For example, using AI to write you TPS Report, probably fine; no one reads those anyway. On the flip-side, using it to write personal or engaging blog posts? Probably can be a bit soulless if you aren’t also heavily controlling the output.

I’ve often heard “If you can’t be bothered to write it, then I can’t be bothered to read it.”

Or, another example, “I used AI to take these 5 bullet points to make a five page report, that the recipient then used AI to turn back into 5 bullet points.”

The current wave of AI (roughly 2022–present) is dominated by transformer-based large language models that can generate text, code, and images. The capabilities continue to grow at a rapid pace. So are the risks: hallucination, deepfake-enabled scams, labor displacement, and the erosion of the ability to distinguish human from machine.

Some interesting cases with AI, to me, involve [[Security]], [[Privacy]], and skill augmentation. How these tools change the threat landscape (AI-powered phishing, voice cloning, automated vulnerability discovery) and how we can use AI to defend against AI. The reshaping of what “trust” means when you can no longer assume a message, image, or voice is from a real person.

As we all know, people like to categorize things, and this extends to grouping people based on certain characteristics of when they were born. The obvious ones are: “Baby Boomers” mainly based on the fact that there was a Boom in babies during that period. “Millennials” because they were at the turn of the millennium. While other groups are stuck with their holdover name like “Gen X”, “Gen Z”, and “Gen Alpha.”

I’d like to propose that the next generation being born and raised right now, which I think is “Gen Beta” will be known as “Generation AI” (aka “Gen AI”) because of the proliferation of AI tools becoming the new search engine.

In the past there were books, and group meetings to raise kids. Then people started googling and moving online, but there was usually other people grouped up in these sites. Now, though, you can do all that with AI. Asking AI nuanced questions and getting answers is the strength of AI.

So, now we are going to start seeing kids being raised by parents that will get a vast majority of their support through AI. Now, I am not going to make any sweeping thoughts on if this will be good or bad, but I do think it is interesting. Beyond to being “raised by AI”, this next generation will also have AI all through their life, similar to how “Gen Alpha” is a post-internet generation.

Anyway, I just wanted to make this post because I don’t think I have seen anyone try to coin the term for the next generation, and I found it interesting.

Now, as it is a new concept I do expect it to continue to evolve, and the processes around it to become a bit more concrete. But I have some thoughts on some aspects and the overall concept of how it might play out.

vibe coding vs googling

Let’s start with the obvious, what this is replacing. Before vibe coding started taking off, one of the most common ways to “generate” code was to use google. You’d often end up in places like StackOverflow where you might find a snippet close to what you were trying to do. You’d then copy and paste this – and it doesn’t work! Because you still haven’t updated it to work with your actual code. You still have to do a bit of critical thinking with how the code actually works and how you need to update it to make it work for you.

In most cases, this isn’t seen negatively. You simply need a function and get a boilerplate that is 90% of the way there. You update it. And it works.

Now sometimes copied code “works” out of the box and you can straight up paste it and run it without thinking. This is what I think early vibe coding was without the AI wrapper we are seeing now. And that is usually when people start running into trouble, because they didn’t really analyze how the code works and down the line it could end up being the thorn in the lion’s paw.

What the function is doing, if it is inefficient, or could even created vulnerabilities – this wasn’t considered by the developer. But, hey, it works, so all is good! “That’s a problem for future me” is what many would say to justify this.

vibe coding vs no code solutions

Where I can see a strong use case of vibe coding is as a no-code solution. There are already many tools out there that position themselves as low-code, visual-coding or no-code - and now we can add vibe code to that mix. In all intents and purposes you may not even need to see the code when you are “truly” vibe coding, so services like https://lovable.dev/ already are pushing for this “no need to view the code” mentality. Compared to https://www.cursor.com which is more adjacent to helping you with the code, but you can still just have it make something and run with it.

My opinion here is that a blind box solution can work but only in highly scoped solutions, but the real winner will be the more open-box solutions. There still will be a need to understand some concepts of programming - but that need is getting smaller all the time.

dabbling in vibe coding at a ctf

I would be a bit amiss to not including how I’ve dabbled in the idea of vibe coding.

There was a CTF I was at recently where, as with most hacking or red-teaming, anything goes. To that effect, I wanted to focus on what commercial AI models could do when it came to some of the challenges.

If you’ve not participated in CTFs (this was my first real life event) before, they are usually a mixed game of knowledge challenges, riddles and puzzles. Usually there are clues in the name or description of the challenge on what might be the way to complete it or where the flag might be. From there it is up to you think about the approach and what exploits or vulnerabilities exist that could get you there.

Vibe coding these exercises worked extremely well with one major caveat, you still need some baseline knowledge to guide the AI to the right place or be able to discern when the AI might be going off track. Now, I’ll admit that I am still a novice with CTFs, but by shifting to include AI in a way where I directed it what I needed, tested and reworked the code with it, I was able to successfully complete quite a few challenges.

At this point, I am fairly convinced that the tooling is at a point where this tooling is able to heavily accelerate the skills of threat actors to a point that adoption is required for those on the defense. I like to think of this as part of the evolution from one threat actor with one machine, to the many threat actors each with fleets of machines, to each threat actor to now a fleet of agents on a fleet of machines.

This has brought out a new layer of resources available to threat actors that need to be considered.

dabbling in general

Additionally to trying a bit of vibe coding with the CTF, I have also found AI helpful when I need a quick script made in a language I am comfortable with, like python. I generally know what I need, how to phrase and and can review the code (yes, I am not the best vibe coder in that sense) if needed.

I have also managed to generate an, albeit janky, app built on JavaScript and html. It wasn’t anything mind blowing, but it really does show that the generalist models, like Gemini 2.5 Pro, can handle complex functions and files. However, I want to reiterate that it still required a lot of coaching and realigning the AI to get it to stay on track.

Occasionally, once it got stuck on a loop of a problem it couldn’t fix, the best option was to have it generate a new handoff prompt and spin up a “new” chat and get that instance up to the same speed. I would bet that the dedicated tooling is much better, but I have not tested them just yet.

vibe coding and security

One of the largest concerns about vibe coding is the quality of the security of the code. This is where I think a lot of the ethos misses the mark. Sure, you could just “vibe out” a cool new app, but if you aren’t considering security in either a secure-by-design (which I guess that would mean to make sure the AI agent is prompted to consider it?) nor in code reviews (which is against the core idea of vibe coding), nor implementing any security testing – then this is just a disaster waiting to happen.

There are already instances of this already happening. So, yeah, this isn’t ready for primetime at its current state. It reminds me of when someone might spin up a VPS with LAMP and maybe Wordpress and then not put in any security controls around access to the server, and then within a few days it becomes compromised. It’s not that it isn’t a secure option - it’s just that it wasn’t considered correctly.

pre-requirements to be a good vibe coder

So what makes someone a good vibe coder? Or better yet, what makes good vibe coding? I think there is still a heavy need to actually understand what you are making - even if it is just handed to you and “works.” Beyond security concerns, there is just the ability to know what the code is doing and how it could be improved and what limitations it might have at that moment.

Will we get to a point that we don’t need to look at the code? Probably, or at least close to it. But for now we should recognize the limitations, but understand the fact that this can help someone really accelerate their coding proficiency.

I must preface this by stating I’m not an LLM expert; however, there is a lot of information to unpack. My aim is to highlight which aspects of Deepseek are crucial, worth considering now, and which remain unknown. I’ll try to break this down into a couple of topics; how it affects the current AI incumbents, is it safe to use, what information we could accept or should be critical of, and how this can affect things in the future.

Deepseek and the Incumbents

This is most likely where most have initially heard of Deepseek, that it is a new Chinese built LLM that is comparable to the most powerful, available, models from places like OpenAI. Benchmarks are available to analyze how different models compare. However, many people simply want to know whether it’s good, and in that regard, yes, it is.

A new model being better than an older one isn’t really news worthy in of itself, but it is more so the cases of how it was made, where it was made and its availability.

Starting with how it was made; this was a side project from a Chinese investment firm which was able to make this model with around $6 Million dollars worth of investment. It is important to be critical of this number for various reasons, but we should not overly focus on it. Even if it cost $100 Million, it would still be significantly less than what it has cost to create the models it is competing with.

The next key fact of its creation is that China is under an embargo from getting the latest computer hardware, e.g. chips. Meaning this model was trained on older hardware. Again, it should be noted there is a consideration of “standing on the shoulders of giants,” in that some research and development has already been done, and they were potentially leveraging other available models to support the training of this model. Regardless, they proved that it was relatively cheap to create this model.

Lastly, the model was made under an open license: meaning (1) the model is free to use and modify; (2) you can use their website or app and run the model on their servers; (3) you can also download the model and run it locally. Essentially, this means that you now have the ability to run a model on par with the best available from OpenAI for a fraction of the cost.

So in short, this was made extremely cheaply, provided freely with the ability for others to modify it for their needs - showing that maybe the incumbents with their access to powerful hardware may not be as untouchable as initially thought. Thus confidence fell, causing the stock market to react.

Is it safe?

With that being said, is it safe to use? Well, it depends.

Starting with the hosted version, from their website or app. When it first came out I was wary of it, mostly because it is a new SaaS tool and hasn’t really been reviewed or tested. So use at your own risk, and maybe don’t ask it (read provide it) anything personal or private. That wariness proved to be warranted as security researchers have already found a fully accessible database that they were using to chats and logs.

Additionally, Italy has begun pressuring them to review and adhere to various data processing laws. They did something similar with OpenAI’s ChatGPT when it first came out, and was later sufficiently reviewed and approved. However, with Deepseek, they have taken the stance that they only seem to fall under Chinese data laws; as that is where their servers and company are located.

So, is it safe to use the app and website? I would say no, not until they start adhering to and proving that they are handling data securely. Now, I do also think that when you use ChatGPT, Google Gemini or any of the other hosted AIs, you should always take care to avoid providing more information than you feel comfortable with being used and stored by them.

Consider using DeepSeek locally instead. Running a large language model (LLM) locally, without an internet connection, should offer more privacy since you control the computer processing the requests and have full control over it.

Being Critical

There is a point of contention on the model’s training data and censorship. The gist is, this model has censorships on things like the Tiananmen Square and other topics. Now, I think the topic of censorship is beyond this post, but I do want to say that all models are censored in some way; they will all have bias and you should always consider who built the model.

Furthermore, there are concerns about models being trained to provide seemingly harmless but actually malicious information. This is theoretically possible. It is important to carefully examine the information provided by any model before taking action.

I have often taken the stance that you should treat an AI like an Intern, where they have a lot of time to get you answers on things or confirm things, but they can get things wrong. And they are heavily dependent on how you ask them to do something. In short, use them to augment and not replace you processes.

The future

In summary, DeepSeek has demonstrated that creating a powerful large language model (LLM) doesn’t require massive hardware investments like OpenAI and others have made. This opens up the possibility of more players entering the field. However, it also highlights the importance of not blindly trusting new SaaS offerings with sensitive information until they have been thoroughly vetted.

For now, it might be prudent to avoid using the app until it has passed regulatory scrutiny in both the EU and US. Although these regions have their own biases, a consensus of reviews can help establish a baseline level of security.

We will probably see more models come out that are based on Deepseek, or trained in similar ways. This also applies to the big players, who should also benefit from this information to optimize their own training on top of having the most compute power to do even more.

Time will tell if this pushes to more availability of LLM models, or if the most powerful will still be closed behind big technology players.

Because as we know, strong defenses are only useful if they actually get used.

First let’s start with making a scammers job harder to begin with.

Lockdown accounts

This isn’t just make sure you have secure passwords and MFA - which you should have. Locking down your accounts means being aware of what you post, how someone could determine information about you, like where you are, problems you might have, interests they could tempt you with, and so on.

With AI, if there are videos or pictures of you - which I am sure there are of most people - then you could be cloned fairly easily. Honestly I don’t expect people to not post these types of things, which is why diligence is key.

Making accounts private, culling your followers, using multiple accounts to professional and personal interests. These can help minimize the potential knowledge scope on you if you are targeted.

Additionally, making sure you can recover your accounts and that your recovery email is well protected.

In short:

• Make sure your posts aren’t more revealing than you want them to be
• Know who follows you
• Take your account private by default
• Consider multiple accounts to split between public and private

This is something everyone should do, and you should do it on a cadence that makes sense. Because settings change, your tolerance for posting personal information changes and all that should be considered over time.

Set up strong authentication

Get a password manager, randomize your passwords, and if possible randomize your emails too! On top of all that, set up MFA where possible. I suggest software plus hardware (like a YubiKey).

Also, if you are helping a parent or loved one, then a family account with the password sharing may help when needed. We have all been there when their parent can’t remember the password to an account they need your help with, and you have to go through the recovery dance.

Avoid clicking suspicious links

This should also be an obvious one, but just don’t click links you don’t trust. These are links randomly texted to you, or just don’t look right (like fedex-com[.]net).

Now obviously clicking on links in social media is going to happen. Just make sure before you do click. And if you’re a bit suspicious of it. Google the website and the title of the article instead.

With that being said, suppose you’re targeted and a bad actor is realistically posing as someone you know. Maybe it’s a phone call, or a voice message, or even as sophisticated as a video call - all leveraging AI tooling.

Secret family codes

I see this being suggested a lot. And it can be helpful, but really it is a historical knowledge challenge. So, realistically the best way to leverage this in your daily life is to ask questions only the two of you might know. Like a conversation you had previously or the last place you ate and what you ordered.

Obviously people are human, and I’m not the only one that forgets what I had eaten a day or two later. Also, as mentioned earlier, depending how open your life is on the internet someone might know what you ate last Sunday because you posted it on your stories.

Better yet would be to use intimate knowledge. These are things like inside jokes the two of you might have, personal discussions or other things that have a very low chance of being online.

Which is why creating a code phrase can still be helpful, as it is a better type of shared knowledge - intimate knowledge.

Secondary channel of communication

Another way to check if someone is who they say they are is to either ask them to send you the same message on a known secure form of communication you two share. This could be instagram DMs, signal messaging, or something where they need to authenticate to access. Or you could reach out yourself and not tell them you’re planning to do it.

Now this isn’t perfect either, especially if the bad actor has already compromised those accounts and has access.

Third person check

Now if you really aren’t sure how compromised that person might be. You can also reach out to someone else that is close with them to check. Depending on the time of day it could be a colleague, or a partner, someone you expect them to be with at that moment, have seen recently or will see soon. They can then work one physically finding the person to confirm if it is them. Or might be able to confirm the request.

Lastly is education, not only for yourself but others around you. Knowing not only who is aware, but also the extent they are capable of. The sad truth is, the most vulnerable are often targeted the most. Knowing who you might have around that needs the extra help can make all the difference in the world.

Again, the best tools are the ones that are used, and the more in use the more layers of defense you have available.

How scams are changing

I want to reiterate that who this is most important for isn’t necessarily going to be the reader, nor most of their immediate friends and family. It will be the grandparents and older generations. Yes I do hope you learn something or use one of these techniques, but I also want you to be proactive.

There’s an event I was told of, which didn’t involve AI but is of the same vein of directed attacks. The scammer was watching a home of an elderly woman. Their adult children were visiting and some left for home. About 10 minutes later the woman received a phone call from the scammer, posing as one of the people that had just left, saying that the other was in trouble with the police and needed to pay a fine otherwise they were going to go to jail. Luckily the woman didn’t recognize the voice, and instead called someone else to check.

Now imagine if this same tactic added AI generated voice copies of the person they know? Just being that little more convincing could have lead to a successful scam. It’s these enhancements that people need to be prepared for.

As with everything in security, the bad actors only need to succeed once - so be diligent!