You should try writing a design doc with the AI before you have it write the code. It will make random extrapolations from your first prompt, some good and some bad. Then you get a chance to argue back and forth with yourself with the robot as a helper.
The best early example of this is that Anthropic is already eating the lunch of all the new “AI security audit” companies. And they were only a few years old.
Those guys certainly thought they were being novel and creative, using AI to disrupt an expensive and labor intensive business model. But now with Claude Security, their own market share is going to be gobbled up before they can even get established.
LLMs are bringing us back to all the “proper” software engineering stuff that we’ve always known we should be doing, but until now we never had enough time/people/money to do it right.
Brainstorming and research before writing a design.
Writing a design or spec before writing the code.
Comprehensive unit tests.
Etc etc etc.
Like you, I get vastly better output from the tool when I create a detailed spec in markdown before I let it start coding. And bonus, the LLM is pretty good at helping with the spec too.
re: incentives, my proposal was always to let schools pay their football and basketball players, but require that grad research assistants are paid the same.
I worked a ton in grad school, and it definitely sucked at the time.
But it’s crazy to complain about getting paid to go to school. A grad stipend is there to minimally support you so you don’t have to get another job and can focus on your research. It’s not supposed to be a career!
The word “exploit” may be doing a lot of work here. In my experience Opus 4.6 is perfectly happy to provide test cases that trigger ASAN, even without the super secret squirrel security access.
But if you ask it to get you a shell it’ll probably tell you to get lost.
It’s easy to find sketchy lines of code in any large C project.
The big advance that they are claiming with Mythos is the ability to triage all the hundreds of candidate vulns and automatically generate exploits to prove that the real ones are real. And if they’re really finding 27-yr-old 0-days in OpenBSD, then it’s not just hype.
Right. It’s things like Baltimore (when I lived there) requiring that high speed internet had to roll out in poor areas first, before it could go into the rich neighborhoods.
But this was the early 2000s and the internet was still “new”. Only the richer areas cared and were willing to pay the price. Letting them have first (or even equal!) access would have made it easier to fund the rollout in low income areas.
I thought that was kind of how the hard sciences work already?
My grad school friend who was a physicist would write his talk just before his conferences, and then submit the paper later. My experience in CS was totally backwards from that.