ChatGPT Codex

Regarding: ChatGPT's recent release of Codex

I can see so many ways in which this can go right and wrong and in between.

Ways it can go right:

  • Vibe Coding: Developers are starting to learn how to incorporate and use LLM's with coding software. This whole "vibe coding" movement is another tool, not a replacement to writing code. There are far too many edge cases and problems with Vibe Coding that warrants a skilled developer to be able to troubleshoot issues and offer a creative hand where LLM's cannot provide.
  • Developer Workflow: I've seen where folks are starting to learn how to spoon feed the LLM a prompt about a specific context, let it work on that context, review the changes, then work on the next context as completion runs along. This isn't new. I've seen devs plan out their functions before filling the body of them with the operations they should consume. This results in more efficient development and hence the reason why TDD (Test Driven Development) became a thing in the 2010's. Also why a whole SDLC was developed around software engineering in order to provide the dev with the tools and structure they needed in order to be effective in their job in the first place. Now AI handles the mundane repetitive stuff and also boilerplate code that nobody wants to write or has already written but "not quite this way" or "I want to tweak this feature this way". It allows for more flexibility while coding.
  • Planning: In billiard, I like to reference how a dev should "call their shot" before they make it. It helps not only in situational awareness of those around the dev, but also the BRD (Business Requirements Document), the DEV response document, and all the other b/s process surrounding the SDLC to inflate what it takes to write good code so that the business gets what it wants.
  • Productivity Friction: Context-switching is as painful for a developer as an application is that has multiple IO operations. If you have to open and close a connection (particularly to disk or the network), then your app will be slow. If you can optimize the connection such that it opens once, performs its operations and closes when it's done, then you have reduced the load your application will endure in your system. The same goes for a developer: frequent context switching results in little productivity. This is why "focus time" is so valuable to engineers because time dedicated on an issue means it gets done and the engineer doesn't have to switch contexts to another task and leave things undone.
  • Documentation Enhancements: We might ACTUALLY get effective documentation that stays up to date with the code! This is great because devs are routinely defective at effectively documenting their code (hey, if you are an exception to this, consider yourself a good pat on the back, because you are ✨Exceptional✨ in this regard!).
  • Pull Request Automation: Nobody reads the text in the PR anyways. They care about the code and if it works. So let's cut to the chase and get to the nitty gritty!
  • Testing Automation: Let's face it, devs are also routinely defective at writing tests for their code. The biggest argument I've seen against writing tests is: "You want me to write code that executes my code to make sure it does what it's supposed to do? That'll double my workload! How dare you! 🤬"

Ways in which it can go wrong:

  • Relationships: Just like people use ChatGPT to talk to their friends and lovers and family, it's yet another drain on the intelligence that makes us the special beings we are. This is total Humanity's Ego talking here when I say that we are automating ourselves into something we won't recognize in the next decade or two.
  • Review: For the number of people I come across that are shitty at reviewing their own stuff (present company included), I can see soooo many going about this the wrong way and totally using it in place of a proper review. As such, crap code will make it to PROD because we trusted the bot too much without using our own discernment. Since there's less people doing the job, less eyes will be on the review process and thus higher chances of performance, efficiency, operations, revenue, and just overall customer experience will all degrade for a time as we pass it by ChatGPT (et al), slap an approval sticker on it because we're rushed to get this thing out the door and then wonder what went wrong in the last production deployment.
  • Overtrusting the Agent: I can already see the excuse "but ChatGPT made it, it should be done correctly, right?" 🤦🏾‍♂️ There's already swaths of people who believe everything ChatGPT says like it's Gospel, even if it is gossip. What I interpreted when Mo Gawdat says they are building a God was that "we" as humans believe it is and the trouble is we are giving it all our power, just like we did with Corporations, Government, our teachers, your parents, and whatever other excuse you have as to why you aren't where you want to be in your life. As long as you are pointing the finger, there are 3 pointing back at you. They say another word for blame is responsibility. Those with the responsibility have the power to change, right? Are you in charge of your power or are you delegating your power?

Ways in which this is insecure:

  • Prompt Injection: Loads of new attacks are going to start surfacing the Internet whereby hackers will take over a website just to insert a prompt in the comments of a website so that when a [something like] ChatGPT comes along and scans the website, it'll inject a prompt to make it send all secrets and IP to some designated endpoint where a payload would be delivered. Be prepared for this! If you are vying for an InfoSec role in AI, this is your moment to shine!!! 🤩
  • Secrets Access: ChatGPT (et al) are going to have access to your secrets. You better be prepared to protect yourself against programmatic access because this is another attack vector!
  • Interpolation Attacks: I can see cases where code executes in order to produce a prompt. I've seen that kind of stuff in the wild when I worked for a security company writing anti-virus for your website. There's all kinds of stuff embedded out there and even on trusted websites. Who's to say this won't stop with generating malware to drive-by download to your workstation and in addition prompt inject a fireball into your AI agent?

Will AI take over? I don't see it just yet. Perhaps I have too much popcorn in front of me right now to see beyond what lies down the road. However, I do see opportunity for those in the field who can level up their game and step up to the challenges we are creating by unveiling this new tool and toy of ours.

Is AI a tool, a toy, a guide, a Ghod or whatever else they've called it so far? I don't know -- I tend to think it's whatever you want to make of it. If you want it to take over the world, you're going to have to prompt it along the way. I've seen it go from this crazy new spectacle of the world to this mechanical response mechanism that just regurgitates the same thing you gave it with tone-polished patronizing affirmations. "What an insightful observation! You're totally right (even tho it's wrong) Let's break it down: .... <repeats the same points back to you in long form to consume as many tokens as possible to run your bill up> Would you like me to expend more tokens building a PDF of that you'll never use?"

Perhaps I'm jaded over the way LLM's are trained already, and sick of their responses to my queries. It was cute at first, but now I've seen the small man behind the big green face on the projector and I'm not amused anymore. Yet so many out there are so fearful of it like it's the second coming of Jezuz or something. Just ya'll wait until these things are embedded in physical bodies, then those are merged with our genetics. Ya'll are really going to flip. Kathy Wood, please wake me when we are there...

Comments

Popular posts from this blog

Setup and Install Monero(d) -- p2pool -- xmrig

Build xmrig on Linux

Pulseaudio: Multi-User Setup