HackerTrans
TopNewTrendsCommentsPastAskShowJobs

jgeralnik

no profile record

Submissions

Evaluating GPT-5.2 Thinking: Cryptographic Challenge Case Study

irregular.com
1 points·by jgeralnik·vor 7 Monaten·0 comments

Cursor Bird

open-vsx.org
1 points·by jgeralnik·vor 8 Monaten·0 comments

Vibecoding my way to a crit on GitHub

furbreeze.github.io
3 points·by jgeralnik·vor 8 Monaten·0 comments

The bold gamble that helped Wiz CEO Assaf Rappaport win a $32B deal

fortune.com
2 points·by jgeralnik·vor 9 Monaten·1 comments

comments

jgeralnik
·vor 3 Monaten·discuss
The wonderful thing though is that you can just run the model multiple times (even in parallel). Some instances might get stuck but as long as some find the bug and you have a good way to filter outputs (e.g. with another llm that tries to create concrete exploits) even a very small success rate on stage 1 can lead to reliable exploits
jgeralnik
·vor 6 Monaten·discuss
I think there’s something very interesting here and would be interested in hearing more about the date discrepancies- it’s a shame the article is mostly just the raw output of gemini instead of more commentary
jgeralnik
·vor 7 Monaten·discuss
Ah, fair enough. Anthropic caches at a block level (basically a single message) so for non-trivial messages this is really less of a concern, although I definitely understand why they still scope cache to a single tenant
jgeralnik
·vor 7 Monaten·discuss
Anthropic requires explicit cache markers but will “look backwards” some amount, so you don’t need to fall on the exact split to get cached tokens
jgeralnik
·vor 7 Monaten·discuss
Right, you can’t actually guess a letter (byte) at a time but you can guess a token at a time (I believe the vocabulary is 200000 possible tokens in gpt 5) So you could send each of the 200000 possible tokens, see which is cached, and then send 200000 more tokens to find the next cached token Certainly less efficient but well within the realm of a feasible attack
jgeralnik
·vor 7 Monaten·discuss
A remote code execution bug in ios is valuable - it may take a long time to detect exploitation (potentially years if used carefully), and even after being discovered there is a long tail of devices that take time to update (although less so than on android, or linux run on embedded devices that can’t be updated) That’s why it’s worth millions on the black market and apple will pay you $2 million dollars for it

An XSS is much harder to exploit quietly (the server can log everything), and can be closed immediately 100% with no long tail. At the push of an update the vulnerability is now worth zero. Someone paying to purchase an XSS is probably intending to use it once (with a large blast radius) and get as much as they can from it in the time until it is closed (hours? maybe days?)
jgeralnik
·vor 9 Monaten·discuss
It actually sounds like they just want a switch