their specs product. And that led to 1,000 job cuts, which apparently is sort of roughly 16% of the workforce. They basically had a lot of pressure from investors to start massively improving their financial performance. And they do look a bit strange, quite frankly, next to a lot of their, when I say peers, companies that might have IPO'd around the same time, Meta being one of them, but we'll come back to Meta in a second. But yeah, not being profitable in this era, I guess, for the age of the company, yeah, I can see why they're getting some heat from investors. It's not to say, I mean, I always feel, I can very publicly say, I very much feel for anyone that's been affected by these layoffs. It's a horrible situation. But I guess from a logical standpoint, it might make sense that at least investors were getting a bit unhappy with the snap performance. Yeah, I mean, I think being a public company in the public market right now is a tough spot to be in a lot of ways. And then on top of that, from an employee perspective, some of these companies, when they announce layoffs, they see stock bumps. So like the stock goes up after saying like, hey, we're laying people off and we're focused on efficiency. And that creates, I think, a certain cascading effect where when maybe the stock is not doing well, then the investors are putting pressure on the company to make a change. And if we're sort of rewarding companies for downsizing, at least from like a stock valuation perspective, then that's the easy decision by a company to make because it's going to positively reflect in the stock. And then on top of that, I think with social media companies in particular, there's a lot of, in terms of historically human capital deployed to like review and curate content. There's just a lot of process there. 
Like I remember going to Hyderabad when I was at Google in India, and there's a huge amount of people that work there to review all the like YouTube videos and make sure that someone's not putting something up that's awful. So there's a lot of people to do that. And I think all these social media platforms have some version of that. But if they can offload some of that to using AI to do it, then you can do a lot of this stuff in a more efficient way where you're taking out some of the tasks that historically have required a lot of human energy around it is one thing. But I do wonder, broadly speaking, about the future of social media. We have social media companies that are like laying off humans to build AI that would generate content that are used to be made by humans on their platforms. The feed is increasingly AI generated content. It's served by AI curated algorithms. The humans whose attention is then sold to by AI optimized ad systems, like at some point, like who's this for? Like an AI circle of like content to optimization to serving ads. And it's kind of like the human element maybe is the people who are passively consuming this stuff. But like, it's all AI generated content. Like what are you signing up for as a user? Yeah, absolutely. And I mean, we should bring Meta into this as well, being effectively the most popular across a couple of platforms, probably social media company in the world, excluding X, I guess. 
But Snap said, just to compare and contrast, Snap said we're doing this, they didn't exactly say to double down, like, well, they said they're going to double down on AI and they're going to invest a lot more in this moonshot of the specs products, and we've talked a lot about that idea in past episodes. Meta, however, saying they're actually doing it and being almost, I would say, more, quote, honest, and saying like, we are doing this to offset the investments that we're making in AI. I mean, that's a very polite way of saying we're losing money over our AI infrastructure bets, all this stuff, we need to do something to shore up that and continue to be profitable, to look profitable. So they, yeah, they just said, so they're, they're cutting 10% of its workforce, which is much larger in comparison, and so it's, I believe, amounts to about 8,000 employees, and also not hire 6,000 roles that were open. I mean, I can't even fathom that a company has 6,000 open roles, but that's just something I can't get my head around. But yeah, I mean, I hate to say I prefer this one, but I just I do appreciate that they're at least being clear that we're doing it to offset the fact that we're losing money somewhere else, which is I think what everybody's been trying to get some of the companies to just admit, which is, are you actually making any money from this capex that you're investing in? Yeah, I mean, I think we're in a place where the world's changing very quickly. And I think a lot of companies feel like the existential threat of what the future might look like. So they have to make fairly big bets in investments to survive this digital transformation that's happening, this paradigm shift around AI. And you want to be part of the winning side of that, which takes investment in a big bet. 
It's hard to do that as a public company because you're under such scrutiny and people are ultimately looking at how much money you're making, the profitability, the bottom line, while you're also trying to do these innovation bets. And some companies have the luxury of like a really healthy revenue-generating business, like a Google for example, where they can spin off innovation arms that are well funded and it doesn't deteriorate essentially their core business. But for other companies, especially smaller public companies, that's hard to do. If you have like your core business and then you're also trying to like change as a business, like how do you fund the innovation while also protecting and growing the core business, that's a difficult balance to make. So if you want to survive the existential threat, something has to give. Yeah, exactly. So again, obviously very sorry to hear, anyone potentially listening. If you're caught up in this, unfortunately it looks like this was nothing really to do with anyone's skills, etc. It was just a purely financial thing that is unfortunately seems to be part of the landscape as of the last five years with big tech. So just very briefly, before we move to our main topic, I slightly said this dropped, I believe today, actually, which was that KOTU, which is a huge investor, they've actually got a plan to buy up land for data centers. And the question is why? And I think people are speculating that this is actually for Anthropic. So it's kind of interesting that rather than just invest more money in Anthropic, they've actually just gone straight to the infrastructure themselves or the base of it and just said, well, maybe we'll just buy land and then give that or lease that, I guess, to one of our investees. So that's an interesting strategy there. You know, a lot of companies are trying to sort of pivot their way into being AI companies. 
Maybe they need to pivot their way into being real estate companies and just like own the land that companies need to build their data centers on. Yeah. And similarly, I think it was yesterday, it's been sort of rumored that Anthropic are going to be doing one more funding round, possibly a $9 billion valuation. Sorry, $900 billion valuation. So not nine hundred, yeah, no, clearly it's the end of the week, my brain can't, you know, remember nine versus 900. And this is again being floated that this is probably the last raise pre-IPO. I mean, I think that probably was said last time as well, but I'm sure this is the last, last, last, final, final, final. You know, the documents on the fundraising, final, final, final. Yes. I mean, there's a lot of companies that are still private that I can remember talking to, interview processes, like several years ago, and how they're like, oh yeah, we're 18 months from IPO, and this is like five years ago, and they've raised multiple rounds since then and stuff. So a lot of it depends, I think, on, you want to time the public offering to, you know, what's happening in the market, and then also there's a lot of things that you have to do to get ready to go public too, which take time. So our main topic today, we're really doing just a deep dive. I say it's a deep dive, but it's both at a high level, a high level deep dive, if that's possible, on what does effectively, we've basically seen about 700 billion in AI capex happen since the sort of AI boom. And I guess here we're just taking a pause and just looking holistically, you know, where are things across a lot of the big players? We do this every so often, SED News, just take a pause and touch a lot of the big names and what they're doing and why. And we feel this is kind of important because of just the speed of which things are moving. So keep kind of saying it, but, you know, a month literally right now is easily what six months might have been pre-AI. 
So like try and actually get a handle on what this scale even is. It's like, you know, like hyperscaler CapEx actually for 2026 alone has been, you know, reportedly 650 to 700 billion across Amazon, Google, Meta, Microsoft. But that was a Morgan Stanley report that has made this guess, if you like. And like, you know, in a single week Google committed up to 40 billion to Anthropic, Amazon committed 5 billion to Anthropic, and there was apparently sort of 100 billion in AWS spend over a decade. Nvidia crossed the 5 trillion in market cap level, which again is just like, I think, hard to fathom at all. Um, and so if you think about it, like Anthropic is now simultaneously backed, you know, by Google, by Amazon, we've just touched on, it's probably going to be touching a 900 billion valuation. This is just the largest infrastructure investment cycle in the history of technology. It's crazy. So, yeah. Yeah, absolutely. I mean, it's pretty staggering. Like the numbers, like, I still remember the days when, and people still use this terminology, but we were, you know, referring to the unicorn startups that were valued over a billion dollars. And it's like, that started to get silly after more and more companies were valued at over a billion dollars. But that used to be like a big deal to be valued over a billion dollars. And now there's so many companies valued over a billion. It kind of dilutes the idea of like a unicorn and it kind of becomes meaningless. Like we probably need to shift that. Maybe it's a hundred billion dollars or we're going to get to a trillion dollars in terms of valuation. But there's like literally been more money going into AI compute in the last year than entire cloud built out over an entire decade. 
It's kind of a strange world where we have Google and Amazon both investing in Anthropic, but they're also competitive with it. It's almost like they're hedging a bet somewhere along the way. It's like, in case we don't win the model wars, like we still have a skin in the game. Yeah. And I mean, if we then look at it a little bit more strategically, like there is a vertical integration play, you know, if you want to use that slightly what feels like an archaic term these days, vertical integration. But if you think of model labs becoming actually infrastructure tenants, so like Anthropic's 100 billion AWS commitment, it sort of means that Claude's training and inference potentially structurally tied to Amazon's chip roadmap. So that would be Trainium and Graviton. Meanwhile, OpenAI, that remains quite, despite some news of them starting to part ways more and more, still deeply integrated with Azure. Google is both an Anthropic investor and building competing models, as you've just touched on, Sean, you know, like Gemini, and that's on its own TPUs, which we, we did a bit on a couple months ago. And then meanwhile, Meta's confirmed it will use, quote, hundreds of thousands of AWS Graviton chips. I think this is the thing, like bets do have to be made because it is quite difficult to unwind or just, you know, shift over the underlying chip infra that these models are being trained on. It's not just like I'm going to go run it on my other machine somewhere. It's, I think, analogous to like when Apple did move all their hardware off Intel onto their own chips. Like it's just that takes probably like a good year, couple years of planning to actually go there. This stuff is too big to be fully self-contained within one company. So inevitably you're going to get people who are competitive with each other also completely dependent on each other, from like chips to cloud infrastructure to the models themselves to like the actual applications and so forth. Like that, that's just inevitable because it's so big it 
can't be essentially, you know, self-contained within one company. We're well beyond that at this point. So if we then take another leap over to, I guess, the human side, we're again looking at this across multi-facets. We have touched on this either last month or two months back, really just looking at like what does the hiring landscape look like here. But there was some data from TrueUp that, you know, 67,000 open software engineering positions across 9,000 tech companies, which has doubled since mid 2023, which was a low, up 30 percent in 2026. And coming back to these conferences we've been at is interesting. I did actually get quite a lot of questions from, I would say, especially, you know, younger people attending, which I love to see, and it's great to see, you know, people still studying or maybe two years out. But they were asking me like, what do I think about engineering degrees and will engineers be needed? And I did just say like, absolutely. I mean, it's just that the concentration of where engineering will sit will be in these companies that are simply doubling down on AI, and the, you know, I guess net consumers of these platforms are maybe going to decrease the reliance on human engineers, but I think that is going to be far outweighed by the net increase by these huge players and, and all the kind of ecosystem around the huge players needing just more and more engineering. I mean, there's just a lot of stuff to build right now and it's a lot of experimentation, so you need engineers to build it. And I think the responsibilities of an engineer and kind of like what day-to-day might look like for an engineer is certainly shifting, but clearly there's, you know, hiring's up 30%. I just think it's not business as usual. It's a little bit different. One thing that's interesting too, is like, you know, IBM, they're tripling their entry level hiring around sort of junior engineers. Intuit's also going after junior. 
And like one of the topics of conversation has been around, you know, the agentic engineering and what it means to be an engineer is some companies have focused on, hey, we're only going to hire like senior engineers because we want engineers that have some, you know, maturity in their career so that we rely on their judgment when it comes to evaluating what's coming out of the agentic engineering, productivity tools and so forth. And I think IBM and Intuit and a few others are kind of taking a different approach where they're like, hey, like these junior engineers are actually super valuable because they're AI native. They sort of grew up and are adopting these tools and technologies faster, so we want to invest in them. In some ways I think this is nice to see, because I've been a little bit worried about like, if everybody's hiring senior engineers, like what's the next, how do you become a senior engineer in the future, and what's that mean for the next, you know, tranche of users. I think one disconnect though is a lot of the hype around AI and the things that you hear is like there's going to be massive job loss and engineering is going to go away. And we are actually seeing some impact in terms of enrollment into computer science programs. So, you know, what's that mean for the next tranche of people who are going to be entering the industry? And suddenly we have not enough engineers to go around if this sort of hiring trend of 30% increase continues to go up. Absolutely. And I think the role types, there's this slightly new age role called like technical ambassador that apparently, you know, OpenAI are hiring thousands of these. And it's really this sort of bridge between what's being built and then, you know, almost like solutioning with potentially non-technical stakeholders in these companies because the spending power can be so huge, but there's always just that massive gap of like, but what actually is this going to enable us to do? 
And can you show us like examples? I mean, Applied AI is, I think, that function at Anthropic, for example. And I think there's a lot of new, like forward deployed engineers, which was a concept of Palantir is now like a very popular role. And I think that's a sign of this transitional period that's going on, too, where companies have capital they want to deploy behind AI. It's really strategically important for them, but they don't actually a lot of times know or have the resources and know-how to make that thing into something that delivers value to the company. So when they do invest in a particular platform or technology, they kind of need people from that company to come and handhold them to get to a place where they can be successful. Yeah. Final macro area on this. Yes, we're going to go back to security for a couple of minutes. We've talked about this several times, but I don't think it's sometimes you can never talk slightly too much about security. These tools, they are expanding, you know, what we'd call the attack surface faster than actual security tools themselves can keep up. We saw that with the Vercel side of things where basically because they were just going fast with tools like Context AI, but there was basically overbroad OAuth permissions there, you know, and would that have been authorized if we weren't adopting so many, you know, AI tools, but instead like we're saying, oh, but like, I can't move fast unless it has access to everything, especially all the way up to leadership. I'm not talking about Vercel specifically, I don't know the ins and outs there. But I know that leadership generally, I think is just under pressure to say yes, because, you know, if that's the leadership saying no, no, your tools should stay very scoped, and it can't touch your email, and it can't touch your Slack messages, well, then what's the point? I need my tools to know everything. And that's what keeps me ahead of everybody else. 
So yeah, it's just one of these things where I think it was Cisco's State of AI Security 2026. They're saying that 83% of orgs plan to deploy agentic AI, but only 29% report being ready to secure it. So obviously there's quite a disconnect between what people want to do and then having the means to actually keep up on the security side. Yeah, it's a huge challenge right now because these like silos and like swim lanes that companies kind of build up around different parts of their company as they grow, become barriers to AI essentially being intelligent and be able to draw interesting results across disparate data sources and things like that. So you want to give the AI system access to those things, but then you're not necessarily set up in a way to be able to do that successfully. So either you slow down and you try to figure out a way to do that in some way where you can control it. Or you just open things up and then you take on a lot of risk where you might be exposing information that you don't want to expose. And there's so much pressure for companies to be delivering value around AI and be able to press around it and so forth that there's probably a lot of companies kind of bypassing perhaps their normal standard procedures around even vendor procurement and stuff like that. It's kind of similar to like what we talked about with engineering and the CircleCI report. There's pressure on engineering organizations to be putting out product faster, but not all the validation and verification of the AI-generated code is necessarily there right now. And you either end up not putting out more product because you're spending the time to validate that the thing that you generated quickly is actually working, or you skip that step and you're pushing out a lot of code that then potentially leads to further security problems. 
To kind of recap, we've basically been trying to highlight here that people always just think of their cloud provider as this mutual infrastructure, but actually it's kind of not. If you look at it, really, we've got this Google-Amazon-Anthropic triangle with model choices and cloud choices converging. So if you are building AI features, most of us are these days, the infra vendor's chip investment will probably shape the model performance. So just stay abreast of this, because looking at which cloud you sit on and how are the investors embedded with, with especially on the infra side, I think it's gonna, if we come back without being biased, but Claude is still having a moment right now, and it just seems like if you're not using Opus for a lot of stuff then you're kind of being left behind. So that's something to bear in mind. One of the things that kind of relates to across some of the things that we're discussing in this, the main topic, is we have a lot of money, you know, some subset of that 700 billion dollars is kind of flowing into these like code generation tools, but there's still like a significant gap in like the downstream like validation and testing. And I wonder, like I know there's some companies working on that, but it's always like, are we kind of ignoring like the real problem, where we're so focused on the code generation and essentially compressing the time to like POC, but there's all this work that happens after the POC stage to get that to production, and eventually we're going to need some way to accelerate that and also have some confidence that's actually correct in order to take advantage of the speed that we're getting code generated. Absolutely. And then, yeah, exactly that bottleneck that you've just been touching on, Sean. Not to be a dead horse, as they say, but security, that's of unglamorous part, but I think the Vercel breach is a really great example of just, it really has to be kept on top of. Effectively was a bit of a mission for our team to have to 
scramble within less than 24 hours to do what they had to do to keep things secure, and I hope that we don't have one of those per week or something to that effect. So I think it is really important that anyone building with, with AI just, just has this in mind. So I guess moving on to what, what we often think of as our favorite part of the show, Hacker News highlights, where we get to just bring in something that's maybe piqued our interest from the last couple of weeks. Do you want to kick us off, Sean? What did you come across? I was really hoping I could find like a doom running on a lawnmower or sprinkler system or something like that. But I went in a different direction. So the first one I wanted to mention was, I just thought it was interesting. I love, you know, I come from this background with like my PhD research and so forth. This isn't that complicated, but I just love when people find new ways of sort of representing data in interesting trends and things like that. Like I'm a big fan of the book Freakonomics, which kind of dives into a lot of like these weird numbers. But this is like U.S. gender ratios by Metro, which was posted by N. Sokoloski or something. Sorry, if you're listening, I butchered your name, but it simply shows a breakdown of gender ratios by like state, city and Metro. So, you know, some interesting things there, like Washington, D.C. in the U.S. is the most female heavy city. So there's only 45% male, 55% female. And then the opposite end of the spectrum is like Colorado Springs, where it's like the most male heavy city. So it's a lot of guys walking around in Colorado Springs, apparently it's 55%. And then not too shocking in a lot of ways, like Silicon Valley is pretty male dominant. It's like the third highest rate region in the US. And probably is, there's a lot of engineering jobs here. Engineering typically skews very heavy on the male side. 
So you end up with a lot of maybe a sort of somewhat male dominated area of the world versus other parts of the world. And then some cities are like 50-50 almost exactly. I find it kind of fascinating why, say, D.C. is actually, I guess that's 55% female and 45% male. Yeah, very fascinating. So I wonder if I can find the same for like European cities or that kind of thing. I wonder if there's any like massive, massive disparities there or something like that. Yeah, I don't know. It'd be interesting to look at it. Yeah, on my side, yeah, I think the first one, one of these kind of feel good developer, just a little blog post by somebody. So the blog itself is MatthewBrunel.com. And this was posted by specx user, user specx could be the same person, who knows. But this was called using coding assistance tools to revive projects you never were going to finish, which I think kind of is fairly self-explanatory. But I think it's just nice that, pulling a quote from that, Matthew said towards the end, you know, in my mind there are different buckets for personal projects. One is things I do to learn and grow, and the other is things I really wish existed. This kind of project falls into the second bucket. So using AI coding assistance to reify those projects, it's sort of a form of wish fulfillment. I never would have gotten to, but now I can have the project, I think, I mean, sort of now I can have the project that I wasn't able to have before. And one less metaphorical book sitting unread on the bookshelf. A bit of a long quote, but I think we can all identify with that things that we started. And quite frankly, it's not that we didn't want to finish it, but like things get in the way. And we did obviously see that like, oh, this is going to be way more time consuming than I expected. And it would be fun, but I just simply don't have the time. So that's pretty cool. 
Like we can actually, even if we're not coding day to day, but able to bring these tools and like, I can think of at least like five projects that probably fit that bucket. I just should, quite frankly, like hook up Cloud Code 2 and be like, hey, here's where I was trying to get to finish it off, please. You know, upgrade some packages, secure the whole thing. And there we go. Like, I think that's probably something I'll be doing on a lot of travel I've got for the next couple of weeks. Yeah, I think that there's a, it's almost like a subclass of that second bucket where you have these project ideas that you're like, oh yeah, like I would like to do that. But I just don't even have the time to start it because it's going to take too much time. But now you can kind of prompt your way to doing that fairly quickly. Like I was using Claude to build some games for my son based on ideas that he had. And I certainly could do that. You know, I had the programming skills to do that. But like, you know, it would have taken a reasonable amount of time and energy to crack that out for some little game that he may or may not even play with versus being able to take his ideas and turn it into something and have Claude kind of churn away at it and pump it out, and then have him explore. It's also a good way for him to sort of see how you can turn ideas into something that manifests itself into a computer software or some sort of product or something. What was your second one, Sean? Yeah, so the second one was this headline that came up this week, which was Granite 4.1, which is IBM's 8 billion model, which matched their previous 32 billion mixture of experts model. So they have three different open source models. One's $3 billion, $8 billion, and $30 billion under Apache 2, trained on $15 trillion tokens. I think it made a lot of headlines because they were able to match the performance of the $32 billion model with the $8 billion across nearly every benchmark. 
It was really the way they were able to do that was they really focused on data quality over the parameter scaling. And they had kind of this five-phase training pipeline to do that. And I think that's really interesting because we've, over the last, you know, year plus, when it comes to models, a lot of times we talk about like the, the limitation of the models, like we're running out of data they're training the models on, like where are we going to get all this data. And I think one of the things that they were able to show with this is that, hey, we can really actually drastically improve the quality of the model while keeping the model size reasonable if we really focus on data quality, and during the training process and during reinforcement learning and so forth. They were also really open about some things that went wrong in training and kind of how they fixed that too, which I think was, you know, a little bit different and kind of refreshing. Yeah, that's fascinating. And just like, again, the leaps of progress is just insane. So yeah, that's really cool. So yeah, I guess thanks to steve hearing one user for putting that in. Yeah, I think on my side, the second one, at least when I found it, okay, it hadn't gotten tons of points. I wonder if this is one of these Hacker News articles where, I'm not sure if it's well known about this, but you can submit an article to Hacker News and it might not do very well. You'll get one, two points or something. But every so often, someone at Hacker News will actually reach out to you and say, we're going to repost this because we think that this is really interesting and that this should actually get more airtime. So it's kind of interesting that happened to one of mine. I posted something about remote controlled telescopes. Like you could bring your telescope to this facility and put it somewhere. And then they would store it and run it and you could remote into it. And yeah, it didn't go anywhere the first time I posted it. 
And then Hacker News said, Hey, we're going to repost it. And it went like to the top, which is kind of interesting. This is, so I think it could be one of those where it's only got 28 points, but it was on the front page. It's called cheating at Tetris. So the website is chalkdustmagazine.com. So, and the user was T-3. Nice short name there. So I think that, so the TL;DR here is like, if you can imagine you get to pick which Tetris pieces your opponent must play, could you force them to lose, basically. And so the article works through, you know, this basically mathematically, as you'd expect from. So how do you cheat at Tetris? So you've got these, you know, I think everyone kind of roughly maybe remembers Tetris, like all these are shapes that fall from the top of the screen, you need to rotate them, and the whole point of the game is just if you make a total line, that line disappears, but if you don't make a complete line, it sort of starts to stack up, and if you hit the top of the screen, so the game over. So, you know, you've got these different piece types, like different shapes, roughly you could think of them as like the letters I, J, L, O, S, T, Z. They can be played sort of indefinitely without causing game over, so picking just one piece won't work. So, but if you were to just mix just the S and the, and the Z blocks, since they don't actually fit neatly together, they say that the best the player can do is to create separate columns of each, but because the board is 10 cells wide, fitting exactly five two-cell-wide columns, you always end up with an odd split, three of one, two the other, which causes an imbalance that slowly fills the board. So the article goes on to identify which piece combinations can mathematically guarantee a loss regardless of how well the player plays. So I do encourage you, if you're a Tetris fan, to go and look at that. And it's very hard to explain all the permutations, obviously, on a quick Hacker News highlights section here. But yeah, chalkdustmagazine.com. 
Go there and you can check out that kind of fun piece. So yeah, I guess looking ahead for the first time in history, Sean and I are probably going to meet in person. It's going to be fun. We're going to grab coffee, hopefully this weekend in SF. But apart from that very exciting event, anything else prediction-wise over the next month, Sean? I don't know. I don't have a really good prediction. I mean, I could go with the lazy one that I did last time, which is we're going to have more security breaches, which I think will actually be the case. But I don't have an out there prediction this week. Yeah, unfortunately, security was hovering in my mind as well. Just like, what do sound like a sort of broken record at this point with that one? But I often just look around the room and see what I'm looking at. For example, I've got a power bank, which I'm aware does have some processing power in it somewhere because of its USB-C capabilities. So I'm gonna say that somebody hacks Doom onto a power bank, like a power plug that has, you know, USB-C outputs. So someone's like running Doom on a power plug or something like that would be kind of fun. I guess the one tying back to one of the topics we talked about is the Anthropic Mythos model, is it going to get more widely available by the time we talk next? Yeah, that's a good one. That's a good one. So yeah, maybe I'll just take a bet that, you know, they open it up to say 10 non-hyperscalers, but the 10 are slightly, people have a lot of opinions about that choice, for example. So let's see how that goes. So thank you everybody for tuning in. Hope this has been helpful and just interesting getting to catch up on what's been going on in tech. So much is happening. So always useful just to have us try and condense it for you and give you a quick summary. So yeah, thanks for listening and we'll catch you next time. Thanks everyone. Cheers. Thank you.