The Stack Overflow Podcast

Want to be a great software engineer? Don’t be a jerk.

Episode Summary

The home team convenes to discuss the XZ backdoor attack, what great software engineers have in common, how GenAI is changing the face of drug development, and the rise of managed service providers for AI.

Episode Notes

A developer discovered a backdoor in XZ, a popular open-source compression utility. Read more about the cyberattack here.

A Microsoft technical report pinpoints 54 attributes of great software engineers.

A new report from The Economist lays out how AI is changing drug development.

Are you sick of hearing about AI? What topics or technologies would you rather hear us talk about? Email us at podcast@stackoverflow.com or DM Ben here.

Episode Transcription

[intro music plays]

Ben Popper Maximize cloud efficiency with DoiT, the trusted partner in multi-cloud management for thousands of companies worldwide. DoiT’s innovative tools, expert insights, and smart technology make optimization simple. Elevate your cloud strategy and simplify your cloud spend. Visit doit.com. DoiT– your cloud, simplified.

BP Hello! Welcome back to the Stack Overflow Podcast: Home Team Edition. I am Ben Popper, Director of Content here at Stack Overflow, joined as I often am by my colleague and collaborator, Ryan Thor Donovan, Editor of our blog, maestro of the newsletter, and frequent host of the podcast at this point.

Ryan Donovan Frequent, yeah. Regular. 

BP Frequent. Ryan, tell me something interesting that's happening in the world of software and technology that has nothing to do with AI. What else is there to talk about? 

RD So, security– that's always a fun one. I found out about this one in person. I ran into somebody I know and talked about this backdoor somebody tried to put into open source software, the XZ software package. It's a compression library in Linux-based/Unix-based systems, and somebody tried to push a series of commits to this that would basically give them a backdoor into the compressed files. 

BP Woah. 

RD So it was basically a small open source software package that had a single primary maintainer who was going through a slow mental health crisis and somebody came in and was able to take advantage of that. 

BP Oh, no. Cue relevant XKCD cartoon. Shout out to all the solo maintainers out there. And we need a better way. We need a better way, and in the five years you and I have been here, we have not found it– except to say that we've had two people on. One was the folks from Sigstore who helped make Kubernetes who were creating something, and the other was the gentleman from Deno. And both of them have said that the software supply chain needs to be better secured. Open source folks and maintainers don't have the right resources. Maybe cryptography and transparent chains of custody are one way to do this. That doesn't help us on the exploit side, but just on the lonely maintainer side. 

RD Right. And I think this one got caught, luckily, through a series of coincidences, but the article I saw, and we'll share it in the show notes, is a detective story. It's one account coming in with some supporting accounts that are only there to kind of +1 all these commits, and then even the name given on the account might be fake. So it is a lightly coordinated attack. And then they're trying to push it to Debian and that.

BP Yeah, lightly coordinated. I myself have not spent any time on the dark web, but it does seem like sometimes when there's a password leak or a potential exploit, there are loose networks of hackers and hacker groups that know each other and maybe sometimes they say, “Oh, I've got something here that has a little promise. Who's got some time this weekend and wants to get cut in on this?” That sort of feels like a plausible scenario. 

RD And it could just be coordinating between sock puppets. Somebody going through VPNs or whatever proxy servers and just starting up new accounts. 

BP All right, we've done our security check for the week.

RD Now we can do AI forever. 

BP No, we're going to move on to crypto which has rebounded. The meme coins are back. Bitcoin and Ethereum made it back to all-time highs. They're sort of circling around there. They didn't punch through to some big number, but they got back up to where they were and this has led to a strange situation. Sam Bankman-Fried, née SBF, the face of the crypto collapse of two years ago, was just sentenced to 25 years in prison, and ironically, the third party neutral person who is arbitrating the bankruptcy says that because the price of crypto has recovered so much, not only do we have all the money to cover all the depositors and all the debt holders, but we're even paying back the investors, which is great news in that people who lost their life savings hopefully will get it back. Some tragedies cannot be remedied. Some people literally committed suicide after they lost all their money, so you can't take it back. But the judge said something that I thought was so funny. He said that if you take your customer deposits to Vegas, gamble and win big, you still committed a crime. It doesn't matter if you can pay these folks back, you weren't allowed to move their money around and make bets with it. But there is a certain sense of irony to it. 

RD I think we had a question in the newsletter that was exactly that. If you use money to gamble and then win and then give the money back, it's still stealing.

BP I myself had some money parked in Gemini, which is the crypto exchange run by the Winklevoss twins. It was paying a primo interest rate and I took most of it out after Three Arrows Capital went belly up, but there was a little bit left. And I got an email from them last week saying that they're finishing up their bankruptcy proceedings, and not only are they going to give me my money back, but all the interest I would have earned in the time that my money has been locked up there. So strange. I had written it off. I was like, “Well, they went bankrupt. Pretty sure I'm never going to see a dime of that again.” But as it turns out, I may.

RD Well, you were still listed as a creditor on their account, so bankruptcy proceeding is in your favor. 

BP I guess so. Yeah, exactly. I had a funny talk with a lawyer friend of mine. People are writing in these letters sort of saying, “Well, now that I know you're not bankrupt, I'm glad to be getting my money back, but my coins would now be worth 10 times as much so I'd like that, please.” And it's like, “No, no, no. That's not how it works.” You get to make the claim at one point and then it sticks where it is, because if it went down, it's not like you'd be asking for less. That's just the way it is. 

RD I think bless them. Bless them for trying to get more out of it now that the numbers are up, but not how it works. 

BP Not how it works. I don't know if we have talked about it on this show because I was away in Iceland for a week, but just shout out to the Neuralink demo of a gentleman who became a paraplegic after an accident, playing chess and playing Civilization and browsing the web and pausing and starting his Spotify all with his mind. If you are willing to get an implant, you can now control your computer with your brain. It's a pretty cool sci-fi scenario. 

RD And cool tech. I look forward to Shadowrun becoming a reality. One of my friends' reactions to it was that this was such a boring dystopia where somebody gets a brain implant and then plays Civilization for eight hours straight. That's the world we are. 

BP Hey, now. Hey, now. He's just warming up. Next thing you know, he could have a job as a software engineer. He's just warming up. 

RD Of course. First step, first step. 

BP He could fulfill the dream of the young generation and become an influencer. Did you see the thing about the guy in the iron lung who became an influencer at the end of his life? It's dark. 

RD That guy seemed pretty happy about his life. He was a lawyer. If he had gotten the brain implant, I think he would have been less happy. 

BP Yeah, I agree. I'm going to put this in the show notes. This is a technical report from March 7th, 2019. Microsoft Research: “What makes a great software engineer?” There are 54 attributes of great software engineers. Did you know that? People who are passionate about their jobs and continuously improving, who develop and maintain practical decision making models based on theory and experience, who grow their capability to produce software that is elegant, creative, and anticipates needs, who evaluate trade-offs at multiple levels of abstraction from low level technical details to big picture strategies, and whom teammates trust and enjoy working with. If you want to know what makes a great software engineer and you feel like a 75-page research report is the best way to find out, I've got some content for you, my friend. 

RD Nice. Do they have metrics? 

BP It doesn't seem like it's so much of a DORA metric thing as it is a– 

RD Metrics or it didn't happen.

BP –interpersonal social skill kind of thing. That's what this one feels like. This is soft skills, it feels like. 

RD The TL;DR is, “Don't be a jerk.” 

BP Don't be a jerk and be good at your job. 

RD Do your job, don't be a jerk. 

BP Be motivated to do good work. Exactly. Speaking of not discussing AI, I will discuss it but in the pejorative, which is to say that Ryan and I had a great conversation with some folks from MongoDB and Google Cloud who passed along some interesting statistics. They are out there in the real world working with enterprise clients at the biggest level, all of the biggest companies you can think of, and those folks are saying, “Look, we can't get left behind. We've been told Gen AI, need to have it, improve productivity. Not sure how.” And so they gave me two statistics that I thought were interesting. First off, 80-90% are still just doing demos, toy products, experiments. 5-10% have moved to production. So that's a good initial metric for how far we've come in a year since November. We'll use the launch of ChatGPT as our kickoff date. 

RD Sure, the zero hour. 

BP Exactly. Zero hour of the oncoming AGI singularity. So everybody's trying it, nobody's deploying it, except for a handful, and of everybody who's working on it, 60% don't have a business use case for it. They're like, “We’ve got to muck around with this but if you ask me to say what the business value it's going to deliver is that justifies all this R&D and engineering time, sorry, don't have a good answer.” 

RD It's produced some really great toys so far. 

BP I tried to counter that by saying, “Look, there are some consumer-facing applications at scale and I think that people get a lot out of them.” Your ChatGPTs, your Claudes, your Geminis, and then your image generators, and those are now baked into Adobe Photoshop. I think consumers are getting value out of that day in, day out, and millions or tens of millions of consumers are doing it. So that's at scale. The question that remains is, inside of a business organization, what apps or workflows is this going to power and transform in a way that's meaningful, or does it not really have the place that we thought it did? And I think that's the trajillion dollar question. 

RD And I think there are still a lot of big companies that have operated at scale without making profits, just living on VC money for a long time, and I wonder how much of this and the AI boom is of that mindset– the zero interest financing mindset where it's like, “We can push some really disruptive technology and change the world and we don't have to worry about a business model quite yet. We can still figure out what's going on.”

BP There was an article in The Economist, which I consider a pretty conservative publication in terms of not getting caught up in hype, that said that AI is making a huge impact in the world of drug discovery. I think the headline was, “Artificial intelligence is taking over drug discovery.” And so that is one area where you could say that adoption is rapid, value is clear, impact is transformative. So I thought that was a good one. And actually their point there was that regulators need to catch up. If we're going to have 10X more viable potentially life-saving medicines, how are we going to get them all approved in time? 

RD Right. And with that, I read there was a sort of agreement a bunch of companies signed together to say that we will use the AI biodiscoveries responsibly. We won't be figuring out how to maximize infectious diseases or produce drugs that make you blind.

BP No more gain of function, please. Yeah, exactly. We tried that once, it didn't go well. 

RD I'm with you. I think we need some regulations with teeth, enforcement and all that, because just a pinky promise that we're not going to do bad stuff with it doesn't cover everybody.

BP Absolutely. Another thing that came out of the conversation we had with the Google and MongoDB folks that I thought was interesting was that a new class of startups will emerge which are managed service providers for Gen AI. And what they will do is say, “Oh, maybe you have figured out the business use case, but you don't have a team of people internally who can do this stuff.” And there was recently an article in The Wall Street Journal. The competition for AI talent is fierce and the salaries are seven/eight figure. It's the new hotness. So in much the same way that maybe a small startup or even a midsize legacy business would say, “We've got to move to the cloud, but we don't have a big IT department,” there are companies now that will do the data labeling, cleaning and selection for you. There are companies that will do the fine-tuning for you. There are companies that will build the models for you. There are companies that will build and maintain the models for you, and you just get an API wrapper and query goes in, output comes out. There are companies that will do the prompt engineering for you. There are companies that will do it soup to nuts. So I thought that was really interesting. You and I have been on a bunch of podcasts with companies that have grown quite large like DoiT, offering basically to help you manage, control, and optimize your cloud costs. And maybe there will be a future essentially, and maybe DoiT will do this. I think we had them on to discuss it. Companies that are saying, “We're here to help you build, grow, manage, optimize your AI infrastructure and then costs.” Because just like cloud costs, if something gets traction, it might spiral out of control. What you paid last week in terms of tokens could be 10X this week if your product catches on in the market. 

RD And I think we're still Wild West a little bit with the AI and I think a lot of stuff is commoditizing. In the piece we did with IBM, they said the reality is that we expect inferencing stacks to commoditize pretty quickly, that this is going to be a thing you buy, you press a button and you don't have to train your own model. And I think that will ultimately be a good thing, but there will probably be a pretty big winner from it. 

BP All right, everybody. I want to ask for a little audience participation before I take us to the outro. Two things. One, there's a discussion on Stack Overflow as part of our new discussions feature. A question from Mr. Quibbles is: “What language would be the best beginner language to start with now?” So far, we've got C and C++, Python and Java. Those are the suggestions from the folks in the comments. Tell us what you think the right language is to start with now. Send us an email, podcast@stackoverflow.com, or hop into the discussion, we'll put the link in the show notes, and tell us what you think is the best language. Second– audience engagement bait that I want to leave out there. How sick are you of hearing us talk about Gen AI? How sick are you of having it pushed on you at work or having all conversations about software lead back to this? Would you rather refocus on discussing other tools, technologies and frameworks? And if so, what do you think is the most interesting stuff to talk about right now? We want to know. Consider this a mini dev survey. Podcast-verse, if you are one of the folks who's been listening every week, shoot me a DM on X or email the podcast and say, “Hey, we'd like to hear about these topics, and let's take a chill pill on Gen AI for a few weeks.” I'd like to know what you're interested in and what you want to hear about and maybe we could bring some great guests on in those areas.

[music plays]

BP All right, everybody. It is that time of the show. Let's shout out someone who came on Stack Overflow and was awarded a Lifeboat Badge. Awarded April 1st to Lloyd, “How to convert DateTime to string yyyy-mm-dd.” This is a 10 year old question. Lloyd left a great answer, earned himself a Lifeboat Badge, and has helped 57,000 people, so we appreciate it, Lloyd. I am Ben Popper. I am the Director of Content here at Stack Overflow. You can always find me on X @BenPopper. If you want to engage with us, email us, podcast@stackoverflow.com. And if you enjoy the show, you can leave a rating and a review. It really helps. 

RD I'm Ryan Donovan. I edit the blog here at Stack Overflow. You can find it at stackoverflow.blog. And if you want to reach out to me, you can find me on X @RThorDonovan. 

BP Thanks for listening, and we will talk to you soon.

[outro music plays]