It reduces the cost significantly.

A good security expert earns how much per year? And that person works 8/5.

Now you can just throw money at it.

The CIA and co. surely pay more than 20k (that's what the Anthropic red team stated as the cost of a complex exploit) for a zero day.

If someone builds some framework around this, you can literally copy and paste it, throw money at it and scale it. This is not possible with a human.

reply
> It reduces the cost significantly.

> Now you can just throw money at it.

What happens when you throw enough money at it that it raises the cost significantly?

reply
But that's the thing, it's already competitive and it's not even released.

The CIA, the FBI, and states easily pay 100k for a zero day.

Plenty of companies have security expert staff on file.

And it will become cheaper and easier to use, fast.

reply
chef's kiss

Logged in just to show some love. +1 for the economics. +1 again (if I could) for the truth-to-power.

We need a lot more of this kind of multi-disciplinary skepticism to counterbalance the industrial grade rockstar ninja 10x Kool-Aid drinking.

reply
Right, but what is interesting is that you can buy it off the rack for the price of tokens. You don’t have to do a specialist search for a security expert, pay a recruiter, hire them, wait for the specialist to start, pay them a signing bonus, pay them an expert-level salary, pay their social security taxes, healthcare benefits, and finally pay for an exit package when you lay them off because the project got canceled. You buy tokens when you need them and you stop buying when you don’t. This was the same dynamic that made cloud computing more interesting than company-owned servers in a company-owned data center. It’s more responsive to business needs and it falls under the development expense budget, not payroll, so you can do it even during hiring freezes.
reply
But, you do have to have at least an employee or contractor skilled enough to actually understand the scope of a given bug report from the agent in order to determine validity. I've seen plenty of legit bug reports by humans get dismissed because the reviewer didn't understand the material impact or how the bug/exploit worked.
reply
Yep, sure. So, maybe you hire one and not three. The point is, it’s going to be fewer. Of course, all that assumes the AI is actually as good as a human, which I’m still skeptical of.
reply
This is the weirdest take I've seen.

It takes humans a very long time to learn how to code/find bugs. You just can't take any human and have them do it in a reasonable amount of time with a reasonable amount of money.

Claude is effectively automation: once you have the hardware you can run as many copies of the model as you want. Factories can build hardware far faster than they can train more people.

It's weird to see a denial of the industrial revolution on HN.

reply
A bit uncharitable no?

I’m not denying that LLMs can be used to improve security research, or suggesting that their use is wrong or anything like that.

Humans have used software to research security for a long time. AI driven SAST is clearly going to help improve productivity.

reply
Quantity is a quality.

Humans have been burning stuff for a very long time now; it's when we started burning coal en masse industrially that the global environmental impacts started stacking up to the point of considerable damage.

reply
Ahem. Let's please not go off into areas outside of the topic and end up repeating political talking points from people with agendas.

Coal, even a home coal fired boiler of the 1940s vintage, is just about as clean as solar, when compared to open cooking fires burning dung, which is the "most popular" method of harnessing combustion on Earth, measured per ton over per capita. Even going from wood to coal is a huge step up in pollution reduction compared to old school methods of burning randomly sourced trees. (Your rocket heater doesn't count. That wasn't even a twinkle in an inventor's eye when coal started to become popular.)

Source: did my senior P-chem work on smog. Then saw the theory made manifest (in a way that no amount of schoolwork could possibly replace) by looking at particulate build-up on a glacier with my own eyeballs. Pollution you can see, and hold in your hand will make this more clear than any amount of chart and graph reading about PM2.5 this and that.

Also: I hate that I had to self-censor my use of emdashes because I don't want my lived experiences to get flagged as chatbot slop. Grrr.

reply
You still need people in the mix that understand the scope, scale and impact of the exploits/bugs found. Just letting agents go wild is how you get slop over time... You can probably get away without them to an extent, but I'd suggest that you're likely to increase the risk of errors and misbehavior in practice over time by not checking agent work.

Even checking human work is often a shortcoming of processes in practice.

reply
There's an actual word-phrase for this exact concept applied more broadly to Defense in general:

Arms race

reply