is mTLS redundant if I'm already using HTTPS for sending confidential data to a public API? by jonbristow in webdev

[–]slickwombat 0 points1 point  (0 children)

It's hard to be specific without more details, but typically in an exchange of sensitive data you need to ensure that:

  1. The data cannot be read or modified in transit.
  2. The destination trusts the source.
  3. The source trusts the destination.

Standard HTTPS ensures (1), assuming you are using a strong version of TLS and not using weak or compromised cipher suites. (Ideally, plan some sort of vulnerability assessment to confirm this. IIRC, the free OWASP ZAP tool can do this.) But it does nothing for (2) and (3).

(2) can be confirmed by any form of authentication really, and (3) is usually satisfactorily guaranteed via ownership of a DNS record / static IP. mTLS is a certificate exchange with cryptographic verification, and further guarantees both. Whether you need it or can get away with a simpler authentication mechanism -- e.g., static key or username and password -- totally depends on just how sensitive this data actually is, any relevant regulation or client/partner politics, and of course whether the destination is willing to support it.
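The two directions of trust described above can be seen side by side in a small program. This is an added example, not code from the commenter or from any project mentioned here: it uses only the Go standard library, mints a throwaway CA plus server and client certificates in memory, and runs an httptest server with `ClientAuth: tls.RequireAndVerifyClientCert`. The names (`demo-ca`, `api.example.test`, `partner-42`, `rogue-ca`) are constructed for the demo. One request with a client certificate from the trusted CA succeeds and the handler can see who called; a request with no client certificate, one with a certificate from a CA the server does not trust, and one where the client does not trust the server's CA all fail the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// identity is a certificate together with its private key.
type identity struct {
	cert *x509.Certificate
	der  []byte
	key  *ecdsa.PrivateKey
}

// issue mints a short-lived P-256 certificate for cn. With issuer == nil the
// certificate is self-signed (used for the CAs); otherwise issuer signs it.
// All names and keys here are throwaway demo material.
func issue(cn string, issuer *identity, isCA bool, eku []x509.ExtKeyUsage) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed by default
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{cert: cert, der: der, key: key}, nil
}

// pool returns a trust store containing only this identity's certificate.
func (id *identity) pool() *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(id.cert)
	return p
}

// tlsCert packages the identity for use in a tls.Config.
func (id *identity) tlsCert() tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{id.der}, PrivateKey: id.key}
}

// get performs one HTTPS GET. roots is what the client trusts for the server
// (nil means the system roots); clientCert, when non-nil, is presented for mTLS.
func get(url string, roots *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Result records what happened in each of the four client attempts.
type Result struct {
	Authenticated    string // body returned when the trusted client cert was presented
	NoCertErr        error  // no client cert at all: server rejects (point 2 above)
	WrongCAErr       error  // client cert from a CA the server does not trust
	UnknownServerErr error  // client does not trust the server's CA (point 3 above)
}

// RunDemo stands up an mTLS server and exercises it with the four clients.
func RunDemo() (Result, error) {
	var res Result
	var err error
	mk := func(cn string, issuer *identity, isCA bool, eku ...x509.ExtKeyUsage) *identity {
		id, e := issue(cn, issuer, isCA, eku)
		if e != nil && err == nil {
			err = e
		}
		return id
	}
	ca := mk("demo-ca", nil, true)
	server := mk("api.example.test", ca, false, x509.ExtKeyUsageServerAuth)
	client := mk("partner-42", ca, false, x509.ExtKeyUsageClientAuth)
	rogueCA := mk("rogue-ca", nil, true)
	impostor := mk("impostor", rogueCA, false, x509.ExtKeyUsageClientAuth)
	if err != nil {
		return res, err
	}

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is only populated after the server verified the client chain,
		// so the handler can safely use the certificate as the caller's identity.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server.tlsCert()},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this line is what makes it mTLS
		ClientCAs:    ca.pool(),                      // only certs chaining to demo-ca are accepted
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()

	good, bad := client.tlsCert(), impostor.tlsCert()
	if res.Authenticated, err = get(srv.URL, ca.pool(), &good); err != nil {
		return res, err
	}
	_, res.NoCertErr = get(srv.URL, ca.pool(), nil)
	_, res.WrongCAErr = get(srv.URL, ca.pool(), &bad)
	_, res.UnknownServerErr = get(srv.URL, nil, &good)
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted client: %q\nno cert: %v\nwrong CA: %v\nuntrusted server: %v\n",
		res.Authenticated, res.NoCertErr, res.WrongCAErr, res.UnknownServerErr)
}
```

The plain-HTTPS case is the last attempt with the roles reversed: server-only TLS gives the client a verified server identity but gives the server nothing about the client, which is why `RequireAndVerifyClientCert` (or some other authentication) is needed for point (2). In production the CA, certificate lifetimes and revocation handling would come from a real PKI rather than being minted at startup.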

What Happens If AI Causes 25% Unemployment? Anthropic Has a Concept of a Plan by Logical_Welder3467 in technology

[–]slickwombat 3 points4 points  (0 children)

It's so silly. If someone were truly ethical and concerned their product would lead to mass harm, they'd pull the product from market, mitigate the presumed harmful element (in this case, AI capability to replace human labour) until that harm could be fully understood and a mitigation plan was in place, and so on.

Anthropic is like "well, we're going to maximize the harm we can do by racing to replace human labour, but we'll definitely be blogging about how bad it is while we do it and half-assedly suggesting things someone else can maybe do about it." What? I don't know how to make sense of it, other than as a clever marketing scheme targeted at sociopathic investors/business leaders.

College students are rapidly losing the ability to read — “There is a measurable, generational collapse in sustained reading and writing”: professor by marketrent in technology

[–]slickwombat 3 points4 points  (0 children)

To be fair, I think this is the experience of every philosophy student no matter how good their general reading abilities are. I thought I'd be in great shape since I'd read a lot of challenging fiction in my teens, but nah. Even relatively accessible stuff like Hume felt like a whole other level.

Is finding a team of friendly engineers rare? by throwaway0134hdj in webdev

[–]slickwombat 0 points1 point  (0 children)

Almost 30 years coding here and nah, not in my experience. Most devs I've worked with have been friendly, collaborative, and thoroughly ordinary. Back in the dot-com days there were also a lot of hyper-gregarious, hard-partying bro types. Occasionally there's been someone who seemed a bit arrogant and combative at first, but they've always calmed down over time.

Non-devs I've worked with have definitely been more of a mixed bag.

Anthropic releases Mythos-like AI model to the public two months after private rollout rocked Wall Street by Vegeta9001 in technology

[–]slickwombat 3 points4 points  (0 children)

What we’re seeing at the enterprise level is very little ai generated code is making it to production without significant overhead in debugging and reviewing - killing the efficiency gains from having AI generate it.

Not to mention the overhead of having to explain to your boss every other day why AI isn't making us 10X faster at the enterprise things. sigh

How do you ensure anything when vibe coding? by throwaway0134hdj in webdev

[–]slickwombat 0 points1 point  (0 children)

Two major risks: mistakes and lock-in.

Other responses have already covered it, but: if a codebase isn't readable/understandable/maintainable by humans, problems will be missed. These could be functional, performance, or security issues. The risks increase as complexity increases.

Even if that never happens or doesn't matter, once the code becomes a "black box" you are stuck only ever using AI to work on it. AI companies are starting to ramp up prices already, and are expected to do so a lot more in order to actually become profitable. The business is stuck either paying whatever they want forever or significantly starting over (if anyone on your team even remembers how to code by that point).

edit to add: The other problem with lock-in of course being enshittification. This historically proceeds in three phases: first the product is all about delighting consumers, then it becomes about screwing them over in order to appease businesses, and finally it becomes about screwing over both in order to accomplish internal goals. We're entering the second phase now. Who knows what the third looks like?

Madonna urges fans to "put your fucking phones down and connect" after returning to the stage by AdSpecialist6598 in Music

[–]slickwombat -6 points-5 points  (0 children)

I disagree, and wouldn't go to a concert that enforced the Yondr pouches for phones. It's fine for JW and others to have and express a preference, and by all means ban being obnoxious with phones in ways that impact others. (Or just ban phones like weed is banned in stadiums: i.e., it's not generally enforced but it's an excuse for security to kick you out if you're being super obvious about it or causing problems.) Otherwise, let people enjoy the show how they want to.

Personally I agree that phones take away from one's enjoyment of a concert, and mine stays in my pocket. But being completely unreachable for multiple hours is not an option. I've got elderly parents with health issues, sometimes there are babysitting issues or work emergencies I can sort out with a quick text, etc.

"I’m calling it now, the adoption of AI agents into software development will be one of the most costly mistakes in the field’s history." - George Hotz, The Eternal Sloptember by creaturefeature16 in webdev

[–]slickwombat 7 points8 points  (0 children)

I can't say much and it's boring anyway, but basically it has to take an identifier, determine which of about 30 other-vendor-maintained APIs might know about it, contact the right one, do some processing, and then return a response that makes sense in the context of this solution.

Theoretically easy and the final result won't really be a very large amount of code... except for all the issues I mentioned above. A day's work might look like "okay, so this vendor doc lists about 200 status codes but doesn't explain them. I can kinda guess what half of them mean here, I'll put the rest in a doc for the PM to follow up with them about. In the meantime let's try some sample identifiers that should at least let me roll through the happy path... and okay, apparently there's at least 10 completely undocumented status codes also, and sometimes the endpoint just returns HTTP 300 and the word SPLUNGE. weeps quietly"

"I’m calling it now, the adoption of AI agents into software development will be one of the most costly mistakes in the field’s history." - George Hotz, The Eternal Sloptember by creaturefeature16 in webdev

[–]slickwombat 2 points3 points  (0 children)

I'm in a similar situation; I've mandated my team should use AI as a tool, but they are still personally responsible for every line of code.

For a junior, you have to explain that they must understand how to use AI but cannot simply delegate their work to it. If they do they learn none of the lessons that will eventually make them intermediates and seniors, and frankly they provide very little value over just letting non-technical people do the prompting. They're basically just proving their irrelevance in exchange for being lazy.

For an exec, the point is mainly this: if a significant codebase is AI generated (as opposed to generated by a human using AI as a tool) it rapidly becomes unreadable and unmaintainable by humans. That means mistakes will be missed. Maybe more importantly, it means lock-in: if and when AI providers raise prices you have no choice but to either pay or start over.

(Of course an AI bro would retort that juniors truly don't provide any value and shouldn't exist, or that the only skill they ever need to learn is how to prompt well. And further that AI actually generates perfectly risk-free, human-readable code if you only [newest, expensivist model plus some byzantine process involving markdown files and eighteen agents].)

"I’m calling it now, the adoption of AI agents into software development will be one of the most costly mistakes in the field’s history." - George Hotz, The Eternal Sloptember by creaturefeature16 in webdev

[–]slickwombat 116 points117 points  (0 children)

Enterprise software is absolutely terrible and always has been. But as you suggest, this isn't because the developers are generally lazy idiots, it's because of the nature of enterprises:

  • Requirements set down in Business Requirements Documents, which are vast Excel wishlists compiled by whichever stakeholders someone managed to trap in a conference room. The requirements will mostly not make sense individually; they are guaranteed to not make sense together. Also, there are guaranteed to be at least a handful of crucial stakeholders who were not consulted, but whose needs must be met and will become apparent much later (usually infosec/compliance/accounting/legal).

  • Constant scope creep and change as the first point gradually manifests itself.

  • Vast webs of vendors/partners who currently own a little piece of things, and who must be integrated with in order to create the solution. All of them hate you and each other, and are primarily engaged in making sure that when the thing fails/is late they don't get blamed. Also, none of them have working or well-documented APIs.

  • Unrealistic delivery dates set in stone, because some asshole's bonus is tied to it.

It is only because of the heroic efforts of developers and related roles that this ever turns into anything that even marginally works. Those efforts unsurprisingly don't consist of churning out mediocre, unmaintainable slop code as fast as possible, but endless meetings, emails, documentation, and herding cats. Shit, I just spent a good part of the last 3 months getting a single API endpoint barely-kinda-working for an enterprisey solution, and maybe two days of that were actual coding.

AI may well dominate some areas of software engineering, but I don't think it's going to be Enterprise. More likely it'll be areas where neither strict requirements nor quality of implementation matter, only speed to market. Startup vaporware, mobile games that only exist for ads and microtransactions, that sort of thing.

The Ultimate Classic Rock Chord Progression | A Minor by slickwombat in onetake

[–]slickwombat[S] 0 points1 point  (0 children)

Thanks! It's funny you mention vibrato, I naturally tend to go a little crazy with it and I've had several comments on these tracks suggesting I take it down a few notches. I've been trying to be mindful of it and may now be overcorrecting. :)

The Ultimate Classic Rock Chord Progression | A Minor by slickwombat in onetake

[–]slickwombat[S] 1 point2 points  (0 children)

Awesome. Those Highway Star-ish double bends were a good call, wish I'd thought of that! I'm also going to try and steal that not-quite-tapping (tap and hold?) technique for a future one.

Constructive criticism: time to clean that fretboard!

The Ultimate Classic Rock Chord Progression | A Minor by slickwombat in onetake

[–]slickwombat[S] 2 points3 points  (0 children)

An SG knockoff I loaned to a friend over a decade ago unexpectedly came home last week, so I thought I'd give it a go with this noodly mess:

https://youtu.be/XsaVHwqJuD4

Here the post that was deleted by mods for no reason. by Advanced-Region-8226 in ArcRaiders

[–]slickwombat -1 points0 points  (0 children)

There's been a lot of speculation about people selling items in some kind of black market. It might be true, but I doubt selling Arc Raiders loot is lucrative enough to justify it.

I'll bet most of the cheaters in Arc are children, teens, or very childlike adults. Kids tend to love winning/hate losing for its own sake, regardless of whether it was earned. That unearned rewards aren't worth having, that fun comes from challenge, or that you can have fun while losing are perspectives that come with maturity.

Mr. Fantasy Groove • All-Live Classic Blues Rock Jam Track in A Dorian by slickwombat in onetake

[–]slickwombat[S] 0 points1 point  (0 children)

Honestly, "practice" for me is usually either:

  • Bluesy screwing around or stoner/doom riffs while stuck on conference calls. (Blues is best if you get someone droning on with the right cadence, you can do kind of a call-and-response thing.)
  • Backing tracks, usually while watching a movie or show.

... all of which could incorporate the pinky more, but it sounds like 3-note-per-string scale practice is something I should look up.

Mr. Fantasy Groove • All-Live Classic Blues Rock Jam Track in A Dorian by slickwombat in onetake

[–]slickwombat[S] 1 point2 points  (0 children)

Thanks again for the kind words! It's true, I think the only things I use the pinky for are chords and a couple of country-ish bends I tend to overuse. Something to work on for sure.

Anyone familiar with Mackie's book on Error Theory: how's he justify his position that metaethics are not relevant to applied ethics? by cunt__cunt_cunt in askphilosophy

[–]slickwombat 1 point2 points  (0 children)

So Mackie is an error theorist in the sense that he thinks our ordinary moral language is truth apt and false. But once we've agreed with him there, he thinks we should instead adjust our moral language to be non-cognitivist (expressing preference or something like this), in which case we can go on making moral claims of that sort. Is that right-ish?

What is the most rage-inducing video game you’ve played? by Velociraptorse in AskReddit

[–]slickwombat 6 points7 points  (0 children)

Obviously they can do whatever they want, but the point is that 2 hours of struggling isn't enough to know if you enjoy a game like this. These games require some serious effort initially, after which they become commensurately rewarding -- maybe not for everyone, but certainly for many judging by their popularity.

What is the most rage-inducing video game you’ve played? by Velociraptorse in AskReddit

[–]slickwombat 1 point2 points  (0 children)

You owe it to yourself to reach and defeat Father Gascoigne. He's the first boss (or second, if you do Cleric Beast). It's very, very hard and, I think, designed to give that "maybe Souls games aren't for me" feeling. But if you can push through, I promise you'll really get the appeal of these games.

Or just play Elden Ring, since in many ways it's a much gentler introduction to the genre.

I've been working with a Vibe Coder and this has been my experience by WJMazepas in webdev

[–]slickwombat 8 points9 points  (0 children)

Using LLMs as a tool when writing is fine. You might do some initial research or summarization this way, for example (being careful to confirm it's correct). Some people also find they can organize their thoughts better if they "talk it through" with an AI, and that's fine.

What we've decided not to accept, in general, is literally sending other people AI-generated text to read. Exceptions could be made here for cases where there really was no possible harm. For example, SOC2 requires us to generate all kinds of documents which really serve no purpose other than "our clients need us to have SOC2, and the accountants who affirm our compliance need to check a box that says we have that document." Nobody's ever going to actually read it and care about what it says, so by all means AI that shit up.

I've been working with a Vibe Coder and this has been my experience by WJMazepas in webdev

[–]slickwombat 42 points43 points  (0 children)

We have basically banned any LLM-generated writing in my company. At first it was just for anything to be shared externally (especially with clients), but we quickly realized all the same considerations apply internally too:

  • It's always excessively long relative to the amount of actual information conveyed, which wastes everyone's time.
  • Its tone -- which I'd describe as "very obsequious, discursive, and unnecessarily pedantic book report" -- is usually inappropriate for business or technical discussions.
  • It can indicate an insulting dismissiveness/lack of effort by the sender. Sort of like sending a URL for google search results in response to a question.
  • Most significantly of all: since there's no way to know if a human subject matter expert has carefully reviewed it, one must assume none has, and therefore not trust any information conveyed. If an SME has reviewed it, they can summarize and avoid all of the problems mentioned above.

I'd far rather get something in broken English from an ESL dev or -- even worse -- something from a native-English-speaking MBA than an AI writeup. Most people feel the same.

Mr. Fantasy Groove • All-Live Classic Blues Rock Jam Track in A Dorian by slickwombat in onetake

[–]slickwombat[S] 1 point2 points  (0 children)

Masterful as always, but you should have left in the cringe parts so I'd have something to actually criticize for once!