That is precisely what happens. It is not unusual for code and databases to be written in English, even when the developers are from a non-English speaking country. Think about it: the toolchain, programming language and libraries are all based on English anyway.

There is some merit in asking your question, for there’s an unspoken rule (and a source of endless frustration) that business-/domain-related terms should remain in the language of their origin. Otherwise, (real-life story) "Leitungsauskunft" could end up being translated as "line information" or even "channel interface" ("pipeline inquiry" should be correct, it's a type of document you can procure from the [German] government).

Ironically, I’m currently working in an environment where we decided to translate such terms, and it hasn’t helped with understanding of the business logic at all. Furthermore, it adds an element of surprise and a topic for debate whenever somebody comes up with a "more accurate translation".

So if anything, English is a sign of a battle-hardened developer, until they try to convert proper names.

Depending on the company culture and policy, the most common thing to see is a mix of English variable and function names with native-language comments. Occasionally you will see native-language variable and function names. This is much more common in Latin character set languages (especially among Spanish and Portuguese speakers) in my experience; almost all Chinese code seems to use approximately-English variable and function names.

I'm a native English speaker, but from looking at various code bases written by people who aren't, I gather that it's basically this. It wasn't too long ago that one couldn't even reliably feed non-ASCII comments to a lot of compilers, let alone variable and function names.

Yes, that's what we did and do.

Depending on the project, I do use german variable names and comments at times, but stopped using all special characters like öüäß, they mess things up, despite in theory should just work fine.

Nowdays even chrome dev tools come in german, but experience shows, translated programming tools (or any software really) usually just have the UI a bit translated. But any errors you encounter or any advanced stuff will be in english anyway. And if you google issues of your translated UI, you won't find much, so better just use the original version.

So english it is.

(And it is the lingua franca in most parts of the world anyway)

When I interact with it by asking it a question in Spanish, the parts between the <think> ... </think> are in English before it goes on to answer in Spanish.

Give it a try in your favourite language.

I went on to ask it if it "thinks" in English, Spanish or Chinese but it just gives the pat answer that, being an LLM, it doesn't think in any language.

That said, many developers might still prefer Turkish for naming DB tables, fields, variables, types and so forth if that’s the preference of the team. It wouldn’t be an exceptional situation. It’s quite easy too since Turkish also uses a Latin alphabet. May not be as easy or preferable in Chinese.

This way, you don't have to change keyboard layout while writing code.

Anyway, you're forced to learn some English when doing any real software development.

I mean we're kind of an outsourcing hub so it makes sense. Even some of our companies outsource further to the east so you really can't avoid it.

PS: I remember quite a while back when Wargaming's World of Tanks became a big thing they had to translate everything from Russian to English because they wanted to get foreign developers involved as well. Never heard of the reverse happening.

See also: aviation.

As programming languages keywords and APIs are written in english, it just looks better to keep it that way for identifiers and internal doc, the other way causes a dissonance for me which feels unconfortable.

Not only that. All of the code I (not a native English speaker) write, even if only I will ever see it, is in English - comments too. And I'm pretty confident all my colleagues do that too.

Might be different for languages with large population of native speakers (Croatian is just a few mil so we're more exposed to it), but you still can't avoid using English for tools / libs / docs / research papers / stack overflow...

That's how it goes, at least around Europe. People know English as a technical jargon (similar to legal French and Latin in English) and can juggle enough to get around documentation, but I've been in companies where I was the only fluent English speaker (and we're talking startup stuff). That gave ma a bunch of cool opportunities though, being pulled in every other meeting as the designated translator.

I do occaisonally find code with variable names in other languages, but it's very rare, for the most part if you want to code, English is the way.

I've also seen a few devs who used Hebrew variable names but spelled in English (`shalom` instead of שלום).

English is the universal language in programming and software engineering, much like Latin was the universal scholarly language in the past. Sometimes even to the extent that the language starts leaking from the code and technical documents, reports, etc. are being written in English, often just because the people working close to the software are more familiar with the terminology in English than in their native language.

https://en.wikipedia.org/wiki/Non-English-based_programming_...

However, I suspect it's a honey pot.

Don't forget Shenzhen is a stone's throw away from Hong Kong where English is widely spoken.

Yes, coding in english is the standard.

It just makes things A LOT easier in terms of debugging, researching, reading examples from documentation, etc etc. I don't even understand my (boomer) colleagues who straight up refuse to learn english and get angry when they can't find solutions with german search input

That.

There's also a huge mental switching context cost when you try to have code mixing, say, french and english together:

    size_t taille;
    site_t taille_domaine;

    size_t length;
    size_t domain_length;

But we pretty much all name our functions/methods/variables/etc. and write our comments in english.

FWIW when I code I actually both think and count in english.

As I understand, the finish reason being “stop” in API responses usually means the AI ended the output normally. In any case, I don't see how training data could end up in production logs, nor why they'd want to prevent such data (a prompt you'd expect to see a normal user to write) from being responded to.

> [...] I'm guessing Wiz wanted to ride the current media wave with this post instead of seeing how far they could take it.

Security researchers are often asked to not pursue findings further than confirming their existence. It can be unhelpful or mess things up accidentally. Since these researchers probably weren't invited to deeply test their systems, I think it's the polite way to go about it.

This mistake was totally amateur hour by DeepSeek, though. I'm not too into security stuff but if I were looking for something, the first thing I'd think to do is nmap the servers and see what's up with any interesting open ports. Wouldn't be surprised at all if others had found this too.

- Password authentication (bcrypt, sha256 hashes) - Certificate authentication (Fantastic for server to server communication) - SSH key authentication (Personally, this is my favourite - every database should have this authentication mechanism to make it easy for Dev to work with)

Not very popular but LDAP and Http Authentication Server are also great options.

I also wonder how DeepSeek engineers deployed their ClickHouse instance. When I deployed using yum/apt install, the installation step literally ask you to input a default password.

And if you were to set it up manually with ClickHouse binary, the out-of-the-box config seal the instance from external network access and the default user is only exposed to localhost as explained by Alex here - https://news.ycombinator.com/item?id=42871371#42873446.

> The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure

I did the same a while ago, an education platform startup had their web server misconfigured, I could clone their repo locally because .git was accessible. I immediately sent them an email from a throwaway account in case they wanted to get me in trouble and informed them about the configuration issues. They thanked me for the warning and suggestions, and even said they could get me a job at their company.

Wiz folks are notoriously shady. They cross the line a ton. They did this to Amazon and Microsoft to make a name among other. Super unethical.

Their product isn't terrible but their sales people are just terrible. Completely off-putting. Most of them are idiots from zscaler.

Likewise, there may be Chinese laws were violated. However, outside of China they are a moot point.

DeepSeek & users that had data exposed here should be thanking Wiz.

They are getting DoS’d by us gov too so they were only trying to help /s

For most people, bash is not a tool for interacting with the computer, it is how they express their frustration with the computer (sometimes leaving damaged keyboards).

But also one those of us actually working on foundational AI saw coming a mile away when most of the top research of late has been happening in Chinese labs, not American or European ones.

Can't wait to see what this boneheaded President's tarrif on TSMC does to this situation.

NVIDIA's stock has been super bubbly—all DeepSeek did was set off itchy investor trigger fingers that were already worried about its highly inflated price.

DeepSeek uses H100s and H800s. They'll likely have reasons to buy more now, and America will want to compete even harder, buying more chips.

American companies are still way ahead as well, but they're just getting more competition. This will be healthy.

Personally, I know I've lost a lot of street cred amongst certain work circles in recent history as far as my thoughts of 'shops should pursue local LLM solutions[0]' and the '$6000 4-8 tokens/second local LLM box' post making the rounds [1] hopefully gives orgs a better idea of what LLMs can do if we keep them from being 100% SAASlike in structure.

I think a big litmus test for some orgs in near future, is whether they keep 'buying ChatGPT' or instead find a good way to quickly customize or at least properly deploy such models.

[0] - I mean, for starters, a locally hosted LLM resolves a LOT of concerns around infosec....

[1] - Very thankful a colleague shared that with me...

"This is good for Nvidia" is the 2025 version of "this is good for bitcoin"

A lot of people want to poke at Chinese weakness wherever it’s exposed because Americans are used to being the best and also unconscious racism. When Japan was about to overtake the US the US pulled some similar moves and that is partly what’s responsible for japans current economic funk. It’s unlikely these moves will work on China.

This whole thing should be an eye-opener to most people.

To ask an honest question, who gives a crap if a Chinese company manages to grab data that many of the usual Silicon Valley suspects have had all along and have been incrementally updating? How is this a "threat".

To pile on another gripe, why the hell does every single media outlet point out the "Tienanmen Square" question?

The whole thing has just become embarrassing. I honestly can't fathom what worse China could do with my personal info than the likes of say, Meta. I'm not saying I would enjoy it, but I just don't see how it could be more harmful than the Silicon Valley status quo.

No it isn't (well it probably is too). This is the rather naff nation state bollocks in play.

You have either or both of "some bigger boys found a more efficient way of doing something I thought I was good at" and "I've wet myself".

[0] https://www.spiegel.de/international/business/we-know-where-...

I doubt it very much that it only was that and not massivly backed by the Chinese state in general.

As with OpenAI, much of this has to do with hype based speculation.

In the case of OpenAI they played with the speculations, that they might have AGI locked up in their labs already and fueled those speculations. The result, massive investment (now in danger).

And China and the US play a game of global hegemony. I just read articles with the essence of, see China is so great, that a small sideproject there can take down the leading players from the west! Come join them.

It is mere propaganda to me.

Now deepseek in the open is a good thing, but I believe the Chinese state is backing it up massivly to help with that success and to help shake the western world of dominance. I would also assume, the chinese intelligence services helped directly with Intel straight out of OpenAI and co labs.

This is about real power.

Many states are about to decide which side they should take, if they have to choose between West and East. Stuff like this heavily influences those decisions.

(But btw. most don't want to have to choose)

The client facing aspect isn’t the problem here. This linked article is talking about the backend having vulnerabilities, not the client facing application. It’s about a database that is accessible from the internet, with no authentication, with unencrypted data sitting in it. High Flyer, the parent company of Deep Seek, already has a lot of backend experience, since that is a core part of the technologies they’ve built to operate the fund. If you’re a quantitative hedge fund, you aren’t just going to be lazy about your backend systems and data security. They have a lot of experience and capability to manage those backend systems just fine.

I’m not saying other companies are perfect either. There’s a long list of American companies that violate user privacy, or have bad security that then gets exploited by (often Chinese or Russian) hackers. But encrypting data in a database seems really basic, and requiring authentication on a database also seems really basic. It would be one thing if exposure of sensitive info required some complicated approach. But this degree of failure raises lots of questions whether such companies can ever be trusted.

Can we stop with this nonsense ?

The list of author of the paper is public, you can just go look it up. There are ~130 people on the ML team, they have regular ML background just like you would find at any other large ML labs.

Their infra cost multiple millions of dollar per month to run, and the salary of such a big team is somewhere in the $20-50M per year (not very au fait of the market rate in china hence the spread).

This is not a sideproject.

Edit: Apparently my comment is confusing some people. Am not arguing that ML people are good at security. Just that DS is not the side project of a bunch of quant bros.

Data breaches from unsecured or accidentally-public servers/databases are not unusual among much larger entities than DeepSeek.

A large scale DDos is being directed against deepseek.

US big tech wants to quench the competition.

No one is here as far as I can tell. But if you've ever been a software engineer who is required to work with someone purely from an ML lab and/or academia, you'll quickly discover that "principled software engineering" just isn't really something they consider an important facet of software. This is partly due to culture in academia, general inexperience (in the software industry) and deeply complicated/mathematical code really only needing to be read by other researchers who already "get it", to a degree.

Not an excuse but rather an explanation for _why_ such an otherwise impressive team might make a mistake like that.

I would recommend that. Bitwarden is a pretty good open-source password manager. You can install it as a plugin in your browser, so it can fill out your password for you so you don't have to manually copy and paste.

You can fault them for disclosure practices though :-)

If your information is sensitive, do not use an LLM by public API - absolutely all of your data is being stored and processed. For all of them.

Downvoted - because of course the CCP wouldn't want all of this data, that's preposterous. What would they even do with it? /S

Kinda like how your comment was grey within 1 minute, despite stating an objective truth.

Sure, this is to be expected given the billions and billions of dollars at stake but like - that money is gone lol. DeepSeek isn't going back in the bottle, nor is open source AI in general.

> The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure.

Assuming everything mentioned in the article was fixed before publication, I don’t see an issue with it.

https://news.ycombinator.com/newsguidelines.html

Don't take it personally, please. Just measuring my internal self which I inherited by coexisting many years with a similar regime.

US companies, on the other hand...did you miss where all of the tech oligarchs lined up in an obsequious little row to proselytize before the newly anointed king? When they all went on a spree in advance to show their deference to his "vision", including simply pathetic podcast appearances?

China has a lot of problems, but compared to what the United States has become, it looks positively harmless in comparison. Anyone who doesn't think the cabal of criminal administrative officials aren't going to completely annihilate your rights -- always with some "emergency" reason -- is blissfully detached from reality. It is currently the most dangerous nation on this planet.