[ my public key: https://keybase.io/dboreham; my proof: https://keybase.io/dboreham/sigs/lC9hM5haXXukH2rF_cFeB6gdtV0kXfHF7jZdZUdlkE4 ]
Verifying my Blockstack ID is secured with the address 1L7ikyCFhG5zyVSosrQYDs2ZG4ikEFqgBQ https://explorer.blockstack.org/address/1L7ikyCFhG5zyVSosrQYDs2ZG4ikEFqgBQ
I saw the title and assumed an article by Wolfram. But it's by Tim Roughgarden who I know from algorithmic game theory. Anyway, I'll register my membership in the "it's more fundamental than that" camp.
My experience has been that Claude/Opus will ask me questions, although sometimes I have to step in and redirect a bit. Codex/GPT just dives in and cranks code out, which after using Claude for a year I found rather concerning. It wrote working code though. Claude/Fable does something similar (asks far fewer questions than Opus) fwiw.
Ok thanks. Executed on that. I had it build a simple project (actually not so simple since it involved domain knowledge about snowpack and ice) and also gave the same prompt to Opus and to Fable. When I get some spare time I'll write an article highlighting the differences between all three.
Nudged by this thread, I've decided to switch from Claude to Codex for a bit to see what happens. But...I immediately became lost in their marketing vortex of confusion on plans and pricing. Anyone care to tell me which plan I should be using? On the other side I use the $100 Claude Code plan. We actually have a "Business" ChatGPT subscription already, which seems to be $50/mo/seat. OpenAI's web site offers a set of individual subscriptions (for parity with CC presumably) which I suspect weren't available when we signed up for ChatGPT. I think that in turn happened due to some web site feature it didn't allow for free users (uploading PDFs, something like that). Perhaps I should switch from that business account to an individual subscription for Codex?
But aren't the politicians also corrupt? (or at least most of them) One therefore assumes that any action by congress must be corrupt. This appears borne out by the evidence over the past few decades.
Ok but my understanding from the article was that the bug is "it always allows what shouldn't be allowed", therefore any negative outcome test should have failed (or at least a very very simple one). Again I'm sure I'm misunderstanding something about the context here.
If the author is here: thanks for that, interesting read, and also nice to note the absence of a marketing name for the bugs. If you have time, couple (edit: three) questions:
1. Could you expand on this? "That human-in-the-loop step still matters a lot, because AI candidate findings are cheap while trustworthy reports are not."
Roughly how many candidate reports did the LLMs create vs the eventual 7 true vulnerabilities?
2. As I was reading "CP-ABE access-control break via AND-share bug" I thought "why wasn't this caught with a test?", which was going to be my question but clicking through to the commit (thanks for that too btw) I see there was a regression test added: https://github.com/cloudflare/circl/commit/def2fd35b8535b0b8...
but I'm wondering why there isn't a test further up the stack that is simply checking "can't decrypt if the required attribute isn't present"? Seems similar to those situations where nobody thought to test an auth system for "user can't log in when they present the wrong password"!! Perhaps I'm missing some subtlety though.
3. This is probably a dumb question, but I wasn't sure (even after reading the linked article on zkao) exactly what zkao actually is. One description seems to be "a system for continuously running an LLM audit pass on a codebase". But that can't be right because this article talks about running it on the LLM-found vulnerability reports. Is it an LLM? (but better than the frontier LLMs?) Anyway, bit confused and would appreciate some clarity.
I think you could ignore their legal argument in the civilized world but in the USA perhaps not. The very concept of a "formally recognized diagnosis" is American health insurance industry gaslighting (also not a formal diagnosis fwiw). It means nothing in other countries.
For the similarly confused: it displays times in your local browser time zone, not the time zone of the actual train. I'm pretty sure this is an oversight since there's no universe in which I want train times not in their native time zone.
I suspect there are many things AI can do to help people and make their lives better. But that's not how business works: products get made and marketed because they make their owners more money. Totally different goal.
Verifying my Blockstack ID is secured with the address 1L7ikyCFhG5zyVSosrQYDs2ZG4ikEFqgBQ https://explorer.blockstack.org/address/1L7ikyCFhG5zyVSosrQYDs2ZG4ikEFqgBQ