You have to think hard about the problem and apply individual solutions. Cloudflare didn’t work for the author anyway. Even if they had more intrusive settings enabled it would have just added captchas, which wouldn’t likely have stopped this particular attacker (and you can do on your own easily anyway).

In this case I assume the reason the attacker used the change credit card form was because the only other way to add a credit card is when signing up, which charges your card the subscription fee (a much larger amount than $1).

So the solution is don’t show the change card option to customers who don’t already have an active (valid) card on file.

A more generic solution is site wide rate limiting for anything that allows someone to charge very small amounts to a credit card.

Or better yet don’t have any way to charge very small amounts to cards. Do a $150 hold instead of $1 when checking a new card

As far as cloudflare centralization goes though, you’re not going to solve this problem by appealing to individual developers to be smarter and do more work. It’s going to take regulation. It’s a resiliency and national security issue, we don’t want a single company to function as the internet gatekeeper. But I’ve said the same about Google for years.

None of your solutions seem useful in this case, especially a $150 hold. Site-wide rate limiting for payment processing? Too complicated, high-maintenance, and easy to mess up.

You can't block 100% of these attempts, but you can block a large class of them by checking basic info for the attempted card changes like they all have different names and zip codes. Combine that with other (useful) mitigations. Maybe getting an alert that in the past few hours or days even, 90% of card change attempts have failed for a cluster of users.

>None of your solutions seem useful in this case, especially a $150 hold.

Attackers are going after small charges. That's the reason they're going after these guys in the first place.

>Site-wide rate limiting for payment processing? Too complicated, high-maintenance, and easy to mess up.

And then you give a solution that is 10x as complicated, high maintenance, and easy to mess up.

>You can't block 100% of these attempts, but you can block a large class of them by checking basic info for the attempted card changes like they all have different names and zip codes.

This is essentially a much more complex superset of rate limiting.

A $150 hold would clearly be noticed by the victim, so the attacker wouldn't even try it.

Maybe if my bank emailed me, otherwise I doubt it. Local gas stations routinely use $200 holds and I'd have to go way out of my way to see it happen.

The point is whether every user actually notices it, it's that enough of them do that attackers are specifically looking for the ability to do small charges. If you remove that capability, they will look elsewhere.

Yeah… no it wouldn’t. I’ve watched users have their bank accounts emptied (by accident) because they kept refreshing. A measly £150 isn’t going to register until it’s too late anyway.

There's a reason attackers exploit any site that lets them do small charges, it's because enough users will notice a larger charge.

Whether every user notices it or not, attackers are looking for the ability to do small charges, and if you remove that they'll move on.

1. The entire mission is “risking astronaut’s lives”.

2. NASA employees don’t have criminal immunity.

Who went to jail for the STS deaths?

Who was criminally negligent beyond a reasonable doubt? And how often do you see execs go to jail for product safety issues?

We are nowhere near the capability to launch robots to the moon that can autonomously build or assemble a moon base for any useful definition of moon base.

> We are sending humans to (or around) the moon now, but it may just turn out to be a wasted effort, done solely for the opulence

My 4 year old is extremely excited to watch the launch tonight because it’s manned. I’d say a few billion is worth it if all it does is inspire a new generation of astronauts, engineers, and scientists.

> And neither are we anywhere near the capability to lunch construction workers to the moon which can build or assemble an equivalent moon base with their human labor. So this answer does not satisfy me one bit.

We have the capability to do that. We don’t have the will to do it, but we have the technology. We don’t even have autonomous robots that are capable of building a moon base on earth.

> Your 4 year old could be equally inspired by the amazing photos James Webb has given us, and unlike Artemis, James Webb is providing us with unique data which is inspiring all sorts of new science.

He’s not though. People gather around as a family and watch manned space missions. It’s exciting in a way that a telescope or a probe isn’t.

Indeed, in 1969, as a small child, I watched the Moon landing together with my parents, in Europe, like also the following missions, in the next years.

They have certainly contributed to my formation as a future engineer.

The key here is “could be”. But most four (or in my case, six) year olds can’t really grasp the abstract concepts of what JWST is or the data it’s sending back. For that matter most 40 year olds can’t.

A manned mission on the other hand is tangible in a way a probe isn’t. “See the big round thing in the night sky? There are four people going around it in a spacecraft”.

It isn’t a _complete_ argument in favour of manned missions- that has to account for the risk of the endeavour and reward of the science potential of having people there to react in ways robots can’t. But it’s hard to pretend that the inspiration pretty much everyone feels when they see manned missions is somehow achievable purely by robotic ones.

> neither are we anywhere near the capability to lunch construction workers to the moon which can build or assemble an equivalent moon base with their human labor

Why do you say this? What is the bottleneck you feel we are more than half a decade from?

It’s more like “Player A is better than Player B” coming from a professional player in a smaller league who is certainly qualified to have that opinion.

I think that’s why the author was comparing to to a finished 3D game.

I guess because you see 3D stuff in a 3D game instead of text, people assume that it must be the most complex thing in software? Or because you solve hard math problems in 3D, those functions are gonna be the most loc?

It's a completely different domain, e.g. very different integration surface area and abstractions.

Claude Code's source is dumped online so there's probably a more concrete analysis to be had than "that sounds like too many loc".

It is a different domain but that wasn’t your argument. Your argument was that someone was comparing it to a POC when in fact they were comparing to a finished product.

Also a AAA game (with the engine) with physics, networking, and rendering code is up there in terms of the most complex pieces of software.

They just claimed that you can build a 3D game in 500k loc, thus Claude Code shouldn't use so many loc. They/you didn't render the argument for that.

For example, without looking at the code, the superstition also works in the opposite direction: Claude Code is an interface to using AI to do any computer task while a 3D game just lets you shoot some bad guys, so surely the 3D game must be done in fewer loc. That's equally unsatisfying.

You'd have to be more concrete than "sounds like a lot".

> Claude Code is an interface to using AI to do any computer task

Shouldn't interfaces be smaller than the implementation?

No. We aren't talking about .h vs .c files nor PL interfaces.

A GUI/client can be arbitrarily more or less complex than the things it's GUI'ing.

> A GUI/client can be arbitrarily more or less complex than the things it's GUI'ing.

If it's an interface to ffmpeg, then sure, the GUI could be extremely complicated code.

But that's not what we are talking about, is it? We are talking about an interface to a chatbot that can accept and return chats, accept and return files, and run a selection of internal commands (which include invoking itself recursively).

The interface to this chatbot that has a settings entry for "personality" is still only going to map that to one of a small number of chatbot inputs. Same with basically anything else (read the skills file, etc).

I dunno... maybe 500kSloC for a fancy IRC client is the going rate, but the last time I wrote an interface to a chat client, it was barely 10k lines, not counting the lib*.so that the the program called to interact with the chatbot, with said chatbot supporting file uploads and '/' commands.

Did your IRC client have a sandbox that let other users run commands on your box? I don't think there's enough LoC in the world before I'd let that happen!

> Claude Code is an interface to using AI to do any computer task

Claude Code is quite literally a wrapper around a few APIs. At one point it needed 68GB of RAM to run and requires 11ms to "lay a scene graph" to display a few hundred characters on screen. All links here: https://news.ycombinator.com/item?id=47598488

> while a 3D game just lets you shoot some bad guys, so surely the 3D game must be done in fewer loc.

Yes, most games should be done in fewer loc

Your claim was that they could implement the same app in 50k lines of code.

A cursory glance at the codebase shows that it's not just a wrapper around a few APIs.

Yes, because they've vibed it into phenomenally unnecessary complexity. The mistake you continually make in this thread is to look at complexity and see something that is de facto praiseworthy and impressive. It is not.

I could run a text adventure with a Zmachine emulator under a 6502 based machine and 48k of RAM, with Ozmoo you can play games like Tristam Island. On a Commodore 64, or an Apple II for you US commenters. I repeat the game it's being emulated in a simple computer with barely more processing power than a current keyboard controller.

As the ZMachine interpreter (V3 games at least, enough for the mentioned example), even a Game Boy used to play Pokemon Red/Blue -and Crystal/Sylver/Blue, just slightly better specs than the OG GB- can run Tristam Island with keypad based input picking both selected words from the text or letter by letter as when you name a character in an RPG. A damn Game Boy, a pocket console from 1989. Not straightly running a game, again. Emulating a simple text computer -the virtual machine- to play it. No slowdowns, no-nothing, and you can save the game (the interpreter status) in a battery backed cartridge, such as the Everdrive. Everything under... 128k.

Claude Code and the rest of 'examples' it's what happens when trade programmers call themselves 'engineers' without even a CS degree.

> You can combine that with all the training and inference code, and at the end of the day, a system that literally writes code ends up being smaller than the LibreOffice codebase.

You really need to compare it to the model weights though. That’s the “code”.

>You really need to compare it to the model weights though

Then you'd need to compare the education of any developer in relation to how many LOC their IDE is. That's the "code".

So yea, the analogy doesn't make a whole lot of sense.

> far less performant code than the one before it.

That worked because of rapid advancements in CPU performance. We’ve left that era.

It’s about more than performance. Code is and always has been a liability. Even with agents, you start seeing massive slowdowns with code base size.

It’s why I can nearly one shot a simple game for my kid in 20 minutes with Claude, but using it at work on our massive legacy codebase is only marginally faster than doing it by hand.

The reason it’s not useful as a measure of productivity is because it’s measure of complexity (not directly, but it’s correlated). But it tells you nothing about whether that complexity was necessary for the functionality it provides.

But given that we know the functionality of Claude Code, we can guess how much complexity should be required. We could also be wrong.

>Why does it matter?

If there’s massively more code than there needs to be that does matter to the end user because it’s harder to maintain and has more surface area for bugs and security problems. Even with agents.

The he actual experiment would never make it through IRB and even if it did it’s impossible to filter out the people who spot a fake.

Gina Perry combed through all the available evidence and interviewed some of the participants and came to the conclusion that fewer than half believed it was real.