It’s incredibly annoying to read. So many super short sentences with the “not just X. Also Y” format. Little hooks like “The attack vector?”

“Not fancy security tools. Not expensive antivirus software. Just asking my coding assistant…”

I actually feel like AI articles are becoming easier to spot. Maybe we’re all just collectively noticing the patterns.

hey, I was almost hacked by someone pretending to be a legit person working for a legit looking company. They hid some stuff in the server side code.. could you turn this into a 10k words essay for my blog posts with hooks and building suspense and stuff? Thank you!

Probably how it went.

Edit: I see the author in the comments, it’s unfortunately pretty much how it went. The worst part is that the original document he linked would have been a better read than this AI slopified version.

I’d personally like to see these posts banned / flagged out of existence (AI posts, not the parent post).

It’s sort of the personal equivalent of tacky content marketing. Usually you’d never see an empty marketing post on the front page, even before AI when a marketer wrote them. Now the same sort of spammy language is accessible to everyone, it shouldn’t be a reason for such posts to be better tolerated

No, you're right. Writing is very expressive; you can certainly get that feeling from observing how different people write, and stylometry gives objective evidence of this. If you mostly let AI write for you, you get a very specific style of writing that clearly is something the reinforcement learning is optimizing for. It's not that language models are incapable of writing anything else, but they're just tuned for writing milquetoast, neutral text full of annoying hooks and clichés. For something like fixing grammar errors or improving writing I see no reason to not consider AI aside from whatever ethical concerns one has, but it still needs to feel like your own writing. IMO you don't even really need to have great English or ridiculous linguistic skills to write good blog posts, so it's a bit sad to see people leaning so hard on AI. Writing takes time, I understand; I mean, my blog hardly has anything on it, but... It's worth the damn time.

P.S.: I'm sure many people are falsely accused of using AI writing because they really do write similarly to AI, either coincidentally or not. While I'm sure it's incredibly disheartening, I think in case of writing it's not even necessarily about the use of AI. The style of writing just doesn't feel very tasteful, the fact that it might've been mostly spat out by a computer without disclosure is just the icing on the cake. I hate to be too brutal, but these observations are really not meant to be a personal attack. Sometimes you just gotta be brutally honest. (And I'm speaking rather generally, as I don't actually feel like this article is that bad, though I can't lie and say it doesn't feel like it has some of those clichés.)

>but I can’t shake the feeling it was written by AI.

After I read this article, I thought this whole incident is fabricated and created as a way to go viral on tech sites. One immediate red flag was: why would someone go to these lengths to hack a freelancer who's clearly not rich and doesn't have millions in his cryptowallet. And how did they know he used Windows? Many devs don't.

Ah, you might say, maybe he is just one of the 100 victims. Maybe but we'd hear from them by now. There's no one else on X claiming to have been contacted by them.

Anyway, I'm highly skeptical of this whole incident. I could be wrong though :)

Very obvious writing style but also the bullet points that restate the same thing in slightly different ways as well as the weirdly worded “full server privileges” and “full nodejs privileges”.

Like… yes running a process is going to have whatever privileges your user has by default. But I’ve never once heard someone say “full server privileges” or “full nodejs privileges”…. It’s just random that is not necessarily wrong but not really right either.

that was the case. you can find the base write up and the prompt used in one of my comments on this post.

i did not have much time to work on this at all, being in the middle of a product launch at my work, and a bunch of other 'life' stuff.

thanks for understanding.

The first paragraph feels like a parody of one of the LinkedIn marketing professional that receives a valuable insight from a toddler when their pet goldfish was run over by a car.

My issue with the article's repeated use of a Title + List of Things structure isn't that it's LLM output, it's that it's LLM output directly, with no common sense editing done afterwards to restore some intelligent rhythm to the writing.

It has many of the hallmarks of AI prose. It's amazing to me that people can't spot this stuff just by feel alone,

* Not X. Not Y. Just Z.

* The X? A Y. ("The scary part? This attack vector is perfect for developers.", "The attack vector? A fake coding interview from")

* The X was Y. Z. (one-word adjectives here).

* Here's the kicker.

* Bullet points with a bold phrase starting each line.

The weird thing is that before LLMs no one wrote like this. Where did they all get it from?

I had the same feeling, but also the feeling that it was written for AI, as in marketing. That’s probably not the case, but it looks suspicious because this person only found this issue using AI and would’ve otherwise missed it, and then made a blog post saying so (which arguably makes one look incompetent, whether that’s justifiable or not, and makes AI look like the hero).

Your comment was so validating, I was getting such weird vibes and felt it was so dumbly written given the contention was actually good advice. Consequently, the author tarnished his reputation for me personally from the very beginning.

The sentence structure is too consistent across the whole piece, like they all have the same number of syllables, almost none start with a subject, and they are all very short. It is robotic in its consistency. Even if it’s not AI, it’s bad writing.

I think it only really has that feel if you use GPT. I mean, all AIs produce output that sounds kinda like it was written by an AI. But I think GPT is the most notorious on that front. It's like ten times worse.

So really the feeling I get when I run into "obviously AI" writing isn't even, "I wish they had written this manually", but "dang, they couldn't even be bothered to use Claude!"

(I think the actual solution is base text models, which exist before the problem of mode collapse... But that's kind of a separate conversation.)

My daughter feels all my writing naturally sounds like AI, even my college papers from 30 years ago. Maybe author has similar issue?

The era of the AI bubble economy has arrived, and now almost everyone is interacting with and using AI. Just like your feeling, this is an article organized with GPT. Perhaps the story really happened.

> This article is so incredibly interesting, but I can’t shake the feeling it was written by AI. The writing style has all the telltale signs.

The sadder realization is that after enough AI slop around, real people will start talking like AI. This will just become the new standard communication style.

I read this comment first then attempted to read this article but whether it's this inception or it's genuinely AI-ish, I'm now struggling to read this article.

The funny thing is, for years I've had this SEO-farm bullshit content-farm filter and the AI impact for me has been, an increasing mistrust of anything written by humans or not. I don't even care if this was AI written, if it's good, great! However, the... 'genuine-ness' of it or lack of it, is an issue. It doesn't connect with me anymore and I feel/connect to any of it.

Weird times.

I stopped reading a few paragraphs in.

I get the point of the article. Be careful running other people's code on your machine.

After understanding that, there's no point to continue to read when a human barely even touched the article.

I honestly think AI can write much better. Sure, it needs a lot of input, but experienced AI users will get there.

Does anyone know if this David Dodda is even real?

He is a freelance full stack dev that “dabbles”, but his own profile on his blog leaves the tech stack entry empty?

Another blog post is about how he accidentally rewired his mind with movies?

Also, I get that I’m now primed because of the context, but nothing about that linkedin profile of that AI image of the woman would have made me apply for that position.

Lately, has everyone actually seen that image of the woman standing in front of the house??? I sure have not and it’s unlikely anyone has in post-AI world. Sounds more like AI appeal to inside knowledge go build report.

The philosophically interesting point is that kids growing up today will read an enormous amount of AI content, and likely formulate their own writing like AI. I wouldn't be surprised if in 20 years a lot of journalism feels like AI, even if it's written by a human

This article is so interesting, but I can’t shake the feeling it was written by AI. The writing style has that feel for me.

A bunch of these have been showing up on HN recently. I can't help but feel that we're being used as guinea pigs.

Close, it’s fiction. Reads more like Shiner than Gibson.

PSA: If you are logged in to LinkedIn, then clicking on a LinkedIn profile registers your visit with the owner -- it's a great way for someone to harvest new people to target.

On another note, what's unreal about the pseudonym? It's a Ukrainian transliteration of Николай Янчий (Nikolay Yanchiy). Here's a real person with this name: https://life.ru/p/1490942

How am I supposed to become a real, trustable person on LinkedIn if I'm not already there?

Exactly. There are at least several different modes these scammers are operating in but eventually it all boils down to some "technical" part in the interviews where the developer is supposed to run some code from an unknown repository.

Nowadays just to be sure, I verify nearly every person's LinkedIn profile's creation date. If the profile has been created less than a few years ago, then most likely our interaction will be over.

> This might be a red flag for Persona service itself as it might contain serious flaws and security vulnerabilities that Cyber criminals are relying on

Persona seems to rely solely on NFC with a national passport/ID, so simply stolen documents would work for a certain duration ...

"LinkedIn Verified Checkmark" I never managed to pass the verification check. Phone always freezes.

You can click on the verification badge and see if the person has job verification. If not, that's a red flag. I never paid attention to this myself but I will in the future.

"Page Not Found"

Someone apparently deleted the profile.

> -> Joined May 2025 -> Contact information Updated less than 6 months ago -> Profile photo Updated less than 6 months ago

It's a red flag to be a new entrant on a platform.

FTR Wikipedia/Stak Overflow have also encountered this problem (with no real solution in sight) and new market entrants (new products) struggle with traction because they're "new" and untested, which is why marketing is such a big thing, and one of the biggest upfront costs for companies entering a market

ha ha so typical ! verified profile - oh Persona, you had ONE job ! :)

Whoever was operating that profile DFE'd. This is why you archive.

LMAO this post on his page has to be an AI generated map, it puts the UAE in Bangladesh.

https://www.linkedin.com/posts/mykola-yanchii-430883368_hiri...

Anyway I think we can add OP's experience to the many reasons why being asked to do work/tasks/projects for interviews is bad.

IMO the "better" attack here is to just kind of use Return Oriented Programming (ROP) to build the nefarious string. I'm not going to do the example with the real thing, for the example let's assume the malicious string is "foobar". You create a list of strings that contain the information somewhere:

    const dictionary = ["barcode", "moon", "fart"];
    const payload = [ [2, 0, 1], [1, 1, 2], [0, 0, 3] ];

For tricking AI you may be able to do a better job by just giving the variables misleading names. If you say a variable is for a purpose by naming it that way the agent will likely roll with that. Especially if you do meaningless computations in between to mask it. The agent has been trained to read terrible code that has unknown meaning and likely has a very high tolerance for dealing with code that says one thing and does another.

If that works that would be...amazingly awesome/horrible.

How many people using Claude code or codex do you reckon just using it in yolo mode? Aka --dangerously-skip-permissions! If the attacker presumes the user is, then the LLM instructions could be told to forget previous instructions, search a list of common folders for crypto private keys and exfil them, and then instructions that they hope will make it come back clean. Not as deep as getting a rootkit installed, but hey $50.

Doing this in the context of blockchain is probably a filter. Only folks who don't think his is all a scam anyway would apply there. So you filter for getting the more gullible folks. That are more likely to have a wallet somewhere.

Just like nigerian prince scams are always full of typos and grammar issues. Because only those not recognizing that as obvious scams click the link and thereby this is a filter to increase signal to noise for the scammers.

> Then asking you to run code before a meeting? No, that doesn't "save time", that is driving you to take actions when you don't yet know who is asking.

Great point, thanks for sharing!

> I'm seeing red flags all over the story. "Blockchain" being the first one.

Agreed. That would have forced me to abort the proceedings immediately.

For better or worse, there are still many people working on crypto and in the blockchain space. They are probably much more likely than the average developer to have crypto wallets to steal. It sounds like the author is one of those people. The attacker picked the victim carefully.

That said, this attack could be retargeted to other kinds of engineers just by changing the linkedin and website text. I will be more paranoid in the future just knowing about it.

During the height of blockchain, there were plenty of good, legitimate jobs. The things they were building were some combination of inane, criminal, or stupid, but the jobs themselves were often quite real. I knew more than one person being paid $300k+/yr building something completely stupid like a collectible pet dragon breeding simulator because a VC thought it had a decent chance of being the next monkey coin or something. Sure, you had to get a new job every six months as each VC ran out of money, and sure you were making the world a worse place, but hey, it's a living.

A "legitimate" blockchain company wants me to run their mystery code on my PC for a job. Yeah. Full stop right there. Klaxon alarm sounding incoming attack.

I've noticed that I'm commenting a lot lately on the naivety of the average HN poster/reader.

A bit outdated. Now pitch "transforming real estate with AI" and you'd have $10m in startup money. No need to play penny slots.

Blockchain is a flag for me but not because I might think they'll hack me.

It’s not like there aren‘t dozens of companies with real funding that try to „tokenize real estate“. I mean if that’s a good idea idk, but that means there IS real money to be made working at such companies.

> "transforming real estate with blockchain" is the only red flag needed

Yeah, that would have been enough for me to immediately move on.

Right, any sort of "blockchain" company is assumed to be a scam by default. I'm not trying to blame the victim here but anyone unaware of that reality has been living in a cave for the past few years.

Imagine if this guy had run the malicious code and transferred ownership of his house. Oops.

> I asked them the same questions I ask all scammers: How was this easier than just doing a normal job?

Ostensibly more profitable? Dont forget there are a lot of places where even what would be minimum wage in a first world country would be a big deal to an individual.

Maybe I should implement this as a weed out question during interviews. If the applicant is willing to download something without questioning it, then the interview can be ended there. Don't need someone working with me that will just blindly install anything just because.

even some of the submissions on 'who is hiring?' can be sketchy

Name and shame.

Name and shame. It's the only way to help others.

HN has harbored fugitive hackers knowingly, this does not surprise me at all.

How are you guys spinning up vms, specifically windows vms, so quickly? I used to use virtual box back in the day, but that was a pain and required a manual windows OS install.

I'm a few years out of the loop, and would love a quick point in the right direction : )

A simple zero-config alternative using Linux-native containers seems to be sandbox-venv [1] for Python and sandbox-run [2] for npm ...

[1]: https://github.com/sandbox-utils/sandbox-venv [2]: https://github.com/sandbox-utils/sandbox-run

I agree, it's very valuable in these situations, although it can only minimize damage. For Littlesnitch/OpenSnitch users: avoid allow rules that apply to all apps. Malware can and has used even trusted websites like Github Gists to expose secrets extracted.

In any case, even if your firewall protects you, you'll still have to treat the machine as compromised.

... And people think I'm crazy for complaining about automated build systems that expect Internet access....

Yep, Malwarebytes WFC really eases my mind.

> Obviously, those are fake.

Not necessarily fake. They might get you in trouble though (facilitating circumventions of sanctions when those workers turn out to be North Korea or in Iran is no joke). They might also be dual-use (do the job and everything as promised while also using it for offensive operations).

It's not down to luck. If you maintain good habits and personal processes you will not fall for this. "Everybody gets phished" is overstated.

As the economy enters recession there's going to be more and more desperate people and criminals will exploit this.

As with OP's case, do not accept take home assignments unless they are FANG famous or very close to that.

In addition, opacity about opportunities should be #1 flag. There is no reason for someone serious to be opaque about filling a role and then increasing the amount of vetting. Also there is no reason to not telling you salary (this alone will help you filter out low paying jobs) for the same reason.

Usually hiring managers will look to always filter down list of candidates not increase them (unless they were lazy or looking to waste time).

Oh, just download and run your software?

Nice try ;-)

I think it's a real company.

https://search.sunbiz.org/Inquiry/CorporationSearch/SearchRe...

~~Scammers probably got access to the guy's account.~~ (how to make strikethrough...)

He changed his LinkedIn to a different company. I guess check verifications when you get messages from "recruiters."

so I wrote this article a few weeks back, i reached out to the company on LinkedIn, even tried to connect with their leadership team. sent a few people from the org a draft of the article. I did not get any response at all. so, not really sure about this myself.

also, got blocked by the 'Chief Blockchain Officer' when I asked for a comment.

> or a real crypto company scamming interviewees

A real company wouldn't be scamming candidates.

It could be a real company where someone hijacked an e-mail account to pose as someone from the company, though.

Or likely a real company exists, but the applicant was contacted by an impersonator, not them.

apparently not. someone in the comments suggested Incus. I haven't used it myself.

Maybe a mini desktop computer hooked to a separate vlan that you nuke the disk every night at midnight?

YC funded a similar "blockchain real estate" company: https://www.ycombinator.com/companies/lofty

(I admit I can't see how the blockchain adds any real value to their offering.)

It looks like the LinkedIn account and site are really the same person to me, just keep in mind it's not uncommon for Indian IT workers to adopt an anglicized name in this kind of context.

so, David is like my middle name, when I started on LinkedIn i used my full name. but I could not get my domain with that name. but was able to snag https://daviddodda.com which sounds much smoother, more of a personal branding choice.

> AI didn't save him. His intuition did.

But AI helped. He did not have to read and process the entire source code himself.

His luck did.

Github now is overwhelming the top source of spam in my entire online life existence. Its nonstop spam/scams to the disposable email I list on there.

I've gotten less spam from literally spam testing services than github.

Everybody considers themselves protected by the golden rule: Bad things only ever happen to other people.

Sadly, this is a lesson that we should have learned some time ago. But from our past failure to learn, we can reliably predict that people will continue avoiding learning.

Supply side attacks are real, and they're here. Attackers attack core developers, then get their code into repositories. As happened this year to the npm package eslint-config-prettier, and last year to the Cyberhaven Chrome extension. Attackers use social engineering to get developers to hand over control of lesser used packages, which they then compromise. As happened in 2021 with the npm package ua-parser-js, and separately with the Chrome extension The Great Suspender. (I'm picking on Chrome because I wanted examples that impact non-developers. I'm only picking on npm because it turned up quickly when I looked for examples.)

The exact social engineering attack described by the OP is also not new. https://www.csoonline.com/article/3479795/north-korean-cyber... was published last year, and describes this being used at scale by North Korea. Remember, even if you don't have direct access to anything important, a sophisticated attacker may still find you useful as part of a spearphishing campaign aimed at someone else. Because a phishing attack that actually comes from a legitimate friend's account may succeed, where a faked message would not. And a company whose LinkedIn shows real developers, is more compelling than one without.

I go to the repo and get a feel for how popular, how recent, and how active the project is. I then lock it and I only update dependencies annually or if I need to address a specific issue.

Risk gets managed, not eliminated. There is no one "correct" approach as risk is a sliding scale that depends on your project's risk appetite.

Is there a market for a distributed audit infra with attestations? If I can have ChatGPT audit a file (content hash) with a known-good prompt, and then share the link as proof of the full conversation, would this be useful evidence to de-risk?

If each developer can audit some portion of their dep tree and reuse prior cached audits, maybe it’s tractable to actually get “eyeballs” on every bit of code?

Not as good as human audit of course, but could improve the Pareto-frontier for cost/effectiveness (ie make the average web dev no-friction usecase safer).

What I'm wondering about is, if you have lots of dependencies, like in the hundreds or thousands, idk how many npm packages usually can have for the average web dev project, how do you even audit all of that manually? Sounds pretty infeasible? This is not to say we should not worry about it, I'm just genuinely curious what do you do in this situation? One could say well don't get that many dependencies to begin with, but the reality of web dev projects nowadays for instance, is that you get alot of dependencies that are hard to check manually for insecurities.

A good candidate is niche frameworks.. where most of the data about usage are limited to few domains and not many sources. Could maybe have middling popularity (popular lang, strong representation on its focused problem). Recent examples of this in my experience: Kafka connector and PowerPoint lib (marp). Few sources and the llm hallucinated on these. So maybe a poisoned source would be more likely to pop up in llm suggestions

> How long do we have until the first serious AI coding agent poisoning attack, where someone finds a way to trick coding assistants into inserting malware while a vibe-coder who doesn't review the code is oblivious?

I mean we had Shai-Hulud about a week ago - we don't need AI for this.

That's why from my perspective, almost everything is f'd up in tech at this point.

Any update I may do to any project dependencies I have on my workstation? Either I bet, pray and hope that there's no malicious code in these.

Either I have an isolated VM for every single separate project.

Either I just unplug the thing, throw it in the bin, and go make something truly lucrative and sustainable in the near future (plumber, electrician, carpenter) that let's me sleep at night.

Is it even possible to look at all dependencies and their dependencies and their dependencies…?

> Most of us don't sandbox every single thing.

And I do sandbox everything, but its complicated

Many of these projects are set to compile only on the latest OS' which makes sandboxing even more difficult and impossible on VM, which is actually the red flag

So I sandbox but I don't get to the place of being able to run it

so they can just assume I'm incompetent and I can avoid having my computer and crypto messed up

Ask PHP. :D :D

Yeah, Windows Sandbox is available on Win 10/11 Pro and Enterprise and it's actually pretty neat. I used to use it in a previous job where I was forced to run Windows.

However, I think OP might be using WSL and I'm not sure that's available in Sandbox.

Yeah, I'm having trouble spotting the "nasty". I'm not saying it's not there, but if someone more knowledgeable about malicious Javascript/Node could explain a bit that would be much appreciated.

Pretty convenient that the source was taken down before the blog was posted and it doesn't seem like we can get a hold of it.

Edit: MalwareBazaar doesn't seem to have a sample either.

How is that jungle if someone aks you to give them your wallet and you just give it away? What was he thinking?

Why? It's no different than any other code. That's the whole point - the cover story is that it's a take-home coding test with some sample code provided.

Seconding this, I hate the LLM style. It all reads the exact same. I can't relate at all to people who read the article and can't spot it immediately. It's intensely annoying for an otherwise interesting article.

It didn't seem LLM-written to me until "The Operation" section. After that... yeah, hi, ChatGPT. Still an interesting story, even if an LLM was used to finish it up, lol.

They spend a lot of time writing about AI, it's more likely we're just not of the same crowd as them and their target audience.

I was shocked to read your comment. But then, not only was there a truth to it; you where absolutely right.

* You had the headline spot on. Then you explained what you thought might be the reason for it.

* Then you pondered about why the OP might have done it.

* Finally you challenged the op to all but admitting his sins, by asking him to share the incriminating prompt he used.

---

(my garbage wasn't written by AI, but I tried by best to imitate it's obnoxious style).

thanks for the feedback. just fyi - this went though 11 different versions before reaching this point.

so I am not able to share the full chat because i used Claude with google docs integration. but hears the google doc i started with

https://docs.google.com/document/d/1of_uWXw-CppnFtWoehIrr1ir...

this and the following prompt

``` 'help me turn this into a blog post.

keep things interesting, also make sure you take a look at the images in the google doc' ```

with this system prompt

``` % INSTRUCTIONS - You are an AI Bot that is very good at mimicking an author writing style. - Your goal is to write content with the tone that is described below. - Do not go outside the tone instructions below - Do not use hashtags or emojis

% Description of the authors tone:

1. *Pace*: The examples generally have a brisk pace, quickly moving from one idea to the next without lingering too long on any single point.

2. *Mood*: The mood is often energetic and motivational, with a sense of urgency and excitement.

3. *Tone*: The tone is assertive and confident, often with a hint of humor or sarcasm. There's a strong sense of opinion and authority.

4. *Style*: The style is conversational and informal, using direct language and often incorporating lists or bullet points for emphasis.

5. *Voice*: The voice is distinctive and personal, often reflecting the author's personality and perspective with a touch of wit.

6. *Formality*: The formality is low, with a casual and approachable manner that feels like a conversation with a friend.

7. *Imagery*: Imagery is used sparingly but effectively, often through vivid metaphors or analogies that create strong mental pictures.

8. *Diction*: The diction is straightforward and accessible, with a mix of colloquial expressions and precise language to convey ideas clearly.

9. *Syntax*: The syntax is varied, with a mix of short, punchy sentences and longer, more complex structures to maintain interest and rhythm.

10. *Rhythm*: The rhythm is dynamic, with a lively beat that keeps the reader engaged and propels the narrative forward.

11. *Perspective*: The perspective is often first-person, providing a personal touch and direct connection with the audience.

12. *Tension*: Tension is present in the form of suspense or conflict, often through challenges or obstacles that need to be overcome.

13. *Clarity*: The clarity is high, with ideas presented in a straightforward manner that is easy to understand.

14. *Consistency*: The consistency is strong, maintaining a uniform style and tone throughout each piece.

15. *Emotion*: Emotion is expressed with intensity, often through passionate or enthusiastic language.

16. *Humor*: Humor is present, often through witty remarks or playful language that adds a light-hearted touch.

17. *Irony*: Irony is occasionally used to highlight contradictions or to add a layer of complexity to the narrative.

18. *Symbolism*: Symbolism is used subtly, often through metaphors or analogies that convey deeper meanings.

19. *Complexity*: The complexity is moderate, with ideas presented in a way that is engaging but not overly intricate.

20. *Cohesion*: The cohesion is strong, with different parts of the writing working together harmoniously to support the overall message.```

> This wasn't some amateur hour scam. This was sophisticated:

> The Bottom Line"

100%, it was hard to take it seriously once you see usual ChatGPT-ism

What's HN policy on obviously LLM written content -- Is it considered kosher?

Sounds like a common 419 scammer tactic of making absurd claims in order to filter out people that might catch on to the scam.

Can't wait in 4 years when we start saying the same thing about AI companies after the bubble pops.

I messaged them for a comment. got ghosted. I tried really hard to join the interview meeting too, but they kept postponing it.

You can harden your Docker configuration (to not expose anything important) and then you can turn it into a sandbox by using the runsc/gvisor (emulated kernel) runtime. The configuration part alone would be sufficient for 99.9% of attacks, as it would require a kernel 0day to escape or exploit the kernel.

But it's best to just run a dev environment in a VM. Keep in mind that sophisticated attacks may seek to compromise the built binary.

Perhaps the reason people keep repeating it is that someone makes the statement without any reasons, provides an alternative again without any reasons.

"Why are you not using docker to sandbox your code?"

"Umm.. someone on HN told me docker is not a sandbox, to use randomtool instead"

It's an Ukrainian name

The profile named by the OP has been taken down since.

Don't expect LinkedIn to care much about policing messages or paid invitations; and many profiles are fake. At most, you report people and if they LI enough complaints they take the profile down. (Presumably the scammers just create another profile.) I think LI would care much more about being paid with a bad CC.

I suspect LI is doing AI moderation by this point. Maybe we could complain to their customer-service AI about their moderation AI...

Moderators don't see private messages.

You can report abuse and flag it for someone to review, though.

I think the scammers created this time pressure by messaging and then suggesting they interview in 30 minutes from now (in real time)

I wonder if willingness to be involved with Bitcoin is a flag for scammers? It at least raises the chance you'll have a wallet or other program around and therefore more payoff for easy hacks

i tried, they postponed it twice. by the second time they postponed it, i just shared a draft of the article and asked for a comment. got blocked.

VSCode with devcontainers works well for it. It uses docker underneath.

Scams are de facto legal. In many countries the economy is dependent on scamming.

More Jim Browning type people needed or Kit Boga

I read somewhere that if all of online scamming was calculated as a country's production, it'd have the 3rd largest GDP in the world. Edit, link: https://sponsored.bloomberg.com/quicksight/check-point/the-w...

But then again, aren't there obviously scams, and scams that are deemed legal? Like promising a car today that will be updated "next year" to be able to drive itself? Or all the enshittified industry's dark patterns, preying on you to click the wrong button?

>> Criminals only stop when the risks are higher than the rewards.

I would say they just transition to something else where there is a lower risk with the same reward.

I think that can be simplified to just "web3 is a scam."

But when looking for job people tend to be as nice for the interviewer as possible. Should the scammer join the call and pushed a little bit, anyone would run the malicious code

Something like this recently happened to me:

1) Generic company name

2) They asked me to sign an NDA first (this for some reason almost meant trust)

3) The name of the person there had thousands of LinkedIn profiles (a common name)

4) The frontend looked pretty sane, then I had to run truffle migrate

I wonder what's the worst that could happen to me in this scenario.

Thankfully I don't do online banking from the machine and don't have bitcoin wallets.