Gemini CLI is literally the worst agentic CLI tool that I've tried and Google won't let you use your credentials with any other.
It lacks obvious features that all the others have, crashes constantly, breaks so badly you lose work at least once a week, is seldom updated, and, worse, was recently crippled even further intentionally.
Google has had load issues forever. Their most recent solution has been to throttle CLI users to the point that it's almost useless. The only way to get decent service is to pay per query with the API now.
I cancelled my Ultra plan and went to ChatGPT. They still let you choose your preferred tool. Meanwhile, Google's forums and GitHub are filled with wailing and gnashing of teeth, but Google customer service policy is the same as it was when they just did search: reproachful silence.
> in principle, cybersecurity is advantage defender
I disagree.
The defender must be right every single time. The attacker only has to get lucky and thanks to scale they can do that every day all day in most large organizations.
My understanding of defense in depth is that it is a hedge against this. By using multiple uncorrelated layers (e.g. the security guard shouldn’t get sleepier when the bank vault is unlocked) you are transforming a problem of “the defender has to get it right every time” into “the attacker has to get through each of the layers at the same time”.
It is a hedge; that said, it only reduces the probability of an event and does not eliminate it.
To use your example, if the odds of the guard being asleep and the vault being unlocked are both 1% we have a 0.0001 chance on any given day. Phew, we're safe...
Except that Google says there are 68,632 bank branch locations in the US alone. That means it will happen roughly 7 times on any given day someplace in America!
Now apply that to the scale of the internet. The attackers can rattle the locks in every single bank in an afternoon for almost zero cost.
The poorly defended ones have something close to 100% odds of being breached, and the well defended ones have low odds on any given day, but over a long enough timeline it becomes inevitable.
To again use your bank example, if we only have one bank, but keep those odds, it means that over about 191 years the event will happen 7 times. Or to restate that number, it is likely to happen at least once every 27 years. You'll have about 25% odds of it happening in any 7 year span.
For any individual target, it becomes unlikely, but also still inevitable.
From an attacker's perspective this means the game is rigged in their favor. They have many billions of potential targets, and the cost of an attack is close to zero.
From a defender's perspective it means realizing that even with defense in depth the breach is still going to happen eventually and that the bigger the company is the more likely it is.
Cyber is about mitigating risk, not eliminating it.
Well, the attacker has something to lose too. It's not like the defender has to be perfect or else attacks will just happen, it takes time/money to invest in attacking.
The cost to your average ransomware crew can be rounded down to zero, because it's pretty darn close. They use automated tools running on other people's computers and utilizing other people's connectivity. The tools themselves for most RaaS (ransomware as a service) affiliates are also close to zero cost, as they pay the operator a percentage of profits.
The time is a cost, but at scale any individual target is a pretty minor investment since it's 90%+ automated. Also, these aren't folks that are otherwise highly employable. The opportunity cost to them is also usually very low.
The last attacker I got into a conversation with was interesting. Turns out, he was a 16-year-old from Atlanta, GA using a toolkit as an affiliate. He claimed he made ~100k/year and used the money on cars and girls. I felt like he was inflating that number to brag. His alternative probably would have been McDonald's, and as a minor if he got caught it would've been probation most likely. I told him to come to the blue team, we pay better.
At the end of the day, that guy is spending all of his finite hacking time setting up and maintaining these exploits and stolen infra. His marginal cost of breaching you is 0 if you're already vulnerable to the exact same exploit he already set up, but that's a big if, and someone else spent their finite time making toolkits. Otherwise you'd expect everything on the Internet that has any kind of vuln to be breached already.
Anyway I'm curious about the 16yo. Is it that he has special skills, or is it just that minors will do that dirty work for cheaper, given lower consequences and fewer other opportunities?
> I'm curious about the 16yo. Is it that he has special skills, or is it just that minors will do that dirty work for cheaper, given lower consequences and fewer other opportunities?
I was only able to keep him talking for about 20 minutes, so I can only speculate, but he was using off-the-shelf RaaS tools that he had modified to make more convincing. I actually got him talking by pointing out that a trick he'd done with the spoofed email headers from "coinbase" was clever, so he was definitely skilled for someone so young. He also had done his homework and knew a bit about me.
It's likely he was recruited just because he was too young for prison, but that he was relatively successful because he was clever.
Serious professionals use one or more spending models to determine budget.
My favorite is the Gordon-Loeb model[0], but there are others that are simpler and some that are more complex. Almost none imply the budget should naively grow in lockstep with prevalence linearly.
I think TFA doesn't really mean to imply that it should, merely that there is a likely mismatch.
I'm just some guy on hackernews, but I actually did try this on my DGX Spark. I went back to Gemma 4 after a few rounds. My orchestration model kept having to send the Qwen model back to fix mistakes that Gemma wouldn't have made. I wound up with less working code per hour due to the mistakes.
Technically, I use OpenWebUI with Ollama, so I used the weights below, but it should be the same.
I'd be super interested to hear about your workflow with OpenWebUI. I haven't figured out how to use it for anything other than the basic chatbot UI. I haven't been able to hook anything else into it.
What I said above was a bit confused. What I've actually done is connect OpenCode and OpenWebUI both to Ollama. I just use OpenWebUI to manage the models and for testing/etc. Once you have it working it's very nice. You can pull a new model just by typing the name and waiting while it downloads, etc.
Connecting Ollama to OpenCode and OpenWebUI is relatively trivial. In OpenWebUI there's a nice GUI. In OpenCode you just edit the ~/.config/opencode/opencode.json to look something like this. The model names have to match the ones you see in OpenWebUI, but the friendly "name" key can be whatever you need to be able to recognize it.
What a cool idea. How does it work? AFAIK the human brain at least does sparse backprop and has SOME neural circuits that feed-backward, so how do you manage it without anything?
Thanks! I have other ideas, following Jeff Hawkins's Thousand Brains Project, but in this one I'm trying to get to cortical columns from the other side, from "standard" deep neural networks.
The short version: each layer trains itself independently using Hinton's Forward-Forward algorithm. Instead of propagating error gradients backward through the whole network, each layer has its own local objective: "real data should produce high activation norms, corrupted data should produce low ones." Gradients never cross layer boundaries. The human brain is massively parallel and part of that is not using backprop, so I'm trying to use that as inspiration.
You're right that the brain has backward-projecting circuits. But those are mostly thought to carry contextual/modulatory signals, not error gradients in the backprop sense. I'm handling cross-layer communication through attention residuals (each layer dynamically selects which prior layers to attend to) and Hopfield memory banks (per-layer associative memory written via Hebbian outer products, no gradients needed).
The part I'm most excited about is "sleep". During chat, user feedback drives reward-modulated Hebbian writes to the memory banks (instant, no gradients, like hippocampal episodic memory). Then a /sleep command consolidates those into weights by generating "dreams" from the bank-colored model and training on them with FF + distillation. No stored text needed, only the Hopfield state. The model literally dreams its memories into its weights.
Still early, training a 100M param model on TinyStories right now, loss is coming down but I don't have eval numbers yet.
The idea is that the brain uses what the authors refer to as "feedback alignment" rather than backprop. Even if it turns out not to be literally true of the brain, the idea is interesting for AI.
I also love the idea of grafting on the memory banks. It reminds me of early work on DNCs (Differentiable Neural Computers). I tried to franken-bolt a DNC onto an LLM a few years back and mostly just earned myself headaches. :)
It's fun to see all the wild and wacky stuff other folks like myself are tinkering with in the lab.
I partially agree. I can see the before and after difference in colleagues' code. It's night and day.
They're doing things now that they either flat out could not do before, or if they did it would be a giant mess (I realize they still can't really do it now, AI is doing it for them).
https://github.com/google-gemini/gemini-cli/discussions/2297...