jvansc a day ago

This is probably an incredibly stupid, off-topic question, but why are their database schemas and logs in English?

Like, when a DeepSeek dev uses these systems as intended, would they also be seeing the columns, keys, etc. in English? Is there usually a translation step involved? Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?

I'm realizing now that I'm very ignorant when it comes to non English-based software engineering.

  • david-gpu a day ago

    > Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?

    That is precisely what happens. It is not unusual for code and databases to be written in English, even when the developers are from a non-English speaking country. Think about it: the toolchain, programming language and libraries are all based on English anyway.

    • londons_explore 21 hours ago

      Interestingly, in the world of electronics this used to be true too. The first diode on a circuit board would be marked "D1", no matter which country produced it. Datasheets for components would be in English. Any text on a circuit board would be in English (i.e. "Voltage Select Switch" or "Copyright 2025").

      However, a few years back it became common for most datasheets to be available in Mandarin and English, and this year most PCB fabrication houses have gained support for putting Chinese characters onto a circuit board (requires better quality printing, due to more definition needed for legibility).

      Now there are a decent number of devices where the only documentation is available in Mandarin, and the design process was clearly done with little or no English involved.

      Not everything changes though - gold plating thickness is measured by the micro-inch. Components often still use 0.1 inch pin spacing. Model numbers of Chinese chips are often closely linked to the western chip they replace, the names of registers (in the CPU register sense) are often still English, etc.

      • Twirrim 20 hours ago

        > Not everything changes though - gold plating thickness is measured by the micro-inch

        Considering how much manufacturing and science etc. has fully migrated to metric, even in the US, this seems bizarre to me.

        • tadfisher 14 hours ago

          Like in machining, there's a long history of measuring everything in "thou" (micro-inch sounds proleptic to me, and you'll see "mil" used in the EDA space). All the tooling uses it, standardized components use it (I can drop a 74-series TTL chip from the 1970s in a modern board), and everyone learns it when they start using EDA.

          Recently there has been a shift to metric in EDA software, so you'll often see multiples of 2.54mm, and packages are switching to metric for the fine-pitch stuff. Often you'll have spacing in both units in the same design.

          • DiggyJohnson 5 hours ago

            Not every day these days do I encounter a new word: proleptic.

            1 the anticipation and answering of possible objections in rhetorical speech.

            2 the representation of a thing as existing before it actually does or did so, as in "he was a dead man when he entered". Compare with analepsis: "the destruction of the Vendôme Column and his part in it are foreshadowed in moments of haunting prolepsis."

      • pjc50 11 hours ago

        > this year most PCB fabrication houses have gained support for putting Chinese characters onto a circuit board

        I've yet to see one of these in the wild, but it sounds cool to me and I would like to see it.

        There's something of a problem the CJK languages have in not being able to do abbreviations or acronyms, so in Japanese you will occasionally see a couple of Latin letters standing out because that's much shorter than an inconveniently translated word.

        • TeMPOraL 11 hours ago

          > in Japanese you will occasionally see a couple of Latin letters standing out

          I mostly encounter this watching anime, and I feel it stands out more than it should. It's not just the sudden shift to an entirely different family of glyphs - the overall typography feels off. There's room for improvement here.

          • DaiPlusPlus 8 hours ago

            > the overall typography feels off

            It’s that ugly vertically-stretched serif typeface - the one used on those little gold-coloured “QA” stickers that used to be everywhere on/in consumer goods.

      • tommiegannert 14 hours ago

        > Components often still use 0.1 inch pin spacing.

        This changed with IC SMD packages. It's now mostly even 100-micrometers.

        SMD passives seem to be in a state of limbo, but mostly still using inches. Mouser lists resistor size codes as both inch and mm. It's a bit confusing.

        • rcxdude 13 hours ago

          yeah, PCBs are a muddled mix. I've seen footprint drawings which use metric for some dimensions and imperial for others!

    • miki123211 17 hours ago

      In my experience, you usually get English variable names / db schemas, localized chats and tickets, with internal docs, log messages and comments being a mixed bag.

      For some kinds of software, localized names make a lot more sense, e.g. when you're dealing with very subtle distinctions between legal terms that don't have direct English equivalents.

    • bryanrasmussen 15 hours ago

      I have worked in a couple places where some of the code was not in English, and it was incredibly annoying, like an affectation.

      • lawn 13 hours ago

        As a Swede I sometimes encounter new programmers using Swedish instead of English and it's incredibly jarring.

        It's a little bit better if only the comments are in Swedish but it's still annoying...

        Luckily it's very rare.

        • arkh 11 hours ago

          Until you start working on a code base made for something local only and with domain specific words. So much joy trying to remember how some word was translated for your code when a user reports a bug or asks for some new feature.

          Bonus point when the people who decided to use English words are also all proud of their "DDD" architecture.

          • throwaway1053 9 hours ago

            I agree. It makes sense when the code needs to handle domain specific words.

            Based on my experience in Norway, it is common to use English, but it is also not a complete surprise to find code in Norwegian either.

            I remember looking at code written by a Norwegian government agency many years ago, and asking why they used Norwegian names for functions and variables. Didn't everyone use English? The answer was that they had so much domain specific terminology that it was not only hard to find English equivalents, it was so ingrained in the business logic that they didn't want to risk any confusion and legal consequences. If a function was named validateFoo, then "Foo" had a single shared understanding.

          • lawn 9 hours ago

            Oh I'm working on a local only project right now and I also feel the pain of badly translated Swedish words. I've spent this week trying to decipher a section of code, trying to map them back to the Swedish concepts.

            I've also experienced a similar situation in an English context where the concept is renamed on UI, while everywhere in the code it uses the old name. Then things are starting to mix with each other and then a new concept is introduced with the old name...

            Fun times.

    • edudobay 8 hours ago

      Considering Brazil and the Spanish-speaking people whom I've worked with, it's common for English coding to be the norm for the company/project, but many people are far from being proficient in English, so we end up with funny names that are often confusing or nonsense - I've seen an "evaluation service" that is actually a "rating service" (both could translate to the same in Portuguese). They often translate to false cognates too.

      There are some business concepts that are very unique to a place (country-specific or even company-specific) with no precise translation to the English-speaking world, and so I sometimes prefer to keep them in their native language.

  • impulsivepuppet 21 hours ago

    It might seem less credible to encounter English in a place where it’s less expected, but think of it this way: would a Yandex-developed ClickHouse database be adopted by Chinese devs if everything in it were written in Russian?

    There is some merit in asking your question, for there’s an unspoken rule (and a source of endless frustration) that business-/domain-related terms should remain in the language of their origin. Otherwise, (real-life story) "Leitungsauskunft" could end up being translated as "line information" or even "channel interface" ("pipeline inquiry" should be correct, it's a type of document you can procure from the [German] government).

    Ironically, I’m currently working in an environment where we decided to translate such terms, and it hasn’t helped with understanding of the business logic at all. Furthermore, it adds an element of surprise and a topic for debate whenever somebody comes up with a "more accurate translation".

    So if anything, English is a sign of a battle-hardened developer, until they try to convert proper names.

    • denysvitali 21 hours ago

      In the wild I've seen a company returning a JSON key "ankunftTime" in one of their APIs

      • TeMPOraL 11 hours ago

        In my experience, Germany is the most common exception to the "programming is done in English" rule.

        In general, these things happen, and are not restricted to pre-Internet times - in fact, I most often see it in random webshit SaaS developed in Europe - things like, say, food delivery - Pyszne.pl and pizzaportal.pl (defunct) come to my mind. Those sites tend to be well-localized, so they seem like local businesses targeting the national market. But then you accidentally look at a URL deep in the ordering form, or the ordering form breaks and you pull up dev tools to fix it, and suddenly you realize the SaaS operator is actually German or Swedish or Dutch, and they're just deploying the same platform across the EU, with a really good localization polish.

        • StefanBatory 11 hours ago

          Speaking on Polish websites,

          // jQuery snippet as posted; czyWybranoPsa = "was a dog selected?"
          function czyWybranoPsa() {
            var isPies = false; // isPies = "is a dog"
            var bil_dod_psy_arr = [17, 18, 19]; // additional-ticket codes for: dog, assistance dog, guide dog (psa, psa-asystenta, psa-przewodnika)

            // .bilet_dodatkowy = "additional ticket"; any selected value in the dog list counts
            $(".bilet_dodatkowy").each(function(idx, elem) {
              if (bil_dod_psy_arr.indexOf(parseInt($(elem).val(), 10)) > -1) {
                isPies = true;
              }
            });

            return isPies;
          }

          ;)

      • throwaway2037 15 hours ago

        Google tells me that "ankunft" means arrival in German. Is that correct?

        • whilenot-dev 14 hours ago

          Correct, it's "arrival time".

          It isn't uncommon to find German variable names in codebases that predate web 1.0 or Linux.

          Now that I think about it, German is especially good at creating words by concatenation. So "arrival time" should just be the single word "Ankunftszeit" - "ankunftZeit" feels a bit off.

          • TeMPOraL 11 hours ago

            Yup. If languages were characters in a computer RPG, they'd have "special skills" listed on their character cards. Off the top of my head:

            - English: verbing and nouning. All languages have ways of introducing new words, but only in English I've seen it accepted as something anyone can casually do in a throwaway manner. Have a noun but want to talk about the (contextually) default action related to the noun? No big deal, just stick an "-ing" or "-ed" to its end and carry on. I adore this feature.

            - German: word concatenation you mention, it's a killer feature. And then there's the peculiar grammar that puts the most important verb at the very end of a sentence, giving you stuff like "Gegen die hohen Preise für Gas, Strom und Treibstoff will die Regierung etwas machen", meaning "The government wants to do something about the high prices for gas, electricity and fuel", but structured as "<tone> <stuff> <blah> <blah> <subject> <stuff> do something". So not only do you need to listen to the end of a sentence to know what it's about, but you can actually zone out a bit early on, catch the last few words, and still recover the meaning. I'm sure one could write an interesting signal processing take on this.

            (If anyone knows examples of such unique/special "skills" for other languages, I'd love to hear about them!)

            • nuancebydefault an hour ago

              Dutch

              'Aan die hoge brandstofprijzen zal de regering iets gaan DOEN' ("The government is going to DO something about those high fuel prices").

              If I say it in my local dialect, it will sound a lot like German.

              Speaking of unique skills, I find French very unique as well. "His life" translates to "sa vie" because vie happens to be female. "what is it" translates to "qu'est-ce que c'est", a _seemingly_ random concatenation of shortened words, in spoken form it is only 3 syllables!

            • iggldiggl 8 hours ago

              > And then there's the peculiar grammar that puts the most important verb at the very end of a sentence

              An American woman visiting Berlin - intent on hearing Bismarck speak - obtained two tickets for the Reichstag visitors' gallery and enlisted an interpreter to accompany her.

              Soon after their arrival, Bismarck rose and began to speak. The interpreter, however, simply sat listening with intense concentration. The woman, anxious for him to begin translating, nudged and budged him, to no avail.

              Finally, unable to control herself any longer, the woman burst out: "What is he saying!?" "Patience, madam," the interpreter replied. "I am waiting for the verb."

  • rcruzeiro a day ago

    Someone who worked on a non-English environment years ago here: sometimes you do use the local language in some contexts, but, more often than not, you end up using English for the majority of stuff since it's a bit off-putting to mix another language with the English of programming languages and APIs.

    • heelix 21 hours ago

      Our US company sent me to France to help out with an implementation. The guy I worked with spoke very little English and my French is terrible. Both of us had done Latin, however - so the comments were hilarious as we used that as our common link. One of those projects I'd expect to show on the daily WTF at some point.

      I did try my hand at a translation tool, as it was all i18n up proper. Watched one guy blow coffee through his nose when I demo'ed - and the 'BACK' navigation was the French word for a person's back or something like that.

      • 0xDEAFBEAD 15 hours ago

        Isn't it true that schoolboys in many countries would learn Latin 100+ years ago? I suppose it would've been used sometimes in international communication?

        • djtango 12 hours ago

          I learned Latin in the 90s-00s

          If you're from Europe knowing Latin definitely gives you a deeper appreciation of a bunch of stuff.

          It's a useful way of formalising verb conjugation and tenses which is common across the major European languages. Something they all take for granted, but I watched my poor mother's mind melt when she tried learning German as a Chinese speaker. Especially as a lot of these forms are looser and more forgiving in English.

          A lot of vocabulary has its origins in Latin and biology and medicine still like to borrow from it.

          It's niche but only today I was playing some Mozart on the piano and saw "M. S." where I was meant to cross the hands and I considered for a sec and guessed it must be mano sinistra (forgive the declension) even though I've never learned Italian thanks to Latin.

        • stratocumulus0 15 hours ago

          100+ years is still pretty recent. The immediate predecessor to English as a world language was French. Matter of fact, my country has only dropped French translations from its passport with the most recent design update a decade ago or so.

          Latin would have been used pre-Renaissance. Our grandparents might still have had to learn it as part of an educated person's toolkit, but by then it had long since ceased to be intended for communication.

          • throwaway1053 7 hours ago

            > The immediate predecessor to English as a world language was French

            From what I remember, there was a divide between Catholicism and Protestantism, where some of the smaller countries that followed Protestantism used German as a common language due to its origins. I think knowledge of German in Norway was something that was expected of students attending the universities until the mid 1900s (due to geopolitical changes)

        • SSLy 4 hours ago

          My high school (late 00s) had Latin classes for some students on the life sciences track.

        • senko 14 hours ago

          It's still mandatory (1-2 years) in non-vocational high schools in Croatia, for the stupidest of reasons ("culture" and "you might need it in law or medical higher education").

        • azinman2 15 hours ago

          I was offered it in the 90s in school.

        • stef25 9 hours ago

          Lol, I learned it in the 80s - 90s. If you chose to learn Latin & Greek in high school here in Belgium then you're seen as being a top student. It's still a big thing.

        • petesergeant 10 hours ago

          It was mandatory at the schools I attended from 7 to 14, which was in the 90s, although this was at what British people call "prep/public schools", a group of a few hundred fancy fee-paying schools. Most people dropped it at 14 (GCSEs), and almost everyone dropped it by 16 (A Levels)

    • icepat 21 hours ago

      Yep, myself as well. I've heard non-English programmers who've worked with non-English codebases call them "very weird".

      • stratocumulus0 15 hours ago

        I've been working on a project for the former Polish state telco and the codebase was mostly Java EE as written in the mid-00's. Since you cannot really be productive in Java without an IDE, standard English conventions for naming have been pushed onto the devs from early on - a getter must start with `get` or `is` if the return type is boolean, class names have to contain standardized postfixes corresponding to the design pattern used, such as `AbstractFactoryBean` etc. But since few people spoke English back then, they ended up with awful hybrid names such as `getCennikSluchawkiKeySet` or `OfertaManagerPrzylaczeProxy`.

        • StefanBatory 11 hours ago

          From famous examples, ;)

          // jQuery snippet as posted; czyWybranoPsa = "was a dog selected?"
          function czyWybranoPsa() {
            var isPies = false; // isPies = "is a dog"
            var bil_dod_psy_arr = [17, 18, 19]; // additional-ticket codes for: dog, assistance dog, guide dog (psa, psa-asystenta, psa-przewodnika)

            // .bilet_dodatkowy = "additional ticket"; any selected value in the dog list counts
            $(".bilet_dodatkowy").each(function(idx, elem) {
              if (bil_dod_psy_arr.indexOf(parseInt($(elem).val(), 10)) > -1) {
                isPies = true;
              }
            });

            return isPies;
          }

      • ninetyninenine 18 hours ago

        A lot of software design from the English world centers around "design patterns." And these "design patterns" have advanced nomenclature and often make things more convoluted than necessary. The whole concept of these "patterns" is actually an arbitrary style that got invented in the English speaking world. In non-English countries people program in ways that are more straightforward.

        • etrautmann 17 hours ago

          Can you provide an example?

          • ninetyninenine 17 hours ago

            First, we create an AbstractFactory to generate objects that conform to our standardized output structure, ensuring extensibility in case "Hello, World!" ever needs additional variants. The Singleton manages our PrintManager, enforcing a single, controlled point of access to the output stream while Double-Checked Locking ensures thread-safe initialization. Dependency Injection provides our PrintHandler with a flexible logging system, allowing it to notify an Observer whenever "Hello, World!" is printed. The Mediator coordinates between components to ensure the PrintHandler doesn’t have direct dependencies on the OutputStrategy.

            To maintain optimal efficiency, a Flyweight is used for the "Hello, World!" string, preventing redundant memory allocation. The Proxy regulates access to the print function, ensuring only authorized modules can invoke it. The Composite structure organizes potential multiple output streams, making it easy to expand the system beyond just console printing. A Factory of Factories, or MetaFactory, oversees creation of our AbstractFactories to maintain consistency and scalability.

            Before execution, Encapsulation hides implementation details while Cohesion ensures the PrintHandler remains single-responsibility. Loose Coupling ensures that changing one component won’t break the system. Interfaces dictate behavior, and Abstract Classes provide reusable codebases. Dynamic Dispatch selects the appropriate OutputStrategy at runtime.

            To enhance modularity, a Decorator wraps the PrintHandler for additional formatting options, an Adapter ensures compatibility with different logging frameworks, a Memento preserves state in case a rollback is needed, and a Facade simplifies access for higher-level modules. The Chain of Responsibility delegates different logging levels, while the Command Pattern encapsulates the printing request for possible queuing or delayed execution.

            By adhering to Open-Closed, we can extend our print functionality without modifying core logic. Liskov Substitution ensures all output strategies remain interchangeable. Interface Segregation ensures smaller, focused contracts. Dependency Inversion prioritizes abstractions over concrete implementations.

            Finally, SOLID principles uphold scalability, reusability, and maintainability. UML diagrams map out relationships, Sequence flows depict interactions, and Design Contracts enforce constraints, ensuring the system remains adaptable.

            After all this, we simply call PrintManager.getInstance().print("Hello, World!"); and marvel at our masterpiece.

            • pjc50 11 hours ago

              This is very much a Java phenomenon. These things do have value .. when correctly applied. But sometimes it's like seeing someone make a gadget with fifty different types of bolts rather than one or two simply because they want to use all the bits of their socket set.

              • ninetyninenine 9 hours ago

                No it’s from a book called Design Patterns. It forever influenced a huge number of American programmers to think about programming in a very specific way following very specific patterns.

                I’m working for a company that’s doing things in TypeScript using IoC and dependency injection everywhere. It pervades the minds of Americans such that they walk and talk like a parrot parroting that book.

                What Americans don’t realize is that those patterns are arbitrarily made up. It’s as arbitrary and localized as the Japanese having to bow for politeness. There’s nothing intrinsically hugely beneficial about following this style. In fact, modern languages push against it. Languages like Go and Rust are examples. Even JavaScript was an example, although recent ES6 syntax makes these patterns easier now.

                • tonyedgecombe 8 hours ago

                  > No it’s from a book called design patterns

                  I think you will find most Java programmers were using these patterns before they came across the book. The language naturally leads you in that direction. The book just put a name on them.

                  • brandonmenc 7 hours ago

                    The book was published in 1994 with examples in C++ and Smalltalk.

                    Java was released in 1995.

                    • ninetyninenine 5 hours ago

                      Yes, OOP was and still is religiously followed by many. But during that time it was new and thought of as revolutionary.

    • sghiassy a day ago

      Dumb question, but it would then seem that you have to know English to program??

      • rtpg 20 hours ago

        This is a bit environment dependent is my impression. Like France and Japan both have enough people shitty at English to generate either translations or home grown programming learning material to fight against this barrier. But my impression is that, like, a German programmer isn't getting far in life without being comfy reading stuff in English

      • pjc50 11 hours ago

        Many non-English-language countries end up with most people who've been through higher education knowing at least some English, not only so they can handle sources but also so they can talk internationally to any other country as well as consume American media.

        It's also a status symbol.

        The smaller the language pool is the stronger this effect is. Japan is large enough that it's less guaranteed. Places like India and Indonesia that have a lot of internal languages end up using English as a lingua franca (+) as well.

        (+) latin term!

      • princemaple 20 hours ago

        Kinda. Some of them know all the English words in the programming language they code in, and not much else.

        • lukan 20 hours ago

          Subset of the English language, is the right term I believe.

          (someone who had to learn english to do programming)

      • evantbyrne a day ago

        Not literally required, because languages typically support UTF-8 source files, but it would be difficult to use most popular software libraries without being able to at least read English.

        • maximilianthe1 21 hours ago

          Actually, most "most popular software libraries" have either translated docs, or guides in a non-English language. Furthermore, modern browsers can translate text on the fly. Some (like Yandex.Browser [1] not_an_ad) can even translate videos on the fly.

          [1] https://yandex.ru/project/browser/streams/technology (RU only)

          • autumnstwilight 20 hours ago

            Sure, most of them have docs in some non-English languages, but rarely all of them. And things like StackOverflow answers, bug reports and discussions, tutorials, and blog posts tend to be mostly in English. Autotranslate works to some extent but can be misleading or confusing when dealing with specialized terms that aren't well represented in its corpus. My Japanese coworkers certainly need to be able to comprehend written English.

          • evantbyrne 19 hours ago

            Sure docs for massively popular libraries are translated but think about using autocomplete, reading the actual library code, or even just reading other code in your organization. I have to imagine it would be difficult without any English proficiency.

      • wisty 14 hours ago

        A lot would probably be loan words anyway, and they're words many English speakers would also need to learn. Array, socket, database, loop, float, function, etc.

        If the stack overflow examples are in English, you might as well use it. That's also why JavaScript is maybe a better choice than Typescript even if Typescript is better.

      • presentation a day ago

        Probably at least some, because most tools’ documentation is not going to be in your language – at least that’s how it is here in Japan. That said, there are plenty of Japanese engineers who have very low English skill.

      • creakingstairs a day ago

        It’s harder to learn for sure. Majority of the resources are in English and it’s harder to internalise the keywords. But it’s definitely possible to program without knowing English.

        • sghiassy a day ago

          But like, you can’t program Java without English right? A for-loop has to be written in English?? I’m so confused haha

          • yk 21 hours ago

            You don't need to know that the keywords are actually english words. So to start the first program on a floppy on a C64 you would type

            load "*",8,1

            and back then I didn't understand what load means any more than I understood what ,8,1 means, I just knew that if I press this sequence of letters it will start summer olympics.

          • dragonwriter 20 hours ago

            > But like, you can’t program Java without English right?

            Sure you can, if you know Java, which is its own language distinct from any natural language.

            Conversely, you can't program in Java if you know English, but not Java.

            > A for-loop has to be written in English??

            No, it has to be written in Java. It's true that Java keywords are mostly themselves borrowed from English (often by way of C++ or other computer languages rather than directly) with a use in Java that has some connection to the meaning in English, so it's probably easier to learn Java if you already know English (even before considering that there is probably more and better documentation in English than in other languages), but that's not the same as English being a requirement for programming Java.

          • mikedelfino 20 hours ago

            A for loop and other syntax keywords are barely the only English people have to understand in programming. One could say that these could just as well be arbitrary symbols, and programmers would just memorize them. But think of all the concepts named in English such as exception, factory, facade, adapter, interface, iterator, needle, haystack, constructor, queue... you name it. Not to mention documentation. So yeah, some English is mandatory, even if we're not able to communicate properly. In some projects though it's not uncommon to use local language for the domain while still keeping technical concepts in English, like getAnniversaire() or PersonneTable.

          • FeteCommuniste 21 hours ago

            Yes, for Java in particular you need to know the various English keywords. At least I don’t think anyone has written a non-English Java variant that compiles to the JVM just as Java would.

          • tharkun__ 17 hours ago

            If you know another language than English, try Microsoft Excel in that other language. And even if not, just for fun install a non-English version of Excel.

            They translated the keywords. Even if you've programmed in proper programming languages for years without knowing English, all the regular keywords to get stuff done you will know in English. And you won't be able to do a single thing in Excel coz none of the keywords work.

            One good thing I guess: You can honestly say when they ask you "hey, you know how to program computers, right? Can you help me with this problem in Excel" and you can honestly say: Nope, can't, no idea how that works. See it doesn't even have a simple IF.

            Example: https://easy-excel.com/excel-in-other-languages/excel-formul...

          • numpad0 19 hours ago

            It's like the names of Pokémon. Every kid knows that Bulbasaur is grass/poison type and evolves into Ivysaur at level 16. You have to memorize them all to be a good player and that's a whole load of nonsense! But that's not a relatively huge undertaking, and nothing remotely like a full language.

          • 0x457 21 hours ago

            Yes, but you don't need to know what "for" and "while" mean in your language, you just need to know their behavior. The same way Arnold Schwarzenegger was acting without knowing much English - everything was phonetically spelled for him in early roles.

            • throw_pm23 21 hours ago

              Or when Kennedy said in Berlin "ich bin ein Berliner" reading from a cue card that said "bear-leaner" :)

          • bentcorner 21 hours ago

            I imagine you could have a non-English toolchain, it's just uncommon. You may have to write a bunch of it yourself.

            Come to think of it, I wonder if there are language concepts that don't map to English that artificially restrict what we can program?

            For example would programming U->D, R->L in Chinese (vs L->R, U->D in English) result in easier to read programs somehow?

            Would being able to program using iconography (like a bunch of FE languages) result in more "screens" of text to aid understanding?

          • wongarsu 20 hours ago

            I learned Pascal before I learned many English words like "if". You don't need to know what "if" or "for" mean to remember those keywords or to know what they do.

      • notatoad 20 hours ago

        for all intents and purposes, yes.

        relying on machine-translated documentation or limiting yourself to only using libraries written in your native language would be a huge impediment.

  • bri3d a day ago

    Almost all software engineers learn a passing amount of English - truly localized programming environments are quite esoteric and not really available for most mainstream use cases I can think of.

    Depending on the company culture and policy, the most common thing to see is a mix of English variable and function names with native-language comments. Occasionally you will see native-language variable and function names. This is much more common in Latin character set languages (especially among Spanish and Portuguese speakers) in my experience; almost all Chinese code seems to use approximately-English variable and function names.

    • buu700 21 hours ago

      I've also seen a codebase with a mix of English and Portuguese variable/function names and comments. In that particular case, the Portuguese variable/function names were basically treated as technical debt, with a gradual ongoing transition to consistent English naming.

  • nemoniac 11 hours ago

    Not only that, DeepSeek "thinks" in English!

    When I interact with it by asking it a question in Spanish, the parts between the <think> ... </think> are in English before it goes on to answer in Spanish.

    Give it a try in your favourite language.

    I went on to ask it if it "thinks" in English, Spanish or Chinese but it just gives the pat answer that, being an LLM, it doesn't think in any language.

    • chromanoid 11 hours ago

      I assume that there is a prompt that asks the LLM to generate its thoughts. This prompt is probably in English.

  • 0xcde4c3db a day ago

    > Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?

    I'm a native English speaker, but from looking at various code bases written by people who aren't, I gather that it's basically this. It wasn't too long ago that one couldn't even reliably feed non-ASCII comments to a lot of compilers, let alone variable and function names.

  • amonith 8 hours ago

    I've been doing SWE for 10+ years in Poland and I encountered non-English language in code precisely once - in a German project, lol. Some guys do leave Polish comments here and there, or in commit messages or in other docs/jira tickets/whatever - but in db schema, variables, properties, methods etc? Never, ever. English is 100% a requirement for every developer job offer I've ever encountered in Poland. Not necessarily a very high level for programmers (if you don't speak directly with the client), but you wouldn't get an offer at all if you're very far below B1.

    I mean we're kind of an outsourcing hub so it makes sense. Even some of our companies outsource further to the east so you really can't avoid it.

  • lukan 20 hours ago

    "Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?"

    Yes, that's what we did and do.

    Depending on the project, I do use German variable names and comments at times, but stopped using all special characters like öüäß; they mess things up, even though in theory they should just work fine.

    Nowadays even Chrome dev tools come in German, but experience shows that translated programming tools (or any software really) usually just have the UI a bit translated. Any errors you encounter or any advanced stuff will be in English anyway. And if you google issues with your translated UI, you won't find much, so better to just use the original version.

    So english it is.

    (And it is the lingua franca in most parts of the world anyway)

    • maeil 15 hours ago

      Your country's biggest SW company is SAP, world infamous for their German column names, haha. Pretty sure it's the most widely used product in the world with non-English internals that people actually interact with - I'm sure there's some Realtek firmware with billions of installs that's in Chinese but barely anyone has to look at that.

  • sakras 15 hours ago

    From what I’ve seen, code usually comes in one of two languages: English or French. Somehow everyone but the French speaks enough English to write code!

    • sharpy 12 hours ago

      Worked for a French company once. The code was in English, but the comments were in French. I guess this happens because all the language keywords are English, so it might be strange to mix and match languages there. But comments were fair game.

      • sakras 26 minutes ago

        Ah interesting! I've definitely seen some French code somewhere with the variable names being all French as well, so it really was strange to see them be mixed.

  • victorbjorklund 13 hours ago

    I'm from Sweden (okay not same thing as China due to english being more common here) but I always code in english. Even if it is a script just for myself I will use english for variable names etc

    • 2mlWQbCK 12 hours ago

      I do that as well, and also in almost all my personal documents on most (but not all) topics. All the books and most online forums I read are in English. I'd rather have documents uniformly in Swedish English (en-SE?) than some Swenglish mess of Swedish mixed with English words.

      It also helps on the rare occasions some random notes evolve into a proper project that will have to be in English eventually anyway. There is no need for an extra translation step between initial idea and final product. All my vague hobby gamedev ideas are in English for instance.

  • pllbnk 10 hours ago

    I am European, however I have worked with developers from various parts of Asia and South America. English is usually a second language, however most developers are fairly fluent using it as a spoken or written language. Also, most development resources are written in English, so all developers know how to read it. Programming languages and their standard libraries are also written in English. It's the lingua franca worldwide, so we are all happy to use it in the technical context.

  • sedatk 21 hours ago

    As a Turkish developer, I can say that all developers learn at least some English in order to be able to grasp documentation and also programming languages since syntactic elements are in English too.

    That said, many developers might still prefer Turkish for naming DB tables, fields, variables, types and so forth if that’s the preference of the team. It wouldn’t be an exceptional situation. It’s quite easy too since Turkish also uses a Latin alphabet. May not be as easy or preferable in Chinese.

  • Lanolderen 14 hours ago

    In Germany I've seen both. Whenever possible I push for having everything in English. Code comments, general documentation, databases, etc simply because the german developers know English but the non-german developers sometimes don't know German. It also puts everyone at roughly the same language level since we don't have many English natives.

    PS: I remember quite a while back when Wargaming's World of Tanks became a big thing they had to translate everything from Russian to English because they wanted to get foreign developers involved as well. Never heard of the reverse happening.

  • 0x457 21 hours ago

    Unless they're using a programming language that isn't English-based (for example, Russian 1С system uses Russian keywords and the whole codebase is usually in Russian), then most of the code stays English.

    This way, you don't have to change keyboard layout while writing code.

    Anyway, you're forced to learn some English when doing any real software development.

    • kdmtctl 20 hours ago

      Anecdotally, a lot of 1C developers are not proficient in anything else because they don't need English in the main field, platform docs included, and can only get scarce translated versions of anything else. And blogs in Russian, which are not plenty and not always correct.

      This makes some of their infra work and common misconceptions a little bit ... esoteric. So, English is crucial not just to do the job but to get best practices and CS info in general. It really helps a lot.

  • Bayart 8 hours ago

    > Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?

    That's how it goes, at least around Europe. People know English as a technical jargon (similar to legal French and Latin in English) and can juggle enough to get around documentation, but I've been in companies where I was the only fluent English speaker (and we're talking startup stuff). That gave me a bunch of cool opportunities though, being pulled in every other meeting as the designated translator.

  • Etherlord87 9 hours ago

    I remember when Adobe Flash Player would report bugs in Polish, because my Windows was Polish. Googling the bug message was problematic, because most discussion is done in the international language, English. So the next time I was installing Windows, I made sure to choose English as the language. The same goes for browsers and pretty much everything else.

  • jmorenoamor 17 hours ago

    I write code in English and user (admin, ops, app user) messages in the appropriate language.

    As programming language keywords and APIs are written in English, it just looks better to keep it that way for identifiers and internal doc; the other way causes a dissonance for me which feels uncomfortable.

  • senko 14 hours ago

    > Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?

    Not only that. All of the code I (not a native English speaker) write, even if only I will ever see it, is in English - comments too. And I'm pretty confident all my colleagues do that too.

    Might be different for languages with large population of native speakers (Croatian is just a few mil so we're more exposed to it), but you still can't avoid using English for tools / libs / docs / research papers / stack overflow...

  • ceejayoz a day ago

    The languages and frameworks and documentation are often in English. The code has a good chance of also being in English as a result.

    See also: aviation.

  • vjk800 13 hours ago

    There basically isn't non English software engineering.

    English is the universal language in programming and software engineering, much like Latin was the universal scholarly language in the past. Sometimes even to the extent that the language starts leaking from the code and technical documents, reports, etc. are being written in English, often just because the people working close to the software are more familiar with the terminology in English than in their native language.

    • formerly_proven 8 hours ago

      Curiously that wasn't always the case, if you bought a compiler and IDE in the 90s or 2000s from Microsoft or a few others, you'd get an environment that's fully translated to the local language. Granted, those translations frequently made almost no sense at all, but the words were all decidedly Not-English. You could also go out and buy translated books and references.

      Even when you install e.g. Debian today and select Not-English as the system language, you might be surprised to see that GCC actually has i18n'd error messages, at least for some languages. Same for coreutils. I doubt anyone uses that intentionally, and they're probably not very up to date, but it does exist... kinda.

  • yonatan8070 16 hours ago

    I'm a native Hebrew speaker, I wouldn't even think to put Hebrew into my code, similar to how I won't use emoji or other non-ascii characters, except Hebrew in particular is even worse since it's RTL, and mixing it into LTR code would be a pain in pretty much every text editor.

    I do occasionally find code with variable names in other languages, but it's very rare, for the most part if you want to code, English is the way.

    I've also seen a few devs who used Hebrew variable names but spelled in English (`shalom` instead of שלום).

  • scheme271 15 hours ago

    That's pretty much it. Even stuff developed in other countries tends to be in English. For example, Lua was created in Brazil but it's primarily in English. Or Ruby, it was created by a Japanese dev but I don't think it really supported Japanese for a while.

  • markus_zhang 21 hours ago

    It's very uncomfortable to switch languages during development. Think how often you would need to switch languages if you use Chinese for column names and such. English has been the second language for Chinese for the past 30 or so years. I started to learn English in Grade 4, and nowadays they start in kindergarten.

    However, I suspect it's a honey pot.

  • karmasimida 15 hours ago

    Because DeepSeek researchers are Elite, English is like very very easy and common for top Chinese students. They just use it, and feel nothing wrong about it.

  • krust 20 hours ago

    >Or do devs around the world just have to bite the bullet and learn enough English to be able to use the majority of tools?

    Yes, coding in english is the standard.

  • ghfhghg 17 hours ago

    That's my experience working in Asia. All the comments were in Japanese though

  • csomar 17 hours ago

    Thank god everyone accepted that, otherwise the fragmentation would be insane.

  • colordrops a day ago

    I worked at a Chinese company for a while and they used Chinese in meetings but English in the code base.

  • formerly_proven 8 hours ago

    EU - while exceptions exist, my experience generally has been that devs working in English are virtually always much better devs than their peers working in the native language of the land. Likewise, most business projects I've worked on were entirely English on the inside, even when the UI was e.g. german-only. I've also seen a few projects where the business domain is so thoroughly native-tongue (typically when the business domain is a projection of the local bureaucracy) that you couldn't name business entities in English if you tried. Those can end up with a somewhat weird hodgepodge, where the code and comments and such are still English, just the names of the entities aren't.

  • dailykoder 16 hours ago

    I write all of my code in english. Even if it's just for me. I am a native german speaker.

    It just makes things A LOT easier in terms of debugging, researching, reading examples from documentation, etc etc. I don't even understand my (boomer) colleagues who straight up refuse to learn english and get angry when they can't find solutions with german search input

  • likeabatterycar a day ago

    Most Chinese open source code I've seen is written in English, with English variable names, but comments in Chinese Unicode glyphs (in between all the buffer overflows and other general carelessness).

    Don't forget Shenzhen is a stone's throw away from Hong Kong where English is widely spoken.

galnagli 15 hours ago

Thank you everyone, this was responsibly disclosed to DeepSeek and published after the issue was remediated, we got acknowledgment from their team today on our contribution.

  • leftcenterright 10 hours ago

    were these "dev" domains holding real production data? the blog post does not clear it for me.

caust1c a day ago

Interesting to note:

- Dev infra, observability database (open telemetry spans)

- Logs of course contain chat data, because that's what happens with logging inevitably

The startling rocket building prompt screenshot that was shared is meant to be shocking of course, but most probably was training data to prevent deepseek from completing such prompts, evidenced by the `"finish_reason":"stop"` included in the span attributes.

Still pretty bad obviously and could have easily led to further compromise but I'm guessing Wiz wanted to ride the current media wave with this post instead of seeing how far they could take it. Glad to see it was disclosed and patched quickly.

  • pedrovhb 21 hours ago

    > but most probably was training data to prevent deepseek from completing such prompts, evidenced by the `"finish_reason":"stop"` included in the span attributes

    As I understand, the finish reason being “stop” in API responses usually means the AI ended the output normally. In any case, I don't see how training data could end up in production logs, nor why they'd want to prevent such data (a prompt you'd expect to see a normal user to write) from being responded to.

    > [...] I'm guessing Wiz wanted to ride the current media wave with this post instead of seeing how far they could take it.

    Security researchers are often asked to not pursue findings further than confirming their existence. It can be unhelpful or mess things up accidentally. Since these researchers probably weren't invited to deeply test their systems, I think it's the polite way to go about it.

    This mistake was totally amateur hour by DeepSeek, though. I'm not too into security stuff but if I were looking for something, the first thing I'd think to do is nmap the servers and see what's up with any interesting open ports. Wouldn't be surprised at all if others had found this too.

    • caust1c 21 hours ago

      Seems that you're right! Also, not that I doubted they were using OpenAI, but searching for `"finish_reason"` on the web all point to openai docs. Personally, I wouldn't say it's a very common attribute to see in logs generally.

      https://platform.openai.com/docs/api-reference/introduction

      Right there in the docs:

      > Now that you've generated your first chat completion, let's break down the response object. We can see the finish_reason is stop which means the API returned the full chat completion generated by the model without running into any limits.

      Regarding how training data ends up in logs, it's not that far fetched to create a trace span to see how long prompts + replies take, and as such it makes sense to record attributes like the finish_reason for observability purposes. However the message being included itself is just amateur, but common nonetheless.

      • miki123211 17 hours ago

        > not that I doubted they were using OpenAI

        The OpenAI API is basically the gold-standard for all kinds of LLM companies and tools, both closed and open source, regardless of whether the underlying model is trained on OpenAI or not.

        • TeMPOraL 10 hours ago

          Not just the gold-standard, but also a de-facto standard - most of the proprietary and OSS tools I've seen that let you configure LLMs only implement support for OpenAI-compatible endpoints.
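The thread above makes the point that a trace span recording `finish_reason` and latency is legitimate observability, while recording the prompt and reply text in the same span is what turns a leaked telemetry database into a chat-history leak. The following is an added example (not DeepSeek's, Wiz's, or any tracing library's code) of a span-attribute scrubber that keeps the outcome fields and replaces the content with a fingerprint and a length; the attribute names (`llm.prompt`, `llm.completion`, `llm.finish_reason`, and so on) and the sample span are assumed for illustration.

```python
"""Scrub chat content out of trace span attributes before they are exported.

Added example; it is not DeepSeek's, Wiz's or any tracing library's code.
The attribute names (llm.prompt, llm.completion, llm.finish_reason, ...)
and the shape of the sample span below are assumed for illustration.
"""
import hashlib
import json
import re

# Attributes whose values are user or model text: never export verbatim.
CONTENT_KEYS = {"llm.prompt", "llm.completion"}

# Attributes that answer the observability questions (latency, outcome,
# cost) without carrying the conversation itself.
SAFE_KEYS = {"llm.model", "llm.finish_reason", "llm.prompt_tokens",
             "llm.completion_tokens", "http.status_code"}

# Anything that looks like a bearer token or "sk-" style API key in a value.
SECRET_RE = re.compile(r"(?i)\b(?:bearer\s+|sk-)[a-z0-9._~+/=-]{8,}")


def fingerprint(text: str) -> str:
    """Short, non-reversible reference to the content, so an incident can
    still be correlated across spans without storing the text itself."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def redact_span_attributes(attrs: dict) -> dict:
    """Return a copy of `attrs` that is safe to hand to a span exporter.

    Content keys become a fingerprint plus a length; allow-listed keys pass
    through; other scalar strings are kept only after token-shaped substrings
    are masked; structured values (lists, dicts) are dropped entirely, since a
    full message array is the usual way a conversation leaks into a span.
    """
    out = {}
    for key, value in attrs.items():
        if key in CONTENT_KEYS:
            text = value if isinstance(value, str) else json.dumps(value, sort_keys=True)
            out[f"{key}.sha256_16"] = fingerprint(text)
            out[f"{key}.length"] = len(text)
        elif key in SAFE_KEYS:
            out[key] = value
        elif isinstance(value, str):
            out[key] = SECRET_RE.sub("[REDACTED]", value)
        elif isinstance(value, (int, float, bool)):
            out[key] = value
    return out


# Constructed sample span, modelled on what a chat-completion trace might
# record. It is not a real DeepSeek span.
SAMPLE_SPAN = {
    "llm.model": "chat-model-v1",
    "llm.prompt": "How do I set up ClickHouse securely?",
    "llm.completion": "Set a password for the default user and bind to localhost.",
    "llm.finish_reason": "stop",
    "llm.prompt_tokens": 9,
    "llm.completion_tokens": 12,
    "http.request.header.authorization": "Bearer sk-live-abcdef1234567890",
    "chat.messages": [{"role": "user", "content": "..."}],
}


def demo() -> dict:
    """Redact the constructed sample span."""
    return redact_span_attributes(SAMPLE_SPAN)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The allow-list, rather than a deny-list, is the design choice that matters: a new attribute added by a well-meaning developer ("let's also log the system prompt") is dropped or masked by default instead of flowing into the trace store.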

danielodievich a day ago

open exposed clickhouse is this decade's open exposed elasticsearch so common in the past

  • ebfe1 17 hours ago

    AFAIK, open-source Elasticsearch has not offered any form of authentication upon installation for many years, but ClickHouse does, and in fact I'm often surprised at how many authentication mechanisms were introduced over the years and can be easily configured:

    - Password authentication (bcrypt, sha256 hashes)

    - Certificate authentication (Fantastic for server to server communication)

    - SSH key authentication (Personally, this is my favourite - every database should have this authentication mechanism to make it easy for Dev to work with)

    Not very popular but LDAP and Http Authentication Server are also great options.

    I also wonder how DeepSeek engineers deployed their ClickHouse instance. When I deployed using yum/apt install, the installation step literally asks you to input a default password.

    And if you were to set it up manually with the ClickHouse binary, the out-of-the-box config seals the instance from external network access and the default user is only exposed to localhost, as explained by Alex here - https://news.ycombinator.com/item?id=42871371#42873446.
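The comment above describes the two things that separate a safe ClickHouse deployment from the exposed one in the write-up: a password on the `default` user and a listen address that is not the public internet. The following is an added example (not ClickHouse tooling and not the Wiz scanner) that checks the first of those from the outside, by asking the HTTP interface to run `SELECT 1` with no credentials, and derives the hash value for a `<password_sha256_hex>` entry in `users.xml`. It assumes ClickHouse's default HTTP port 8123, and that an authentication failure comes back with the usual `Code: 516` / `Code: 194` exception text in the body; the sample responses are constructed, not captured traffic.

```python
"""Probe a ClickHouse HTTP interface for unauthenticated query execution and
derive the hash a hardened users.xml needs.

Added example; not ClickHouse's own tooling and not the Wiz scanner. Assumes
ClickHouse's default HTTP port 8123 and that an authentication failure comes
back with the usual "Code: 516" / "Code: 194" exception text in the body.
"""
import hashlib
import urllib.error
import urllib.parse
import urllib.request

PROBE_QUERY = "SELECT 1"
DEFAULT_HTTP_PORT = 8123  # ClickHouse HTTP interface; the native protocol is 9000


def probe_url(host: str, port: int = DEFAULT_HTTP_PORT, query: str = PROBE_QUERY) -> str:
    """URL that asks the HTTP interface to run `query` with no credentials."""
    return f"http://{host}:{port}/?{urllib.parse.urlencode({'query': query})}"


def classify(status: int, body: str) -> str:
    """Turn a probe response into a verdict.

    A 200 whose body is the query result means the server ran our SQL for a
    user that needed no password (typically `default` with an empty password).
    """
    if status == 200 and body.strip() == "1":
        return "EXPOSED"
    if "Code: 516" in body or "Code: 194" in body or status in (401, 403):
        return "AUTH_REQUIRED"
    return f"UNEXPECTED_HTTP_{status}"


def probe(host: str, port: int = DEFAULT_HTTP_PORT, timeout: float = 5.0) -> str:
    """Send the probe over the network and classify the reply."""
    req = urllib.request.Request(probe_url(host, port))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # ClickHouse reports query and auth errors as HTTP error statuses;
        # the exception text is still in the body.
        return classify(err.code, err.read().decode("utf-8", "replace"))


def password_sha256_hex(password: str) -> str:
    """Value for <password_sha256_hex> in users.xml: hex SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed responses standing in for two servers; not captured traffic.
SAMPLE_RESPONSES = {
    "open-instance": (200, "1\n"),
    "hardened-instance": (403, "Code: 516. DB::Exception: default: Authentication failed: "
                               "password is incorrect, or there is no user with such name."),
}


def demo() -> dict:
    """Classify the constructed sample responses."""
    return {name: classify(status, body) for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    import sys
    print(demo())
    if len(sys.argv) > 1:  # python probe.py <host> to test a live instance you are authorized to scan
        print(sys.argv[1], probe(sys.argv[1]))
```

On the server side the matching fixes are the ones the comment names: keep `<listen_host>` in `config.xml` on loopback (or an internal interface) rather than `0.0.0.0`/`::`, and in `users.xml` give the `default` user a `<password_sha256_hex>` (or one of the other mechanisms listed) together with a `<networks>` allow-list, so that an accidental firewall change does not turn the instance into an open SQL endpoint again.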

  • bearjaws a day ago

    Which was originally the open exposed mongo server, then mysql/phpmyadmin, then exposed ftp, and then exposed telnet.

    • hmmm-i-wonder 8 hours ago

      We move on and upwards, but never really stop making the same mistakes do we.

  • blitzar 12 hours ago

    open exposed S3 bucket is this decade's open exposed S3 bucket so common in the past

  • astrea 21 hours ago

    Shows how old I am. Thought we were still in the "exposed ElasticSearch" era.

    • kdmtctl 20 hours ago

      I was sure this was Elastic, you are not alone.

mmaunder 20 hours ago

Does DeepSeek have a bug bounty program I'm not aware of with a clearly defined scope? It appears that Wiz took it upon themselves to probe and access DeepSeek's systems without permission and then write about it.

If you do this and the company you're conducting your "research" on hasn't given you permission in some form, you can get yourself in a lot of hot water under the CFAA in the USA and other laws around the world.

Please don't follow this example. Sign up for a bug bounty program or work directly with a company to get permission before you probe and access their systems, and don't exceed the access granted.

  • throwaway-bb2 14 minutes ago

    Going throwaway account for this.

    Wiz folks are notoriously shady. They cross the line a ton. They did this to Amazon and Microsoft to make a name among other. Super unethical.

    Their product isn't terrible but their sales people are just terrible. Completely off-putting. Most of them are idiots from zscaler.

  • soulofmischief 20 hours ago

    Your posturing is unwarranted. Literally in the first paragraph:

    > The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure

    • mmaunder 20 hours ago

      Posturing huh? Nice. That was intended to be helpful. Go read the CFAA. What they did is, believe it or not, illegal. I didn't make the law, and many think the CFAA is ridiculous, but that's how it works. If you even access a computer system beyond what you've been granted it's a CFAA violation with stiff penalties.

      • BoorishBears 20 hours ago

        Quite the posturing with that last sentence

        • mmaunder 20 hours ago

          omg dude it literally says that in the code: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

          • ziddoap 19 hours ago

            https://www.justice.gov/opa/pr/department-justice-announces-...

            >The Department of Justice today announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA).

            The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

            • mdaniel 18 hours ago

              AIUI "policy" is not "law," and are subject to the whims of the current leadership in the DoJ

              Then again, it's my opinion that "law" isn't "law" if one has enough lawyers

              • soulofmischief 15 hours ago

                You're correct, this is not so black and white as you originally established. Glad you came around!

                And yes, it's posturing if you wax on from such a pedestal without even reading the first paragraph of the article, which addresses your legitimate concerns.

                • archon810 14 hours ago

                  You're not replying to the original poster. It's a different commenter.

          • ergl 12 hours ago

            Would a law specific to the United States apply when you're probing a Chinese company?

  • tevon 20 hours ago

    They left open a publicly exposed database... I'm sure they informed the company about this before publishing their post. Why are you blaming Wiz for this?

  • xinayder 12 hours ago

    I agree with your comment, but also there's probably an unspoken gentleman's agreement that DeepSeek fixed the issue and won't pursue legal action against Wiz, since they were helpful and didn't do anything malicious.

    I did the same a while ago, an education platform startup had their web server misconfigured, I could clone their repo locally because .git was accessible. I immediately sent them an email from a throwaway account in case they wanted to get me in trouble and informed them about the configuration issues. They thanked me for the warning and suggestions, and even said they could get me a job at their company.

  • janalsncm 8 hours ago

    The CFAA is a US law. Assuming you break it, in order for that to matter, an American prosecutor needs to find time to prosecute you for doing so. Does Deepseek have any American presence at all?

    Likewise, there may be Chinese laws that were violated. However, outside of China they are a moot point.

  • ziddoap 20 hours ago

    They're publicly accessible URLs.

    DeepSeek & users that had data exposed here should be thanking Wiz.

  • pinoy420 20 hours ago

    Yes but they’re chinese so it’s okay /s

    They are getting DoS’d by us gov too so they were only trying to help /s

semking 17 hours ago

Can you imagine executing arbitrary SQL queries via your web browser? :D

Complete database control and potential privilege escalation within the DeepSeek environment without ANY authentication...

ripped_britches 21 hours ago

Ironic - I bet if you ask deepseek r1 how to set up clickhouse it would tell you the right way to do it.

NathanKP a day ago

And that's why you run models locally. Or if you want a remote chat model, use something stateless like AWS Bedrock custom model import to avoid having stored chats on the server.

  • dotancohen a day ago

    Not many non-gamers have hardware capable of running such a model locally - never mind the skills.

    For most people, bash is not a tool for interacting with the computer, it is how they express their frustration with the computer (sometimes leaving damaged keyboards).

    • razster 21 hours ago

      I have DeepSeek-R1 1.5b running on a Raspberry Pi 5. I have DS-R1 14b Q6 running on my old AM4 Ryzen with an AMD GPU, without issues. My primary workstation is running 32B Q8 and without issues. And it's simple!

      • smallerize 19 hours ago

        That's not the DeepSeek R1 model that they're offering via the API on these servers. That's a Qwen model that's been fine-tuned on output from the big R1 model.

        • xinayder 12 hours ago

          Source?

          • dreilide 10 hours ago

            https://huggingface.co/deepseek-ai/DeepSeek-R1-Distill-Qwen-...

            DeepSeek-R1-Distill-Qwen-1.5B, DeepSeek-R1-Distill-Qwen-7B, DeepSeek-R1-Distill-Qwen-14B and DeepSeek-R1-Distill-Qwen-32B are derived from Qwen-2.5 series, which are originally licensed under Apache 2.0 License, and now finetuned with 800k samples curated with DeepSeek-R1. DeepSeek-R1-Distill-Llama-8B is derived from Llama3.1-8B-Base and is originally licensed under llama3.1 license. DeepSeek-R1-Distill-Llama-70B is derived from Llama3.3-70B-Instruct and is originally licensed under llama3.3 license.

    • loloquwowndueo a day ago

      Wow all the gamers with mad LLM skillz.

      • 0x457 21 hours ago

        Pretty sure gamers are mentioned because those are the usual demo that has GPUs with enough memory outside of people in the ML industry.

        • loloquwowndueo 21 hours ago

          So you’re in the demo scene as well? Yay

  • tonygiorgio a day ago

    You could also use models that run on nvidia’s trusted execution environment.

    • janalsncm 8 hours ago

      Nvidia naming it “trusted” doesn’t mean I trust it.

anhldbk 18 hours ago

Good finding. I don't see its timeline usually discussed in other Ethical hacking and responsible disclosures.

mmaunder 20 hours ago

The amount of vitriol in these comments is the really surprising data. I've seen the same on Twitter. I can only put it down to the financial pain DeepSeek inflicted on many US retail investors by wiping almost $700 billion off NVidia's stock price. I think a lot of folks didn't see it coming and it hurt them right where it matters most: In the wallet. The anger out there is very real.

  • bobxmax 19 hours ago

    It's also deeply damaging to the western ego, especially one rooted in American exceptionalism.

    But also one those of us actually working on foundational AI saw coming a mile away when most of the top research of late has been happening in Chinese labs, not American or European ones.

    Can't wait to see what this boneheaded President's tariff on TSMC does to this situation.

    • hsuduebc2 19 hours ago

      Well, to be honest, most of this initially came from the US, so the general surprise is understandable. But of course it would be foolish and arrogant to assume that for all progress forever.

      I don't understand the rage. This is good for everyone. Competition is what drives innovation and they even open sourced it! If you want to outdo them, learn from them. Don't just try to cry louder, it's embarrassing for everyone.

    • jimkoen 19 hours ago

      > Can't wait to see what this boneheaded President's tariff on TSMC does to this situation.

      Can you please provide a source? Genuinely curious as this would be fatal to the US economy. Imagine working 2 years to get out from Covid chip shortages only to hammer progress down with tariffs.

  • m00x 19 hours ago

    The hit on NVidia's stock price makes no sense to me.

    DeepSeek uses H100s and H800s. They'll likely have reasons to buy more now, and America will want to compete even harder, buying more chips.

    American companies are still way ahead as well, but they're just getting more competition. This will be healthy.

    • forgotoldacc 19 hours ago

      Many stocks aren't grounded in reality. They're essentially Memecoins: Classic Edition™ now.

      Tesla barely even sells but the stock just won't go down. Boeing orders have fallen massively and they're posting massive losses each quarter, and management shows zero desire to improve the situation. But the stock has basically stabilized since the initial catastrophes.

      • eru 18 hours ago

        Well, you can't have it both ways:

        Some people like to complain that the stock market is very short termist, and valuations never reflect what happens in the long term. And here you complain that the stock market doesn't focus solely on short term pain, but is looking to some potential futures.

        • IsTom 11 hours ago

          I wouldn't call Tesla's and especially Boeing's problems "short term".

    • mlinsey 19 hours ago

      People saw how much cheaper it was to train DeepSeek v3, and assumed this reduced NVidia's TAM. I think this doesn't make much sense.

      a) For inference, cheaper and faster compute will increase total inference spend, because the end-user products will work better and people will use them more.

      b) For training, the big labs will continue to spend because we have yet to see diminishing returns to scale - in fact, we have in the past year unlocked a new dimension to scale up training-time compute - doing more RL after pre-training to improve reasoning capabilities. Since current SOTA models are not yet smart enough for all the tasks people want to use them for, this means that any efficiency gains will be used to further improve performance. In the current competitive environment, even with DeepSeek's work, it's near-impossible to imagine OpenAI, Anthropic, Google, or Meta deciding to cut the compute budget for training their next model by an order of magnitude. They will still incorporate DeepSeek's techniques into their next model, but use them to squeeze even more performance out of the compute they have, and will keep purchasing as much compute as NVidia will sell them. Expect this trend to continue until there are no more returns to scale anymore.

      • robomartin 18 hours ago

        It's even more fundamental than that.

        Any data center project currently under way or with plans to open within the next year or two has already placed orders with NVidia or will do so very soon. Due to demand and lead times, you have to order the critical parts and systems today if you want to have half a chance of receiving them a year from now. Hardware supply lines are long and complex. I like to say that you cannot run a compiler and end up with a warehouse full of chips.

        The next fundamental reality has to do with competition.

        Suppose company A foolishly decides to build a data center with only 10% of the chips they originally wanted based on the hype around DeepSeek. In the meantime, company B sticks to the plan and, perhaps, decides to add the 90% of chips data center A did not take.

        The net result will be that company A will be absolutely destroyed by company B. They will have nearly twice the compute capacity, which will translate to a huge competitive advantage across many fronts.

        In other words, the selloff is, at best, ill informed. Market forces caused FUD. The smart ones took it as an absolutely massive buying opportunity. All you have to do now is wait.

        • dutchbookmaker 9 hours ago

          Because all this with the stock price has nothing to do with reality.

          Everyone just starts repeating the same things until people believe them as fact.

          The "sell off" was basically nothing. Who cares that the NVDA went back to the price it was in October then bounced in the after market one day.

          It is a complete non-story. Even at the bottom of the "sell off" it was still up 20% from the end of summer.

          Listening to any news makes people less informed about the world in 2025. We are way past Gell-Mann amnesia. That was for the newspaper. "The news" in 2025 is really a strange kind of mass confusion engine. The more news a person consumes the more confused they are about the world.

          • robomartin 4 hours ago

            To be fair, the problem (if we are going to call it a problem) might be more fundamental than that.

            The reality is that your average "civilian" stock investor, speaking in very generalized terms, is supremely ignorant.

            I don't say this as a pejorative BTW. I am supremely ignorant of the inner workings of the pharmaceutical industry. Because of this, I do not invest in that sector. I have no way to understand any of it at a depth sufficient for me to make informed decisions. I'd be throwing darts at a board.

            That is precisely the situation with lots of investors in the chips, electronics and software worlds. They don't know what they are doing. They have no clue whatsoever about the business cycles and realities of making these things, selling them, bringing them to market, competitive landscapes, implementation, etc.

            And so, they are blind and reactive. If they stay in panic mode, we might very well see NVidia stock get down to $100. Frankly, I am actually rooting for that. I want all of these fools to get off the stock. And I want to load-up on it some more. They don't understand business (in general) enough to understand the relationship between DeepSeek and data centers, planned and future. They don't even stop to think about the reality that nobody in business who isn't a fool is going to use an AI service in China or developed by China. If they are hyperventilating about TikTok, I cannot even imagine what it would be like if all AI queries go to servers in China or are answered by models trained in China. I love China for all they have achieved, but it is no secret that they are not an open society at the level of most western societies.

            I think we just have to wait until the sheep stop running before sanity will return to the field. They are getting hurt very badly. It's sad to watch.

    • gleenn 19 hours ago

      The stock price had assumptions baked in about the number of units expected to be sold. DeepSeek cut that hardware estimate by as much as 45x. That is the absolutely obvious correlation between that model being very efficient to train and NVDA dropping 18%.

      • aoanevdus 19 hours ago

        I don’t get it. The labs have regularly made improvements that dramatically lower the cost of training an equal-performing model. When they do this, they also train a larger model with even higher performance. This time, DeepSeek did the first part but didn’t do the second. Now every lab in the world will throw their compute into the effort to replicate and beat DeepSeek’s model with larger scale. It’s not like everyone is just going to say “well I guess AI is smart enough now, no point improving it anymore!” and stop building bigger training clusters.

        If anything, r1 makes even more GPU demand likely, since it mitigated or at least delayed the risk AI hit a dead end (in which case, ceasing development may actually make sense).

      • sampullman 19 hours ago

        It still doesn't make sense to me. If the money for training is still there, wouldn't companies that can afford it use the efficiency gains and also scale up models?

        Unless AI is a bubble, and it pops, I can't see the demand for compute going down.

        • EGreg 19 hours ago

          I think AI is a bubble. The amount of compute for inference is vastly overestimated, because a lot of caching is coming. It's driven by maniacal statements like Sam Altman's insistence that we must spend Trillions on compute, to achieve AGI, and it's more important than anything else.

          Project Stargate is some large fraction of that, and of course Softbank is no stranger to losing money on overestimating demand (for example, WeWork). To be fair, China has a lot of overestimation of demand too (for example Evergrande). The other is that rapid competition leads to overinvestment by all parties.

          https://www.wsj.com/tech/ai/sam-altman-seeks-trillions-of-do...

          • disgruntledphd2 12 hours ago

            Which is great for us, we'll have loads of cheap compute and hopefully a bunch more carbon free energy supply, assuming that the AI stuff all ends in tears (for now).

            • EGreg 4 hours ago

              Yep! Shareholders and capitalists overinvesting in stuff is great if it leaves behind great infrastructure. They take the risk and the public benefits.

        • MichaelZuo 19 hours ago

          They would scale things up slightly slower.

          And money 5 years from now is simply worth less to markets than money 7 years from now.

      • Aunche 19 hours ago

        Eli Whitney thought he could reduce slavery by making cotton processing 45x more efficient...

      • stavros 19 hours ago

        Can someone explain how DeepSeek cut that estimate? Their (fast) API is always down, and the third-party providers on OpenRouter are more expensive than Claude.

    • EVa5I7bHFq9mnYK 13 hours ago

      The nvidia bubble went too far and was about to burst anyway. I started to buy puts a year ago. DeepSeek was just a convenient catalyst.

    • ziofill 18 hours ago

      Arbitrage opportunities :)

    • jijji 19 hours ago

      It's probably the lack of understanding of the market... Most people thought there was a ban (issued by the US in 2022) against China being able to utilize the H100 Nvidia graphics cards to prevent them from using AI (for the obvious purpose of oppressing their people). If anything, export controls need to be looked at and probably tightened as this is a glaring loophole.

      • teleforce 19 hours ago

        > export controls need to be looked at and probably tightened as this is a glaring loophole

        US is the prominent trade freedom proponent champion until it does not suit them

        Also US is the prominent democracy proponent champion until it does not suit them

        And also US is the free speech freedom champion until it does not suit them

        • stickfigure 18 hours ago

          "US" is not a monolithic mind.

        • blackeyeblitzar 18 hours ago

          There are probably exceptional situations for each, but the US is far more for these things than against, to an extent that is unique and unprecedented. And that has improved lives and secured freedom not just for Americans but for many people around the world. Your negative take on the US isn’t convincing for me, as it is uncritical. Who champions free speech more, for example?

        • jijji 19 hours ago

          I can understand your argument, but I also understand why the US would try to ban an oppressive regime that specifically uses technology like AI for ubiquitous surveillance, behavior monitoring and social credit, facial recognition systems that can identify Uyghurs and alert authorities, internet monitoring (they arrest people every day for writing banned words on WeChat for example)... I think it's probably fine if they make the equipment themselves, but the US probably shouldn't be supporting this type of activity.

          • amlib 18 hours ago

            Sorry for the whataboutism, but the US looks more and more hypocritical when they sell themselves as the paragons of democracy and free trade, ready to save the world from authoritarian China but are fine selling AI and AI hardware (and armament, but that's another matter...) to Israel's oppressive regime which clearly uses it to persecute and kill innocent Palestinians.

            It's all just dirty politics, in the end none of the people in power care if selling such technology feeds a monster or not, as long as they get their bags of money.

            • jijji 15 hours ago

              I think the difference in your comment is that China is doing this to their own citizens. Israel is oppressing their enemy, who have voted for Hamas to be the leader of their government, whose stated intent is to destroy Israel... Big difference.

              • VagabundoP 9 hours ago

                How many people alive in Gaza today voted for Hamas?

                What an incredibly awful comment to make after so many kids have gotten blown to bits by Israel as some sort of justification.

                Same sorts of stuff were said about Irish people during the Troubles btw.

              • throwaway2037 15 hours ago

                > voted for Hamas

                I needed to remind myself of how many times they did that (once). It is incredible that Palestine hasn't had an election since 2006. Ref: https://en.wikipedia.org/wiki/2006_Palestinian_legislative_e...

                  • disgruntledphd2 12 hours ago

                  Yup, and as soon as Hamas were elected, the liberal world refused to deal with them. Never mind how convenient Hamas have been for Likud over the past few decades.

                  It looks incredibly hypocritical to much of the world, and I can see why.

            • blackeyeblitzar 18 hours ago

              [flagged]

              • TeMPOraL 9 hours ago

                > but surveys indicated that an overwhelming majority of residents of Gaza supported Hamas even after the mass murder and rape of October 7.

                I'm not sure what result you expected. True or not, claims of atrocities committed by your government are always uncertain in practice - people will argue whichever way depending on their goals and beliefs (like we're doing here just now), so even if you believe them, unless you've actually seen them first-hand, they're always somewhat abstract considerations. Meanwhile, the fundamental reality for people in Gaza is that they're being bombed left and right by some outsiders. So when more outsiders come asking them whether they still like their government - government who, other than committing atrocities in what they sell as defensive war, are also responsible for keeping food, water and power flowing while bombs dropped by outsiders keep raining down your streets, does anyone expect majority to say "no, we don't like our government - please keep bombing us until we find a better one"?

                I bet if you polled the population of Iraq or Afghanistan in the middle of US invasions of either, you'd get similar results supporting the evil government too.

                Dropping ordnance on people has a way of skewing their responses in political polls away from what you'd expect in a stable democracy.

              • computerthings 16 hours ago

                > surveys indicated that an overwhelming majority of residents of Gaza supported Hamas

                Come on, nearly half of the inhabitants of Gaza are/were under 18. "Surveys" cannot make collective punishment legal, or annexation and ethnic cleansing for that matter. I'd say outright cutting off a whole population from food and going on TV to rant about how even the babies are terrorists isn't self-defense or security. If anything it's a second set of religious extremists that needs Hamas just like Hamas needs them. And in similar fashion, they use "Israel" as a shield for what they want, despite the Israelis who do respect human rights and international law, and get threatened for it.

                > You’re trying to separate Hamas from everyday people in Gaza

                They are separate. Each person is responsible for their actions. You can't speak of democracy and then casually ignore this.

                • blackeyeblitzar 15 hours ago

                  I mentioned the surveys to indicate the complicity of the civilian population in Hamas’s actions. Often people claim the residents of Gaza didn’t vote for Hamas since the last election was in 2006. But the surveys reveal that most of them do support them and their religious terrorism.

                  > "Surveys" cannot make collective punishment legal, or annexation and ethnic cleansing for that matter.

                  What do you mean by annexation given that the entire region, including Jerusalem, the West Bank, and Gaza were occupied by Jewish people long before Islamic Arabs were in the area?

                  What do you mean by ethnic cleansing given that Gaza’s population has grown rapidly over time, given Israel announces targets ahead of time, and given that most of Gaza’s residents still live? Israel could level all of Gaza but they haven’t done anything even remotely close to that. Even the highest claimed counts of deaths in Gaza would amount to a couple percent of the population. That doesn’t seem very successful for an ethnic cleansing.

                  > outright cutting off a whole population from food

                  Food and aid which Hamas stole and sold for money to fund terrorism to kill Israelis, all aided by UNRWA.

                  > Each person is responsible for their actions.

                  Right and Hamas was voted in by everyday people and still has their broad support despite terrorism, murder, and rape.

                  • forgetfulness 14 hours ago

                    Your impassionate argument in favor of an ethnic cleansing with bombs, starvation and lack of sanitation lies in stark contrast to this outrage about the Uyghurs' culture being erased with development and draconian imprisonment for suspected extremism, while at the same time, the West Bank was reduced to a patchwork of ghettos with draconian checkpoints where life is cheap if you are suspected to be an extremist.

                    On the one hand, the slaughter of teenagers today in Gaza is justified because of the sins of their forefathers in electing Hamas, on the other, it's a genocidal atrocity that beards can only be so long in Xinjiang.

                    The US is only more righteous for supporting America's Greatest Ally at the cost of the lives of its citizens, of those of Arab countries and, now with the TikTok ban, of its founding principles, in your world.

                    • blackeyeblitzar 12 hours ago

                      I think you're raising an important point that I acknowledge, and I need to process that more. But my immediate thought is to note that the two situations are very different to me. Uyghurs are indigenous to Xinjiang (more than anyone else), and Islamic Arabs in Gaza or the West Bank are not indigenous to the region around Israel (Jewish people are, while Gaza's residents are outsiders since Islamic Arabs aren't indigenous to the region). The CCP/PRC is erasing Uyghur life in Xinjiang and forcing their population growth downward, while Islamic Arabs living in Israel have full protection of the law, can practice their religion and culture freely, gain wealth, have families without forced sterilization or abortion, and live without the threat of the state kidnapping their children. There's no evidence of Uyghurs broadly supporting terrorist attacks, while there's evidence of Gaza residents overwhelmingly supporting things like repeated rocket attacks.

                      There's more but basically there are enough differences that the situations can be treated differently. But at the same time, I do hope for a different, peaceful solution. Surveys show Islamic Arabs are generally quite happy under Israel, but that won't work for those in West Bank or Gaza perhaps. You are right that teenagers who aren't supportive of terrorism don't deserve violence. A two state solution still seems like the best idea, but Hamas has still not shown support for it, even though it would mean peaceful coexistence and could lead to a rebuilding of Gaza and West Bank.

                      • nakeru 6 hours ago

                        What you call "Islamic Arabs" makes no sense. They are as native as the Jewish people. Mostly because they're no more or less "Arab" than the Jewish people. Religion is what separates them, not race. Also, your argument ignores time. Even if it were true, for how many centuries have these "Islamic Arabs" been there? Why are they any less "from there" than Jewish people?

                      • VagabundoP 8 hours ago

                        And there is an overwhelming support for the war in Gaza from Israelis, that many consider a gross violation of international law going beyond war crimes into genocide territory. If that is shown to be the case would Israelis deserve what they get in response? I doubt you'd agree.

                        Every genocide, every occupation and every conflict has its own historical conflict. You need to examine your own massive biases here, adjust your view to international law and human rights and you'd see the massive injustice here that is fueling the conflict and will continue to until it's addressed.

                        Israel is not securing its own safe future here, there is no military solution here. Hamas will rebuild itself if it hasn't already because the crimes they have committed and the people they have murdered will only boost the recruitment of Hamas and other paramilitary groups. This has always been the way the world over. Jewish history itself has examples of this.

                        And I've never seen a good faith attempt from Israel wrt this conflict that hasn't been completely derailed by the Israeli extremists and hardliners.

                  • VagabundoP 8 hours ago

                    You mentioned America as an exemplar of democracy further up, while in truth it is an extremely flawed model of democracy:

                    https://en.wikipedia.org/wiki/The_Economist_Democracy_Index

                    There are better models of democracy around.

                    Israel has the right to defend their country of course, but Palestinians have the right to fight occupation under international law. They are massively repressed around the world - try supporting Palestinian rights in the US right now.

                    Anyone can be labelled a terrorist. I would label the IDF a terrorist organisation due to their methods, their justifications for the many human rights abuses and killings ring very hollow. They also encourage and support their own fundamentalists - aka settlers - to commit crimes.

                    Lastly I think anyone who commits war crimes should be brought to the ICC; Israel has shown it is incapable of broadly prosecuting these crimes and obviously the PA can't either. It is Israel's fault if they kill civilians and I don't buy any of their justification as they've been shown again and again to be untrustworthy. I believe they will be found guilty of genocide in the end, and the countries who supplied them with the weapons and tech will be guilty of enabling a genocide - there's plenty of evidence that the state department in the US has brushed knowledge of human rights abuses and war crimes under the carpet for political and ideological reasons.

                    • blackeyeblitzar 4 hours ago

                      > You mentioned America as an exemplar of democracy further up, while in truth it is an extremely flawed model of democracy

                      I disagree with your framing, as does your source. The index you shared does not paint America as "extremely flawed", but just flawed (and even so, almost at the score of getting their highest rank). So adding the word "extremely" is your editorial take. However, their rating system is not transparent - it's not clear who they surveyed or what questions they asked. It's also clear this rating system is only somewhat correct in scoring countries - for example both Canada and Australia are democracies but have notable restrictions on free speech, a core principle of a free society and any democracy - but they were ranked higher than the US.

                      > Anyone can be labelled a terrorist.

                      Labels can be misused, but what actually happened? Has Israel been shooting rockets indiscriminately into Gaza? No, but people in Gaza have been doing that for a few decades now. In fact, the rocket attacks got a lot worse after Israel left Gaza in 2005. Is that not terrorism?

                      > It is Israels fault if they kill civilians

                      How can it be when they're pursuing terrorists who choose to use human shields on purpose? Israel has been careful to announce targets ahead of time and has gone above and beyond what any other country would to avoid civilian casualties. But in this situation, which was created by Hamas and their supporters, a country that wishes to protect itself from attacks can't achieve zero civilian deaths. That's unrealistic for any conflict, but especially this one.

              • maxglute 16 hours ago

                >against Uyghur Muslims

                Against Islamic fundamentalist terrorism committed by Uyghur extremists.

                Rotating a bunch of Uyghurs through a few months of "reeducation/deradicalization" classes with minimal fatalities and pouring billions to improve regional infra + gdp is orders of magnitude more magnanimous than what happened/is happening in Gaza, or what's left of it. It's delulu to think otherwise. It's more kid gloves than the US prison industrial complex. And it more or less comprehensively solved the Uyghur extremism and attacks in PRC (100s of attacks over the years with 1000+ fatalities). The Muslim world is far better off that PRC has successfully implemented securitization technology to deradicalize, because they have the most to gain from it, that's why there's broad support from Muslim leadership. PRC figured out how to actually eliminate radical terrorism without droning weddings, so of course a bunch of security cameras and Chinese lessons and first world infra has no equivalence to US funding Israel to murder and maim kids and turning most of Gaza into rubble.

                • blackeyeblitzar 15 hours ago

                  Annexation by a violent dictatorship, cultural suppression, forced reeducation of hundreds of thousands of children separated from their parents, forced sterilizations, forced abortions, labor camps, and large number of deaths isn’t magnanimous. It’s genocide under international law. It is wild that you’re even defending this.

                  > PRC has successfully implemented securitization technology

                  Is that the best euphemism you could come up with?

                  > that's why there's broad support from Muslim leadership

                  I’m not even sure who you’re talking about, but having military or economic ties distorting things isn’t the same as support. Find me a quote of an Arab leader explicitly supporting the genocide of Uyghurs by the CCP.

                  > PRC figured out how to actually eliminate radical terrorism without droning weddings

                  This is a hilarious rebranding of what the CCP/PRC actually did, which is thousands of times worse and larger in scale than the few drone incidents you’re talking about.

                  • maxglute 15 hours ago

                    It absolutely does not qualify as genocide. Hence it's never been categorized as genocide by the UN, unless you subscribe to Mike Pompeo's version of international law. The UN already recognizes XJ as PRC, annexation is over, it's fully incorporated and legally part of sovereign PRC soil for decades. There are more Uyghurs now than when the campaign started (and ended)... at most it's cultural genocide, which unfortunately (or fortunately for everyone including the west) ... is internationally permissible (no law against). Frankly some overdue cultural genocide to eliminate fundamentalism in 1% of the population to end decades of fundamentalist Islamic terrorism is completely justifiable. It would be downright negligent and immoral not to, certainly more ethical than the US or ISR methods which you seem to play down.

                    There aren't 100,000s of children separated. Parents rotate through reeducation for a few months, temporary separation in the interim, family reunited after. The entire program lasted ~4 years, even if you take peak US propaganda, 1/12 of Uyghurs is roughly the lifetime internment rate for US blacks, except US minorities will end up rotating through the prison industrial complex for longer. The flip side of PRC enforcing family planning on previously exempt minorities is the US banning abortions. No labour camps, just very generous rural labour transfer programs where they make multiple times their current income. It's like if the US had a jobs program that gave the bottom quantile 50th percentile wages. Nor a large number of deaths... barely any. Even peak retarded US propaganda doesn't pretend so. So yes, compared to Israeli or US military actions, it's downright magnanimous.

                    >euphemism

                    It's not a euphemism, it's "safe city" technology, i.e. huawei surveillance for export. And countries are buying. Because you know, it's better than mowing the lawn with bombs, or spending a decade trying to do whatever the fuck GWOT was failing at that just ended up with (conservatively) 100,000s of dead muslims.

                    > having military or economic ties distorting

                    Except MENA has much closer military and economic ties with the US... yet they still overwhelmingly side with the PRC narrative over XJ. The entire excuse that MENA leaders are in PRC's pocket is economically illiterate and geopolitically stupid. There isn't a quote of Arab leaders supporting genocide of Uyghurs, because none of them except occasionally Turkey recognize it as genocide. They recognize XJ securitization as a deradicalization and antiterrorism effort, which it is, because it stopped both. And they endorse it, because they have the most to gain from working deradicalization efforts. Which the US does not have a model for. Nor Israel. Well maybe Israel if they just keep murdering kids every few leap years.

                    >thousands of times worse and larger

                    My guy if you think the US is only responsible for a few drones, and Israel killed fewer Muslims than PRC did in XJ, or if you think top is worse than bottom in the pic below then you have some screws loose. Ultimately PRC did what the US failed at, at a fraction of the cost, and a fraction of the lives, while adding 12x Afghan GDP per capita. Thinking that's 1000s of times worse and larger is delulu American math.

                    https://pbs.twimg.com/media/GBEy7HyaUAA3V7c.jpg

                    Let's just say if Obama got a Nobel Peace prize for trying to bring peace to the middle east, then Xi and Chen deserve 10.

                    • blackeyeblitzar 14 hours ago

                      > It absolutely does not qualify as genocide

                      Even just forced sterilization and abortions, which you admitted and rebranded as “enforcing family planning”, is genocide under international law.

                      > Parents rotate through reeducation for a few months, temporary seperation in interim, family reunited after.

                      Your few months claim is false. But let’s say it isn’t - are you really claiming this is okay? “Yea they just kidnap your children for a few months”. You clearly don’t have kids to minimize what this is and what it would do to the parents and children.

                      > Nor large number of deaths... barely any

                      Barely any that China admits. Of course they kept the area locked down, kept international agencies away, and admit nothing to keep the lie going. But numerous survivors have corroborated programs of torture and killings. You have to be naive or a CCP shill to think there were “barely any deaths”.

                      Sorry but you’re outing yourself here with this unfactual take that a few web searches easily disprove.

                      • maxglute 13 hours ago

                        Last effort reply.

                        > is genocide under international law

                        No, genocide is conditional on intention to destroy. Which PRC policy isn't. It's just boring family planning that always applied to Han, that minorities historically got to opt out of due to affirmative action, now equally applied to Uyghurs with 3+ kids. Meanwhile the Uyghur population continues to increase, and family planning still limits Uyghurs and minorities to 3 kids like every other ethnic group, aka positive TFR / mathematically impossible to actually eliminate a minority. Hence it's retarded to think this satisfies the definition of genocide, and why the US propaganda campaign failed so hard. Because anyone except the most brain rot liberal world ordertard realizes it's coercive integration/sinicization but not genocide. If PRC wanted to actually genocide Uyghurs, with their industrial capacity, they could do it in a weekend, instead they spent trillions retraining the populace and subsidizing the region's QoL. It's stupid to think it's genocide for the simple reason that reducing 55 PRC minorities to 54 looks bad for Xi's hagiography.

                        >few months claim is false

                        Except it's true, most get put through a few months of patriotic education to scare them from fundamental Salafism/Salafi-jihadism. PRC doesn't have the money to waste interning million+ like the US prison industrial complex forever because jailing people is profitable. I didn't say it was "OK", I just said a few months of scaring people straight at "don't be bad muslim camp" is much better/expedient/ethical than bombs. It's not minimizing, it's acknowledging that's better than kids spending years being afraid of the blue sky because some drone operator in CONUS can end you any time. And frequently does. Besides, Han migrant parents are away from their kids for years; Uyghur kids can handle a few months living with relatives while their parents learn how to raise them to not commit terrorism or go do a factory rotation in another province and bring home a year's wage in a few months.

                        >Barely any

                        Barely any that US intelligence or anyone can find, and even US propaganda under Pompeo didn't try to spin mass deaths because again it would have been absurd to even try. By survivors you mean atrocity propagandists begging for visas, idiots like Sayragul Sauytbay who went from "did not personally see violence" at the camps in 2018 to "inmates were flayed, raped by guards in front of other prisoners, and given injections that made them infertile" in 2019. You would have to be naive to believe obvious atrocity propaganda. And even more delusional than a CIA shill to believe there were extreme deaths like the scale of Gaza or GWOT, since even POMPEO's CIA propaganda DOESN'T try to spin mass death. Like the most retarded anti-CCP/PRC "thinktanks" estimate for deaths is single digit thousands throughout the XJ internment phase... for reference ~4000 prisoners die in US prisons every year, i.e. the 4 years of XJ "re-education" statistically killed fewer than US prisons during the same time period.

                        So let that settle in: your positions are literally more ridiculous than what lying Pompeo is willing to propagandize. Claiming otherwise is not just not factual but delusional beyond even already delusional propaganda. It's outing the sheer unhingedness of your worldview, which TBH explains how you think XJ is a worse atrocity than GWOT or Gaza when XJ is objectively one of the most "humane" integration campaigns in human history. Humane =/= clean, just historically when integrating a minority, much more blood was shed and destruction was wrought over a much longer period of time, and the minority populations generally weren't still growing while per capita GDP roughly doubled, oh and terrorist attacks basically eliminated for 1350 million people... which you seem to think is important enough for 10 million large Israel to rationalize their response.

                        • blackeyeblitzar 3 hours ago

                          I am not convinced by your framing and some of the factual claims you have made. I am able to find sources that disagree. But in an effort to be curious - do you have any sources of your own (like news articles or research or documents or videos or whatever) that support the things you're claiming here and in your other messages?

      • thorncorona 19 hours ago

        Huawei has B200 competitive inference chips coming.

        • jijji 19 hours ago

          Nvidia has the Blackwell B200, its latest GPU card. Huawei's offering is called Ascend 910C. Huawei's future offering to compete against the Nvidia Blackwell B200 is called Ascend 920C.

  • lolinder 19 hours ago

    I'm sure some people did actually get hurt by NVIDIA's stock dropping, but it's also important to keep the size of the effect in perspective: NVIDIA's stock is back to where it was in September of last year, and still up almost 1900% from 5 years ago and up 103% from a year ago.

    NVIDIA's stock has been super bubbly—all DeepSeek did was set off itchy investor trigger fingers that were already worried about its highly inflated price.

  • to11mtm 19 hours ago

    Every intelligent colleague is an interesting mix of 'sour but intrigued'

    Personally, I know I've lost a lot of street cred amongst certain work circles in recent history as far as my thoughts of 'shops should pursue local LLM solutions[0]' and the '$6000 4-8 tokens/second local LLM box' post making the rounds [1] hopefully gives orgs a better idea of what LLMs can do if we keep them from being 100% SaaS-like in structure.

    I think a big litmus test for some orgs in near future, is whether they keep 'buying ChatGPT' or instead find a good way to quickly customize or at least properly deploy such models.

    [0] - I mean, for starters, a locally hosted LLM resolves a LOT of concerns around infosec....

    [1] - Very thankful a colleague shared that with me...

  • blitzar 12 hours ago

    Obviously a lot of people are long Nvidia stock, and based on the comments are in the denial stage of grief.

    "This is good for Nvidia" is the 2025 version of "this is good for bitcoin"

  • ninetyninenine 19 hours ago

    Also American pride. China is on track to outpace the US in technical, military and economic dominance.

    A lot of people want to poke at Chinese weakness wherever it’s exposed because Americans are used to being the best and also unconscious racism. When Japan was about to overtake the US the US pulled some similar moves and that is partly what’s responsible for Japan's current economic funk. It’s unlikely these moves will work on China.

  • karim79 19 hours ago

    +1. I also enjoy the "China be stealin' ur data and personal info" angle. As if the incumbents haven't already done that, and are still doing it, as their core business practices.

    This whole thing should be an eye-opener to most people.

    To ask an honest question, who gives a crap if a Chinese company manages to grab data that many of the usual Silicon Valley suspects have had all along and have been incrementally updating? How is this a "threat".

    To pile on another gripe, why the hell does every single media outlet point out the "Tiananmen Square" question?

    The whole thing has just become embarrassing. I honestly can't fathom what worse China could do with my personal info than the likes of say, Meta. I'm not saying I would enjoy it, but I just don't see how it could be more harmful than the Silicon Valley status quo.

    • sho_hn 19 hours ago

      > How is this a "threat".

      Given how closely major US tech companies are now affiliated and partnered with the US Federal government, arguably the direct potential threat from them to US citizens may well be higher than from across a very big pond.

      People trot out "I'd rather our guys spy on me than them" a lot, but that's putting a lot of faith in your local government. Conversely, who do you think has more to fear from their logged prompts on DeepSeek, US or Chinese citizens?

      • karim79 19 hours ago

        I think you missed my point, or I wasn't clear enough. Your point is exactly the one I was trying to make. I think I must re-examine my articulation.

        • sho_hn 19 hours ago

          I wasn't arguing against you, rather extending your argument for further effect. Should've prefixed with "Indeed, ...", sorry.

      • blackeyeblitzar 19 hours ago

        DeepSeek is more affiliated and partnered with the CCP than US companies are with the US government. Their LLM includes literal government mandated censorship and propaganda. Their CEO met with the premier the other day. And obviously the CCP will be using this tech for military applications very soon. But Chinese citizens themselves will also be further controlled and suppressed through the extensive use of AI and robotics by their own ruling dictatorship.

        • kgeist 15 hours ago

          Tbh their censorship is pretty superficial. I asked about the Tiananmen square events in Russian and it answered in full detail. ChatGPT refuses to talk about "sensitive" topics in any language.

        • pjc50 11 hours ago

          > Their CEO met with the premier the other day.

          Remind me of the list of US tech CEOs who were at (and paid for!) the inauguration?

        • potsandpans 18 hours ago

          > DeepSeek is more affiliated and partnered with the CCP...

          Given what we know about the PRISM program, it's a distinction without much difference.

        • sho_hn 18 hours ago

          > Their CEO met with the premier the other day.

          While I agree with you overall ... have you heard of Mar-a-Lago?

    • coliveira 19 hours ago

      > How is this a "threat".

      It is a threat to WallStreet and Silicon Valley. It just broke the illusion that they're kings of tech.

      > why the hell does every single media outlet point out the "Tiananmen Square" question?

      Sour grapes, but also the media cannot report anything about China without showing its anti-China bias.

  • Kiro 8 hours ago

    I'm not seeing any vitriol or comments that are outside the norm, except people defending DeepSeek and throwing accusations left and right for seemingly no reason at all. That's the actually surprising data.

  • blackeyeblitzar 19 hours ago

    In my opinion, it is not vitriol as much as unfiltered recognition of the significant issues and risks that have become a part of DeepSeek’s story: the Chinese government injecting propaganda into LLMs, the threat of apps from adversaries in US app stores (like TikTok and DeepSeek), the disregard for user privacy (their database was open to the Internet with no authentication and no encryption of data), the misleading claim of quoting the cost of a single final run (which amounts to market manipulation of nvidia stock), the theft of OpenAI’s assets that they’ve not admitted to, the likely evasion of sanctions, and so on.

  • jijji 19 hours ago

    Did you even read the article? It's about the backend of deepseek.com being completely unprotected to the point where all the prompts users typed in are being exposed to the public. The fact that these people are supposed to be competent leads most to believe this is a backend for the CCP to spy on users. Competent or not, I would not use that system for anything. If anything, one might host it locally and use it in that way. Regardless, deepseek.com has serious security issues.

    • sho_hn 19 hours ago

      I'm wary of engaging in false equivalence, but people seem to have really forgotten the revelations of the Snowden episode.

      • khazhoux 19 hours ago

        which was what?

        • tasty_freeze 19 hours ago

          If you rat out the government doing unconstitutional things, you lose your citizenship.

          • blackeyeblitzar 18 hours ago

            Did Snowden lose his citizenship? No. The US cannot revoke his citizenship per its laws. He fled to Russia and took an oath of citizenship there in 2022. But he didn’t renounce his US citizenship either.

            • tasty_freeze an hour ago

              Say someone says drink the cup of wiper fluid or I will shoot you, so you drink the wiper fluid. In a literal sense, you chose to drink the wiper fluid. I think most people would understand that you were forced to drink the wiper fluid.

            • TeaBrain 5 hours ago

              What the above user is thinking of is how Snowden's passport validity was reportedly revoked in 2013, right after he had landed in Moscow.

              • blackeyeblitzar 4 hours ago

                Yea that might be it. But that doesn't strike me as unusual either. There are many situations where a criminal charged with a lot less has to surrender documents as a condition of being allowed out on bail while they await trial, if they're considered a flight risk. In Snowden's case, he knew he was going to face a lengthy criminal process and would be detained, so he (perhaps correctly) chose to leave before he made his revelations and before his movement was restricted.

    • mmaunder 19 hours ago

      Yes. :-) And I commented below, earlier this evening. Scroll down and we can argue about whether what they did is legal or not.

    • lurking_swe 19 hours ago

      it’s a FREE LLM chat interface, that doesn’t require you to enter your real name or credit card information. Who cares? It’s not a government website or a tax software application.

      Obviously I am disappointed regarding this, but people really blow this out of proportion imo. Rumor is this was a side project for some employees at a hedge fund. You think they specialize in security and software application best practices? I’m not exactly surprised that it’s insecure.

      The really crazy thing is that anyone gives ANY company sensitive data to train on. regardless of which country the service is running in. That’s what’s actually crazy.

  • elevatedastalt 19 hours ago

    In whose hands do you think your personal data is more secure? Google or DeepSeek?

    • worksonmine 8 hours ago

      Do we have to choose? I'm doing fine without either.

  • gerdesj 20 hours ago

    "The amount of vitriol in these comments is the really surprising data"

    No it isn't (well it probably is too). This is the rather naff nation state bollocks in play.

    You have either or both of "some bigger boys found a more efficient way of doing something I thought I was good at" and "I've wet myself".

b3ing a day ago

It seems fair since all the other AI's scraped copyrighted information, images, video online and from pirated books, etc. without ever asking anyone first.

Havoc 21 hours ago

Ugh. I know I’ve got at least some keys in those logs. Thankfully nothing too intense

  • danparsonson 21 hours ago

    Hopefully this is a lesson not to trust your sensitive private data with a public service?

  • sd9 11 hours ago

    I've been redacting my keys before sending config to chatgpt, it's a pain but I guess this shows it's worth the effort.

    • Havoc 9 hours ago

      Yeah I avoid it too but I know I missed some during rapid copy pasting.
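The redaction step sd9 and Havoc describe, as an added example that is not from the thread and is neither DeepSeek's nor OpenAI's code: a Python scrubber that replaces credential-shaped values in a config snippet with placeholders and reports what it removed, so a chat request can be checked before it leaves the machine. The key patterns, the sample config and every value in it are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Credential shapes to scrub before a config snippet is pasted into any hosted
# LLM. These patterns are constructed for this example, not taken from any
# vendor library; extend the list with the key formats your environment uses.
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("private_key_block", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.S)),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("openai_style_key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
]

# Generic `name = value`, `name: value` or `"name": "value"` lines whose name
# looks credential-like. The value class excludes '<' so placeholders already
# written by the patterns above are not matched again; it also stops at quotes,
# whitespace, '#' and ',' (a value containing those is redacted only up to them).
ASSIGNMENT = re.compile(
    r"^([ \t]*[\"']?([A-Z0-9_.-]*?(?:secret|password|passwd|token|api[_-]?key)"
    r"[A-Z0-9_.-]*)[\"']?[ \t]*[=:][ \t]*)([\"']?)([^\"'\s#<,]+)\3",
    re.I | re.M,
)


def redact_secrets(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace credential-shaped values with <REDACTED:name> placeholders.

    Returns the scrubbed text plus a count of what was removed, keyed by
    pattern name or by the config key whose value was blanked.
    """
    findings: Dict[str, int] = {}

    def count(name: str) -> None:
        findings[name] = findings.get(name, 0) + 1

    # Well-known token formats first: they are recognisable anywhere in the text.
    for name, pattern in SECRET_PATTERNS:
        def repl(_m: re.Match, name: str = name) -> str:
            count(name)
            return f"<REDACTED:{name}>"
        text = pattern.sub(repl, text)

    # Then key/value lines: keep the key and its quoting, blank only the value.
    def assignment_repl(m: re.Match) -> str:
        key, quote = m.group(2), m.group(3)
        count(key)
        return f"{m.group(1)}{quote}<REDACTED:{key}>{quote}"

    return ASSIGNMENT.sub(assignment_repl, text), findings


def scrub_messages(messages: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Scrub every message body of a chat request before it leaves the machine.

    The returned list is shaped for the `messages=` argument of an
    OpenAI-compatible chat client.
    """
    cleaned: List[Dict[str, str]] = []
    total: Dict[str, int] = {}
    for msg in messages:
        body, found = redact_secrets(msg.get("content", ""))
        cleaned.append({**msg, "content": body})
        for name, n in found.items():
            total[name] = total.get(name, 0) + n
    return cleaned, total


# Constructed sample config: every value below is made up for this example.
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
user = app
password = "s3cr3t-Pa55"

[aws]
aws_access_key_id = AKIAEXAMPLEEXAMPLE12
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz123456
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCconstructed
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    request, removed = scrub_messages(
        [{"role": "user", "content": "Why won't this connect?\n" + SAMPLE_CONFIG}])
    print(request[0]["content"])
    print("removed:", removed)
```

Run it over any snippet before pasting; a non-empty `removed` dict is the cue to look at what nearly went out.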

hdlothia a day ago

This kinda does support the 'DeepSeek is the side project of a bunch of quants' angle.

Seems like the kind of mistake you would make if you are not used to deploying external client facing applications.

  • yk 21 hours ago

    That's pretty much the same mistake as in VW's recent "We know where you parked" hack. [0] So while I don't really want to say anything nice about VW, the mistake is not something that only happens to side projects.

    [0] https://www.spiegel.de/international/business/we-know-where-...

    • Twirrim 20 hours ago

      This is also something that keeps affecting "smart" software engineers with projects, that don't realise they've got misconfigured S3 buckets, or have Firebase or Mongodb etc. wide open to the world. We've seen so many companies that absolutely should know better be in this area.

      • cptskippy 19 hours ago

        The reality is that cloud providers make it easy to deploy infrastructure without much thought. You need skilled domain specific IT Architects working together to ensure that an organization's cloud presence is efficient and secure. That discipline and rigor is often dismissed or underappreciated because it forces you to slow down and decreases agility.

        Some organizations have some form of Enterprise Architecture group that governs technology and ensures that there is discipline though the maturity and scope varies. I would say most organizations are completely devoid of that type of supervision and oversight.

        • Twirrim 19 hours ago

          > I would say most organizations are completely devoid of that type of supervision and oversight.

          It's unfortunately far too counter to "move fast and break stuff" that startup space tends to be enamored of, because they tend to want you to do things safely and try to avoid a "Front page of the New York Times" type of security event.

          • MattGaiser 18 hours ago

            Has being on the front page of the NYT for a software bug or leak killed any companies?

            I think they correctly believe security failures are at most a short term PR problem as far as the market is concerned.

            • Twirrim an hour ago

              Sure wish it meant more than it does. Sorry that "Front page of the NYT" phrase is one I've been using since back when everyone would have expected it to be the death of a company!

    • throw_pm23 21 hours ago

      Software is unfortunately a side-project for most auto makers :)

      • henry2023 21 hours ago

        With the amount of complexity found in modern cars' pre-packaged software I'd not be so sure.

        • saturn8601 20 hours ago

          No, he is right, hardware manufacturers treat software as a line item and just part of the BOM. Typically just contracted out (although some are trying to change that). That's why it's typically mediocre from companies outside of SV.

          You need a software-first agile mentality from the leadership of the company on downwards and these legacy companies just don't have it.

          • AlotOfReading 19 hours ago

            VW realized that software was important years ago and founded a dedicated software-only company called Cariad to specialize in it. They went ham recruiting traditional software folks for high salaries (in European terms). I know a few people who moved Bay area -> Europe to work for them and they have a couple west coast offices where you'd expect for the people who don't want to move.

            It's been an absolute disaster, with billions of dollars spent to produce delayed, buggy software.

          • thephyber 20 hours ago

            Agile workflow for making cars? No.

            Agile workflow for frequently updating non-critical software in devices that happen to be cars? Sure.

          • brookst 17 hours ago

            The problem with hardware companies is they’re bad at software because the disciplines are so different that what works for one doesn’t work for the other.

            The problem with software companies is they’re bad at hardware for the same reason.

            User experience companies can be good at both. Maybe not as good at hardware as a hardware company, maybe not as good at software as software companies.

            Apple’s the obvious example, but Google, Garmin, heck even Starbucks are also good examples. Start with the user experience, build hardware or software or whatever else is needed. Specializing in a tool has value, but limits you to that tool.

            • throw_pm23 5 hours ago

              OK, I'll bite. How is selling shitty coffee in large quantities a good example of either software or hardware excellence?

          • dogtierstatus 19 hours ago

            > software first agile mentality

            I can release a website with a list of known bugs. Do any govt allow release of cars with known bugs?

            • jstanley 19 hours ago

              There's a wide spectrum of possible bugs. I would hazard that every car ever sold was sold with known bugs.

              As long as you're reasonably confident that the bugs don't pose a safety issue I don't see the problem.

        • myself248 20 hours ago

          Having been in automotive software development and testing for over a decade now, I assure you, it's so very much worse than even that.

        • hansvm 20 hours ago

          The complexity is a symptom of it being a side-project, not evidence that it isn't. As a reminder, today's cars are still vulnerable to remote takeover via malformed songs on the radio because of shitty can-bus practices combined with buffer overflows in those side projects.

          Safety-critical firmware is scrutinized fairly well (not because it's not a side project, but because of regulatory constraints combined with the small scope allowing the car manufacturers to treat it as a fungible good), but other software is not, even broken feedback loops interacting with that firmware.

        • jandrewrogers 18 hours ago

          Automotive software is worse than you can possibly imagine. It is literally some of the most broken code I have seen in my entire career and that is the industry norm. Shockingly poor. In fairness, the constraints placed on automotive software production ensure this outcome. There is no room for good practice.

          If I could walk everywhere the rest of my life, I would.

  • ziddoap 21 hours ago

    There are many examples of experienced teams doing stupid things like exposing databases that I don't really think this is a valid conclusion to draw.

    • whereismyacc 21 hours ago

      Clearly it could never be enough to draw that conclusion but it might be very weak evidence in one direction

      • XorNot 19 hours ago

        If something is an intelligence operation, they aren't going to screw up basic database security.

  • lukan 19 hours ago

    'DeepSeek is the side project of a bunch of quants'

    I doubt it very much that it only was that and not massively backed by the Chinese state in general.

    As with OpenAI, much of this has to do with hype based speculation.

    In the case of OpenAI they played with the speculations, that they might have AGI locked up in their labs already and fueled those speculations. The result, massive investment (now in danger).

    And China and the US play a game of global hegemony. I just read articles with the essence of, see China is so great, that a small side project there can take down the leading players from the west! Come join them.

    It is mere propaganda to me.

    Now DeepSeek in the open is a good thing, but I believe the Chinese state is backing it up massively to help with that success and to help shake the western world's dominance. I would also assume the Chinese intelligence services helped directly with intel straight out of OpenAI and co's labs.

    This is about real power.

    Many states are about to decide which side they should take, if they have to choose between West and East. Stuff like this heavily influences those decisions.

    (But btw. most don't want to have to choose)

    • jychang 19 hours ago

      I don't buy this, simply because if the Chinese government were to back an effort, it wouldn't be Deepseek.

      Alibaba has Qwen. Baidu, Huawei, Tencent, etc all have their own AI models. The Chinese government would most likely push one of these forward with their backing, not an unknown small company.

      • lukan 19 hours ago

        Unless of course, they want to sell the "small underdog" story.

        I don't claim it is all staged. The researchers seem genuine. But they can be good researchers and still have said yes at some point to big government help, if smart Chinese government employees recognized their potential.

    • persedes 19 hours ago

      To corroborate the side project angle, their SDKs are quite literally taken from OpenAI:

        # Please install OpenAI SDK first: `pip3 install openai`
        # DeepSeek's API is OpenAI-compatible, so the stock OpenAI client is reused;
        # only the base_url and the API key differ from an OpenAI setup.
        from openai import OpenAI
        client = OpenAI(api_key="<DeepSeek API Key>", base_url="https://api.deepseek.com")

  • zem 19 hours ago

    Doesn't even need to be a side project, or by a bunch of quants. A bunch of AI researchers working on this as their primary job would still have no real idea about what it takes to secure a large-scale world-usable internet service.

  • Voloskaya a day ago

    > This kinda does support the 'DeepSeek is the side project of a bunch of quants' angle

    Can we stop with this nonsense?

    The list of authors of the paper is public, you can just go look it up. There are ~130 people on the ML team, they have regular ML backgrounds just like you would find at any other large ML lab.

    Their infra costs multiple millions of dollars per month to run, and the salary of such a big team is somewhere in the $20-50M per year (not very au fait with the market rate in China, hence the spread).

    This is not a side project.

    Edit: Apparently my comment is confusing some people. I am not arguing that ML people are good at security. Just that DS is not the side project of a bunch of quant bros.

    • islewis a day ago

      A bunch of ML researchers who were initially hired to do quant work published their first ever user facing project.

      So maybe not a side project, but if you have ever worked with ML researchers before, lack of engineering/security chops shouldn't be that surprising to you.

      • Voloskaya a day ago

        > A bunch of ML researchers who were initially hired to do quant work

        Very interesting! I'm sure you have a source for this claim?

        This myth of DS being a side project literally started from one tweet. DeepSeek the company is funded by a company whose main business is being a hedge fund, but DeepSeek itself from day 1 has been all about building LLM to reach AGI, completely independent.

        This is like saying SpaceX is the side project of a few carmaking bros, just because Elon funded and manages both. They are unrelated.

        Again, you can easily google the name of the authors and look at their background, you will find people with PhD in LLM/multimodal models, internships at Microsoft Research etc. No trace of background on quant or time series prediction or any of that.

        From the mouth of the CEO himself 2 years ago: "Our large-model project is unrelated to our quant and financial activities. We’ve established an independent company called DeepSeek, to focus on this." [0]

        It's really interesting to see how after 10 years debating the mythical 10x engineer, we have now overnight created the mythical 100x Chinese quant bro researcher, that can do 50x better models than the best U.S. people, after 6pm while working on his side project.

        [0]: https://www.chinatalk.media/p/deepseek-from-hedge-fund-to-fr...

        • maxglute 20 hours ago

          See this earlier interview from 2020.

          https://www.pekingnology.com/p/ceo-of-deepseeks-parent-high-...

          TL;DR Highflyer started very much as an exclusively ML/AI focused quant investment firm, with a lot of compute for finance AI and mining. Then the CCP cracked down on mining... then finance, so Liang probably decided to pivot to LLM/AGI, which likely started as a side project, but probably not anymore now that DeepSeek has taken off and Liang just met with the PRC premier a few days ago. DeepSeek being an independent company doesn't mean DeepSeek isn't Liang's side project using compute bought with hedge fund money that is primarily used for hedge fund work, cushioned/allowed to get by with low margins by hedge fund profits.

          • Voloskaya 20 hours ago

            Yes, see my analogy with Elon.

            The point is, the team actually doing the DeepSeek work are working on this as their exclusive project, have been hired exclusively for this etc.

            They aren't doing this on the side of their main quant job, and destroying U.S. researchers just as a hobby as the myth would have us believe.

            • maxglute 20 hours ago

              That's a fair distinction. IMO it should still be categorized as a side project in the sense that it's Liang's pet project, the same way Jeff Bezos spends $$$ on his forever clock with a separate org but ultimately with Amazon resources. DeepSeek / Liang fixating on AGI and not profit making or loss-making since hardware / capex depreciation is likely eaten by High Flyer / quant side. No reason to believe DeepSeek spent 100ms to build out another compute chain from High Flyer. The myth that seasoned finance quants using 20% time crushed US researchers is false, but the reality/narrative that a bunch of fresh out of school GenZ kids from tier 1 PRC universities destroyed US researchers is kind of just as embarrassing.

        • asdasdsddd 21 hours ago

          Just to be pedantic, SpaceX predates Tesla

          • benatkin 21 hours ago

            The carmaking bro predates SpaceX. He had a BMW in college and got a supercar in 1997. While he wasn’t a carmaker yet he got started with cars earlier.

        • islewis 21 hours ago

          A valid response to my initial comment which was a bit tongue in cheek.

          However, I'm not sure that them being LLM researchers compared to quant researchers changes the dynamic of their relaxed security posture.

          • Voloskaya 21 hours ago

            > However, i'm not sure that them being LLM researchers compared to quant researchers changes the dynamic of their relaxed security posture.

            It does not indeed, but that's not the part I was commenting on.

      • spoaceman7777 a day ago

        First ever? Their math, coding, and other models have been making a splash since 2023.

        The mythologizing around deepseek is just absurd.

        "Deepseek is the tale of one lowly hedgefund manager overcoming the wicked American AI devils". Every day I hear variations of this, and the vast majority of it is based entirely in "vibes" emanating from some unknown place.

        • sho_hn 21 hours ago

          What I find amusing is that this closely mirrors the breakout moment OpenAI had with ChatGPT. They had been releasing models for quite some time before slapping the chatbot interface on it, and then it blew up within a few days.

          It's fascinating that a couple of years and a few competitors in, the DeepSeek moment parallels it so closely.

        • quantified a day ago

          Models and security are very different uses of our synapses. Publishing any number of models is no proof of anything beyond models. Talented mathematicians and programmers though they may be.

      • tonyhart7 21 hours ago

        well security isn't their job to begin with

    • manquer a day ago

      > This is not a sideproject.

      OP means to say the public API and app being a side project, which likely it is; the skills required to do ML have little overlap with the skills required to run large complex workloads securely and at scale for a public-facing app with presumably millions of users.

      The latter role also typically requires experience, not just knowledge, to do well, which is why experienced SREs have very good salaries.

    • weird-eye-issue a day ago

      None of that has anything to do with "deploying external client facing applications"

      • Dylan16807 21 hours ago

        You're right. It has nothing to do with the second sentence of the two sentence post it replies to.

    • skywhopper a day ago

      ?? The point is, the ML researchers aren’t experts at deploying secure infrastructure.

      • benatkin a day ago

        ??????

        This wasn't narrow minded folks doing this. Shit happens.

  • hombre_fatal 21 hours ago

    It doesn't say much.

    Data breaches from unsecured or accidentally-public servers/databases are not unusual among much larger entities than DeepSeek.

  • blackeyeblitzar a day ago

    DeepSeek isn’t a side project or just a bunch of quants - these are part of the marketing that people keep repeating blindly for some reason. To build DeepSeek probably requires at least a $1B+ budget. Between their alleged 50,000 H100 GPUs, expensive (and talented) staff, and the sheer cost of iterating across numerous training runs - it all adds up to far, far more than their highly dubious claim of $5.5M. Anyone spending that amount of money isn’t just doing a side project.

    The client facing aspect isn’t the problem here. This linked article is talking about the backend having vulnerabilities, not the client facing application. It’s about a database that is accessible from the internet, with no authentication, with unencrypted data sitting in it. High Flyer, the parent company of DeepSeek, already has a lot of backend experience, since that is a core part of the technologies they’ve built to operate the fund. If you’re a quantitative hedge fund, you aren’t just going to be lazy about your backend systems and data security. They have a lot of experience and capability to manage those backend systems just fine.

    I’m not saying other companies are perfect either. There’s a long list of American companies that violate user privacy, or have bad security that then gets exploited by (often Chinese or Russian) hackers. But encrypting data in a database seems really basic, and requiring authentication on a database also seems really basic. It would be one thing if exposure of sensitive info required some complicated approach. But this degree of failure raises lots of questions whether such companies can ever be trusted.

    • diggan a day ago

      > Anyone spending that amount of money isn’t just doing a side project.

      You're reciting a bunch of absolute numbers, without any sort of context at all. $5M isn't the same for every company. For example, in 2020, it seems High Flyer spent a casual $27M on a supercomputer. They later replaced that with a $138M new computer. $5.5M sounds like something that could be like a side-project for a company like that, whose blood and sweat is literally money.

      > But this degree of failure raises lots of questions whether such companies can ever be trusted.

      This, I agree with though. I wouldn't trust sending my data over to them. Using their LLMs though, on my own hardware? Don't mind if I do, as long as it's better, I don't really mind what country it is imported from.

      • Voloskaya 21 hours ago

        > that could be like a side-project for a company like that, whose blood and sweat is literally money.

        From the mouth of Liang Wenfeng, co-founder of both High Flyer and DeepSeek, 18 months ago:

        "Our large-model project is unrelated to our quant and financial activities. We’ve established an independent company called DeepSeek, to focus on this."

        https://www.chinatalk.media/p/deepseek-from-hedge-fund-to-fr...

        • ipaddr 19 hours ago

          It's a side project called DeepSeek.

      • octacat 20 hours ago

        5.5M is a single latest training run, if they would rent GPUs in the cloud - from the paper.

    • nicce a day ago

      > To build DeepSeek probably requires at least a $1B+ budget. Between their alleged 50,000 H100 GPUs, expensive (and talented) staff, and the sheer cost of iterating across numerous training runs - it all adds up to far, far more than their highly dubious claim of $5.5M.

      This is not fair. Is OpenAI, for example, including the CEO paycheck for the model training costs?

      • Filligree 21 hours ago

        There's a sliding scale. On one end is "Include the CEO's paycheck"; on the other is "include nothing except the price tag on the final, successful training run".

        Neither end is terribly useful. Unfortunately, the $5.5M number is for the latter.

    • fulladder 21 hours ago

      >To build DeepSeek probably requires at least a $1B+ budget.

      Zero evidence that the above statement is true, and weak evidence (authors' claims) that it is false. Have you read their papers even?

      https://arxiv.org/html/2412.19437v1#abstract https://arxiv.org/pdf/2501.12948

      • Voloskaya 21 hours ago

        Parent is (I assume) talking about the entire budget to get to DeepSeek V3, not the cost of the final training run.

        This includes salary for ~130 ML people + rest of the staff; the company is 2 years old. They have trained DeepSeek V1, V2, R1, R1-Zero before finally training V3, as well as a bunch of other less known models.

        The final run of V3 is ~6M$ (at least officially...[1]), but that does not factor in the cost of all the other failed runs, ablations etc. that always happen when developing a new model.

        You also can't get clusters of this size with a 3-week commitment just to do your training and then stop paying for it; there is always a multi-month (if not 1 year) commitment because of demand/supply. Or, if it's a private cluster they own, it's already a $200M-300M+ investment just for the advertised 2000 GPUs for that run.

        I don't know if it really is $1B, but it certainly isn't below $100M.

        [1] I personally believe they used more GPUs than stated, but simply can't be forthcoming about this for obvious reasons. I of course have no proof of that; my belief is just based on scaling laws we have seen so far + where the incentives are for stating the # of GPUs. But even if the 2k GPUs figure is accurate, it's still $100M+

      • tyre 19 hours ago

        H100s can cost about $30k. There was an interview with a CEO in the space speculating that they have about 50,000 H100s. That's $1.5bn. Presumably they got volume discounts, though given the export bans they might have had to pay a premium on that discount to buy them secondhand. If it were H800s, that would be ~half the price, which is still high hundreds of millions for the chips alone.

        Is that true? No idea. But there isn't zero evidence.

    • harrall a day ago

      Some academic projects have a lot of funding and what they are researching is some top tier stuff.

      But the software? Absolute disaster.

      When people say DeepSeek is a side project, this is what I assume they mean. It's different when a bunch of software engineers make something with terrible security because it's their main job. With a bunch of academics (and no offense to academics), software is not their main job. You could be working on teaching them how to use version control.

    • cma 21 hours ago

      > Between their alleged 50,000 H100 GPUs

      I'm sure you were just misled by all the people including Anthropic's Dario parroting this claim, but even Dario already said he was wrong to say that and SemiAnalysis already clarified it was a misunderstanding of their claim, which was 50,000 H series, not 50,000 H100.

    • crummy a day ago

      You think they deliberately left their DB open to the internet, without a password? Why?

      • blackeyeblitzar a day ago

        No, I did not claim that it was purposeful. But they did leave their DB open to the internet without a password. And that seems really negligent.

        • matt-p 21 hours ago

          For an ops person yes, for an ML engineer (basically an academic) I'd be more surprised if it was secured, to be honest.

  • h0us3 21 hours ago

    [dead]

  • fzzzy a day ago

    how many people in the world are used to deploying external client facing applications?

    • lowdest a day ago

      Hundreds of thousands. My employer alone probably has 1000.

      • pinoy420 21 hours ago

        No. I don’t think so. I think if you took many engineers and sat them at a computer and asked them to stand up a whole dev staging prod system they wouldn’t be able to do it.

        I certainly would not, or it would take me a significant amount of time to do properly. I have been a full stack dev for 10 years. Now take that one step further to someone whose only interaction with development is numpy, pandas, julia, etc…

        You are, in typical HN style, minimising the problem into insignificance.

        This is /not/ a “stick it behind an aws load balancer and on one of their abstracted services that does 99% of the work for you” - that would be less difficult.

        E: love how this is getting ratioed by egotistical self confessed x10 engineers no doubt. Some self reflection is needed on your behalf. Just because /you/ think you would be capable, does not mean that the plethora of others would be able to.

        What likely happened here is an ingress rule was set up wrongly on iptables or equivalent... something many of your fellow engineers would have no clue about. An open dev database is rather normal if you want something out of the door quickly; why would you worry about an internal-access-only tool's security if you trust your 10 or so staff? Have a think about the startups you have worked in (everyone here is a startup pro, just like you are - remember!) and what dire situation your mvp was in behind its smoke and mirrors PowerPoint slide deck.

        Yes this was disastrous for PR. No it is not a problem solved entirely by learned engineering experts like yourself.

        Oh here. A comment from ClickHouse saying there is a legitimate reason why this will have been configured this way and happened https://news.ycombinator.com/item?id=42873446

        • MobiusHorizons 21 hours ago

          I would consider it table stakes for an intermediate level engineer at a big company (which would have well defined processes for doing this safely) or a senior at any other company (on the assumption some of that infra has to be set up from scratch). If 10 years of experience hadn’t taught me this yet, I would personally be concerned how I’m spending my energy. I am roughly at the 10y mark, and I would estimate I have been competent enough to build a public facing application without embarrassing public access issues on my own for at least 4 years. Even before that, I would have known what to be scared of / seek help on for at least 7 years. I guess I could be more unusual than I think, but the idea that at 10 years anyone would be ok not knowing how to approach such a routine task is baffling to me.

          • pinoy420 21 hours ago

            HN is a bubble. The expectation that your colleagues are /experts like you/ is unrealistic. To stand something up like this, which is entirely on bare metal - this is a task many would find challenging if they are entirely honest with themselves and put their egos to the side. Your typical SWE thinks that nothing is impossible.

            There was a recent comment which said along the lines of “I used to watch figure skating, seeing them race around and spin, and think no big deal. It was only when I went on ice that I realised how difficult and impressive what they were doing was” - this is exactly the trap SWEs are most guilty of. — /this/ is what you learn as a staff level.

            • MobiusHorizons 20 hours ago

              Everything you say is true, but I don't think any of it actually applies to being able to safely deploy user facing systems. I would certainly not trust myself to do all possible aspects of setting up a user facing system completely from scratch (i.e. nothing but a libc on linux or whatever); I would not trust myself to write correct crypto, for example. But I have a good sense of what I can trust myself to build relatively safely. And of course I'm not claiming that "knowledge of where to trust myself" is by any means flawless. But even in college I made applications for people that were exposed to the public internet. But I was very aware of what I felt I could trust myself to do and what I needed to rely on some other system for. In my case I delegated auth to "sign in with google" and relied on several other services for data storage. There were features that I didn't ship because I didn't trust myself to build them safely, and I was working alone. Now I would not necessarily expect every CS student to be able to do this safely, but a healthy understanding of one's own current limitations and being willing to engineer around that as a constraint is pretty achievable, and can get you very far.

            • ipaddr 19 hours ago

              You are talking to the ice skaters. They expect you to do up your laces. Setting a password on a database is something I would expect of any company capable of asking for a credit card.

        • adrianpike 21 hours ago

          Depending on your perspective, that's either very concerning or a great business opportunity for this decade's Heroku to enter the fray.

          • pinoy420 21 hours ago

            This is definitely not something hosted on a P/SaaS.

        • AdieuToLogic 21 hours ago

          > I think if you took many engineers and sat them at a computer and asked them to ...

          There are many in the software engineering field which could not satisfy a request of this nature, for any reasonable form of "asked them to".

          • Filligree 21 hours ago

            It sorta sounds like their AI would've done it better, yeah...

          • pinoy420 21 hours ago

            I don’t understand this comment? Is it unusual to request something like this? OP’s comment was saying that all 1000 or so (and hundreds of thousands of others) of his colleagues would be able to do this if asked?

            I don’t know if you are in agreement with me or not

            • AdieuToLogic 20 hours ago

              I am agreeing with your premise that asking a random s/w technician to deploy an app fairly securely would be problematic, and then generalizing it to include many tasks related to s/w engineering.

              So we're good. :-)

    • nightpool a day ago

      How many people in the world drink coffee? I don't understand your question.

      • MathMonkeyMan a day ago

        The subtext was probably "Even among professional programmers, few know what it takes to safely expose a new system to the public internet."

    • CharlieDigital a day ago

      A lot? They can go scoop up people from any number of SaaS startups or hire an external 3rd party to do a security audit.

      We're not talking some poor college students here.

    • pyrareae 21 hours ago

      That's not a matter of battle hardened experience. Publicly exposing database management endpoints that allow arbitrary execution is a *massive* no-no that even a junior developer with zero experience should be able to sense is a bad idea.

    • matt-p 21 hours ago

      A million or more, be serious.

    • gchamonlive 21 hours ago

      I am and I'm quite sure I'm not that big of a deal

nialv7 20 hours ago

I wonder if this is the "cyberattack" DeepSeek was talking about?

hi_hi 21 hours ago

I don't get the discussions around "side project" and "they're ML engineers, not security experts". Why are you excusing a company for a serious security leak?

If you're releasing a major project into the wild, expect serious attention and have the money, you get third parties involved to test for these things before you launch.

Now can we get back to discussing the real conspiracy theories. This is clearly a disinformation piece by BigAI to add FUD around the Chinese challenger :-)

  • throwaway314155 20 hours ago

    > I don't get the discussions around "side project" and "they're ML engineers, not security experts". Why are you excusing a company for a serious security leak?

    No one is here as far as I can tell. But if you've ever been a software engineer who is required to work with someone purely from an ML lab and/or academia, you'll quickly discover that "principled software engineering" just isn't really something they consider an important facet of software. This is partly due to culture in academia, general inexperience (in the software industry) and deeply complicated/mathematical code really only needing to be read by other researchers who already "get it", to a degree.

    Not an excuse but rather an explanation for _why_ such an otherwise impressive team might make a mistake like that.

    • hi_hi 20 hours ago

      Yeah, you're right, I was conflating the excusing bit.

      I haven't worked with serious ML engineers, but having worked in large webdev there's usually a team involved in these projects, including senior non-devs who would ensure the correct checks and balances are in place before go-live. Does this not happen in ML projects? (Of course there are always exceptions and unknowns that will slip through; I don't know if that was the case here, or something else.)

      • throwaway314155 19 hours ago

        > Yeah, you're right, I was conflating the excusing bit.

        No worries. :)

        > Does this not happen in ML projects?

        Consistently? No. At the level of e.g. OpenAI/Anthropic? It is mandatory. These are not just research labs, they're product (ChatGPT, Claude) companies. These American companies have done a reasonable job at hiring for all sorts of skillsets to keep things well rounded.

        Perhaps DeepSeek hasn't learned this lesson yet... Or, well - it could be far more complicated than that. Speculating is only so useful with so little information.

maitola 20 hours ago

How do we know for sure that DeepSeek is not actually trained on Nvidia chips? Did someone outside of China replicate the training from scratch (spending $6M)?

  • haeffin 20 hours ago

    They themselves said it was trained on NVIDIA chips, so I’m not sure where you got that it wasn’t. It was trained on the less capable versions sold for the Chinese market.

    • maitola 10 hours ago

      I see, thank you for pointing that out. Then I'd rephrase: how do we know for sure that it wasn't trained on the most advanced Nvidia chips? Did anyone outside of China replicate the training?

suraci 20 hours ago

That's why I never use my strong passwords on many Chinese websites (in fact, I tend not to use passwords on any website).

I suggest you guys don't do that either.

This industry in China is so young; many devs and orgs don't understand what will happen if they shut down the firewall or expose their database on the internet without a password.

They just can't think of it; they need someone to remind them.

  • gitaarik 11 hours ago

    I didn't understand your comment at first, because I use a password manager which generates a unique and complicated password for each website I set up an account for. So I never reuse any password. So if one of those sites gets hacked and my password is potentially exposed, it doesn't matter, because I only use that password there.

    I would recommend that. Bitwarden is a pretty good open-source password manager. You can install it as a plugin in your browser, so it can fill out your password for you so you don't have to manually copy and paste.

SebFender 10 hours ago

Never forget honeypots.

sylware 11 hours ago

The second Big Tech was threatened by significant competition (DeepSeek), this competition is "stealing"(lol), and is under heavy hacking attacks (main online inference portal).

There you have it, the real face of Big Tech. Extinguishing the competition by locking a service behind a portal provided for free, then starting to milk the users, is not enough for them... they will also fight dirty, really dirty.

mr90210 21 hours ago

Poorly secured or not it still managed to hit your favourite stock. The execs at NVIDIA still haven’t recovered from the bloodbath.

  • Etherlord87 9 hours ago

    This argument seems fallacious: the stock was "hit" before security issues emerged. It's hard to say how this recent news will affect the stock, directly and indirectly through eventual damage that follows. Imagine that the security issues were 1000 times worse: you could still write the same comment, but the reputation of DeepSeek and by extension all Chinese AI and software would be so badly hurt that long term any Chinese success would be downplayed, having a lesser effect on the stock market. Whether Nvidia stock recovers or not is more nuanced, because the market is speculative, and if a bubble is burst, even if what pierced it turns out to be fake/irrelevant, the bubble is no longer there (a new one may need a lot of time and effort to grow).

nico a day ago

So much effort in trying to tarnish DeepSeek the last 24hrs

  • sho_hn a day ago

    Can't fault hackers for taking a look at a website that goes from "virtually unknown" to "extremely popular and headline news globally" practically overnight. If nothing else, the probability of low-hanging fruit in something that is barely battle-tested is high.

    You can fault them for disclosure practices though :-)

    • htrp a day ago

      > Wiz Research has identified a publicly accessible ClickHouse database belonging to DeepSeek, which allows full control over database operations, including the ability to access internal data. The exposure includes over a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information.

      >The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure.

      It seems like Wiz told deepseek and deepseek secured this vuln?

  • khazhoux a day ago

    Are you saying this report was falsified, or that the press should keep things like this secret?

    • rnd0 11 hours ago

      It would be very nice if the press didn't just fall over itself trying to be a free PR agency for OpenAI.

    • LarsKrimi 20 hours ago

      Probably they are rather suggesting that there are a lot of unscrupulous western companies with a lot to lose who might have an interest in convincing certain people to skip responsible disclosure

      • khazhoux 19 hours ago

        The vulnerability was fixed before the disclosure, so that's a non-issue here.

  • breakitmakeit 20 hours ago

    Elsewhere perhaps, this seems like a pretty standard/legit security flaw in a new application which is found and hopefully quickly closed.

    If your information is sensitive, do not use an LLM by public API - absolutely all of your data is being stored and processed. For all of them.

  • krick a day ago

    Maybe, but having dev services outside of a VPN is pretty nuts; not much effort needed to find that. Wouldn't expect a company with such budgets to be that careless, I'm sure it's only the tip of the iceberg.

    • meiraleal a day ago

      One more proof that AGI is not near

  • gruez a day ago

    I'm not sure why you think this discovery has to be some sort of "effort in trying to tarnish DeepSeek". Deepseek is the #1 downloaded app and the media can't stop talking about it. That means a lot more people are looking into the app and possibly finding vulnerabilities, no conspiracy needed.

    • skupig a day ago

      edit: snip, misinfo, I'm illiterate. Sorry!

      • ZeWaka a day ago

        > instead of following responsible disclosure practices

        They literally did, though? They were resolved before publishing.

      • skywhopper a day ago

        What are you talking about? They did follow responsible disclosure.

        • immibis a day ago

          No idea why this is downvoted.

          Responsible disclosure normally means you wait up to 90 days so they can fix it, before you disclose it to the public. In this case, it was fixed immediately, so they disclosed it to the public immediately.

          Which is another thing it seems Chinese corporations do better than American ones.

  • xmprt a day ago

    I, for one, think this is a valuable piece of information and somewhat interesting analysis. You can take the cynical point of view that this was released just to tarnish their reputation or you can assume that it's security researchers publishing an important discovery just like they've always done whether it's for OpenAI, Microsoft Copilot, or any other AI or non AI product.

    • kdmtctl 20 hours ago

      I think that was a shameless self promotion. A lot of PR and free traffic by taking a low hanging fruit. Nothing else. But they did some good though.

  • zhengiszen a day ago

    You're absolutely right, so much garbage propaganda in many languages. For Apple we have TV news that usually promotes new Apple or OpenAI products (wtf!!) that are trying to tarnish DeepSeek on the privacy level... No words about all that garbage software siphoning off the web (respecting neither copyright nor privacy)

  • lysace a day ago

    It would be incredibly immature and naive to presume that the data fed to this service is not going to be data mined by the CCP.

    Downvoted - because of course the CCP wouldn't want all of this data, that's preposterous. What would they even do with it? /S

  • blackeyeblitzar a day ago

    [flagged]

    • kranner 21 hours ago

      I don't know about 1-4 and 5 seems an honest mistake.

      Is there a source for the misleading GPU count? Dario cites Dylan Patel, and pt 4 cites Alexander Wang, but these are just claims so far.

      As far as censorship regarding Chinese history, does it matter? The other models have other areas that are censored. Is anyone planning to use LLMs to look up historical facts anyway?

      Stealing IP? That's rich coming from AI companies that mined the entire public internet. Did they get permissions from copyright holders in every instance?

      And if DeepSeek did evade particular US sanctions whose only justification seems to be to prop up US's economic hegemony over the rest of the world (unlike sanctions against weapons, invasions and human rights violations), then good for them.

  • mandmandam a day ago

    Yep.

    Kinda like how your comment was grey within 1 minute, despite stating an objective truth.

    Sure, this is to be expected given the billions and billions of dollars at stake but like - that money is gone lol. DeepSeek isn't going back in the bottle, nor is open source AI in general.

    • IncreasePosts a day ago

      The comment isn't wrong, but the implication is that DeepSeek is somehow special and is getting undue attention from hackers. Any app that skyrockets from nowhere to number one in the app store overnight will have the attention of probably hundreds of thousands of hackers.

      • mandmandam a day ago

        > the implication is that DeepSeek is somehow special and is getting undue attention from hackers

        ... It is special.

        There was over a trillion dollars wiped from tech stocks lol, in a massive win for consumers and the planet. You can't say this is like Flappy Bird or something.

        • IncreasePosts 21 hours ago

          The stock market does all sorts of silly things. If the stocks recover in 2 weeks to where they were, will that be deep seek erasing $1T and tech re-earning $1T? Or deep seek doing nothing?

          • codr7 21 hours ago

            The damage was done; whether it was 100% based on truth, or how fast they recover, has nothing to do with it.

          • mandmandam 21 hours ago

            > The stock market does all sorts of silly things.

            For sure. This one was pretty clear though. It's exactly what you'd expect when a moat evaporates overnight.

            Even if tech stocks recover in 2 weeks (doubt) an open source model comparable to o1 with a 50x efficiency gain is still not just another app. Which means there will be bad actors with a special interest in spreading narratives on every relevant forum...

            • rnd0 11 hours ago

              >Which means there will be bad actors with a special interest in spreading narratives on every relevant forum

              Which brings us neatly to OpenAI

j45 a day ago

A data point on self-hosting being preferable, or using an alternate gpu cloud host who can run the model privately/semi-privately for you.

dotcoma a day ago

It’s a feature, not a bug !

bryan_w 21 hours ago

This is totally expected when you use AI to build your infrastructure.

  • ripped_britches 21 hours ago

    I was going to say the opposite, ironic because an LLM would have told them not to do that if they were working closely with one.

    • bryan_w 16 hours ago

      With the various ways people set up their dev environment + docker, I imagine there are probably a lot of guides that show you how to set it up insecurely (because it assumes you're connecting from your local network) with a small asterisk at the end saying not to set it up in production like that. Very easy for an LLM to misunderstand.

rvz a day ago

> More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world.

Not only that, this was a "production-grade" database with millions of users using it and the app was #1 on the app store and ALL text sent there in the prompts was logged in plain-text?

Unbelievable.

  • byearthithatius a day ago

    I agree this is really bad but far from unbelievable. I am only 23 and already my SSN and even my freaking DNA have both been leaked by major publicly traded companies.

    • sho_hn a day ago

      Plus Volkswagen and Subaru in the last few weeks ...

      • reaperducer a day ago

        Plus Volkswagen and Subaru in the last few weeks

        Both Volkswagen and Subaru have leaked his DNA in the last few weeks? Dude gets around.

        • dotancohen a day ago

          VW is the people's wagon - where do you think those people come from?

        • nicce 21 hours ago

          On top of SSN and DNA, also the location of the DNA has been leaked.

    • sans_souse 19 hours ago

      You leaked your DNA on which companies?

  • gitaarik 11 hours ago

    Is it so strange to have logs in plain text? In my experience most logs at companies are in plain text. Only passwords are usually encrypted.

  • jazzyjackson a day ago

    Did they ever make promises as to confidentiality? What if providing all chat logs with users is just part of their open source / shānzhài attitude ? :)

mrbungie a day ago

[edit: Nevermind, see below]

The direct disclosure of urls and ports is insane. Wonder if they would be as irresponsible if it was MSFT, OpenAI, Anthropic, etc.

PS: Not defending DeepSeek for bad practices, but still. Nothing irresponsible here.

PS2: It is marked as resolved, I went directly to the vulns due to the title of the post.

  • bberenberg a day ago

    It’s been disclosed and resolved. What’s the concern here?

  • nyclounge a day ago

    Why is ClickHouse exposing unauthenticated database access at port 9000 to the public? Is this the default behavior or did DeepSeek open it up for dev purposes?

    • AlexClickHouse 21 hours ago

      ClickHouse does not allow external connections by default.

      If someone wants to configure an unauthenticated access from the Internet, they have to do the following extra steps:

      - enable listening to the wildcard address;

      - remove IP filtering for the default user;

      - set up a no-password authentication;

      It is possible to ignore and turn off all guardrails that the system has by default, but it needs extra effort. However, it's possible that someone copy-pasted a wrong configuration file from somewhere without knowing what is inside, or did something like - listen to localhost, but expose ports from Docker.

      A use case for direct database access exists, and is acceptable, assuming you set up a readonly user, grant access to specific tables, limit queries by complexity, and limit total usage by quotas. This is demonstrated by the following public services:

      https://play.clickhouse.com/

      https://adsb.exposed/

      https://reversedns.space/

      In this way, ClickHouse can be used to implement public data APIs (which is probably not what DeepSeek wanted).

      ClickHouse has a wide range of security and access control restrictions: authentication methods with SSL certificates; SSH keys; even simple password-based auth allows bcrypt and short-living credentials; integration with LDAP and Kerberos; every authentication method can be limited on a network level; full Role-Based Access Control; fine-grained restrictions on query complexity and resource consumption, user quotas.

      But still, according to Shodan, there are 33,000 misconfigured ClickHouse servers on the Internet: https://www.shodan.io/search?query=clickhouse This can be attributed to a high popularity of ClickHouse (it is the most widely used analytic DBMS).

      When you use ClickHouse Cloud, which is a commercial cloud service based on the open-source ClickHouse database (https://clickhouse.com/cloud), it ensures the needed security measures, improving strong defaults even more: TLS, strong credentials, IP filtering; plus it allows private link, data encryption with customer keys, etc.
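A defender-side audit of the three opt-outs listed in the comment above (wildcard listen address, no IP filtering on a user, no password on that user), with the readonly-plus-quota shape it describes treated as the tolerated public-API exception. This is an added Python example, not ClickHouse's own tooling; the config fragments and the password hash placeholder are constructed, and treating a missing `<networks>` block as unrestricted is an assumption of the audit, not a documented ClickHouse default.

```python
"""
Audit a ClickHouse config.xml and users.xml for the three opt-outs listed in the
comment above (wildcard listen_host, no IP filtering on a user, no password on
that user) and separate out the tolerated public-API shape (readonly profile
plus a quota). Added example, not ClickHouse's own tooling; the configs below
are constructed for the demonstration.
"""
import ipaddress
import xml.etree.ElementTree as ET

WILDCARD_LISTEN = {"0.0.0.0", "::"}
# users.xml elements that carry a credential; any non-empty one counts as auth
CREDENTIAL_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex",
                   "ssl_certificates", "ssh_keys", "ldap", "kerberos")


def listens_on_wildcard(config_root):
    """True if any <listen_host> binds every interface."""
    return any((e.text or "").strip() in WILDCARD_LISTEN
               for e in config_root.findall("listen_host"))


def network_unrestricted(user_el):
    """True if the user's <networks> allowlist admits any source address.
    Assumption of this audit: a missing <networks> block counts as unrestricted."""
    nets = user_el.find("networks")
    if nets is None:
        return True
    for ip in nets.findall("ip"):
        try:
            net = ipaddress.ip_network((ip.text or "").strip(), strict=False)
        except ValueError:
            continue  # malformed entry; ClickHouse itself will reject it
        if net.prefixlen == 0:  # ::/0 or 0.0.0.0/0
            return True
    return any((rx.text or "").strip() == ".*" for rx in nets.findall("host_regexp"))


def has_no_password(user_el):
    """True if the user carries no credential (explicit <no_password/> or only empty fields)."""
    if user_el.find("no_password") is not None:
        return True
    for tag in CREDENTIAL_TAGS:
        el = user_el.find(tag)
        if el is not None and ((el.text or "").strip() or len(el) > 0):
            return False
    return True


def is_readonly_with_quota(user_el, users_root):
    """The tolerated public-API shape: a profile with readonly=1 and a quota assigned."""
    profile_name = (user_el.findtext("profile") or "").strip()
    profile = users_root.find(f"profiles/{profile_name}") if profile_name else None
    readonly = profile is not None and (profile.findtext("readonly") or "").strip() == "1"
    return readonly and bool((user_el.findtext("quota") or "").strip())


def audit(config_xml, users_xml):
    """'reachable_unauthenticated' is True only when all three opt-outs coincide."""
    cfg = ET.fromstring(config_xml)
    users_root = ET.fromstring(users_xml)
    users_el = users_root.find("users")
    open_users, tolerated = [], []
    for user in (list(users_el) if users_el is not None else []):
        if network_unrestricted(user) and has_no_password(user):
            bucket = tolerated if is_readonly_with_quota(user, users_root) else open_users
            bucket.append(user.tag)
    wildcard = listens_on_wildcard(cfg)
    return {"wildcard_listen": wildcard,
            "open_users": open_users,            # unauthenticated, unrestricted, full access
            "readonly_public_users": tolerated,  # unauthenticated but readonly + quota
            "reachable_unauthenticated": wildcard and bool(open_users)}


# Constructed: the three opt-outs stacked together (the exposure described in the thread)
BAD_CONFIG = "<clickhouse><listen_host>0.0.0.0</listen_host></clickhouse>"
BAD_USERS = """<clickhouse><profiles><default/></profiles><users>
  <default><password></password><networks><ip>::/0</ip></networks>
           <profile>default</profile><quota>default</quota></default>
</users></clickhouse>"""

# Constructed: localhost bind, default user IP-filtered and password-protected (placeholder
# hash), plus a public reader in the readonly-plus-quota shape described above
GOOD_CONFIG = "<clickhouse><listen_host>localhost</listen_host></clickhouse>"
GOOD_USERS = """<clickhouse>
<profiles><default/><public_ro><readonly>1</readonly><max_execution_time>10</max_execution_time></public_ro></profiles>
<users>
  <default><password_sha256_hex>PLACEHOLDER_SHA256_HEX</password_sha256_hex>
           <networks><ip>10.0.0.0/8</ip></networks><profile>default</profile><quota>default</quota></default>
  <public_reader><no_password/><networks><ip>::/0</ip></networks>
                 <profile>public_ro</profile><quota>public_api</quota></public_reader>
</users></clickhouse>"""

if __name__ == "__main__":
    for label, cfg, users in (("bad", BAD_CONFIG, BAD_USERS), ("good", GOOD_CONFIG, GOOD_USERS)):
        print(label, audit(cfg, users))
```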

      • pinoy420 20 hours ago

        Thanks for your insight. I got ratioed to fuck for trying to defend the standpoint that this is an unusual expectation of a regular engineer to stand this up correctly.

        https://news.ycombinator.com/item?id=42873134

        • dang 18 hours ago

          If you're referring to the downvotes on https://news.ycombinator.com/item?id=42873211, I think that comment would have done better if you had omitted the swipes, as the site guidelines ask: https://news.ycombinator.com/newsguidelines.html.

          e.g. "You are, in typical HN style, minimising the problem into insignificance" and "love how this is getting ratioed by egotistical self confessed x10 engineers". This is the sort of thing commenters here are asked to edit out of their comment, and when they don't, it's correct to downvote them (even though your underlying points may otherwise be correct).

      • throwaway314155 21 hours ago

        lol, nice. getting out in front of anyone even potentially pointing fingers at ClickHouse. Good initiative.

    • ceejayoz a day ago

      That used to be the default setup for Redis, too. Might still be. You aren’t supposed to have it on a public subnet.

      • SahAssar a day ago

        > You aren’t supposed to have it on a public subnet.

        That's an incredibly bad assumption. To have defaults assume that you are on a protected network (what does that even mean? like what permissions are assumed just because you are on the same network? admin?) is just bad practice.

        • ceejayoz a day ago

          Private networking for internal things like databases has been the standard best practice for a long, long time.

          • SahAssar 13 hours ago

            Safe default configuration has been the standard practice for even longer.

            • ceejayoz 7 hours ago

              I’m all for both.

      • achillean 18 hours ago

        It's not anymore! They actually changed their defaults and it helped tremendously to reduce the exposure of Redis instances on the Internet.

    • jazzyjackson a day ago

      I don't have personal experience but from a quick google it looks like the default setup is to accept connections on localhost only [0], and there's a default user without the capability to run SQL statements. They would have had to open remote connections and enable SQL capability for the default user (it looks like this is the first step to creating other users; the third step is removing SQL capability for the default user) [1]:

        1. Enable SQL-driven access control and account management for the default user.
        2. Log in to the default user account and create all the required users. Don’t forget to create an administrator account (GRANT ALL ON *.* TO admin_user_account WITH GRANT OPTION).
        3. Restrict permissions for the default user and disable SQL-driven access control and account management for it.
      
      [0] https://chistadata.com/knowledge-base/allow-clickhouse-to-ac...

      [1] https://clickhouse.com/docs/en/operations/access-rights

      • btown 21 hours ago

        From https://clickhouse.com/docs/en/operations/access-rights#acce...

        > By default, the ClickHouse server provides the default user account which is not allowed using SQL-driven access control and account management but has all the rights and permissions. The default user account is used in any cases when the username is not defined, for example, at login from client or in distributed queries

        This seems... very antiquated as a default? Clickhouse is relatively modern, first released in 2016, long after people were finding unauthenticated MongoDB servers left and right. Why not design it that starting a server requires at least a user-provided password in a config file? And then, even if that password was shared amongst all DeepSeek devs, at least it wouldn't be publicly accessible.

      • pedrovhb a day ago

        I imagine it wouldn't necessarily require their opening of remote connections, just a misconfigured reverse proxy.

      • slt2021 a day ago

      when deployed to kubernetes you will have to open up to remote conns (that's how they were using it)

    • kdmtctl 20 hours ago

      I suspect this is a docker container hijacking host firewall rules which is a common pitfall. Of course there should be an ingress and others, but it is also common to roll out a VPS in a hurry. No bad intentions from any side, just lack of practice.
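The Docker pitfall raised here, and the "listen on localhost but expose ports from Docker" case in the earlier ClickHouse comment, come from how published ports work: a `-p 8123:8123` (or compose `ports:` entry) with no host address binds 0.0.0.0, and traffic to that port is DNAT'd into the container and traverses the FORWARD chain rather than INPUT, so a ufw rule denying the port on the host never sees it. The script below is an added example for this thread, not Docker's, ClickHouse's or the commenter's code: it parses short-syntax port specs, flags the ones published on every interface, and rewrites them to bind 127.0.0.1. The port lists are constructed for the example; the assumption is a container image that listens on all interfaces inside the container, which is the usual arrangement for a containerised database.

```python
"""Flag Docker published ports that bypass a host firewall.
Added example for this thread, not Docker or ClickHouse project code.
Short port syntax shared by `docker run -p` and compose `ports:`:
  container | host:container | ip:host:container | ip::container  [/proto]
No ip means 0.0.0.0; the host-side rules that still apply to such traffic
live in the DOCKER-USER chain, not in ufw's INPUT rules."""
import ipaddress


def parse_port_spec(spec: str) -> dict:
    """Parse one short-syntax port spec into its components."""
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):                 # bracketed IPv6, e.g. [::1]:8123:8123
        end = spec.index("]")
        host_ip = spec[1:end]
        parts = spec[end + 1:].lstrip(":").split(":")
    else:
        parts = spec.split(":")
        if len(parts) == 3:
            host_ip, parts = parts[0], parts[1:]
    if len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        host_port, container_port = "", parts[0]   # ephemeral host port
    else:
        raise ValueError(f"unsupported port spec: {spec!r}")
    return {"host_ip": host_ip, "host_port": host_port or None,
            "container_port": container_port, "proto": proto}


def bound_to_all_interfaces(host_ip) -> bool:
    """No address, 0.0.0.0 or :: means every interface, public ones included."""
    return host_ip is None or ipaddress.ip_address(host_ip).is_unspecified


def exposed_ports(port_specs) -> list:
    """Return the parsed specs that publish on all host interfaces."""
    return [p for p in map(parse_port_spec, port_specs)
            if bound_to_all_interfaces(p["host_ip"])]


def rebind_to_loopback(spec: str) -> str:
    """Rewrite a spec so the host side listens on 127.0.0.1 only."""
    p = parse_port_spec(spec)
    if not bound_to_all_interfaces(p["host_ip"]):
        return spec
    out = f"127.0.0.1:{p['host_port'] or ''}:{p['container_port']}"
    return out if p["proto"] == "tcp" else f"{out}/{p['proto']}"


# Constructed compose-style port lists for a ClickHouse container
# (8123 HTTP, 9000 native, 9009 interserver).
RISKY_PORTS = ["8123:8123", "9000:9000", "127.0.0.1:9009:9009"]
SAFE_PORTS = ["127.0.0.1:8123:8123", "127.0.0.1:9000:9000", "[::1]:9000:9000"]

if __name__ == "__main__":
    for p in exposed_ports(RISKY_PORTS):
        print("published on all interfaces:", p)
    print("rewritten:", [rebind_to_loopback(s) for s in RISKY_PORTS])
```

Binding the host side to 127.0.0.1 (or to the private-network address of the VPS) is the fix that survives firewall changes; alternatively keep the wildcard bind and add the restriction in the DOCKER-USER chain, which Docker consults before its own forwarding rules.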

  • krick a day ago

    I'm not sure "irresponsible" is the word. Shouldn't this be, like, punishable by law?

    • varenc a day ago

      The vulnerable services were presumably fixed by the time this was published. I don't see anything wrong with releasing the details now.

tomlockwood a day ago

This doesn't look like a responsible disclosure, at all.

ed: I was wrong!

  • varenc a day ago

    From the article:

    > The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure.

    Assuming everything mentioned in the article was fixed before publication, I don’t see an issue with it.

    • tomlockwood 21 hours ago

      Yeah my bad I missed that and edited OP.

  • CamelCaseName a day ago

    Who's going to go after them? Heck, they may get an award for this.

    • krick a day ago

      Uh, I don't know, but cannot DeepSeek do that, for starters? Being located in a different country than the service you are attacking doesn't really make you immune to being sued.

    • megous a day ago

      If random security researcher does this kind of disclosure, fine.

      But if a serious company that seems to offer services to seemingly plenty of serious customers acts this way, I'd not want to be their customer, if they seem to have such a cavalier attitude, disclosing stuff without even a sniff of "we notified the company about the breach".

      • immibis a day ago

        It was fixed. Disclosing it after it's fixed is responsible.

lysace 21 hours ago

[flagged]

  • dang 18 hours ago

    Please don't take HN threads into nationalistic flamewar. It's not what this site is for, and destroys what it is for, regardless of which country you have a problem with.

    https://news.ycombinator.com/newsguidelines.html

    • lysace 18 hours ago

      Well, yes, but I don't think I did.

      Edit: Also: these things need to be discussed. Or can't they?

      Did you rate limit me for this?

      • dang 16 hours ago

        We didn't rate limit you. But I think you're underestimating the flamewar effect of a comment that begins "I honestly don't need to know more than: It's run from $Country".

  • nostradumbasp 21 hours ago

    Because you can download the models yourself and run them on your own hardware bypassing all of those concerns. Also, I would be far more worried what my government might do with my chat logs than a foreign one.

    • lysace 21 hours ago

      This post is about the service, not the model(s).

  • fulladder 21 hours ago

    Their models are open weights, and they are supported in ollama. You can run locally if you have sufficient hardware.

    • lysace 21 hours ago

      Well, thanks for not calling it open source! I did run it locally. It behaved as you would expect when asked about things the CCP cares about.

      https://hongkongfp.com/wp-content/uploads/2021/11/brave_udRs...

      • ryouna 20 hours ago

        Very easy to circumvent if you run the raw model locally, no different from how western models are lobotomized for liberalist/nationalist reasons.

        In fact these models are less lobotomized than western open source models.

      • billyjmc 20 hours ago

        Well, it is technically open source, open weights, and closed training set, right?

        (My recollection is that the training code is MIT licensed.)

        • lysace 20 hours ago

          I don't see any training code in the GH repos. There is inference code for DeepSeek v3.

          So "open weights" is accurate. We used to call this closed source...

  • kdmtctl 20 hours ago

    Not being a fan of CCP, I wonder how many times you did ask ChatGPT about CCP? Why bother suddenly? Should it matter for a Chinese model which is genuinely good in every other aspect?

    Don't take it personally, please. Just measuring my internal self which I inherited by coexisting many years with a similar regime.

    • lysace 20 hours ago

      I'm kind of old for HN. I (sort of) know what happened.

      I'm concerned about later generations and about this information getting deleted.

      I also think there's a clear risk of a currently democratic country becoming communistic within the next 20-40 years. Inevitably, mass murder follows.

      So I want what happened preserved in the day-to-day-consciousness, not deleted/censored.

  • llm_nerd 21 hours ago

    As a Canadian, I don't particularly care what the Chinese government knows about me. They represent zero threat to me, and honestly I'm rational enough to know that they don't particularly care what I'm up to.

    US companies, on the other hand...did you miss where all of the tech oligarchs lined up in an obsequious little row to proselytize before the newly anointed king? When they all went on a spree in advance to show their deference to his "vision", including simply pathetic podcast appearances?

    China has a lot of problems, but compared to what the United States has become, it looks positively harmless in comparison. Anyone who doesn't think the cabal of criminal administrative officials aren't going to completely annihilate your rights -- always with some "emergency" reason -- is blissfully detached from reality. It is currently the most dangerous nation on this planet.

    • lysace 21 hours ago

      1. I'm not American.

      2. The choice is not between US and China.

      3. Communism is just destructive. Trust me, you'll eventually figure this one out.

      • llm_nerd 21 hours ago

        I didn't assume you were American. But there is 100% chance that you share an enormous amount of information with American firms, given that they have exponentially more global reach. And if you're in Europe, the US literally represents more of a threat to you than China does.

        As to communism, thanks for the patronizing noise however the choice isn't between communism or a profoundly corrupt, lawless "democracy" where a nuclear armed, mega-military egotistical megalomaniac thinks "might makes right" and casually talks about manifest destiny.

samedev a day ago

Man! I used deepseek.com luckily I didn't use the same password as I use. :) Time to use ollama!