Can't wait for the first security incident relating to the fundamentally flawed MCP specification, in which an LLM will inadvertently be tricked into leaking sensitive data.
Increasing the number of "connections" to the LLM increases the risk of a leak, and it gives you more rope to hang yourself with when at least one connection becomes problematic.
Now is a great time to be an LLM security consultant.
> What bothers me more is there are talented people sitting on unemployment right now that can't find a job, yet fake people are getting hired left and right. Something in the industry as a whole is quite broken.
It IS "broken" by design as employers just don't want to go through the effort into finding great candidates (even if they are truly exceptional) and now it is even easier for candidates to cheat it thanks to AI.
The ones claiming to "fix" it aren't fixing anything and are making it worse for both the interviewer and the candidate and are just extracting money from the process.
I wouldn't necessarily say that employers don't want to put in the effort. They put in a lot of effort, but employers direct the effort towards the process rather than the results.
I've been through multiple rounds of interviews with some companies with no end in sight, as many people have. I refer to the endless number of interview rounds as an obsession with process because employers tend to think that the more they evaluate people, the better result they get, regardless of how useful the processes they subject applicants to are. I've generally found people to be going through motions more than anything else, and the additional process is just more work that is not particularly useful to evaluate the candidates. It's still a lot of effort for both the employer and applicants.
That said, I do agree wholeheartedly that they should direct their efforts more towards the result of hiring a good candidate rather than just falling back to blind devotion to some series of processes to weed people out. They should focus on getting the most meaningful bit of information at each round to eliminate the most candidates possible, kinda like a form of optimal experimental design [1] if you are familiar with that term.
Even at small startups, posting engineering jobs will get you hundreds of applications a day. There's simply no way for employers to fairly go through them.
LinkedIn et al make everything worse by making the application process so easy.
If you're a small company, the fix is to outsource the top of your funnel to a recruiting company you trust.
If you're a medium or large company, the fix is to require on-site work.
This isn't really a new problem. I remember back during a previous tech downturn, the small-ish (~200 people) no-name company I worked for also got hundreds of applications a day. Yes, today, fake candidates and AI make it worse, but fundamentally the "huge number of people in the top of the funnel" problem has been a thing for a long time.
> employers just don't want to go through the effort into finding great candidate
The notion that employers can put in the effort to give every candidate a totally fair shot so they can find the best ones is, I think, wrong, let alone the notion that they could but choose not to.
At my last company, we would have needed more people doing application reviews and interviews than we actually had employees if we wanted to do that.
Hell, I remember in college applying for a stock job at the local liquor store. When I went to hand in the application, I was told to put it on the pile: a stack of filled-out applications thicker than several of my textbooks put together, suspiciously placed at the edge of a desk right next to a trash can.
> There's simply no way for employers to fairly go through them.
Sure there is. Randomly sample N, filter down to M, go through preliminary interview stages. Depending on how many that leaves you with rinse and repeat.
The important thing here isn't fairness from the perspective of the applicant. It's a process that works reliably for the company and doesn't unfairly waste applicants' time.
If the very first stage (application plus resume) is no longer a reliable signal then accept that fact and rework the process to match.
> Not all attackers break in, some try to walk through the front door.
Now made even easier for fraudsters, including state actors, thanks to Generative AI. Also:
> Generative AI is making deception easier, but isn’t foolproof. Attackers can trick parts of the hiring process, like a technical assessment, but genuine candidates will usually pass real-time, unprompted verification tests.
This is why Leetcode / Hackerrank and other online assessments (OAs) in the technical interview are unfit for use in the age of AI.
> In the modern era, it’s an organizational mindset.
Security is a way of life for this company, but it would have easily fooled a less security-oriented company, and it will only get worse.
> genuine candidates will usually pass real-time, unprompted verification tests.
I wonder if these are similar to the "tests" in Suits, where they (somewhat inadvertently) check whether someone went to Harvard by asking about the food places students typically went to.
It's a pretty standard thing to do when you suspect someone of not being who they say they are. WW2 German spies would claim to be from New York, and OSS or MPs would ask them who the Yankees' lead pitcher was. Not really a unique or new way of doing things.
Every time a startup uses an MCP server in their product software offering or even offers their own, I can only see the number of security consultants waiting for a massive payout when an LLM causes a security incident.
Come on, that is complete nonsense. Unless you want to board a plane with zero human pilots, or believe that energy grids, data centers, and control systems with only AI robots monitoring them instead of humans are the future. (They aren't.)
Those who know about AI know that statements like that tell us we are still in the euphoria stage and it is the beginning of how this AI bubble will burst.
There will be a time when open-source will race these "so-called" AI companies to zero, to the point where they will be struggling to raise prices or to compete with free.
MCP is a flawed spec and quite frankly a scam.