One hopes not as this stuff would have come up in even a cursory audit of the product - but it’s kinda like Ratings Agencies / Moody’s in 2008 right now until a big breach that occurs post-cert and they lose their credibility.
The number of FISMA-HIGH, ATO’d/RMF’d, security audited government systems I’ve seen with equivalent security issues is…substantially nonzero.
I have come to believe that most security audits, even ones conducted through widely-reputed groups or under strict standards, are much worse than useless.
Audits are a thing that can theoretically be done well/in a value-adding way, but rarely are, for the same reasons that most private-sector security teams I’ve worked with are effective only at generating internal badwill, and ineffective at increasing security above a very low baseline.
I've been trying to figure out what exactly our IT Security Team does. Because all they seem to do is create stupid impediments that actually push people into making workarounds that make everything less secure.
For example, they won't create for me an MS Entra ID App Registration for our internal project Because Security Reasons (they literally won't tell me why). So instead, I use Integrated Windows Authentication, which is about as secure as a hotel bar patron charging to "his" room.
They are insisting everyone start RDPing into a VM in Azure to do development work. Won't be able to get to the new source control system without it. Old system is losing its license, etc, etc. Oh, but the new system is not approved for storing CUI. So... what the actual fuck are our AFSIM developers supposed to do?
These VMs are 1/4 the hardware specs of my laptop in almost every dimension, yet still somehow cost 50% more to rent per year than the entire purchase price of my laptop. Plus they are timesharing us in them, 4 developers per VM. It's not like we live in majorly different timezones. We're either all going to be on from 9am - 5pm EST or we're not.
Within these VMs, I have absolutely zero ability to install any software or modify any settings. Even the god damn clock is set to GMT+0 and I can't change it to local time. Sure would be nice if the most visible clock in my visual field accurately portrayed the current time when I have the RDP session running full screen, which is basically the only way to run it without wanting to hammer drill my brains out.
I have heard rumors that a lot of the other developers have started working from their personal devices, because otherwise they are at a complete work stoppage on their work computers due to the cockamamie IT setup. So congratulations, IT Security Team. Good job.
I still want to know why--when we're wanting to run services like Document Intelligence and Azure OpenAI in Azure GCC High, a FedRAMP-High approved environment with these services claiming DoD Impact Level 5 compliance--our IT Security department thinks that can't be used for CUI. They say we need to spend 2 years and $2 million doing some kind of review of Azure itself before it can be approved for CUI. Uhm, no? If it needs that, why would we spend that money and time? Why wouldn't Microsoft be the one to do that?
> I still want to know why--when we're wanting to run services like Document Intelligence and Azure OpenAI in Azure GCC High, a FedRAMP-High approved environment with these services claiming DoD Impact Level 5 compliance--our IT Security department thinks that can't be used for CUI. They say we need to spend 2 years and $2 million doing some kind of review of Azure itself before it can be approved for CUI.
Don't you still have to get program-specific authorization for IL5?
I don't know. I've been a software engineer for 25 years, but this is my first DoD job in 20. We didn't have this when I was a junior developer and I don't have the time to learn about this particular part of the process.
We have plenty of program contracts that require IL5. I think you only need ATO to go to IL6 and above (which would be Secret and would require working in a SIPRNet connected network isolated from our corporate network). For just CUI data, I thought you didn't need special authorization.
What I really need is someone I can trust who can come in and tell me what we should be doing, because whatever our IT Security team is telling me sounds ludicrous. There are a whole host of problems with our IT systems that indicate to me that they don't really know what they are doing.
Edit: note, I'm not talking about certifying our own software for use with CUI. That's a ball of wax that our leadership has told us to defer until next year, since for this particular project we don't have any clients yet. I'm talking about our IT dept won't let us send CUI through existing, should-be-approved services in Azure GCC High right now, even from our laptops inside our CUI-approved corp network.
You need an ATO for any government software, not just IL6 and higher. What you're experiencing is cloud service providers only get a provisional ATO for their services. Full compliance with IL5 isolation requirements involves controls both on Microsoft's side and on your side. They have some rough documentation here (https://learn.microsoft.com/en-us/azure/compliance/offerings...) and here (https://learn.microsoft.com/en-us/azure/azure-government/doc...). If you can figure out what you need to do from reading that, well, you're better qualified than I am. It's complicated. I don't think this is on your IT team. The government makes this hard.
If you've been out of the game a while, things got significantly more difficult ten years ago around the time of the OPM breach. CMMC2 requirements got a lot stricter. The only bright side here is everyone is subject to the same bullshit, so you're not at any competitive disadvantage. I get how frustrating it is. We've all been there. But go easy on your own team. It's just as frustrating for them.
I work with a "global systems integrator" that has IT security policies so insane that it takes 1 to 2 months to onboard a developer and finally get their work laptop set up. Meanwhile, they are basically twiddling their thumbs getting billed out at ~$200/hour, unless they happen to have their own laptop. Some of them just stay working on their own laptops because it's so much more productive.
There have been a bunch. Did any auditor lose a license, credibility, or even a night's sleep? Even accountants aren't held to their standards, and they are supposed to guard the holiest of holiest: shareholder money.
If you sell something to someone and they do computer crimes, you're going to have to prove that you couldn't've known that they're a computer crimer.
It's the same thing with selling general offensive security tools. You have to proactively make it clear that it's for testing and not criminal use. Otherwise, cops are going to assume you're complicit and make things shitty.
Would be fascinated to know if this went through competitive procurement or if it was one of those Hegseth “let’s be lethal and ship broken shit to the warfighter” procurements.
I think they're both actually "We want to have this, but we don't want to pay too much for it just so a CEO can make 10,000x their workers and potentially ALSO still lose money."
How much of the money goes to CEO vs shareholders is something they can work out between themselves.
If the airline goes bankrupt, that just means that the creditors get less than they otherwise expected. That's something to haggle out between creditors and management and shareholders.
(Or do you want to imply that if the shareholders saved money on CEO compensation, they would give the money to ordinary workers?)
It JUST means that the creditors lose money? It doesn't stop the planes flying? It doesn't stop the humans and freight from being transported? The plane maintenance? The airport's budget isn't affected, the airline employees aren't affected?
It's funny how any time something comes along suggesting consumer choice should play a role in a market economy, these types of comments come along to suggest it's not their place.
There's no fundamental rule of a capitalist society that consumers have to make their choices out of a narrow selection of options provided by corporate oligarchies between the criteria they would prefer to compete on. As a customer, I can choose which airline I want based on whatever criteria I want. Maybe I pick it based on pay ratio between executives and average workers, maybe I pick it based on whichever has the font I like best on their homepage.
This seems like circling around the same problem: AI just misses things sometimes and the things it misses can end up being really important. If you don’t cross-check it, you’ll have a bad time.
I’ve used a couple of different skills libraries for this - most recently “super powers” which builds a detailed markdown plan and then uses TDD for most parts.
Not sure converting to YAML and running an app to track beats Linear tickets or a local cache or markdown if I’m honest but if it works for you and your process that’s great!
Mainly I don’t think everyone building their bespoke solution needs to try and create a product out of it. If it works for you, maybe good enough. Focus on your process before you worry about generalizing these days.
In addition to what folks are saying here about larger code bases and multiple features at once, there’s also the time requirement to be efficient. It takes time to be more efficient with token usage and it may not be worth it for some of these companies so… burn away until we start to get more data and then we’ll check in.
I feel this as well. I’m using these tools to be extremely productive and drive more customer value than ever in shorter timeframes (code. Shipped code and features end to end). But I’m not sure if that means I’ll be extremely valuable in six months, or if I’ll be obsolete when the tools improve enough and founders decide to outsource their thinking to them.
I guess we’ll all just need to be our own founders and grab as much value as possible before the revolution? Haha
As for org flattening: the org structure of most companies - even “cool” or “modern” ones is just gone now. Anything remaining is cultural inertia until money gets tight.
Outside of all of this you have to remember why we’re on this earth and it’s sure as hell not to serve AI or feel pressured to be in front of a screen and max everything.
If you’re productive take your breaks. Be human. Remember that the narrative is not the truth, and you’re doing good work.
You say that, but don’t you think at this point they actually believe some of the stuff they say about safety and the future of humanity? It’s tough in this day and age not to be overly cynical but they did draw a line in the sand at the DoD and that wasn’t for IPO numbers…
The US government in 2026 is openly and cravenly corrupt, and I don't believe anything at face value. The story about the targeting may be real and material, or backwards engineered to fit the reality. OpenAI is aligned with Larry Ellison and Oracle, and given the favor granted to them by the government, I'd look to that relationship first.
> LLMs are breakthrough technologies. The AI products we have today are SaaS products built by companies doing everything they can to find people who will pay for them. Very, very different things.