<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: mosbat</title>
    <description>The latest articles on DEV Community by mosbat (@mosbat).</description>
    <link>https://dev.to/mosbat</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F578915%2Fb74e0efa-dafc-4e19-8e4f-47ab6f3c0f0b.jpg</url>
      <title>DEV Community: mosbat</title>
      <link>https://dev.to/mosbat</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/mosbat"/>
    <language>en</language>
    <item>
      <title>Reqrea’s 1 Million Passport Exposure Is a Reminder Why Cloud Security Audits Matter</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Mon, 29 Jun 2026 19:51:42 +0000</pubDate>
      <link>https://dev.to/mosbat/reqreas-1-million-passport-exposure-is-a-reminder-why-cloud-security-audits-matter-9fa</link>
      <guid>https://dev.to/mosbat/reqreas-1-million-passport-exposure-is-a-reminder-why-cloud-security-audits-matter-9fa</guid>
      <description>&lt;h3&gt;
  
  
  Incident
&lt;/h3&gt;

&lt;p&gt;On May 15, 2026, Reqrea, a Japan-based KYC company, reported that more than 1 million passports had been exposed to the public internet via a misconfigured S3 bucket.&lt;/p&gt;

&lt;p&gt;This breach impacted over 1 million travelers from around the world. Exposed passports could potentially put all impacted individuals at risk of identity theft or sophisticated social engineering attacks in the future.&lt;/p&gt;

&lt;p&gt;This recent incident further confirms my earlier point that AWS misconfigurations remain one of the top cybersecurity vulnerabilities in 2026.&lt;/p&gt;

&lt;h3&gt;
  
  
  How it was identified
&lt;/h3&gt;

&lt;p&gt;The vulnerability was discovered by security researcher Anurag Sen, who detected that one of the S3 buckets used by the company was accessible to the public without authentication or an authorization process.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why it matters
&lt;/h3&gt;

&lt;p&gt;KYC platforms and companies handling PII are expected to have strong change control, security governance and regular security audits to prevent such costly mistakes from happening. In this instance, since Reqrea has collected such data, they may face regulatory, contractual, and reputational exposure.&lt;/p&gt;

&lt;p&gt;Unfortunately, such cases could potentially harm companies' reputation among customers and partners, which could hurt future sales.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;[!NOTE]&lt;br&gt;
The average data breach costs U.S. organizations about USD 10.22 million, according to IBM’s 2025 Cost of a Data Breach Report.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fa2bu2tv5r1fxivflbohl.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fa2bu2tv5r1fxivflbohl.jpg" alt=" " width="800" height="400"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  Lesson Learned
&lt;/h3&gt;

&lt;p&gt;Companies handling PII need to adopt a "Secure by Design" policy and have strong cloud governance if they want to use cloud solutions.&lt;/p&gt;

&lt;p&gt;A good preventive strategy would entail companies bringing in third parties (e.g. consultants) before going live or before getting involved in any activity involving protected data collection or transmission of such data.&lt;/p&gt;

&lt;p&gt;Another lesson learned is that delegating KYC to third parties may actually reduce security if the KYC platform itself is insecure.&lt;/p&gt;

&lt;p&gt;I can easily point out the fix needed for this vulnerability. However, we have to look at this incident first as a question of governance and policies, and only second as a technical one.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>cloud</category>
      <category>cybersecurity</category>
      <category>datasecurity</category>
    </item>
    <item>
      <title>"We're Too Small to Be Targeted" is Why They Never Saw It Coming</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Fri, 19 Jun 2026 08:27:54 +0000</pubDate>
      <link>https://dev.to/mosbat/were-too-small-to-be-targeted-is-why-they-never-saw-it-coming-46ke</link>
      <guid>https://dev.to/mosbat/were-too-small-to-be-targeted-is-why-they-never-saw-it-coming-46ke</guid>
      <description>&lt;p&gt;A &lt;a href="https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025#chapter-4-prevalence-and-impact-of-cyber-breaches-or-attacks" rel="noopener noreferrer"&gt;2025 survey by the UK government&lt;/a&gt;, it was found that 41% of micro-businesses and 50% of small businesses have experienced either an attack or a data breach.&lt;/p&gt;

&lt;p&gt;According to another &lt;a href="https://www.rhsmith.umd.edu/news/small-business-still-means-big-risk-listen-economists" rel="noopener noreferrer"&gt;2025 study by the University of Maryland&lt;/a&gt;, small businesses are at much higher risk of a financial disaster given their limited resources, in contrast to big corporations that are already spending millions of US dollars on their cybersecurity posture. In the US, 99% of companies are considered SMBs (based on US Chamber of Commerce data).&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;[!NOTE]&lt;br&gt;
Cybercriminals may find SMBs more attractive as a target compared to big corporations given the low effort required.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Many SMBs view hiring a cybersecurity expert as a high cost, so they rely instead on their undertrained staff to handle cybersecurity. The harsh reality is that cybersecurity is a broad and specialized field, distinct from the software engineering discipline, which makes it hard for someone with a traditional software engineering background to perform proper threat modelling and propose appropriate policies and controls to lower or mitigate common risks. The same can be said about traditional DevOps engineers.&lt;/p&gt;

&lt;p&gt;Most employees lack training on how to recognize a phishing attack or best practices to protect customer data from accidental leakage or breaches.&lt;/p&gt;

&lt;p&gt;Even with cyber insurance, there is no guarantee that an incident will fall under the insurance policy's coverage. Nevertheless, the damage a business can sustain from a data breach can permanently destroy it, especially when customer trust is required. All US states have breach notification laws with varying scopes and timing (without unreasonable delay). As for fines, in New York for example, the fine can be USD 20 per record (max USD 250k). In California, the fines can range from USD 2.5k to 7.5k per violation (without cap). The penalties under HIPAA are even bigger, going up to USD 1.5m annually.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1qpb7f4175mdr374u7wj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1qpb7f4175mdr374u7wj.png" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As a cybersecurity professional coming from a software engineering background, I know that cybersecurity risks are treated as an afterthought for real due to multiple factors, ranging from business priorities to a lack of training and awareness.&lt;/p&gt;

&lt;p&gt;SMBs don't actually need to hire an entire team of cybersecurity professionals or pay huge amounts of money to big consulting firms. They can instead hire consultants with scoped engagements.&lt;/p&gt;

&lt;p&gt;Companies can treat the costs of obtaining and maintaining ISO 27001 certification and good standing as a marketing cost, since clients are becoming more sensitive to the security of their data now that we live in the digital era (soon the AI era). Gold is no longer stored in a closet but as numbers in a database on a server.&lt;/p&gt;

&lt;p&gt;The cost of cybersecurity consultancy remains minor compared to the cost of a major data breach, as well as PR management and asking your marketing and sales teams to handle the aftermath.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>riskmanagement</category>
      <category>compliance</category>
      <category>smb</category>
    </item>
    <item>
      <title>Stop Developing Tools, Focus on Security Governance Instead</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Sat, 13 Jun 2026 09:54:32 +0000</pubDate>
      <link>https://dev.to/mosbat/stop-developing-tools-focus-on-security-governance-instead-3ch3</link>
      <guid>https://dev.to/mosbat/stop-developing-tools-focus-on-security-governance-instead-3ch3</guid>
      <description>&lt;p&gt;I have been observing the landscape recently in cybersecurity and the more time I spend on tech communities, the harder it becomes to recognize a pattern.&lt;/p&gt;

&lt;p&gt;I see every day and every few minutes something along the lines of "Check out my new cool tool that automates ABC" or "I created a free assessment tool that will check all your controls and tell you XYZ" and so on.&lt;/p&gt;

&lt;h2&gt;
  
  
  Simple Automation Mindset No Longer Stands Out
&lt;/h2&gt;

&lt;p&gt;Unfortunately, we are still stuck in a pre-AI-era mindset about how cool automation is and how valuable our coding skills are. However, the blind spot for a lot of tech professionals today is that the value proposition of automation no longer helps you stand out.&lt;/p&gt;

&lt;p&gt;With AI, generating code or automating certain tasks has become so easy that the bar for generating production-ready tools is almost non-existent at this point (except for software that solves complex problems).&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Jensen Huang (NVIDIA CEO)&lt;/p&gt;

&lt;p&gt;"It is our job to create computing technology such that nobody has to program, and the programming language is human."&lt;br&gt;
— February 2024, World Government Summit in Dubai&lt;/p&gt;

&lt;p&gt;Sam Altman (OpenAI CEO)&lt;/p&gt;

&lt;p&gt;"I have so much gratitude to people who wrote extremely complex software character-by-character. It already feels difficult to remember how much effort it really took. Thank you for getting us to this point."&lt;br&gt;
— Sam Altman, posted on X (Twitter), March 2026&lt;/p&gt;

&lt;p&gt;Dario Amodei (Anthropic CEO)&lt;/p&gt;

&lt;p&gt;"I have engineers within Anthropic who say I don't write any code anymore. I just let the model write the code, I edit it."&lt;br&gt;
— Dario Amodei, World Economic Forum in Davos, January 2026&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;It is naive to think that a trillion-plus US dollar industry will disappear overnight or that it will face an obstacle and give up. Those are companies with massive investments, so failure is not in their dictionary.&lt;/p&gt;

&lt;p&gt;The above applies not only to software engineering but also to cybersecurity.&lt;/p&gt;

&lt;h2&gt;
  
  
  AI Tokens Cost Vs. Hiring Humans
&lt;/h2&gt;

&lt;p&gt;It was already known that AI companies were largely running at a loss for a few years, and now we see that the overall cost of running AI agents has increased dramatically due to high adoption and hunger for compute power (&lt;a href="https://www.businessinsider.com/openclaw-ai-demand-token-use-surge-nvidia-pricing-jumps-2026-2" rel="noopener noreferrer"&gt;https://www.businessinsider.com/openclaw-ai-demand-token-use-surge-nvidia-pricing-jumps-2026-2&lt;/a&gt;). Rumors suggest that we will go back to hiring humans instead of relying on AI but there is a huge flaw in this argument.&lt;/p&gt;

&lt;p&gt;AI, like every technology, is always costly and not so efficient at the beginning. It only takes a breakthrough before token prices become a lot cheaper. Therefore, the idea that token prices will suddenly turn industries away from AI and back to hiring humans, as they did in the past, may be true for the short term but is less likely to remain a reality.&lt;/p&gt;

&lt;p&gt;A well-developed LLM can spot vulnerabilities and threats much faster than a human can, no matter how fast they work. A vulnerability that takes a security engineer hours to spot and patch can be handled by AI within minutes. This significantly reduces the cost per hour for companies.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;[!IMPORTANT]&lt;br&gt;
AI security solutions do require human intervention and maintenance. Companies still need AI Security and Governance specialists.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The Market Is Flooded with SIEM Solutions and Tools
&lt;/h2&gt;

&lt;p&gt;According to an IDC survey, organizations on average are dealing with 10 to 15 security vendors and 60 to 70 security tools (Source: IDC survey, as reported by CrowdStrike, 2024).&lt;/p&gt;

&lt;p&gt;If anything, companies are actually trying to cut down the number of tools and are even encouraging their internal engineers not to create any additional tools without an internal review process. This is based on my personal observation across multiple industries.&lt;/p&gt;

&lt;p&gt;Is it important that you can write a script or create some tool? Of course! The point is that when you step into a tech company, your script or tool might work only in the short term, for a problem that the organization may consider not worth buying a SaaS solution for.&lt;/p&gt;

&lt;p&gt;From my personal experience in big tech, I had to pause sometimes to think which tool to use since each company had dozens in production (even if they didn't really want them).&lt;/p&gt;

&lt;h2&gt;
  
  
  Why a Security Engineering Mindset Is Better Than Automation
&lt;/h2&gt;

&lt;p&gt;The value of developing a tool to check policy violations is very weak if the architecture itself is flawed.&lt;/p&gt;

&lt;p&gt;Quite often, you'll find problems that can be solved by a configuration tweak without writing a single piece of code.&lt;/p&gt;

&lt;p&gt;You might, for example, be tempted to restrict access to AWS S3 and develop a service that stands between the customer and the bucket to ensure only authorized access, when all you had to do was simply use pre-signed URLs.&lt;/p&gt;

&lt;p&gt;Another example: you could be tempted to develop a tool to revoke the access of AI agents when a more pragmatic approach would have been to grant AI agents authorization tokens with TTLs instead.&lt;/p&gt;

&lt;p&gt;Sometimes, the problem is not collecting regulated data but the lack of secure design. If your organization can fill a gap by simply enabling encryption when a client inputs their data into a form, would you still try to develop a new tool?&lt;/p&gt;

&lt;h2&gt;
  
  
  Security and Governance
&lt;/h2&gt;

&lt;p&gt;What was discussed above is only part of security and governance; and if I'm to cover every aspect of security and governance, I'd probably need more than just a blog post to cover them.&lt;/p&gt;

&lt;p&gt;Security and governance is a broad topic but a cybersecurity professional who is proficient in a few of its aspects can offer more value than an engineer who can write a for loop.&lt;/p&gt;

&lt;p&gt;Below is a non-exhaustive list of topics that fall under security and governance:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Policies (with leadership backing)&lt;/li&gt;
&lt;li&gt;Compliance (e.g. GDPR, PCI-DSS, ISO 27001, etc...)&lt;/li&gt;
&lt;li&gt;Accountability (who owns what)&lt;/li&gt;
&lt;li&gt;Standards&lt;/li&gt;
&lt;li&gt;Audit processes (verifying controls and compliance)&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;You can offer an organization a much stronger value proposition if you can, for example, advise their dev team on how to handle PII in their code.&lt;/p&gt;

&lt;h2&gt;
  
  
  When to Develop a New Tool
&lt;/h2&gt;

&lt;p&gt;If you wish to develop a new tool, try to ask yourself the following questions:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;What problem exactly am I trying to solve?&lt;/li&gt;
&lt;li&gt;Has someone already made something similar?&lt;/li&gt;
&lt;li&gt;If I were a client, is the value proposed compelling enough that I'd spend thousands of US dollars on it?&lt;/li&gt;
&lt;li&gt;Will my tool do something that AI and other LLMs cannot do no matter what?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;You can perform a simple smoke test by running a search for your idea on any search engine and seeing whether it already exists.&lt;/p&gt;

&lt;p&gt;There are genuinely situations where organizations have neither the time nor the resources to acquire a new SaaS solution for a specific problem, and you may be asked to solve it using automation or a custom script. More often than not, however, your tool will later be replaced by a SaaS provider who has signed an SLA with blood and has 24/7 dedicated support teams. SaaS providers need to meet standards and regulations such as ISO 27001 and have a strong track record.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;I must emphasize that I'm not saying that developing tools is wrong or bad. What I'm trying to prompt is a change of mindset. The question or challenge of today is no longer "How can I automate this?", but rather, "How can I create systems that are scalable, efficient, resilient and secure?"&lt;/p&gt;

</description>
      <category>securitygovernance</category>
      <category>cloudsecurity</category>
      <category>aisecurity</category>
      <category>compliance</category>
    </item>
    <item>
      <title>Just Joined CoderLegion!</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Fri, 12 Jun 2026 07:24:33 +0000</pubDate>
      <link>https://dev.to/mosbat/just-joined-coderlegion-56bk</link>
      <guid>https://dev.to/mosbat/just-joined-coderlegion-56bk</guid>
      <description>&lt;p&gt;🚀 Check out my CoderLegion profile &amp;amp; latest post!&lt;/p&gt;

&lt;p&gt;🏆 Points: 929 | 🎱 Badges: 21 | 👥 Followers: 5 | 📄 Posts: 6&lt;/p&gt;

&lt;p&gt;Latest post: "Why Organizations Are Still Missing Out on Passwordless Adoption"&lt;br&gt;
Read it here: &lt;a href="https://coderlegion.com/19940/why-organizations-are-still-missing-out-on-passwordless-adoption" rel="noopener noreferrer"&gt;https://coderlegion.com/19940/why-organizations-are-still-missing-out-on-passwordless-adoption&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;View my full profile: &lt;a href="https://coderlegion.com/user/strange-developer" rel="noopener noreferrer"&gt;https://coderlegion.com/user/strange-developer&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Why Organizations Are Still Missing Out on Passwordless Adoption</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Mon, 08 Jun 2026 08:14:39 +0000</pubDate>
      <link>https://dev.to/mosbat/why-organizations-are-still-missing-out-on-passwordless-adoption-10gp</link>
      <guid>https://dev.to/mosbat/why-organizations-are-still-missing-out-on-passwordless-adoption-10gp</guid>
      <description>&lt;p&gt;According to a &lt;a href="https://ponemonsullivanreport.com/2024/11/the-2024-study-on-the-state-of-identity-and-access-management-iam-security/" rel="noopener noreferrer"&gt;2024 study by Ponemon-Sullivan Privacy Report&lt;/a&gt;, it was found that around 76% of organizations surveyed in the US haven't adopted passwordless yet.&lt;/p&gt;

&lt;p&gt;Given the rapidly evolving landscape of the internet and AI, the lag in adopting passwordless is a concern worthy of highlighting.&lt;/p&gt;

&lt;h3&gt;
  
  
  Passwords Are Not Enough Anymore
&lt;/h3&gt;

&lt;p&gt;Hackers figured out long ago many ways to obtain passwords. All it takes for an account to be compromised is one vulnerable service running on a server, or a side-channel attack, and the password will already be sold on the dark web to the highest bidder.&lt;/p&gt;

&lt;p&gt;Despite the fact that many organizations have raised the baseline password complexity to comply with standards and regulations, there are still other challenges:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Password rotation fatigues employees who may not be very tech-savvy (or use password managers), so they resort to workarounds that could compromise their passwords.&lt;/li&gt;
&lt;li&gt;How passwords are stored cannot be ignored.&lt;/li&gt;
&lt;li&gt;Security level among applications that do use passwords can be inconsistent. This means for example, your banking application might be very secure but this may not be true if you're using the same password for a partner site or service.&lt;/li&gt;
&lt;li&gt;Even passwords that are encrypted at rest can be compromised if the encryption algorithm is weak or contains vulnerabilities.&lt;/li&gt;
&lt;li&gt;Hackers often use social engineering to try to guess passwords using password cracking tools. Short and predictable passwords can be cracked in anywhere from seconds to a few minutes.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;What makes relying on passwords alone even riskier is that around 80% of organizations haven't yet adopted a zero trust architecture, which means that all it takes is one compromised password or account and hackers can install malware to extract others' passwords (APT). This is as per the same 2024 study by Ponemon-Sullivan Privacy Report.&lt;/p&gt;

&lt;p&gt;The above scenarios of course assume that users do not have adequate 2FA configured or their 2FA channels are also compromised (e.g. zero-click attacks on mobile devices).&lt;/p&gt;

&lt;h3&gt;
  
  
  How Does Passwordless Solve The Problem?
&lt;/h3&gt;

&lt;p&gt;Passwordless implementations such as FIDO2 significantly reduce the risks associated with password handling because the passwordless device itself becomes the authenticator. This can come in the form of BYOD or, for example, hardware security keys (e.g. YubiKeys are a popular solution).&lt;/p&gt;

&lt;p&gt;When you enroll a passwordless-compatible device, the device generates a private and a public key. The private key, which contains the secret (a random number), never leaves the device and cannot be extracted. In addition, the private key is calculated from the web service domain alongside the generated secret.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;[!TIP]&lt;br&gt;
Since the private key uses the web service domain alongside the secret, this makes phishing attacks much harder.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Since each login uses a different random challenge signed with the private key, replay attacks become useless.&lt;/p&gt;

&lt;p&gt;Some passwordless authenticators may also be compatible with biometric authentication such as face recognition or fingerprints, which reduces theft risks.&lt;/p&gt;

&lt;p&gt;Examples of passwordless solutions:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;FIDO2 (Fast Identity Online) -&amp;gt; &lt;strong&gt;&lt;em&gt;Most secure&lt;/em&gt;&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;OTP (One Time Password)&lt;/li&gt;
&lt;li&gt;Biometric Authentication.&lt;/li&gt;
&lt;li&gt;Magic Links (one-time links)&lt;/li&gt;
&lt;li&gt;Mobile App-Based&lt;/li&gt;
&lt;li&gt;Third-Party Identity Providers (e.g. Azure AD, Okta and Ping Identity)&lt;/li&gt;
&lt;li&gt;Certificates and Tokens&lt;/li&gt;
&lt;li&gt;Physical Tokens&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Why Are Organizations Lagging Behind?
&lt;/h3&gt;

&lt;p&gt;The main challenge organizations still face in passwordless adoption is account recovery. If passwords are phased out without having reasonably secure options for account recovery, there is a significant risk of access loss.&lt;/p&gt;

&lt;p&gt;Other factors contributing to the slow adoption include legacy systems and employees getting overwhelmed by the change.&lt;/p&gt;

&lt;h3&gt;
  
  
  No Standard Account Recovery Solution
&lt;/h3&gt;

&lt;p&gt;As of today, organizations implement different procedures for account recovery. For example, some organizations require the employee to come to the workplace in person in order to restore access. Others provide hotlines, for example, where employees are asked different challenge questions and need to complete one extra step to restore their access.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why Organizations Need to Prioritize Passwordless
&lt;/h3&gt;

&lt;p&gt;Since secrets never leave the device in the case of FIDO2, it's much harder for attackers to extract the secrets and use them.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;[!NOTE]&lt;br&gt;
While most passwordless-compatible devices are secure, this doesn't mean that side-channel attacks are impossible. For instance, during testing, NinjaLab found a vulnerability (EUCLEAK) in the cryptographic library that made it possible for them to clone the key. Yubico advised users to either upgrade or purchase a newer, patched version of YubiKeys.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Transitioning the organization to passwordless standards requires both technical expertise and most importantly the backing of leadership and dedicated effort when it comes to dealing with legacy systems. Quite often, organizations would try instead to deprecate incompatible systems in favor of building or buying licenses for compatible ones.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>cloud</category>
      <category>security</category>
    </item>
    <item>
      <title>OWASP's Duty to Human Rights: Why AI Security Matters for Human Dignity</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Wed, 03 Jun 2026 22:00:00 +0000</pubDate>
      <link>https://dev.to/mosbat/owasps-duty-to-human-rights-why-ai-security-matters-for-human-dignity-1k9h</link>
      <guid>https://dev.to/mosbat/owasps-duty-to-human-rights-why-ai-security-matters-for-human-dignity-1k9h</guid>
      <description>&lt;h2&gt;
  
  
  AI's Rapid Growth and Lack of Regulation
&lt;/h2&gt;

&lt;p&gt;AI security is not only about protecting passwords and secrets, but it's about ensuring human safety first and foremost just as in software security in general.&lt;/p&gt;

&lt;p&gt;We have seen in recent years how rapidly AI has been expanding. Just as legal and regulatory bodies were still catching up in the early days of the internet, we are seeing a similar pattern take place at the moment. Despite the fact that we have seen new standards and frameworks (e.g. NIST AI RMF) addressing the need for more responsible and safe AI usage, there are still a lot of concerns about which direction AI is going, while corporations are rapidly pushing AI development to race the regulators instead of coordinating with them on what's acceptable and what is not.&lt;/p&gt;

&lt;p&gt;We have seen recently several instances where AI solutions have been used recklessly by certain organizations without proper controls or testing which led to several tragic incidents and loss of lives.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;[!NOTE]&lt;br&gt;
A perfect example of AI-caused loss of lives is Tesla's Autopilot, which has so far led to 467 crashes, 54 injuries and 14 deaths. This is according to NHTSA's updated findings.&lt;br&gt;
&lt;a href="https://www.pbs.org/newshour/nation/u-s-opens-new-investigation-into-teslas-full-self-driving-system-after-fatal-crash" rel="noopener noreferrer"&gt;Read the full PBS article on NHTSA's investigation&lt;/a&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  OWASP &amp;amp; AI
&lt;/h2&gt;

&lt;p&gt;According to the OWASP AI Testing Guide, human oversight is required to ensure the safety and security of any AI-based product or solution. This is implemented by having several human-in-the-loop checkpoints for any critical AI decisions, as well as proper monitoring and logging of any human intervention.&lt;/p&gt;

&lt;p&gt;In addition, there have been rising concerns of bias since LLMs can be biased depending on what training data they have been fed. This is why it must be ensured that LLMs are tested against bias. &lt;a href="https://owasp.org/www-project-top-ten-for-llm-applications/" rel="noopener noreferrer"&gt;Check OWASP Top 10 for LLM Applications&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Overconfidence Challenge
&lt;/h2&gt;

&lt;p&gt;Overconfidence in AI will remain one of the biggest challenges to address, since a lot of organizations jumped on the AI bandwagon without assessing the organization's AI maturity and without a structured governance framework and policies in place.&lt;/p&gt;

&lt;p&gt;AI models and LLMs do make mistakes and do have flaws, and over-reliance on AI, especially in sensitive situations, could lead to catastrophic consequences.&lt;/p&gt;

&lt;p&gt;While AI has definitely made it easier for malicious actors to compromise software, we should not forget that OWASP has a duty as well to prevent AI from being used in ways that may violate human rights or compromise human dignity.&lt;/p&gt;

&lt;p&gt;Will the EU AI Act address the long sought after answers?&lt;/p&gt;

&lt;p&gt;What do you think that we as cybersecurity practitioners can do to fill in the gaps and go above and beyond to prevent AI from ever being used in a way that could compromise safety and human life?&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>governance</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Why Platform Governance and Transparency Matter for Developers and Freelancers</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Sat, 23 May 2026 15:22:13 +0000</pubDate>
      <link>https://dev.to/mosbat/why-platform-governance-and-transparency-matter-for-developers-and-freelancers-39ap</link>
      <guid>https://dev.to/mosbat/why-platform-governance-and-transparency-matter-for-developers-and-freelancers-39ap</guid>
      <description>&lt;p&gt;In this post, I'm sharing my personal experience with Reddit's moderation and shadow bans, not as a personal grudge but as an example why Developers and Freelancers should pay attention to each platform's governance, moderation and transparency policies because when your visibility and reputation are tied to third party platforms, you want to assess the risks associated with those platforms to your professional presence and your ability to reach your audience.&lt;/p&gt;

&lt;p&gt;I left Reddit for many years and rarely engaged with it as a platform since it forced users to disable their VPN or sign up and share their data.&lt;/p&gt;

&lt;p&gt;One day, I wanted to give it another shot after seeing some interesting content. I signed up again and began participating in technical discussions.&lt;/p&gt;

&lt;p&gt;I kept posting from time to time absolutely and purely technical comments.&lt;/p&gt;

&lt;p&gt;I began to notice over time that my posts or comments were not getting views or replies at all. While this doesn't bother me that much, I found after a couple of weeks that all my posts had 1 view. This situation raised my suspicion, so I began doing research on the matter.&lt;/p&gt;

&lt;p&gt;Lo and behold, I realized that I was actually shadow banned and there was no warning, no violations, nothing... I was not using bots or VPN or anything out of the ordinary.&lt;/p&gt;

&lt;p&gt;I learned later after doing further research that moderators can easily trigger Reddit's auto ban system by reporting someone even if there is no reason.&lt;/p&gt;

&lt;p&gt;Now, the question is, why would someone go out of their way to report my account specifically? Yep, you guessed it! In practice, there’s no way to know; Reddit provides no transparency about who reported you or why, which leaves users guessing whether they did something wrong or not.&lt;/p&gt;

&lt;p&gt;Imagine that every time you want to post something, you need to go through each subreddit's "Rules" and also Reddit's own policies and terms which are enforced inconsistently; this often feels like a legal exercise.&lt;/p&gt;

&lt;p&gt;On Reddit, in some cases, you can post inflammatory content and get little to no moderation, but my neutral technical posts were hidden.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm2njwuvb0mcrwpq74wb1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm2njwuvb0mcrwpq74wb1.png" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Despite the fact that Reddit has an "Appeal" system, the time it takes Reddit to review your appeal can take anywhere from 1 week to several months; at the same time, if you create a new account, you risk getting banned again for having an alternative account.&lt;/p&gt;

&lt;p&gt;Reddit's ban system is a perfect example of a failed distributed moderation system where a moderator can ban your whole account because they dislike your presence or disagree with your opinion.&lt;/p&gt;

&lt;p&gt;Reddit relies heavily on volunteers to moderate posts or comments, and they are often overworked and burnt out. &lt;/p&gt;

&lt;p&gt;At the same time, Reddit laid off around 5% of their workforce in recent years.&lt;/p&gt;

&lt;p&gt;Reddit's system is unique and bizarre in a bad way: on one hand, moderators can flag your entire account for bans, not just within their own subreddit; on the other hand, Reddit claims that the system is fair, distributed and decentralized.&lt;/p&gt;

&lt;p&gt;While Reddit's moderation and ban policies can be broken, this is not unique to Reddit as other large tech platforms like LinkedIn, Facebook (Meta), Twitter (X) and others also have poor user experience when it comes to moderation; this made me more cautious about relying on a single platform for visibility or professional networking.&lt;/p&gt;

&lt;p&gt;Lessons learned:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Don't treat big platforms as neutral parties; they are private companies with opaque policies and guidelines.&lt;/li&gt;
&lt;li&gt;Don't put all your eggs in one basket. Diversify your presence to multiple platforms and don't be scared to try new ones.&lt;/li&gt;
&lt;li&gt;As a rule of thumb, if your content can be hidden or removed by someone other than you, treat the platform as an amplifier rather than your primary go-to place to gain visibility.&lt;/li&gt;
&lt;li&gt;Obtain your own domain, learn how to build your own site (easy with AI for people who don't like frontend).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;As a cloud and security consultant, I now treat every hosted platform as a temporary amplifier, not a permanent foundation for my professional presence.&lt;/p&gt;

&lt;p&gt;Disclaimer:&lt;br&gt;
This is based on my personal experience on Reddit and reflects my subjective view of its moderation and appeal processes, not a legal or technical audit of the platform.&lt;/p&gt;

</description>
      <category>reddit</category>
      <category>socialmedia</category>
      <category>security</category>
      <category>discuss</category>
    </item>
    <item>
      <title>Diversity and Inclusion Are Officially Dead in Tech</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Wed, 04 Mar 2026 04:22:47 +0000</pubDate>
      <link>https://dev.to/mosbat/diversity-and-inclusion-are-officially-dead-in-tech-1p4a</link>
      <guid>https://dev.to/mosbat/diversity-and-inclusion-are-officially-dead-in-tech-1p4a</guid>
      <description>&lt;p&gt;According to a study by Edward J.W. Park, published in 1999 in Qualitative Sociology, the tech industry has always had a problem with racism where white candidates always received more favorable treatment.&lt;/p&gt;

&lt;p&gt;If you are a person of color or identify as non-white, you will learn in this article about the sad trajectory that tech is going and potential solutions. If you felt imposter syndrome by countless rejections, this article might help you feel better. Please note that while rejections due to discrimination are real, it's not always the case and there could be many more factors that come into play such as market saturation, skills gap or simply vacancies being canceled or frozen.&lt;/p&gt;

&lt;p&gt;If you identify as white and this topic resonates with you, you'll learn how to hold your peers accountable for discrimination and recognize stereotypes and biases. I will not shy away from using the term "White" because I have a strong belief that white privilege does exist and have seen it throughout the years globally.&lt;/p&gt;

&lt;p&gt;A few years ago, there was a serious attempt for the first time ever by corporations to be more diverse and inclusive by implementing DEI programs. While these programs were far from perfect, they enabled more people of color to get a fair chance and to grow.&lt;/p&gt;

&lt;p&gt;Last year, unfortunately, many corporations, especially in the US, rolled back all their DEI programs citing financial reasons without offering any meaningful alternatives.&lt;/p&gt;

&lt;p&gt;There is a strong narrative among the majority in Western nations that people of color had been given opportunities not based on merits but based on quotas. According to a &lt;a href="https://pmc.ncbi.nlm.nih.gov/articles/PMC9047608/" rel="noopener noreferrer"&gt;study&lt;/a&gt;, this narrative doesn't hold merit and instead appeals to confirmation bias.&lt;/p&gt;

&lt;p&gt;If you're a minority or person of color, and you suddenly notice that organizations have become toxic or you're being treated unfairly, you are not imagining it. Between mass layoffs, market panic and also reversal of DEI programs, what you experience is how things used to be before DEI towards minorities and people of color including women who have always struggled to get fair opportunities in tech.&lt;/p&gt;

&lt;p&gt;The problem becomes even more pronounced the more senior you become because unless you fit their stereotype of low-skilled labor, you'll face huge resistance and lots of rejections, especially in organizations where leadership has a severe lack of diversity.&lt;/p&gt;

&lt;p&gt;If you go to LinkedIn and browse through the people in leadership positions in most tech companies, especially in Western countries, you'll rarely find minorities or people of color in leadership positions. Unfortunately, I do not have the data, but based on general trends and my own observations, I concluded this as the reality.&lt;/p&gt;

&lt;p&gt;If you are a minority or person of color, you'll always be held to much higher standards for the same role that a white applicant got in just a 1-hour interview with low effort.&lt;/p&gt;

&lt;p&gt;There is nothing wrong with you, the problem has more to do with the hiring managers and recruiters who have untreated biases; you may ask, why would they bother calling you if they perceive you as low skilled?&lt;/p&gt;

&lt;p&gt;If you look at the callback rates, they are actually much lower compared to white applicants in the market. Those who called you did so because they want to seem fair but without disclosing the fact that they're exercising a double standard (which is illegal in most states). This helps them reject your job application without feeling guilty. At the same time, they do this sometimes to protect themselves legally. The whole interview process for you is about building a case to reject your job application.&lt;/p&gt;

&lt;p&gt;For me, for instance, when I used to get a rejection, I used to ask for feedback, and many times the feedback seemed to be either untrue or made up. There were genuine cases where the hiring manager had very high standards for the role, but most of the feedback I received was subjective and projected certain stereotypes that are not based on objective factors.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What's The Solution?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Honestly speaking, unless we see DEI coming back with more energy and more effort, I'd recommend that you seek self-employment and be extra cautious and selective about companies you'd like to work with. Ideally, via networking and making connections, you might meet a hiring manager or client who is like-minded or with whom you have a positive rapport or relationship.&lt;/p&gt;

&lt;p&gt;You have a better chance landing projects as a freelancer than finding an employer who will give you fair treatment without DEI.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Consequences Are Severe for Western Tech&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The tech industry, especially in Western countries, still has a long way to go to address all of those challenges and create a fairer and more equitable workplace environment that is blind to skin color, nationality or biases. Western companies are expected to struggle in the long term if those issues remain unresolved or if policy makers won't create policies that are enforced and hold people accountable for not following them or abusing them.&lt;/p&gt;

&lt;p&gt;According to a &lt;a href="https://www.journals.uchicago.edu/doi/10.1086/719250" rel="noopener noreferrer"&gt;Chicago University study&lt;/a&gt;, talent misallocation has led to a cost of $16 trillion and a loss of roughly 6 million jobs over 20 years. &lt;a href="https://assets.publishing.service.gov.uk/media/6853ec1fa3a28280485814fc/diversity-in-uk-tech.pdf" rel="noopener noreferrer"&gt;Another study in 2024&lt;/a&gt; concluded that homogeneous teams are 66% less likely to outperform and that persistent bias exacerbates a skills gap that is costing the UK economy GBP 63 billion per year; this is even more pronounced in AI/cybersecurity fields.&lt;/p&gt;

&lt;p&gt;Racism and discrimination not only hurt minorities and people of color but also have long-lasting negative consequences for the entire economy if left unaddressed.&lt;/p&gt;

&lt;p&gt;Will policy makers and corporations recognize the threat of bias and create meaningful enforceable frameworks or will talents find opportunities elsewhere?&lt;/p&gt;

&lt;p&gt;What are your thoughts?&lt;/p&gt;

</description>
      <category>career</category>
      <category>hiring</category>
      <category>inclusion</category>
      <category>workplace</category>
    </item>
    <item>
      <title>Why Software Developers/Engineers Don’t Matter Anymore</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Sun, 28 Sep 2025 13:44:34 +0000</pubDate>
      <link>https://dev.to/mosbat/why-software-developersengineers-dont-matter-anymore-j1p</link>
      <guid>https://dev.to/mosbat/why-software-developersengineers-dont-matter-anymore-j1p</guid>
      <description>&lt;p&gt;Many Devs today share the sentiment that it doesn't matter anymore how well you write code or how well you can iterate a binary tree. This has become especially true with all the AI autocomplete tools made by AI developers.&lt;/p&gt;

&lt;p&gt;It seems as if AI developers put all their strength into replacing us instead of solving real-world problems. After all, how else could they market or sell their products to the greedy CEOs and investment bankers?&lt;/p&gt;

&lt;p&gt;I spent a good several months doing research on the topic and figuring out how far the autocomplete tools have effectively made many roles redundant.&lt;/p&gt;

&lt;p&gt;Do not buy the lie that those tools were made to help us be more efficient. It is all about paying lower wages and hiring fewer people since machines and robots don't complain and can work faster than us.&lt;/p&gt;

&lt;p&gt;At the same time, there is a clear narrative being pushed indirectly by AI Developers that AGI is coming soon and that we humans are no longer needed. All of this to boost the stock prices but without real substance or value.&lt;/p&gt;

&lt;p&gt;While we cannot underestimate the impact of the autocomplete tools made by AI Developers, we need to understand what AI actually can and cannot do.&lt;/p&gt;

&lt;h2&gt;
  
  
  AI's Fatal Flaw Scientifically
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpncpzsykgztc7dyq8kji.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpncpzsykgztc7dyq8kji.png" alt=" " width="794" height="720"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;What we call AI today is nothing more than pattern recognition combined with math aimed at predicting or giving the likelihood of an input matching a certain category, which depends on an LLM (Large Language Model).&lt;/p&gt;

&lt;p&gt;Understanding that AI is about statistical models and math helps you understand that AI will never be able to deal with unique or new problems (which are almost infinite).&lt;/p&gt;

&lt;p&gt;No matter how much money AI Developers will throw to market their Sci-fi themed autocomplete, it is not going to change science.&lt;/p&gt;

&lt;p&gt;If your Self Driving car saw a human dressed up on Halloween, is it going to understand that this is a human if it wasn't explicitly trained for this specific scenario? &lt;/p&gt;

&lt;p&gt;You begin to understand that AI is only good at dealing with problems involving pattern recognition given specific data, or highly repetitive tasks such as chatbots for common customer service problems. Even with this, the implementing organization still needs to train AI to handle its specific problem domains, which also costs money.&lt;/p&gt;

&lt;h2&gt;
  
  
  Still, Autocomplete Tools Wrecked Software Development
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpi84e9lv988k8a8ki77j.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpi84e9lv988k8a8ki77j.jpg" alt=" " width="600" height="360"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Several factors have impacted Devs' lives very negatively as a result of the tools and the way capitalism works.&lt;/p&gt;

&lt;p&gt;The IT labor market was based on a pre-AI market where you needed lots of coders to write the software pieces and put them together or integrate them with other tools. This required a huge number of Developers who were good at writing sound clean code.&lt;/p&gt;

&lt;p&gt;The post-AI market and supply/demand macroeconomics now made it unnecessary to hire as many Developers as in the past.&lt;/p&gt;

&lt;p&gt;It is very logical that corporations will seek efficiency. If you hire a few Developers who know how to use AI tools to generate all the boilerplate code, why do you need to hire coders if just 1 or 2 Devs will suffice?&lt;/p&gt;

&lt;p&gt;The real problem arose from corporations silently adopting AI autocomplete tools without informing the public of such changes in advance. Otherwise, the number of Computer Science graduates would have been far lower, as people would have begun to seek other fields that are less saturated.&lt;/p&gt;

&lt;p&gt;The current dynamics hurt both Senior and Junior Devs permanently, and the next decade will be full of pain for a lot of us as we try to adapt to the new reality and reskill to seek roles that are less impacted by AI.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Not Focus On System Design and Architecture?
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbi4xhelq5srx2hkpzuz6.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbi4xhelq5srx2hkpzuz6.jpg" alt=" " width="800" height="420"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you are thinking this way (which companies are now pressuring us to do in job interviews), you are not wrong. However, you are still missing the point.&lt;/p&gt;

&lt;p&gt;How many software architects do you actually need? Yes, you don't need 200 Devs who are good at SD.&lt;/p&gt;

&lt;h2&gt;
  
  
  Even Software Architects Won't Survive The Purge
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx51lltzlcz6sjin7vrqn.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx51lltzlcz6sjin7vrqn.jpg" alt=" " width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As those who wanted to be coders are now suddenly adapting to the increased focus on architecture and design, the architect role is under real threat, as all the SWEs are now deeply learning SD and architecture.&lt;/p&gt;

&lt;p&gt;This means that those who studied architecture and got paid a decent wage, despite demand that was already low, are now going to be buried even deeper under the rubble.&lt;/p&gt;

&lt;h2&gt;
  
  
  Mass Layoffs Aftermath
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nh1k70nxz722eeafxui.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4nh1k70nxz722eeafxui.jpg" alt=" " width="799" height="534"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Another significant factor that will ruin SWE careers is that the market demand for SWEs was highly influenced by big tech players who were already highly picky and selective in their recruitment processes.&lt;/p&gt;

&lt;p&gt;As 10s of thousands of highly qualified SWEs are laid off and struggling to find jobs, the market has become even more competitive than before. &lt;/p&gt;

&lt;p&gt;So even for companies that are still hiring Devs, it is normal to expect them now to post all roles as "Senior ..." since they can now afford to be more picky and selective.&lt;/p&gt;

&lt;p&gt;So when you are applying as a Frontend Dev to your local coffee shop, you are competing with ex-big tech Devs who are highly qualified and got exposed to big technologies (even if they are less likely to use them in startups).&lt;/p&gt;

&lt;h2&gt;
  
  
  SWE Job Interviews Torture Candidates Without Real Purpose
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcbiyd694b32tidt7gi1z.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcbiyd694b32tidt7gi1z.jpg" alt=" " width="800" height="534"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Your local coffee shop startup will have Devs who are still stuck on the big tech hiring practices; they will ask you questions even if you have tons of experience and tons of certifications.&lt;/p&gt;

&lt;p&gt;The practice of whiteboard testing should truly be abolished for Senior Devs, especially if you have certifications for the skills that they care about. Unfortunately, the industry is still stuck on over-scrutinizing candidates and dwelling on their cultural fit just to write a bunch of if statements and for loops.&lt;/p&gt;

&lt;p&gt;Today, expect this to get even worse than before because whoever is now in a hiring position can afford to be selective and picky, test and re-test, and project their ego with full force regardless of your level of skill.&lt;/p&gt;

&lt;p&gt;In the past, it was possible for Senior Devs to push back against assessments that come across as disrespectful, especially for highly experienced and qualified candidates. Now it's impossible because we have a broken market where Devs are still stuck on big tech hiring practices for a local coffee shop startup and there is a huge influx of available candidates (laid off by big tech).&lt;/p&gt;

&lt;h2&gt;
  
  
  “AI Hype” Is Not a Hype
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffumu6qaoz5et0hqhlqa7.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffumu6qaoz5et0hqhlqa7.jpg" alt=" " width="736" height="552"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A lot of people are saying that it's a hype including Devs. This is nothing more than wishful thinking. It is naive to ignore what the autocomplete AI tools have achieved so far.&lt;/p&gt;

&lt;p&gt;AI IS NOT A HYPE.&lt;/p&gt;

&lt;p&gt;If you want to survive, you need to look for skills that cannot be automated. &lt;/p&gt;

&lt;p&gt;A balanced approach is to instead focus on how to retrain yourself to focus on roles that are in high demand and cannot be automated.&lt;/p&gt;

&lt;p&gt;Have AI Developers exaggerated? Absolutely, this has been confirmed by recent research. However, this doesn't mean we can ignore what these autocomplete tools have been able to achieve.&lt;/p&gt;

&lt;p&gt;The CEOs and investment bankers don't care about our opinions. They care about the bottom line and how much less can be spent on wages for human labor.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the Future Looks Like and Is There Hope?
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn3zo34yu8ooy8ryrm1iz.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn3zo34yu8ooy8ryrm1iz.jpg" alt=" " width="320" height="212"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The future is something you define for yourself. If you are still looking for the cozy and comfortable job, Software Development is no longer that job. You are now no different from account executives in a company just doing paperwork and getting paid to survive.&lt;/p&gt;

&lt;p&gt;You are now easy to replace with cheap and more skilled labor.&lt;/p&gt;

&lt;p&gt;Do not get distracted by the "New" requirements of SWE. It's now a race to the bottom as 100s of thousands of Devs are going down that rabbit hole.&lt;/p&gt;

&lt;p&gt;Creativity and problem solving are vague terms used loosely by companies' PR to make themselves look nice despite laying off 1000s of people who had families to feed without even a chance to re-skill or change roles.&lt;/p&gt;

&lt;p&gt;Focus on roles in the industry where automation doesn't work or that have everyday unique problems that no AI can learn or recognize.&lt;/p&gt;

&lt;p&gt;Which ones? I'm not going to tell you any specific role because that's the problem today with media. You need to do your research and figure it out on your own.&lt;/p&gt;

</description>
      <category>programming</category>
      <category>ai</category>
      <category>career</category>
    </item>
    <item>
      <title>YOU MUST READ THIS! Call to Action! Against Weaponisation of AI</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Fri, 21 Feb 2025 13:06:58 +0000</pubDate>
      <link>https://dev.to/mosbat/you-must-read-this-call-to-action-against-weaponisation-of-ai-3969</link>
      <guid>https://dev.to/mosbat/you-must-read-this-call-to-action-against-weaponisation-of-ai-3969</guid>
      <description>&lt;p&gt;We have recently witnessed many damning reports by several investigative journalists about several big tech companies, including &lt;strong&gt;Amazon, Google&lt;/strong&gt;, having military contracts where their AI models are being used by certain state militaries around the globe.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Threat
&lt;/h3&gt;

&lt;p&gt;This is a very big and dangerous threat to humanity on a global scale and it is our duty as Devs to say No to weaponisation of AI.&lt;/p&gt;

&lt;p&gt;We as Devs must work together to stop this madness before it goes out of hand. This is a huge threat to all humanity and must be stopped.&lt;/p&gt;

&lt;p&gt;To understand the solution, we must understand the problem. Big tech companies leverage data they mined over decades on the internet, either directly or indirectly, to build their LLM models. Then they try to customize the models in certain contexts to make them usable by the military. However, this task probably does require a bit of effort on their end depending on the data collected. While their data scientists can filter out the ethical and moral constraints that might prevent AI from accepting prompts that are harmful or violent, they still need a lot of processing power to make the LLM suitable for military use.&lt;/p&gt;

&lt;h3&gt;
  
  
  The solution:
&lt;/h3&gt;

&lt;p&gt;One way we as Devs can make it difficult for them to use LLMs for military use is to feed the internet as much anti-war data as possible by publishing a massive number of texts all over the internet against war and against prompts that can be used for military purposes.&lt;/p&gt;

&lt;p&gt;This will make it near impossible with the current technology to use the LLMs for war. &lt;/p&gt;

&lt;p&gt;Think of the LLM as a growing organism, we can manipulate it to prevent it from accepting or understanding certain content or even teach it to be against such content.&lt;/p&gt;

&lt;p&gt;This might require a lot of help and resources to override the internet and make it difficult for companies to use LLMs for military.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;em&gt;This is a call to action. If you are not scared enough, then you're probably sleeping. This is not about conflicts or wars, this is about humanity. We can't allow AI to be used for war.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>ai</category>
    </item>
    <item>
      <title>Why Test Driven Development</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Mon, 30 Dec 2024 21:18:09 +0000</pubDate>
      <link>https://dev.to/mosbat/why-test-driven-development-573d</link>
      <guid>https://dev.to/mosbat/why-test-driven-development-573d</guid>
      <description>&lt;p&gt;Many Devs I worked with in the past do not like writing the unit tests in advance. They would rather finish writing the function quickly and worry about testing later.&lt;/p&gt;

&lt;p&gt;I only learned the hard way when working on my hobby projects, why TDD is a game changer.&lt;/p&gt;

&lt;p&gt;Writing unit tests or integration tests not only helps you spot bugs early on, but also enables you to strictly follow the acceptance criteria for the features or assert the expected behavior in case you're fixing a bug.&lt;/p&gt;

&lt;p&gt;More often than not, the requirements aren't fully clear at the beginning of the project or in its early phases. As you go further in the development process, changes happen very quickly; but you don't want your functions to behave as they please, do you?&lt;/p&gt;

&lt;p&gt;When you write the unit tests, it helps you understand what changes need to be made without having to rewrite everything from scratch. This doesn't mean that the unit tests will cover every edge case. You'd still have to figure out what the edge cases are and add unit tests for them once you've confirmed the expected behavior of your application for those specific edge cases.&lt;/p&gt;

&lt;p&gt;Just to inspire you, I got a simple scenario from ChatGPT on how notoriously hard it is to catch bugs without unit tests:&lt;/p&gt;

&lt;p&gt;Imagine we have the following function:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;public class ShoppingCart {
    public double calculateTotalPrice(double[] prices, double discountThreshold, double discount) {
        double total = 0.0;

        // Sum up the prices
        for (double price : prices) {
            total += price;
        }

        // Apply discount if total is above threshold
        if (total &amp;gt; discountThreshold) {
            total -= total * discount;
        }

        return total;
    }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now imagine we were asked to calculate the discount based on the rounded total instead of the total we had in the original function:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;
public class ShoppingCart {
    public double calculateTotalPrice(double[] prices, double discountThreshold, double discount) {
        double total = 0.0;

        // Sum up the prices
        for (double price : prices) {
            total += price;
        }

        // Apply discount based on rounded total
        if (total &amp;gt; discountThreshold) {
            total = Math.round(total * 100.0) / 100.0;  // Round to 2 decimal places before applying discount
            total -= total * discount;
        }

        return total;
    }
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Even though the rounding change might have seemed small, it introduces several edge cases that we didn't account for, such as the situation when we are rounding values that won't hit 100.&lt;/p&gt;

&lt;p&gt;From the initial phase, everything seems fine; but if you run this in production, you'll begin getting complaints pretty soon!&lt;/p&gt;

&lt;p&gt;Those errors or problems can be caught early on if you have some unit tests:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;

public class ShoppingCartTest {

    @Test
    public void testCalculateTotalPriceWithDiscount() {
        ShoppingCart cart = new ShoppingCart();

        // Test case where the discount should be applied
        double[] prices = {50.0, 60.0};
        double discountThreshold = 100.0;
        double discount = 0.1;  // 10% discount

        double expected = (50.0 + 60.0) - (50.0 + 60.0) * 0.1;
        double actual = cart.calculateTotalPrice(prices, discountThreshold, discount);

        assertEquals(expected, actual, 0.01);  // Tolerance for floating-point comparisons
    }

    @Test
    public void testCalculateTotalPriceNoDiscount() {
        ShoppingCart cart = new ShoppingCart();

        // Test case where the discount should NOT be applied
        double[] prices = {30.0, 40.0};
        double discountThreshold = 100.0;
        double discount = 0.1;

        double expected = 30.0 + 40.0;  // No discount applied
        double actual = cart.calculateTotalPrice(prices, discountThreshold, discount);

        assertEquals(expected, actual, 0.01);  // Tolerance for floating-point comparisons
    }
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;As your application keeps growing, you'll run into more edge cases depending on the complexity of the application and components' dependencies on each other. &lt;/p&gt;

&lt;p&gt;To guarantee that your application is running as intended, you'd have to always work hard on writing as many unit tests as possible to catch errors or problems early on.&lt;/p&gt;

&lt;p&gt;Worst case scenario, a unit test fails after you make a change and you have to go back to your product owner to further discuss what needs to be done. Even then, it's still better than receiving complaints about wrong or missing discounts from your customer!&lt;/p&gt;

</description>
      <category>tdd</category>
      <category>unittests</category>
      <category>development</category>
      <category>bestpractices</category>
    </item>
    <item>
      <title>Top 5 Things Devs Overlook When Joining a New Company/Team</title>
      <dc:creator>mosbat</dc:creator>
      <pubDate>Fri, 27 Dec 2024 18:10:28 +0000</pubDate>
      <link>https://dev.to/mosbat/top-5-things-devs-overlook-when-joining-a-new-companyteam-564j</link>
      <guid>https://dev.to/mosbat/top-5-things-devs-overlook-when-joining-a-new-companyteam-564j</guid>
      <description>&lt;p&gt;You may be excited about getting a job offer in this terrible job market. However, there are key things to consider before quitting your current job, as the new offer might not be as good as it seems. Below are the top 5 things that hiring managers and recruiters won't talk about.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Disclaimer:&lt;br&gt;
None of the issues I'm mentioning below are related to any people I'm working with at the current moment.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  1- "Diversity, Equality and Inclusion", but we don't actually believe in it
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx9pq5ronx5vkkgbx292e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx9pq5ronx5vkkgbx292e.png" alt=" " width="400" height="296"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You may wonder why I put this at the top since we have been hearing companies telling us that they are DEI for many years.&lt;/p&gt;

&lt;p&gt;15 years ago, when I used to search for jobs, companies used similar terms such as "EOE", which meant Equal Opportunity Employer. Unfortunately, what hasn't changed is the fact that companies still use those terms as marketing labels without actually implementing or enforcing them in their hiring process and employees' conduct on the job.&lt;/p&gt;

&lt;p&gt;A friend of mine joined a company that claimed to be DEI, but he was not only discriminated against, bullied and harassed; on top of that, they forced him to quit when he raised the issue with HR (HR are not your friends).&lt;/p&gt;

&lt;p&gt;So if you're a minority, you would want to assess to what extent the organization you're joining is actually minority-friendly.&lt;/p&gt;

&lt;p&gt;You can ask the following questions during the job interview. If the hiring manager dodges the questions, changes the topic or doesn't address them well, it's a red flag:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Can you give me examples of how your company implements diversity, equality and inclusion policies?&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Does your policy explicitly state that racism, xenophobia, homophobia, etc. are forbidden and punishable?&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Can you give me an example of how your company handles harassment, bullying or discriminatory behavior?&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;How many of the senior managers are of different nationalities or have diverse backgrounds?&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;How many of the team members are of diverse backgrounds?&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Even if you're not a minority, you should still take the above questions seriously because if the above questions aren't answered properly, it means that the workplace will be toxic even to you.&lt;/p&gt;




&lt;h2&gt;
  
  
  2- "We treat each other like family", but we will fire you eventually
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwuj2zg9036isznfwjyh0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwuj2zg9036isznfwjyh0.png" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is one of the most difficult topics that the employers and their HR are not willing to talk about or tell you.&lt;/p&gt;

&lt;p&gt;Many companies have a very high turnover rate because they fire employees for the smallest reasons. This is especially true if those in charge have an authoritarian management style or are moody, disorganized managers. Disorganized management is a different topic from a biased manager or a manager who doesn't like you for personal reasons.&lt;/p&gt;

&lt;p&gt;A company with a high turnover rate is undesirable to most people because of several factors:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Unrealistic expectations.&lt;/li&gt;
&lt;li&gt;They want to look good to their managers by firing employees as cost reduction.&lt;/li&gt;
&lt;li&gt;Focus on finding better candidates for the same salary instead of focusing on growing their existing employees.&lt;/li&gt;
&lt;li&gt;Company is financially unstable.&lt;/li&gt;
&lt;li&gt;Senior management constantly changing or getting replaced.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;There are many other factors that could lead to a high turnover rate but obviously, what's the point of signing a contract and spending another year looking for a new job?!&lt;/p&gt;

&lt;p&gt;One extremely important thing you need to ask about is whether you're replacing someone. If this is the case, it means either that they are going to fire an existing employee or that the job wasn't that interesting, so the previous Dev/Employee left.&lt;/p&gt;




&lt;h2&gt;
  
  
  3- "We are looking for an autonomous Engineer", but we suffer from OCD and trust issues
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzwd9885z8u8bgw9keynj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzwd9885z8u8bgw9keynj.png" alt=" " width="800" height="501"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This one is very common: they claim that they're looking for an autonomous Engineer, but in reality there will be someone watching you all the time and questioning why a task took 1 day more than usual.&lt;/p&gt;

&lt;p&gt;Unfortunately, it's very hard to determine whether or not there is a micromanagement culture before joining the company, because obviously they don't like to talk about it; this might also be related to unrealistic expectations on the employer's side.&lt;/p&gt;

&lt;p&gt;If your manager is redoing your code shortly after you've written it without a good reason, it indicates many issues, including but not limited to micromanagement and mistrust. This could happen especially if the manager wasn't involved in the hiring process.&lt;/p&gt;

&lt;p&gt;You truly don't want to work with a team or company that doesn't trust its own employees and isn't willing to let them make mistakes, because a good manager/company doesn't care about the mistake but rather cares more about how you try to handle the mistake responsibly.&lt;/p&gt;

&lt;p&gt;You can try to ask the manager, for example, "You said that you're looking for someone who could work independently, can you give me examples of how you facilitate this?". If they give you vague or unclear answers, it means that they have a micromanagement culture.&lt;/p&gt;




&lt;h2&gt;
  
  
  4- "We follow Scrum principles", but our favorite employee can do 20 story points every sprint and everyone else is doing boring uninteresting tasks.
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbhcvjsjfkavssajtqt3w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbhcvjsjfkavssajtqt3w.png" alt=" " width="500" height="400"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is unfortunately a prevalent issue where they don't truly implement the Scrum framework, so you end up in a situation where a few favorite people are given an excessive amount of work and claim all the awards, while others are underloaded or given boring, uninteresting tasks.&lt;/p&gt;

&lt;p&gt;This one might be easier to figure out. You can ask them, for example:&lt;br&gt;
"Can you give me an example of how you distribute the work/tasks?". While Scrum is not strict on how it's implemented, use your own judgement to determine whether or not they are really distributing the tasks fairly.&lt;/p&gt;




&lt;h2&gt;
  
  
  5- "We have work-life balance", but you have to get up at 7 AM to the factory b***!
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mgnxdl84tuoujwzh9ao.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2mgnxdl84tuoujwzh9ao.png" alt=" " width="479" height="351"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you worked with big tech, this may have never been an issue, since big tech companies truly sorted out this question a long time ago by addressing the difference between an intellectual, creative job and an assembly-line factory role.&lt;/p&gt;

&lt;p&gt;Unfortunately, lots of companies don't truly think this way. If the managers are boomers, there is a high chance that they are still wearing their factory boots to write their C-based application.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftn898wzjs04c7r6v8vea.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftn898wzjs04c7r6v8vea.png" alt=" " width="600" height="471"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;You need to ask about this early on. A good company will have a clear on-call scheme that is well defined as certain hours during which you need to be available, instead of asking you to be at your desk 9-5.&lt;/p&gt;

&lt;p&gt;Good companies don't care whether you're at your desk but care about you coming to meetings, finishing your tasks during the sprint and communicating any blockers clearly and promptly.&lt;/p&gt;

&lt;p&gt;If the company has a culture where everyone is expected to be behind their desk 9-5, it indicates again that they have an authoritarian work style and potentially office politics.&lt;/p&gt;




&lt;p&gt;Unfortunately, many companies still don't try to fix all of those issues or address them properly. Most people who are affected by the above issues are also minorities, since even when hired, they are still treated with double standards depending on the company or team they're working with.&lt;/p&gt;

&lt;p&gt;Before the interview, you may ask for a copy of the company's employee handbook, which should address all of the above issues. If the company doesn't have an employee handbook, it's a big red flag.&lt;/p&gt;

&lt;p&gt;You need to be very careful before signing a contract and perform your due diligence. Ask all of the questions; if they become dodgy or don't like it that you're asking those questions, it's also a red flag.&lt;/p&gt;

&lt;p&gt;At the end of the day, your mental health and well-being are the most important things, and you should never ignore them.&lt;/p&gt;

&lt;p&gt;While even good companies may have some of the problems above, the degree to which they have them will differ. Some will be severe and others will be mild. What really matters is whether you're feeling satisfied and fulfilled.&lt;/p&gt;

&lt;p&gt;If you have other points or you'd like to mention similar experiences, please comment!&lt;/p&gt;

</description>
      <category>career</category>
      <category>hiring</category>
      <category>workplace</category>
    </item>
  </channel>
</rss>
