HackerTrans
TopNewTrendsCommentsPastAskShowJobs

gbrindisi

2,370 karmajoined hace 16 años
I do security and I write about it here:

https://cloudberry.engineering

Submissions

Automating Code Security Reviews

cloudberry.engineering
2 points·by gbrindisi·hace 2 meses·0 comments

Scaling Vulnerability Management with AI: What Worked

synthesia.io
8 points·by gbrindisi·hace 4 meses·3 comments

Facing bankruptcy after unauthorized Gemini API usage of about $128k

old.reddit.com
5 points·by gbrindisi·hace 4 meses·1 comments

Agentic Risks

cloudberry.engineering
1 points·by gbrindisi·hace 4 meses·0 comments

Sandboxing Agents

cloudberry.engineering
1 points·by gbrindisi·hace 4 meses·0 comments

I Automated a Daily Intelligence Briefing with OpenClaw

josecasanova.com
1 points·by gbrindisi·hace 5 meses·0 comments

comments

gbrindisi
·hace 5 días·discuss
I also notice the growing trend to have EM carry individual contributor duties, I thought it was mostly a consequence of using coding agents but perhaps it's not: the EM figure as we know might just be a consequence of the golden zirp times (do you remember the endless technical EM vs non-technical EM debates?)
gbrindisi
·hace 22 días·discuss
It's not just AI, these are the consequences of affiliate marketing. Just look at the crap that is YouTube nowadays.
gbrindisi
·el mes pasado·discuss
I like the pattern of making a dedicated cli/harness and just build a skill to teach coding agents to use it.

At $work we built a thorough workflow to do security reviews, which is a pure skill to simplify adoption https://www.synthesia.io/post/automating-code-security-revie...

But the user experience is tricky because if we aim for very low false positives the run time for this kind of workflows is too long, it's then hard to justify blocking PRs.
gbrindisi
·hace 2 meses·discuss
I protest the modern web by trying to consume all content via RSS.

The feed reader shall be my main window to the world, and I am sorry that it's not obvious to content creators that I read them so I often send an email on the note of "I enjoyed this article you wrote, thanks".

I write a small blog myself and I see the other side of it, but I just gave up on SEO, metrics, etc. I want to be the change I'd like see in the world: I publish full content RSS, I remove all analytics, make the website as lean as I can, put out my contact data and my only success metric is # of interactions I get with occasional readers.
gbrindisi
·hace 3 meses·discuss
This is pretty much a spec driven workflow.

I do similar, but my favorite step is the first: /rubberduck to discuss the problem with the agent, who is instructed by the command to help me frame and validate it. Hands down the most impactful piece of my workflow, because it helps me achieve the right clarity and I can use it also for non coding tasks.

After which is the usual: write PRDs, specs, tasks and then build and then verify the output.

I started with one the spec frameworks and eventually simplify everything to the bone.

I do feel it’s working great but someday I fear a lot of this might still be too much productivity theater.
gbrindisi
·hace 4 meses·discuss
are agents/ still relevant after we got skills? I am genuinely confused on why I would need custom system prompts for specific agents, what should I use them for?
gbrindisi
·hace 4 meses·discuss
thanks for raising the alarm and sharing this, very insightful

(also beautifully presented!)
gbrindisi
·hace 4 meses·discuss
1. I dont have hard metrics at hand but with the latest Sonnet I'd say we reach consensus around 80% of the time, with Opus is almost always but we are not using it due to cost

2. The difference I see in agent behavior when they don't reach consensus is usually either

- when one of them didn't explore enough and lack context

- and/or when their risk assessment is off

The latest happen often, in other workflows based on agents we are now giving clear instruction on how to assess risk and where to draw a line to consider something a true positive.

3. validation is on Sonnet, we don't use persona based prompts but all the 3 validators get's the same task and context. The agent orchestrating them will take their output and make the final decision. We use an internal fork of the claude code github action for now.
gbrindisi
·hace 4 meses·discuss
I am doing something similar: I use openspec to create context and a sequential task list that I feed to ralph loops, so that i’m involved for the planning and the verification step but completely hands off the wheel during code generation.
gbrindisi
·hace 4 meses·discuss
I like openspec, it lets you tune the workflow to your liking and doesn’t get in the way.

I started with all the standard spec flow and as I got more confident and opinionated I simplified it to my liking.

I think the point of any spec driven framework is that you want to eventually own the workflow yourself, so that you can constraint code generation on your own terms.
gbrindisi
·hace 4 meses·discuss
fifteen years ago I use to do mobile pentests for banks and when we could not find anything significant for the reports we could’ve always count on “lack of rooting detection” and pin the risk on some vague mobile banking malware threat pushed by marketing. I am sorry I contributed to this nonsense.

100% security theater, and here we are.
gbrindisi
·hace 4 meses·discuss
ah I also did my own sandbox and at least twice the agent inside tried really hard to go around the firewall, so I ended up intercepting calls to `connect` to return a message that says "Connection refused by the sandbox, don't try to bypass".

Code here: https://github.com/gbrindisi/agentbox
gbrindisi
·hace 4 meses·discuss
the most annoying thing with Google Workspace is that you need super admin privilege to properly audit the environment programmatically, I believe because of the cloud-identity api.
gbrindisi
·hace 7 meses·discuss
I noticed that too and it’s kinda scary. Soon we will have the opposite of canceling, where the target will be deepfaked to say everything and its opposite to nullify their signal to noise ratio.
gbrindisi
·hace 7 meses·discuss
The crowdstrike incident taught us that no one is going to review any dependency whatsoever.
gbrindisi
·hace 11 meses·discuss
This must be the best technical article I read on HN in months!