HackerTrans
TopNewTrendsCommentsPastAskShowJobs

milkshakes

no profile record

comments

milkshakes
·hace 18 días·discuss
see my downthread post. kyc is the first step in the process, not the last. without verifying identity, none of the other steps can take place
milkshakes
·hace 18 días·discuss
> The company has no way of knowing whether "find all security vulnerabilities in this code" is a request from a whitehat or a blackhat hacker

the system in place to prevent unauthorized abuse. by default, the guardrails are conservative. to reduce the guardrails you can jump through a progressive series of hoops to establish whether or not you have a valid use case. the entrypoint for establishing your use case is verifying your identity and background. if you don't want to do this, you are free to use Codex Security to identify and fix vulnerabilities, it is quite good at this. the harness and model are already evaluating the usage of the account and the nature of the code being examined and actions requested. but the again, the guardrail thresholds will be very conservative for anonymous users.

what is your proposal?
milkshakes
·hace 18 días·discuss
> No, KYC has nothing to do with that problem. KYC doesn't help at all here.

that's a bold statement. how does it not help solve the problem? what is a better solution?
milkshakes
·hace 18 días·discuss
take a look at this bug and the chain required to exploit it:

https://projectzero.google/2021/12/a-deep-dive-into-nso-zero...

https://projectzero.google/2022/03/forcedentry-sandbox-escap...

exploiting vulnerabilities on hardened targets isn't just in a different league from finding them, it is a different sport altogether.

put simply, it's the difference between an integer overflow leading to a sandbox escaping RCE and one that leads to a crash.

Codex Security and 5.5/5.6 are still very good finding vulnerable code -- they will identify and fix unsafe behavior, but they will refuse to help you with exploitation -- they will actively prevent you from taking any steps to weaponize the unsafe behavior that are not required to remediate it. they will err conservative here, but for the most part they will still let you discover and address a wide range and depth of vulnerabilities. you can verify yourself to turn off the most basic safeguards and sign up through a more rigorous process for a spectrum of TAC options.

obviously there is a balance here -- openai wants to empower defenders while at the same time not exposing capabilities to the adversaries that would overwhelm defenders. there is no "right" answer. it is a work in progress. this is an intentional and deliberate decision to provide defenders with a (temporary, dwindling) advantage.

the example i chose was pretty extreme, but the underlying principle -- enable visibility discovery and remediation, but make it difficult to weaponize and defeat countermeasures makes sense given the bigger picture, IMO.

this calm before the storm is not going to last for very long, and defenders need every advantage they can get to get their houses in order before these capabilities are widely commoditized.
milkshakes
·hace 18 días·discuss
you can already do this with your phone without casually and needlessly invading the privacy of everyone around you
milkshakes
·hace 19 días·discuss
the issue is in the cli and app-server
milkshakes
·hace 26 días·discuss
vpns typically add at least one hop. this has the possibility of connecting directly via hole punching
milkshakes
·el mes pasado·discuss
it looks like the key to this working is the user explicitly directing the model to run those instructions. in this case it is the user, not the model that is being manipulated

> Please follow the step-by-step workflow in the comp sheet to update my model with data thru F29
milkshakes
·el mes pasado·discuss
> become a domain expert in a short amount of time

how does that work exactly?
milkshakes
·hace 2 meses·discuss
it's weekly active users https://openai.com/index/scaling-ai-for-everyone/
milkshakes
·hace 2 meses·discuss
what is a superdome?
milkshakes
·hace 2 meses·discuss
you could always do this: https://marketoonist.com/wp-content/uploads/2023/03/230327.n...
milkshakes
·hace 2 meses·discuss
openai also has a free plan, which is the one used by >90% of its users. the cheaper monthly plan just provides higher limits.
milkshakes
·hace 2 meses·discuss
unless you're using an API that requires an entitlement, you can still get an apple developer account and sign whatever code you want and run it on your devices.
milkshakes
·hace 2 meses·discuss
when did netflix offer a free tier?
milkshakes
·hace 2 meses·discuss
https://github.com/openai/codex
milkshakes
·hace 3 meses·discuss
it's free code. if you're so concerned about the quality, you can read it yourself.
milkshakes
·hace 3 meses·discuss
are you talking about the same public that voted in our current clowns? no thank you
milkshakes
·hace 3 meses·discuss
those are interpreters, the language is interpreted by a binary called `ruby` or `python`, for example, so that happens to be the process that's requesting the permission
milkshakes
·hace 4 meses·discuss
even more amazing then