A low-risk way to dip your toes in is to email a blogger to say that you enjoyed their post or that you found it helpful. The message doesn’t have to have useful information in it, just be sincere. Per OP, often there won’t be a reply but also often it’s much appreciated - particularly by non-mainstream writers.
I’ve been on the creator side with 1M+ followers and the number of times someone has dropped a kind note like that can be counted on one hand. It’s such a breath of fresh air compared to the hate, criticizing and general unpleasantness that is so pervasive when dealing with online communities - even my own.
As a result, I make it a point to send notes to anyone if I’ve enjoyed their work, because I know how much it's meant to me, and I hope to pass along those kind, appreciative feelings.
I get them occasionally - maybe every couple of months or so - and I have nothing like that sort of following.
But I do have a 'say thanks' page on my blog rather than the more usual 'buy me a coffee'. Perhaps people feel less awkward doing it when it's invited! Anyway, I recommend it because the emails are always nice to receive.
I make it a point to 'like' and vote up any decent content because standup comedian Louis CK was convincing when he called for it, citing the effort and guts it takes to look into the camera while others behind keyboards trash efforts for silly reasons.
Yes, the comment sections are not something I dip into because it's a minefield. The baby gets thrown out with the toxic bath water in that instance but it's much better for mental health.
A woman wrote a glowing review about a book of poetry my late grandfather wrote. After he died and I was combing the internet for references to him, I found her blog & post. I sent her an email sharing the news and to express how nice it was to read her words as I remembered him. She got back to me quickly. Turns out she had met him at some point in her youth through her mother. We ended up trading stories for a few days.
I get dozens of cold emails and LI messages from sales/recruiting a week. Only about one per year writes "I read your blog and liked your point about xyz." I always take that call. My LI (and HN) profile opens with my blog, so if they did 5 seconds of research they would find it.
The problem is it isn't really people doing that. All it takes is one person to set the process running and forget about it. Soon enough all exploitable systems are exploited if the cost of doing so is low enough.
And not only crime. I think it's going to be a lot of people trying to hustle via mass-automated fake-human interaction -- whether it's sales, influencing/advertising, recruiting, dating, or whatever.
And they're being encouraged towards that: even tech companies with reputations to lose are already aggressively offering to take over as someone goes to write an email or text, and proactively "summarizing" the one-to-one human communications of others. But there will actually be demand for one-to-many fake one-on-one interactions, in the hustle culture, and doing it to strangers will seem no worse than what they've already done: corrupting pre-existing interpersonal relationships.
I sometimes get emails and blog comments like this and always love them. One of my favorites was a comment last year, left on a 15 year old post about building my first gaming PC. I love how the comment said it was a "really fantastic build for the time". Something about "for the time" made me feel so retro :D
Oh I really enjoy it when I get random emails from people that have read my posts and have occasionally mailed maintainers of software projects that it is working perfectly for me. It's always a nice change of pace from bug reports.
As a member of the younger generation, nobody really explained to me how powerful email contact actually is. Anyone who leaves an email somewhere for me to contact them gets a big kudos, anyone who also then replies to my email within 15 minutes is amazing and I always appreciate a direct line of communication.
I do wish iOS would support push mail for private mail servers... You can't have everything, I guess.
I don't often email the HN mods, but now and then I'll pitch an idea, and they respond. I usually end it with a big thank you to all of them, because they do thankless work, though I think most here on HN appreciate them for their work, this is an out of the norm community. :)
Even lower risk is to email hn@ycombinator.com with duplicate posts or other issues on this site! It helps, and it gets you a bit over the fear of emailing. ;)
He has always replied to me, and has always been gracious, even when I felt a little too argumentative.
It’s hard being a hotheaded internet keyboard warrior like me when the moderators are going out of their way to remain polite and courteous when disagreeing.
This is why I share my email on my website and on my HN profile: it’s so much easier to see the human in 1:1 conversation.
I'm not sure if this is sarcasm, but I've been blown away by the thoughtful responses I've gotten from dang. They don't always come quickly, but I would expect that given how crazy I assume that inbox is.
I suspect the emails are triaged quickly and there is a low-priority bucket which may or may not ever get a reply. In my experience if there is a clear call to action and addressing the issue will have any sort of meaningful impact, it's unusual to not get a reply.
Also authors. Not the mega superstars of the world, but even authors of very bestselling novels, as long as you show that you thought about it or actually did read the book.
Today I was a few hours into chasing down a very tricky timing-dependent bug with GPT 5.5 and we were starting to go in circles. I noticed Opus 4.8 had shown up in GitHub Copilot so I switched over and pointed it at my notes so far. Another hour of steady progress and it tracked it down to some missing synchronisation in an upstream library which was occasionally corrupting a linked list. N=1 but worth every one of those rather expensive 15x requests today. 15x... yeah.
That's my initial experience, yes. It's hard to compare these things cleanly of course. I went through several new contexts on GPT and it just couldn't get traction -- it became hard to keep it focused on "yes there's clearly a race but what actual persistent state got broken"? It just wanted to change the thread priorities so that the problem didn't occur and kept doubling down on that as the solution. Opus made some missteps too but it responded well to my corrections - 2 or 3 significant ones along the way - and it was prepared to keep digging on my exact goal until it found the real issue.
I think your anecdote lines up a lot with what I've seen online; I am noticing a lot of codex users in particular appear to have discovered Opus 4.8, and it seems to make them very happy.
I am going to subscribe to Claude and try this out myself. I'm going to be very honest that I am currently finding codex to be very lacking, not from its generous usage limits but just the sheer number of repeated prompts needed to prevent its inclination to get stuck in a spiral, one which is very hard to get out of once it digs itself into a hole (I've had it refuse instructions despite desperate pleas, and starting a new convo appears to fix it, which is why I wasn't sure if this Opus 4.8 result was down to fresh context, but it appears to be very capable in ways that codex isn't).
As one of those commenters on the previous post - yep, that theory appears to have been comprehensively trounced. Unless anything comes to light that mythos was applied poorly to curl, the evidence suggests that it’s not uniquely effective vs other AI-assisted approaches. I’ll be interested to see what’s reported in the next curl release.
Curl simply isn't a good data point. It's one of the most picked-over codebases in existence with extensive security testing practices. All the researchers using not-quite-Mythos models have had plenty of time to report bugs up to this point. Daniel may be right that Mythos hasn't been a game changer for curl but the preconditions are different for virtually any other codebase. Perhaps the real marketing here is his own modesty about curl's maturity.
Curl uses all sorts of tools, including AI tools, to find bugs. These tools, according to the article, found hundreds of bugs including a dozen CVEs.
Mythos found one vulnerability. It means Mythos is just another tool, not the revolution it claims to be.
It is common that when a new tool is introduced, a bunch of bugs are found, with diminishing returns. Mythos finding one vulnerability is consistent with what I would expect for a major update to an existing tool, which Mythos is over existing LLM-based solutions.
This depends on the actual number of undiscovered bugs still in curl. If there is nothing to find then even a 10x better Mythos will find nothing. Also I think the quality of the codebase matters a lot when it comes to finding bugs. It's possible that curl is so well written that it is relatively straightforward for existing AI tools to find bugs.
But both things can be true. It could be a huge leap (see Firefox’s example) but also find almost nothing in an already well maintained and audited codebase, and that could mean there isn’t much to find.
Okay, but how do we know that all 400 plus hits were actual vulnerabilities? I didn't read too deeply into it so I might've missed something but did someone test and validate each of those vulns to confirm that they were actually vulns?
It's not, really. Curl is an extraordinarily high value target that has already been picked over by well funded security researchers and state-sponsored groups using state of the art tooling for decades. That is not the target for which Mythos is a threat.
The threat isn't high value targets, which already had sophisticated folks picking over the code base using state of the art tools and tests, it's medium to low value targets which can now be picked over by random hackers who barely know anything about security themselves at a cost of a few dollars.
The question is how many security vulnerabilities are actually left in the code after all the recent AI attention. Either Mythos is a nothingburger, or it's substantially more powerful but there's nothing left to do. Even a large amount of C can be correct eventually. Curl has the _potential_ to become a good data point maybe 6-12 months from now - if researchers and new tools find many more vulnerabilities then Mythos is proved to be hype. If they don't, then maybe Mythos is overkill for today's curl and its capabilities are better deployed elsewhere (like Firefox, apparently).
I have a hard time believing that Mythos found the only remaining Curl vulnerability. It is possible, but highly improbable.
And it is not overkill; the proof is that it found that vulnerability. It is like saying the new version of some static analyzer with some new rules is "overkill" because it found only one more bug than the previous version. Deciding whether it is overkill or not is more about context. Using a very expensive model like Mythos for some little-used, non-critical software is overkill, but for Curl, it absolutely isn't.
If Mythos found loads of vulnerabilities in Firefox but not in Curl, I wouldn't say that's because Mythos is so good, but rather that with the release of Mythos, they did some testing that could have been done before using the same tools Curl has used.
> Once the end-to-end pipeline is in place, it’s trivial to swap in different models when they become available. Building this pipeline early helped us find a number of serious bugs using publicly-available models, and it also helped us hit the ground running when we had the opportunity to evaluate Claude Mythos Preview. In our experience, model upgrades increase the effectiveness of the entire pipeline: the system gets simultaneously better at finding potential bugs, creating proof-of-concept test cases to demonstrate them, and articulating their pathology and impact.
We see this exact hype train every time a new model is released. Mythos simply hasn't lived up to the "we're all gonna die from the flood of vulnerabilities" hype even slightly. It's slightly better than previous models by all accounts, cool stuff.
I've seen literally near word-for-word this exact chain of events multiple times previously.
The answer is in the next sentence: "Bun owns its event loop and syscalls." They clearly want to manage their use of threads explicitly, which is not _unusual_ for systems programming but probably less common. Note that `rayon` is different from most of these in that it has nothing to do with async Rust - it's a tool for spreading computation over a thread pool, very popular in non-async projects, but it would also go against their goals here.
Is the poster maybe confusing bandwidth (range of frequencies over which a single board can work) with bandwidth (data transfer speeds in bits per second)?
I saw this the other day and was pretty confused - I prefer to write my own commit messages and wondered if I’d accidentally let the AI do it this time. Nope, just MS changing things behind my back. Sigh.
It's a meaningful difference for SaaS. Most likely an attacker doesn't have access to your running binary let alone source code, and if they probe it like a pentester would it will be noisy and blocked/flagged by your WAF.