@bingbong @reverseics ya, I freely admit I have no knowledge of the experience or quality of the anthropic team. Which goes both ways. Experienced people make mistakes, and inexperienced people find gold.
rrdot@infosec.exchange
Anthropic wrote a blog post about their LLM finding 0days in open source projects.

I see a lot of “vibes” about it, but has a real nonpartisan data scientist analyzed by key swing states what the SAVE act may do to the midterms?

@hacks4pancakes no joke this is a bad bad direction to go. Scary as shit.

@reverseics I think the real question is whether or not you would have gone down this path and spent that amount of time if there wasn't the llm "pointing the way."
As part of the exercise, you've given the oh-day claim good faith and likely spent a bunch of time you might not have otherwise. This is probably because the anthropic peeps do not have a lot of experience doing vuln research, so they are pushing stuff that "qualifies" as vulns, but not from an experienced perspective. Not really, at least.
I dunno. To quote brighter minds than mine, the llms are "typicality" matchers not "correct" matchers. Will that work sometimes? For sure. Will it waste your time sometimes? Absolutely.
I guess it comes down to why we look for vulns. To find them, sure. But I'd argue because the hunt and the understanding and surprise is so damn rewarding. You're not surprised by what's typical. Apart from the fact that the typical keeps happening...