Nice write-up from the Cloudflare team, but the post here is misleading. Patch faster is not the wrong answer, because most teams are patching on the order of weeks or months. You must patch faster than that right now. But I will agree that 2 hours is infeasible beyond the occasional emergency CVSS 10. And defense in depth is a part of the arsenal, not the whole story.
@lsanger Heiser's book is weird but worth reading. He makes a very interesting case.
And as a former academic, where the job is basically arguing with smart people, *wow* the dude was an absolute baller.
It's really too bad you never got to talk to him.
@lsanger The immediate problem with "no other gods exist" is the Venite, Psalm 95:3.
Also, you can't say "Find me *any* passage" and then walk that back to exclude the main one that you already know is a problem for your position.
I just learned the sad news that Peter Neumann has passed away.
Peter Neumann shaped how a generation of security people learned to think about risk. As editor of RISKS Digest, he gave many of us coming up in the 1990s and early 2000s a steady education in the real-world consequences of computer failures. His work made the field more serious, more thoughtful, and more honest. He will be missed.
I first met Peter when we both testified at the 1998 Senate Governmental Affairs Committee meeting on Government Security where the L0pht testified. The combination of Peter and the L0pht made the hearing more powerful even if we hackers stole the spotlight.
Neumann and the L0pht made the same argument from two different directions. Neumann gave the institutional, systems-engineering view: the country was becoming dependent on brittle, interconnected systems that were never designed for security, reliability, or survivability. The L0pht gave the field evidence: here are the actual flaws, here is how attackers think, here is how cheaply and quickly these systems can fail in practice.
Neumann supplied the credibility of a long-time researcher warning that this was not just “hackers breaking into things,” but a structural failure of technology markets, procurement, engineering discipline, and risk management. The L0pht supplied the proof that the warnings were not theoretical. Together, we made the hearing unusually powerful: the academic risk community and the hacker community were telling the Senate the same thing, in different languages, before the rest of the world had fully caught up.
I don't think we (academics) realize how vulnerable we are. I'm not sure how much longer tenure will last in an era when a) we've lost the public trust (for a lot of reasons), b) college/academia is a partisan political issue, and c) college-educated white-collar workers are losing their jobs to AI. We are in an incredibly privileged position relative to others, but that privilege also makes us far more precarious than most academics realize because it makes us a target--and the threat is not just conservative politicians gunning for us but the much larger group of regular people who don't mind if we get put in our place or start losing our jobs like similar others or being asked to do tasks we don't want to do.
Yep, the Computer Security AIpocalypse is happening. Please be patient with the computer security professionals you know for the next few months, as they’ll likely be busy and stressed about preventing the collapse of civilization. https://t.co/AxuD2hEfBD
Milan-Sanremo was awesome this year.
* Pog showing that he's human after all
* Pidcock showing that he's one of the top guys now
* Van Aert showing that he's still got it
* Pedersen signing up 5 minutes before the race and still beating literally everyone else
When youthful energy directs itself toward productive paths it’s amazing what can be achieved. When directed toward the wrong paths it’s amazing how tons of hard work and enthusiasm can produce nothing of value. Trying hard and having a just goal isn’t enough. You actually have to be effective in order to make a difference.
A few years ago, I wasted way too much of my time and Eron's money trying to build something on top of Matrix.
Should have built our own E2EE from scratch. Expensive lesson to learn.
Would it be fair at this point to declare the entire Matrix project to be a dead end?
Looks like they've had tens of millions of dollars of funding with terrible results. The people involved seem incapable.
@eron_wolf They *finally* lost me when it took 600+ messages on a GitHub issue to add an endpoint for setting data that already exists.
Look up MSC 4133 if you want to see every kind of dysfunctional behavior under the sun.
Someone builds a project management tool with Claude Code over a weekend. Ships it. Tweets "just replaced Jira."
The app works. One user, happy path, localhost. Then two people edit the same record simultaneously, and the data is silently corrupted. They don't know what an optimistic lock is. They never needed to before.
The prototype is maybe 1% of what makes software actually work. The other 99% is what you find after real users show up: race conditions, failed transactions, sessions expiring at the wrong moment, a payment webhook that fires twice and charges someone double. AI didn't cover any of that. It built exactly what you asked for.
And the confidence is the worst part. "Just need to adjust a few things before we go live." The few things you need to adjust are the product. That's like laying a foundation and telling people you basically built the house.
Vibe coding works. For personal tools, throwaway scripts, and prototypes you'll never put in front of paying users, it's genuinely fast and good enough. I use it. But there's a hard ceiling, and it shows up the moment the stakes get real.
Agentic engineering is a different discipline. You're not prompting for code. You're decomposing problems, designing system boundaries, writing specs precise enough that the agent doesn't go sideways. You review everything it builds, because it will make mistakes that only look wrong if you know what correct looks like. You guide it. You catch what it misses.
If you don't know what a distributed transaction is, the agent won't save you. It'll generate something broken with complete confidence, and you won't know until production.
The hard part of software was never writing the first 200 lines.
It never was.
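As an added illustration (not part of the original post), here is the lost-update bug the post describes and the optimistic lock that catches it, using Python's standard sqlite3 module on an in-memory table with one constructed "tasks" row; the two users and their edits are assumptions for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample schema: a version column is what makes optimistic locking possible.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tasks (id INTEGER PRIMARY KEY, title TEXT NOT NULL, version INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO tasks VALUES (1, 'draft', 1)")
    conn.commit()
    return conn


def read_task(conn, task_id):
    # Each user loads the row (and its version) into their own form/session.
    title, version = conn.execute(
        "SELECT title, version FROM tasks WHERE id = ?", (task_id,)
    ).fetchone()
    return {"title": title, "version": version}


def save_last_write_wins(conn, task_id, title, _expected_version=None):
    # The naive "happy path" save: overwrites whatever is there, ignoring concurrent edits.
    conn.execute("UPDATE tasks SET title = ? WHERE id = ?", (title, task_id))
    conn.commit()
    return True


def save_optimistic(conn, task_id, title, expected_version):
    # Compare-and-set: the UPDATE matches only if the version is still the one we read.
    cur = conn.execute(
        "UPDATE tasks SET title = ?, version = version + 1 WHERE id = ? AND version = ?",
        (title, task_id, expected_version),
    )
    conn.commit()
    # rowcount 0 means someone else saved first; the caller must re-read and retry.
    return cur.rowcount == 1


def simulate(save):
    # Alice and Bob both open the record at version 1, then save one after the other.
    conn = make_db()
    alice = read_task(conn, 1)
    bob = read_task(conn, 1)
    ok_alice = save(conn, 1, "alice's edit", alice["version"])
    ok_bob = save(conn, 1, "bob's edit", bob["version"])
    return ok_alice, ok_bob, read_task(conn, 1)["title"]
```

With the naive save both users are told "saved" yet Alice's change is silently gone; with the version check Bob's stale write is rejected and can be retried against the current row.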
You may have noticed that when you ask an AI chatbot to evaluate ideas, it often starts with enthusiasm. And when you criticize its enthusiasm, it drops the enthusiasm. I asked Claude (Sonnet 4.6 extended) why it did this, and it had this reply—not news, but worth emphasizing.